Email and Collaboration

July 14, 2008

I saw this article pop up on a blog the other day so I thought maybe it would be a good time to discuss Zimbra as a good solution for email and collaboration for a small business.  Until about 6 months ago, my company was running a simple and free SMTP/IMAP server with web access by SquirrelMail.  This all worked great for mail and of course it was great since it was free.  For our meeting/calendar system though, we were using MeetingMaker.  This wasn’t free and there were several things we did not like about it.

  1. By default, it would not do LDAP authentication.  So everyone had to remember a different username/password and manage keeping them in sync.  To get this capability was more money.
  2. It did not integrate at all with the mail client.  Again, I think there were some connectors you could buy or publish as ICS, but at that point the security model wasn’t proven out.
  3. It did not support over the air synchronization with wireless devices without several add-on packages.

So about six months ago, when we had used up all our MeetingMaker licenses and knew we would be hiring some new people soon, we decided to hunt around for a new solution.  Our goals were, basically, to make up for the 3 flaws listed above.  We wanted an integrated mail/calendar system, preferably with other collaboration features as well such as task lists, contact storage, etc.  We wanted something that would allow us to do LDAP authentication with our existing LDAP servers.  We also wanted something that supported OTA synchronization with wireless devices.  As always, we also prefer open source.

Looking around, we found two main options.  The Kolab project looked fairly promising, but had a few big question marks on it at the time.  At the time, the web interface (using Horde) was not fully completed.  It also had a somewhat unfavorable and unfriendly installation.  They had everything packaged together with another system that was meant to ensure all the correct versions of everything got installed, but I ultimately found it very difficult to work with.

The other potential solution we came across was Zimbra.  This looked very promising.  It was open source, had all the features we were looking for (some did have a fee, but we weren’t completely opposed to that), and had been proven a little more than Kolab had with several large installations we could refer to.  So we ended up choosing Zimbra, though we did end up going the Network Edition route with the “Zimbra Mobile” addition, but all in all, it still came out to about the same as we were paying just for our meeting system before.  So it was still a very good deal.

Zimbra does offer their open source edition and if you aren’t looking for OTA synchronization with mobile devices or a few other features (a scripted backup/restore process, rebranding, domain level administration) then the regular, free edition will probably work great for you.  I definitely encourage anyone interested to give it a try and let me know your results.


Monitoring

July 11, 2008

We recently did a search for some good network monitoring software.  It wasn’t specifically required by the SAS 70 audit, but it has greatly helped us in monitoring server/application availability as well as getting notified of outages or other events (disks nearing capacity, etc).

We looked around and there were several solutions out there, but ultimately we decided to go with Zenoss.  It was open source and the free edition had all of the features we were looking for.  It can perform all sorts of different monitoring and make use of things like SNMP and even use existing Nagios tests.

We’re still playing with some of the tests and trying to figure out some good indicators of issues that we can set notifications on, but all in all, it was a very simple setup and configuration.  I would definitely recommend this product to anyone that wants to be able to monitor availability and performance on their network.


Is Linux ready for your Small Business?

July 10, 2008

I ran across a great article this morning informing small businesses about the viability of switching over to Linux instead of Microsoft Windows.  If any of you have read my blog before you probably know I’m a big Linux proponent.  I also made this suggestion in my post about Microsoft’s decision to stop shipping XP.  The article does a good job at pointing out some of the benefits of Linux and potentially a few issues as well.  They also have a good post listing some common Linux replacements for Windows applications.  I’m not sure I agree with all of their suggestions, but they are good points.  I would definitely suggest Mozilla Firefox over Konqueror as a browser, but other than that, they make some great suggestions.

They also mention Windows applications running under Wine, using virtualization to still run Windows, or dual booting.  Honestly, I don’t think any of those would be required.  The main issue you will run into if you decide to go this route is convincing your users and training them on the new applications.  Many of them won’t need much training, but there will definitely be little things along the way.  I do have some very helpful tips for anyone considering this though.

Start Slow. Don’t try to switch everyone over to Linux overnight.  The best route I would suggest is to first ask for volunteers.  If you know some closet Linux fans, go after them first.  The goal of this phase is to win over a few employees that can help convince the rest of the employees.  If you can get a regular, non-IT employee to start using it and they buy into it and enjoy it, their testament will be much more convincing than anything any IT employee could say.  If the user REALLY likes it, or if the user is a higher up manager, and they are very influential with the other employees you may even get a grass roots movement on your hands where the vast majority of users are requesting to be switched over to Linux.

Start Switching Applications Now. When you decide to start down this road, one of the best things you can do is to start switching applications now.  Start installing Firefox on your Windows machines and encourage users to use it instead of IE (I would even suggest changing the default browser).  Most Linux IM clients also have a working Windows version.  Install OpenOffice and remove Microsoft Office.  That last one will probably cause the most complaints.  If you don’t want to completely remove Microsoft Office yet you can just change the file associations so by default documents open in OpenOffice instead of Microsoft.  I would also suggest changing settings in OpenOffice so that, by default, it will save documents in the Microsoft 97-2003 formats.  These steps will at least get your current Windows users used to the new applications so when you switch them over to Linux it won’t be as big of a change for them.

Those two steps are really the most important two things to do in order to make this transition easier.  I would definitely suggest at least giving it some thought as it can save your organization a good amount of money.  If anyone has any success (or failure) stories with any such transitions I’d love to hear them.


Best IT Jobs

July 9, 2008

I came across this article this morning about the best IT jobs that can be fairly safe from outsourcing.  It reaffirms a belief I’ve held for the past couple of years about the future of IT.  Strict coding jobs are definitely a very good candidate for outsourcing, so maybe not quite that safe of a long term career plan.  As much as it pains me to say that because I love coding.  However, in all honesty, just about anyone can code.  Yes, you will definitely get a wide variety of quality of code, but it is definitely the easiest part of the process to outsource.  So what jobs in IT are safe?

Many, many articles have been written recently about the growing strategic role that IT plays in business…especially large businesses.  IT is no longer expected to just sit back and wait for projects to come to them and do what they are told.  They are expected to find ways in which they can strategically apply technology to help the company reach its goals.  So, the individuals that can do this are the ones that are going to bring the most value to a company and be the least likely to be outsourced.  So the architects, business analysts, and people with strong design skills are pretty safe positions.

In my opinion, the IT field as a whole is still a great field to go into.  There are many different aspects of the job and you can easily get a wide variety of things to work on.  Not to mention that the pay is pretty good as well.  But, with the outsourcing scare, it is a bit on the competitive side.  So, what is my advice to anyone in the IT field that worries about their job getting outsourced?  Get to know the business.  Become very familiar with exactly what it is your company does from an operational standpoint but also business practices in general.  I definitely think there is a growing demand for someone (like myself) with a bachelor’s degree in computer science and an MBA as well.  But even if you don’t want to go through the work of getting an MBA, at least get familiar with your company’s business.  Look for inefficient processes that you think technology could improve and start making suggestions.  Most importantly, don’t get discouraged if your suggestions are shot down, just look for more.  Companies will really value this initiative and your knowledge of the business.


Intuition over Intelligence

July 8, 2008

I stumbled across this interesting post this morning which reaffirmed a belief I’ve held for a long time and which most small business owners/managers probably know very well.  The article summarized a report that studied CEOs from some of the largest companies in Britain.  It found that many of them (7 out of 10) cited their experience in team sports as positively influencing their career.  It goes on to point out that a majority of those were far more successful on the sports field than in the classroom.

The study goes on to say that this team sports experience has honed the skills of these CEOs to be more intuitive rather than intellectual thinkers.  In other words, they rely on their intuition, gut, and past experience rather than any theory they learned in school.

I would definitely agree, especially for small businesses, that a majority of decisions are made from intuition, as I think they should be.  I can also see how team sport activities would greatly improve certain skills that are key to being a good CEO.  Good CEOs must be good leaders and must be self-confident.  Team sports definitely build both of those skills.  On top of all of this, I do think schooling is very important as well.  While team sports help build your leadership skills and self-confidence, schooling will help build your base of knowledge on which your intuition will draw.  So I definitely don’t think this study is trying to say school is not important, it is just stressing the fact that intuition and logic very often play a much greater role in business decision making than theory does.  But you need to have a wide base of knowledge and experience for your intuition to come to the right conclusions.

So what does this mean for future generations?  If we want our children to be successful, what should we do?  I think it’s pretty obvious…in addition to making sure they are working hard at their classes, we should also make sure they are involved in more than just studies alone.  We should encourage them to get involved with team activities (be they sports or other types of teams) that encourage building leadership and communication skills.


License Audits on the Rise

July 7, 2008

Okay, so fresh back from a long holiday weekend and my brain isn’t quite up to speed yet, so today’s post is going to be a short follow-up to my recent post on License and Patch Management.  According to this article, software license audits are on the rise partly due to an increase in the use of open source.  Vendors are trying to squeeze more money from current clients so they are verifying the license agreements are actually being followed.  It points out that a good strategy to plan for this, as well as likely lower your current costs by eliminating some excess licensing, includes the following steps…

  • Meter – Accurately count the number of deployed licenses to reconcile against license entitlement.
  • Adjust – Continuously reduce the number of licenses deployed.
  • Standardize – Diminish software-version and vendor inconsistencies.
  • Monitor – Actively police non-approved software to enable fast remediation.

The system I mentioned in my previous post, the KBOX 1000 from Kace, can definitely help with all of this.  It can do metering and monitoring to help you out.  Probably the best advice in this article, in my opinion, would be the standardization.  Once you are monitoring the software installed on all of your managed computers, you can find out if users are using two separate pieces of software from different companies under different licenses to do the same thing.  Likely, picking a standard solution in these cases and getting a bulk license can save you a good 5-10%.  I would also encourage you to research some open source alternatives to software you are currently paying for.  We are actively trying to replace Microsoft Office with OpenOffice as much as possible and are having quite a bit of success with it.


Lose a Laptop Recently?

July 3, 2008

I happened to stumble across some new support options from Dell that may come in handy if you (or an employee) are prone to losing a laptop.  Of course, anyone with a laptop is capable of losing it or having it stolen, but as we know, some people are just a little more forgetful than others.  I have no idea what sort of pricing Dell is putting on these services, but you may want to investigate and see if the cost helps mitigate the risk…or at least gives you a warm fuzzy feeling that makes it easier to sleep at night when the forgetful executive is on the road.  Here are the two main options of interest.

Laptop Tracking & Recovery.  Definitely the more interesting of the two, with this service Dell has built some additional software into the BIOS to “phone home” whenever the computer hooks up to the internet.  It will report as much location information as possible, which, unless you have GPS capabilities on the laptop (which was mentioned in the details) is probably just an IP address which can be traced to an owner.  If the thief is smart about it, this IP information will be fairly useless so I would recommend going with a model that includes the GPS capabilities if this feature is really important to you.

Of course, we also have to think about the risk mitigation this provides.  The major risk of losing a laptop is losing the data on the laptop, correct?  I mean, let’s face it, replacing a laptop really isn’t that expensive, but losing sensitive information can be detrimental to your business.  So, does this really protect against that?  Well, I would argue it depends on the thief.  If the thief stole the laptop with intent of harvesting corporate information, this plan is probably going to be useless.  Probably the first thing the thief will do is dump the entire drive off to a copy.  Depending on what is found on the computer, it’s quite likely it will never even get connected to the network if the thief is smart.  However, if someone just swipes the laptop for the sake of swiping a laptop, this could be very useful.  That sort of thief will likely not be as smart and is stealing the laptop to be able to use (or sell) a laptop.  So it is very likely the laptop will get re-connected to the internet at some time and the data may never leave the laptop.  And of course there’s the lost laptop.  If you think you are fairly likely to lose the laptop and aren’t as worried about targeted theft, this plan may make sense for you…that is, of course, assuming someone does find the laptop, boots it up, and gets it connected to the internet so it can phone home.

Remote Data Delete.  The second option I found interesting was the capability for Remote Data Delete.  Using this option, if the laptop was stolen, you can launch a remote delete command which will use the same software as before.  Again, this will only work when the laptop is connected to the internet.  So using the same analysis as above, this would really only be useful in the second case mentioned.  So in the case that someone actually wanted the data…this probably isn’t going to help you for several reasons.  First, as I mentioned above, the thief is likely going to take a copy of the hard drive (or physically remove the hard drive) before ever connecting the device to the internet.  Secondly, you have to initiate this delete.  This means, the theft/loss has to be reported.  Who knows how much time will exist between when the laptop is actually lost or stolen and when you are notified.  Then you have to notify Dell and launch this command.  So there’s likely quite a bit of a window in there for the thief.

So, in my opinion, I don’t think these options will really do that much to protect you.  The main fault of these plans is that they rely on the laptop getting connected to the internet.  I’m not real sure if a remote data deletion will really ever be that useful since a thief that wants the data will very likely already have the data by the time you know the laptop is stolen.  If the thief isn’t after the data, they’ll probably never notice it anyway.  You’re much better off using encryption technologies to encrypt the data on the drive.  As for the tracking and recovery, I think this is a great idea, but I’m not sure if it’s really to a point that it’s all that useful yet.  Again, I think about the only case it will be useful in is if someone steals the laptop (either from the employee or from the location the laptop was lost) for the sake of using/selling the laptop.  Some sort of RFID or satellite solution that did not depend on the device getting connected to the internet would be much more useful…though probably also more expensive.

So there you go.  If you or your employees are prone to losing laptops, you may want to consider these options, but remember my suggestions when you’re considering it to ensure you understand exactly what you’re getting and how much protection it’s really giving you.


License and Patch Management

July 2, 2008

Another issue we were thrown when preparing for our SAS 70 audit was managing license compliance and patches.  In other words, we need to know we only have Microsoft Office installed as many times as we have licenses for, and we need to know when there are updates and which computers have not applied those updates.  For this issue, we are still very much in the process of working it out.  We have a system that should help a lot, but we are still in the process of figuring it out and how best to use it.  It’s the KBOX 1000 from Kace.

We do really like the visibility the KBOX gives us.  We can now see all software installed on all our workstations, both Windows and Linux.  To a certain extent, we can also use the KBOX for automatically distributing new software and updates.  It has a patch management functionality, though I’m still tinkering with it and trying to figure it out.  It tells me patches and identifies machines it thinks need the patch, but one thing it’s really missing in my opinion is telling me WHY it thinks that machine needs the patch as I think I’ve found several times when a patch doesn’t apply to a machine.

Another thing I think it’s missing in its patching and software distribution features is the concept of dependencies.  Let’s say I have software package A and B.  If software package B must be installed after package A, there’s really no way to enforce that rule in KBOX.  Same with patches.  Some patches will have a note buried in the comments saying that some other piece of software must already be installed in order for the patch to work properly.

The KBOX does provide license management, though I’m currently waiting on the next version that has some updates, mainly the ability to create Software Families.  Currently, there’s no good way to group different versions of software together and apply the same license to all versions of the software.

So if you have similar issues, I would encourage you to take a look at the KBOX appliance as it does seem to be a very good tool in general, though I’m not quite ready to throw full support behind it without first seeing the next version (which was supposed to reach General Availability on 6/23, but as of today I still haven’t seen it).  Does anyone else have some good suggestions on how to solve these issues?


What is SaaS and What can it do for me?

July 1, 2008

Since I have mentioned I work at a software company that follows the software as a service (SaaS) model, I figure I should provide a little overview of what SaaS is and where I think it is going.  As small business IT professionals, we really have a lot on our plate and keeping up with the latest in technology isn’t always easy, so hopefully this overview will give you a good idea of what SaaS is and where/how it could be useful for you.

Basically, SaaS is software that is provided to you over the web that you pay for what you use (usually you pay for a certain number of user licenses, but there are a few different licensing/billing models out there).  To fully understand it, we can talk about some different levels of SaaS.

The first level is really just a hosted application.  In this arrangement, the software company basically installs new instances of the software you purchased that will only be used by your company.  So you really have an entire server (or multiple servers if it is an n-tier application) dedicated to your usage.  The provider may use hardware virtualization to reduce their costs, but as far as you know, it’s a server(s) dedicated to your use, be it virtual or physical.  The provider will handle upgrades to new versions but since you are on your own hardware, you can sometimes choose to opt-out of upgrades or schedule it when it is convenient to you.

The next level that really changes anything is when the software becomes multi-tenant.  It’s pretty costly for the provider to maintain separate hardware for each client, even if they are virtual servers, so the next obvious step is to host multiple clients on the same hardware.  That is what multi-tenant means.  So now your data and the data of other clients are all hosted from the same server but separated logically.  The data all lives in the same database tables, but the application separates the data out using foreign key constraints.  It’s fairly easy to tell if a provider has made this jump or not because the deployment time for a new client drastically reduces once this jump is made.  In this model, new clients can be set up very quickly as no new hardware needs to be deployed.  Access for a new client can usually be enabled in a matter of minutes.  This doesn’t necessarily mean it will be completely usable in a matter of minutes as it would not contain any customizations you require at that point, but the access to a generic instance is very quick to set up.
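To make the logical separation concrete, here is an added example (not code from any provider mentioned in this post) of two tenants sharing one table, keyed by a tenant foreign key.  The table names, column names and the TenantStore class are assumptions made for illustration.  It shows that the foreign key only guarantees each row belongs to a real tenant; it is the application's tenant filter on every query that actually keeps one client from reading another's rows.

```python
import sqlite3


def build_db():
    """Create an in-memory database with two tenants sharing one invoices table.
    All rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    db.executescript("""
        CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
        CREATE TABLE invoices (
            id        INTEGER PRIMARY KEY,
            tenant_id INTEGER NOT NULL REFERENCES tenants(id),
            amount    INTEGER NOT NULL
        );
        INSERT INTO tenants (id, name) VALUES (1, 'acme'), (2, 'globex');
        INSERT INTO invoices (id, tenant_id, amount) VALUES
            (10, 1, 500), (11, 1, 750), (20, 2, 9000);
    """)
    return db


class TenantStore:
    """Data access object bound to one tenant; every statement carries tenant_id."""

    def __init__(self, db, tenant_id):
        self._db = db
        self._tenant_id = tenant_id

    def list_invoices(self):
        cur = self._db.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,))
        return cur.fetchall()

    def get_invoice(self, invoice_id):
        # Filtering on id AND tenant_id: a valid id owned by another tenant
        # comes back as None, exactly like an id that does not exist.
        cur = self._db.execute(
            "SELECT id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id))
        return cur.fetchone()

    def add_invoice(self, amount):
        # tenant_id comes from the store, never from caller-supplied input.
        cur = self._db.execute(
            "INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
            (self._tenant_id, amount))
        return cur.lastrowid


def unscoped_get_invoice(db, invoice_id):
    """The failure mode: a lookup by id alone returns any tenant's row.
    The foreign key does nothing to stop this read."""
    cur = db.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,))
    return cur.fetchone()


def fk_rejects_unknown_tenant(db):
    """What the foreign key does guarantee: no row for a tenant that does not exist."""
    try:
        db.execute("INSERT INTO invoices (tenant_id, amount) VALUES (99, 1)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    acme = TenantStore(db, 1)
    print("acme sees:", acme.list_invoices())
    print("acme asks for globex invoice 20:", acme.get_invoice(20))
    print("unscoped lookup of 20:", unscoped_get_invoice(db, 20))
    print("FK rejects unknown tenant:", fk_rejects_unknown_tenant(db))
```

When evaluating a multi-tenant provider, this is the control worth asking about: whether tenant scoping is applied centrally in the data layer or left to each individual query.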

The only real step left isn’t really that different from the last step.  In this final step, the application must be scalable.  This really means that it should be fairly easy to increase the amount of transactions the system can handle without the end users noticing anything has changed.  This is achieved through a multi-tier architecture design.  Pretty much any application that was created to be a SaaS application is going to be designed in this way from the start, so in many cases, applications will achieve this and the previous step at the same time.  A very common architecture would be a layer for the data, which would be a database server.  The scalability of this could be achieved in a few ways.  The provider could use clustering technology to increase the size and power of a single database server, or they could distribute the data across multiple databases and add new database servers as needed.  In that case, one client is usually (but not necessarily) kept in one single database and the clients are simply spread across the different servers.  You would then also have an application server which handles all the business logic and talks to the database server.  This would be scalable by the ability to add additional application servers and use network load balancing to spread the load across the servers.  And finally, the last piece to the most common architecture would be the presentation layer.  This would be the web servers which talk to the application servers.  So as you can see, there are many ways in which this sort of design can be expanded and the clients may not even know.

So what advantage does SaaS offer for a small business?  Well, the answer is it can offer a lot.  Hosting applications on site is a very expensive operation.  You have to buy servers, you have to have room to store the servers in a controlled environment, you have to maintain the servers, and that’s just the hardware costs.  Now, for the software cost, you have to either buy or develop the software, install and configure it, maintain it and install subsequent updates.  All of this takes time and requires certain skills and experiences.  SaaS gives you the ability to push all of these tasks off onto the software provider.  Sure, your data is hosted at another location and you need to consider this risk and ensure the provider you select has proper security controls in place for your data.  But the cost savings that can be had are great.  The easiest and biggest bang for the buck you will find with these applications are the processes that every business has to perform such as payroll.  These are fairly common processes and thus it is very easy for software companies to provide SaaS solutions that will offer a few customization points that can satisfy a large number of users.  The more custom a process is to your organization, the harder it will be to find a SaaS application that will satisfy your needs.  However, you also need to consider, is this process custom because it has to be, or custom just because that’s the way we’ve always done it.  If it’s simply custom because that’s how it’s always been done, you may be able to reap good benefits and some great best practices by switching to a standardized SaaS application.


Log Management

June 30, 2008

Another issue we faced in dealing with our SAS 70 audit was log management.  Every system admin deals with this issue, we just ignore it most times.  You have all sorts of information stored in log files on all your various servers.  If you were going to review them regularly, you would probably be doing that just about all day every day if you have more than a handful of servers.  Specifically for SAS 70, we needed to have processes to review things like access logs, backup logs, etc from all of our systems on a regular basis, as well as document this review process so that we could prove someone was actually reviewing the logs.

There are several companies out there with pretty good products in this area; a Google search for log management will turn up several results such as LogLogic, EventLogManagement, and Splunk among others.  We looked into several of these, but in our opinion, the best value for our money definitely seemed to be with Splunk.  Basically, with Splunk, you set all your servers to send their log information to a main Splunk server (or several distributed ones) by either having syslog or similar services forward the data or installing the basic Splunk server on the server itself and configuring it to just forward the data to the main Splunk server.

Once all your log data is in the main Splunk server, you can simply “search” the logs just like a Google search.  If you have everything configured to extract the correct fields you could do a search like user=jsmith to see everything that John Smith has been doing: what servers he has logged into and accessed.  One very good report that this can produce is when an employee is terminated.  You can see what they accessed just before they were terminated and what, if anything, they accessed after they were terminated.  Obviously, the after termination list should be empty.  But that’s just one advantage.
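The termination report described above can be sketched in a few lines once the fields are extracted.  This is an added example in Python, not Splunk's search language and not our production setup; the log lines are constructed samples, and the key=value layout, field names and 24-hour lookback window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in "timestamp key=value ..." form, standing in for
# log data after field extraction. Hosts and users are made up.
SAMPLE_LOG = """\
2008-06-26T09:02:11 host=mail01 service=imap user=jsmith action=login result=success
2008-06-27T16:40:03 host=fs01 service=ssh user=jsmith action=login result=success
2008-06-27T16:41:55 host=fs01 service=ssh user=akhan action=login result=success
2008-06-27T16:58:30 host=db01 service=postgres user=jsmith action=query result=success
2008-06-27T18:15:42 host=vpn01 service=vpn user=jsmith action=login result=failure
2008-06-28T02:11:09 host=mail01 service=imap user=jsmith action=login result=success
garbled line without a timestamp user=jsmith
2008-06-28T02:12:00 host=web01 service=http action=healthcheck result=success
"""


def parse_event(line):
    """Return the line's fields as a dict with a parsed 'time', or None if unusable."""
    parts = line.split()
    if not parts:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["time"] = when
    return fields


def termination_report(log_text, user, terminated_at, lookback=timedelta(hours=24)):
    """Split one user's events into the window before termination and everything after.

    Unparseable lines are counted rather than silently dropped, so the reviewer
    knows whether the report is built on complete data.
    """
    before, after, skipped = [], [], 0
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            skipped += 1
            continue
        if event.get("user") != user:
            continue
        if event["time"] >= terminated_at:
            after.append(event)
        elif event["time"] >= terminated_at - lookback:
            before.append(event)
    return {"before": before, "after": after, "skipped": skipped}


def post_termination_hosts(report):
    """Hosts where the account still got in after termination (the list that must be empty)."""
    return sorted({e["host"] for e in report["after"] if e.get("result") == "success"})


if __name__ == "__main__":
    report = termination_report(SAMPLE_LOG, "jsmith", datetime(2008, 6, 27, 17, 0, 0))
    for label in ("before", "after"):
        print(label.upper())
        for e in report[label]:
            print("  ", e["time"], e["host"], e["service"], e["action"], e["result"])
    print("successful access after termination on:", post_termination_hosts(report))
    print("lines skipped:", report["skipped"])
```

A failed login after termination shows the account is being tried; a successful one shows it was never disabled on that host, which is the finding an auditor will care about.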

We are still pretty early in our setup and still working on some of the field extraction and report generation, so I’ll likely have some better examples and praises for Splunk in the near future.  For now, I’m interested in hearing how other small businesses are handling this issue.  Anyone willing to share?