Tuesday 24 March 2015

Beat Cryptolocker - ditch documents

A few years ago, a company I worked for had to upgrade their MS Office to a more recent version. They had to, because they wanted to move to a new Sharepoint version, so they could use Sharepoint as the new document management system. Of course, using Sharepoint as a central document management system only works if all employees learn to use Office and Sharepoint the way Microsoft designed them. To this day I have never seen a company where Sharepoint was implemented the right way. In many cases documents are stored just as they are stored on a file server, hierarchically, resulting in the same mess that you find in any organisation that uses documents: lots of copies, versioning problems, corrupted files and, not least, compatibility problems, because MS Office is not capable of storing files in a transparent way. Update and you're doomed...

A long time ago I wrote a report for a company advising them to do away with documents and move to a content management system based solution: write and store your documents in a CMS or (enterprise) wiki. I love wikis. There is only one current version of any document, old versions are always available, with tracked changes; there are no compatibility problems, since all text is stored in the simplest way, using a simple markup language; and, not least, there are great full-text search features. Try that on a file server or in Sharepoint...

Anyway, the company never followed my advice. They really wanted the Office lock-in, so that you could check the presence of people involved in the document creation process...

But now there's a new incentive to ditch documents. Cryptolocker.

Cryptolocker is malware intended to extort people by encrypting documents on a computer, or on a server, on Skydrive and perhaps on a Sharepoint server (MS claims that Office365 is not vulnerable). The criminals claim to decrypt the documents after payment of a large sum of money. There have been some reports of cryptolocker variants malfunctioning, whose crypto functions can be bypassed, but in most cases an infection with cryptolocker is very bad news for the victim.

The only way not to fall prey to these criminals is by not having any documents on a PC or server, or on Sharepoint. If you don't have documents, they cannot be locked. To get there, move to CMS-based text creation and storage: use a CMS, use a wiki, use Prezi-like presentation solutions, use EtherCalc instead of desktop software. And don't misuse Excel for data manipulation or statistical analysis; use databases and BI tools. Output: why print it? Use a live data viewer, or PDF generators if you need a hardcopy.

And if you really want to use documents, move to platforms that are not vulnerable. Much cheaper than paying the ransomware criminals.

Friday 20 March 2015

Recently I had a discussion about managing identities in a company and what strategy to follow towards future developments like Attribute Based Access Control. A very interesting discussion, because this company is quite big and employs several tens of thousands of people, and only a few thousand of those have a Windows account. These people need an account because they have an email address and need access to folders and shares. The others don't have a Windows account, because they don't use any information systems.

AD is a silly tool: it's a user directory, a domain controller, an authentication service, an authorization server and a federation server. Too big to fail, but no focus.

During the discussion the IT manager of the company stated that he wants every employee to get an Active Directory account, because he feels that in the near future everyone will need to access some information resources on a Windows server or Sharepoint. So everyone needs an AD account (no, licensing cost is not yet a problem, as long as they don't use the account actively).

In my opinion this is not the right strategy. In the near future we won't access data on Windows or Sharepoint servers anymore. We will use web services on web servers, accessed with a digital identity that can come from any (trusted) source. Active Directory will become Passive Directory.

It already happened: my company doesn't even have an AD anymore. I think it will be end-of-life before its end-of-support...

Yes, I know, I must be wrong; everyone is expanding AD and so growing their legacy base. And we all move to Azure AD. But just think about this thought experiment...