This week we are pleased to introduce Chuck Adams, of Capstone Works. Capstone Works has been providing professional IT support for businesses since 2001. With over 33 years in technology, Chuck brings a unique perspective to adding value through technology to the small to medium sized business marketplace. Chuck’s diverse experience in marketing, sales, executive leadership, and “boots on the ground” technology implementations has allowed him to accumulate a wealth of solutions, tools and techniques that benefit small to medium sized businesses. Capstone Works specializes in delivering managed IT services, network support, cloud backup, cloud computing, and disaster recovery.
Q: Can you tell us a bit more about your background?
After graduating from Carnegie Mellon University I started as a database application programmer working in Direct Response Marketing – which most people call junk mail. When I had six years in a business-centric data analysis environment, I moved into consulting for several large manufacturing enterprises, including Electromagnetic Sciences. Then I moved to IE DuPont’s polyester manufacturing facility in Kinston, NC. While at DuPont I worked with the development team on their real-time database driven production tracking and quality assurance systems.
Q: That experience is very useful, since database-driven production monitoring and control is a business goal many of our customers have. So how do you put it to use? When you go into a new plant or company, what is the first step to understanding the IT infrastructure you will be managing?
We start by identifying, evaluating, and documenting the network infrastructure. This begins with the perimeter router, subnets, VLAN, and network-centric applications and network needs. These may include needs such as VoIP, real-time monitoring, or Bring Your Own Device policies. From this start, we can effectively assess the security and performance potential on the network and work inward from there.
Q: How has IT changed over the past ten years?
We have definitely seen a revolution in technology in the past ten years in the workplace and on the factory floor. Security and network threats are more challenging to guard against, and 802.11n and 802.11ac, the Bring Your Own Device revolution, VoIP, the Internet of Things, and the Cloud have all emerged in the past decade.
Through the cloud, data and applications are at our fingertips all the time and there’s less need to manage local hardware infrastructure, but we have concerns over critical data that is managed outside our direct control. Encrypting data at rest and data in motion becomes even more important. Cloud applications may also require pinholes through which production data must pass in getting to the cloud, and this must be secured and managed.
Bring Your Own Device has been a challenge from the beginning. BYOD should always be on its own isolated VLAN or dedicated infrastructure. These uncontrolled devices create a threat vector that can start ‘inside’ simply by someone walking through the office door.
While VoIP does not impose direct demand on the real-time system, it can add complexity in managing quality of service unless the voice services are on their own network.
Q: How do you manage technology within the networked corporate structure?
Managing all these variables means taking a proactive approach and ensuring that we have the tools and processes to keep relevant and/or unusual network activity visible. This gives us the tools to respond in advance of an exploit rather than playing catch-up after a breach.
Of course, things do occasionally happen and a ‘response plan’ is important to have prepared and communicated in advance.
Q: From your experience, what business imperatives drive the adoption of technology?
The business imperative that typically drives business technology is value – including additional productivity or insight weighed against the cost of implementation. Some things, like WiFi and hardware refreshes are expected in today’s environment, and management usually finds them easy to approve and budget for. The cloud is something many businesses seem eager to invest in, and in some cases it’s a good investment. In others, it merely moves your costs from fixed assets and hardware replacement cycles to a monthly recurring cost.
Other hardware upgrades like moving your network to 10GB core network speeds, implementing hardware-based active threat protection, network traffic visibility, and proactive management may meet with more budget resistance, as the benefits are harder to quantify. Having good data on existing systems, capacities, and loads is helpful in making your case there.
Q: Cloud Computing is a hot topic in industrial automation. What suggestions do you have for customers attempting to move to the cloud?
Well, it’s important to choose the cloud for the use cases that make sense. There are two main use cases where the cloud is a good option:
- Moving the core line-of-business applications to the cloud, where customization is not a key need. This can include Salesforce or CRM solutions.
- Another use case is disaster recovery and business continuity. Storing backup in the cloud and being able to virtualize the failed devices or the site completely in the cloud for business continuity can be exceedingly valuable.
Q: How are you managing the Bring Your Own Device trend, and what would you recommend to businesses handling this issue?
Well, BYOD injects a potential security threat, as I mentioned earlier, and while you’re usually not able to tell employees to leave devices in the car, you do have to manage access in a proactive way. You can do this by keeping outside devices on their own separate physical network, or by using a VLAN which allows you to share the physical infrastructure, but keeps outside devices logically isolated from your other data.
Then, inter-device isolation is an option, where employees can’t connect devices to one another. You don’t want to inject a BYOD Facebook storm, where employees are surfing Facebook all day when they have other things they should be doing.
Q: Security is a big issue today. However, there’s a tradeoff between having so much security that people cannot perform their jobs, and too little security. How do you strike a balance between these two opposing forces?
Well, password policies are a must. People are usually resistant to changing passwords often, but complex and long passwords should be required for hardware devices that are accessible only through SNMP and/or web interfaces. Passwords should be 8-10 characters long, complex, with spaces or special characters, and not use dictionary words. This will go a long way in prolonging ‘brute force’ attacks, where virtual machines can be used to try and guess passwords.
Patch management is also a must. Keeping the infrastructure updates applied and current is a major step forward in keeping vulnerabilities to a minimum. Most of the vulnerabilities are known to manufacturers and developers and can be plugged.
Implement transparent layers of security starting outside the firewall using commercial “secure” DNS servers like OpenDNS and cloud-based CDN/DNS providers like CloudFlare. Then at the perimeter, have transparent scanning based on virus content, URL reputation, and scanners looking for PCI, HIPAA, and other sensitive data leaks. Of course, each network must be locked down to prevent the root execution capabilities of exploits like CryptoLocker and other destructive worms and network exploits.
External scans should be looking for vulnerabilities like SSL Cipher Compliance and misconfigurations.
Q: What criteria should a company use to choose the anti-virus and firewall for their systems?
We look for firewalls that use centralized management with real-time visibility across sites. We also look for integrated loss prevention, which scans the network for information that we don’t want to lose, like financial information, social security numbers, etc. We also look for protection against advanced persistent threats and zero-day malware.
In antivirus software we are looking for centralized management with real-time visibility across sites, a cloud-based network to quickly identify trends, effective Outlook plug-ins, and effective HTTP threat management.
Q: How should you increase the security of wireless systems, like WiFi networks?
Depending on the level of security required (see security tradeoff above) you can lock down wireless to known MAC addresses, requiring IT intervention to connect a new or unknown device to your network. While this is “work,” it is prudent for certain environments to assure nothing unknown can ever join your network.
Wireless BYOD should, of course, use separate infrastructure or be isolated in its own VLAN. WiFi networks should use WPA2 encryption and hidden SSIDs whenever possible. This way there is less visibility to threats, and less activity between devices. Isolation is important for BYOD. Those devices shouldn’t be able to see anything but themselves and the internet.
Q: What password policies do you suggest?
Password policies are a must, and complex LONG passwords should be required even for hardware devices that are accessible through SNMP and web interfaces.
Password databases, such as on-premise or cloud services like Secret Server or PassportalMSP, are useful in storing and retrieving passwords.
2-factor authentication, including AuthAnvil, Duo, and others, includes something you know and something you have, which can be essential for mission-critical infrastructure and financial systems.
Q: I have always been extremely impressed with Capstone Works’ customer service. What is your philosophy around customer service?
We pride ourselves on being the “Friendly, Proactive, Worry-Free IT Company”. We start with Friendly, because it’s ultimately about the people we serve. I strive to hire individuals who approach their day with a servant’s heart and team members who will find the solution to the Client’s issue regardless of whether it is “in scope” or not – in our view, if it’s electrical and you’re not using it to cook food, you should start with a call to Capstone Works. We always start our inquiry, both internally and externally, with “What’s the business goal; what are we/you trying to accomplish?”
Q: What do you think customers will be expecting from future managed IT services?
We expect a demand for greater integration across all levels of the IT infrastructure, which will allow us to increase proactivity, using the data across all our clients to “predict” vulnerabilities and exploits.
We are also seeing a rise in offering support by the number of users, rather than by device. We’ve been using this model for ten years now, and it simplifies the understanding for the client, and ties IT support costs closer to payroll costs.
Q: What advice do you have for someone entering the industry? What advice would you give to yourself 10 years ago?
The one thing I would advise is to learn to understand a problem before suggesting changes. According to Stephen Covey, you should “First seek to understand before seeking to be understood.” That means striving to understand the business goals the customer wants to accomplish before suggesting changes. Change things ONLY when it adds clear value to your company or your client’s company.
Another thing we’ve learned is that if it’s not tested, it doesn’t work.
I also really believe that in life, fail, and fail often, but fail quickly. Don’t agonize over things – failure breeds innovation and new perspectives on solutions.