Thoughts on DLP in modern business…

May 17, 2013 Leave a comment

What does it mean to implement DLP? As far as I have seen, each vendor has its own view on how to enforce DLP within the organization and how to manage it.

What brought DLP to the surface is a discussion I had with one of my customers about DLP enforcement and how to manage it within his infrastructure. While reviewing email encryption solutions from Sophos and Symantec last week, I found that each vendor has its own concept, if we may call it that, of DLP and of how to manage and enforce it.

First, let me state my own view of DLP: DLP is a technology that helps the organization own its information/data and prevent that information/data from leaking out.

Modern information/data is stored in different locations now, some examples:

- ERP/CRM data.

- Email, Office files, PDF documents.

- SharePoint and similar portals.

- Laptops, USB memory sticks, and portable hard disks.

Helping any organization control data in the above sources is not easy and can be done in several ways. Based on my findings, I will share some thoughts with people thinking about rolling out DLP in their infrastructure:

- DLP is not controlling physical ports (USB, serial, FireWire ports, etc.).

- DLP is neither DRM nor encryption.

- Permissions help in controlling data access, but once the data is accessed, a malicious consumer of the data could share it with 3rd parties or leak it out, either intentionally or unintentionally.

- Internal users do most of the hacks/leaks.

- Encrypting the data might help with DLP, but it will not help in controlling what happens if a malicious user decrypts it or the encryption algorithm is broken. Also, encrypting the data might not help when the organization needs to share all or some of the data with an authorized 3rd party.

- If the IT department secured physical ports/access, what about leaking the data out using corporate email or, worse, personal email?

- How will you classify data as corporate, and how will you classify data as non-corporate?

- Data classification is suitable for data stored in shared folders, but what about data in SQL/Oracle databases, or data copied from documents and sent as email?

- How will data be shared with 3rd parties and secured outside the organization’s circle of control?

- Monitoring, logging and alerting, and feeding other 3rd-party security applications used by the security team.

- What about the end-user experience? Do we need any input from users?

- What about data in the cloud?!

As you can read from the above, DLP will never be a single solution/technology; DLP is a mix of solutions, technologies and processes that govern the data inside the corporation.

I hope the above thoughts shed some light and ring some bells when you think about DLP.

Dude, What are the 5 elements I must consider in my virtual machine backups?

April 26, 2013 3 comments

The new business demands and challenges have pushed IT organizations and pros to rush into virtualization/cloud technologies; with this push comes a huge challenge in selecting the proper backup method and spotting the key factors to consider when designing backups for virtual machines.

To help you address this challenge and spot those points, we will release a white paper that identifies the key elements to consider when backing up and recovering virtual machines and explains them in detail.

It covers topics like agent vs. agentless backup, unified vs. virtualization-specific backups, data deduplication (how and when) with virtual machines, large backup sets, granular vs. single backup/restore sets, plus critical tips for applications (AD, SQL and Exchange), hypervisors (VMware/Hyper-V) and the network layer.

This unique white paper was written by a group of the best minds in the applications, virtualization and backup worlds. The authors are:

  • Thomas Maurer: Thomas is a Hyper-V MVP, well known for his contributions to the System Center, Hyper-V and cloud community.
  • Mikko Nykyri: VMware vExpert and virtualization product manager for Backup Exec.
  • me, Mahmoud Magdy

In this white paper, published at Symantec here http://ow.ly/kOQBJ , we bring you the top points to consider, key factors and top issues to identify when backing up and restoring virtual machines. We will also hold a Google Hangout session discussing those elements in detail.

So stay tuned, follow us on Twitter, LinkedIn and Facebook, and we wish you all happy backups and successful restores.

Boosting your career and knowledge in Active Directory

April 25, 2013 4 comments

For a while I have been thinking about helping others build TRUE knowledge and skills; I have seen a lot of guys roaming around with no clue how to build true knowledge about IT infrastructure in general.

In this blog series, I will list recommended reading for several technologies and components and how you can build knowledge around them. Of course, hands-on work and time will give you the required experience, but these recommendations will help you stop the no-clue auto-pilot mode.

I will start with AD. Please note the following:

  • You might have different opinions about the readings; again, these are my recommendations.
  • I have read the list below, so when I compiled it I wanted to keep it short for you instead of including useless stuff.
  • You will still need to build hands-on experience.

So let us start with the Active Directory reading list:

Active Directory branch office deployment guide for 2003 http://www.microsoft.com/en-us/download/details.aspx?id=5838
Windows Server 2003 Design Kit http://www.microsoft.com/en-us/download/details.aspx?id=3299
Active Directory post-graduate readings http://blogs.technet.com/b/askds/archive/2010/07/27/post-graduate-ad-studies.aspx
I recommend reading about replication topology, Kerberos, DFSR, DFS replication, and logon and authentication technologies.
Active Directory: Designing and Deploying http://www.amazon.com/Active-Directory-Designing-Deploying-Running/dp/1449320023/ref=sr_1_1?s=books&ie=UTF8&qid=1366872876&sr=1-1&keywords=active+directory
Active Directory Cookbook http://www.amazon.com/Active-Directory-Cookbook-Laura-Hunter/dp/0596521103/ref=sr_1_5?s=books&ie=UTF8&qid=1366872876&sr=1-5&keywords=active+directory
Active Directory Field Guide http://www.amazon.com/Active-Directory-Field-Guide-Hunter/dp/1590594924/ref=sr_1_19?s=books&ie=UTF8&qid=1366872919&sr=1-19&keywords=active+directory
Active Directory MCM reading list http://www.dynamicevents.com/MCM/MCM_Windows2008-Directory_Pre-reading_v5.pdf
AD site coverage/DNS, etc. http://etutorials.org/Server+Administration/Active+Directory.+Windows+server+2003+Windows+2000/Chapter+11.+Site+Topology/Recipe+11.19+Disabling+Automatic+Site+Coverage+for+a+Domain+Controller/

Some reads:

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/06/24/domain-controller-stickiness-prevention.aspx

http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx

http://blogs.dirteam.com/blogs/paulbergson/archive/2013/01/02/preventing-spoke-dc-s-from-advertising-in-the-hub-site-for-authentication-availability.aspx

http://jorgequestforknowledge.wordpress.com/category/active-directory-domain-services-adds/dc-locator/

http://jorgequestforknowledge.wordpress.com/2007/06/30/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-1/

This list will be updated on a regular basis to reflect the most recent interesting reads. I wish you all a successful career in AD.

Announcement: Exchange 2013 SP1 will support running from removable media such as “flash drives”

April 1, 2013 2 comments

Through a trusted resource in the product group, we got the information that SP1 of Exchange 2013 will support running from removable media such as flash drives, DVD drives and Blu-ray disks. This will allow greater flexibility and decouples the software layer from the hardware layer, allowing Exchange to be delivered as a remote application over a Terminal Services session or run as a portable app on Linux machines.

What great news, can’t wait for service pack 1….


Using Redirect with OWA breaks RSA SecurID authentication

March 10, 2013 Leave a comment

The use of an OWA redirect rule is very common now; this has been outlined in several blog posts, the best and the original being Brian’s post here http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/

However, care must be taken when configuring the above rules, especially when you are going to use RSA SecurID authentication: the above configuration will prevent OWA clients from accessing the WebID virtual directory, and the browser will stop at the path OWA/WebID/IISWebAgentIF.dll with a blank page.

To solve this issue, you will need to stop the redirect and use another method (maybe a Java redirect script), because you will not be able to use RSA SecurID with the redirect.

Other notes to consider when configuring OWA with RSA SecurID:

  • Make sure to follow the steps outlined in the WebAgent_IIS.pdf document.
  • Make sure to configure the RSA application pool with an admin account (this is mentioned in the document but can easily be overlooked).
  • Make sure the securid file is created (install the Windows Agent and do a test authentication). The documentation instructs you to download the RSA SDK, use agent_nsload.exe and convert the file to the web agent format; this is not correct, just copy the file from the authdata folder to the web agent installation directory.

You receive “Authentication Method Failed” on the RSA Authentication Monitor and an “authentication failed” error message on the RSA Security Center

March 10, 2013 Leave a comment

Consider the following scenario: you installed the RSA Windows agent and added the agent, but when you test the login you receive “Authentication Method Failed”.

You are using the correct passcode or SecurID code, so what is the issue?

Solution:

The issue happens because you are using a server that is multihomed. When you create the agent you specify the IP that will be used by that agent, but the agent might use an incorrect IP, even though in real-time reporting you will see the agent IP presented correctly.

To overcome this issue, RSA has KB a37416 that specifies the solution; you can read it on the RSA knowledge base, and if you don’t have access:

- Configure IP override from the advanced settings in the RSA Security Center; make sure to specify an IP override that uses the same IP configured in the agent settings on the Security Console.

A simple, but tricky, issue.


Configuring Citrix Web Interface with RSA SecurID: notes from the field

March 7, 2013 Leave a comment

Configuring your Web Interface to work with RSA SecurID can be troublesome; I spent 2 days trying to figure out how to make it work. Here are the configuration steps:

Follow the steps mentioned in this CTX article: http://support.citrix.com/article/CTX126843

BUT, as usual there is a trick: completing the above configuration alone will not work, and you will get the following error:

There was a problem with the RSA SecurID ACE/Agent. Check that the ACE/Agent is installed correctly and that the path to the file aceclnt.dll has been added to the PATH environment variable.

To solve this problem, follow these steps:

- Make sure to install the RSA Web Agent; the Web Agent must be installed as it adds some keys to applicationhost.config that are needed by IIS.

- Configure the Web Interface not to send the domain name: from Explicit authentication, Properties, Explicit/Two-Factor Authentication, uncheck (Send Domain and username to ACE/Server).

Some additional troubleshooting steps are here (like the PATH and secret key reset):

http://support.citrix.com/article/CTX125097
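As an added diagnostic for the aceclnt.dll error quoted above (this script is not from the post, nor from Citrix or RSA), the following PowerShell checks whether aceclnt.dll is reachable from the Machine-scope PATH that IIS worker processes inherit, and if not, looks for where the agent installer put it. It assumes only the DLL name quoted in the error message; no install folder is assumed.

```powershell
# Added diagnostic, not part of the post or of the Citrix/RSA documentation.
# Checks whether aceclnt.dll (the file named in the Web Interface error) is
# reachable from the Machine-scope PATH, which is the PATH that IIS worker
# processes inherit; the interactive user's PATH is irrelevant to w3wp.exe.
# Assumption: only the DLL name from the error text; no install folder assumed.

function Test-AceClientOnPath {
    [CmdletBinding()]
    param([string]$DllName = 'aceclnt.dll')

    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $dirs = $machinePath -split ';' | Where-Object { $_ -and $_.Trim() }

    # Every PATH directory that actually contains the DLL.
    $onPath = foreach ($d in $dirs) {
        $candidate = Join-Path $d.Trim() $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { $candidate }
    }

    # If PATH does not resolve it, locate the copy the agent installer dropped
    # so the admin knows which folder to add.
    $onDisk = @()
    if (-not $onPath) {
        $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
        $onDisk = foreach ($root in $roots) {
            Get-ChildItem -Path $root -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
        }
    }

    $advice = if ($onPath) {
        'Found on Machine PATH. If the error persists, run iisreset: a running w3wp.exe does not see PATH edits made after it started.'
    } elseif ($onDisk) {
        "Not on Machine PATH. Add the folder of: $($onDisk -join ', ') to the Machine PATH, then run iisreset."
    } else {
        'DLL not found under Program Files; the RSA agent is probably not installed on this host.'
    }

    [pscustomobject]@{
        DllName     = $DllName
        FoundOnPath = [bool]$onPath
        PathHits    = @($onPath)
        DiskHits    = @($onDisk)
        Advice      = $advice
    }
}

Test-AceClientOnPath | Format-List
```

Run it in an elevated PowerShell on the Web Interface server; the Advice field tells you whether the fix is a PATH edit, an IIS restart, or a missing agent install.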
