Tuesday, January 3

Systematization of a Service
By Richard D. Zuleg


Sometimes we are faced with taking on a new or existing project or service. This process is usually riddled with problems. The first you may encounter is the scattered data problem: critical bits of data can be found on the company intranet, stored on a file server, embedded in a script, or in someone's memory. This data could be contact information, user names and passwords to systems, instructions on how to perform a task, or descriptions of what a particular service is intended to be. Services often involve repetitive tasks, such as doing some analysis and then creating the same email or document over and over with slight variations. So your job is to understand what is involved, track down all of this data, get it organized, and identify the tasks required to complete the job.

The first step toward getting your new project under control is to start collecting and organizing the data. Look for types of data that can be extracted and placed in a central location. The goal is to abstract as much data as possible: for example, if you have a separate service document for each client, try to identify common procedures and data elements. Contact information, for example, should be stored in a central database, and documents should reference it. Once the data has a defined structure, you need to define a central location for it. A database is usually an ideal central location for data.

Once you have decided how the data will be organized and stored, you can start to look at your procedures. The goal is to find similarities between tasks and streamline them as much as possible. Make tasks repeatable, cut unnecessary steps, and make sure the tasks produce the same results each time. This is where we can start to build in quality assurance. The key is to think of a long-term, scalable solution and define a repeatable process.

Once data is properly organized and centralized, and the procedures have been streamlined into a repeatable process with quality checks in place, we can move into the final phase. At this stage the supporting infrastructure will be in place and the data will be correctly organized and referenced by our procedures. It will now be a simple matter to automate the procedures: you have defined your data structures and written your procedures so that the process is ready to be carried out by a machine. The machine produces and packages the product; a human then reviews the product for the final quality check, and the package is delivered to the end consumer.

To review, the steps for systematization of a service are:

  1. Identify data that can be abstracted
  2. Identify, streamline, and document the process
  3. Build supporting infrastructure
  4. Automate the process

The key is to think of long-term solutions.

Monday, December 19

Looking forward to 2012
By Brad C. Johnson


To all of our readers of the SystemExperts Blog: thank you for taking time out of your busy schedules and lives to review and comment on the material that we prepare for you.

We hope that 2012 brings you all a healthy, rewarding and prosperous year. Despite the continued hardships of the economy and events around the world that impact our daily lives, we see a lot of people and organizations that continue to focus on the fundamentals that help us all do the best that we can: due diligence, professionalism, and respect.

Let's keep that going in 2012!

Friday, November 18

Back to the Future: Layered Security
By Brad C. Johnson


In December of 2010 I posted a "Looking forward to 2011" entry that included the following simple advice: "One thing that we have learned in the last few years is that often times, it's the simple and straightforward actions that make the most sense." That is a theme that has been used consistently in this blog because it just turns out to be true. Albert Einstein once said: "Make things as simple as possible, but not simpler."

Related to that is this advice: do not rely on just one method of securing a resource, no matter how dynamic, exhaustive, or impressive it is. We have been consistent supporters of this equally tried-and-true "Belt and Suspenders" approach to everything in security. Using simple layers of security is often more dependable than expensive or complex products or strategies. Just this last week, the following news was in the headlines:

"The NCAA mistakenly left its internal SharePoint site unprotected, allowing fans, media … to have complete access to its most sensitive economic information. The leak involves years of accounting information, slideshows and much more."

How is this possible? Probably because they assumed that, since this data was on the "inside" (an assumption that used to be rampant throughout the industry and that essentially makes no sense anymore), the normal or default protections would be enough.

There are a number of "Belt and Suspenders" tactics that probably would have prevented this exposure. None of them is sophisticated or complex, yet as a collection of protection layers they would have provided an environment that prevented the exposure even if one or more of them had failed.

  • Internet facing firewall: have rules that are just as strict about what goes out as you have for what comes in: don’t allow file share protocols outbound
  • Monitoring: similar to the firewall, be just as concerned about traffic that is leaving the network as what is coming in: detect file share requests travelling outbound
  • Intrusion detection: notice that external IP addresses are accessing internal resources
  • Authentication: require users to provide credentials to use SharePoint services
  • Authorization: define acceptable users or groups that can access the SharePoint services

None of the above actions is hard to implement or requires unique security infrastructure or expertise. Each one provides a certain type of security awareness or protection that is related to, but different from, the others. No single one provides ultimate protection of the internal resource, but as a whole they represent a layered approach to protecting the asset, even if one or more of them are, for whatever reason, not working.
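As an added illustration (not code from the original post), the following Python script shows two of the layers above working together on constructed firewall log lines: an egress rule that refuses file-share protocols (NetBIOS, SMB, NFS) going outbound, and a monitor over the same log that flags file-share traffic that left the network and external addresses reaching internal resources. The log format, the port list and the internal address ranges are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of firewall/flow log lines in an assumed format
# (timestamp, action, protocol, src ip:port, dst ip:port); not from the post.
SAMPLE_LOG = """\
2011-11-14T09:12:01 ALLOW proto=tcp src=10.20.5.17:51234 dst=203.0.113.8:445
2011-11-14T09:12:05 ALLOW proto=tcp src=10.20.5.17:51240 dst=10.20.1.4:445
2011-11-14T09:13:10 ALLOW proto=tcp src=198.51.100.23:40001 dst=10.20.1.9:80
2011-11-14T09:14:00 ALLOW proto=tcp src=10.20.5.22:51300 dst=192.0.2.77:2049
2011-11-14T09:15:30 DENY proto=tcp src=10.20.5.17:51250 dst=203.0.113.8:139
"""

# Address space we treat as "inside" (RFC 1918); adjust to your own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# File-share protocols that have no business leaving the network.
FILE_SHARE_PORTS = {139: "NetBIOS session", 445: "SMB", 2049: "NFS"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip):
    """True when the address falls inside one of our internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_allowed(src, dst, dport):
    """Layer 1 (firewall): the outbound rule. Internal hosts may not reach
    file-share ports on external addresses; everything else passes here."""
    if is_internal(src) and not is_internal(dst) and dport in FILE_SHARE_PORTS:
        return False
    return True


def analyze(log_text):
    """Layers 2 and 3 (monitoring / intrusion detection): walk the log and
    flag (a) file-share traffic that left the network and (b) external
    addresses reaching internal resources. Returns (finding_type, line) pairs."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue  # unparsable, or already blocked by the firewall layer
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if is_internal(src) and not is_internal(dst) and dport in FILE_SHARE_PORTS:
            findings.append(("outbound-file-share", line))
        if not is_internal(src) and is_internal(dst):
            findings.append(("external-access-to-internal", line))
    return findings


if __name__ == "__main__":
    for kind, line in analyze(SAMPLE_LOG):
        print(f"{kind:28s} {line}")
```

The point of running both functions over the same data is the one the post makes: the egress rule would have stopped the first and fourth connections, and if that rule were missing or misconfigured, the monitor still surfaces them, while the external-to-internal finding on the third line is the case that neither an egress rule nor outbound monitoring covers.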

So, here we are ending 2011 just where we started the year: focusing on fundamentals; preaching about straightforward and layered security philosophies.

Tuesday, September 6

Extending your Shields into the Cloud
By Jason Reed


Business IT departments are always looking for advantages and ways to save money. Outsourcing processes to other companies that have a core competency in highly specialized or costly functions allows businesses to focus on their products and services while saving money. Common examples include off-shoring code development or replacing costly datacenter, hardware, and sometimes software costs with cloud services.

Naturally, the IT environment and its resources still need to be protected. This means that the perimeter is extended to cover its computing resources wherever they may be. While there is still a core perimeter, the contents of that perimeter are changing. Where before we saw all computing under one roof, now we are seeing the extension of the perimeter to other, hopefully, trusted partners.

Companies and consumers are using Software as a Service (SaaS) providers more and more to instantly fill a need in the organization. Services like Gmail, Expensify, ManyMoon, Gravity, and too many more to mention allow businesses to rapidly and inexpensively consume critical business services. However, because these SaaS-deployed services are often beyond the control of the organization, they weaken the ability of the business to rely on the security of these functions. In many cases, we have seen so much of the infrastructure used by a business put in the cloud that the only reason for perimeter security is to protect the desktops used by the employees at the site.

Infrastructure as a Service (IaaS) allows businesses more control over their resources. While SaaS and Platform as a Service (PaaS) offerings leave the business with limited control, IaaS is still seen as an extension of the business's computing infrastructure. There is a growing market for products that can "extend the shields" around these remote outcroppings of computing resources. These systems, real or virtual, are maintained by the business and are often classified the same way as a remote datacenter or office location. With the ability to deploy private clouds at many IaaS providers, there is little difference between IaaS and a remote co-location facility. In these cases, the interconnection between the two sites is the only item not owned by the business.

Unfortunately, many companies have not yet gotten their heads around cloud computing and what it means to their business. The cloud is just like any other resource, inside or outside of the perimeter. The Cloud Security Alliance has published an invaluable paper on cloud security entitled "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1". It contains a section titled "An Editorial Note on Risk: Deciding What, When, and How to Move to the Cloud" that every IT manager or security officer considering a move to the cloud should read. That covers the resources in the cloud. What is left is how to integrate the resources at the business with the resources in the cloud. Essentially, for IT security practitioners, this forces the question of how to extend perimeter security to a different computing structure that is often outside of your control.

Businesses are moving slowly, absorbing the cloud options and initially deploying non-essential functions to the cloud. As many see that they can extend their functions to IaaS providers, or release control to PaaS or SaaS providers, they are making their way to the cloud. Of course, we will not see all companies releasing control of their infrastructure to others any time soon, but instead a slow migration as more controls become exposed to the users. For now, I foresee many more private and hybrid cloud services. The Cloud Security Alliance gives the following definition of a hybrid cloud:

"Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds)."

"There is always a trade-off between security and accessibility." That is a common phrase we hear in information security. We don't employ moats or towering castle walls as much anymore to protect our interests, but each in its day provided a level of protection against outsiders. Each also made it harder for legitimate users to reach the protected resources. (I don't know if you have ever had to raise or lower a drawbridge, but that is hard work.) The benefit of a well-defined perimeter is that we know what we want to protect and what to expose.

Today, we are exposing more and more functions while still trying to protect them as much as possible. This duality creates challenges whose solutions are bountiful but often complex to maintain. Companies want the best of both worlds: maximum protection and maximum access. The trick is finding the right balance that allows the business to actually stay in business.

Friday, July 1

Securing Dropbox
(and other cloud syncing services)
By Keith Royster


As the number of computers, laptops, and mobile devices we use grows, services that sync our important files between them grow in popularity. But are these services secure enough to store our confidential files? Recent news suggests not. One of the more popular file-syncing services, Dropbox.com, has experienced significant security issues this year, including a brief lapse in its authentication system that made passwords optional for a 4-hour window. And not to pick on Dropbox: virtually all of these services carry some security trade-offs by design, including the provider holding the keys to your encrypted files so that it can de-duplicate data to minimize storage requirements. Syncing confidential files in the cloud is not recommended without additional encryption.

All encrypted syncing solutions are not created equal

Searching the internet for "securing Dropbox" turns up a myriad of blogs suggesting various ways to encrypt your cloud-synced files. What they all have in common is that they attempt to encrypt your files locally before they go into the cloud. But not all local encryption methods are well suited to cloud synchronization. SystemExperts spent some time trying many of the suggestions found online, but experienced the following issues with most of them:
  • Tools that create encrypted volumes within the Dropbox folder create a single large file that must be synchronized every time a single file within it changes, making syncing very slow. Often the size of these volumes cannot grow, so a single large file must be created from the start. These problems were common to tools such as TrueCrypt (cross-platform) and encrypted disk images such as .dmg and .sparseimage files (both built into OS X only).

  • OS X has a disk image format called "sparsebundle" that was created precisely for syncing files to its Time Machine backup service. It solves the problem of syncing entire volumes by dividing the volume into smaller "bands". But this is not a cross-platform solution. Additionally, testing indicated that Dropbox had trouble detecting changes to the "bands" in real time, and had trouble synchronizing them if the volume was mounted by multiple systems.

  • Encrypting individual files makes for faster syncing, but can be tedious if it must be done manually with tools such as zip archivers.

EncFS to the rescue

SystemExperts found EncFS (Encrypted File System) solutions best suited for the task. EncFS uses AES-256 encryption, is cross-platform (Windows, Linux, and OS X; sorry, no mobile yet), and encrypts individual files on the fly as they are placed into the mounted EncFS volume. As an added bonus, EncFS provides some protection for lost or stolen laptops: EncFS mounts the encrypted files on your file system and presents them decrypted at the mount point as a new drive or volume, so as soon as the system is powered off or the user logs out, the mount point is gone and the decrypted files are no longer available.

However, there are some caveats to EncFS:
  • The only Windows solution we found is a commercial application at http://boxcryptor.com/, which starts at $20 for commercial use, although it does offer a free version with some limitations
  • Although free, the OS X and Linux solutions are more technically challenging to install
  • Although the file contents are encrypted, anyone with access to the file system can see how many files and folders exist, their permissions, their approximate sizes, and their last accessed and modified timestamps.

Example usage of EncFS

In our test setup, we synchronized files across multiple OS X systems. Following these installation steps for OS X, we created a folder within Dropbox for our encrypted EncFS files, and an EncFS mount point outside of our Dropbox folder. (Tip: On OS X and Linux, name the folder within Dropbox with a leading . (dot) to make it invisible. This way you aren't tempted to place unencrypted files within the encrypted EncFS folder by accident.) We named our new EncFS volume "eDropbox", which showed up on our Mac as a new attached drive. After repeating the setup process on two additional systems, we began placing files in this new eDropbox drive. Files were immediately and transparently encrypted to the EncFS folder within our Dropbox folder, and then synchronized to our other systems, making the unencrypted file immediately available on all of the respective mounted eDropbox volumes. But anyone accessing our Dropbox account in the cloud (including the operators of the service itself) will now find only AES-256 encrypted files there.
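As an added example (not part of the original post or the EncFS project), the Python script below checks the layout described in the usage above and illustrates the metadata caveat from the list of caveats: the encrypted folder sits inside Dropbox and is dot-prefixed, the mount point is outside Dropbox, the folder holds EncFS's .encfs6.xml configuration file, and no file with a recognisable document extension has been dropped into the raw folder by mistake. It also summarises what an observer with access to the raw folder can still learn (file counts, sizes, timestamps). The directory names, the plaintext-extension heuristic and the sample files are constructed assumptions, and EncFS itself does not need to be installed to run it.

```python
import tempfile
from pathlib import Path

# EncFS writes its volume configuration to .encfs6.xml in the root of the
# encrypted ("raw") directory; its presence tells us the folder was initialised.
ENCFS_CONFIG = ".encfs6.xml"

# Constructed heuristic: EncFS-encrypted names are opaque strings, so a file
# with a recognisable document extension in the raw folder was probably
# dropped there unencrypted by mistake.
PLAINTEXT_HINT_EXTENSIONS = {".txt", ".doc", ".docx", ".xls", ".xlsx",
                             ".pdf", ".jpg", ".png", ".zip"}


def _is_within(child, parent):
    """True when child lies under parent (after resolving symlinks)."""
    try:
        Path(child).resolve().relative_to(Path(parent).resolve())
        return True
    except ValueError:
        return False


def audit_layout(dropbox_dir, raw_dir, mount_dir):
    """Check the layout the post recommends: encrypted folder inside Dropbox
    and dot-prefixed, mount point outside Dropbox, volume initialised, and no
    stray plaintext in the raw folder. Returns a list of problem strings."""
    raw_dir, mount_dir = Path(raw_dir), Path(mount_dir)
    problems = []
    if not _is_within(raw_dir, dropbox_dir):
        problems.append("raw folder is not inside Dropbox, so it will not sync")
    if not raw_dir.name.startswith("."):
        problems.append("raw folder is not dot-prefixed; it stays visible and "
                        "invites accidental plaintext drops")
    if _is_within(mount_dir, dropbox_dir):
        problems.append("mount point is inside Dropbox: decrypted files would sync")
    if not (raw_dir / ENCFS_CONFIG).is_file():
        problems.append(f"no {ENCFS_CONFIG} in raw folder: not an initialised EncFS volume")
    for p in sorted(raw_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in PLAINTEXT_HINT_EXTENSIONS:
            problems.append(f"possible plaintext file in raw folder: {p.relative_to(raw_dir)}")
    return problems


def observer_view(raw_dir):
    """What anyone with access to the raw folder (the sync provider included)
    still learns although contents are encrypted: counts, sizes, timestamps."""
    entries = list(Path(raw_dir).rglob("*"))
    files = [p for p in entries if p.is_file() and p.name != ENCFS_CONFIG]
    return {
        "file_count": len(files),
        "dir_count": sum(1 for p in entries if p.is_dir()),
        "total_bytes": sum(p.stat().st_size for p in files),
        "newest_mtime": max((p.stat().st_mtime for p in files), default=None),
    }


def demo():
    """Build a constructed layout in a temporary directory and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        dropbox, raw, mount = home / "Dropbox", home / "Dropbox" / ".encfs", home / "eDropbox"
        raw.mkdir(parents=True)
        mount.mkdir()
        (raw / ENCFS_CONFIG).write_text("<!-- constructed stand-in for the EncFS config -->")
        # Opaque name standing in for an EncFS-encrypted file (constructed).
        (raw / "x5Q2kNw-aBcDe").write_bytes(b"\x00" * 4096)
        # A plaintext spreadsheet dropped into the raw folder by mistake (constructed).
        (raw / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 1020)
        return {
            "good_layout": audit_layout(dropbox, raw, mount),
            "mount_inside_dropbox": audit_layout(dropbox, raw, dropbox / "plain"),
            "observer": observer_view(raw),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point the three arguments of audit_layout at your own Dropbox folder, raw folder and mount point to run it against a real setup; observer_view on the raw folder is a quick way to see exactly which file counts, sizes and timestamps remain visible to the service after the contents themselves are encrypted.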

Please let us know how EncFS works for you, if you find other solutions that work better, or how your company is addressing secure file synchronization.