LANVERA’s System Engineering Team – 2018

“NIHIL SINE MAGNO LABORE”
– Translated ‘Nothing Without Hard Work’

Rebuilding technology is no small feat.  It takes people who are willing to work the extra hours, have the attention to detail, put their technical skill to the test, and work with peers who expect the same.  It takes a team.


\\ JMM

Information Security Preventative Measures

By US Department of Homeland Security, United States Secret Service
NTX ISAA Cyber Security Conference, November 10, 2018

  1. Employee Awareness and Training
  2. Strong Filters
  3. Email Scanning (Incoming and Outgoing)
  4. Firewall Configuration
  5. Network Segmentation
  6. Software Updates
  7. Scheduled AV Scans
  8. Configure Access Control (Least Privilege)
  9. Disable Remote Access
  10. Software Restriction Policies

Please check out these conference notes and consider attending going forward.  Amazing event and a lot of content shared.

\\ JMM

“Secure” is not a binary, black-and-white thing.

“Secure” is not a binary, black-and-white thing. Instead, it’s about risk management. Instead of asking whether something is secure, it’s better to ask whether it is “secure enough for such-and-such purpose”. – Quote from Crypto Stack Exchange, August 2013

I seem to be talking a lot about security these days.  Not only in my professional life, but in my personal day to day.

I am considering shifting my family from Windows phone over to Android, despite the personal pains supporting this ecosystem that worked flawlessly for me for many years.  The security conversation in this context is rife with opinion and observation from friends and colleagues.  Everything from Android’s inherent security challenges to hackers leveraging Google Play to distribute bad wares.  Admittedly, I will lose some sleep knowing my family’s desire to load hundreds of apps.

Getting the Microsoft ecosystem connected onto an Android phone requires passwords and access to applications that will not be understood as to why.  Just going through the motions.  For example, the password vault we’ve been using in my family worked only on Windows phone.  We need to consider what tool works well in the Android space, ease of transference, and retraining my family members to use this tool.  Further, vaults need access and will prompt if it can obtain rights to reach or access areas of the operating system.  Another situation rife with chance of malfeasance.

When I researched a deck on security back at Santander, I found the above quote and it immediately returns to mind when I talk security in both spaces today.  Many organizations take a harder line to reach the goal of “secure”, damn productivity and usability.  Compliance works for larger organizations under audit scrutiny.  But many companies do not operate in those industries.  Neither do families.

Nevertheless, when I look at technologies, you have to look at the people at the helm.  Combined, risks can be pondered and formulated. And after thoughtful interaction and use cases, discussion with the people using the technologies, making the arguments pro and con, can you make the right decision for those users.  Oftentimes, technologies are secure enough when powered by security-conscious people.

My recent thoughts on the matter.

\\ JMM

Rob England IS the IT Skeptic

“You don’t change culture team by team or app by app. You don’t get to pick and choose where you DevOps. You can do it for a while – operating bi-modally – in order to experiment, to allow new ways of working to incubate, but it is essential to converge quickly. DevOps is not a piecemeal tool, it is an organisational transformation.” – The IT Skeptic Blog, July 22, 2017

This blog isn’t about DevOps.  There are now thousands to choose from with authors of all walks.  This blog is about Rob England and his blog, The IT Skeptic.

If you haven’t read this blog, start.  It’s a must read.  In fact, I’ve spent evenings rolling through his old content to follow his train of thought in the hottest topics all IT shops struggle with:  How to do IT service delivery, effectively.  It’s an art.  It’s not simple.  And done poorly, costs organizations dearly.

I do not have a recommendation where to start.  If you read his last blog, currently on December 5, 2017, it’s titled, “Project Management was the worst thing that ever happened to IT”… Wow.  And right on target.  Do organizations think this way?  Most cannot.

\\ JMM

Companies Expect Updated Information Security Documents

“Below is a list of documents that is requested by a vendor management company.   Information Technology needs to be able to provide these documents on demand:

-Information Security Policies (Current)

-Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing) (Current)

-Incident Response Policies with client notification protocols (Current)

-Disaster Recovery/Business Continuity Plan(s) (Current)

-Disaster Recovery Testing Results (Current)

Whether it is a partnership, vendor relationship, or just being a customer, it’s no longer unusual to get asked how companies treat security.  Risk Management surveys include questions like, “Has your company been hacked in the last 12 months” and “What was your incident response plan to the breach”.

Where to go to get this stuff?  Where do you keep it?  How to manage?  Many larger companies hire the talent to write it.  Alternately, resources exist that can help with what is needed to cover.  Here are a couple of resources:

I have used all three in my career with success.  Managing these documents should be no different than other IT policies.  In other words, manage collectively with yearly reviews and periodic changes as the organization matures.

What tools or resources have you used to help write security documentation?  Drop me a link to add to the list!

\\ JMM

Challenging IT “Enablement”

“I don’t want my guys to be technical. That’s your team’s job.”

Imagine if Information Technology pushed “day-to-day support” to the business. Before you shoot this idea down, the concept is already actively being embraced by many smaller technical companies. Go read “A Year Without Pants”, by Scott Berkun, the story of WordPress.com where this idea and other evolutionary collaborative work space ideas have roots.

I call it, “IT Enablement”.  A focus on giving people the tools and trust, with strong oversight and governance from IT.  The alternative is zero trust, which is the popular direction for a majority of risk-averse IT organizations.  Enablement is a philosophical challenge to today’s status quo and not embraced by many.

As with all disruptive ideas, success is determined through buy in and culture. So, when a strategic directive to eliminate the necessity for a help desk landed, we responded with goals to enable business units with a heightened degree of endpoint control while IT provides just governance and security controls.

Long story short, this direction bombed. I wish to write to talk briefly about what happened and why.

Problem 1.  A Misunderstanding.  As often happens in leadership meetings, it’s often not what’s said, but what wasn’t.  In the discourse, I realized that my interpretation of what our senior leaders want translated to situations that put IT directly in opposition with our conventional business leaders.  How so?  Read on.

Problem 2.  A Revolution.  As this new direction took flight, did I prepare leaders?  Socialize this direction?  Align to goals or strategy?  Not satisfactorily.  In fact, the culture shift attempted occurred at the send of an email:  Effective immediately, support responsibilities are owned by our end users.  And as you might have guessed, leaders did not embrace.  In fact, we were criticized in town hall and by other leaders.  A series of ouch moments.

Problem 3.   Road map to Transformation.  About this time, IT leaders met and realized the bigger challenges in front of us, based on our misread and failed embrace of technical ownership.  The ‘digital transformation’ was born.  Here is our transformation road map:

Solution 1.  Simplify The Landscape.  From policies, standards, and procedures to technology, software, and networking.

Solution 2.  Monitor & Transparency.  Every single thing in IT should be measurable.  A tool will not just focus on measuring and reporting, but giving our technical support teams access for transparency.

Solution 3.  Education and Consult.  Information Technology should be consulting our business leaders, educating our people, and establishing the knowledge culture.  A baseline of technical skills and measuring the values of providing.

The goal:  To eliminate the help desk (Level 1) by 2020.

This blog took me more than a few weeks to write.  How to talk about a subject like this is not easily done nor written about.  And our journey about this topic consumed 3-4 months.  Upon reflection, it was a difficult time.  However, it was worth the attempt, I learned quite a bit from many leaders with legitimate perspectives, turning this fail into learning moments.

If you have successfully put to rest your IT help desk and embraced Enablement, please write me.  I would love to learn how you did it and challenges faced…

\\ JMM

The Technology Roadmap…

One of the masterful ideas contributed by Steve Moore, Director, IT Operations, at Santander Consumer USA, was introducing the Technology Roadmap.  This tool is not just about tracking what technology is owned, but serves a very specific purpose:  managing upgrades, identifying risk, communicating timeframes.

If you’re looking for a way to set up transparency in IT systems engineering and communicate timeframes with leadership, this tool accomplishes that aim.  If you need to report to auditors the review cycles and pros/cons to the versions, this tool meets that need.

You can find this tool here.

\\ JMM

Status Of Lanvera: Confidence Is Building…

August is my three month mark working at LANVERA. The IT transformation is in full swing and much of the work we have been working on is being felt.  The leaders report three months of network infrastructure stability and confidence is building. This is good for morale across the organization and I am humbled by the hard work.

Our highlights to this point are:

  1.  We hired our security-focused system engineer, Jeromey Lange.  A seasoned technical veteran and leader, Jeromey is going to bring a dimension to the team to reinforce the DevOps culture Steve Taff and I are trying to build.  Certifications include VCP, MCSA, MTA, ITILv3, and Tintri.  He is going to take on Alien Vault USM and run our security practice. A next level player.
  2. The commitment to VMWARE NSX and SDN. With heated discussion and negotiation, the engineers are taking on VMWARE’s NSX technology. We’ve chosen Mobius to partner with us to lead us through our NSX rollout. This milestone is particularly significant, as our hope is that this decision will see meaningful gains as our DevOps platform.
  3. Workstation Technology Refresh project kicks off earnestly with work on hardware standards and continued support to develop on the Microsoft platform. Considerable time being spent working the requirements and desired specifications nets decisions of continued use of Dell hardware.
  4. McGuire Solutions has wrapped up the network engineering work and submitted his recommendations. The physical network is comprised of mostly security components on a Cisco Nexus backend. Greg’s team will be engaged to realize the solution starting in September!
  5. Investment in Coppell’s datacenter. We will be upgrading the internal infrastructure to uplift the technology foundation. Examples are patch panel rewire, electrical re-wire, electrical redistribution, and upgrading to cabinets.

Always forward!

\\ JMM

Obtains Certification = Display Knowledge = Shows Confidence

“The good news is that certification provides you with a verified foundation of expert, real-world knowledge to build on, so you’ll be ready to ramp up on the job 39% faster than your peers. If you’re still not convinced, 38% of IT pros said that certification helped them perform complicated tasks more confidently. It’s science.” – Born To Learn Blog

We’ve agreed as a team that there is a need for baseline competencies. That skills and experience are vital to our success. If any one area lacks, the team has to compensate for our weak areas that we accepted. When those weak areas accumulate because we couldn’t trust team members to perform complicated tasks, the team fails.

As such, we’ve made a bold move to mandate VMWARE VCA DCV certification as a baseline team member qualification. Expectations laid to stay current. We are implementing advanced VMWARE technologies and there is too much risk to bring in unskilled people.

Goal: Everyone on the team has VCP, MTA, and Nimble certifications.

Before And After Certification

\\ JMM

60 Days: It’s Go Time!

“Does anyone have any questions on where we are going and your role how to get us there?  No?  It’s go time, team.  Always forward!” – Jonathan Merrill

Here we are at the 60 day mark and we are looking back with awe and anticipation. Although this isn’t the exhaustive list, the highlights are:

1. We hired our system engineering architect, Sonny Mendoza. A US Navy and IT veteran, he brings deep expertise in both the VMWARE and Microsoft stack. A proponent of VEEAM and NIMBLE, two complementary technologies currently in house. His experience in both the SMB and large enterprise space is evident in his questions and answers. He has been an amazing addition to the IT team, bringing in sage experience, a positive energy, and can-do attitude.

2. Wrote and implemented IT maintenance policies focusing on patching and security remediation. The policy includes a change freeze period, quarterly reviews and update schedule, and architectural review. Formalizing maintenance was the first step in establishing a relationship and accountability with teams testing patches and reducing risk. Establishing a schedule communicates when IT infrastructure will be updated so development and print operations have down range visibility, setting reliable expectations.

3. Implemented enterprise password management. Our specific requirements were password sharing with teams, role based access control, automatic password rotation, password auditing and history, Active Directory integration, and high availability. We migrated from a KEEPASS situation to Click Solutions’ Password State.

4. Implemented the enterprise auditing solution. Speaking to vision, the solution needed to give unprecedented transparency to all teams as we marry up audit data with change management practices and enabling a better support visibility across all teams. Netwrix Auditor is a best of breed tool and is supremely designed for SMB organizations. Microsoft space initially targeted. Additional work still to go covering VMWARE, Exchange, SQL, and networking.

5. Implemented an asset-focused network management tool. Many of my former team members won’t be surprised, but I am a firm believer of LANSWEEPER and giving teams access to manage their resources. This tool gives teams a bird’s-eye view of what’s installed, what errors exist, and health of resources applied. When we rolled this out, teams were pleasantly surprised at what’s going on and assists in the troubleshooting of issues. Now we are collaborating.

6. Exited out of CenturyLink’s hosted services. We are continuing to evaluate our strategic partners and aligning to goals. No fault of CenturyLink, we determined to go another direction. We thank them for their stellar services provided.

7. Implemented the ORC process. Documenting systems should be a part of our DNA. This process enforces the C (Culture) and S (Sharing) in CAMS. We asked for leadership buy in and got it, trained teams, now set goals. 100% by Jan 1.

8. Implemented Death By Meeting’s, “Tactical” and “Stand Up”. Next up is strategic. Goal: Lower adhocs.

All this in 30 days! And doesn’t include the projects in flight. Here are some quick bullets of things we are building:

  • Workstation Technology Refresh. Uplifting the workstation platform, bringing in new tech.
  • Active Directory Refresh. Cleaning up the past, rolling out RBAC, and enabling teams. Trust, but verify.
  • Network Refresh. Rethinking wireless, local area, and wide area networks. SDN for the win.
  • OpManager Proof of Concept. Manage Engine’s solution is comprehensive. Amazing value for what is delivered.
  • Splunk Proof of Concept. Can anyone argue that Splunk isn’t an amazing tool? Evaluating its place.
  • Alien Vault USM Proof of Concept. Having had experience with Nessus, Qualys, Nexpose, Alien Vault is a challenger.
  • Data Operations Proof of Concept. Automating core functions internally. Managing 10k scripts or jobs requires control.
  • Intranet / Employee Portal.  Rethinking SharePoint’s place.

It’s go time.

\\ JMM