Security | Adaris Technologies http://www.adaris.ca IT consulting: Microsoft, Novell, , NetIQ Mon, 02 May 2016 17:47:42 +0000

The USA PATRIOT Act and the Canadian Dilemma
http://www.adaris.ca/the-usa-patriot-act-and-the-canadian-dilemma/
Tue, 07 Jul 2015 16:38:00 +0000

Disclaimer: Ok, let’s get one thing straight right off the bat – I am NOT, by any stretch of the imagination, a lawyer or even a subject matter expert on the question of access to data. I am an IT professional who keeps hearing customers say that they don’t want to use services such as Office 365 because they don’t want their data hosted in the US. They are afraid that the USA Patriot Act means that US authorities can peek into their data whenever they want, so I decided to just do a bit of research (not exhaustive by any means!) to see what came up about that. It was a little surprising.

First off, a little trivia:

The term USA PATRIOT Act is actually an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act.

Who doesn’t love a good acronym?

Now, let’s get down to what I found.

The first article I came across was by Timothy M. Banks. In his article titled Cloud Computing and the USA Patriot Act: Canadian Implications, Mr. Banks clarifies that the Canadian Criminal Code already permits the seizure of electronic data:

this legislation has led the Office of the Privacy Commissioner of Canada to conclude in three decisions not only that Canadians are at risk of personal information being seized by Canadian governmental authorities (including without the knowledge of the target), but also that there is already a risk of that information being shared with U.S. authorities.

So there you go. A first indication that your data may not be as safe as you think even if it’s in Canada.

Then, I came across this FAQ on the Government of Canada’s own web site: Frequently Asked Questions: USA PATRIOT ACT Comprehensive Assessment Results. Significantly, question #6:

Has there been a case where personal information about a Canadian was accessed under the USA PATRIOT Act?

The federal government is not aware of any such case to date.

Ok, so it’s not like this is happening on a daily basis…

A little more digging, and I found references to David Fraser, a Partner at McInnes Cooper in Halifax, Nova Scotia. Mr. Fraser specializes in Internet technologies and privacy. In this IT World article titled Don’t use the Patriot Act as an excuse, Mr. Fraser states that

The U.S.A. Patriot Act has become short for “Oh, we can’t use the cloud”

In another article – Keeping data here no protection against US: Lawyer – he says:

The Patriot Act is a “boogey man”,… The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders

Interestingly, that article contained a link to another one, where Mr. Fraser warns that there are security issues much bigger than “the cloud”: Never mind the Patriot Act, watch your thumb drives. Too true!! It’s incredible that still today, so few organizations have clear policies or tools to manage data loss through these tiny little storage devices.

More digging, and I came up with this Government of Canada page: Summary of Submissions to the Lawful Access Consultation, where it clearly states that:

For the police, this involves the lawful interception of communications and the lawful search and seizure of information, including computer data. Lawful access is a specialized tool used to investigate serious crimes, such as drug trafficking, money laundering, smuggling, child pornography, and murder. Lawful interception of communications is also an essential tool for the investigation of threats to national security, such as terrorism.

In other words, even if your data is on your own server, locked in your office, authorities can still get to it if they suspect you of illegal activities!

And there have been enough examples of that in Quebec in the last couple of years:

Municipalities, mayors, notaries, engineering firms – all had data seized from their offices by the anti-corruption unit in this debacle.

My personal conclusion: unless your organization is doing something highly illegal, there should be no reason to fear using services like Office 365. And if you are into illegal activities, chances are that the authorities will be able to get to your data, no matter where it is!

Calgary Girls School – Novell Solutions Drive the Clouds Away
http://www.adaris.ca/calgary-girls-school-novell-solutions-drive-the-clouds-away/
Tue, 14 Jan 2014 03:13:17 +0000

It’s no secret that in the past 4 to 5 years, more and more schools and school districts have moved to cloud-based services, the most popular of these being Google. I keep coming across multiple reasons for this: less infrastructure to manage, less expensive, “it’s what the teachers wanted”, etc. Calgary Girls’ School (CGS) was no exception: they moved to Google Apps several years ago and had no more on-premise file or email services.

Judi Hadden became principal of the school 3 years ago, coming from an educational organization that still had on-premise network services; she was surprised to see how all of the school’s data was being stored in the cloud – emails, documents, everything was in Google’s hands.

“I was very uncomfortable with that,” she says. “I was worried about privacy issues, safety; the whole idea that we had absolutely no control over rights, permissions, just who was doing what with all that data. It was all completely out of our hands.”

About a year later, Hadden brought on Joel Melashenko as Director of Technology. With an extensive background in education as well, he shared the same concerns about the use of cloud-based services. “I feel like we were just guinea pigs for Google; they want us to hand over all our data to them and trust them with everything. Despite all the reassurances, agreements, terms and conditions, I have a really hard time with this. All of these cloud services host our data outside of Canada, and therefore our privacy laws do not apply.”

The whole Edward Snowden saga certainly didn’t help reassure CGS that their data is safe from prying eyes. “Oh, people are watching!” says Melashenko. “Just a little while ago, one of our students posted something fairly menacing on Twitter; within a couple of minutes, we had a call from  a watchdog group in Washington D.C., warning us about the tweet. While in this case the outcome was positive, it demonstrates just how vulnerable we are in the cloud.”

So in the summer of 2013, Hadden and Melashenko decided to migrate out of Google and back onto on-premise services. They installed some Windows 2012 servers to provide file and print services, as well as Exchange 2013 for email. They moved all of the users’ files back onto the local servers, and migrated all of the emails into Exchange.

“Now, you see, that’s one thing people don’t think about in ‘the cloud’,” muses Melashenko. “There’s no such thing as a shared network folder. People just share files and folders with whomever they want. After we migrated the files onto our local servers, we had a lot of users complaining that ‘Hey, I had a lot more files and folders than this!’ We had to explain to them that ‘No, you had files and folders that were shared with you!’ It’s a whole other paradigm that I think a lot of organizations don’t think about: who owns the files? The users? Or the organization? What happens when a user leaves and you want to delete their Google account? All those shared files and folders are going to go where, now? Maybe this isn’t as relevant for students, but think about administrative and support staff: student evaluations, psychological evaluations, budgets and business plans, etc. How do you structure these things in a free-for-all cloud environment and ensure continuity when there are staff changes?”

“We just think it’s a better approach to maintain control over our data and teach our users to be good ‘digital citizens’,” says Hadden. “We’ve taught them how file systems work, how having shared folders on a network makes more sense than ad-hoc individual shares. Of course, it also allows us to better protect the school’s data by assigning the rights and permissions properly and controlling access to it. We now feel better knowing that we control who has access to what on the network.”

“We’ve worked with our staff and students,” she continues, “and have been teaching them about being ‘ethical digital citizens’. It has certainly paid off: we’re seeing our girls now making better decisions about what they’re doing with technology than a year ago. We have built awareness of the consequences of giving up personal information.”

At the beginning of the school year in September 2013, everyone started working with the new infrastructure. Everything was working well, and everyone was happy.

But there was still one piece of the puzzle missing: how would users now access their files from outside the network? All the files were now stored on Windows servers, but how could CGS provide access to these files from home, or from mobile devices?

“That’s where the Novell solutions come into play,” says Melashenko. “We met with Adaris back in November, and they talked to us about Novell Filr. It was exactly what we were looking for. Not only could we now provide Dropbox-like services to our users, but because Filr sits inside the network, it can also expose users’ Home directories as well as any network folder we want! We can control whom we expose these folders to, and to top it all off, Filr respects the file system rights we already had in place. Brilliant!”

“They also showed us Novell iPrint, which would allow us to print to any of our existing network printers from our mobile devices; we figured that would beautifully complement Filr and provide a more complete mobile solution. Our users have been loving it and the enthusiasm around the solutions has been great.”

“We realize that we seem to be going against the trend of moving to the cloud,” says Hadden, “but the reaction to what we’ve done has actually been astonishing. We’ve had many calls from other schools and school districts who share the same concerns that we had and are rethinking things. At a recent conference for technical coordinators in Alberta education, the keynote speaker began with the question, ‘Are you concerned about student information in the cloud?’, and it triggered off a huge discussion, where the overwhelming feeling was ‘Yes, we are concerned about this!’ In British Columbia,  privacy laws strictly forbid public organizations – including educational – to store data with cloud service providers outside of Canada. The mentality out there is therefore very different – similar to ours here at CGS – and they cannot understand how educational organizations can permit users to store anything they want in the cloud.”

It should be noted that neither Filr nor iPrint requires a traditional “Novell” network infrastructure; as the CGS story shows, the school had a pure Microsoft/AD environment. Novell solutions integrate natively with either Novell/eDirectory or Microsoft/AD infrastructures.

“The Novell solutions have been working really well, and user adoption has been quick; we’ll certainly be looking at what else they have to offer!” says Melashenko.

Find out more here about the solutions: Novell Filr & Novell iPrint

Loss of Sensitive Data Easily Preventable
http://www.adaris.ca/loss-of-sensitive-data-easily-preventable/
Tue, 07 Aug 2012 16:27:19 +0000

USB thumb drives – currently, they are still the easiest and most accessible way to physically store and transport files.

Their size makes them easy to misplace and lose; their inexpensive price is such that we don’t care if we do. We simply go out and buy another one, or reach into our drawer for one of many that have been given to us over the years. No big deal.

However, if the USB thumb drive contains the personal information of over 2 million voters in 25 ridings, losing such a device might be more of an embarrassment. Such was the case with Elections Ontario.

See the full story here, and here.

Now, you would think that such information would be properly protected, especially coming from a government organization. The two devices that were lost, however, were not encrypted and the data stored on them was not protected in any manner. In this particular case, the biggest fallout for Elections Ontario is that they will lose the confidence of voters, something they don’t really need at a time when voter turnout is already low.

Imagine the impact, however, if this data loss had happened to a business – either private or publicly traded – that was working hard to market and sell its products and services. The impact of such a loss could be devastating.

The story broke in July, and as I sat there watching the TV report I couldn’t help but shake my head. With the wide availability of tools and security measures available in today’s IT industry, there is simply no excuse for this type of security breach. There is a wide choice of solutions out there, including Novell’s ZENworks Endpoint Protection Suite, which recently received a rating of 5 stars out of 5 from SC Magazine.

This is the fifth year in a row for ZENworks Endpoint Security Management to receive 5 out of 5 stars. This year is different though. By adding ZENworks Full Disk Encryption to create this Suite, we now have validation that Novell offers a feature rich, robust, easy to use and implement Endpoint Security solution.

– Chris Gacesa, Senior Product Manager / Technology Champion at Novell

ZENworks is easy to deploy and use; for example, an administrator could create a policy to ensure that all USB storage devices are encrypted:

It takes about 30 seconds to create such a policy, and maybe another 60 seconds to assign it to your devices. Such a simple thing to do that could prevent so much trouble!

There is, simply put, no excuse for any organization to find itself in this position today!






Full Disk Encryption for the Enterprise
http://www.adaris.ca/full-disk-encryption-for-the-enterprise/
Wed, 06 Jun 2012 00:28:06 +0000

So, when you leave your house – either for the day to go to work, or when you go on vacation – do you make sure to close and lock all of the doors and windows? The furniture, the TV, the sound system – if someone breaks in and gets away with any of this, it’s a hassle, but the insurance company will replace it.

But it’s the wedding pictures, the travel mementos, the family heirlooms and all that valuable content that just cannot be replaced. The anger that can result from such a loss makes us wonder what more we could have done to protect these valuable assets.

That’s why, when we leave the house, we don’t leave the doors open. We lock everything and set the alarm.

And yet, most organizations, when they provide laptops to their end users and send them out into the world, do just that – leave the doors wide open. There still seems to be a lot of the “that can’t happen to me” mentality. You’re wrong. The 2010 / 2011  CSI Computer Crime and Security Survey reports that 33.5% of targeted attacks are laptop / mobile device theft.

Whether authorized or not, employees will often carry sensitive corporate data on their laptops. Recent examples from www.privacyrights.org include:

  • The March 30 theft of a physician’s laptop resulted in the exposure of personal information. The physician had violated VA policy by placing the personal information on his own laptop.  Veterans may have had the last four digits of their Social Security number, discharge date, and medical provider name exposed.
  • A Boston Children’s Hospital employee misplaced an unencrypted laptop during a conference in Buenos Aires. It contained the names, dates of birth, diagnoses, and treatment information of patients.
  • A laptop went missing from a physician’s office sometime between March 16 and March 20 of 2012.  The laptop contained patient outcomes data from patients in the adult ICU from 2000 to 2008.  Patient names, race, age, dates of admission and discharge from the Intensive Care Unit, and results of treatment may have been exposed.
  • January 23, 2014: a major medical information breach comes to light – an unencrypted laptop is lost that contains private information for 620,000 Albertans. “The database and the laptop were both password protected but the laptop hard drive was not encrypted. The company has now put encryption software on all its laptops.” Too little, too late.

One very famous incident at the Department of Veterans Affairs ended up costing them $20 million!

Novell’s ZENworks Full Disk Encryption allows organizations to easily and transparently encrypt users’ hard drives. At the University of Minnesota Physicians, who had already been using ZENworks to manage their endpoints, the desktop administrator started encrypting drives as soon as it was released with ZENworks 11 SP2. When I asked him how that had been going, he said that users did not even realize their drives had been encrypted. Once he applied the policy, the laptop just needed to be rebooted and the drive was encrypted in the background – so far, not one user had complained about any impact on performance.

How easy is it? Just create a policy:

[Image: FDE Policy]

Then set up the encryption you want:

[Image: FDE Policy Details]

And finally, associate the policy with individual workstations, workstation groups, or even users:

[Image: FDE Policy Association]

It took – literally! – about 2 minutes to create this policy and associate it. Nothing to deploy to the workstations: ZENworks uses one single agent for all of its functionality.

Coupled with ZENworks Endpoint Security Management, you can ensure that any sensitive data is properly protected and accounted for when you provision your users with laptops.

Some reminders about ZENworks:

  • ZENworks is not dependent on a Novell infrastructure – it also integrates natively into Microsoft/AD environments!
  • All components of ZENworks are managed through a single web-based console and use a single adaptive agent on the endpoints!

If you want to find out how ZENworks can help you secure your endpoints, download this document, which briefly goes over the features of ZENworks Endpoint Security Management.





Adobe Releases Security Update
http://www.adaris.ca/adobe-releases-security-update/
Tue, 17 Aug 2010 19:15:41 +0000

Adobe is expected to release an out-of-band security update today to address a problem with its popular Reader software. The exploit allows an attacker to corrupt a PC’s memory by delivering a PDF with a specially-crafted TrueType font.

Now… how quickly can you deliver this important patch to all of your desktops? If you had ZENworks Patch Management, this kind of news would make you yawn. You would simply log in to your console, highlight the patch, set up the deployment and then go home to your wife (or husband!) and kids for a nice supper.

Read the full article here: Adobe to rush patch for newly discovered flaw

Are YOU Dealing with a Weak Hull?
http://www.adaris.ca/are-you-dealing-with-a-weak-hull/
Mon, 12 Jul 2010 20:09:25 +0000

Until the wreck of the Titanic was discovered in 1985, historians had always assumed that the iceberg it hit had torn a gash in the ship’s hull. The side of the ship that hit the iceberg is now buried under the ocean floor, but scientists were able to use sonar technology to examine the area. It was discovered that the hull had actually buckled from the impact with the iceberg, allowing water to fill the lower compartments.

Small pieces of the Titanic’s hull were brought back to the surface and analyzed. It was found that the steel contained high amounts of phosphorus and sulphur, which make it susceptible to fractures in low temperatures. In other words, the steel used to build the hull was inadequate for use at low temperatures! This seems strange since this ship was, after all,  meant to navigate the cold North Atlantic waters.

Additionally, it was found that the rivets holding the hull’s steel plates together were much more fragile than once thought. According to Wikipedia:

“scientists found many to be riddled with high concentrations of slag. A glassy residue of smelting, slag can make rivets brittle and prone to fracture. Records from the archive of the builder show that the ship’s builder ordered No. 3 iron bar, known as “best”—not No. 4, known as “best-best”, for its rivets, although shipbuilders at that time typically used No. 4 iron for rivets. The company also had shortages of skilled riveters, particularly important for hand riveting, which took great skill”

In the end, it can be argued that hitting the iceberg was what sank the great ship; however, we now know that poor construction also played a critical role.

There are many “icebergs” floating around your network: hackers, viruses, trojans, malware, etc. The question is: how strong is your hull? Is the steel strong enough? Are the rivets just “best” or “best-best”?

If you’re not keeping your systems properly patched, then you’ll be in danger when you hit an iceberg. Notice that I said when, and not if.

I’ve written about this before (“You Get What You Pay For”), but I’ll say it again: if you’re just relying on Microsoft’s WSUS server to patch your systems, you are providing inadequate protection to your servers and workstations!!

Proof? Again this week Adobe released a security update to address 17 flaws in their PDF Reader and Acrobat. Read the story HERE <<— How are YOU going to deploy this update to your workstations in a timely manner?

ZENworks Patch Management provides a complete solution that ensures that all your systems are properly patched in order to avoid being compromised. It allows you to manage and deploy patches for more than 40 vendors.

Consider this:

Compared to a manual approach, ZENworks Patch Management reduces labor by over 90% from 4,447 to 392 estimated hours annually.

For example, you can create baselines for groups of devices so that any device added to this group automatically inherits all required patches in order to meet your security policies.

Call or e-mail us in order to find out more about the ZENworks family of products.

Security Step One: Clean House!
http://www.adaris.ca/security-step-one-clean-house/
Tue, 06 Jul 2010 16:55:05 +0000

There’s a reason our great-grandparents used to hang their rugs outside and beat them with a stick: it got the germs and microbes out!

Once or twice a year, the rugs would be taken out, hung on a line and beaten with a stick. Although some rug cleaning “experts” of the day did not recommend this practice – “it tends to loosen the fibers of the rug” – our great-grandparents knew that it was essential in order to maintain a healthy home environment.

No one could see those microbes hidden in the fabrics of the rugs, but evidently, they were enough of a nuisance that in May 1930, the French authorities decided that there should be no more rug-beating after 10:00AM, since it left too many microbes in the courtyards!

“And this has what to do with security?” you ask.

Well, our experience shows us that there are “microbes” living in your corporate network directory!

They go by various names:

  • Expertus Ratio: the “Test Account”. Often used by your own IT staff to test new services or deploy software, these accounts are often left behind once the tests are completed.
  • Novus Ratio: the “Unused Accounts”. These are normally left behind by employees who are no longer with the organization.
  • Terrenus Ratio: the “Temporary Accounts” that are often created for external consultants, temporary employees, interns, etc.
  • Muneris Ratio: the “Service Accounts” created by applications and services installed in your network.

It doesn’t matter which directory is in use – Active Directory, eDirectory, or any other – most administrators we talk to admit that some of these “microbes” exist in their corporate directories. These microbes can be very hazardous to the health and security of your network; they’re often what hackers use to gain unauthorized access to your digital assets.

When I ask network admins about these microbes, I almost always get the same type of response; it goes something like “Yeah, we do have some of those, and I’ve been meaning to take the time to go through them.” But most don’t. Until something happens, at which point the guilt-ridden “I-Should-Have-Taken-Care-of-This!” monster comes around and pokes fun at them.

So before you even start considering identity and access management solutions, or any other security devices or systems, take action:

Stop Should-ing, take your directory out, beat it with a stick and get those microbes out!!
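
One way to start that clean-up, as an added example that is not part of the original post: a small audit over a directory export that sorts enabled accounts into the four "microbe" families listed above. The CSV column names, the naming prefixes, the 90-day staleness threshold and the sample rows are all assumptions constructed for illustration; map them to whatever your directory (Active Directory, eDirectory, or any other) actually exports.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a real
# tool's output format.
SAMPLE_EXPORT = """\
account,enabled,last_logon,expires,owner,description
jsmith,true,2010-06-28,,jsmith,Accounting clerk
test_deploy01,true,2009-11-02,,,Software rollout test
mtremblay,true,2009-08-14,,mtremblay,Left the organization
tmp_consultant3,true,2010-05-30,2010-04-30,,External consultant
intern_summer09,false,2009-08-28,2009-09-01,,Summer intern
svc_backup,true,2010-07-05,,,Backup agent
svc_printq,true,,,helpdesk,Print queue service
"""

# Naming conventions are assumptions; adjust the patterns to local practice.
TEST_RE = re.compile(r"^(test|tst|demo)[_\-\d]", re.I)
TEMP_RE = re.compile(r"^(tmp|temp|intern|consult)[_\-\d]", re.I)
SERVICE_RE = re.compile(r"^(svc|service|app)[_\-\d]", re.I)


def parse_date(value):
    """Return a datetime for YYYY-MM-DD, or None for an empty field."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def audit(export_text, today, stale_days=90):
    """Return {account: [findings]} for enabled accounts that need review."""
    cutoff = today - timedelta(days=stale_days)
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: cannot be used to log in
        name = row["account"]
        last_logon = parse_date(row["last_logon"])
        expires = parse_date(row["expires"])
        findings = []
        if TEST_RE.match(name):
            # Test accounts: any enabled one is a finding.
            findings.append("test account still enabled")
        elif TEMP_RE.match(name):
            # Temporary accounts: must carry an expiry that is still ahead.
            if expires is None:
                findings.append("temporary account without expiry date")
            elif expires < today:
                findings.append("temporary account past expiry")
        elif SERVICE_RE.match(name):
            # Service accounts may log on rarely, so staleness alone is weak
            # evidence; an unowned or never-used one is the review item.
            if not row["owner"]:
                findings.append("service account with no owner")
            if last_logon is None:
                findings.append("service account never used")
        elif last_logon is None or last_logon < cutoff:
            # Unused accounts: ordinary users with no recent logon.
            findings.append("unused account (no logon since %s)"
                            % cutoff.date())
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, datetime(2010, 7, 6))
    for account, findings in result.items():
        print(account, "->", "; ".join(findings))
```

The output is a review list, not a delete list: each flagged account still needs a human to confirm it is no longer needed before it is disabled.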

Gartner Survey: CIOs Report Identity Management is #1 Priority
http://www.adaris.ca/gartner-survey-cios-report-identity-management-is-1-priority/
Wed, 23 Jun 2010 15:11:44 +0000

S E C U R I T Y

When talking about IT, “security” means different things to different people:

  • Anti-virus
  • Firewalls
  • Intrusion Detection
  • Event Logging
  • Data-loss prevention
  • etc

This year, though, CIOs are saying that Identity Management is the top priority. Combined with a recent report that shows that deploying Identity and Access Management solutions has a very short ROI, that bodes well for firms like Adaris that have great solutions to offer customers!

See the article here.
