MiBiz Newspaper
About a month ago, I received an email from the editor of MiBiz asking if I’d like to participate in a technology roundtable discussion on security.
MiBiz is a bi-weekly B2B publication covering business news in the 18 county-wide area that makes up West and Southwest Michigan. Most local businesses get the publication for free but from what I have heard, quite a few read it to see what’s going on in the area.
They ended up publishing only a small bit of what I had to say so I thought I would post my full response to the questions.
[UPDATE] Here is a PDF of the article.
What are your customers’ top technology security concerns?
We deal quite a bit with Internet Security and more specifically with online credit card transactions (ecommerce, online donations, etc…). A lot of our clients are new to doing online transactions and need someone to walk them through the process of setting everything up in compliance with their credit card merchant provider and VISA regulations.
Are cyber criminals becoming more sophisticated and how do you advise your clients to address that threat?
Dealing with cyber criminals is definitely an issue, but you can have the same problems with curious users or users that do something you didn’t plan on them doing and it opens the door for them to see more than you may want. Working through a solid and tested solution helps outline these possibilities and how to continue watching for future issues. For new customers, we often recommend a feasibility study that allows for a low-cost analysis of what is going on and defines a project plan for moving forward.
Will endpoint security solve most or all of current IT security problems?
Endpoint security means different things to different people. For us, we don’t deal as much with individual workstations but with providing secure web and email servers. Making sure you have a strong firewall, the ability to do strong encryption of data being passed around, and constantly making patches to your servers is important. Having a vulnerable machine is a large problem from the server level down to the individual machine.
A large problem with endpoint security alone often falls with trusting your users/employees to follow best practices in maintaining a secure endpoint environment. Of course you can lock them down (not entirely a bad thing), but there’s always that one person that decides to download the fun little tool that opens up your network. Skype right now is notorious for getting around firewalls and security infrastructure to work. That’s why people love it so much: it just works. But it’s also why IT professionals need to watch it and be careful how people use it, along with other tools like this.
Should vendors have any liability for insecure software?
The biggest problem I see is when companies solely rely on companies like Microsoft and Cisco to sort out and solve all security issues in a turnkey solution they can install and not worry about. It needs to constantly be monitored and evaluated. I think vendors need to stand by what they deliver and definitely be committed to fixing issues, but you can’t rely on one company to solve all insecurities.
VoIP could be the most important telecommunications technology of our time. How has it been accepted in West Michigan?
We are extremely excited about VoIP and the possibilities it brings. I think West Michigan companies are very open to it but are still trying to figure out its full value and how exactly it works. For us, we’ve been really excited about Open Source solutions like Asterisk (an Open Source PBX and telephony toolkit). The team at Elevator Up is currently outlining solutions to take more advantage of VoIP technology in the ways of user interaction. Things like connecting company ordering systems with call-in orders and reservation services.
How do you address VoIP security issues?
The biggest problem with VoIP in the area of security is public awareness of the possible vulnerabilities. From hackers being able to hijack or eavesdrop on a user’s VoIP Subscription and subsequent communications to storing VoIP conversations in email, there’s a lot to think about and work through. Depending on the commitment level of the company to keep information private and secure, it’s important to set up authentication methods and secure VPN tunnels along with monitoring the system.
Are your clients more concerned with attacks on their IT systems from outside or inside and which do you feel poses more of a threat?
Client concerns depend on the size of the organization. Our experience has been that smaller companies are more concerned about outside threats, whereas larger companies are equally concerned; they also worry about employee loyalty and controlled access to information and IT resources. It’s hard to say one poses more of a threat than the other, but inside threats seem to take a lot of effort and policy setting, so it requires you to work with more departments than just IT.
Do you find a lot of first adopters in this area, or do businesses in this region tend to opt for the tried and true technology?
I think people are realizing that tried and true technology is really a myth. There isn’t any tried and true technology - it doesn’t matter if you’re going toward Microsoft or Linux. The focus is changing from “Can I buy this off the shelf and be done with the issue?” to “How integrated can we be and how easy is it for us to change”.
Slowly but surely, West Michigan businesses are beginning to look at the technology around them and think of some extremely creative ways to use it. With the Internet as more of a development platform, we’ve already worked with a few local organizations to be completely online and automated. Using technology like this streamlines business workflow and processing while allowing people to work on more important tasks.
Look into your crystal ball. What hot new security technology and/or IT trends are you watching?
OpenID is something we’ve been pretty excited about. In its simplest form, it’s a digital identity protocol allowing for decentralized single sign-on to websites and software. A lot of companies like AOL, VeriSign, Firefox, Yahoo, Microsoft, etc… are integrating OpenID into their applications and helping bring a lot of awareness to the benefits of OpenID. Microsoft recently announced at the RSA conference this year its commitment to OpenID and integration into upcoming software. The team at Elevator Up is also integrating OpenID into soon-to-be-released software solutions.
How’s business? Are you growing, maintaining status quo or shrinking?
Our team gets along really well and we all love what we do. We’ve been steadily growing for the past few years and had a nice bump in growth over the past few months which has allowed us to hire a full-time software engineer and purchase additional web servers to offer our clients more web and email hosting solutions.
What is your forecast for your business for the immediate future?
On the web/email hosting side of our business, we’ve seen large growth in companies looking for guaranteed uptime with a high level of server redundancy. We’re continually adding new servers to our clustered environment and plan to offer some new services to businesses looking for virtualization and collaboration and messaging in the next few months.
Along with hosting, we’re currently helping a lot of organizations secure their online payment and shopping systems. There are a lot of local businesses that are doing more on the web and need to set up a more secure online infrastructure than they currently have.



Ryan Merket Says:
Great responses.
I recently had a good discussion with a cyber crimes agent for the USAF/Homeland Security. He said they spend the majority of their time investigating intrusions on Windows servers.
I guess there are a lot of rootkits, open bugs, and 0day vulnerabilities associated with Windows servers.
…and that is why I use Unix-based environments.