[The following is courtesy of Anchor – an eFolder company and a ManageOps partner.]

Consumer-grade file sync solutions (referred to hereafter as “CGFS solutions” to conserve electrons) pose many challenges to businesses that care about control and visibility over company data. You may think that you have nothing to worry about in this area, but the odds are that if you have not provided your employees with an approved business-grade solution, you have multiple people using multiple file sync solutions that you don’t even know about. Here’s why that’s a problem:

1. Data theft – Most of the problems with CGFS solutions emanate from a lack of oversight. Business owners are not privy to when an instance is installed, and are unable to control which employee devices can or cannot sync with a corporate PC. Use of CFGS solutions can open the door to company data being synced (without approval) across personal devices. These personal devices, which accompany employees on public transit, at coffee shops, and with friends, exponentially increase the chance of data being stolen or shared with the wrong parties.
2. Data loss – Lacking visibility over the movement of files or file versions across end-points, CFGS solutions improperly backup (or do not backup at all) files that were modified on an employee device. If an end-point is compromised or lost, this lack of visibility can result in the inability to restore the most current version of a file…or any version for that matter.
3. Corrupted data – In a study by CERN, silent data corruption was observed in 1 out of every 1500 files. While many businesses trust their cloud solution providers to make sure that stored data maintains its integrity year after year, most CGFS solutions don’t implement data integrity assurance systems to ensure that any bit-rot or corrupted data is replaced with a redundant copy of the original.
4. Lawsuits – CGFS solutions give carte blanche power to end-users over the ability to permanently delete and share files. This can result in the permanent loss of critical business documents as well as the sharing of confidential information that can break privacy agreements in place with clients and third-parties.
5. Compliance violations – Since CGFS solutions have loose (or non-existent) file retention and file access controls, you could be setting yourself up for a compliance violation. Many compliance policies require that files be held for a specific duration and only be accessed by certain people; in these cases, it is imperative to employ strict controls over how long files are kept and who can access them.
6. Loss of accountability – Without detailed reports and alerts over system-level activity, CGFS solutions can result in loss of accountability over changes to user accounts, organizations, passwords, and other entities. If a malicious admin gains access to the system, hundreds of hours of configuration time can be undone if no alerting system is in place to notify other admins of these changes.
7. Loss of file access – Consumer-grade solutions don’t track which users and machines touched a file and at which times. This can be a big problem if you’re trying to determine the events leading up to a file’s creation, modification, or deletion. Additionally, many solutions track and associate a small set of file events which can result in a broken access trail if a file is renamed, for example.

Consumer-grade file sync solutions pose many challenges to businesses that care about control and visibility over company data. Allowing employees to utilize CFGS solutions can lead to massive data leaks and security breaches.

Many companies have formal policies or discourage employees from using their own accounts. But while blacklisting common CFGS solutions may curtail the security risks in the short term, employees will ultimately find ways to get around company firewalls and restrictive policies that they feel interfere with their productivity.

The best way for business to handle this is to deploy a company-approved application that will allow IT to control the data, yet grants employees the access and functionality they feel they need to be productive.

In a move that will probably end up in the top ten technology blunders of the year, Lenovo decided, starting in September 2014, to pre-install Superfish VisualDiscovery software on some of their PCs. (Fortunately for most of the readers of this blog, it appears that it was primarily the consumer products that were affected, not the business products.) The “visual search” concept behind Superfish is interesting – the intent is that a user could hover over a picture in their browser, and Superfish would pop up links to shopping sites that sell the item in the picture. I could see where that would be some pretty cool functionality…if the user wanted that functionality, if the user intentionally installed the software, and if the user could easily turn the functionality on and off as desired. But that’s not what happened – and here’s why it’s a big problem.

In order to perform this function when a user has an SSL-encrypted connection to a Web site, Superfish has to insert itself into the middle of that encrypted connection. It has to intercept the data coming from the shopping site, decrypt it, and then re-encrypt it before sending it on to the browser. Security geeks have a term for this – it’s called a “man-in-the-middle attack,” and it’s not something you want to willingly allow on your PC. In order to do this, Superfish installs a self-signed trusted root certificate on the PC. That means Superfish has the same level of trust as, say, the VeriSign trusted root certificate that Microsoft bakes into your Operating System so you can safely interact with all the Web sites out there that have VeriSign certificates on them…for example, your banking institution, as most financial institutions I’ve seen use VeriSign certificates on their Web banking sites. (Are you frightened yet?)

But that’s not all. Superfish installs the same root certificate on every PC that it gets installed on. And it turns out that it’s not technically difficult to recover the private encryption key from the Superfish software. That means that an attacker could generate an SSL certificate for any Web site that would be trusted by any system that has the Superfish software installed. In other words, you could be lured to a Web site that impersonated your bank, or a favorite shopping site, and you would get no security warning from your browser. You try to authenticate, and now the bad guys have your user credentials. (How about now?)

Hopefully, you’re at least frightened enough to check to see if your system was one of the ones that Lenovo shipped with Superfish pre-installed. You can find that list at http://news.lenovo.com/article_display.cfm?article_id=1929. Again, it appears that the majority of the Lenovo systems on the list were consumer models, not business models. If you are one of the unlucky ones, you can find an uninstall tool at http://support.lenovo.com/us/en/product_security/superfish_uninstall

You should also note that security experts are divided as to whether simply running uninstall tools and deleting the root certificate are sufficient. Some have recommended a new, clean installation of Windows as the safest thing to do. Unfortunately, this may require you to purchase a new copy of Windows if you don’t have one lying around…as just re-installing from whatever recovery media may have come with your new PC will probably also re-install Superfish.

Meanwhile, Lenovo has stopped pre-installing Superfish, and is doing its best to control the damage to its brand. We wish them the best of luck with that – from what we’ve seen, they make some great products…and at least one really bad decision…

A few months ago, we wrote about how business leaders could determine when it was time to use an outside IT vendor. (See “When Should an IT Leader Use a Vendor, Part 1” and Part 2.) Once the decision has been made to seek outside help, the logical next question is how to choose the right IT vendor. Before you begin that selection process, you need to assess your organization’s needs:

• Do you have an in-house IT staff and just need a consultant for specialty work? Or do you need to outsource a broader spectrum of services, such as comprehensive help desk support, fixed fee monitoring and support services for your workstations and/or servers, and consulting services to help you establish future technology direction? A consultant may have different pricing approaches for different types of IT projects, while the broader spectrum of services is probably best handled via a fixed-fee monthly support contract.
• What, exactly, are you looking for? Do you need a single project completed? Are you looking for design services, deployment services, post-deployment support, or some combination of the three? Do you want your vendor to provide a complete package consisting of hardware, software, and services, or only part of the solution? Will the project be built on premise, or do you want to go to the Cloud? IT providers frequently specialize in different aspects of the IT world, so make sure you have a talk with any company you are considering to determine if they can fulfill all of your needs, or if you will need multiple providers to achieve your end goal.

After you’ve determined your needs, you will want to identify IT providers that offer the services that you need. Some providers are very specialized, and others have boad offerings. You will want to do your due diligence by checking out the provider’s own Web site as well as supporting sites such as LinkedIn, Facebook, Twitter, etc. But don’t stop there – dig deeper and examine their credentials. Look for case studies, testimonials, and references. Ask if you can actually speak to the customers who are profiled in these case studies, testimonials, and references. If you’re looking for a comprehensive support agreement, ask to review the contract to make sure all of your needs are covered and that the proposed Service Level Agreement (“SLA”) meets your requirements. Some of the questions you’ll want to answer are:

• How qualified is the provider’s staff? Are they certified with the vendors whose products they will be working on in your environment?
• How big is the provider’s company? Size and reach matter – you don’t want to have a service emergency and discover that the only person who knows how to work on your systems is gone on vacation. On the other hand, if your organization is small, your business may be less important to a very large provider and you may get more attentive service from a smaller one.
• What geographical areas does the provider cover? This is obviously important if your own organization operates in more than one area, but will also be important if you’re considering a potential move or business expansion.
• Does the SLA include a guaranteed response time? More importantly, does that guaranteed response time meet the needs of your business? It might be nice to have a one hour guaranteed response time, but shorter guaranteed response times are likely to be more expensive…so if your business really doesn’t need that SLA, why pay for it?
• If you’re signing a support contract, make sure you clearly understand what services are covered, what is excluded, and what your cost is for items that are excluded from coverage.

Did we miss anything that you have found to be important? Let us know in the comments.

If you’re running a WatchGuard e-Series firewall appliance, please note that it will reach End of Life on December 31, 2015. Here’s what that means for you: First of all, when your current LiveSecurity subscription (and/or other Unified Threat Manager components) expires, you will not be allowed to renew it for another year. You can purchase a renewal that will expire on December 31, 2015, but the cost will not be pro-rated – you’ll have to pay for a full year of coverage, but you won’t get a full year of coverage. If you continue to run your e-Series appliance after December 31, you will be running without any support from WatchGuard – no more firmware updates, no more updates for the Gateway AV or WebBlocker functions (if you’re using those), and no hardware warranty coverage.

The good news is that WatchGuard has a trade-up program for existing customers that will allow you to purchase a new firewall appliance at a significantly discounted price. So our recommendation to you is that you:

• Plan now to replace your e-Series firewall appliance on or before December 31. If your existing LiveSecurity subscription is due to expire sooner than December, then that’s probably the replacement date you should shoot for, rather than wasting money paying for a renewal when you won’t get your full money’s worth.
• Contact ManageOps to get pricing for your trade-up options so you know what to budget for. We will then put you on our follow-up list and contact you with a quote roughly 60 days before your subscription expires so you can get your replacement unit ordered.

ManageOps is pleased to announce the availability of Cloud-Based VDI as an option for Hosted Private Cloud customers. Historically, most customers have been well-served by Cloud desktops delivered from shared servers using Microsoft Remote Desktop Services and Citrix XenApp. However, there are some situations where this approach may fall short. For example, there are still some applications that will not run properly in a multi-user environment. There are also situations where a power user may need dedicated processor and RAM resources to run applications that require substantial resources and may cause “noisy neighbor” problems when run on a shared server platform that is servicing other users as well. Both of these situations can often be addressed by dedicating an Operating System instance per user. More information on the distinction between Cloud-Based VDI and other forms of Desktop-as-a-Service (DaaS) can be found in our blog post entitled Cloud-Based VDI vs. DaaS – Is There a Difference?

What this is NOT

We are not announcing the availability of Windows 7 or Windows 8.x desktops running in the Cloud. If you need a Cloud-based infrastructure that provides access to Windows 7 or Windows 8.x desktops, we will be happy to provide a proposal for a customized Cloud solution. Microsoft has chosen not to include these desktop Operating Systems in the Service Provider License Agreement (SPLA), meaning that service providers like ManageOps can only provide access to Windows 7 and Windows 8.x desktops under very specific conditions that must be evaluated and quoted on a case-by-case basis.

What this IS

ManageOps’s Cloud-Based VDI option provides a VDI user with a dedicated instance of Windows Server 2008 R2 or, optionally, Windows Server 2012 R2. We use Microsoft policies to change the “look and feel” of the desktop to the familiar Windows 7 or Windows 8 user interface. This approach allows us to maintain compliance with the Microsoft SPLA while still supporting applications that do not run well in a multi-user environment, providing dedicated processor and RAM resources to users whose needs demand it, and providing power users a greater level of administrative control over their own desktops than can be provided in a multi-user environment where a single user’s changes could adversely affect other users.

For more information, contact ManageOps at (425) 939-2700, email support@manage-ops.com, or click the “Request a Quote” button on this page.