Visit the grand opening of our Indianapolis data center on Oct. 23

Hello, Indianapolis!

Online Tech invites all IT professionals in and around the Circle City to attend the grand opening celebration of our fifth Midwest data center – and first in Indiana – from 3 to 7 p.m. on Thursday, Oct. 23.

We’re offering a no-pitch, behind-the-scenes look at a secure, compliant, enterprise cloud computing and colocation data center. Network with your peers, meet some of our clients, eat, drink and be merry!

Registration is simple (click here or the button below) and required. You must present a valid photo ID (we are a secure and compliant data center, after all!) on the day of the event.

Our Indianapolis facility has more than 44,000 square feet of data center space. All critical equipment is N+1, or fully redundant. It is is SAS 70, SSAE 16, and SOC audited to provide security and reliability and also PCI, HIPAA, SOX and Safe Harbor audited to meet national industry compliance requirements.

Expansion of secure, compliant hosting into Indianapolis a ‘win-win-win’ for current clients, future clients and Online Tech

Press release: Online Tech Acquires Indianapolis Data Center

Posted in Data Centers, Online Tech News | Tagged , | Leave a comment

What to do about Bash bug, which could pose bigger threats than Heartbleed

Cybersecurity experts are saying a bug in the widely-used command prompt software Bash could be a bigger threat to users than the Heartbleed bug that surfaced earlier this year. The vulnerability affects Unix-based operating systems, including Linux and Apple’s Mac OS X.

The bug – which has picked up the moniker Shellshock – allows for malicious code execution to take over an operating system and access information. Patches have been issued by many of the major Linux distribution vendors.

Security expert Robert Graham, who has extensive coverage of the bug on his Errata Security blog,  describes why it is so worrisome:

The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.

The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

So, what to do? published a test to determine if a Linux or Unix system is vulnerable:

To check your system, from a command line, type:

env x=’() { :;}; echo vulnerable’ bash -c “echo this is a test”

If the system is vulnerable, the output will be:


this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x’

this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case, suggests.

David Kennedy, security expert and CEO of northeastern Ohio’s TrustedSec, also strongly recommends updating systems.

The TrustedSec blog offers this local system test to see if you are vulnerable:

env x=’() { :;}; echo Your system is vulnerable’ bash -c “echo Test script”

However, Graham provides this somber note: “There’s little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug. However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can’t be patched, you are likely screwed.”

Bridging the software and infosec professional chasm
Encryption video series
White paper: Encryption of Cloud Data

Posted in Information Technology Tips | Tagged , | Leave a comment

A data loss prevention strategy guide

Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. (View original post.) For more information on IT disaster recovery, download disaster recovery white paper or check out our case studies.

In this article, we’ll learn about the concept of data loss prevention: why it is needed, what are the different types of DLP and its modes of operations, what is the planning and design strategy for DLP, what are the possible deployment scenarios, and what are workflow and best practices for DLP operations.


Every organization fears losing its critical, confidential, highly restricted or restricted data. Fear of losing data amplifies for an organization if their critical data is hosted outside their premises, say onto a cloud model. To address this fear or issue that organizations face, a security concept known as “Data Loss Prevention” has evolved, and it comes in product flavors in the market. The most famous among them are Symantec, McAfee, Web-sense, etc. Each DLP product is designed to detect and prevent data from being leaked. These products are applied to prevent all channels through which data can be leaked.

Data is classified in the category of in-store, in-use and in-transit. We will lean about these classifications later in this article. Before starting the article, we have to keep in mind that the information is leaking from within the organization.

Continue reading

Posted in Information Technology Tips | Tagged , | Leave a comment

Michigan HIMSS 2014 Fall Conference

Online Tech rarely misses an opportunity to attend a HIMSS event, which are always packed with healthcare information management hot button topics and innovative ideas. So we’re particularly eager for next week’s Michigan HIMSS Chapter 2014 Fall Conference in Plymouth Township, just minutes from our Ann Arbor headquarters and three of our four Michigan data centers.

The theme for the Sept. 16-17 event is “Health Information Technology: The Vision and the Value” and it will be held at The Inn at St. John’s. Some of the subject areas include:

  • Health Reform in Michigan and the Role of HIT
  • Care Transitions: Hospitals and Nursing Centers Improving Patient Outcomes
  • Navigating a Meaningful Use Audit
  • The Value of Electronic Health Records: TCO for Transformation Projects
  • And, a Mobile Health Roundtable with eight industry experts

The Michigan Chapter of HIMSS was formed in the spring of 2002 and chapter members come from diverse backgrounds, all involved in some aspect of healthcare information systems and management. Non-members are invited to attend the fall conference.

Also: Online Tech will be showcasing our HIPAA-compliant hosting services in the exhibition space at the conference. Stop by!

Posted in Michigan Data Centers, Online Tech News | Tagged , | Leave a comment

7 business drivers for your backup and recovery strategy

In a previous post, I laid out the first three questions your CIO should answer before you start your backup and recovery research. The CIO should provide direction around the value of the data, the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO).

Mike Klein
Online Tech

Once these executive-level business requirements are understood, the context can be used to ask the next set of high-level business and technical questions that drive your backup and recovery strategy.

1) How confidential or compliant does your data need to be? Do you need your backups encrypted — both in transit to your provider and at rest on the provider’s backup storage — to meet HIPAA, PCI or Sarbanes-Oxley compliance requirements? Do you need to choose a provider that meets specific compliance requirements for your industry so your company can remain compliant at your next audit?

2) How secure does your backup strategy need to be? Security is different from compliance. Compliance is the set of rules and audits that surround the data center and any provider delivering backup services. Security is the physical, electronic and network measures that are put in place to prevent theft or unauthorized access to the data.

If you drive tapes off-site, consider the human factor and physical security risks. Consider the type of security infrastructure that you want to see delivered by your offsite backup provider to keep your backup data secure. Do you know where they are physically storing the data? Do you understand their approach to data encryption and data deletion?

3) What is your recovery strategy? If you lose a file, how quickly do you need it be restored to your servers? If you lose a server, how quickly can the server be recovered? If you lose your data center, how quickly can your business be up and running again?

Once you understand your RTO, you can design your recovery strategy to meet these objectives. For example, sending your backups to a file storage system in the cloud (like Amazon) can be very cost effective, but the data is unstructured and getting your data back across the internet can take a very long time (days). Enterprise-grade backup and recovery with deduplication technology can reduce the recovery time significantly.

4) Do you need a backup partner that can provide cloud servers for you to quickly restore your data in the case of a disaster? For even faster recovery times, consider a provider that can recover your backup data directly onto cloud servers in the same data center. Providers that can connect your cloud servers to your backup data over a 10G network can change your recovery times by orders of magnitude.

5) Can you bring your own servers or SANs directly to the data center to recover your data? The internet is the slowest pipe when it comes to recovering terabytes of data. If you can’t use cloud servers at your backup provider, consider the option of collocating backup servers or SANs to recover the data over their 10G network into your equipment.

6) How automated is your backup procedure and how many technical man-hours are required on your part to set, monitor and restart failed backups? These are often overlooked costs. Many CIOs don’t understand how often their backups fail or how much time is spent managing the backups on a daily basis.

7) What is the infrastructure of the backup target — is it designed to withstand drives, hardware, network and data center failures? Not all backup targets are built with RAIDed drives or redundant network infrastructure.

When it comes to your backup and recovery strategy, it’s best to take the time to understand your critical drivers, ask the tough questions of your backup vendor and test your recovery strategy before you need it.

Backups don’t matter until they matter. You don’t want the last remaining copy of your data to be corrupted or find out that your recovery strategy isn’t fast enough to recover your business when you need it.


Disaster Recovery white paper

Don’t strand your data

New managed disaster recovery solution eliminates the surprise of ‘stranded backups’

3 questions your CIO needs to answer to set your offsite backup strategy

Posted in CEO Voices, Cloud Computing, Disaster Recovery, HIPAA Compliance, PCI Compliance | Tagged , , , | Leave a comment

Keeping cybercrime secrets despite increasing data breach reports

We attempt to stay on top of cyber security and data breach topics here on the Online Tech blog, providing some industry perspective to news of large data breaches like those at Community Health Systems, P.F. Changs, eBay, Target and other unnamed victims.

Of course, we don’t cover them all. We’d be writing nothing else. You’d be reading nothing else.

Consider that along with reports today about Home Depot investigating a potential breach of customer credit card numbers, over the past two weeks alone there have been news reports on cyber attacks and data breaches at the following organizations: UPS, the Chicago Yacht Club, SuperValu, Schnucks, the Nuclear Regulatory Commission, US Investigation Services, Otto Pizza, Cedars-Sinai Medical Center, the University of Louisiana-Monroe, New Mexico State University, the University of Miami, PlayStation Network, JPMorgan Chase, Albertsons, Dairy Queen, the Memorial Hermann Health System, the Australian Federal Police, the Racing Post, the Summit County (Utah) Fair and half the population of South Korea.

That’s 20 organizations and one country for those keeping score at home. And there are probably others that escaped our radar.

In fact, news of large-scale data breaches have become so commonplace that senior writer Seth Rosenblatt recently published an article about industry experts becoming concerned about alert fatigue – fearing “that people may throw up their hands and stop caring as news of even more breaches get reported.”

In that piece, Rosenblatt suggests that “companies are getting better at reporting security breaches, which also feeds into the perception that the increase in the number of breaches may even be larger than it really is.” He quotes Andy Serwin from analyst firm Morrison and Foerster as saying, “I’m not sure that we’re seeing more activity, or more attention on the activity.”

While that may be true, other reports issued just days later by different media outlets indicate that not all companies “are getting better at reporting security breaches.”

Take, for instance, the JPMorgan Chase data breach. As the Washington Post reports, rumors were circulating in cyber-security circles for a week that a major New York-based bank had suffered a data breach before JPMorgan confirmed it was victimized. The impression is that JPMorgan – like many companies before it – kept evidence of a cyber crime private until journalists forced the issue.

From that Washington Post story:

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.

The result is that days, weeks or longer can pass between when a company learns of a cyber-crime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties – such as a credit card company – that the risk of fraud or identity theft is elevated.

Dairy Queen is being similarly criticized. The following is an excerpt from a story in the Minneapolis/St. Paul Business Journal, noting two days had passed since the chain revealed a potential data breach at its stores – an admission seemingly coerced by a report:

The Edina-based restaurant chain hasn’t said how many stores were affected, how widespread the breach could be or how long it may have lasted. Though its brief announcement included a statement that it is complying with an investigation into the matter, it did not indicate what else it may be doing to protect customers. There are no notifications to customers on the company’s home page, its Twitter feed or Facebook page. Company representatives have not responded to requests for further comment.

But it’s not all bad news. The same story applauds another Minnesota-based company for properly handling its data breach. Within 24 hours of disclosing its breach, SuperValu, Inc. “had issued a full list of affected stores, along with information about the duration of the breach and what the company was doing in response. Supervalu also established a call center for concerned customers.”

iHT2 recommendations for HIPAA-compliant cloud business associates
Top 5 healthcare cloud security guides
Data breach reporting: A job killer or business saver?
Experts: Be fast and forthcoming with details of a data breach

RESOURCES: As security breach reports mount, experts fear alert fatigue
Washington Post: Hacked? Customers are the last to know
Business Journal: Dairy Queen’s silence on data breach could have ‘corrosive effect’ on consumer perception, crisis expert says


Posted in HIPAA Compliance, Information Technology Tips, PCI Compliance | Tagged , , , , | Leave a comment

3 questions your CIO needs to answer to set your offsite backup strategy

There are a number of options for offsite backup, including tape backup shipped offsite, backing up to a simple cloud storage like Amazon, or an enterprise-grade offsite backup and recovery solution.

Mike Klein
Online Tech

Before any detailed conversation takes place around the technical and business considerations impacting your backup strategy — such as compliance, confidentiality of the data, security requirements and recovery targets — there are three questions your CIO needs to answer prior to researching solutions for your offsite backup and recovery plan.

Question 1: How important is your data?

If you lost an important file or all of your servers to a disaster, what kind of impact does it have on your business? Backup and recovery is basically an insurance policy. Your insurance can provide system-level recovery in case of a major disaster or file level recovery to restore lost files for minor disasters as well.

This first question is important to ask because it gives you a framework on how to think about the type of “insurance” you want to buy with backup. If your data is critically important to the success of your business, your CIO will most likely want a higher coverage, faster response insurance policy than if your data could be completely recreated from paper records.

Question 2: How much data can you afford to lose?

Once you know how valuable your data is to the business, you need to understand the recovery point objective (RPO) that your CIO wants for the different applications.

The RPO dictates how often you capture your data and send it offsite – weekly, daily, hourly or instantly. If you can survive with weeks-old data without an impact to your business, it drives a different set of decisions than if you need to recover the latest up-to-the minute customer transactions.

Question 3: How fast do you need to recover your data and be operational again?

This is your recovery time objective (RTO). Some applications may not need to be back up for weeks while others need immediate failover. Many mid-size businesses look at a 4- to 24-hour range as reasonable targets for recovery on their applications.

In my experience, once you have the answers to these three strategic questions, you’re ready to dive into the technical and business drivers for your backup and recovery strategy, as you start researching solutions to meet your goals.

Data is money: Just as money belongs in a bank, data belongs in a data center
Don’t strand your data
Data protection and the cloud

Posted in CEO Voices, Cloud Computing, Disaster Recovery | Tagged , , | Leave a comment

Largest HIPAA breach ever: Hackers steal data on 4.5 million Community Health Systems patients

There’s a new leader on the U.S. Department of Health & Human Services’ Wall of Shame.

A hacking group known as “APT 18” is suspected of stealing names, Social Security numbers, addresses, birthdays and telephone numbers from 4.5 million patients of Community Health Systems, a network of 206 hospitals across 29 states (see map at right). Credit card numbers and medical records were not accessed.

It’s the largest attack involving patient information since the HHS started tracking HIPAA breaches in 2009, passing a Montana Department of Public Health breach that affected roughly 1 million people.

Patients who were referred or received services from doctors affiliated with Community Health Systems in the last five years were affected, the company reported in a regulatory filing on Monday. The sophisticated malware attacks occurred in April and June.

According to numerous news reports, security experts said the hacker group may have links to the Chinese government. Charles Carmakal, managing director of the Mandiant forensics unit, hired by the hospital group to consult on the hack, told Reuters that “APT 18” typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industry.

In an Online Tech webinar titled Why is it So Hard to Secure a Company,” security expert Adam Goslin discussed how the past decade has seen “a continuous and steady increase in attempts by specifically the Chinese attempting to gain intellectual property.”

According to a CNN report, Mandiant and federal investigators told the hospital network that the hacking group has previously conducted corporate espionage to target information about medical devices. This time, however, the bounty was patient data.

Community Health Systems stated in a release: “Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks.”

In his aforementioned webinar, Goslin, the CEO of Total Compliance Tracking, detailed examples of the value of intellectual property theft:

One of the stories that the FBI was bringing up was the Chinese were trying to get into a manufacturing facility to get a sample of a rinse solution for some type of a glass manufacture. It was a coating for glass and they couldn’t figure how they were doing it. So, the Chinese were trying to get a hold this of this rinse solution in the manufacturing setting. …

There was a story of an organization that had spent some number of years developing a patent. They were just about to file it and found that they have gotten hacked by the Chinese. The Chinese filed for the patent. Because the organization’s entire business revolved around this work, they literally had to pay royalties to the Chinese just to use the patent that they developed themselves that got hacked out from under them.

The value of personal information is clear: Hackers can sell the information to those looking to steal identities. And hospital networks are becoming a hotbed for finding that information.

Michael “Mac” McMillan, CEO of security consulting firm CynergisTek, told Modern Healthcare that hospitals are “going to become a bigger and bigger target as the hacking community figures out it’s easier to hack a hospital than it is to hack a bank and you get the same information. I’m not sure healthcare is listening yet.”

McMillan told the website there has been a spike in hacking activity directed at hospitals this year:

“I know at least a half a dozen or so hacks against hospitals we work with where the data wasn’t transferred, but it still caused a lot of disruption,” McMillan said. “But it wasn’t a HIPAA issue, so it didn’t get reported.”

Download HIPAA Hosting White PaperRELATED CONTENT
Defense in depth

What took so long? How data breaches can go months without being detected

Data breaches ending careers “right to the top” of C-suite

Online Tech webinar: Why Is It So Hard to Secure a Company?
Modern Healthcare: Chinese hackers hit Community Health Systems; others vulnerable
Reuters: Community Health says data stolen in cyber attack from China
CNN: Hospital network hacked, 4.5 million records stolen


Posted in Encryption, HIPAA Compliance | Tagged , , , , | Leave a comment

U.S. internet connection speed lacking overall, Michigan among top 10 fastest states

How fast is your internet connection? Chances are, if you’re in the United States, it could be faster.

In Akamai Technologies’ recently released State of the Internet Report, the U.S. isn’t among the top 10 of countries or regions in the rankings of the global average connection speeds. Using data collected in the first quarter of 2014, here are the top average connection speeds in megabits per second, according to the study:

  1. South Korea (23.6 mbps)
  2. Japan (14.6 mbps)
  3. Hong Kong (13.3 mbps)
  4. Switzerland (12.7 mbps)
  5. Netherlands (12.4 mbps)
  6. Latvia (12.0 mbps)
  7. Sweden (11.6 mbps)
  8. Czech Republic (11.2 mbps)
  9. Finland (10.7 mbps)
  10. Ireland (10.7 mbps)

So why isn’t the U.S. – the birthplace of the internet – on the top 10 list? Akamai points to the variation in high broadband connectivity. Just 36 percent of Americans have high-speed broadband connectivity that delivers more than 10 Mbps compared to 77 percent of South Koreans.

In its coverage of the report, explains the reason:

The reason behind the large difference in high speed internet access is believed to be the Telecommunications Act, which was enacted in the U.S. in 1996. This legislature has allowed large firms, such as Verizon Communications, Comcast Corporation, Time Warner and AT&T to divide up the market among themselves, and thus not be exposed to competition. In South Korea, on the other hand, the fierce competition amongst telecommunications companies has led to heavy investments in infrastructure, and ultimately, far better connectivity speeds.

Obviously the United States is a much larger land mass than any of the countries in the top 10. Sweden, the largest country on the list by area, is the 56th-largest country in the world at 173,860 square miles. The United States is 22 times larger (3,794,100 square miles).

Nearly half (22 states, plus the District of Columbia) of the United States would be among the top 10 global list if broken into states – and much of the northeast region of the country would be near the top of the list.

As illustrated by a map created by Broadview Networks using the Akamai’s data (at right), speeds fizzle in the middle of the country. Idaho, Louisiana, Missouri, New Mexico, Mississippi, West Virginia, Montana, Kentucky, Arkansas and Alaska all have speeds less than 8 mbps.

Online Tech’s home of Michigan has an average mbps of 11.8, the eighth-fastest state in the country and the fastest of the 12 Midwestern states. Here is Broadview Networks’ breakdown of the top 10 internet speeds by state. Find the complete list here.

1. Virginia (13.7 mbps)
2. Delaware (13.1 mbps)
2. Massachusetts (13.1 mbps)
4. Rhode Island (12.9 mbps)
5. District of Columbia (12.8 mbps)
6. Washington (12.5 mbps)
7. New Hampshire (12.3 mbps)
8. Utah (12.1 mbps)
9. Michigan (11.8 mbps)
10. Connecticut (11.7 mbps)
10. North Dakota (11.7 mbps)
10. Oregon (11.7 mbps)

Online Tech ready to meet Metro Detroit’s growing IT infrastructure demand
Data is money: Just as money belongs in a bank, data belongs in a data center

Akamai’s State of the Internet Report U.S. Lagging in Terms of Internet Connection Speed
Broadview Networks: Internet Speeds by State: MAP

Posted in Cloud Computing, Information Technology Tips | Leave a comment

Improving security on the ‘Internet of Things’

Mark Stanislav’s title is “Security Evangelist.” Online Tech has previously provided him a virtual pulpit from which to preach and his barnstorming tour continued last week in Las Vegas, where he spoke at the recently concluded DEF CON 22 Hacker Conference.

Stanislav and Duo Security colleague Zach Lanier presented “The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making it Right,” described as a dive into research, outcomes and recommendations regarding information security for the “Internet of Things,” or IoT.

IoT refers to the interconnection of computing devices – everything from heart monitor implants to remote home thermostats – that transfer data without human-to-human or human-to-computer interaction. Essentially, anything that can be assigned an IP address and given the ability to transfer data over a network is part of the IoT.

Last year, Stanislav co-hosted two sessions in a three-part Online Tech webinar series on encryption, participating in both the Encryption at the Software Level and Encryption at the Hardware and Storage Level presentations.

In Las Vegas, Stanislav and Lanier’s presentation was about the rapid – and sometimes haphazard – growth of the IoT and the security risks associated with it. ABI Research estimates 30 billion devices connected to IoT by 2020.

The presentation drew the interest of the folks at Dark Reading, who featured the duo’s new security resource,, which was launched in February. After struggling with their approach to smaller technology vendors with bugs and trying to handle coordinated disclosure, Stanislav and Lanier decided to change the process and dialog that was occurring into one that is inclusive, friendly and researcher-centric.

The loose organization of security-minded vendors, partners and researchers is focusing on “improving information security for bootstapped/crowd-funded IoT products and platforms” that may be tempted to choose a quick launch and profits over security.

When launched at BSides San Francisco earlier this year, the mission of was defined as:

Provide the information, resources, guidance, and community necessary to help small commercial and independent developers, makers, and inventors of hyperconnected, pervasive computing devices make security-conscious design decisions. Additionally, incentivize independent security research and reporting/coordinated disclosure of vulnerabilities/flaws in those very same devices.

Five more researchers have joined the Duo Security colleagues to populate with links to presentations and technical guidance on web application security, mobile application security, cloud security, network security and industry standards.

“All the researchers basically are doing this — one, because they want to help some people; two, because they are getting research done and not being sued for it,” Stanislav told Dark Reading. “They already have opt-in from these vendors.”

“We’re going to have researchers looking at pre-production hardware, doing assessments against them… and actually making the device better before they go to people’s hands rather than after.”

Vendors, researchers and content creators are encouraged to get involved with’s efforts to enhance IoT security.

Download Mobile Security White PaperRelated content:
Mobile Security: Are Most Apps Safe?
Webinar: Encryption at the Software Level
Webinar: Encryption at the Hardware and Storage Level

Dark Resources: Small IoT Firms Get a Security Assist
Duo Security: BSides San Francisco: Announcing

Posted in Cloud Computing, Mobile Security | Tagged , | Leave a comment