ATLSECCON Session: Data Protection Mishaps to Avoid

This week I am in Halifax, NS for a Veeam-sponsored event, Atlantic Security Conference (ATLSECCON).

A speaking session of mine was accepted there: Data Protection Security Mishaps that you can avoid. Here is the description:

When it comes to data protection, the risks are high. Too many times companies take adequate protections for live workloads, but are the same standards applied to the durability of the data protection scheme? Different backup technologies offer different opportunities and risks for securing the backup data.
In this breakout session, join backup expert Rick Vanover for practical security tips for data protection administrators to avoid being the next headline. Topics covered in this session include:
• Storage security strategies for backups
• Managing multiple security techniques
• Identifying backdoors from data protection solutions
• Implementing controls for each step of the data protection process

The session was very well attended and I got some great feedback! So, here’s the gist of my presentation:

Download PPTX: https://www.dropbox.com/s/k5pj45srxx6sd2r/ATLSecCon%20-%20Session.pptx

Here is a summary list of the mishaps to avoid on what I presented:

  • Today it’s more than tapes falling off the truck.
  • The primary systems are protected well; the data protection application has many surfaces and is subject to the same security rules.
  • Identify surface areas of data protection solutions. Kicker: you may have more than one data protection solution.
  • Monitor restores. A redirected restore could breach security profiles. Recommended solution includes the Veeam Restore Activity Report.
  • Have a monitoring and logging framework in place now. It’s a lot harder to set it up after an incident and know what to look for.
  • Identify where data protection logging exists. In addition to the aforementioned report, some components may have logging as well (tape moves, modules within the data protection solution, etc.).
  • Storage for backups is usually an afterthought in most organizations. Primary storage may be secured well; backup storage should have the same standards.
  • Know what frameworks are in use. VMware vSphere or System Center Virtual Machine Manager administrators can take a backup of a VM, even if they don’t have access to the guest operating system.
  • Don’t “lock your keys in your car”: don’t rely on CIFS or SMB for backup storage that is managed by Active Directory. Why? What happens when you need to restore Active Directory? Same for storing VM backups inside of your VM infrastructure. What if that’s the problem?
  • Don’t store backups at home. Get indoor public storage. It’s very affordable, has 24/7 access and can be a cost-effective alternative to storing backups (tape/disks) at home.
  • Don’t “overdo” deduplication. Don’t double or triple dip deduplication (additional security surface areas and minimal gain for a lot of I/O and CPU consumption). Additionally, beware of a Windows Server 2012 deduplicated volume encapsulated in a VHD or VHDX and copied or otherwise silently exiting the datacenter.
  • Watch the encryption vs. performance discussion. Make sure different parties don’t “temporarily” disable volume encryption because backups are slow…
  • Use the 3-2-1 rule. This simple, timeless rule can address almost any failure scenario:
    • Keep 3 different copies of your data
    • On 2 different media
    • 1 of which is off-site
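Two of the mishaps above (the 3-2-1 rule and “locking your keys in your car”) can be checked mechanically against a backup inventory. The script below is an added example, not code from the presentation or from Veeam; the inventory is constructed sample data and the Copy fields are this example’s own naming.

```python
# Added example, not from the original post: audit a backup inventory against
# the mishaps above, i.e. the 3-2-1 rule and the "keys locked in the car" test
# (a copy must not depend on the workload it protects). The inventory is
# constructed sample data and the field names are this example's own.
from collections import namedtuple

# One backup copy: its name, media type, whether it is off-site, and the set
# of workloads it depends on to be restorable (AD for SMB auth, vSphere for
# a VMFS datastore, and so on).
Copy = namedtuple("Copy", "name media offsite depends_on")

def check_321(copies):
    """Return the 3-2-1 rule violations for the copies of one workload."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies on one media type (need 2)")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems

def check_dependencies(workload, copies):
    """Flag copies whose restore needs the very workload they protect."""
    return [f"{c.name} depends on {workload} (keys locked in the car)"
            for c in copies if workload in c.depends_on]

def audit(inventory):
    """inventory: {workload: [Copy, ...]} -> {workload: [problem, ...]}."""
    return {w: check_321(cs) + check_dependencies(w, cs)
            for w, cs in inventory.items()}

# Constructed sample inventory.
INVENTORY = {
    # SMB repo authenticated by the domain it backs up, plus a same-tier snapshot.
    "Active Directory": [
        Copy("smb-repo", "disk", False, {"Active Directory"}),
        Copy("datastore-snapshot", "disk", False, {"vSphere"}),
    ],
    # Healthy: local disk, off-site tape, and an off-site object copy.
    "ERP-VM": [
        Copy("local-repo", "disk", False, set()),
        Copy("tape-vault", "tape", True, set()),
        Copy("object-copy", "cloud", True, set()),
    ],
}

if __name__ == "__main__":
    for workload, problems in audit(INVENTORY).items():
        print(workload, "->", problems or ["OK"])
```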

A special thank you to those who attended, to the ATLSECCON board for allowing me to present, and to Veeam for sponsoring!

What can you do to avoid the next cloud failure?

Companies investing in cloud-based solutions should do so very carefully, like any other technology or business decision. In an era where not all cloud solutions are made for the long haul, there needs to be some clear insight on what is a good decision today and into the future. We’ve seen two key cloud failures recently in the form of services ceasing. The first happened last year when cloud storage provider Nirvanix filed for bankruptcy, and the other recent example is Symantec Backup Exec.cloud shutting down. Aside from offerings being closed down, we’ve also seen outages of cloud-based solutions that can impact applications or content delivery.

The reality is that cloud-based solutions may not make it. There is a very diverse offering of services for companies to choose from today, and the benefits of cloud-based solutions don’t always apply to all organizations. It is also a natural conclusion to plan for some form of outage. This applies to traditional hardware and software products as well, so the decision process isn’t new; it does, however, need different handling.

So, what can you do to avoid the next cloud failure? It starts with full examination. Companies can latch on to the business benefits that a cloud-based solution brings, but part of the admission process should include a plan for evacuation. To put it another way, the cloud has infrastructure too. Things can go wrong, and it needs to be managed and protected. This applies to the providers of a cloud-based solution, and also as a fiduciary responsibility to those who subscribe to it. Taking this key approach when going into a cloud-based solution will make a material difference in what needs to happen, should a cloud failure occur.

I advise companies to take the following points into a cloud-based solution investment:

  • Ensure portability to another cloud, or back on-premise
  • Design the specification of the cloud-based solution to be ready for another public cloud, even if you have already chosen a public cloud
  • Give extra consideration to application dependencies on a particular cloud

Do you see any risk of more cloud failures? I’m sure we’ll see them, but none have been very impactful thus far. Share your predictions in this interesting category below.

Product Review: Generator Interlock for Standby Power

If you are like me, you want to have a backup plan. I do this in my professional role for data protection, why not do the same at home! Note: Consult a qualified electrician for your panel modifications.

When I lived in West Michigan, we had many occurrences of multi-day power outages and we installed an interlock kit for a safe feed for generator power. Since we’ve moved to this new house, I decided to go ahead and get a kit installed here. Here is the generator we bought in 2005 or so:

On the right side, the 4-pole interface is a 240-volt, 20-amp interface (L14-20P). Now this generator is nice, but it doesn’t have the legs to run everything in the house. Namely, I have to turn off the Rickatron lab datacenter and avoid running the air conditioner and electric dryer. Heat (natural gas), kitchen, garages and lighting however can run on this generator. I’d have liked a 30-amp / 9000 Watts or so unit, but this is what I have.

While I don’t live in such a rural area now, there is always the risk of a power outage. And the way I see it, the problem is solved either way:

Power goes out: I’m good.

Power stays on: I’m good.

My natural choice in this situation is a manual kit, I call it a “double-throw bypass switch” but basically it’s an interlock kit. I have a Siemens electrical panel at home and bought the right kit for my house and feed from InterlockKit.com.

Here is how these systems work:

  • The panel has two breakers added to bring in power, in my case 2×20 amp feeds from my generator.
  • The interlock switch keeps these two breakers off until there is a power incident.
  • When you have a power incident, you connect your generator feed and start the generator.
  • Then throw the two breakers to provide a feed from the generator that is a closed system, safe and to code.

Let’s walk through the steps. The picture below is my panel after the Interlock kit has been installed and is the normal running configuration when I have municipal power:

The top 2 right breakers are the input from the generator, and the interlock kit keeps them off during normal situations (when municipal power is on).

It’s a good idea to test the system, for the following reasons:

  • You become familiar with how the process works
  • You know the pieces and parts work
  • You will extend the life of the generator by keeping it running occasionally

To hook up the generator, a proper installation has a weatherproof box installed on the exterior of the house (with an adequate gauge going to the panel; again, leverage the qualified electrician). Part of the solution is to have a long cable going from the weatherproof box to the generator. This is shown below (and the other end of this cable goes to the generator):

Once the wiring is in place, I can switch the panel to use the generator feed. Note the steps below:

  • Stop the municipal feed
  • Switch the interlock
  • Activate the feed from the generator

 

While the generator (5500 running/7000 max Watts | 20 Amp) doesn’t have the full power for this house, it does keep the heat on, the kitchen going and all lights as well as TV and cable. This solves my concern on what to do if/when the power goes out. Further, this is the “Few-Hundred-Dollar Solution” compared to autoswitch standby systems:

Generator:  $400-600

Interlock Kit: up to $150

Electrician: up to $300

If you get a full house, auto-switch generator, it can easily get to a $10,000 solution. Further, those generators run on natural gas – which you can’t assume will be in place at all times. I keep enough fuel for 2 days of generator runtime, which is nice to ensure that I’m managing that process.

Final verdict: Interlock Kit A+ | Highly Recommend.

vSphere 5.5 B Released

Don’t let the quiet times of the holidays fool you! vSphere 5.5 B was released on 22-December 2013! vSphere 5.5 has seen the following release sequencing:

  • VMware ESXi 5.5 22-Sept Build 1331820
  • VMware vCenter Server 5.5 22-Sept Build 1312298
  • vCenter Server Appliance 5.5 22-Sept Build 1312297
  • VMware vCenter Server 5.5.0a 31-Oct Build 1378901
  • vCenter Server Appliance 5.5.0a 31-Oct Build 1398493
  • VMware vCenter Server 5.5.0b 22-Dec Build 1476387
  • vCenter Server Appliance 5.5.0b 22-Dec Build 1476389

On Halloween we had vSphere 5.5 A come out. If you have not started your vSphere 5.5 upgrade, start with the B release; then do the hypervisor updates for ESXi.

VMware KB 2057795 has good upgrade information.

Install VMware Tools on Nested ESXi with ShortURL

One of the most useful VMware Flings of all time has just come out, VMware Tools for Nested ESXi. Nested ESXi is running ESXi within ESXi or another VMware hypervisor. Fusion, Workstation and maybe Player support nesting ESXi.

We all know these few facts:

  • VMware Tools makes VMs run better
  • Nested ESXi isn’t production-ready
  • Nested ESXi is a great lab/test technique

The Fling page lists option 2: install the .VIB (an installable module for an ESXi host) directly from its download URL on VMware.com. This is “loosely” analogous to the whole OVA vs. OVF discussion, a pointer vs. a full install locally.

With option 2, you can take the full command:

esxcli software vib install -v http://download3.vmware.com/software/vmw-tools/esxi_tools_for_guests/esx-tools-for-esxi-9.7.0-0.0.00000.i386.vib -f 

And condense it to a short URL:

esxcli software vib install -v http://vee.am/esxitools -f

Here is the command being entered on an ESXi 5.5 host nested on ESXi:

(I did enable SSH, this can also be done in the DCUI however)

Before the command, the VM (nested ESXi) displayed this in the vSphere Client (Shhh… Not using Web Client yet):

After the host is rebooted, VMware Tools are running as shown below on startup:

Then in the vSphere Client, you are golden as well!

The short URL will help when installing VMware Tools by hand on a host, much like the Windows Firewall command I’ve memorized: netsh advfirewall set allprofiles state off.

So, save this command and keep it for the ages!

esxcli software vib install -v http://vee.am/esxitools -f

Enjoy! Thank you VMware Flings team, and William Lam!
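Since -f makes esxcli skip its usual dependency and acceptance-level checks, it is worth confirming where a short URL actually lands before installing from it. The script below is an added example, not code from the post or from VMware; the redirect chains are constructed, resolve_chain() shows how to fetch a real one, and ALLOWED_HOSTS is this example’s own assumption.

```python
# Added example, not from the original post: before passing a short URL to
# "esxcli software vib install -v <url> -f", resolve it and confirm the final
# download host is the one you expect. The redirect chains below are
# constructed; resolve_chain() fetches a real one. ALLOWED_HOSTS is this
# example's own assumption.
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"download3.vmware.com"}

def final_host(chain):
    """chain: list of URLs visited, first to last. Return the last host."""
    return (urlsplit(chain[-1]).hostname or "").lower()

def is_trusted(chain):
    """True only when the final host is exactly an allowed host, so a
    lookalike such as download3.vmware.com.example.net is rejected."""
    return final_host(chain) in ALLOWED_HOSTS

def resolve_chain(url, timeout=10):
    """Follow redirects with HEAD requests, recording every URL visited."""
    chain = [url]
    class Recorder(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            chain.append(newurl)
            return super().redirect_request(req, fp, code, msg, headers, newurl)
    opener = urllib.request.build_opener(Recorder)
    opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
    return chain

# Constructed chains: the post's short URL landing on the VMware download
# host, and a lookalike host that must be rejected.
GOOD_CHAIN = ["http://vee.am/esxitools",
              "http://download3.vmware.com/software/vmw-tools/esxi_tools_for_guests"
              "/esx-tools-for-esxi-9.7.0-0.0.00000.i386.vib"]
BAD_CHAIN = ["http://vee.am/esxitools",
             "http://download3.vmware.com.example.net/esx-tools.vib"]

if __name__ == "__main__":
    for chain in (GOOD_CHAIN, BAD_CHAIN):
        verdict = "trusted" if is_trusted(chain) else "REJECT"
        print(final_host(chain), verdict)
```

To check a live short URL, pass resolve_chain("http://vee.am/esxitools") to is_trusted() and only then run the esxcli command.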

Stella Artois: Chalice Can vs. Bottle review

Over time, I’ve come to fancy Stella Artois. Stella is a Belgian lager beer that really works for any situation. Recently in the states, I’ve seen the new Chalice can, a 440 cl container that I’m convinced is better than the bottle! Here is my first video comparing the chalice can with the bottle:

I’ve long thought that the chalice can outperforms the bottle in terms of smell, taste, head and drinkability. Watch this video to see the results:

Do you have the Stella Chalice can available in your market? I encourage you to check it out if so. Does the can outperform the bottle for you? Share your feedback below.

The business of airlines: Adapt or die

Those of you who know me well will eventually find out the three things that I know best. I only do one of them for my day job, so chances are you could guess one of them. But the three things I know best are:

  • Computers
  • Airplanes
  • Cooking

Oddly, a person I know quite well aligns in a very similar fashion: Jason Perlow. Jason is a great communicator, a frequent guest on the Veeam podcast with me, an excellent techie and WOW his food creations are amazing.

Anyways, Jason had two recent blog posts that caught my attention: “Delta SkyClub: Hitting the bottom shelf” and “Delta, United engage in mileage shenanigans with American Express”.

I read all of Jason’s posts and see where he’s coming from. I disagree with his criticisms of both program changes. His accounts of the facts are right: loyalty programs and lounge access are effectively monetized.

I believe these actions by Delta and like programs are justified.

Let’s start with the club program. I’ve had access to the Delta Sky Club (formerly the Crown Room) since 2002 or so with my American Express credit card. I have noticed the new Luxury Bar service, and to an extent agree with Jason’s post. I would choose Blue Moon (I prefer unfiltered Belgian Wheat Ales) or Stella Artois as well, which are now part of the Luxury Bar service. I have purchased Stella Artois as it is served in the proper chalice. I only drink beer there; I’m not sure what my wife will do as she only drinks Bailey’s. She’ll probably settle for wine.

Regarding the spend requirement for loyalty programs, as it turns out, I am in good shape with that program with no changes. The Delta program shows you your performance; here’s mine below. The Medallion Qualification Dollars figure is estimated, and I’m on track for my status next year based on 2013 performance.

Both situations sound oddly familiar to what we have to do in computers. We have to change the process, or the business model, from time to time. This may be necessary to survive.

The last 13 years have been absolutely brutal on the airlines. The inventory management practices that have been delivered from all of the web booking engines (AKA business intelligence around the sales process) have really made it tough for the airline. I think in 2000, Delta was profiting around 6-10 Million US Dollars per day.

The change in the industry has been remarkable. Sure, we’ve lost food service on flights. Sure, it is now harder to get to talk to someone when things go wrong. Sure, we have limited flight options from what we had a number of years ago. Sure, we also now pay fees for many things: good seats, bag checks, some foods and drinks.

But the business changed. In fact, it had to. Air fares have gone down. Operational costs, in particular fuel, have gone up. Something had to give.

This is the classic case of an industry under pressure, and Delta has been atypical in its financial performance, which has led to its success. This is also an industry that deals in single-digit profits and margins. When the losses come in, they come in bad. I remember hearing about quarterly losses in the middle part of the last decade being 2 Billion US Dollars (per quarter!). The June 2013 quarterly report stated this:

Delta’s net profit for the June 2013 quarter was $844 million, or $0.98 per diluted share, excluding special items. This result is a record June quarter profit excluding special items and is a $258 million improvement year-over-year.

This doesn’t happen without some change.

I respect you, Jason Perlow, but disagree because the business has to change.
