My Personal Security “Best Practices”

First, let me get some disclaimers out of the way: I won’t describe myself as a security expert and what I am about to share is my personal opinion, which is based on my personal experiences. By no means does this article reflect the opinions of my present or past employers, and I have no business relationship with (or gain from) any of the products or companies I mention here.

With that out of the way, I would like to share a couple of security related practices that I have adopted over the years. I sometimes get asked questions about these topics, so I hope that you find this article informative.

Let me start with passwords:

We need passwords for a ton of things in our professional or personal lives. Password complexity requirements have gone up and there is no way we can remember all of the passwords we need to use on a regular (or not so regular!) basis. There are several vendors that provide single sign-on (SSO) solutions on the web, and they basically work by establishing one master password (that you hopefully CAN remember) and then automatically logging you into your web applications or letting you look up your passwords. So far so good, except that you have to trust the vendor of this kind of solution 100% to keep your information safe and to have safeguards in place so that their employees are not helping themselves to your passwords.

Therefore, I dislike all of these types of solutions and prefer the ones where I can personally control the security and encryption of the password file. And apparently I am right given the recent hack of LastPass (http://www.engadget.com/2015/06/15/lastpass-hacked/). I used different apps over the years – first on the iPhone (http://www.apple.com/iphone/). It was eWallet by a vendor called Ilium Software and I liked the fact that it had a Windows companion app that allowed me to sync the files to the PC. These days I am on a Windows Phone (http://www.windowsphone.com/en-US/) and use a product called SkyWallet (http://skywallet.net/). It works by having a file on a share (I am using OneDrive (https://onedrive.live.com)) and it lets you personally generate and specify the crypto key to secure that master file. It also has a desktop companion application so all your passwords stay in sync between devices. It does not provide SSO, but I am actually fine with that and can simply launch the app, look up what I need, and then log in. The important part is that no third party stores my master key and the password file itself is encrypted.

What about files?

There was a time when all your files, photos, and music resided on your PC and you had to make CD-ROMs or DVDs to back up your stuff every once in a while. That was really painful. I later added secondary hard drives to protect myself from disk failure by establishing a RAID configuration, but that didn’t protect me from the total physical failure of my PC in case of hurricanes, home fires, floods, or other nasty (yet very unlikely) surprises.

I started using a product called HandyBackup (http://www.handybackup.com/), which I liked because I could simply back up my stuff. I had some $5 per month web hosting service with virtually unlimited storage that I used for the purpose, and HandyBackup allowed me to use my own encryption of the data using the Blowfish algorithm (https://en.wikipedia.org/wiki/Blowfish_(cipher)). This worked reasonably well, but had two major shortcomings: because I chose to encrypt the data, HandyBackup did not allow me to configure actual file synchronization, and I could not simply get to my files from a public terminal or mobile device. Well, it was a backup solution and a fine one at that. I used it for several years, but never had to actually restore anything during that time frame.

I finally got to like online file storage (I happen to use OneDrive, but there are many other solutions available as well). My problem here was again that I really don’t trust any company to keep my personal data safe from prying eyes, so encryption is key to me. Initially, I started by just storing photos and personal videos on the service and kept my financials and tax returns between my local machine and the HandyBackup solution. Then I discovered BoxCryptor (https://www.boxcryptor.com/en), a software solution from a German provider that allows you to automatically encrypt all your stuff in a cloud data solution. What I like about it is that it also allows you to create your personal key file, which is never stored on any third party cloud service. This suits me just fine and now all of my personal data is 100% encrypted by BoxCryptor and stored (and synced) on OneDrive. The BoxCryptor client is available for all my mobile devices, so now I am enjoying instant access to all my stuff with a high degree of privacy. Note that there is an option to store the crypto key with the vendor’s cloud service, but I chose to manage it myself. Should I ever lose it, it won’t be recoverable, so there is an added level of personal responsibility involved here.

What about my PC?

Not much to say here. Windows 8.1 / Windows 10 with BitLocker (http://windows.microsoft.com/en-US/windows7/products/features/bitlocker). Enough said. If someone steals the laptop or gets hold of my desktop PC, have fun decrypting that stuff. I have no idea if someone has tried to hack BitLocker by using brute force techniques, but I don’t think that there is another alternative that would also be seamless to the user experience. Then again, all the files I have are still encrypted by BoxCryptor, even at rest on the local machine, so I think I am good.

I personally can’t wait until the general availability of Intel’s RealSense and Windows Hello technology to simply use my pretty self as a password 🙂

What about corporate BYO things?

This could very well turn into a soapbox, so I will try to keep it brief. Some companies adopted BYO policies under which employees are allowed to bring their own mobile devices, laptops, and PCs to work. The idea was that employees could simply choose the device they like and in some cases the employer would provide a stipend to help cover the cost. I always thought that this was a terrific idea, and as an employer, I would basically use centralized application hosting with terminal servers, Citrix (www.citrix.com), VMware (www.vmware.com), etc. and virtual desktops. I would configure things in a way that none of the corporate data could be copied to the user-owned device. These technologies are so mature these days and internet access is so ubiquitous that this can easily be achieved without compromising the end user experience. The old philosophy was that everything inside a building was considered secure (because the building had access controls and physical security). I think that the new philosophy needs to be that anything in an office space is considered not secure and only things inside the actual data center are considered to be secure.

The reality is sometimes a bit different though. One group I met during my days as a Citrix consultant erred far on the side of user convenience and let employees use any device on the network without any restrictions whatsoever. People could install corporate and personal applications and also freely download all the corporate data to their personal devices. Trust over draconian security measures was the word! This worked until the day an employee quit and basically took all of her work data with her (no chance for the rest of the team to continue her projects). This is also problematic from the point of view that people sometimes join competitors, and having them keep access to critical internal data is just inviting trouble. That group also often allowed departing employees to keep the laptops that the company had paid for (especially if they were 2 years or older, as those could not really be given to new employees either). Again, with all the data, email archives, etc. Interestingly, one day my counterpart there told me that one of his team members resigned and joined a competitor. He did the right thing and turned in his (corporate owned) laptop and was honest and upfront about his move. The manager notified HR and IT, access was revoked and all seemed well until IT started tracking the person’s manager down and demanded a complete forensic analysis (to be performed by the manager, mind you) as to which files may have been copied off the device or emailed to a personal account etc. Insane. Especially given the otherwise wide open policies.

So, security is never really free, but there is always a tradeoff between security and convenience. Luckily, many vendors really make our lives convenient and enterprises have good practices and tools at their disposal to strike the right balance – if they choose to.

Florian

twitter: @florianbecker


Health Monitoring of PCoIP® Protocol with SDA

Providing the tools necessary to complete an assessment – whether it be for migrating the workforce to a new operating system, adopting a new storage solution, or incorporating virtual infrastructure into the environment – has always been one of SysTrack’s strong suits. As the landscape of IT evolved to the cloud to accommodate global business and mobile workforces, we needed to evolve our assessment capabilities just the same. Streamlining and simplifying the process for getting all the moving parts in place to perform an assessment by moving the SysTrack master system to the cloud was the first step to aligning SysTrack-based assessments with the modern IT narrative: make it simple, make it easy to use, and make managing it available from anywhere.

SysTrack Desktop Assessment is our cloud-based service for performing VMware Horizon assessments. As the service has grown in use we’ve worked to continue enhancing it through the addition of new tools and content. It’s now easier than ever to monitor PCoIP and health data with SysTrack Desktop Assessment. An interactive dashboard was added for each, and as a part of the overall service they add great value and enhance your ability to continuously monitor the state of your environment.

The PCoIP Summary dashboard allows you to trend average latency, average receive packet loss, and average transmit packet loss. The day over day trend line quickly illustrates typical values for the selected item, making it simple to spot an outlier that might warrant further investigation. Selecting a day of interest will display session summary details for that day to give you insight as to what may have caused the spike. Additionally, you can see the top 15 users by average bandwidth use as well as session summaries and top ten focus applications for a selected user.


The PCoIP Summary dashboard is a good way of monitoring specific metrics, but if you’re more interested in the general health of your systems then the Environmental Daily Health Trend dashboard can offer some great insight. Similar to the PCoIP dashboard, it provides a trend line that then allows you to select a date to drill down to more detailed data. The logical flow of the dashboard is to select a date of interest, select a system of interest based on that system’s health score for that day, and then view the health trend of the selected system. This is an easy way to uncover a particular system that may be experiencing issues leading to a poor user experience.


Once your assessment is underway it’s a good idea to be continuously monitoring and managing the health of the environment. SysTrack is, at the end of the day, all about the user experience. While providing the tools and data for doing a VMware Horizon assessment, we wanted to make sure to also provide the tools and data for looking after the users. A core component of any assessment should be examining user and environmental health to make sure there are no major issues that need to be addressed prior to completing the assessment. The PCoIP and Environmental Health dashboards allow you to do just that.

SysTrack Use Case: SDA and Image Planner

At Lakeside our mission is to provide the insight you need to make smart business decisions concerning your IT systems. We work to make sure SysTrack can deliver the data required to understand, plan for, and manage the newest technology and products in the industry. In recent years the pace of innovation has really started to gather steam with things like data center modernizations, cloud-hosted services, and new enterprise software products. Right now there’s a growing demand in the industry to offer cloud-hosted services and products, and we’ve been working with VMware to deliver an online assessment that meets that demand. SysTrack Desktop Assessment is an online tool that provides detailed data and reports to help plan for a migration to a VMware Horizon solution. The initial rollout of this service provided access to static reports, some interactive dashboards, and a data visualizer tool.

To enhance the service we’ve added access to additional tools, and in this blog we’ll explore how to use the Image Planner.

One of the biggest challenges when planning to move towards VDI is developing an adequate image plan. A typical environment could have thousands of applications, and figuring out which ones are required by which users is an extremely complex task. Image Planner automates much of the work by tracking application usage, so the suggested image plans are based on user behavior and not anecdotal evidence. Starting a new Image Planner model is simple; you just choose a name and add any system selection rules you choose, such as excluding servers.


After your model is created you have several interactive screens that enable you to tweak the model before it becomes finalized. Your options include Provision, Retarget, Automation, Delivery, and Layering. Each of these options addresses a component of the image development process and is designed to make sifting through large amounts of data seem easy. We’ll look at each of these options a little closer to see exactly what’s offered.

Provision

The Provision section displays a list of all installed software packages along with some basic information like version, number of users, and number of systems. The purpose of this section is to allow you to reduce the total image count and simplify the software portfolio. Within this section you have visibility into basic usage data, helping to reduce the complexity of the image models. This valuable insight drives important decisions about which packages should be included or excluded from all images. A simple example would be searching for Microsoft Office, an extremely common software package. The filtered results show me all installed Microsoft Office packages, versions, number of users, and number of systems installed. At this point I might make the decision to install the latest version of Office everywhere. 


Looking at the overall software portfolio for the first time, especially when performing tasks like choosing a version of Office to install everywhere, can highlight a very common issue: the number of different versions present in the environment for the same piece of software. You might uncover ten different versions of Adobe Reader, for example. This leads us to the next Image Planner section.

Retarget

The idea of Retarget is to select a single target version for a particular software package. Sticking with our example of Adobe Reader, I can filter the results to display all the versions of Reader that were discovered. At that point I can select any of them and retarget to another version. Logically I might want to choose all of the outdated versions and retarget them to the newest version. The result is a simplified model with reduced clutter. 


Automation

Unlike the previous two, this section allows you to make more general decisions that aren’t related to specific packages. You’re presented with sliders that let you set thresholds for whether or not a package is to be user installed, installed everywhere, virtualized, or published. You set your preferred threshold based on usage, except for the case of virtualization which is based on package complexity. This allows you to quickly update and iterate your model as you go through the process. 


Layering

The layering section is a very powerful method for reducing the overall image count and simplifying your model. It allows you to automatically group users with similar usage characteristics into a layer that gets delivered as a set of software packages based on those characteristics. Before the automation is done you set the maximum layer count, minimum coverage, minimum packages per layer, and minimum machines per layer. This is a great way to automate the task of deciding which users fit best with which image. In a perfect world each user would have their own image tailored to fit their exact needs, but the complexity of actually accomplishing that is not realistic. Layering can quickly and automatically accomplish this based on which users have similar software needs. 


Delivery

The Delivery section allows you to choose if a package should be delivered through a method other than installing it to the image. Your options include user installed, virtualized, or published. If a particular software package is commonly used in your environment and has a high complexity score, it would be best to leave the delivery method as installed on the image. Or, for a set of packages that have a very low usage rate, you could choose to have those be user installed. This is another good way to reduce the overall complexity of the portfolio you have to manage.


After working your way through these sections and iterating a few times the detailed results for each image can be viewed through an SSRS-style report. Image Planner works to simplify what is an inherently complex task, and in doing so it can save you a lot of time and cost. Now included as part of the SysTrack Desktop Assessment service, planning for a migration to a VMware Horizon solution is much easier. 

SDA Image Planning and Portfolio Optimization

After having completed assessments for thousands of workstations with the SysTrack Desktop Assessment service provided for VMware we’ve been inundated with requests for all kinds of features. One specific need kept coming up time and time again, and I’m happy to announce that we’re now able to provide a solution for it. With the start of VMworld not only are we going to start providing the SysTrack Cloud Edition for vCloud Air as a “SysTrack as a Service” offering with the capability to extend your data collection indefinitely into the implementation and steady state deployment phases, but we’re also offering expanded planning tools to help tackle the problem of portfolio planning.

Overwhelming feedback from users of the SDA has been that one simple addition would provide monumental benefits: access to our Image Planner. With an on-premises deployment of SysTrack it’s possible to simply build an image plan directly in the IP web application and have that imported directly into SysTrack Transform for project management. The latest update to SDA unlocks that functionality for any customer to allow cloud-based image planning and portfolio rationalization. This means that with our automation-focused web app it’s possible to build out a plan for a base image and map out user application requirements with ease.

With IP you can start with a list of systems you want to work with; you can choose to begin with all systems or a subset if you want to have multiple plans. Once you’re ready to get started you’re immediately able to start whittling down your potential inventory of applications by making choices for what to keep and what to exclude. There’s also an interface for standardizing on specific versions of software if you’ve got multiples or if you want to remove apps that serve duplicate business purposes.

The real key feature, and the one that makes IP such a valuable way to map out user entitlements, is the automation area. This allows you to pick some basic settings for when to install applications separately from a base image, when to deliver an application via RDS, or when to virtualize applications. This then maps out the user entitlements for which users in the environment need access to those applications and assigns them to the appropriate choice.

Another key feature is the addition of AppVolumes app stack planning. This appears in the Layering section of IP and provides a mechanism to automate the analysis and assignment of applications into stacks that are then associated with users. Basically it’s a way to streamline picking what applications should go where and pinpointing who should be entitled to use them.

The net outcome is a comprehensive report that contains a list of images that are required, the supporting files necessary for those images, and a complete mapping of users to the applications they require. This makes it much easier to plan a migration, and it removes quite a bit of the manual effort that would otherwise be required to ensure every user has their critical applications.

These new features are all live over at the VMware SDA site, so if you haven’t already registered get started today!

Announcing SysTrack Cloud Edition for VMware vCloud Air

One of the greatest advantages of the growing influx of cloud based solutions is the opportunity to move IT to be service oriented. The ability to take advantage of consumption based models for everything from infrastructure all the way through software subscriptions frees up substantial time that would otherwise be spent with complex and expensive provisioning and management tasks. More and more IT organizations are taking advantage of various cloud services providers to make their lives easier, and this has created a wide set of different, potentially disconnected data sources that can be difficult to unify and report across. Lakeside sees this as a fantastic opportunity not only to tie together all of the various data feeds and tracking areas necessary to understand all of the service provider performance and usage, but to also expand into offering SysTrack as a service as well. This provides a simple way to generate consistent reporting using a system of record that’s been proven across millions of endpoints with the ease of a simple subscription. This is why the SysTrack Desktop Assessment (SDA) has been expanded to provide continuing collection after the assessment, allowing the use of SysTrack through the lifespan of a transformation and beyond.

The introduction of the SDA service in conjunction with VMware has been a resounding success, and so far through that offering we’ve helped with analysis and reporting across many thousands of endpoints. With all of this activity, a resounding request that we’ve received time and time again is to provide access to this data collection throughout the lifespan of a project, and I’m happy to announce that this is now available through a subscription to SysTrack Cloud Edition for vCloud Air. Basically, if you want to keep your collection going to show how your end user experience evolves with the solutions you implement, and if you want to have meaningful, quantitative methods to resolve any end user problems that may arise, it’s as simple as continuing your SDA project indefinitely. There’s no need to provision heavy on-premises infrastructure, you’ll continue to use the interface you’re familiar with, and the solution will ramp up with you as your needs evolve. We’re also introducing some newer features that expand the value of SysTrack in the cloud and bridge the gap between a full on-premises deployment and cloud-based SysTrack.

You’ll now have access to tools like Resolve through the use of our simple SysTrack Forwarder (an easily deployed proxy service), as well as our Image Planner. That means that the full life cycle of a project can now be assessed, planned, and tracked continuously using the same toolset for fair and accurate comparison and analysis. With that it’s simple to prove that you’ve succeeded in optimizing your environment with real insight into the end user experience improvements you get with your transformation.

To see how easy it is to get started (if you haven’t already), why not register today? Just head to the registration site and start a new project. It’s simple and straightforward to begin the data collection, and, if you like the depth and quality of environmental visibility you gain, now it’s simple to keep that collection going as long as you need it.

VMware Guest Blog: SysTrack Cloud Edition for VMware vCloud Air

I’m Aaron Black, Senior Product Manager in End-User Computing at VMware, and over the course of the last few months I’ve been pleased to work with Lakeside Software to provide the SysTrack Desktop Assessment (SDA) service to our customers and partners. This cloud-based analytical solution collects system data from physical and virtual desktops to provide detailed data points useful for the planning and adoption of the VMware Horizon platform. To date, SDA has analyzed thousands of end points and provided our customers and partners almost 2000 detailed reports, based on the customer’s specific environmental data, and focusing on Horizon products and technologies. This helps customers and partners better understand their own environment and use a data-driven approach to architect the right products and solutions.

VMworld has arrived in the US and I’m happy to join Lakeside in announcing the introduction of SysTrack Cloud Edition for vCloud Air, an expansion of the functionality of the existing SDA offering that provides steady state management and continuous assessment from a SaaS-based platform. This marks a great opportunity for VMware customers to continue leveraging the powerful insights from SysTrack throughout the lifecycle of their projects. Even more importantly, it provides the ability for customers to have quantitative insight into the user experience throughout the implementation of VMware’s product portfolio. This gives our customers the confidence to move forward with the security of knowing when they’ve succeeded in their desktop transformation projects.

SysTrack Cloud Edition for VMware vCloud Air provides several areas of key value:

  1. Data Driven Validation – With no added complexity, SysTrack Cloud Edition provides a single point of reference for verifying that the environment has been improved through the use of VMware’s powerful portfolio.
  2. Scalable, Flexible Architecture – Ramp up and down as necessary for data collection with minimal or no local infrastructure requirements.
  3. Cross Platform Reporting – This solution supports virtual desktops, both persistent and non-persistent, and physical workstations. That means that as your environment evolves the data collection continues uninterrupted throughout.

SysTrack Cloud Edition for vCloud Air is helping make our customers’ transformations effective and efficient, resulting in faster adoption and more rapid expansion. As we continue our rapid innovation at VMware with expansion in key end-user computing areas it’s becoming more and more critical to have assessment, characterization, and validation of what we are providing customers as we modernize their computing estate.

To learn more read Lakeside’s white paper on SysTrack Cloud Edition for vCloud Air, and also make sure to visit the registration site to find out more about getting started with your own project.