To view this update as a Web page, copy this link into your
browser:
http://www.qtsnet.com/stayinformed/quiknews/quiknews
january2006.htm.
To subscribe or unsubscribe, please follow instructions at
the bottom of this page.

Welcome to the January edition of QTS QuikNews, our
monthly e-mail newsletter. In this monthly e-mail, you
will receive an update of what's new at QTS - new
products we support, new patches and upgrades, solution
ideas and promotions to save you money, and information
about our company and our clients.
In this issue:
- QTS and Partner News
- Events
- President's Corner
- QuikSecure Tip of the Month
- Patches and Upgrades
- Product Support Lifecycle Watch
- Solution Spotlight
- Special Offers
- Partner Spotlight
QTS AND PARTNER NEWS
WELCOME TO NEW CUSTOMERS
QTS offers a “welcome aboard” to the following new
customers:
· New Jersey Compensation Rating & Inspection Board
· The Vitamin Shoppe
· White Systems
QTS FEATURED IN MICROSOFT MOMENTUM NEWSLETTER ARTICLE ON SECURITY
Observations from QTS President and CEO Neil Rosenberg
and from Eric Ottaway, COO of QTS customer the Brooklyn
Brewery, are featured in this article on Security in
Microsoft’s Momentum newsletter:
http://www.microsoft.com/business/insights/content/article.aspx?contentId=1157
QTS IS HIRING!
QTS is recruiting for senior-level technical personnel,
as well as an entry- to mid-level sales/service support
specialist. If you know anyone who might be a good fit,
please have them submit their resume to Liz Meechan, our
Office Manager. Liz can be reached at
lmeechan@QTSnet.com, or (973) 984-7600 x223.
PRODUCT NOTICES AND ADVISORIES
TERMINAL SERVICES CAL TRADE-UP EXTENDED!
Due to a change in the way Microsoft licenses Terminal
Services as of April 2003, customers may be eligible for
free Terminal Services Client Access Licenses (CALs).
With the release of Windows Server 2003, the “built-in”
CALs under Windows 2000 were eliminated. However,
customers owning Windows XP Pro receive a free Terminal
Services CAL for each XP license. This offer has been
extended, but we strongly recommend processing it
promptly. For more information, visit
http://www.microsoft.com/windowsserver2003/howtobuy/licensing/tscaltransfaq.mspx.
EVENTS
MICROSOFT SOLUTIONS BRIEFING
QTS and Microsoft are hosting an Executive Solutions
Briefing for small and medium business customers
(25-500 user environments). Join us for this
informative, 3-hour event to learn how your
organization can benefit from new Microsoft technologies
and solutions, and what tools and resources are
available to you from Microsoft. Microsoft and QTS will
also review the benefits of Software Assurance, discuss
available promotions that can save you money, and review
the roadmap for upcoming product releases and features.
We will also present on key Microsoft initiatives such
as Trustworthy Computing (Microsoft’s security efforts),
the Dynamic Systems Initiative and the integration of
Microsoft’s Business Solutions offerings. This event
will provide valuable information to any Microsoft
customer! Join us on Thursday morning, February 16th at
Microsoft’s Iselin NJ office or on Thursday morning,
March 16th at Microsoft’s New York City office. Contact
your QTS Account Manager to register for these events.
Note that a signed Microsoft Non-Disclosure Agreement is
required for attendance at these events.
SECURE & WELL-MANAGED INFRASTRUCTURE
QTS, New Horizons and Microsoft are hosting a half-day
seminar on Tuesday, February 7th at New Horizons in
Iselin, NJ on how to implement a Secure and Well-Managed
Infrastructure. In this event, QTS will present on how
Windows Server 2003 and Exchange Server 2003, combined
with Microsoft’s management and security technologies,
can help to provide a reliable and secure platform for
employee productivity. Microsoft and New Horizons will
discuss how employee training can enhance productivity
and effectiveness, and how to leverage Software
Assurance benefits, including training vouchers. For
more information or to register, contact your QTS
Account Manager or visit www.clicktoattend.com and enter
event code 104166.
COLLABORATION TIPS & TRICKS
Busy people need tools to help them speed through their
to-do lists and manage all the information and e-mail
coming across their desks. In this seminar, New
Horizons, QTS and
Software Spectrum
will show you how to leverage the many powerful—yet
often untapped—features of Microsoft® Office
Professional Edition 2003. You will learn more about
Microsoft Windows® SharePoint® Services, which provide
an integrated portfolio of collaboration and
communication services that connect people, information,
processes, and systems both within and beyond the
organizational firewall.
The event also focuses on other productivity-boosting
features, such as Microsoft Office OneNote® 2003 and
Microsoft Office InfoPath® 2003, both of which can help
your organization collaborate more effectively and share
important information with whoever needs to see
it—whether they are in the office or on the road.
For more information or to register, contact your QTS
Account Manager or visit www.clicktoattend.com and enter
event code 104722.
CXO SEMINAR: DISASTER RECOVERY SOLUTIONS
On Wednesday, March 1st, join Microsoft, Citrix, NSI
Software and QTS at the Microsoft NJ office for an
informative seminar on how to develop a Disaster
Recovery Plan and build a Hot Site Failover Solution for
your business leveraging technologies from Microsoft,
Citrix and NSI Software. Businesses are challenged more
and more each year with the need to maximize systems
up-time and availability, amidst an ever-increasing
range of threats. IT management is often tasked with
responsibility for developing and implementing Disaster
Recovery Plans to protect the business and ensure
continuous access to key business systems. In this
seminar, we’ll discuss how to build the plan and what
the key elements are, and discuss the various options
for Cold, Warm and Hot Site solutions. We’ll then drill
down into how to cost-effectively build a Hot Site
leveraging technologies from Microsoft, NSI and Citrix
to enable access to your applications and data, and
conclude with tips and best practices.
For more information or to register, contact your QTS
Account Manager or visit www.clicktoattend.com and enter
event code 104270. The event will also be hosted at the
Microsoft NY office on Tuesday, May 9th.
CxO SEMINAR: PREPARING FOR WINDOWS VISTA
Join Microsoft and QTS for this informative seminar on
how your organization can get ready for Windows Vista,
the successor to Windows XP Professional as the desktop
operating system of choice for businesses. In this
seminar, we will discuss some of the features and
capabilities planned for Windows Vista, and how your
business can benefit from this next release of Windows,
as well as the upcoming releases of Microsoft Office and
Microsoft Exchange Server. We’ll explore how these new
products can improve user productivity and collaborative
capabilities, as well as how Windows Vista can improve
systems’ reliability, security and performance. We will
also discuss how to deploy Windows Vista across your
organization, leveraging tools such as Remote
Installation Services, the Business Desktop Deployment
Accelerator, and Systems Management Server. We’ll also
discuss best practices in desktop management and patch
management.
The next sessions are Tuesday, February 21st at the
Microsoft NJ office and Tuesday, March 14th at the
Microsoft NYC office. For more information or to
register, contact your QTS Account Manager, or visit
www.clicktoattend.com and enter event code 104306
for NJ or 104304 for NYC.
PRESIDENT'S CORNER
This month, we’re going to drill down and focus on
technologies and processes that can help you to improve
your identity and access management controls within your
network. This is an increasingly critical area as more
and more organizations find themselves subject to
regulatory requirements that dictate controls to protect
sensitive data (HIPAA, Sarbanes-Oxley,
Gramm-Leach-Bliley). I would note here, however, that
this is not just about technology – it is very much about
processes, and how people can either support or break
security within your organization. It is interesting to
note that according to the annual CSI-FBI Computer Crime
Study (gocsi.com), the 2005 study (for 2004) was
actually the first year that external security breaches
and incidents outnumbered internal ones – but internal
ones typically remain far more damaging according to
most industry research.
Let’s start with the basics. To gain access to most
networks, a system typically requires a logon ID to
identify the user, and a password to authenticate the
identity of the user. The password is a proof of
identity that is reasonable in most standard situations,
particularly where some other security control (such as
physical access to a facility) is already in place. The
more sensitive the data, the more severe the impact of a
security compromise, or the less certain one can be that
access is authorized (e.g., remote access scenarios),
the more important authentication becomes.
Left on their own, most users will choose passwords that
can easily be guessed. This is because most users want
passwords that are easy to remember – particularly
considering they often have to remember multiple
passwords for internal systems, plus business web sites,
not to mention personal web sites. The problem here is
that such easily guessed passwords reduce the value of
the password as an access control – particularly when an
attack is socially engineered, or when an attacker might
already have building access or know something about the
user (which makes passwords more guessable).
As an aside, user IDs, being half the puzzle, represent a
security issue themselves – if the user ID can be easily
guessed, that leaves only the password to break. I note
this because some companies, in an effort to enhance
customer service, publish their employee directories on
their web sites (particularly law firms, who wish to
showcase the resumes and talent of their professionals).
This makes it easy for an attacker to learn the first
piece of the puzzle, leaving the password as the only
defense. Most companies would not hand organizational
charts and company directories to total strangers, yet
those same companies often do just that by posting the
information on their web sites.
Strong Passwords, as a matter of company policy, help to
reduce this risk. Forcing the use of numbers, making
passwords case sensitive and including special
characters all make it harder to guess or to
mathematically “crack” passwords. This can easily be
turned on in Active Directory, and often in
applications, to enhance this line of defense. Forcing
periodic password changes also helps – partially because
of the mathematics of this, but also partially because
it reinforces the importance of security to your users.
Also, the fewer passwords you force users to remember,
the more likely you will be effective in implementing
stronger password policies.
This leads to the issue of managing multiple sets of
passwords across multiple applications. Wherever
possible, this can and should be eliminated. Microsoft
Active Directory and most other Directory Services
support standards such as LDAP and RADIUS. RADIUS
allows an application or device to look to a RADIUS
server for authentication when a user tries to log into
it. This is particularly important in situations like
VPN remote access, where a separate point of security
administration (and a separate set of user passwords)
can often be eliminated. Microsoft’s IAS (Internet
Authentication Service) is a RADIUS server for Active
Directory, allowing Active Directory to serve as the
authentication point for any devices or applications
that support RADIUS (and don’t support native AD
integration). Eliminating unnecessary points of user ID
management is important from a security perspective,
particularly when it comes to user provisioning (account
creation) and de-provisioning (account shutdown), which
we’ll discuss later. Via LDAP (Lightweight Directory
Access Protocol), applications can make requests for
identification data from a Directory Service, allowing
for easier integration and leveraging of the Directory.
To address the growing password dilemma, Single Sign-On
applications allow a primary login to then provide
authentication transparently to other applications.
Let’s use Citrix Password Manager as an example – with
this tool in place, I can log into Active Directory
(enforcing a Strong Password and good password
expiration policies). Password Manager can then
“remember” my passwords to other applications as I visit
them, storing them in an encrypted store either in a
file share or within Active Directory, with a locally
synchronized copy on my hard disk if I so desire. As I
go back to my applications (our accounting system,
Expedia, our HotJobs recruitment site, Microsoft Partner
portal sites), my passwords are automatically “fed” to
these sites and I am logged in automatically. Citrix
Password Manager can also handle password changes for
the “secondary” applications, either transparently by
generating these passwords behind the scenes, or with
user intervention. The point here is that Single Sign-On
technologies give you the ability to centralize your
identity management with one “key” to the house, and
therefore it is easier to make that key a really good,
secure one.
The other end of this process is management of user IDs
by the applications themselves. Single Sign-On solutions
don’t create the IDs or keep the IDs and passwords in
sync across systems. Although many applications can
integrate with Active Directory, or can leverage Active
Directory to perform their authentication, many others
do not. It is not uncommon in a typical medium-sized
business to have separate IDs/passwords and points of
identity management for Network Login (usually AD),
Voice Mail, ERP/Accounting systems, web portals,
database applications and other programs. Each of these
systems usually needs its own ID created, so it is
important to have a checklist process for defining
access requirements and rights for new employees as they
are hired, so they can be set up in all the required
systems. This should be done following the Principle of
Least Privilege – that employees should only have access
to the specific systems and data needed to do their jobs
(however, in my experience this is often not the case).
In smaller and less structured companies, the user
provisioning process is often hit or miss – people get
set up for applications when they try to access them,
without an approval cycle or specific controls and
workflows.
The Achilles’ heel of this process is on the back end –
de-provisioning accounts. When a user leaves the
company, there often is not a good (or consistent)
process for removing access to applications and
systems. IT often is not notified immediately unless
the manager is worried about an employee, and security
holes often develop. I remember talking to someone a
few years ago about security, and he observed that he
still dialed into his former employer’s voice mail
system to check his voice mail – 2 years after he had
left that company! How many of you have clearly defined
processes for de-provisioning accounts when an employee
leaves, or, for that matter, for reviewing access rights
when a job or role change occurs?
The solution here, if justified based on security impact
and/or administrative cost savings, is a Metadirectory.
A Metadirectory, such as Microsoft Identity Integration
Server, allows a “hub” application (such as AD) to
synchronize user account IDs, passwords/changes, and
account shutdown with one or more “spoke” systems,
providing a single point of management for identity and
provisioning/de-provisioning across internal systems.
Organizations with large numbers of users benefit the
most from solutions like this – for example, educational
institutions with large student bodies, or larger
organizations with multiple systems. But even for a
mid-size company, the security benefits can sometimes
outweigh the costs.
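The access review the last three paragraphs call for can be run as a script. The following Python example is added here and is not part of the newsletter or of any QTS, Citrix or Microsoft product; the HR roster, role profiles, account lists and dates are all constructed. It compares each system's accounts with the HR roster and flags accounts outside an employee's role profile, accounts left behind by departed employees (noting any used after the last day, as in the voice mail story), accounts with no HR owner, and accounts with no recent login.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Finding:
    system: str
    user_id: str
    issue: str

# Constructed HR roster: the authority on who is employed and in what role.
HR_ROSTER: Dict[str, dict] = {
    "jsmith": {"status": "active", "role": "accounting"},
    "rpatel": {"status": "active", "role": "sales"},
    "mlee":   {"status": "terminated", "last_day": date(2005, 11, 15)},
}

# Constructed role profiles: the systems each role legitimately needs, i.e. the
# least-privilege checklist applied when someone is hired or changes role.
ROLE_SYSTEMS: Dict[str, Set[str]] = {
    "accounting": {"Active Directory", "Voice Mail", "ERP"},
    "sales":      {"Active Directory", "Voice Mail"},
}

# Constructed account inventories, one per point of identity management:
# user_id -> date of last login (None = never used).
SYSTEM_ACCOUNTS: Dict[str, Dict[str, Optional[date]]] = {
    "Active Directory": {"jsmith": date(2006, 1, 10), "rpatel": date(2006, 1, 12),
                         "mlee": date(2005, 11, 14)},
    "Voice Mail":       {"jsmith": date(2006, 1, 11), "rpatel": date(2005, 9, 2),
                         "mlee": date(2006, 1, 9)},
    "ERP":              {"jsmith": date(2006, 1, 12), "rpatel": date(2006, 1, 3),
                         "tjones": None},
}

AS_OF = date(2006, 1, 15)  # constructed date of the access review

def reconcile(roster, role_systems, systems, as_of, stale_days=90) -> List[Finding]:
    """Check every account in every system against the HR roster and role profiles.

    Returns one Finding per problem; an empty list means each account belongs to
    an active employee, fits that employee's role, and was used within stale_days.
    """
    findings: List[Finding] = []
    for system, accounts in systems.items():
        for user_id, last_login in accounts.items():
            person = roster.get(user_id)
            if person is None:
                # Nobody in HR owns this account: an orphan or an unrecorded contractor.
                findings.append(Finding(system, user_id, "no HR record for this account"))
                continue
            if person["status"] != "active":
                # De-provisioning gap: the account outlived the employee.
                issue = "terminated employee still has an account"
                if last_login is not None and last_login > person["last_day"]:
                    issue += f"; used on {last_login} after last day {person['last_day']}"
                findings.append(Finding(system, user_id, issue))
                continue
            if system not in role_systems.get(person["role"], set()):
                # Provisioning gap: access beyond what the role requires.
                findings.append(Finding(system, user_id,
                                        f"access outside the {person['role']} role profile"))
            if last_login is None or (as_of - last_login).days > stale_days:
                # Unused access is access nobody would notice being abused.
                findings.append(Finding(system, user_id, f"no login in {stale_days} days"))
    return findings
```

Calling `reconcile(HR_ROSTER, ROLE_SYSTEMS, SYSTEM_ACCOUNTS, AS_OF)` on the constructed data yields five findings, one of them the departed employee's voice mail account used two months after the last day.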
Now that we’ve talked about managing IDs and passwords,
and strengthening them, what else can we do? In the
“real” (non-IT) world, we find that as security
requirements increase, we often are asked for multiple
forms of identification – maybe the basic form (driver’s
license) can be stolen or forged, so a passport is also
required. This introduces the concept of “Strong” or
“Multifactor” Authentication – requiring multiple forms
of identification and/or authorization. In addition to
a user ID (identification) and password (primary
authentication), such systems require a second proof of
identity – something you have (a token or smart card) or
something you are (biometrics).
The most common form of this in the IT world is tokens –
led by RSA’s SecurID tokens and ACE/Server (now called
RSA Authentication Server). The tokens include a small
LCD screen with a numeric code generated every 60
seconds, which matches back via a common “seed” to the
same number on the Authentication Server. Logging in
requires both the password/PIN code and the token number
– someone who steals the token can’t get in without the
PIN, nor can the user get in without the token. Other
vendors have similar solutions, or use USB tokens which
need to be connected to the computer and provide a
second proof of identity via a Digital Certificate
(which is usually generated and managed by a
PKI/Certificate Server), but RSA’s solution is the most
widely used, and supported by the widest variety of
applications and systems.
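To make the token mechanism concrete, here is an added Python example, not from the newsletter and not RSA's proprietary SecurID algorithm: token and server share a constructed seed, the token derives a six-digit code from that seed and the current 60-second slot with HMAC-SHA1 (the open RFC 4226/6238 construction, used here as a stand-in), and the server grants a login only when both the PIN and the code check out, refusing a code that has already been used.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

STEP_SECONDS = 60   # the code on the token's display changes every 60 seconds
DIGITS = 6
WINDOW = 1          # also accept the previous and next slot to absorb clock drift


def token_code(seed: bytes, timestamp: int) -> str:
    """Code shown on the token for the 60-second slot containing `timestamp`.

    HMAC-SHA1 over the slot counter, truncated as in RFC 4226/6238. RSA's
    SecurID algorithm is proprietary; this open construction stands in for it.
    """
    counter = timestamp // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class AuthServer:
    """Holds each user's PIN verifier and token seed. Both factors are checked
    on every login and a code is never accepted twice."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # salt, pin hash, seed
        self._last_slot: Dict[str, int] = {}  # highest slot already used per user

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user_id: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._hash_pin(pin, salt), seed)

    def verify(self, user_id: str, pin: str, code: str, now: int) -> bool:
        record = self._users.get(user_id)
        if record is None:
            return False
        salt, pin_hash, seed = record
        pin_ok = hmac.compare_digest(self._hash_pin(pin, salt), pin_hash)
        slot = now // STEP_SECONDS
        matched = None
        for candidate in range(slot - WINDOW, slot + WINDOW + 1):
            if candidate <= self._last_slot.get(user_id, -1):
                continue  # that slot's code was already used once: replay
            if hmac.compare_digest(token_code(seed, candidate * STEP_SECONDS), code):
                matched = candidate
                break
        if not pin_ok or matched is None:
            return False  # stolen token without PIN, or PIN without token: denied
        self._last_slot[user_id] = matched
        return True


# Constructed demo seed; a vendor provisions the real one into token and server.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")

if __name__ == "__main__":
    import time
    server = AuthServer()
    server.enroll("alice", "4711", DEMO_SEED)
    now = int(time.time())
    print("login accepted:", server.verify("alice", "4711", token_code(DEMO_SEED, now), now))
```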
Other forms of Strong Authentication also exist.
Biometrics is steadily gaining market acceptance as the
price of biometric readers decreases and their accuracy
increases. Lenovo/IBM’s inclusion of fingerprint readers
in their ThinkPad notebooks shows that this is going to
become commonplace before too long. Other biometric
solutions are steadily gaining adoption as accuracy
concerns are mitigated. Smart Cards have also become
more and more common, and companies are starting to
integrate building ID badges with smart cards that can
be used with computers (with smart card readers) for a
single point of access management and control. Again,
as hardware prices drop, adoption will grow. Proximity
badges, which are smart cards that can automatically log
a user in based on the badge being close to the
computer, are also starting to gain momentum,
particularly in healthcare environments where users want
faster access to systems but where identity management
is critical for HIPAA compliance.
So, where do you go from here? We’ve discussed a number
of different solutions, all of which have their own
costs and benefits. Not all solutions are applicable, or
cost-justified, for all environments. The key to this,
like any other element of security, is defining your
risks and sensitivities, then determining how to
mitigate those risks. This ultimately boils down to an
economic/business decision (unless regulatory
requirements force you to implement a particular
technology/control). I hope this article has at least
helped in framing some of the options and
considerations. Let us know if you would like further
help.
As always, feel free to email me your comments or
thoughts at nrosenberg@QTSnet.com. Thank you.
Neil Rosenberg
President & CEO
Quality Technology Solutions
PARTNER SPOTLIGHT
This month’s QTS Partner Spotlight is on ISS Group, a
Gold Certified Microsoft Business Solutions Partner
headquartered in northern New Jersey with a remote
location in Atlanta, Georgia. ISS Group was founded in
1986 and specializes in providing Information Technology
solutions to the Wholesale Distribution and Discrete
Manufacturing communities, both locally and throughout
the U.S.
For the first ten years of ISS Group’s operations, ISS
Group offered technology products and services for
Manufacturers’ and Distributors’ back-office operations
such as Order Processing, Billing, Purchasing,
Production Control, Warehousing and Accounting
applications. ISS Group’s services included activities
such as software installation/configuration, program
customization, application training, process
re-engineering and project management. By performing a
complete range of solution implementation services and
business process consulting, ISS Group became expert in
satisfying the information technology requirements,
operations, business practices and processes of
Distribution and Manufacturing organizations.
In 1996, ISS Group developed an eCommerce solution
providing real-time web transaction processing such as
Order Entry, Purchase Order Maintenance, Stock Status
Inquiry, A/R Inquiry, and more for integration with
back-office ERP applications. This eCommerce solution
was developed in the very early days of the Internet,
before Al Gore’s Superhighway, and afforded ISS Group
entrée into the burgeoning eCommerce and Customer
Relationship Management business. ISS Group focused on
the eCommerce business throughout the late nineties and
in 2000 became one of Siebel’s first resellers to market
their CRM applications into the mid-market Manufacturing
and Distribution communities.
As fate would
have it, Siebel was marketing their CRM applications via
the Great Plains product as the Great Plains
Front-office Solution, and ISS Group was selling the
Siebel applications via this sales channel. When
Microsoft decided to purchase Great Plains in 2001 and
develop their own CRM solution, the relationship between
Siebel and Great Plains was dissolved. Microsoft then
began courting the Siebel resellers who were selling via
the Great Plains channel, such as ISS Group, and
convinced ISS Group to become a Microsoft CRM reseller
while the Microsoft product was still in Beta.
ISS Group has been working with the MS CRM product since
its initial release back in 2002, has continued to
develop their eCommerce products and service
capabilities as well as their CRM solutions portfolio
and integration expertise with Microsoft’s BizTalk
technology, and has become one of Microsoft’s top CRM
solution providers in the U.S. ISS Group has developed a
product called iBridge which integrates MS CRM with
back-office ERP solutions and has been certified by
Microsoft as an approved MS ISV solution, and has
completed dozens of successful CRM implementations for
Manufacturers and Distributors across the U.S. ISS Group
has also broadened their expertise in Microsoft
technologies and offers services in SharePoint and C#
application development, Business Intelligence
solutions, and Information Worker Productivity solutions
using Microsoft Office.
For more
information on ISS Group, please view their web site at
www.issgroup.net, email them at sales@issgroup.net, or
call 973-812-9700. Or, contact your QTS Account
Manager.