Interesting Hiring Practice

July 17, 2008

I stumbled across this article about one of the hiring practices of Zappos.  Basically, they put their new employees through a rigorous 2 week training program.  After the training program, the employee is offered $1,000 to quit.  So the rigorous training program will weed out some really bad candidates and then the $1,000 offer will likely weed out anyone that is not going to be all that dedicated to the job.  Looks like a pretty good practice to ensure you get dedicated employees who want to work there.  Definitely worth some thought anyway.


The Internet Home and Forensics

July 16, 2008

Alright, I’m suffering from a bit of a brain drain this Wednesday so time for a fun and interesting post a little off topic.  Still a security post, but not really related to business as I try to keep it.  As you can tell from my blog links on the side, one of the blogs I regularly keep an eye on is the Cracked, inSecure, and Generally Broken blog.  A while back he had a post about his Jura F90 coffee maker and how it could be hacked.  This then led to a further post about Java Forensics.  In this post, Craig talks about how the information stored in the coffee maker could be of use for forensics analysis.  I think this is a very interesting topic and something we are very likely to see more about as more and more devices in the common household become “smarter”.  The personal computer is already a prime source of information for investigators.  I can’t tell you how many times recently I’ve been watching something like 48 Hours and the prosecutor brings up the fact that the individual on trial for murder had recently been searching the web for topics such as “how to kill your husband”.  So I think it will be interesting to see what other devices in our homes start telling our secrets in the years to come.

Asset Management with SaaS

July 15, 2008

I previously posted on License and Patch Management, which is very closely related to asset management.  The solution we chose for License and Patch Management, the KBOX 1000, also does asset management.  Asset Management, in general, just means keeping track of all your assets.  When we are talking about Asset Management in IT, we generally are talking about keeping track of all of our “technology” assets.  This would include computers, printers, monitors, switches, firewalls, and can also include software and licenses.  I’m revisiting this topic slightly because I recently came across a link to a company that is providing Asset Management software in a SaaS model, SAManage.

As with many, though not all, asset management packages, SAManage works using an “agent” installed on each PC it manages that reports to the server and tells the server about itself.  It can tell the server things like what OS it is running, what BIOS it is using, what hardware it’s running on, and a listing of all currently installed hardware (among other things like disk usage).  However, instead of reporting this all to a server located at your facility, in this case you set it up to report to the server at SAManage.  You can then log into their site and view/manage all of your assets.

This solution struck me as even more interesting when I downloaded their “agent” to give it a try and see how well it worked.  I noticed, when getting ready to install the agent, that I had seen this agent before.  They are using, at least on the agent side, some open source asset management software called OCS Inventory NG.  This struck me as interesting since OCS Inventory NG was the other solution we were looking at besides KBOX.  Ultimately, the patch management offered by KBOX is why we decided to go that route (though right now it doesn’t seem to be working that well).

In any case, I found the idea of Asset Management via a SaaS model rather intriguing.  It looks like they provide all the basic functionality of being able to see all your installed software and associate that software with licenses.  It appears they do some degree of patch management as they state they can alert you when a computer is missing a security patch.  However, I do also see a few key things missing on their user interface.  Mainly, the ability to manually enter assets.  There are many assets we may like to track (like monitors) that would not be able to report themselves.  If this tool can’t support manually adding those items, now you have to track these items some other way, and using two different systems for the same purpose is almost never the correct answer.  They also appear to have disabled the deployment option of OCS Inventory NG.  In other words, in OCS Inventory NG, you can set up a “package” to run on given computers that will run a script or an executable.  Commonly, this would be used to install software and is a very useful feature of this sort of software.  This may not be a big deal for people that are already using something like SMS for this, but it’s a good feature that does exist in almost every on-site Asset Management software and there is no reason it couldn’t work in a SaaS model either.

So, is SaaS a good model for Asset Management?  Well, I think SAManage looks very promising, though I think it has a little way to go before it’s really offering its full potential of value.  Two of the main things I think SAManage could do to REALLY increase the value of their offering (besides re-enabling the deployment mechanism) would be to provide update notifications and security alert services.  One reason we chose KBOX over OCS Inventory was because of the “patch management”, so we would know when new versions of software are out.  They provide this service for the standard Microsoft software, but also several other packages as well (though the list still needs a decent amount of expanding done).  It wouldn’t be too difficult for a SaaS provider like SAManage to start going through the list of software all their clients use, do checks for the most recent version of that software, and provide this information to their clients.  It could be automated by scripting in a majority of cases.  But having a list of the software I have installed and which packages have updates available would be very useful.

As for security alerts, the SaaS provider could probably do something similar to the update checks with security alerts.  So instead of checking for updates they would check for known security issues with software using something like Secunia.  So now, not only could you see if the software you have installed on your network has new versions, but also if there are known security vulnerabilities for the version of the software you have installed.  If a SaaS provider such as SAManage could provide that data I think they would start seeing a large growth in interest in their services.
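As an added illustration (not code from the original post or from SAManage/OCS Inventory NG), here is the cross-check the last two paragraphs describe: an agent-style inventory is matched against a “latest version” table and an advisory feed, flagging hosts that need updates and hosts running a version below an advisory’s fix.  All hostnames, versions and advisory ids below are constructed placeholders; the version-comparison rule (dotted integers, trailing zeros ignored) is my assumption.

```python
"""Constructed sketch of the update/advisory cross-check a SaaS asset-management
provider could run over its clients' software inventories."""


def parse_version(ver: str) -> tuple:
    """Turn '2.0.0.14' into comparable integer parts; non-numeric parts count as 0
    and trailing zeros are dropped so '3.0' and '3.0.0' compare equal."""
    parts = [int(p) if p.isdigit() else 0 for p in ver.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if installed version a is older than version b."""
    return parse_version(a) < parse_version(b)


# Constructed inventory in the shape an agent would report: (host, software, version)
INVENTORY = [
    ("ws-01", "Mozilla Firefox", "2.0.0.14"),
    ("ws-02", "Mozilla Firefox", "3.0"),
    ("ws-02", "OpenOffice.org", "2.4.0"),
    ("srv-01", "OpenSSH", "4.7"),
]

# Constructed "most recent version" table the provider would maintain per package
LATEST = {"Mozilla Firefox": "3.0", "OpenOffice.org": "2.4.1", "OpenSSH": "5.0"}

# Constructed advisory feed: software -> [(placeholder advisory id, fixed-in version)]
ADVISORIES = {
    "Mozilla Firefox": [("ADV-PLACEHOLDER-001", "2.0.0.15")],
    "OpenSSH": [("ADV-PLACEHOLDER-002", "4.8")],
}


def check_inventory(inventory, latest, advisories):
    """Return (updates, vulns).  updates: (host, sw, installed, latest) for hosts
    behind the newest release; vulns: (host, sw, installed, advisory id) for hosts
    whose installed version predates an advisory's fix."""
    updates, vulns = [], []
    for host, sw, ver in inventory:
        if sw in latest and version_lt(ver, latest[sw]):
            updates.append((host, sw, ver, latest[sw]))
        for adv_id, fixed_in in advisories.get(sw, []):
            if version_lt(ver, fixed_in):
                vulns.append((host, sw, ver, adv_id))
    return updates, vulns


if __name__ == "__main__":
    for row in check_inventory(INVENTORY, LATEST, ADVISORIES)[1]:
        print("VULNERABLE:", row)
```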

If you’re not ready to pay for services like this or an appliance based solution like KBOX but want to track your assets and don’t care as much about the patch management, I would definitely recommend taking a look at OCS Inventory NG as it is a very good tool.  It was a very tough decision to choose between it and KBOX and I honestly sometimes still wonder if we made the right decision.

Email and Collaboration

July 14, 2008

I saw this article pop up on a blog the other day so I thought maybe it would be a good time to discuss Zimbra as a good solution for email and collaboration for a small business.  Until about 6 months ago, my company was running a simple and free SMTP/IMAP server with web access by SquirrelMail.  This all worked great for mail and of course it was great since it was free.  For our meeting/calendar system though, we were using MeetingMaker.  This wasn’t free and there were several things we did not like about it.

  1. By default, it would not do LDAP authentication.  So everyone had to remember a different username/password and manage keeping them in sync.  To get this capability was more money.
  2. It did not integrate at all with the mail client.  Again, I think there were some connectors you could buy or publish as ICS, but at that point the security model wasn’t proven out.
  3. It did not support over the air synchronization with wireless devices without several add-on packages.

So about six months ago when we had used up all our MeetingMaker licenses and knew we would be hiring some new people soon, we decided to hunt around for a new solution.  Our goals were basically to make up for the 3 flaws listed above. We wanted an integrated mail/calendar system, preferably with other collaboration features as well such as task lists, contact storage, etc.  We wanted something that would allow us to do LDAP authentication with our existing LDAP servers.  We also wanted something that supported OTA synchronization with wireless devices.  As always, we also prefer open source.

Looking around, we found two main options.  The Kolab project looked fairly promising, but had a few big question marks on it at the time.  At the time, the web interface (using Horde) was not fully completed.  It also had a somewhat unfavorable and unfriendly installation.  They had everything packaged together with another system that was meant to ensure all the correct versions of everything got installed, but I ultimately found it very difficult to work with.

The other potential solution we came across was Zimbra.  This looked very promising.  It was open source, had all the features we were looking for (some did have a fee, but we weren’t completely opposed to that), and had been proven a little more than Kolab had, with several large installations we could refer to.  So we ended up choosing Zimbra.  We did end up going the Network Edition route with the “Zimbra Mobile” addition, but all in all, it still came out to about the same as we were paying just for our meeting system before.  So it was still a very good deal.

Zimbra does offer their open source edition and if you aren’t looking for OTA synchronization with mobile devices or a few other features (a scripted backup/restore process, rebranding, domain level administration) then the regular, free edition will probably work great for you.  I definitely encourage anyone interested to give it a try and let me know your results.


July 11, 2008

We recently did a search for some good network monitoring software.  It wasn’t specifically required by the SAS 70 audit, but it has greatly helped us in monitoring server/application availability as well as getting notified of outages or other events (disks nearing capacity, etc).

We looked around and there were several solutions out there, but ultimately we decided to go with Zenoss.  It was open source and the free edition had all of the features we were looking for.  It can perform all sorts of different monitoring and make use of things like SNMP and even use existing Nagios tests.

We’re still playing with some of the tests and trying to figure out some good indicators of issues that we can set notifications on, but all in all, it was a very simple setup and configuration.  I would definitely recommend this product to anyone that wants to be able to monitor availability and performance on their network.

Is Linux ready for your Small Business?

July 10, 2008

I ran across a great article this morning informing small businesses about the viability of switching over to Linux instead of Microsoft Windows.  If any of you have read my blog before you probably know I’m a big Linux proponent.  I also made this suggestion in my post about Microsoft’s decision to stop shipping XP.  The article does a good job at pointing out some of the benefits of Linux and potentially a few issues as well.  They also have a good post listing some common Linux replacements for Windows applications.  I’m not sure I agree with all of their suggestions, but they are good points.  I would definitely suggest Mozilla Firefox over Konqueror as a browser, but other than that, they make some great suggestions.

They also mention Windows applications running under Wine, using virtualization to still run Windows, or dual booting.  Honestly, I don’t think any of those would be required.  The main issue you will run into if you decide to go this route is convincing your users and training them on the new applications.  Many of them won’t need much training, but there will definitely be little things along the way.  I do have some very helpful tips for anyone considering this though.

Start Slow. Don’t try to switch everyone over to Linux overnight.  The best route I would suggest is to first ask for volunteers.  If you know some closet Linux fans, go after them first.  The goal of this phase is to win over a few employees that can help convince the rest of the employees.  If you can get a regular, non-IT employee to start using it and they buy into it and enjoy it, their testimony will be much more convincing than anything any IT employee could say.  If the user REALLY likes it, or if the user is a higher-up manager, and they are very influential with the other employees, you may even get a grass roots movement on your hands where the vast majority of users are requesting to be switched over to Linux.

Start Switching Applications Now. When you decide to start down this road, one of the best things you can do is to start switching applications now.  Start installing Firefox on your Windows machines and encourage users to use it instead of IE (I would even suggest changing the default browser).  Most Linux IM clients also have a working Windows version.  Install OpenOffice and remove Microsoft Office.  That last one will probably cause the most complaints.  If you don’t want to completely remove Microsoft Office yet you can just change the file associations so by default documents open in OpenOffice instead of Microsoft Office.  I would also suggest changing settings in OpenOffice so that, by default, it will save documents in the Microsoft 97-2003 formats.  These steps will at least get your current Windows users used to the new applications so when you switch them over to Linux it won’t be as big of a change for them.

Those two steps are really the most important two things to do in order to make this transition easier.  I would definitely suggest at least giving it some thought as it can save your organization a good amount of money.  If anyone has any success (or failure) stories with any such transitions I’d love to hear them.

Best IT Jobs

July 9, 2008

I came across this article this morning about the best IT jobs that can be fairly safe from outsourcing.  It reaffirms a belief I’ve held for the past couple of years about the future of IT.  Strict coding jobs are definitely a very good candidate for outsourcing, so maybe not quite that safe of a long term career plan, as much as it pains me to say that because I love coding.  However, in all honesty, just about anyone can code.  Yes, you will definitely get a wide variety of quality of code, but it is definitely the easiest part of the process to outsource.  So what jobs in IT are safe?

Many, many articles have been written recently about the growing strategic role that IT plays in business…especially large businesses.  IT is no longer expected to just sit back and wait for projects to come to them and do what they are told.  They are expected to find ways in which they can strategically apply technology to help the company reach its goals.  So, the individuals that can do this are the ones that are going to bring the most value to a company and be the least likely to be outsourced.  So the architects, business analysts, and people with strong design skills are in pretty safe positions.

In my opinion, the IT field as a whole is still a great field to go into.  There are many different aspects of the job and you can easily get a wide variety of things to work on.  Not to mention that the pay is pretty good as well.  But, with the outsourcing scare, it is a bit on the competitive side.  So, what is my advice to anyone in the IT field that worries about their job getting outsourced?  Get to know the business.  Become very familiar with exactly what it is your company does from an operational standpoint but also business practices in general.  I definitely think there is a growing demand for someone (like myself) with a bachelor’s degree in computer science and an MBA as well.  But even if you don’t want to go through the work of getting an MBA, at least get familiar with your company’s business.  Look for inefficient processes that you think technology could improve and start making suggestions.  Most importantly, don’t get discouraged if your suggestions are shot down, just look for more.  Companies will really value this initiative and your knowledge of the business.