Outsource EVERYTHING

This post is a little facetious, but only a little.  The more I look at outsourcing opportunities, the more I believe it's the right answer for so many things.  Whenever you can find somebody who specializes in a task that you need done, why would you want to do it yourself?  OK, I know that's not always right.  Pricing certainly is a factor, but what else?  What are things that should NOT be outsourced?

Need any Barracuda Help?

My Barracuda blog has been pretty silent over the last three years because, frankly, Barracuda Networks has been doing a great job keeping Barracuda’s running well without needing much hands-on work.  However, I know some people still have specific spam, or usage, issues.  If you use a Barracuda Spam Firewall and are in need of some custom rules, I’d love to hear from you about your needs.

Password Guidelines

This is pretty much unrelated to Jason Powell's recent talk, but coincidentally I was working on a password document at about the same time.  This was prepared for a client who agreed to allow for reuse and modification.  What would you add or change?  Looking for “best practices” and practical guidelines to share.  CITRT people, please use if appropriate.  And yes, I already know that Jason's policy was different.  Remember, this is a set of guidelines to be adapted to particular needs.  A recent story in Windows Secrets is also good information on strong passwords.

Why are good passwords important?
It’s an unfortunate fact of life that there are “bad guys” out there who are trying to get you.  It’s possible that someone specifically wants to steal YOUR information or that of your employer.  Or, perhaps someone wants to discredit or embarrass you or your employer.  It’s just as possible that there is someone out there who’s just interested in learning *if* your system can be violated.  Regardless the motive of the bad guys, if they break in, it’s a bad thing.  There is a common misconception around the idea of “I don’t have anything of interest to a bad guy.”  If a hacker gains access to ANY account on a system, that gives a way to use the system’s own power to help gain further access.  Any breech gives a foot in the door for a more targeted attack.  If you have an account, you are a gateway to EVERYTHING stored on the network. 
 
What makes a good password?
There are three primary qualities of a good password:

1. Not easy to machine decode. Hackers have powerful tools that can “guess” passwords with incredible speed and ability. Therefore, good passwords are long and complex
2. Not easy to guess. A good password shouldn’t be easy for a person to guess. Long and complex passwords are best but they should NOT be based on identifiable personal information.
3. Easy to remember. This may be the most counter-intuitive part of a good password. If you have to write your password down, it’s a bad password. A good password is one that you, and only you, can easily remember

Do those three rules make it seem that good passwords would be impossible?  Perhaps, but maybe there are some simple ways to create long, complex passwords that are also easy to remember.
 
Ideas on creating good passwords:
One of the best ways to come up with a long, complex, password is to think in terms of phrases rather than words.  Start with a phrase that’s easy to remember, but is not based on any information obviously identifiable to you.  Find a phrase that includes upper and lower case, numbers, and special characters.  For instance:
My #1 all time favorite movie is Gone With The Wind
Using that entire phrase as your password is great:
My#1alltimefavoritemovieisGoneWithTheWind
(Sometimes it’s hard to NOT type the spaces,  but many systems DO allow for spaces in passwords!)

Another good solution is to pick first letters from a phrase.  Using the above phrase, we might generate (in your head, still) a password of:
M#1atfmiGWTW
That password is almost as easy to remember as the original, reasonably easy to type, yet very difficult to guess or for a program to decode.

Let’s try another:
September 29 is a special day to a friend of mine
As before, we could use the entire phrase, or we could do a quick encoding to come up with
S29iasdtafom
 
Now here’s a special trick that makes passwords better.  Most people, when asked to create a complex password, come up with a word, capitalize it, then add a special character or number to the end.  Orangutan*1 is an example.  Technically, that is an “ok” password.  However, since that’s what most people do, that’s the sort of approach most password cracking programs take to break passwords.  You can be smarter!  Simply turn it around.  #1Orangutan is a far better password (still not great, but incredibly better).  (#1SortOfLikeAGorilla is much better.)
 
A few things to avoid:
There are certainly some things NOT to use when creating passwords.  You can add to this list, then just remember not to do these things.  Easy, right?

• Passwords should never contain your name, your account name, or your company name
• Passwords should never be simple words from the dictionary (note: using multiple words is recommended)
• Passwords should never be made substantially of letter sequences (ABCDE) or number sequences (87654)
• New passwords should not be at all similar to previously used password. (start with an entirely new phrase)
• Don’t use the same password for different purposes. For different accounts, different systems, different websites, use different passwords. It’s easier than you think to be creative and still have unique, memorable, passwords if you think in terms of phrases

Password Policy
Here are the absolute must do and must not do requirements:

• At least 8 characters (more is always better)
• Contains at least 3 of the 4 character types: Upper Case Letters, Lower Case Letters, Numbers, and Special Characters
• Does NOT contain any part of your name or user name
• Must be changed at least every 6 months
• Is NEVER to be given to anyone else. Not your family, not your friends, not your manager – NOBODY!
• Is NEVER to be written down
• YOU are 100% responsible for the security of your account through your own careful use of a quality password
• Any employee found to have violated policy may be subject to disciplinary action, up to and including termination of employment.

 

Just Two Months to Regional Fall CITRT events

Do you have October 27th blocked out on your calendar?  The regional fall CITRT events are two months away, today.  Are you ready?  Keep watching CITRT.org for info.  Atlanta area people, expect an Atlanta.citrt.org page, coming soon (right Ryan?).  Registration for the North Point event should be ready in the next day or two.

Update, 2:30pm: Info is starting to appear here: atlanta.citrt.org

Survey Answers

If you didn't already look at (and take) the Understanding Small Business Survey, start there before you look at the answers below.

Reminder, the ranking is 5 for most important, 1 for least important.  These are the answers according to a survey of more than 100 successful California small business owners.  The survey was conducted by Small Business Success Magazine in January 2003.

What is the Key to Business Success?
5 Business Knowledge
4 Market awareness
3 Hands-on management
2 Sufficient capital
1 Hard work

What is business' greatest trouble spot?
4 Too much growth
3 Too little growth
5 Too fast growth
2 Too slow growth
1 Sporadic growth

Business Plans are:
1 For the birds
2 Nice, but not necessary
3 Something I can do with my accountant
4 Useful and informative
5 Essential - wouldn't do business without them

What is most vital for small business marketing?
5 Word-of-mouth
2 Advertising
3 Signs
4 Location
1 Community Events

What does small business need most?
3 Money
5 Market research
1 Help
2 Time
4 A solid business plan

What make a good entrepreneur?
4 Creativity
3 Discipline
5 Consumer orientation
2 Technical proficiency
1 Flexibility

I'm not proposing that because 100 successful business gave these answers that they necessarily are the right answers, but it's sure interesting.  Once again, I have to ask.  How might this apply to Church IT?

Understanding Small Business Success

At the Business Development Conference I attended back in June, there was a "survey" about the factors behind small business success.  If you're of the entrepreneur mindset, you might want to try it out.

For each grouping, rank the answers with 5 meaning most important and 1 meaning least important.

1. What is the Key to Business Success?
Business Knowledge
Market awareness
Hands-on management
Sufficient capital
Hard work

2. What is business' greatest trouble spot?
Too much growth
Too little growth
Too fast growth
Too slow growth
Sporadic growth

3. Business Plans are:
For the birds
Nice, but not necessary
Something I can do with my accountant
Useful and informative
Essential - wouldn't do business without them

4. What is most vital for small business marketing?
Word-of-mouth
Advertising
Signs
Location
Community Events

5. What does small business need most?
Money
Market research
Help
Time
A solid business plan

6. What make a good entrepreneur?
Creativity
Discipline
Consumer orientation
Technical proficiency
Flexibility

There you have it.  This survey was given to a bunch of successful businesses and the answers were tallied.  I'll post the answers in a day or so.  I'm sure you could search this out on the Internet, but please don't.  Do your own answers.  As aside, for Church IT managers: how much does this same line of thinking apply to what you do every day?

I wonder how people like 37Signals would answer, and if their answers would match the pattern of other successful businesses?

Moving on From Tape

For years, I've wanted to get away from tape backups.  Remember the Data Domain bumper sticker?  Last month I attended a quick presentation from Barracuda Networks on their Backup products.  One of the slides showed the answer I wanted: disk-based backup is now cheaper than tape.

According to the slide, for a 400GB solutions, tape will be a little over $12k, and Barracuda's service, including off-site storage, will be a little under $10k.  If you want the breakdown, here it is:

400GB Tape Backup, 3 years:
$1,954 Drive and Controller
 1,840 40 tapes + Cleaning Cartridge
 6,886 Software for multiple devices + Exchange and SQL agents
 1,510 2 years maintenance for above software

12,190 Total cost for 3 years (tape)

400GB Barracuda Backup Service, 3 years:
$2,499 Barracuda Backup Server
 7,200 Off-site Storage Subscription

 9,699 Total cost for 3 years (Barracuda)

That's almost a $2500 difference across 3 years.  OK, what's wrong with this picture?  Well, sure, you could probably find a lower cost drive, and maybe squeeze some on the tape and software price.  So maybe the cost is biased.  But wait...the tape solution cost is missing something.  Somebody has to swap tapes, and label tapes, and take them off site, and bring them back for restores.  What's the cost of that person?  And what's the risk of a mistake?  Plus, how many stories have you heard of a restore from tape not working?

When I consider that this is Barracuda (fast to install, easy to configure, simple licensing, "just plain works"), it's pretty much 100% automated, including replicating your data to TWO off-site locations, and the data is on-line all the time for quick restores without having to hunt for tape, the numbers skew even more in favor of disk-based backup.

So, why would anyone ever buy tape again?  Have I missed something?

Why Outsource?

This is a draft of an article for a Managed Services Provider where I'm helping with a bit of web and marketing.  Want to help me with it?  Why would you outsource?  Why would you not?  What are the qualifiers?

Why Outsource?
“Outsourcing gives you the best fit of resources for your needs”

Outsourcing provides the best mix of services for your IT dollar.  You pay for, and get, exactly the resources you need, from CIO, CTO, helpdesk, network admin, technicians, and any other need.  Only need a CIO a few hours a month?  Outsourcing let’s you have exactly those hours.  Need 1 ½ helpdesk technicians.  Perfect!  Outsourcing provides top-notch people while letting you use them for as little as a few hours a month.

Do you do your own dry cleaning?  Do you butcher your own beef?  Do you provide your own water purification?  Certainly some people do each of these, but for most of us, it doesn’t make sense.  Instead, we want somebody with the right experience, the right tools, and the full resources, to take on those tasks and let us go about our lives.  This same concept works with your IT needs.  Let experts, with the right skills, do the work for you, and pay for only what you need.

Most businesses have a legitimate need for a CIO, a CTO, a network admin, a network engineer, a helpdesk technician, a web developer, a database administrator, and perhaps several other IT roles.  Does it make any sense to hire eight people to fill those roles?  Does it make sense to hire just one or two people, who even if extremely talented, would have trouble filling all those roles?  Why not, instead, hire people well-suited to each of those roles, but not full time; hire them for just the amount of time you really need, even if it’s only a few hours per month?  Outsourcing let’s you fit experienced resources to your needs.

Update 9/7/2009:  Outsourcing takes the stress away from many tasks and jobs.  Outsourcing provides "peace of mind." 

Early Warning to Help Prevent Back Door Losses

We're all pretty familiar with the idea of back door losses at churches and most would like to see the back door closed.  Today's ChMS products have data that could help warn of potential exits, but most of the time the analysis work to learn from that data is a bit too hard for "normal" people to deal with.  What a frustration -- the belief that helpful data exists, but too much trouble to process it.

Well, I think I have some good news.  A friend has developed a solution that helps monitor the status of a congregation's membership.  The nice thing is that he (through his product) does all the hard stuff, digging through the data, to produce *easy to read* reports that tell you exactly who is at risk.  The output is simple: some dashboard reports and graphs, that show, by individual, who the church needs to check up on.  There are several levels of warning, from a "first hint," all the way up through a critical/urgent, "do something right now" situation.  Currently, the solution works with Shelby, but plans are to connect to ACS and Fellowship One very soon.  If this is something that sounds interesting, please let me know and I'll help make a connection for you.

Here's a bit of a pre-announcement about this solution/service:

A Dunwoody (GA) based company, Integrity Financial Services (IFS), is looking to partner with two large churches: one utilizing ACS and one utilizing Fellowship One as its church management system.  In June 2009, IFS launched a second-generation product specifically for churches, SheepGate, to track and monitor monthly changes to its membership bases by named individual.  Each month, SheepGate also identifies named individuals exhibiting early warning signs of disengagement from the congregation.  Churches can then use that prioritized listing of "at risk" members to focus its congregational shepherding and retention efforts. SheepGate is currently integrated with Shelby Systems, church management system.  IFS wishes to provide two partner churches with its SheepGate product at no charge in exchange for the opportunity to create and document implementation with ACS and Fellowship One using live data.  IFS is targeting a July 31 integration for ACS and Fellowship One.

I'll be posting this same information on the ChMS discussion list, so feel free to post follow-up there.

No Need to Involve the IT Department

Saw this on a website the other day.  “Because {product} is easy to setup and use, there’s no need to involve the IT department or install any extra software on the PC.”

This sounds great from a user or customer service perspective.  Why does it cause the hair on the back of my neck to stand up?  I don't think it's a control thing...