Data Center is our focus

We help to build, access and manage your datacenter and server rooms

Structure Cabling

We help structure your cabling, Fiber Optic, UTP, STP and Electrical.

Get ready to the #Cloud

Start your Hyper Converged Infrastructure.

Monitor your infrastructures

Monitor your hardware, software, network (ITOM), maintain your ITSM service .

Our Great People

Great team to support happy customers.

Friday, March 28, 2014

Proteksi data Anda di Cloud



Data Protection In The Cloud: The Basics

What is data protection in the cloud? This isn't an easy question to answer, since it comes in various forms and the tools and technologies for data protection are extremely numerous and can be used in different combinations. From IT’s perspective, a large number of choices can make cloud more difficult than traditional schemas. Still, we can cut the Gordian knot of cloud complexity with three steps that will help guide further exploration of data protection.
First, we need to understand in general what data protection models the cloud might solve. Second, we need to understand that big decisions related to the cloud and data protection include what is managed internally and what is managed by a third party. Third, we need a rough basis for putting together an inventory that an organization can consider when moving to the cloud. We can then use this foundation as a basis for future discussion of data protection in the cloud.
Data Protection Processes
Backup, recovery, business continuity (BC), and disaster recovery (DR), are among the issues that are bandied around in discussions involving data protection, as are other terms, such as combined BC/DR and high availability (HA). Keep in mind that definitions matter. If you and a vendor define issues and processes differently, what you get may not be what you want or need.
Backup is easiest and the most familiar process for most situations. A backup is a data protection copy of data derived from the production copy (which is the official working copy of the data). A backup copy is used to recover data needed to restart an application correctly.
Disaster recovery (DR) is the recovery of the entire relevant IT infrastructure at a remote (i.e., secondary) site after a primary (i.e., production) site has become unavailable for an unacceptable period of time. Yes, the data is important, but so is the recovery of servers and their applications, as well as any required networking capabilities.
Business continuity (BC) is about both operational recovery (OR) and disaster recovery (DR). Operational recovery pertains to recovery from a specific problem at a primary site, such as a server, application, or disk failure. It may be absolutely critical, but requires a fire drill response as opposed to invoking (often with an official declaration of disaster) widespread disaster relief that affects all applications.
Very few recovery events are caused specifically by a disaster (thank heavens!). Instead, most are operational recoveries. While some of the DR infrastructure may be helpful in some cases for providing operational recovery, simply being able to recover data from a backup in the cloud may be all that is necessary.
Cloud Definitions And Data Protection
The National Institute of Standards and Technology (NIST) defines public cloud computing as cloud infrastructure provisioned for open use by the general public, existing on the premises of the cloud provider. In contrast, NIST defines private cloud as cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). "It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises," according to NIST.
Consider this definition in relation to data protection and a third party’s key role in providing a service, such as backup-as-a-service (BaaS), recovery-as-a-service (RaaS), or disaster recovery-as-a-service (DRaaS), even if no such label is used. That role implies a level of trust in a service provider that must be in place from the very beginning of a cloud engagement.
[Find out what questions to ask when evaluating cloud providers in"Avoid Cloud Storage Disasters: 6 Questions To Ask."]
If an organization builds and hosts its own private cloud without service provider help, that is commendable, but isn't very different from traditional implementations. Now, some vendors, such as backup/recovery vendors, have products that can work across traditional, private, and public infrastructures, but our focus of data protection in the cloud will focus on services provided by third parties. Keep in mind that the roles of the organization and a third party are not decoupled in a private cloud.
A term called “managed private cloud” solves this problem. A managed private cloud is where a service provider supports specific services in a cloud for each organization individually. This is in contrast to multi-tenancy, where a public cloud provides isolated access to the same pool of infrastructure to multiple organizations.
First Steps
Let’s say that an enterprise wants to consider what to do with cloud services. First, IT has to make an inventory of all workloads. What workloads are run in-house? Of those workloads, are any candidates for traditional outsourcing or moving to a cloud? If they move, their BC/DR requirements would move with them. If they do not move, what functions for backup, DR, and BC need to be performed for each application?
Rudyard Kipling classically memorialized the five W's of journalism (who, what, when, where and why) as six "serving men" in a poem (with the addition of how), but we can use this model for this non-journalistic purpose. Take each workload and fill in the six related blanks; keep in mind this is just a starter for inquiry and not a full methodology:
Filling out the table for each workload provides you with a rough understanding of what you need and helps put you in the driver’s seat when dealing with vendors. They can have a good story, but unless you know what you want, you may become mesmerized by what they say.
Mesabi Musings
The cloud is, of course, a hot topic in the IT world. But to figure out how data protection fits in the cloud, we have to distinguish among backup, disaster recovery, and business continuity and the parts or functions of the business they relate to. Otherwise, the terms can be bandied about to create confusion and unnecessary complexity.
Then we have to understand that data protection in the cloud is a service provided by a third party, through either a managed private cloud or a public cloud. Finally, we need a general understanding of whether the data protection requirements for each workload might fit in the cloud. That way, each organization has enough to get started in evaluating alternatives for data protection in the cloud. This is only a start towards understanding data protection in the cloud, but it should be enough to get you on your way.

SNMP sebagai standard Network Management


SNMP officially stands for is Simple Network Management Protocol — you may have seen it on a configuration screen for an IP camera or other security device and wondered what it was used for. It really is a pretty useful protocol, and security professionals like Ray Coulombe and Sal D’Agostino think it is time the industry did something with it.
Coulombe, founder and managing director of SecuritySpecifiers.com, explains that SNMP is not new. In fact, it has been around for 25 years. It was originally intended to be replaced by other architectures, but, instead, has evolved in its own right and achieved broad acceptance. Working in conjunction with a range of network monitoring packages, such as HP’s Open View, WhatsUpGold by Ipswitch, and Network Vision’s IntraVue, SNMP can provide a command center or a technician important system information, out of limit or alarm conditions, or the ability to update device parameters. Many security devices support SNMP, but it is rarely used, and when it is, that’s usually done by the same manufacturer’s software or diagnostics.
Now, with the support of the Security Industry Association’s Standards Committee, the security industry is looking for provide integrators, A&Es and end users a roadmap related to SNMP usage and implementation. The SIA SNMP subcommittee is inviting security industry vendors to attend its next meeting at ISC West. The meeting will be held on Thursday, April 3, from 1:30 - 3:00 PM in Sands Expo Room 507.
According to Coulombe, the SIA SNMP subcommittee chairman, “this effort seeks to bring together under one umbrella all of the collective knowledge we can muster in order to allow the security industry to make its devices function with network management software via a protocol that has been in the IT industry for 15 years.”
“End-users, manufacturers and system integrators on the SNMP subcommittee are leveraging internet standards to develop a common means of monitoring physical security devices.  As is the case with applications programming interfaces (APIs) most companies have developed proprietary approaches,” says D’Agostino, CEO of IDmachines and co-chair of the SNMP subcommittee.  “The good thing about what the SNMP subcommittee is doing is that it leaves these intact.  What we are trying to do is to get to a first set of non-proprietary data elements common across vendors of a given physical security device type.  This is an important step forward from the legacy proprietary to open interfaces and it opens up a wide range of services that can be provided.”
Currently, many manufacturers offer varied functionality under the Simple Network Management Protocol (SNMP) through agents called MIB’s (MIB stands for Management Information Base), embedded in their devices. However, across the industry, there has been little “rhyme nor reason” to what’s being monitored or managed in those devices, says Coulombe, resulting in ”missed opportunities to leverage IT protocols and, more importantly, to better serve customers.”
Rodney Thayer, an industry consultant and subcommittee member, further explains that, “the use of standards-based network management provides a valuable addition to the set of tools one can use to manage a modern converged security infrastructure.  It benefits customers and their vendor supply chain through enhanced visibility of the infrastructure and assisting to provide more proactive maintenance.  It will help position physical security solutions to address evolving customer needs, which are including more and more IT-centric requirements.”

In the September issue of Security Technology Executive, Coulombe’s Tech Trends column addressed the SNMP issue
 
SNMP is based on a model consisting of a manager, an agent, and a database of management information, managed objects and the network protocol. The manager provides the interface between the human network manager and the management system. The agent provides the interface between the manager and the physical device(s) being managed. The information to be accessed is stored in a specified format in the device database, known as a Management Information Base (MIB), used by both the manager and the agent.
MIBs contain the parameters to be collected for reporting, captured for notifications or configured by the corresponding management software. Basic commands are “gets” to retrieve desired information, “traps” to trigger alarm or condition notifications, and “sets” for configuration and control. There are three common revision levels, or versions, of SNMP - v1, v2c, and v3. Each succeeding version provided more functionality and, importantly, more security.
Version 2c uses log in information known as Community Read and Write strings, analogous to passwords and requiring change from default values. Information, including configuration commands, is sent in the clear. Version 3 provides for far better security and privacy through authentication (using MD5 or SHA hash) and DES or AES encryption. This becomes particularly important if the managed device has been configured to allow system variables to be remotely set — another avenue for a hacker to gain control of IP camera settings.
Impact on the Security Market
In our industry, there are tens or hundreds of vendors, each with their own unique set of MIBs and only discoverable by software packages that have been configured to look for them. Predictably, their usage is sparse.

So what’s an industry to do? Enter the Standards Committee of the Security Industry Association (SIA), which has recently approved an effort to develop an industry set of standard MIBs. This means that vendors from across the industry will get together to decide those conditions which merit monitoring, capturing or configuring. The kinds of conditions could include such things as loss of video, intensity of video compression, excessively high access card retries, over-current, under voltage, hard disk drive utilization, excessive temperature, loss of pressure and more.
By having a solid set of conditions for which MIBs are defined, it is far more likely that third-party monitoring software will supervise the network and attached security devices. Such software may have the ability to discover devices, identify linkages between them, name devices, examine their status and history, provision IP addresses and reconfigure them
.

Sollarwinds sebagai Product of the Year



SolarWinds Products Garner Global Recognition From IT Pro Community and Industry Experts

SolarWinds Named "Software Product of the Year," "Best Risk/Policy Management Solution," "Virtualization Management and Optimization Editor's Choice," and More

AUSTIN, TX, Mar 27, 2014 (Marketwired via COMTEX) -- SolarWinds SWI -2.59% , a leading provider of powerful and affordable IT management software, today announced its IT management products across network, security, virtualization, remote IT administration and help desk services have received accolades from leading IT publications, organizations and their associated communities. Among those honoring SolarWinds are Network Computing Magazine, SC Magazine, Virtualization Review, Windows Networking, Virtualization Admin, IT Europa and Ed Tech Digest.
"For more than 15 years, SolarWinds' mission has been to deliver purpose-built products that help simplify the complexity of monitoring, analyzing and resolving real world challenges IT Pros face on a daily basis and as their needs evolve, be their trusted partner regardless of budget restrictions, time constraints or vendor integration parameters," said Suaad Sait, executive vice president, products and markets, SolarWinds. "To have our products recognized by both industry experts and the IT community for excellence across networks, systems and application is continued reinforcement that working closely with and listening to our user-community thwack to design the products they want and need is the right approach."
Network Management Network Computing Magazine, a U.K. publication, named SolarWinds Network Performance Monitor (NPM) "Software Product of the Year" and also recognized it as runner-up for "Network Management Product of the Year" in March.
Additionally in March, SolarWinds NPM won for Networking Solution in the EdTech Digest Awards, recognizing outstanding contributions in transforming education through technology.
In February, SolarWinds NPM was named first-runner up by the Windows Networking community in the Readers' Choice Network Monitoring Award category.
Finally, SolarWinds NPM was named a finalist for Networking Solution of the Year in the IT Europa European IT & Software Excellence Awards, the only pan-European awards that recognize real-world solutions. The winners will be announced in late March.
Security Management The 2014 SC Awards U.S., announced in February, included 650 nominations in 31 categories that focus on products and services affecting IT security. SolarWinds Network Configuration Manager was honored to win in the "Best Risk/Policy Management Solution" category for the second year in a row, and SolarWinds Log & Event Manager received a finalist distinction in the "Best Security Information and Event Management (SIEM) Solution" category.
Virtualization Management In January, SolarWinds Virtualization Manager was named Editor's Choice for Virtualization Management and Optimization by Virtualization Review and voted second runner-up by Virtualization Admin's community in the Readers' Choice Awards for Monitoring, Management & Performance.
In March, SolarWinds Virtualization Manager picked up the finalist recognition in the Virtualization Solution category in the EdTech Digest Awards.
Remote IT and Help Desk Management The Windows Networking community recently voted and named SolarWinds Web Help Desk the best Help Desk solution in December 2013 and SolarWinds DameWare Remote Support the first runner-up for Remote Control in January for their Readers' Choice Award categories.
For more information on SolarWinds' IT Management products, including downloadable, free 30-day evaluations, visit the SolarWinds website or call 866.530.8100.
About SolarWinds SolarWinds SWI -2.59% provides powerful and affordable IT management software to customers worldwide from Fortune 500 enterprises to small businesses. In all of our market areas, our approach is consistent. We focus exclusively on IT Pros and strive to eliminate the complexity that they have been forced to accept from traditional enterprise software vendors. SolarWinds delivers on this commitment with unexpected simplicity through products that are easy to find, buy, use and maintain while providing the power to address any IT management problem on any scale. Our solutions are rooted in our deep connection to our user base, which interacts in our online community, thwack, to solve problems, share technology and best practices, and directly participate in our product development process. Learn more today athttp://www.solarwinds.com/ .
SolarWinds, SolarWinds.com and thwack are registered trademarks of SolarWinds. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Monday, March 24, 2014

Gunakan ISO 17799 utk amankan akses partner / service provider Anda



ISO 17799: A methodical approach to partner and service provider security management
http://cdn.ttgtmedia.com/images/spacer.gif
http://cdn.ttgtmedia.com/images/spacer.gif
http://cdn.ttgtmedia.com/images/spacer.gif
This tip is part of Ensuring compliance across the extended enterprise, a lesson in SearchSecurity.com's Compliance School. Visit the Ensuring compliance across the extended enterprise lesson page for additional learning resources.
These days, it is fairly common for a company to outsource customer-facing services or allow another organization to handle data processing and even security monitoring and management. Outsourcing allows companies to provide a wider range of services, reduce cost and focus on other tasks that will strengthen the business.
http://cdn.ttgtmedia.com/images/spacer.gif

http://cdn.ttgtmedia.com/images/spacer.gif
http://cdn.ttgtmedia.com/images/spacer.gif
Every time an organization trusts another business entity to handle sensitive information or manage critical infrastructure, however, there are risks. Worse yet, many companies do not realize that failing to closely examine their prospective partners' security practices can lead to compromise. Organizations that are bound by regulations like HIPAA, Gramm-Leach-Bliley (GLBA) andSarbanes-Oxley (SOX) may pay an even steeper price, as these regulations explicitly require organizations to manage the risk associated with service providers.
Fortunately, enterprises can curtail partner or service provider security issues by taking a methodical approach to assessing and managing the risks. That means coming to terms with the risks and the costs of creating and maintaining these partnerships. One such approach is a partner management program based on the ISO 17799 standard.
A standards-based methodology
By definition, ISO 17799 is a "code of practice for security information management." In other words, it is a laundry list of best security practices that apply to a broad range of business environments. The standard covers areas including risk assessment, security policy, governance, access control, information classification, operations management and business continuity.
A partner management program based on the ISO standard consists of three phases:
·         Inherent risk assessment – A review of how much damage could be done to a partner if information or services were compromised and there were no security controls. In other words, how bad would it be if the partner was compromised? A partner, for example, may hold critical and sensitive customer information, like credit card numbers or social security numbers. If such data is compromised, a company's reputation could be ruined. That would constitute a critical inherent risk and call for a deeper evaluation.
·         Partner practice assessment – An examination of the partner to a depth commensurate with the inherent risk. For critical partnerships that demand an in-depth review, many organizations use ISO 17799. The assessment consists of a walk-through of the standard, where the partner's practices are compared to those described in ISO 17799's 133 subsections. Each of ISO 17799's major areas (including risk assessment, security policy, access control, communications and operations, physical security, and business continuity) has subsections which review best management practices. 

When addressing communications and operations management, for example, the assessment walks through the administrative practices for the service provider's production environment, covering the distribution of responsibilities, the documentation of procedures, and critical control components like change control and patch management. While such an evaluation may sound straightforward, each one of the sections requires managers to carefully consider how the standard should be applied to their given business, organizational, and technical contexts. A reasonable practice for a small company where every employee knows each other, for example, may be less acceptable in large multinational organizations, and decisions must be made accordingly.
 

The ISO standard can also be useful in reviewing partners that provide less critical services. The standard can be used to construct a questionnaire that gathers data and assesses how well an organization and its many departments can manage the security of another company's information. Some questions that would likely appear in a questionnaire are:
·         Does your organization utilize network controls to segregate the corporate and production networks?
·         What mechanisms are used to ensure that only authorized application users are allowed access to data managed by the service?
·         How often are backups of the service data executed?
·         Has a documented incident response plan been put in place? How often does the production staff practice the plan?
·         Has your organization had a security incident?
·         Remediation, monitoring and periodic assessments – After a partnership is established, the work is just beginning. Any important weaknesses that are discovered should be remediated according to an agreed-upon timeline. Furthermore, the initial assessment should be used as a baseline against which future analyses can be compared. Service providers should be revisited at least once a year to determine whether anything about their environments, designs or practices has changed for the worse. Using an ISO 17799-based report card makes it possible to compare a partner's progress with the results and assessments of other partners. The accumulation of information can help establish minimum requirements for all service providers.
ISO 17799 as a common framework
While most service providers bristle at the idea of yet another security review, particularly one that goes to the depth that an ISO 17799 review calls for, most can appreciate the fact that the ISO standard provides a set list of requirements.
One of the most problematic aspects of partner reviews is their ad hoc nature. Service providers are essentially asked to play by a different set of rules for each review they face. By agreeing on ISO 17799, service providers and consumers can substantially reduce the cost of preparations and make reviews much more efficient. The result is better communication, better documentation and faster consummation of service agreements.

About the author:
Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, virtual private networks, enterprise-wide authentication, and intrusion detection and analysis. He also has unmatched expertise in the OSF Distributed Computing Environment. Prior to joining SystemExperts, Mr. Mackey was the director of collaborative development for The Open Group (the merger of the Open Software Foundation and X/Open) where he was responsible for the integration of Microsoft's ActiveX Core with DCE and DCE Release 1.2. Mr. Mackey is an original member of the DCE Request For Technology technical evaluation team and was responsible for the architecture and defining the contents of DCE Releases 1.1 and 1.2. He has been a frequent speaker at major conferences and has taught numerous tutorials on developing secure distributed applications.