Presentation: Security and Governance in the Cloud

Here is a presentation that I did recently for NHS CIOs and CCIOs.

It is all about how NHS England has followed a journey to cloud services and the IT Security & Information Governance issues we had to deal with along the way. It tries to also show other NHS organisations how they might work towards similar aims.

DSC vs. GPO vs. SCCM vs. MDM

Microsoft Windows administrators now have a number of ways for managing their estates.

  • Group Policy (GPO)
    Allows very fine-grained control over every aspect of Windows. Primarily aimed at Windows desktops. Requires Active Directory (AD) and very careful configuration. Requires well trained specialist staff to get it right.
  • System Center Configuration Manager (SCCM)
    Allows central control over software delivery. Also requires AD. Configuration of delivery packages can be complex and very careful change control is required. Software delivery via SCCM can also be intrusive to users. Requires well trained specialist staff to get it right.
  • Desired State Configuration (DSC)
    Though extended by Microsoft, this is actually part of a wider open standard, “Open Management Infrastructure”, and so applies to other platforms as well, including Linux. Mainly aimed at server configurations. Falls into the DevOps camp as it defines server configurations in purely text format and so can be put under source control easily. DSC is typically dynamic and enforces the correct configuration (normally every 15 minutes), which greatly helps ensure secure configurations.
  • Mobile Device Management (MDM)
    Primarily aimed at mobile devices, this style of configuration is increasingly applicable to Windows desktops with the advent of Windows 10. Microsoft Intune is leading the way, with other MDM vendors following on. Not everything on the desktop can yet be controlled this way, even with W10, but many key settings and controls are already available. A much simpler method for enforcing desktop settings than the other methods, it allows fewer administrators and much less specialist knowledge.

The article from FoxDeploy covers the first three of those and lays out the purpose of each. Well worth a read.

What is missing is the 4th method, which uses Mobile Device Management tooling. The leading contender for this is Microsoft Intune. However, Intune is really only focussed on Windows 10 (desktop and mobile); it has limited control over other operating systems.
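As an added example (not from the original post or from FoxDeploy), here is what the DSC approach described above looks like in practice: a configuration written as plain text that can be committed to source control, plus the Local Configuration Manager (LCM) settings that make the node re-check itself every 15 minutes and correct any drift. The resources chosen (the Windows Update service, the Telnet client feature and the SMB1 registry switch) are illustrative assumptions for a server baseline, not settings taken from the post.

```powershell
# Added example: a minimal DSC configuration plus the LCM meta-configuration
# that re-applies it every 15 minutes. Not from the original post; the specific
# settings enforced below are illustrative assumptions for a server baseline.

Configuration BaselineServer {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Keep the Windows Update service enabled and running
        Service WindowsUpdate {
            Name        = 'wuauserv'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Keep the legacy Telnet client off the server (assumption: not needed here)
        WindowsFeature TelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }

        # Keep the SMB1 server protocol disabled via its registry switch
        Registry DisableSmb1 {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

# LCM meta-configuration: check the configuration every 15 minutes and
# auto-correct drift rather than only reporting it.
[DSCLocalConfigurationManager()]
Configuration BaselineLcm {
    Node 'localhost' {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile both configurations to MOF files (plain text, source-controllable)
# and apply them to the local node.
BaselineLcm -OutputPath .\BaselineLcm
Set-DscLocalConfigurationManager -Path .\BaselineLcm -Verbose

BaselineServer -OutputPath .\BaselineServer
Start-DscConfiguration -Path .\BaselineServer -Wait -Verbose

# Returns $false whenever the node has drifted from the compiled configuration;
# with ApplyAndAutoCorrect the LCM will put it back on the next 15-minute cycle.
Test-DscConfiguration
```

Because the MOF output is generated from this text, a change to the baseline is a reviewable commit rather than a click through a GPO editor, and the 15-minute auto-correct cycle is what turns a one-off hardening step into a continuously enforced state.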

Servers only ever exist in a given state. If they deviate or we make changes, we refactor and redeploy. DSC drives it all and the machine will be up and running on a new OS, with data migrated in a matter of minutes.

For all practical purposes, the first true large scale management tool we had for Windows systems in the modern era was Group Policy, or GPO as it is commonly truncated.

Comparatively, SCCM and MDT allow us to import an image from a Windows install disk and then run dozens of individual steps which are customized based on the target machine's platform, model, office location and other factors. The sky is the limit.

Curated from DSC vs. GPO vs. SCCM, the case for each. – FoxDeploy.com

Stay Secure! The Latest Recommendations for IT Security

Individuals and enterprises do not understand the value of their Information nor how to protect it. This article attempts to reveal simple and practical ways to protect IT assets and outlines some of the latest thinking and tools from industry experts.

IT Security changes over time and it is important to stay abreast. New threats are appearing all the time and so threat management also needs to change.

Here are some tips and pointers to the current thinking in IT Security.

Back in February of this year (2013), the Centre for Strategic and International Studies (CSIS) in the USA published a short but to the point paper on how to successfully combat the majority of current cyber security threats. The paper gives an excellent background to the latest threats without getting too technical. But the great thing is the 4 steps that they give to combating the majority of current threats.

These are summarised as:

  1. Use application “whitelisting” to help prevent malicious software and other unapproved programs from running.
    While this is not quite as convenient for users, some of whom want to run anything they like, it is vastly superior to spending money on Anti-Virus tools that can slow down PCs and often fail to catch the key malware. Of course, Anti-Virus tools do provide additional protection and should continue to be used.
    Example products for whitelisting are: SecureAPlus (review on gHacks), McAfee Application Control, and several others.
    See also the SANS whitepaper “Application Whitelisting: Panacea or Propaganda” which describes the issues and opportunities in detail and gives useful conclusions. There is also a write-up on application whitelisting on Tech Republic, and another on InfoWorld.
  2. Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, and web browsers.
    Patching schedules need to be vastly accelerated for most organisations. Having 2 or 3 “updates” a year leaves vast open security holes in enterprise infrastructure that is just asking to be compromised. Patching of key applications such as those listed here needs to happen weekly at least, as soon as possible is best. The bad guys aren’t waiting, they change their toolkits within hours to exploit newly found vulnerabilities.
  3. Patch operating system vulnerabilities, for the same reasons discussed above.
  4. Minimize the number of users with administrative privileges, the highest level of authority to make changes or undertake actions on a network.
    Users with administrative privileges are the goldmine for the bad guys. They are the easy back door into the heart of your enterprise systems.

According to these papers, following these simple rules is likely to protect against 80-100% of common enterprise attacks right now.
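As an added example (not from the original article or from the CSIS paper), here is a read-only PowerShell audit that reports where a single Windows machine stands against the four steps listed above: whether an AppLocker whitelisting policy is enforced, how old the most recent OS patch is, which versions of the commonly targeted applications are installed, and how many accounts sit in the local Administrators group. The thresholds (7 days for patch age, 2 local administrators) and the list of application names to match are assumptions for illustration.

```powershell
# Added example, not from the original article: audit the four CSIS controls
# on the local machine. Thresholds and the application name pattern are
# assumptions; adjust them to local policy.

function Get-FourStepAudit {
    param(
        [int]$MaxPatchAgeDays = 7,   # assumption: newest patch should be younger than this
        [int]$MaxLocalAdmins  = 2,   # assumption: built-in Administrator plus one break-glass account
        [string]$AppPattern   = 'Java|Flash|Adobe|Reader|Office'   # assumption: apps called out in step 2
    )

    $result = [ordered]@{}

    # Step 1: application whitelisting. Count AppLocker rule collections that are
    # actually in 'Enabled' (enforce) mode rather than 'AuditOnly' or 'NotConfigured'.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforced = @()
    if ($policy) {
        $enforced = @($policy.RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            Select-Object -ExpandProperty RuleCollectionType)
    }
    $result['WhitelistingEnforcedFor'] = $enforced
    $result['WhitelistingOk']          = $enforced.Count -gt 0

    # Step 3: OS patch age, taken from the newest installed hotfix.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($latest) {
        $ageDays = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        $result['NewestOsPatch']    = $latest.HotFixID
        $result['OsPatchAgeDays']   = $ageDays
        $result['OsPatchOk']        = $ageDays -le $MaxPatchAgeDays
    } else {
        $result['NewestOsPatch']    = $null
        $result['OsPatchAgeDays']   = $null
        $result['OsPatchOk']        = $false
    }

    # Step 2: application patching. Get-HotFix does not cover third-party apps,
    # so list the installed versions of the named applications from the uninstall
    # registry keys (both 64-bit and 32-bit views) for comparison with vendor advisories.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $AppPattern } |
        Select-Object DisplayName, DisplayVersion |
        Sort-Object DisplayName -Unique
    $result['TargetedApps'] = @($apps | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" })

    # Step 4: local administrators. Use the well-known SID so the check works
    # regardless of the group's display language.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
    $result['LocalAdmins']   = @($admins | Select-Object -ExpandProperty Name)
    $result['LocalAdminsOk'] = $admins.Count -le $MaxLocalAdmins

    [pscustomobject]$result
}

# Run the audit and show each finding on its own line.
Get-FourStepAudit | Format-List
```

The script changes nothing; it only reports. Running it regularly (for example from a scheduled task that writes the output to a central share) gives a simple trend of how quickly the estate is patched and whether the administrator count is creeping up, which are the two findings from the list above that most often slip without anyone noticing.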

For the latest on the underbelly of the Internet and the current threats, take a look at the blog of Brian Krebs – Krebs on Security. In particular, I strongly recommend reading and paying attention to his article: Tools for a Safer PC. Also pay attention to his article The Scrap Value of a Hacked PC, which describes just why the bad guys want your PC even though you think there is nothing of value on it.

Microsoft 64-bit Application Support (lack-of)

Microsoft’s 64-bit support is still sorely fragmented as we find out with a brand new laptop trying to access Microsoft SharePoint.

The joys of working with Microsoft products!

So I have a brand-new, shiny 17″ HP laptop. 64-bit throughout. 6GB of RAM and comes pre-installed with 64-bit Windows.

You would think, then, that you would want to use 64-bit applications right? Wrong!!

I automatically use the 64-bit version of Internet Explorer to access some Microsoft specific sites (Outlook Web Access and SharePoint 2007). I install and use the 64-bit version of Microsoft Office. Does this work well with SharePoint (from Microsoft)? No!

For starters, you cannot upload an Excel spreadsheet to a SharePoint list like you should be able to. You get an error:

This feature requires Microsoft Internet Explorer version 5.0 or later, and Windows 95 or later.

Next you try to switch a list into a “Datasheet” view – which looks a bit like a spreadsheet. Inevitably, you get another error:

The list is displayed in Standard view. It cannot be displayed in Datasheet view for one or more of the following reasons: A datasheet component compatible with Windows SharePoint Services is not installed, your browser does not support ActiveX controls, or support for ActiveX controls is disabled.

To fix these errors, you then have to download and install “2007 Office System Driver: Data Connectivity Components“.

And you have to use the 32-bit version of Internet Explorer 9 (IE9).

Enterprise System Design and Accessibility

Most web designers are well aware of the need to design with accessibility in mind and that this is a legal requirement in many countries.

Not so many IT architects and designers who deal with internal, enterprise systems are aware, though, that these laws and requirements also apply to internal systems.

Recently I’ve yet again seen a number of dreadfully designed user interfaces (UI) for enterprise systems that most certainly don’t meet usability standards let alone accessibility standards!