Category Archives: Security

  • -

Disaster Recovery that won’t break the bank

Tags : 

Let’s face it, unexpected outages are the biggest cost you’ll never expect to pay. According to the Consulting group Gartner, only 35% of small to medium sized businesses have a disaster recovery plan of any type. This is a staggering statistic considering the cost of downtime is averaged at $84,000$90,000 per hour for SMB and a whopping $1.25b – $2.5b for large businesses. These statistics are not hard to find. Anyone who reads the latest trade mags can find this data online or in publication.

With these kinds of numbers facing businesses, how does an SMB leader overcome it?

The answer is face it, don’t avoid it. There is some good news however.

New innovations combining Shadow Copy, Virtualization and Cloud allow for some decently priced solutions that add resiliency from disaster and scale with business growth.

By combining your backup and DR, your business can create a comprehensive recovery system that will help protect you from outages due to virus attacks, data corruption, hardware failure and even full site failure. Companies that specialize in these solutions will install an appliance at your location that acts as the backup and DR device. The device starts by creating virtual image of your servers. In the event of an outage, that virtual image can be activated allowing a temporary virtual server to run from the DR appliance independent of the original server. Through snapshot technologies, changes in data at the block level are captured and applied to that virtual image. This allows you to stand up that virtual machine as it was at any give time within the backup frequency. These snapshots can be taken every 5 minutes or every day depending on the amount of data you can afford to lose.

This acts as revision control and near real-time backup.

What if the DR appliance fails? Well, that’s were the Cloud comes in. The DR providers configure their appliances to trickle feed the backup data to their data centers over a secure connection. Typically a VPN or private line is established in advance to a segmented part of the providers network which allows fast, secure off-site transmission of your backup data and also the ability to stand up the virtual recovery server in the Cloud. This allows you to resume operations from anywhere in the world.

If the device fails for some reason, the provider already has the data and will ship a replacement appliance overnight that is pre-configured and has all your data on it.

This may sound like an expensive solution, but it’s surprisingly affordable. A typical cost for a solution like this for a 250GB server is around $400-$800 per month. That’s less expensive than the cost of a tape drive with support, Enterprise backup software with support, loads of expensive tapes, someone’s labor to validate and test backups regularly and a secure way to transfer the offsite. Not to mention the extra DR capability you gain. Also, snapshot technologies have no restrictions by application type, file locks or file in use so the backups are much more reliable.

Combining your Backup and Disaster Recovery in this way can save you a lot of money and productivity loss from downtime. Any businesses that are still using tape backups or considering the cost of replicating their entire environment to a remote location (thereby doubling their capital costs) should consider a solution like this.

CBC Solutions is a holistic consulting company whose mission is to help businesses reduce risk and manage costs. We do this by assessing your environment with our expert team of IT veterans, then aligning best in breed providers from our extensive partner network with your business goals.

Contact CBC Solutions today to see how we can help!

CBC Solutions

  • -

5 Points about data storage you should be thinking about

Tags : 

For a business owner, managing storage is probably not on the top of your radar. However there are big consequences to neglecting this task.

You should be aware of your storage management policies regardless of whether you store data onsite or in the cloud. Even if you sub out your storage management to a third party, in fact especially then.

Not managing storage can result in higher than normal costs, delayed response from your business as people spend time searching for information. Poor data management can also put you at risk from security threats as well as compliance and legal issues.

1. Storage is expensive

This may sound counter-intuitive if you’ve always heard the mantra that “storage is cheap”. The fact is, Hard Drives and Storage Media is cheap, storage is Expensive.

Costs of storing data may look inexpensive with vendors practically giving storage away these days, but the management of that data is where the hidden costs are.

Backing up, restoring, searching for data, verifying it’s authenticity, managing permissions and even moving the data to a new provider in the future add huge costs to the organization.

2. Data integrity is extremely important

Documentation that isn’t accurate can often be worse than no documentation at all. Either way, it’s never better.

If you can’t verify that stored documents are the latest version and up to date with changing situations, you could be spending more time verifying the information than you would rewriting it.

When financial or legal documentation is incorrect, it could result in poor financial calculations, compliance violations and additional legal trouble.

3. Data retention is a balancing act

Every organization should have a data retention policy. Without it, documents pile up until they are completely unmanageable. A data retention policy instructs team members on when and how to archive and delete data.

However, there’s another point to be made here.

The lack of a documented retention policy can get you into trouble in other ways. For example. I worked for a company once that was named in a lawsuit. The lawsuit wasn’t about them, but the case demanded that they retrieve documents from 10+ years ago. This became a very time consuming task for the company and put a strain on Legal, Sales and IT departments that had to put off or delay other operations in order to respond properly.

If that company had a documented 7 year retention policy, they would have been able to avoid all that.

Likewise, data retention policies that are two short can cause compliance and legal issues as well. Hence, it’s a balancing act.

4. There are compliances your company needs to follow

Most people know that financial documents should be retained for 7 years, but there are other compliances to consider as well.

If your company is required to meet HIPAA, SOX, ISO, SSAE or PCI standards, you could be non-compliant if your retention policy isn’t properly aligned.

Since these compliances usually pertain to a specific type of data, it must be handled properly. Access may need to be controlled tighter than you’re aware.

5. Not all information is equal

Stored information should be prioritized on two levels. First, there should be a security hierarchy to how data is managed. Team members should be allowed the minimal permissions to the documents they need. Secondly, heavily critical data should be stored in the most reliable and fastest media, while less critical data can be archived to less expensive and even slower media.

With these points in mind, you should be able to work with your technology staff and/or providers to develop a comprehensive storage management plan. This plan should encompass the classification, organization, security and retention of each document type.

Using Document Libraries, Folders, Groups and Metadata, documents can be organized in a logical way so that they’re easy to find and secure. Version controls allow you to track and store multiple versions of critical documents without having to double up your storage.

There are many tools available to help you manage storage efficiently today. Using these tools wisely can help you save money, increase business efficiency, and avoid legal issues in the long run.


CBC Solutions is a Trusted Advisor of IT strategy and technology procurement. We can help design an efficient storage management policy as well position you will some of the best solutions and providers in the industry. Call now for a free consultation to help us save you time and money!


CBC Solutions
Trusted Procurement Advisors
Internet • Voice • Cloud
(619) 784-5211

  • -

EMV chips bring new regulations for Merchants

Tags : 

While many end-users have been receiving new credit and debit cards implanted with the new EMV chip, merchants have been forced to update their systems to take advantage of the new chip technology. Here’s thing most merchants don’t know: new regulations that go into effect on Oct. 1st 2015 could shift the liability for credit card fraud to the merchant. For example, Home Depot went through a fraud debacle in 2014. In that case, customers and banks carried the majority of the liability. If that same event happens after Oct 1st 2015, the merchant could carry all the liability if they are not fully EMV compliant.

Does the EMV chip technology really help?

The way that the EMV technology works, is that when you insert your card into an EMV aware system, the chip generates a one-time access pin through a process known as tokenization. That pin is used to create and maintain the encrypted transaction. The card must stay in the machine throughout the transaction to keep the encrypted session in tact. In this way, the chip improves security and thus reduces the chance of fraud.

If the vendor of my merchant systems says they’re compliant, does that mean I don’t have to worry?

Not really. The vendor can only guarantee compliance for their own equipment. However, PCI-DSS compliance applies to the entire network that the credit card processing equipment is connected to. In other words, if you plug a fully PCI compliant device into your main network, the entire network needs to be compliant as well. Vendors may say you’re compliant but if they’re not giving you a written guarantee, be cautious of assuming you can stop there.

What about ‘card not present’ situations such as online transactions or pay by phone?

Card not present solutions are not required to abide by the EMV requirement.

What is PCI compliance and do I need it?

All merchants that accept credit cards must be compliant with the Payment Card Industry Data Security Standards (PCI-DSS). Businesses who are found to be non-compliant could be fined as much as $100,000 a month! The cost of fraud is event higher than that.

How can I be sure I’m compliant?

There are companies out there who can help you become compliant, assess your network on a regular basis and even insure you up to $100,000. Contact us to learn more. We can help.

CBC Solutions
Trusted Procurement Advisors
(619) 784-5211

  • -

Analyzing risk in a tech-enabled business

Tags : 

Businesses today have to manage a lot of risk. When it comes to technology, the risks are vast and can be difficult to calculate. The effectiveness of a security or disaster recovery solution can be especially hard to calculate. How do you know if you have enough redundancy and tight enough security controls to keep your business safe? Until something happens, you really don’t know. And then when it does, of course, it’s too late.

There are several ways to manage risk when it comes to technology. A security professional can perform a risk analysis to help you to determine your risk threshold, or the balance between mitigation and acceptance. This is also referred to as risk ‘appetite’ or ‘tolerance’.

Risk Avoidance – Often the risk to too great and it’s best to hold off on the solution until the risk can be mitigated. The risk analysis will tell you if you should avoid the solution or mitigate the risk.

Risk Acceptance – Sometimes, a risk is accepted and the organization decides to roll the dice and hope nothing happens. Again, this is not always a bad decision, the risk analysis will help you determine that. You’ll need to review your risk threshold and the mitigation costs so you don’t create more vulnerability than you’re comfortable with.

Risk Mitigation – Anytime a risk assessment is performed, mitigation costs should accompany it. The cost of mitigation should be considered anytime a vulnerability is discovered.

Risk Transference – One of the better benefits of Cloud Computing and Managed Services is that it often allows you to transfer the risk to another party. The feasibility of this boils down to the contract. There should be a Service Level Agreement (SLA) in place that indicates where the provider’s responsibility begins and ends and where their liability ends. This will help you to uncover how much risk has been transferred to the other party and how much you should still be worried about.

Qualitative vs Quantitative Risk Assessment

Information security professionals will generally perform risk assessments as either one of these. A Qualitative Risk Assessment is a more general version where risks and vulnerabilities are qualified as high, medium and low risk. There isn’t a lot of numbers involved in a Qualitative Risk Assessment. It’s more of a lower cost solution to help you define your current posture.

For a detailed risk assessment where dollar amounts are assigned to each component, consider a Quantitative Risk Assessment. In this type of assessment, risks are calculated down to a specific number. There is a lot of math that goes into this so it can be a rather expensive task. Security professionals will calculate the following factors:

Single Loss Expectancy (SLE) – is the cost a single incident will cost if it occurs

Annual Rate of Occurance (ARO) – how many times an asset was lost due to the risk

Annualized Loss Expectancy (ALE) – annual anticipated loss due to the risk; this is calculated by multiplying the SLE by the ARO

Exposure Factor – a number calculated by how much loss could incur. For example if it’s determined that a building would burn halfway through on average if it catches on fire, the exposure factor would be 0.5 or 50%

Safeguard Value – this equates to how much you’re willing to spend to mitigate a specific risk

There are several formulas used to calculate the values above and define a risk tolerance. I won’t go into all of them since that’s a book all on its own. If you’re dying of curiosity, you can read all 495 pages of The Security Risk Assessment Handbook. For now, just know that there are two different kinds of risk assessments, and best of all, there are trusted companies to help you perform one. Ideally, every company should at least have a Qualitative Risk Assessment performed.

  • -

5 Questions to ask your Cloud Provider about security

Tags : 

Almost every survey regarding moving an enterprise to the cloud shows “Security” as the top concern by most business leaders. It’s important to note, that the “Cloud” can only be as secure as the provider makes it. Some cloud providers are exemplary at providing a secure network, some are not. The right cloud provider is going to operate their network with a much higher level of security that most enterprises, but it’s not good practice to assume they are doing so. In order to find out how secure you provider is, it’s important to ask the right questions.

 It’s not enough to trust that your data is secure just because your vendor says it is. Read through your contract in detail. It’s also a good idea to get a legal review of the contract, preferably before it’s signed to make sure you know where your liability ends and the providers begins. Your provider should be able to answer these 5 questions

1. Who has access to my data and how is that access managed?
This is important. The provider will always have access to some form of the data. It has to. The question is, does the provider maintain a good security practice around the management of that data and how is access governed withing the providers network?

Good answers to expect: ‘We have limited access by only key individuals, security is managed by a rigorous access control and auditing program’

Possible warning signs: ‘We have no access to your data’; ‘We are not responsible for data security

2. What screening methods are involved in hiring staff members and vendors?
Service providers of every type should have a process to make sure that their staff members and vendors all pass a rigorous security screening which includes background checks to make sure they’re trustworthy.

Good answers to expect: ‘We have a detailed screening process that all employees must pass before they’re able to work here

Possible warning signs: ‘We make sure our employees are trustworthy‘ (without a process to validate it)

3. How can I report a possible security breach and what is the expected response time?
The answer to this question should be very clear. Furthermore, the process should be documented and easily accessible. Your staff members should be able to know what to do in an emergency.

Good answers to expect: Call this number to speak to a support representative immediately

Possible warning signs: ‘Submit a ticket by email or web form, your inquiry will be responded to within one business day

4. Do you have a security policy and is it available to customers?
This is a bit of a trick question. Security policies should be company confidential. If a provider is too willing to give you information about their security practices, that could indicate irresponsibility on their part. They should be able to provide a list of security policies and the table of contents, but not the policy itself. Some providers will be able to even provide certifications based on SSAE, PCI or SOX audits.

Good answers to expect: We have internal, confidential polices, but we can provide limited disclosure on what those policies contain

Possible warning signs: Yes, we can provide you with all our security documents

Even worse answer: We have a policy, but it’s not in writing

5. What security related certifications does your organization own?
There are a lot of security certification out there for solution providers. Sarbanes Oxley is one, SSAE 16 is one that applies to datacenters specifically; there are 3 types, 1, 2 & 3. Having all three means the facility has undergone a very strict audit that happens once a year in order for them to keep their certification.

Free yourself from the worry of technology and get back to running your business today!