Tag Archives: Business Practices

Are the Advantages of BYOD Worth the Security Risks?

Check Point Software recently released their Third Annual Mobile Security Survey, highlighting the impact of mobile devices on IT security. They surveyed more than 700 IT and security professionals in the U.S., Canada, Germany, the U.K., Australia, and New Zealand, and the respondents were spread fairly evenly across the spectrum of business sizes, with the largest segment (29%) coming from businesses with between 100 and 1,000 employees.

Here are some of their key findings (quoted from the site linked above):

  • The Greatest Threat Resides Within Your Organization – 87 percent of surveyed professionals believed that the greater security threat to mobile devices were careless employees. Nearly two-thirds of the respondents believed that recent high-profile breaches of customer data were likely due to employee carelessness.
  • Proliferate Use of Personal Mobile Devices on the Corporate Network – Despite careless employees as the weakest link into businesses, 91% of IT professionals saw an increase in the number of personal mobile devices connecting to their networks over the past two years. In 2014, 56% of those surveyed managed business data on employee-owned devices, up from 37% in 2013.
  • Mobile Security Incidents Expected to Rise – 2015 is shaping up to be a risky year, according to those surveyed. Of the security professionals surveyed this year, 82% expect the number of security incidents to grow in 2015. Additionally, nearly all of the respondents (98%) expressed their concern about the impact of a mobile security incident, with the greatest concern being the potential for lost and stolen information.
  • Cost of Mobile Security Incidents Continue to Rise – 2014 saw an increase in remediation costs for mobile security incidents. Of the IT executives surveyed, 42% noted that mobile security incidents cost their organizations more than $250,000.

Consider some additional trend data:

  • Computerworld predicts that BYOD smartphones will continue to grow at roughly a 30% CAGR through 2017 – from only 88 million two years ago to 328 million in 2017.
  • Rapid7 quotes a Cisco prediction that by 2016 there will be 1.62 billion mobile devices (of all kinds) in the workplace. They also state that more than 80% of the mobile devices in the workplace today are employee-owned.
  • Over a year ago (back in May, 2013), Gartner predicted, based on a global survey of CIOs, that, by 2017, more than half of companies will require their employees to supply their own mobile devices.

So let’s recap: 98% of the Check Point respondents were concerned about the impact of mobile security incidents on their businesses, 42% said that such incidents had already cost their businesses more than a quarter of a million dollars, 82% expect the number of security incidents to grow in 2015. Yet nearly all have seen an increase in the number of personal mobile devices connecting to their networks over the past two years, and, by all indications, the BYOD trend will continue and, if anything accelerate. Which brings up two obvious questions: (1) If BYOD is such a security risk, why are businesses overwhelmingly moving in that direction? And (2) What can a business do to leverage the benefits of BYOD while still limiting the exposure to security risks? Let’s look at these two questions…

Why BYOD?

  • It reduces the business’ capital outlay for mobile devices. Even in cases where businesses give their employees a cash allowance to purchase the mobile device of their choice, the company generally saves money in the long run by not being responsible for the maintenance and repair of an employee-owned device.
  • Employees are more productive when working on their preferred device. Someone who has been using an iPhone for years isn’t going to be happy about being handed a company-owned BlackBerry device. A Mac user isn’t going to want to deal with a company-owned Windows laptop – and vice versa. Younger workers in particular, who have grown up with technology, want to use what they’re accustomed to using, and will be more productive if allowed to do that.
  • Employees who use mobile devices for both work and personal matters tend to put in more hours per year – some surveys suggest as many as 240 more hours per year – than those who do not.
  • Given the above, business who do not implement BYOD may find themselves at a competitive disadvantage.

How to Do BYOD Safely
First of all, more and more organizations are implementing some form of mobile device management (MDM). According to the Check Point survey, 56% of organizations were managing the business data that exists on personal devices, up from 37% in 2013. There are numerous MDM products on the market, but I would suggest that managing the mobile device itself is only part of the problem. A complete solution would also include mobile application management (MAM) – some mechanism to deploy secure applications to a mobile device…applications that would be “sandboxed” away from an employee’s personal applications, such that the data accessed by those applications would be isolated from the personal applications, and information could not be copy/pasted from a secure application into a personal application. It would also be nice if the organization could selectively wipe the secure applications and associated data from a mobile device while leaving the employee’s personal data and applications untouched. Citrix XenMobile Enterprise is such a solution, and the following 16 minute video does a great job of demonstrating the XenMobile Enterprise user experience:

And, of course, if your users need access to full-blown Windows applications, not just mobile apps, they can securely access those applications via Citrix XenApp or XenDesktop, as we’ve been doing for years.

Bottom line: BYOD is here to stay. Businesses are increasingly turning to BYOD because of its advantages, even though they recognize that it brings with it significant security risks. It is, however, possible to gain the advantages of BYOD without compromising the security of your company data, and VirtualQube, by virtue of our longstanding partnership with Citrix, can help.

eDiscovery Part 2 – PST Files vs. Exchange Archiving

This is the second in a series of blog posts on eDiscovery, which will include video excerpts from the presentation we made at the O365 Nation Fall Conference held in Redmond last month. In Part 1 of this series, we discussed the lifecycle of an Exchange email message, what the “Recoverable Items” folder is all about, and the role of the “Single Item Recovery” feature in Microsoft Exchange.

In this segment, we discuss PST files – why you may not want people using them, how to prevent their use, and the archiving functionality that is built into Exchange 2010 and 2013 and why it’s a better option.

How Do You Back Up Your Cloud Services?

I recently came across a post on spiceworks.com that, although it’s a couple of years old, makes a great point: “IT professionals would never run on-premise systems without adequate backup and recovery capabilities, so it’s hard to imagine why so many pros adopt cloud solutions without ensuring the same level of protection.”

This is not a trivial issue. According to some articles I’ve read, over 100,000 companies are now using Salesforce.com as their CRM system. Microsoft doesn’t reveal how many Office 365 subscribers they have, but they do reveal their annual revenue run-rate. If you make some basic assumptions about the average monthly fee, you can make an educated guess as to how many subscribers they have, and most estimates place it at over 16 million (users, not companies). Google Apps subscriptions are also somewhere in the millions (they don’t reveal their specific numbers either). If your organization subscribes to one or more of these services, have you thought about backing up that data? Or are you just trusting your cloud service provider to do it for you?

Let’s take Salesforce.com as a specific example. Deleted records normally go into a recycle bin, and are retained and recoverable for 15 days. But there are some caveats there:

  • Your recycle bin can only hold a limited number of records. That limit is 25 times the number of megabytes in your storage. (According to the Salesforce.com “help” site, this usually translates to roughly 5,000 records per license.) For example, if you have 500 Mb of storage, your record limit is 12,500 records. If that limit is exceeded, the oldest records in the recycle bin get deleted, provided they’ve been there for at least two hours.
  • If a “child” record – like a contact or an opportunity – is deleted, and its parent record is subsequently deleted, the child record is permanently deleted and is not recoverable.
  • If the recycle bin has been explicitly purged (which requires “Modify All Data” permissions), you may still be able to get them back using the DataLoader tool, but the window of time is very brief. Specifically how long you have is not well documented, but research indicates it’s around 24 – 48 hours.

A quick Internet search will turn up horror stories of organizations where a disgruntled employee deleted a large number of records, then purged the recycle bin before walking out the door. If this happens to you on a Friday afternoon, it’s likely that by Monday morning your only option will be to contact Salesforce.com to request their help in recovering your data. The Salesforce.com help site mentions that this help is available, and notes that there is a “fee associated” with it. It doesn’t mention that the fee starts at $10,000.

You can, of course, periodically export all of your Salesforce.com data as a (very large) .CSV file. Restoring a particular record or group of records will then involve deleting everything in the .CSV file except the records you want to restore, and then importing them back into Salesforce.com. If that sounds painful to you, you’re right.

The other alternative is to use a third-party backup service, of which there are several, to back up your Salesforce.com data. There are several advantages to using a third-party tool: backups can be scheduled and automated, it’s easier to search for the specific record(s) you want to restore, and you can roll back to any one of multiple restore points. One such tool is Cloudfinder, which was recently acquired by eFolder. Cloudfinder will backup data from Salesforce.com, Office 365, Google Apps, and Box. I expect that list of supported cloud services to grow now that they’re owned by eFolder.

We at VirtualQube are excited about this acquisition because we are an eFolder partner, which means that we are now a Cloudfinder partner as well. For more information on Cloudfinder, or any eFolder product, contact sales@virtualqube.com, or just click the “Request a Quote” button on this page.

eDiscovery Part 1 – Lifecycle of an Email Message

Last Friday, September 26, VirtualQube was invited to present at the O365 Nation fall conference in Redmond on the subject of eDiscovery and Organizational Search in Microsoft Office. O365 Nation is a new organization created by our long-time friend Harry Brelsford, the founder of SMB Nation, and, as you might expect, most of the content at the conference was related to Office 365. However, since the eDiscovery and Search tools in question are built into Exchange, SharePoint, and Lync, the subject matter of our presentation is equally applicable to on premises deployments of these products.

This is the first of a series of blog posts on this topic, which will include video excerpts from the presentation.

It is important to note that the Microsoft tools discussed here only cover a portion of the Electronically Stored Information (“ESI”) that an organization may be required to produce as part of a discovery action. ESI can include Web content, social media content, videos, voice mails, etc., in addition to the information contained in email and Lync messages, and SharePoint content. The primary purpose of these tools is to enable you to preserve email, Lync, and SharePoint content in its original form, perform integrated searches across all three platforms – plus file shares that are being indexed by SharePoint, and export the results in an industry-standard format that can be ingested into third-party eDiscovery tools for further processing.

Since, by sheer volume, email is likely to be the largest component an organization will have to deal with, this series will begin with a discussion of the lifecycle of an email message in Microsoft Exchange – specifically, what happens to an email message when the user’s “Deleted Items” folder is emptied, and how we can insure that if a user attempts to modify an existing message, a copy of that message in its original form is preserved.

Cloud-Based VDI vs. DaaS – Is There a Difference?

With nearly all new technologies in the IT space comes confusion over terminology. Some of the confusion is simply because the technology is new, and we’re all trying to understand how it works and how – or whether – it fits the needs of our businesses. Unfortunately, some of the confusion is often caused by technology vendors who want to find a way to label their products in a way that associates them with whatever is perceived as new, cool, innovative, cutting-edge, etc. Today, we’re seeing that happen with terms like “cloud,” “DaaS,” and “VDI.”

“VDI” stands for Virtual Desktop Infrastructure. Taken literally, it’s an infrastructure that delivers virtual desktops to users. What is a virtual desktop? It is a (usually Windows) desktop computing environment where the user interface is abstracted and delivered to a remote user over a network using some kind of remote display protocol such as ICA, RDP, or PCoIP. That desktop computing environment is most often virtualized using a platform such as VMware, Hyper-V, or XenServer, but could also be a blade PC or even an ordinary desktop PC. If the virtual desktop is delivered by a service provider (such as VirtualQube) for a monthly subscription fee, it is often referred to as “Desktop as a Service,” or “DaaS.”

There are a number of ways to deliver a virtual desktop to a user:

  • Run multiple, individual instances of a desktop operating system (e.g., Windows 7 or Windows 8) on a virtualization host that’s running a hypervisor such as VMware, Hyper-V, or XenServer. Citrix XenDesktop, VMware View, and Citrix VDI-in-a-Box are all products that enable this model.
  • Run multiple, individual instances of a server operating system (e.g., 2008 R2 of 2012 R2) on a virtualization host that’s running a hypervisor such as VMware, Hyper-V, or XenServer. In such a case, a policy pack can be applied that will make the 2008 R2 desktop look like Windows 7, and the 2012 R2 desktop look like Windows 8. In a moment we’ll discuss why you might want to do that.
  • Run multiple, individual desktops on a single, shared server operating system, using Microsoft Remote Desktop Services (with or without added functionality from products such as Citrix XenApp). This “remote session host,” to use the Microsoft term, can be a virtual server or a physical server. Once again, the desktop can be made to look like a Windows 7 or Windows 8 desktop even though it’s really a server OS.
  • Use a brokering service such as XenDesktop to allow remote users to connect to blade PCs in a data center, or even to connect to their own desktop PCs when they’re out of the office.
  • Use client-side virtualization to deliver a company-managed desktop OS instance that will run inside a virtualized “sandbox” on a client PC, such as is the case with Citrix XenClient, or the Citrix Desktop Player for Macintosh. In this case, the virtual desktop can be cached on the local device’s hard disk so it can continue to be accessed after the client device is disconnected from the network.

Although any of the above approaches could lumped into the “VDI” category, the common usage that seems to be emerging is to use the term “VDI” to refer specifically to approaches that deliver an individual operating system instance (desktop or server) to each user. From a service provider perspective, we would characterize that as cloud-based VDI. So, to answer the question we posed in the title of this post, cloud-based VDI is one variant of DaaS, but not all DaaS is delivered using cloud-based VDI – and for a good reason.

Microsoft has chosen not to put its desktop operating systems on the Service Provider License Agreement (“SPLA”). That means there is no legal way for a service provider such as VirtualQube to provide a customer with a true Windows 7 or Windows 8 desktop and charge by the month for it. The only way that can be done is for the customer to purchase all the licenses that would be required for their own on-site VDI deployment (and we’ve written extensively about what licenses those are), and provide those licenses to the service provider, which must then provision dedicated hardware for that customer. That hardware cannot be used to provide any services to any other customer. (Anyone who tells you that there’s any other way to do this is either not telling you the truth, or is violating the Microsoft SPLA!)

Unfortunately, the requirement for dedicated hardware will, in many cases, make the solution unaffordable. Citrix recently published the results of a survey of Citrix Service Providers. They received responses from 718 service providers in 25 countries. 70% of them said that their average customer had fewer than 100 employees. 40% said their average customer had fewer than 50 employees. It is simply not cost-effective for a service provider to dedicate hardware to a customer of that size, and unlikely that it could be done at a price the customer would be willing to pay.

On the other hand, both Microsoft and Citrix have clean, easy-to-understand license models for Remote Desktop Services and XenApp, which is the primary reason why nearly all service providers, including VirtualQube, use server-hosted desktops as their primary DaaS delivery method. We all leverage the policy packs that can make a Server 2008 R2 desktop look like a Windows 7 desktop, and a 2012 R2 desktop look like a Windows 8 desktop, but you’re really not getting Windows 7 or Windows 8, and Microsoft is starting to crack down on service providers who fail to make that clear.

Unfortunately, there are still some applications out there that will not run well – or will not run at all – in a remote session hosted environment. There are a number of reasons for this:

  • Some applications check for the OS version as part of their installation routines, and simply abort the installation if you’re trying to install them on a server OS.
  • Some applications will not run on a 64-bit platform – and Server 2008 R2 and 2012 R2 are both exclusively 64-bit platforms.
  • Some applications do not follow proper programming conventions, and insist on doing things like writing temp files to a hard-coded path like C:\temp. If you have multiple users running that application on the same server via Remote Desktop Services, and each instance of the application is trying to write to the same temp file, serious issues will result. Sometimes we can use application isolation techniques to redirect the writes to a user-specific path, but sometimes we can’t.
  • Some applications are so demanding in terms of processor and RAM requirements that anyone else trying to run applications on the same server will experience degraded performance.

There’s not much that a service provider can do to address the first two of these issues, short of going the dedicated-hardware route (for those customers who are large enough to afford it) and provisioning true Windows 7 or Windows 8 desktops. But there is a creative solution for the third and fourth issues, and that’s to use VDI technology to provision individual instances of Server 2008 R2 or Server 2012 R2 per user. From the licensing perspective, it’s no different than supporting multiple users on a remote session host. Once the service provider has licensed a virtualization host for Windows Datacenter edition, there is no limit to the number of Windows Server instances that can be run on that host – you can keep spinning them up until you don’t like the performance anymore. And the Citrix and Microsoft user licensing is the same whether the user has his/her own private server instance, or is sharing the server OS instance with several other users via Remote Desktop Services.

On the positive side, this allows an individual user to be guaranteed a specified amount of CPU and RAM to handle those resource-intensive applications, avoids “noisy neighbor” issues where a single user impacts the performance of other users who happen to be sharing the same Remote Desktop Server, and allows support of applications that just don’t want to run in a multi-user environment. It’s even possible to give the user the ability to install his/her own applications – this may be risky in that the user could break his/her own virtual server instance, but at least the user can’t affect anyone else.

On the negative side, this is a more expensive alternative simply because it is a less efficient way to use the underlying virtualization host. Our tests indicate that we can probably support an average of 75 individual virtual instances of Server 2008 or Server 2012 for VDI on a dual-processor virtualization host with, say, 320 Gb or so of RAM. We can support 200 – 300 concurrent users on the same hardware by running multiple XenApp server instances on it rather than an OS instance per user.

That said, we believe there are times when the positives of cloud-based VDI is worth the extra money, which is why we offer both cloud-based VDI and remote session hosted DaaS powered by Remote Desktop Services and XenApp.