March 16, 2009

Choosing the right offsite backup provider

Recently I had an interesting experience that I think is noteworthy. Something worth sharing with my peers and circle of influence.

Last month I had the experience of accidentally backing up 7GB of MP3 data to our offsite data backup provider, i365 (formerly eVault). I have been a happy customer for YEARS of their service. It works as intended, and quite frankly I rarely even think about them as it "just works". But I got nailed with a HUGE overage bill that blew away my DR budget. It was not a pretty sight. Half a year's budget spent in two months.

I gave them a call to find out what was going on, and their Customer Service technical team was awesome in helping me to identify the culprit. We quickly stopped that folder from being backed up any more, and then created a filter to prevent media file extensions from ever being backed up again. This wasn't a standard web based, email only support option. It was a real, living, breathing geek who knew how their software works. And that is important to me... it let me address the issue in a pretty fast manner and move on to more interesting pursuits.

However, the fact remained that it was an expensive lesson on what NOT to do. I had overages of about $26/GB, which is insanely expensive by today's rates. Then again, it was a plan I was on from over 3 years ago. So I can't really blame them for that.

So I twittered in frustration. And Vlad Mazek over at Own Web Now sent me some information about his offerings, which from a cost perspective are way more in line with what a small business can afford. And ultimately I sent out the following twitter after learning about his services:

Holy cow. OwnWebNow offsite backup appears to be way better for small business than eVault.

Now from a social media perspective that might not mean much. But it had an interesting cascading effect worth noting. It seems management over at Seagate heard about the tweet.
And it caused a meeting to be scheduled between myself, my eVault account manager and her director. We had our conference call this morning.

Talk about service! They listened to my concerns, and reviewed my account with them. Being with them for so many years, they wanted to keep my business and wanted to make things right. And from the action items from the meeting, it sounds like they will.

Our data needs have changed. We have doubled the amount of data we need to store offsite, and being hit with 4x overage charges isn't acceptable. They listened to the pain I have identified, and are addressing it with a new plan that is more in line with my needs and expectations.

Guess what? It is going to cost me more money. Considerably more money than if I went with Own Web Now's service. However the difference is WORTH it to me, and although I haven't made a final decision yet... I am leaning heavily to stay with them.

As a small business owner my loyalty is to my company and its bottom line. However, it is balanced with the costs of good technical support, and great customer service. Something Seagate/i365 has shown me today.

Customers matter. Without them, a software company is nothing. And it seems i365 gets that. And it seems they listen to their customers on Twitter. That's just awesome. And that small gesture has probably secured my business for many years to come.

March 05, 2009

BSIMM: Maturing the process of Building Security In.

Although software security is still in its infancy, there are several methodologies like Microsoft SDL, OWASP CLASP and Cigital Touchpoints that are being adopted by more and more companies as part of their software security initiatives. Many share much of the common ground.

A new study driven by Gary McGraw, Brian Chess and Sammy Migues investigated these common traits across several world leading companies, including Microsoft, Google, Adobe and EMC.
Entitled the "Building Security In Maturity Model (BSIMM)", it helps to document a process of understanding and analyzing the real world experiences these companies have had in their software security development lifecycles.

I was privileged enough to get early access to this study and have to say over the last few weeks I have reflected on their skeleton and see some real merit for using BSIMM in enterprise environments. It dictates a well rounded maturing process that can easily be adopted, even if in stages, to significantly increase the security effectiveness of a company's development process. I highly recommend taking a look at it. You can download it here.

If there is one criticism I would have on BSIMM, it is that it has a requirement of scale. In the study, the median for a software security group (SSG) is 35 to 40 people, which is much too large for a majority of software companies out there. With the adoption of many agile software development paradigms, teams are getting smaller, not bigger, and are becoming isolated from main development teams. Especially if outsourced. And in actuality, it is my belief it's these smaller teams that would benefit most from a software security development lifecycle that is better studied, understood and adopted. It's one of the reasons I like the Microsoft SDL process. It works with small teams of 5 or 10 people in the entire team.

However, that is no reason to dismiss BSIMM. From the 110 activities, although some simply don't fit, much does, regardless of the size of the team. The requirement is that it be bought into... shifting culture and defining attitude.

What was interesting to see was the top 10 activities seen through most companies studied. They include:
Sounds like good advice to me.

I'd like to congratulate Gary and his peers on an interesting study. And I hope others in the industry will look up this research and see how they can adopt it to their own development processes. With any luck, we can see adaptations to allow this to work with considerably smaller teams.

March 02, 2009

Using Information Cards when using Microsoft services

I am down on the Microsoft campus for the week hanging with other security professionals. As I was coming to the building to listen to Steve Riley, a few Security MVPs and I were talking about identity, and I was surprised to hear that they didn't realize you can use a managed Information Card issued by Microsoft Live ID to provide single sign-on to most of Microsoft's ecosystem. I use mine all the time, giving me single sign-on to MSDN, TechNet, Live, Connect etc.

Back in 2007 I actually blogged how to do this. But most people didn't realize that it has been rolled out to work with production services now, and has for some time (as a beta). So this blog is to provide a link on how to do this.

Rather simple.... just go here: https://login.live.com/beta/managecards.srf

Doing that will get you issued a managed card which you can use on XPSP3, Vista and Windows 7 workstations. When you sign up, you will now have an option to present an information card. It looks like this:
So if you ever find yourself complaining that you hate entering your Passport/LiveID password all the time when logging into Microsoft services, fear not. Use an Information Card and take advantage of single sign-on!...
My 5 Favorite Books
Writing Secure Code
Secure Programming Cookbook
Security Engineering
Secure Coding Principles & Practice
Inside the Security Mind
My 5 Favorite Papers
Smashing the Stack
Penetration Studies
Covert Channel Analysis of Trusted Systems
DoD Trusted Computer System Evaluation Criteria
NSA Security Recommendation Guides