GDPR – Your User Database


Many companies have a website and a customer database. Those of us who rely on consent as the lawful basis for holding this data must now have the express permission of each individual concerned.

Personal data (often called Personally Identifiable Information, PII) includes business email addresses, since they identify specific individuals.

To meet our obligations we need a clear opt-in policy on our website and a database whose access we can audit. Can you do these things today? If not, please contact Insperitas so that we can help.

Article 32 of GDPR sets out what "security of processing" means and requires measures that are regularly tested and assessed, so you need to be able to show that your controls are actually in place.

Please see the excerpt below, taken on Feb 23rd 2018 at 12.25 UTC from:

Article 32

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3.   Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4.   The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.


Have your Cloud Costs gone Stratospheric?

Well, to be honest, that’s not at all surprising. It’s an all too common scenario.


Why?

Because companies choose to use Cloud Services for the following reasons.
1. To urgently replace an existing backup solution.
2. Because some new urgent project demands a Cloud based solution.
3. To speedily boost or replace on premise servers.

All of these are time-based demands and they often spawn a sudden launch into Cloud without serious consideration of how resources should be managed.

The common problems this creates include:

  • No tagging
  • No one knows why a server was built or if it can be deleted
  • Lack of clear ownership
  • Bills cannot be allocated properly
  • Disagreement as to who owns the shared Cloud services
  • Insecure solutions
  • Inefficient solutions
  • Inflexible designs

Insperitas can help you by:

Evaluating your whole Cloud infrastructure
Ensuring proper systems and processes to enforce best practices
(read more…)
Remediation of existing issues

But you don't want or need to become dependent on Insperitas. And you probably won't be able to move immediately to meet best practices. A better solution might be for a consultant to come to your site (or work remotely) for one day a week to teach and guide your own employees to implement success.

Together let’s bring your costs back down to earth.


Call me  (+44 7932 678578) or fill in your details on our contact page and start moving towards a more cost effective Cloud engagement.

agile and Agile

I am not a software developer but I do have project management experience. One of the problems for project managers is that developers want to work with Agile whilst customers often want a waterfall-style report. For me this problem is fundamental. It's the realization that there is a difference between Agile (a software development methodology, on which I am not an expert) and agile (small a) as a principle of a successful modern business. Coming back to the Agile Manifesto helps us out here. These are simply good general principles. Even in their wording they recognize that asserting one way to be right and another to be wrong belongs to an older era where slow-paced change was acceptable. In other words, let's be agile about Agile and not set in concrete.

These good principles need to start from the top. “Individuals and interactions over processes and tools” embodies the root of the question. Bosses should hire people they trust…and then trust them. This doesn’t just apply to developers. Once managers get this principle, Agile development follows smoothly.  Until managers get it, we will face this continual, painful, seismic fault, with occasional earthquakes and aftershocks felt on both sides of the divide. (With PMs invariably caught in the middle!)

Bosses should hire people they trust…and then trust them

This reaches back to recruitment processes which are not designed to select the right people but focus on certificates. It reaches even further back into the education system that directs children toward certificate attainment. (Excellent TED talks on this: https://www.ted.com/talks/sugata_mitra_build_a_school_in_the_cloud and http://www.ted.com/talks/ken_robinson_says_schools_kill_creativity) We should, of course, first teach children to care for other people and to respect them, and then teach them how to learn. Employees also need to do their part, being willing to be flexible with their role depending on what is needed at the time instead of sticking rigidly to an old job description.

So whilst I don't disagree with teaching Agile (or Scrum, or any other agile development process) to development teams, I really believe that we need to start with teaching the philosophy and principles behind the Agile Manifesto.

Kill the CAB – Improve your competitive advantage

The correct use of Cloud Services enables fast moving change.

A Brief History of Change

Companies used to be pretty static. Small changes were introduced over years. As a global marketplace started to open up, companies realized the need to change in order to remain relevant and competitive. Small changes can be effected by the in-house BAU team, whereas large changes are renamed as projects and these are facilitated by project managers. (That's why there are so many project managers now compared to 15 or 20 years ago.)

As changes in companies multiplied some problems developed. Changes sometimes broke things and running multiple projects concurrently required changes to be carefully co-ordinated. This led to change management becoming another drain on resources. Companies would create change boards or CABs and these have to be staffed by operationally responsible people.


Most people think of a CAB as a Change Approvals Board. In fact ITIL refers to a CAB as a Change Advisory Board. There is a world of difference between the two! Changes are often reviewed in CABs by those who know the existing state of play well, but know little about the change being introduced. These people rely on getting the right information from the PM and the project's architect. This in turn reduces the CAB to a paper exercise: "Fill in this 8 page document and we will consider whether your change should be allowed to go ahead". This is exacerbated by the CAB being staffed by people who have the responsibility to keep things working, so there is a general reluctance to introduce change.

A CAB should of course be a forum to schedule changes that might interfere with each other, not a hurdle to progress.

(Almost) Up-to-Date

So now to Etsy and Amazon.

In 2011 Amazon explained that they introduce one change every 11.6 seconds. That’s a lot of changes to get through CAB… unless of course they have a better solution?


Etsy have a policy of asking their new developers to release change to live on DAY ONE of their employment. This allows them to get into the right mindset for introducing change. And the correct mindset is “Go for it!”

How can that work? Isn't it dangerous? There are a number of tools and processes that make it safe: automated tests that run on every change, peer review of the code before it merges, small changes that can be rolled back quickly, and monitoring that tells you within minutes if something has broken. Perhaps the over-riding consideration is Fail-Fast (an Agile teaching), but you need an infrastructure that gives you that safety net and makes the Fail-Fast approach workable. This CAN be accomplished without reference to Cloud Services, but in reality Cloud will provide you with the easiest solution.

In terms of acronyms we can talk about DevOps, DevSecOps and WebOps. Also important are CI, CD and Agile. Each of these deserves its own paper. But the bottom line is that CABs ARE HISTORY. If your company has one, you have a problem. You don't need it. It's slowing you down. The controls a CAB is meant to give you (a second pair of eyes and a record of what changed and when) come from the pipeline instead: reviewed pull requests and an automated deployment log. Move on.

If you would like a FREE REVIEW to see how your business can benefit from Cloud Solutions then fill in your details on the contact page and I will be delighted to help.

Will I Save Money?

I have been delivering business cards to local businesses offering Cloud IT Services. Often the unspoken question is

“Are you asking me for money?”

Followed quickly by:

“Can you save me money?”

Of course the answer is:  It depends!  I would like to shout out “YOU’RE MISSING THE POINT” but that’s probably not helpful. Instead I decided to write this blog  “Saving Money with The Cloud”.


Most businesses I speak to face many pressures and the last thing on their mind is IT.  They are concerned about getting new business, managing staff, their premises costs, managing their current workload effectively… the list goes on.

So here are  FIVE reasons to think about your business and Cloud IT Solutions.

Continuity

Taking the most obvious reasons for spending on IT first, we need to talk about failure. What happens when it all goes wrong? You have data saved on your laptop or a local server and it breaks. Do you have a backup? Do you know how to access your backup? Will you be reliant on someone visiting your business to fix the problem? What will that cost?

We can level this up too... what happens when the company you rely on to supply your backup solution fails to deliver? Do you want to wait until there is a disaster to find out if your solution is effective? Most companies seem to be happy to operate with this head-in-the-sand approach. The truth is that backing up to Cloud is likely to be either a necessary extra expense (if you have no workable backup solution today) or a cost saving (if your current backup solution is anywhere other than in The Cloud). So the answer here is "Yes, I can save you money."

Growth

If you need to expand for any reason you should think Cloud. If you take on staff how will you communicate and share data? Do you need more space for more data?  The Cloud might be the cheapest option and will remove your need to spend cash on new hardware.

Money Management

Maybe this should be the number 1 reason to move to Cloud? With Cloud Services you pay for what you use, and it's easy to budget. With budgets and alerts set up from the start there need be no unexpected bills. Any Cloud support costs should be 100% transparent with no surprises.

Security

The next thing we need to discuss is “Security”.  IT Security is such a massive topic, whole books are written about it and anything I write here could only gloss over one of the most important IT topics.   Suffice it to say that lots of small companies imagine that this is not an issue for them. Until you ask them what their competitors could do with their customer list… or what they could do with their competitors list of contacts. Security IS an issue for EVERYONE.

Some imagine that the least secure place for their data is in the cloud, but I suggest you look at it this way: if I were to post your data where everyone can see it, such as on a billboard, what would we need to do with that data to keep it secure? The answer is to encrypt it. Secrecy has come a long way since you were a child. We don't just swap the letters around or write it in lemon juice. Strong encryption is available to all of us, and provided the keys are properly controlled it lets us choose precisely who can read what data whilst still making it easy to share.

We don’t just swap the letters around
or write it in lemon juice.

Improving your business

For some companies there is a clear benefit in improving their IT. Yes you can save money by introducing efficiency to your business. Good IT choices can drive better business decisions.  Even very small businesses should be tech-aware. Whether its digital marketing, a better website or sharing data with customers YOU can improve your business by making good IT choices.

For larger customers, adopting Cloud best practices can make you reach your market faster, change quicker and allow you to become more agile. Business growth is often driven by disrupting the status quo. Will you be disrupting or disrupted?

Cloud Security

Data breaches occur all too often. Tighter controls are imminent and will help protect Personally Identifiable Information. However, every person or business that posts or stores anything on a Cloud Platform MUST take full responsibility for that data. The provider secures the platform; what you put on it, and who you allow to reach it, is your responsibility (the "shared responsibility model"). This includes understanding the security of the Cloud Service.

This blog is NOT a full and complete list of all security measures that could be implemented but I would like to highlight some of the measures that should be considered.

Risk Awareness

We all have data that is pretty much of very little value to anyone else. That picture of your new born baby might have massive sentimental value to you but is probably not going to be worth much in the hands of a criminal. We also have data that we intend to be publicly available: Your CV, for example, or a company’s marketing brochure.

Some data that will be stored in the Cloud could cripple or destroy  a business if it were to be compromised. Every  piece of data has a value to you and a value to others. The costs of securing data should be carefully weighed against those values.

Your CSP

Whilst a very large company investing millions in a Cloud Service might well want to spend money determining how secure a CSP's datacentres are, for most of us that is overkill. Cloud Service Providers (CSPs) base their business case on providing a secure platform. For the most part, we can safely assume that data stored with a major player in the Cloud will be held on infrastructure significantly more secure than anything we could run ourselves. (Yes, even if you keep it under your pillow … or your dog's pillow.)

They will however expect you to do your part!

ENCRYPTION

Hopefully an obvious one, but if you don't intend your data to be publicly available then you should definitely encrypt it. There are several layers, and they are complementary rather than alternatives:

  1. Encrypt in transit (TLS) for every connection, using your own or a CSP managed certificate.
  2. Encrypt at rest using your own or a CSP managed key.
  3. Encrypt on premise before upload (client-side) and manage your own keys, so that the CSP never holds the plaintext or the key.

For the vast majority of us, trusting the keys provided by the CSP will be sufficient. Bear in mind what CSP managed at-rest encryption does and does not do: it protects against loss or theft of the underlying storage media, but anyone who gets into your account with permission to read an object will receive it decrypted, which is why account security and least privilege (below) matter just as much. If you are storing government secrets, or cannot accept the CSP being able to read your data, you may wish to manage your own keys.

Account Security

From the moment your account is first set up you must be sure that access to it cannot be compromised; if someone else gets into your root account, everything else becomes irrelevant. In many companies access does need to be shared, but that should never mean sharing the root credentials: create an individual identity for each person, turn on Multi-Factor Authentication for the root account and for every user, and lock the root credentials away for emergencies. These are the tools that let us implement Least Privilege Access.

Least Privilege Access

It is essential that any Cloud Strategy simplifies the process for devolving access and responsibility for data. Practices that have been important in traditional computing environments for many years are even more crucial as we move to the Cloud. This includes appointing a data owner for every bit of data and managing the full life cycle of that data. Least privilege, as the name suggests, means that we only give the minimum amount of access to data that a person needs to accomplish the specific task in hand. Some CSPs allow a person (an identity) to assume a number of roles which allow differing levels of access, so that day-to-day work is done with the narrow role and the powerful one is assumed only when it is needed.
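As an added example (not Insperitas' code, and not any CSP's own tooling), here is a small Python linter for an IAM-style policy document that flags the grants least privilege forbids: wildcard actions, wildcard resources, and IAM rights on every resource, which allow the holder to escalate to other roles. Both policy documents and the bucket name are constructed for the example.

```python
"""Added example, not Insperitas' code: lint an IAM-style policy document for
statements that break least privilege before the policy is attached to a
user or role. Both policy documents are constructed for the example."""
import json
from typing import Any, List

# Constructed: a "get it working" policy a hurried project might attach.
OVERBROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}
  ]
}"""

# Constructed: the same task (read one backup bucket) scoped to what it needs.
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::customer-db-backups",
                  "arn:aws:s3:::customer-db-backups/*"]}
  ]
}"""

# Actions that, granted on every resource, let the holder take over other roles.
ESCALATION_ACTIONS = {"*", "iam:*", "iam:passrole"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> List[str]:
    """Return one finding per over-broad grant; an empty list means it passes."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: allows every action")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: allows every {action[:-2]} action")
        if "*" in resources:
            findings.append(f"statement {i}: applies to every resource")
        if "*" in resources and any(a in ESCALATION_ACTIONS for a in actions):
            findings.append(f"statement {i}: IAM rights on every resource allow privilege escalation")
    return findings


if __name__ == "__main__":
    for name, doc in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or ["no findings"])
```

Run it as a pre-commit or pipeline step over the policy files in your infrastructure repository; the scoped policy passes, the over-broad one produces four findings. The checks are deliberately simple (no condition keys, no NotAction), so treat a clean result as "nothing obvious", not as proof of least privilege.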

Firewall Controls

All major CSPs offer a competent firewall service (security groups, network ACLs, VPC firewall rules) that can be trusted. Use it to apply least privilege to the network as well: where a service has a public front end, expose only the front end's ports (typically 443) to the internet, and hold the data behind it in a subnet that accepts connections only from the front-end tier, never from the public internet.
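The tiering rule above, as an added Python example that is not the page's own code: a check over a simplified model of security groups (the dict shape, group ids and tier labels are assumptions of the example, loosely following how AWS describes groups) that flags any non-web port open to the internet and any data-tier group that accepts connections from an address range instead of from the front-end group.

```python
"""Added example, not the page's own code: check that a public front end does
not expose the data tier behind it. The groups below are constructed sample
data in a simplified shape; "web" and "data" tier labels are assumptions."""
import ipaddress
from typing import Dict, List

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
PUBLIC_PORTS = {80, 443}          # the only ports a public front end should open

# Constructed sample: what a rushed build often looks like.
BAD_GROUPS = [
    {"id": "sg-web", "tier": "web", "ingress": [
        {"port": 443, "source": ANY_V4},
        {"port": 22, "source": ANY_V4},         # SSH open to the world
    ]},
    {"id": "sg-db", "tier": "data", "ingress": [
        {"port": 5432, "source": ANY_V4},       # database reachable from the internet
    ]},
]

# The same design with the data tier firewalled off behind the front end.
GOOD_GROUPS = [
    {"id": "sg-web", "tier": "web", "ingress": [
        {"port": 443, "source": ANY_V4},
        {"port": 22, "source": "10.0.0.0/24"},  # admin subnet only
    ]},
    {"id": "sg-db", "tier": "data", "ingress": [
        {"port": 5432, "source": "sg-web"},     # only members of the web tier's group
    ]},
]


def _is_public(source: str) -> bool:
    return source in (ANY_V4, ANY_V6)


def _is_cidr(source: str) -> bool:
    """True for an address range; False for a reference to another group."""
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def check_tiers(groups: List[Dict]) -> List[str]:
    """One finding per rule that breaks the front-end / data-tier separation."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            port, src = rule["port"], rule["source"]
            if _is_public(src) and port not in PUBLIC_PORTS:
                findings.append(f"{g['id']}: port {port} open to the internet")
            if g["tier"] == "data" and _is_cidr(src):
                findings.append(f"{g['id']}: data tier accepts port {port} from "
                                f"address range {src} instead of a front-end group")
    return findings


if __name__ == "__main__":
    for label, groups in (("rushed build", BAD_GROUPS), ("tiered design", GOOD_GROUPS)):
        print(label, check_tiers(groups) or ["no findings"])
```

The point of the second check is that a data-tier rule should name the front-end group, not an IP range: a group reference keeps working as front-end instances are replaced or scaled, whereas a CIDR silently widens as the subnet fills with other things.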

CI / CD

The best security solution lies in making security part of your release process. The most forward-thinking companies practise Continuous Integration and Continuous Deployment. One of my favourite lines is that Etsy ask their new programmers to deploy to live on day one. It is possible to automate the checks that secure our data and our infrastructure in the Cloud (policy linting, firewall rule review, dependency scanning) so that every release passes them before it goes live. This is complex but valuable when done well. One day all code will be released this way (I hope 😉 )

Rules for your 1st Cloud Steps

You might be considering Cloud for any of the following reasons:

  • You need cheap, secure offsite backup. The Cloud can be an effective way to achieve this.
  • Your server hardware is old. You have some applications running on a server that is aging and ought to be replaced. If "Cash is King" then avoiding the capital expense might be useful.
  • You'd like to reduce your IT costs. Sometimes a service that is currently provided in house, such as email, can be delivered more effectively (and possibly more cheaply) by a Cloud Service Provider (CSP).

Whatever your drivers are, it is essential that you resolve the following important issues:

  • Choosing the CSP. There are a number of providers. Which one(s) are a good fit for your business?
  • Account set up. The last thing you need is to set up the account in a way that will leave you frustrated later.
  • Cost management. You need to be certain that costs cannot escalate horribly because of a poor design.
  • Security is essential. How can you be confident that your data (and your customers' data) is secure?

This blog expands on the topics above. I would be delighted to assist you with investigating and providing solutions for any of these. Insperitas is also able to provide support for Cloud solutions.

Choosing The CSP.


The three largest providers are also the most flexible

Amazon Web Services (AWS) is the largest CSP on the planet and offers a very wide range of services. The tools are relatively well known and can be adapted easily. For many this is the go-to place when beginning a Cloud journey. https://aws.amazon.com/choosing-a-cloud-platform/

Microsoft are good at providing a Cloud version of services that they would traditionally provide by selling applications. Email is a classic example. For larger companies MS also offer a mature Identity and Access Management solution based on Active Directory. Microsoft have a large network of partners and are "Enterprise Ready" in the sense that they are the longest-established enterprise vendor of the Big 3 CSPs.

Google are slightly newer to providing Cloud Services when compared to AWS. Google Cloud Platform (GCP) provides a much smaller array of services than AWS. However the services which they do provide are very well executed. They have a stated aim to be the largest CSP in the world in the next few years. https://cloud.google.com/why-google/


Setting up the account

The important things to ensure when it comes to setting up your account in either AWS or in GCP are:

  • Don't get locked out! You need MFA on the root account, but decide who will have ultimate control and where the recovery codes and hardware token are kept.
  • For AWS, register a phone number and email address that the business will still control in years to come; they are used to verify the root account.
  • For Google, will you get an organisation account or a personal Gmail account? Company resources should never hang off an individual's Gmail.
  • How can you give access to another account for support? Use a role or an invited identity that can be revoked, not a shared password.
  • Can you make use of free services?

https://aws-tutorials.blogspot.co.uk/2017/04/setting-up-your-new-aws-account.html

Managing Costs


If you have teenagers in your house you will well understand the difference in attitude to electricity use between bill-payers and non-bill-payers (also known as freeloaders). When you are using your own hosted infrastructure you only have to make sure that you don't fill up the hard drive or place too many demands on memory and processor. When you use Cloud Services you need to be sure from day one that you will be warned if your monthly costs are going above your anticipated levels: set a budget and an alert threshold before you build anything.

In addition you need to be sure that your costs are allocated correctly. This isn't difficult but demands that you follow good Cloud practices, tagging in particular, right from the start.

Security


When I setup one of my first Cloud servers I was a little surprised to find out a week later that a virus had been installed on the server. I had left open a port to the server that could have been disastrous. These days whenever I build any service online I start with ensuring that it is secure. This isn’t complicated but it is necessary.

For a FREE assessment type code 1709FREE into the “Message” bar on our Contact page

Principle 7: Prepare for failure

Design your services and components to cope with failure. Any single component failure should not impact the overall service.

When designing Cloud Solutions ensure that the load is spread in a way that will cater for failure. The extent of the spread will depend on the criticality of the service as more spread equates to higher cost.

Put a load balancer in front of each stateless service so that instances can be added, removed or replaced without clients noticing, and so that one service's failure is isolated from the others.
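To make the principle concrete, an added Python example (not the page's own code) of a client that spreads requests across stateless replicas and fails over when one of them dies. The replicas are simulated in-process and their names are invented; in a real deployment the managed load balancer does this job, with health checks re-admitting a replica once it recovers.

```python
"""Added example, not the page's own code: stateless replicas behind a
failover loop, so that one replica dying does not affect the service.
Replicas are simulated in-process; a managed load balancer does this in
real deployments."""
from typing import Callable, Dict, List, Set


class ReplicaDown(Exception):
    """Raised when a replica does not answer."""


def make_pool(healthy: List[str], broken: List[str]) -> Dict[str, Callable[[str], str]]:
    """Constructed sample backends: some answer, some always fail."""
    pool: Dict[str, Callable[[str], str]] = {}
    for name in healthy:
        # Stateless: every healthy replica produces the same answer for a
        # request, so it does not matter which one serves it.
        pool[name] = lambda req, n=name: f"{n} handled {req}"
    for name in broken:
        def fail(req: str, n: str = name) -> str:
            raise ReplicaDown(n)
        pool[name] = fail
    return pool


class FailoverClient:
    """Round-robin over replicas; a replica that fails is taken out of rotation."""

    def __init__(self, pool: Dict[str, Callable[[str], str]], max_attempts: int = 3):
        self.pool = pool
        self.order = list(pool)
        self.cursor = 0
        self.unhealthy: Set[str] = set()
        self.max_attempts = max_attempts

    def _pick(self) -> str:
        """Next replica in round-robin order that is not marked unhealthy."""
        for _ in range(len(self.order)):
            name = self.order[self.cursor % len(self.order)]
            self.cursor += 1
            if name not in self.unhealthy:
                return name
        raise ReplicaDown("no healthy replicas")

    def send(self, request: str) -> str:
        """Serve the request from any replica, retrying on a dead one."""
        last: Exception = ReplicaDown("no attempts made")
        for _ in range(self.max_attempts):
            name = self._pick()
            try:
                return self.pool[name](request)
            except ReplicaDown as err:
                # Take it out of rotation; a health check would re-admit it later.
                self.unhealthy.add(name)
                last = err
        raise last


if __name__ == "__main__":
    client = FailoverClient(make_pool(["replica-a", "replica-b"], ["replica-c"]))
    for i in range(5):
        print(client.send(f"req{i}"))
    print("taken out of rotation:", sorted(client.unhealthy))
```

The retry is only safe because the replicas are stateless: if replica-c had been holding a session, the request could not simply be replayed against replica-a.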


Principle 6: Create Scalable Microservices

Don’t build monolithic applications

Instead of a monolithic approach,  build a number of smaller applications that can call each other as necessary via APIs. Automated scaling allows you to keep costs down whilst ensuring demand is met.

Cloud technologies depend on good elasticity to be competitive. It’s easier to see which parts of your application are the most resource hungry (or the most utilized) and improves troubleshooting.

Building with micro-services is generally thought to be good practice. It allows improvement of individual services, which adds agility.

Go Serverless where possible as this puts the onus on the CSP to  provide the automated scalability.

With fully automated scaling, horizontal scaling occurs in response to the metrics and alarms you define.

NB. Services that scale horizontally need to be stateless: session and other state belongs in a shared store (a database, cache or queue), not on the instance, so that any instance can serve any request and an instance can be removed at any moment.

Principle 5: Measure Everything

Every Cloud Service should be measured and logged

In order to ensure that costs are kept to a minimum it should be possible at all times to know all there is to know about each service. It's important to realize that when using elastic virtual servers, the logs are deleted along with the server. Therefore servers should ship all logs to a central store that can be readily interrogated; this also keeps the security logs out of reach of anyone who compromises a single server.

  • Log everything. Modern Cloud Services provide detailed logs. Collect them ALL. These include Application Logs, Infrastructure Logs and Security Logs!
  • Good elasticity depends on having accurate usage data.
  • Failing to measure is a sure fire way to waste money.
  • Set alerts on services based on the metrics expected and your design.
  • Use Tags properly. Your first tag for each item should be Cost_Centre. A tagging taxonomy is important to save future headaches.
  • A good logging tool is essential for intelligent interpretation.
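An added Python example, not the page's own code, that enforces a tag taxonomy of the kind recommended here and in the Managing Costs section, and allocates a month's bill by Cost_Centre so that untagged or mistagged spend shows up as an UNALLOCATED line to be driven to zero. The resources, prices, required keys and allowed cost-centre values are all constructed for the example.

```python
"""Added example, not the page's own code: enforce a tagging taxonomy and
allocate a month's bill by Cost_Centre. The resources, prices, required tag
keys and allowed cost centres are all constructed for the example."""
from collections import defaultdict
from typing import Dict, List, Tuple

REQUIRED_TAGS = ["Cost_Centre", "Owner", "Purpose"]      # Cost_Centre first, as the page advises
ALLOWED_COST_CENTRES = {"finance", "marketing", "platform"}  # tag values are case-sensitive

# Constructed sample: one month of resources with their cost in pounds.
RESOURCES = [
    {"id": "i-0a1", "cost": 120.0,
     "tags": {"Cost_Centre": "finance", "Owner": "amy", "Purpose": "ledger-api"}},
    {"id": "i-0b2", "cost": 45.5,
     "tags": {"Cost_Centre": "Marketing", "Owner": "bob", "Purpose": "campaign-site"}},
    {"id": "vol-9", "cost": 8.0,
     "tags": {"Owner": "bob"}},                       # nobody knows why it exists
    {"id": "i-0c3", "cost": 300.0,
     "tags": {"Cost_Centre": "platform", "Purpose": "ci-runner"}},
]


def tag_findings(resource: Dict) -> List[str]:
    """Why a resource fails the taxonomy; an empty list means it passes."""
    tags = resource["tags"]
    problems = [f"missing {key}" for key in REQUIRED_TAGS if key not in tags]
    centre = tags.get("Cost_Centre")
    if centre is not None and centre not in ALLOWED_COST_CENTRES:
        problems.append(f"unknown Cost_Centre {centre!r}")
    return problems


def allocate(resources: List[Dict]) -> Tuple[Dict[str, float], List[str]]:
    """Bill per cost centre, plus one finding line per resource that breaks
    the taxonomy. Cost with no valid Cost_Centre lands in UNALLOCATED."""
    bill: Dict[str, float] = defaultdict(float)
    findings = []
    for r in resources:
        problems = tag_findings(r)
        if problems:
            findings.append(f"{r['id']}: {', '.join(problems)}")
        centre = r["tags"].get("Cost_Centre")
        bill[centre if centre in ALLOWED_COST_CENTRES else "UNALLOCATED"] += r["cost"]
    return dict(bill), findings


if __name__ == "__main__":
    totals, issues = allocate(RESOURCES)
    for centre, amount in sorted(totals.items()):
        print(f"{centre:<12} {amount:8.2f}")
    for line in issues:
        print("fix:", line)
```

Note that "Marketing" is rejected even though "marketing" is allowed: cloud billing reports treat the two as different tags, so the taxonomy has to fix the spelling, not just the key. Run the same check as a policy at creation time (most CSPs can refuse to create an untagged resource) and the UNALLOCATED line never grows in the first place.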