
10 IT Projects/Add-ons that are Always worth Doing

If you work with enough IT people, you know that each of us has a “list” of things we are always trying to sell.  Me… I usually push for some form of version control, and everyone else thinks I am crazy.  So, it is prudent to take a look at what your IT consultant is proposing, to see if you really need that IT project, or if the project will cause more long-term support headaches than it is worth.  But, when most IT people are pressed for justification, they respond with a string of “techno-jargon”, and you say, “Okay… do it,” just to make them stop.

However, there are some IT projects that are almost always worth doing.  I have made a list of the top ten, and I will attempt to explain the techno-speech attached to each justification.

  1. Network Documentation – This is absolutely essential; without documentation, you are at the mercy of your IT person’s memory.  This documentation should, at a minimum, include a list of the servers, firewalls, and routers in your office, a list of the services they offer, and a print-out of the configurations of each service.  It should also include a logical schematic of the network, which is a drawing that shows how each computer is connected to the others, and where the routers and firewalls are.  Most importantly, it should include a “one-page” cover sheet with a list of “current issues” and an overview of the network that someone can read and “jump right in”.
  2. IT Policies and Procedures – Even if you are a “one person office” with no servers and one desktop, you should sit down with an IT consultant and discuss what you should and should not do on the system, and write it down.  Topics covered should include what types of information (especially confidential information) may be sent through email, how the computer should be updated and how often, what types of software you should allow users (including you) to install on the machines, what anti-malware protection you are using and how often you should update it, and what the backup and restore procedures are for your data.  You should also go over the common ways of “getting infected with malware”, and establish policies to mitigate these.  A larger company should include hiring and “un-hiring” procedures with regard to accounts and passwords, and have documents for new hires to sign.
  3. Mirrored RAID – The idea is to have multiple hard drives in a system, and let them “copy” each other, so if one hard drive fails, the system keeps running and no data is lost.  The two mechanical parts in most computers, the fans and the hard drives, are the two “physical” devices that tend to fail, and while your computer can usually handle a failed fan intelligently (they usually shut off when the processor overheats), a failed hard drive will put your system out of commission and destroy some of your data.  By installing multiple hard drives, and having them “mirror” each other, you move a problem from “two-week disaster” to “nuisance”.  The details of how you do it (hardware vs software) are less important; any mirrored RAID system is better than no mirrored RAID system.  I recommend installing mirrored drives on every server, and on any computer that “is essential” to your business.  Most server software supports RAID out of the box, but setting up clients with RAID is something you need to ask for when purchasing new computers, and it can be a pain to do.  Note: RAID is not the same as backup – you need to do both.  RAID protects you against physical hard drive failure, not against other forms of disaster such as malware or office fires.
  4. Off-site Backups – What is the cost of losing all of your data in a fire?  That is the reason to do off-site backups.  These can be as simple as burning a DVD of your data every week and taking it home with you (if you work from home, somewhere else, then), or as complex as an automated, hourly backup to a remote server.  If all of your information is on one server, the easiest thing to do is have two external hard drives, mark one “Tuesday” and the other “Friday”, and alternate between them.
  5. WPA2 Wireless Security – Everyone knows to use some form of security on their wireless network, but if you are using the old WEP encryption (if your router is over five years old), you might as well not be using any – WEP is too easy to break.  I recommend you forgo ten lattes and purchase a new router.  If your older wireless network cards in your computers do not support WPA2, you can use WPA instead… it’s not as good, but it should be sufficient.
  6. Uninterruptible Power Supplies – These are the big batteries you plug your computer into so that, if the power goes out, your computers stay on.  The most important feature of these is that they keep the power constant to the computers if the power “flickers” in the building.  That “flicker” ruins computers.  Buy a UPS for every computer in the office, and buy a “heavy-duty” one for the servers.  There is no reason to lose a $1500 piece of hardware for want of a $50 battery.  Indeed, the power just flickered while I was writing this, and my computer, on a battery backup, stayed on.
  7. Client Certificates or Keys for Remote Access – If you can access your office computer from home with only your password, you need better protection.  If that password gets out (and it will), you have compromised all of the data you can access from that machine, which is much more than you realize.  Think of a remote client certificate or key as a five-hundred-character password that you don’t need to remember and that is unique to a particular computer.  If the “password” is ever lost or stolen, it is easy to revoke only that certificate or key, while keeping the certificates and keys you have installed on other machines.
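     To show what “revoke only that key” looks like in practice, here is an added example that is not part of the original post.  It assumes the remote access is OpenSSH with one public key per client machine in an `authorized_keys` file, the machine name recorded in each key’s comment field; the key blobs are constructed placeholders, not real keys.

     ```shell
     #!/bin/sh
     # Added example: one SSH public key per client machine, revoked individually.
     # Assumes the OpenSSH authorized_keys format (type, base64 key, comment).
     # The key material below is a constructed placeholder, not a real key.

     # make_sample_keys FILE: write a constructed authorized_keys file with one
     # key per machine; the comment (third field) names the machine.
     make_sample_keys() {
       cat > "$1" <<'EOF'
     ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 laptop-home
     ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 laptop-travel
     ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 desktop-office
     EOF
     }

     # revoke_key FILE MACHINE: remove only the key whose comment is MACHINE,
     # leaving every other machine's key in place.  Written to a temp file and
     # moved into place so a half-written file is never left behind.
     revoke_key() {
       file=$1; machine=$2
       tmp=$(mktemp)
       awk -v m="$machine" '$3 != m' "$file" > "$tmp" && mv "$tmp" "$file"
     }

     # count_keys FILE: how many keys remain.
     count_keys() {
       grep -c '^ssh-' "$1"
     }

     # has_key FILE MACHINE: exit 0 if MACHINE still has a key, 1 otherwise.
     has_key() {
       awk -v m="$2" '$3 == m {found=1} END {exit !found}' "$1"
     }
     ```

     When a laptop is lost, `revoke_key authorized_keys laptop-travel` locks that one machine out while the home laptop and office desktop keep working; with a shared password you would instead have to change it everywhere at once.  The comment field is what makes this possible, so record the machine name when each key is installed.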
  8. Defense in Depth – This refers to having more than one line of “sufficient security” between you and the Internet.  There should be two firewalls between you and the Internet: the firewall inside your computer, and the firewall between your computer and your Internet connection (usually a correctly configured router).  There should also be two levels of anti-malware detection on your email, the first on your email server and the second on your desktop; if your email provider does not provide virus detection, switch.  The reason for doing this is that there are often undiscovered vulnerabilities in any single solution, and having two layers of protection protects you from these vulnerabilities.
  9. TLS/SSL for Email and Web Applications – You should encrypt the connection between you and the servers you use, even if they are inside your internal network.  Many connections you use without thinking about it (such as connecting to a Windows server for files or Remote Desktop) are usually encrypted by default, and the three that are most often not encrypted are your email, your web browsing, and any instant messaging client you use.  You want to encrypt these connections, particularly when you send your username and password to access the services; you might not care about someone intercepting your Facebook profile edits, but you should care about someone intercepting that Facebook password, because users reuse passwords, and that “Unger50Todd%” sent over the Internet in plain text might also be the very secure password for the Windows Domain that allows Remote Desktop (another good reason to use certificates).  For email, ask your email provider to help you enable encryption, and if they don’t offer it, switch email providers.  For web sites, try putting https:// instead of http:// when connecting to web servers before you send your password.  If the web site does not offer encryption, and it is not essential to your business, use a different password for that service, and write it down somewhere.  You are sending it in plain text across the network anyway, so you shouldn’t worry too much about it.  If the site is essential to your business (such as a supplier), talk to the webmaster; there is probably a way to connect securely that is simply not “obvious”.
  10. “Browser Based” Internal Applications – There is a whole class of small to medium size business applications that you can install on an “internal server” and access through a web browser.  Given two “all else equal” alternatives between an application that you install on local computers, and an application for which you must set up a “Web Server” inside your office, go with the server-based application.  The reason is simple: the application is (or should be) client-neutral, so you can connect to it from any computer that runs the required web browser.  More importantly, you only need to worry about updating and protecting the application in one location instead of multiple locations, which makes the application much cheaper to manage.  Furthermore, if you must develop an internal application for your business, insist that it be developed as a browser-based application.  If they put up a fuss about having to run a web server, say “that’s fine, you can pick one up for $400”.  If they still refuse, find someone else.  Given the speed of connecting to a server over an internal network, and the development of Ajax applications that seem “desktop-like”, there are very few reasons to build custom internal applications.  Custom web-based applications are much less expensive to develop, and inherently more secure because the application connects to the central database directly instead of over the network (and I have yet to see an internal application that was not a database application).

If there are any differences of opinion, I would like to hear about them.
