Reliable Networks Joins Citrix Verified IaaS Providers Program

We were pleased as punch recently when Citrix called and asked if we wouldn’t allow ourselves to be verified as a Citrix Ready IaaS Cloud for XenDesktop provider.

By way of background, we have been hosting Private and Hybrid Cloud servers backed by Citrix XenServer for several years now. Our own Zimbra Hosting platform is on the same highly redundant and resilient infrastructure as our clients’ Cloud servers. Earlier this year we invested six figures in our new Citrix CloudPlatform environment; we and our clients have been more than happy with the results. (And to be clear, we don’t do Public Cloud.)

One challenge in the Cloud Hosting space is that there are few barriers to entry, so if you are considering using a commercial cloud provider for your Private/Hybrid Cloud deployment, how can you differentiate the newbies and dilettantes from the folks following best practices? How do you know your data will be secure?

Sure, we have a SOC 2 Type 2 audit covering Security, Availability and Confidentiality, but good or bad, anyone with a checkbook can buy CloudPlatform (or VMware for that matter).

To be part of this Citrix Verified IaaS Program however, a provider has to document that their workflow processes are in conformance with Citrix’s reference architectures and best practices. And oh-by-the-way, Citrix comes on site too for an in-person and quite intimate poke-about.

Our on-site Citrix visit is scheduled for early next month, but Citrix felt comfortable with our submissions to date to include us alongside companies like Verio/NTT Communications in the announcement post.

If you’d like to find out how we can help you better manage technology risk via our Managed Cloud offerings, give us a call at (207) 772-5678. And if you’d like to read Citrix’s Press Release, you can click here.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications

The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone and do not necessarily reflect those of Reliable Networks, OTT Communications or Otelco Inc. The contents of this site are not intended as advice for any purpose and are subject to change without notice. We make no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.

Rackspace Emulates Reliable Networks’ Approach To Cloud Servers

Yes, the title is a little presumptuous I confess, but with Rackspace announcing they have left the pure IaaS market to provide only Managed Cloud servers, we at Reliable Networks are feeling a little bit full of ourselves right now. (Don’t worry, we’ll get over ourselves in a few minutes, I promise…)

You see, we have always liked Rackspace for their “fanatical” approach because we are much the same in that client service is paramount. We do think we are way more proactive than Rackspace; one client affectionately calls us “The constructive thorn in our sides” because we don’t let them be too expedient too often. But we respect Rackspace for their client-centric view on things and imagine we have common ancestors a few generations back.

But unlike Rackspace, we never got into the pure IaaS market.  Having done tech M&A for a number of years, it looked to me like that was one that would commoditize fast.  Plus, all of our clients value not only our highly resilient, redundant and performant infrastructure, but our expertise – offered only inseparably from our Cloud Server and other Hosted compute offerings like Zimbra.  We essentially function as our clients’ part-time, on-demand CIO/CTO/Senior IT staff, collaborating with both C-level executives and client IT staff with a view towards better managing technology risk and spend.

Earlier this year Rackspace hired Morgan Stanley to explore “strategic options” so we knew all was not well.  It’s still early days but kudos to Rackspace for swapping out a CEO and keeping their stock even today selling at more than 2.7x sales (it had been near 4.5x a year or so ago as I recall).

The pundits as per usual are claiming the entire Cloud market is commoditizing, and unless one becomes the biggest all will be lost. On a related note, Forbes magazine is recommending companies should no longer build new data centers but instead rely on data centers from Cloud providers. We agree with Forbes but look to a Cloud market with different levels of value-added services.

In other words, we think the Cloud market is showing the first signs of maturity, just like the car business. Toyota and GM fought to be the largest in the world and look at what that brought them. Meanwhile, those car companies who elected not to be all things to all people, and who compete on value-add, not price, are doing quite well thank you.

At the end of the day, it’s not the price of the hardware that matters, but what you can do with it and how much technology risk you can mitigate cost-effectively.  And that takes people. Really smart people.  And Managed Services.  So that’s why we have never offered pure IaaS and why we find it interesting (and yes, somewhat satisfying) that Rackspace is seemingly abandoning the commodity scale market for the smaller, but higher value-add Managed and Professional Services market we’ve stayed in since day one.

OK, time’s up.  We are over ourselves now…

If you’d like to find out how we can help you better manage technology risk via our Managed Cloud offerings, give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications



What Is The Best Protection Against Malware?

What Can We Learn From Race Cars?

In the racing business, there is an old saying that “To finish first, one must first finish!”  Trying to go as fast as you can, all the time, is in fact, not the best way to finish a race in first place.  More often than not, all it does is get you in the middle of a wreck.  (I used to be the Chief Driving Instructor at a Rally School, so I have some experience with this…)

Indeed, the more experienced and talented the driver, the more often their coach will advise them to slow down, to give them time to better plan their next move.  In other words, if you can drive at 99.9% one hundred percent of the time, you’ll be both safe and fast.  And when something does go awry and you need to drive at 110% for a bit, you’ll have the margin and composure to do so.


Drive Encryption Malware Strikes Again

You may have seen a recent Ars Technica article in which a senior Symantec executive admits that anti-virus software catches less than half of all malware (here’s the full URL: http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/).  Not surprisingly, not a month goes by that we don’t hear about some poor end user clicking on a link in an email and inadvertently launching some drive encryption malware requiring their workstation to be rebuilt from scratch.  (It gets worse when the drives encrypted are the company network drives, and whole servers have to be rebuilt and restored…)

So how can we apply how to go fast in racing to malware protection?

It’s simple: Slow Down!  Slow down how fast you skim through email. Take a breath before you click on a link.  Know where your mouse cursor is, in what application before you hit the Enter key.  Don’t be the cause of a malware wreck!


The Most Effective Anti-Malware Tool?  Training!

In our experience, end-user training is the most effective malware detection tool.  With the benefit of hindsight, most malware delivered via email links does look suspicious, but only after you take that extra split-second to look at it.  Often there is a typo, a graphic that doesn’t look quite right or some other attribute that appears out of place in an email purportedly from the Post Office telling you about a failed package delivery attempt.

Sure, at Reliable Networks we are fussy about security and do things like block executable attachments and have multiple vendors’ products scanning our email stream (inbound and outbound BTW…) but these URL links delivering malware are quite clever, insidious, and frankly, the bad guys are way ahead of the good guys who sell anti-virus/anti-malware detection solutions.

But at the end of the day, we recommend our users slow down — just a little — and take advantage of our uniquely human ability to sense when things are not quite right.

Now, we are of course not suggesting you abandon the usual protections. Indeed, we like a multi-vendor approach because when new exploits are discovered, different vendors release updates at different times, and just a few minutes can make a difference.  So even though it costs more, it’s fairly cheap “insurance”.

And if you’d like to schedule some end-user training with us, we’d be happy to oblige.  Just give us a call at (207) 772-5678.


Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Are We Up For You?

One of the things we pride ourselves on is comprehensive internal monitoring of our entire infrastructure and cloud environment. Whenever we benchmark ourselves against other cloud providers we consistently find that our monitoring is much more extensive than others.

Is it Good For You Too?
But just because our stuff is up and running doesn’t always mean it is up for you. The Internet can be incredibly flaky, so for the past few years we’ve been using an external monitoring service (from Pingdom if you are curious) to make sure that our public-facing Private Cloud applications and network hardware are globally responsive. We do have clients with offices overseas who connect to our Zimbra email system for example, so we want to make sure the Internet is carrying their traffic appropriately.

How To Find Out…
Recently, Pingdom improved their Public Status Pages reports for clients like us, so today we added a menu item to our web site called “Cloud Status”. This links directly to Pingdom’s reporting engine. You can go there directly too; the URL is:

http://status.reliablenetworks.com

How To Interpret “Downtime”
Pingdom is harsh on reporting; they have multiple monitoring servers all over the world looking at their customers’ stuff, and all it takes is one monitoring system perceiving an issue (which can often be nothing more than temporary bad routing on the Internet) to flag a service or hardware.

That suits us just fine because we are less interested in showing to the world nothing but pretty green “Service is Up” globes than we are in making sure all of our clients across the globe are having a good experience on our Cloud — even if a bad experience has nothing to do with us or our upstream providers.

We really like transparency and hope that whether you are a current or prospective client, you find our new status page from Pingdom useful.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Spam, Spam, Spam, Spam… (Lovely Spam, Wonderful Spam!)

Monty Python references notwithstanding, in the past few weeks we have seen an extraordinarily major increase in the amount of spam hitting our and our clients’ mail servers — and it’s been anything but Lovely.

A quick check of the Postfix mailing list and a few others confirmed our suspicion that we are not alone in our suffering. The root cause seems to be legitimately configured, not (necessarily) compromised, cloud servers on Amazon and other self-service public cloud providers. The servers we have tracked stay up for just long enough for them to get noticed by all the anti-spam blacklist engines, and then they are taken down and new ones pop up to take their place.

After reviewing literally hundreds of email headers looking for clues, over the past week we rolled out some significant tweaks to our spam filtering methodology on our Zimbra hosting farm. So far over the past few days, we’ve seen the amount of spam emails which get through go back down to the usual few per day, without any increase in “false positives” (i.e. legitimate email incorrectly identified as spam).

We’ve documented our updated techniques on Zimbra’s SpamAssassin Customization wiki (propeller heads only for this one I’m afraid…)

If you’d like help improving your system’s anti-spam configurations with Zimbra or Exchange, give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Just Say “NO!” To Windows XP

Earlier this month Microsoft finally ended support for Windows XP (unless you are, say, the British government and are paying Microsoft more than a million quid to get another year of support…)

The trade press reports that many companies, despite years of prodding, have taken an ostrich approach to migrating away from XP to Windows 7 or Windows 8, and are still running Windows XP systems with an Internet connection.

“We have good firewalls in place!” and “We run up-to-date anti-virus and endpoint protection on every Windows XP machine.” are just some of the comments we have heard companies use to self-justify that, despite using an unsupported operating system, the risk of doing so has been mitigated.

No longer.

Last week the trade press reported that a new vulnerability in Internet Explorer had been found and is being actively exploited. Microsoft as of this writing has yet to release a fix, but has made clear that Windows XP will not get the fix.

For the moment, the public consensus seems to be to stop using Internet Explorer entirely (tough when some apps are hard-coded for Internet Explorer…) until a Microsoft patch is released.

But if you are still running Windows XP, this is just one more reminder that XP will not be getting any more security fixes, and that it really is time now if you haven’t done so already to just say “NO!” to Windows XP.

Need help planning this migration? Give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Core Switch Failure = Zero Downtime on our Private Cloud

Lessons From The Cold War
Back in the Cold War era, the US and Soviet air forces took a radically different approach to fighter jet design.

The US optimized designs for combat first, so the F-16 has its engine intake on the bottom of the aircraft for aerodynamic reasons. If you recall what happened to Capt. Sully’s aircraft over the Hudson River in New York City, you know what happens to a jet engine when it ingests a bird, or anything other than clean air (it’s called “FOD”: Foreign Objects and Debris in the trade…). Consequently, the US Air Force has crews whose job it is to keep runways totally clean.

The Soviets believed war is always dirty and you will always be short-handed, so they architected their tools to work in really messy conditions. AK-47s never jam, even when doused with mud, for example. Their MiG-25 fighter aircraft has doors on the top of the aircraft that close off the forward-facing jet engine intakes for takeoff and landing, and suck air in at a right angle from the top of the aircraft. It’s neither efficient nor aerodynamic, but we’ve heard you could land a MiG-25 on a dirt air strip and not cause any damage to the engines.

Lessons Applied
There’s an old saying that “All hardware eventually fails; all software has bugs.” So on our Private Cloud infrastructure, we take from both the US Air Force’s and the Soviets’ play books and combine meticulous maintenance and monitoring with highly resilient and redundant architectural design.

This week it all paid off.

Uh Oh…
Earlier this week we were alerted that one of the network cards on one of our physical cloud servers (which each host between 20 and 30 of our clients’ servers) had negotiated its connect speed down. We replaced the network cable, and that worked for about an hour. And then the same thing happened on one of our other physical cloud servers. Not a network cable for sure.

After running a series of diagnostic tests, we determined that one of our Cloud’s two redundant core switches was flaking out (that’s a technical term BTW…) but not failing outright. We opened a ticket with HP (it’s a ProCurve switch) who agreed with our assessment and overnighted a warranty replacement to us, which we put in the next day.

If the core switches were not redundant (and too many providers do not have fully redundant switching), a core switch failure would have caused an outage for our entire Private Cloud.

Whew!
But in our case, the switch flakiness and replacement happened with no service outage whatsoever. In fact, if we hadn’t sent a maintenance notice out to our clients, (we are a full-disclosure kind of shop) no one but us would have been the wiser.

The US Air Force’s and the Soviets’ methodologies were entirely complementary in this case, to the mutual benefit of our clients and our engineers’ blood pressure readings.

Conclusions
So next time you are considering a Cloud hosting provider, ask them what would happen if a core switch failed outright, and whether they would notice if the switch didn’t fail but the line speed just dropped some. And then ask them the same thing about their firewall (we have a redundant pair of those too), the network cards on the servers (yup, redundant there too) and everywhere else along the chain.
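The “would they notice if the line speed just dropped some” question above is answerable with a small check. As an added example (not code from Reliable Networks), the following parses `ethtool` output for each NIC and raises an alert when the negotiated speed or duplex falls below what the interface should be running at, or the link is gone; the interface names, expected settings and sample output are constructed for illustration.

```python
import re

# Constructed sample output in the format `ethtool <iface>` prints on Linux.
# eth1 has renegotiated down to 100 Mb/s half duplex (the symptom in the post);
# eth2 has lost link entirely.
SAMPLE_ETHTOOL = {
    "eth0": """Settings for eth0:
\tSupported ports: [ TP ]
\tSpeed: 1000Mb/s
\tDuplex: Full
\tAuto-negotiation: on
\tLink detected: yes
""",
    "eth1": """Settings for eth1:
\tSupported ports: [ TP ]
\tSpeed: 100Mb/s
\tDuplex: Half
\tAuto-negotiation: on
\tLink detected: yes
""",
    "eth2": """Settings for eth2:
\tSupported ports: [ TP ]
\tSpeed: Unknown!
\tDuplex: Unknown! (255)
\tAuto-negotiation: on
\tLink detected: no
""",
}

# Assumed baseline: every uplink on this host should be 1 Gb/s full duplex.
EXPECTED = {
    "eth0": {"speed": 1000, "duplex": "Full"},
    "eth1": {"speed": 1000, "duplex": "Full"},
    "eth2": {"speed": 1000, "duplex": "Full"},
}

SPEED_RE = re.compile(r"^\s*Speed:\s*(\d+)Mb/s", re.M)
DUPLEX_RE = re.compile(r"^\s*Duplex:\s*(\w+)", re.M)
LINK_RE = re.compile(r"^\s*Link detected:\s*(yes|no)", re.M)


def parse_ethtool(text):
    """Extract negotiated speed (Mb/s), duplex and link state from ethtool output.

    Speed is None when ethtool reports it as Unknown (no link)."""
    speed = SPEED_RE.search(text)
    duplex = DUPLEX_RE.search(text)
    link = LINK_RE.search(text)
    return {
        "speed": int(speed.group(1)) if speed else None,
        "duplex": duplex.group(1) if duplex else "Unknown",
        "link": bool(link and link.group(1) == "yes"),
    }


def check_links(outputs, expected):
    """Compare each interface against its baseline; return a list of (iface, problem).

    A degraded link (lower speed or wrong duplex) is reported even though the
    interface is still up, which is exactly the case a plain up/down check misses."""
    alerts = []
    for iface, want in expected.items():
        if iface not in outputs:
            alerts.append((iface, "no ethtool output"))
            continue
        got = parse_ethtool(outputs[iface])
        if not got["link"]:
            alerts.append((iface, "link down"))
            continue
        if got["speed"] is None or got["speed"] < want["speed"]:
            alerts.append((iface, f"speed {got['speed']} < expected {want['speed']} Mb/s"))
        if got["duplex"] != want["duplex"]:
            alerts.append((iface, f"duplex {got['duplex']} != expected {want['duplex']}"))
    return alerts


if __name__ == "__main__":
    # In production the dict values would come from subprocess.run(["ethtool", iface]).
    for iface, problem in check_links(SAMPLE_ETHTOOL, EXPECTED):
        print(f"ALERT {iface}: {problem}")
```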

And when you are ready for our trademarked “Uptime. All the time.” please give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Zimbra Password Strength – New Study From Dashlane Recommends Our Policies

Most Websites Allow Crackable Passwords Like “123456” and “password”
When we first deployed our Zimbra hosting farm years ago, we insisted on complex passwords, password rotations 3x per year and other security protections for our clients. Some prospective clients didn’t like that we wouldn’t let them use three-character passwords, or that they had to change their passwords every four months.

But we stuck to our guns and helped clients to make easy-to-remember passwords that were very complex. If they got stuck changing their password on their mobile device, we gladly helped them through it.  We know it can be frustrating, but we knew the alternative was worse. We use those password policies pretty much everywhere now too.

So it was quite gratifying to see the folks at Dashlane publish a study ranking websites on their password policies — especially because Dashlane’s recommended policies are almost exactly what our policies have been for years.

You can read the PDF press release here or the ArsTechnica article here.

Use a Password Manager Please
One thing the Dashlane press release didn’t explicitly recommend (doing so would appear to be a little too self-serving…) is to use a unique password for every web site or service; i.e. never use the same password on two or more sites. That way, if one site gets hacked, you don’t have to worry about quickly changing your password on all of the other sites where you used that same password (like your online banking web site…). To do that, you of course need a password manager (like Dashlane or one of the other myriad password managers out there).

I confess I’m a big proponent of password managers and typically use 24-character passwords everywhere, relying on the password generator function within my password manager to generate good, random passwords with complex characters.  It’s now at the point where I have no idea what my passwords are; I just know the (complex) password which unlocks my password manager.  And I back up the password manager’s database regularly.

If you would like some help with your password challenges, please feel free to call us at (207) 772-5678.

Hope that helps,
Mark
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications



MPLS, VPNs, BGP Exploits and Maybe Your Data Isn’t as Secure as You Thought? (Zimbra Can Help.)

Wow! Three 3-letter acronyms right off the bat before we even get to the topic at hand: Data Security.

What’s the specific problem here, really?

Well, the problem is that we have stumbled across a few prospective clients using MPLS networks who thought their data traveling across those MPLS networks was secure.

When we showed them how it wasn’t, they freaked. And rightly so, because when you combine MPLS with a BGP hack, you may as well be sitting on an open unencrypted wireless connection in a hacker’s favorite coffee shop accessing your company’s most sensitive data — it’s just about as secure.

Let’s do a quick level set:
If your company’s applications are hosted in multiple data centers, chances are pretty good that either the data center provider, your ISP or both have tried to sell you on the benefits of deploying an MPLS (“Multi-Protocol Label Switching”) network. At the risk of oversimplifying, MPLS lets you treat multiple, complex networks as if they were one simple network, like in your office. MPLS adds tags (labels) to the data packets to say to the routers “This packet should be routed to the Dallas data center please!”

So that’s nice for application developers and network administrators, who no longer need to worry about complex routing issues when doing things like deploying an Exchange Witness server in one data center, and two replicated mailbox servers in two other data centers.

But MPLS says nothing about the specific route packets are to take between data centers. That responsibility has always fallen to BGP (Border Gateway Protocol), and MPLS does not at all replace BGP. For the non-techies, BGP is kind of like getting directions on Google Maps. Sometimes you get a choice of routes, and sometimes you get offered just one route between the starting location and your destination. Same with BGP. Internet backbone providers, major carriers and telecoms “announce” BGP routes most typically as a way to load balance between routes and also to steal market share. AT&T for example might do a deal with a major multinational data center provider to move a bunch of their traffic to AT&T for a week or so for a price break. BGP is what controls how those data packets are routed between here and there. And by some estimates, there are as many as 100,000 BGP announce changes every day.

BGP Hacking 101
Going back to our Google Maps example… You know how once in a while you get offered a route that just looks weird, and you kind of suspect it’s wrong, but you’ve never been to the destination before so you follow the route anyway? Well, BGP hacks work pretty much the same way; they’ll route the traffic someplace where they can examine it. Imagine a carjacking gang who hacked your Google Maps app to route you and your Porsche into an abandoned industrial park you think represents a nice shortcut to your destination. With a carjacking, the traffic stops at the carjacking itself. With a BGP hack, the traffic gets copied but passed on straightaway so neither the sender nor the receiver is likely to notice the traffic has been rerouted.

Since BGP has historically been accessible only to the big boys and sovereign nations, there is explicit trust when one provider’s router advertises BGP routes for certain IP addresses to the entire Internet. Remember when Pakistan unwittingly took YouTube off the air? Yup, that was a bad BGP announce, accidental yes, but you get the idea.

The problem is that doing intentionally bad BGP announces to route “interesting” traffic through your routers lets you examine all of that traffic. Indeed, Renesys makes a living analyzing the tens of thousands of BGP changes made each day with a view towards protecting their carrier customer base from BGP errors as well as malevolent BGP changes.

In a recent Renesys blog post, they note that this “Let’s make a BGP announcement so I can look at some interesting traffic!” hack has become more prevalent. We expect this attack vector to increase radically as routers capable of doing BGP announcements come down in price from about $35,000 ten years ago to under $1,000 today (and anyone can buy them).
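The check a monitoring service like the one described above runs for its customers comes down to one question: is anyone announcing my prefix, or a more-specific piece of it, from an origin AS that isn’t mine? As an added example (not Renesys’s code or anything from the original post), the following does that comparison over a constructed feed of announcements using documentation prefixes and private AS numbers.

```python
import ipaddress

# Constructed sample feed: (announced prefix, AS path, rightmost AS is the origin).
# Not real routing data; prefixes are RFC 5737 documentation space and ASNs are
# from the private range.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64500, 64510, 64496]),    # our prefix, our origin
    ("203.0.113.0/24", [64501, 64496]),           # same, via another transit
    ("203.0.113.128/25", [64502, 64511]),         # more-specific from a foreign origin
    ("198.51.100.0/24", [64500, 64497]),          # our prefix, our origin
    ("198.51.100.0/24", [64503, 64512]),          # exact prefix, wrong origin
    ("192.0.2.0/24", [64500, 64520]),             # not ours, ignored
]

# Assumed inventory: the prefixes we operate and the origin ASNs allowed for them.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64496},
    "198.51.100.0/24": {64497},
}


def find_suspect_announcements(announcements, expected_origins):
    """Return (prefix, origin_asn, monitored_prefix, reason) for every announcement
    that covers a monitored prefix (exactly or as a more-specific) from an origin
    AS not in the allowed set.

    A more-specific wins in the routing table regardless of origin, which is why it
    gets its own reason string: it diverts traffic even when the /24 is still
    announced correctly."""
    monitored = {ipaddress.ip_network(p): asns for p, asns in expected_origins.items()}
    suspects = []
    for prefix_str, as_path in announcements:
        if not as_path:
            continue
        net = ipaddress.ip_network(prefix_str)
        origin = as_path[-1]  # origin AS is the last hop; prepending keeps it last
        for mon, allowed in monitored.items():
            if net.version != mon.version or not net.subnet_of(mon):
                continue
            if origin in allowed:
                continue
            reason = "unexpected origin" if net == mon else "more-specific from unexpected origin"
            suspects.append((prefix_str, origin, str(mon), reason))
    return suspects


if __name__ == "__main__":
    for prefix, origin, mon, reason in find_suspect_announcements(SAMPLE_ANNOUNCEMENTS, EXPECTED_ORIGINS):
        print(f"{prefix} from AS{origin} covers {mon}: {reason}")
```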

So What’s The Exposure for MPLS Users?
The exposure is that we have now seen several companies who thought that traffic routed over an MPLS network was secure (presuming the MPLS network itself was secure), and so did not encrypt that traffic. That means that anyone on the route between the company’s data centers had full access to that unencrypted data. Subject to HIPAA? Uh oh, you just had a de facto Security Rule violation. Did you sign an NDA or other contract requiring you to keep data confidential and not share it with any third parties? Oops, if you copied the data between data centers, you just breached your agreement. If you are old enough to remember, this exposure is not so different from listening in on an old phone system party line, without letting anyone know you are on the line.

In Google’s case, this is why they recently announced that they are encrypting all traffic between all of their data centers, even though their data centers are connected via private networks.

What’s The Solution?
First, any time data may move between servers, encrypt it if you can; we recommend you should.

Well-architected software will do this out of the box. Our email system is Zimbra, and Zimbra has a “secure interprocess communications” setting which is enabled in the default configuration. With Zimbra, this means that each Zimbra component — even when Zimbra itself is installed on only one server — exchanges data with the other components only after encrypting that data. When you go to scale Zimbra to multiple servers, you can then domicile those servers in different data centers and the traffic between them will be encrypted automagically.

Second, if you don’t control the software at that level (or even if you do but you want to be absolutely sure), then we recommend you deploy site-to-site VPNs between your multiple data centers, and not rely on the data center provider to do that for you. VPNs and MPLS play nicely together, so it’s not like you have to choose one or the other.

Third, don’t forget about your remote access users. Yes, Microsoft now encrypts Remote Desktop traffic (128-bit encryption only though…), but deploying a Citrix, SonicWall or other gateway which provides an on-demand VPN and two-factor authentication provides enhanced security with little added usability burden to end users.

Lastly, consider upgrading your encryption to 256 bits (“banking grade”). In early 2014 we will be doing so on our Zimbra Hosting farm, and the marginally higher cost for a 256-bit SSL certificate is really cheap insurance against some of the weak ciphers commonly used for 128-bit encryption.
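One way to verify, from the receiving end, that the links and services above are actually encrypted and not negotiating a weak 128-bit cipher. This is an added example written for this post, not code from Zimbra, Citrix or our hosting platform; the host and port in the usage line are placeholders, and the 256-bit target and the list of weak cipher markers are our assumptions.

```python
import socket
import ssl

# Substrings that mark a negotiated cipher suite as weak regardless of key
# length (RC4, DES/3DES, NULL, export-grade and MD5-based suites). Assumed list.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
# OpenSSL name prefixes for anonymous (unauthenticated) key exchange.
ANON_PREFIXES = ("ADH-", "AECDH-")


def classify_cipher(name, bits, minimum_bits=256):
    """Rate a negotiated cipher as 'weak', 'ok' or 'strong'.

    name and bits are the first and third fields of ssl.SSLSocket.cipher().
    'ok' means encrypted with a non-weak suite but below the target key size.
    """
    upper = name.upper()
    if upper.startswith(ANON_PREFIXES) or any(m in upper for m in WEAK_MARKERS):
        return "weak"
    if bits < 128:
        return "weak"
    if bits < minimum_bits:
        return "ok"
    return "strong"


def audit_endpoint(host, port, minimum_bits=256, timeout=5.0):
    """Attempt a verified TLS handshake with host:port and report the result.

    Returns a dict: encrypted (bool), cipher, bits, protocol, rating, error.
    A refused connection, a plaintext-only service or an untrusted certificate
    all come back as encrypted=False with the error text, so a self-signed
    replication certificate is not silently counted as 'strong'.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                name, protocol, bits = tls.cipher()
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "port": port, "encrypted": False, "cipher": None,
                "bits": 0, "protocol": None, "rating": "handshake-failed",
                "error": str(exc)}
    return {"host": host, "port": port, "encrypted": True, "cipher": name,
            "bits": bits, "protocol": protocol, "error": None,
            "rating": classify_cipher(name, bits, minimum_bits)}


if __name__ == "__main__":
    # Placeholder target: replace with the real mailbox or replication host.
    print(audit_endpoint("mail.example.invalid", 443))
```

Run it against every port that carries data between sites (mail, LDAP, database replication, backups), not only the public web front end; anything rated "weak" or "handshake-failed" is a link that needs a VPN or a configuration fix.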

As always, if you’d like some help wading through any of this, please do not hesitate to give us a call!

All the best,
Mark
CIO

Yahoo and Google Encryption Catch Up

Lately we’ve been reading a lot of articles about how Yahoo and Google are encrypting communications in the wake of the Edward Snowden revelations regarding NSA spying. Here’s one example from today.

Their current efforts are to be applauded, but to be frank, their engineers — and executives — knew better a long time ago.

It used to be that when you went to log in to most email services, your username and password were encrypted, but after you logged in, all your emails flying between their servers and your laptop in Starbucks were unencrypted. To claim now that these email providers are “Shocked; shocked!” that the NSA was listening in, when any thirteen-year-old sitting in the Starbucks with you could do the same thing with freely available hacking tools, is only slightly more believable than Captain Louis Renault (from the movie Casablanca) being shocked to learn that gambling was taking place in the club. Sure, the scale of what the NSA is alleged to be doing may be shocking, but the tech to do so is pretty rudimentary and widely available.

So kudos to Marissa Mayer, Yahoo and Google for catching up and starting to encrypt all end-user communications coming in and out of their data centers — the way we and our clients have been operating for years.

Want to get your Zimbra email? We have always encrypted both the login and all subsequent transfers of your email; both receiving and sending. Need to get remote access to your corporate Citrix Desktop from Starbucks? Two-factor authentication is required. You have how many mobile devices checking your email? Sorry, we still force password changes every 120 days and yes, you do need to use a “complex” password.

By the way, while Marissa Mayer is getting started at encrypting customer data in and out of Yahoo’s data centers, we will be upgrading our Zimbra encryption to 256-bit banking-grade encryption as part of our next Zimbra upgrade.

Don’t get us wrong, we think there is a valid, valuable role for the NSA to perform. We welcome reasoned debate over how, and the extent to which, the NSA et al. should be involved in pre-emptive data harvesting on as large a scale as has been reported and alleged. But at the end of the day, we are more worried about the traditional bad guys and unethical, unscrupulous competitors trying to access your data. After all, we know that your data is valuable. So is ours. We keep our data in the same infrastructure as our clients. We have a SOC 2 Type II audit covering Security, Confidentiality and Availability because, well… we should. Indeed, our data center providers have their own SOC 2 Type II audits too.

So if you are looking for a Zimbra and/or Private/Hybrid Cloud provider who works hard every day to keep your data safe, please give us a call at (207) 772-5678.

Take care!
Mark
CIO