The missing services of your FTC Safeguards provider.

By: Russ Hensley, CEO CISSP

Right now, many companies are caught up in the Federal Trade Commission's second push to expand its consumer protection rules. For decades, the Sarbanes-Oxley regulations have applied to the banking industry. In January 2022, an expansion of those rules took effect, bringing new industries into scope. In simple terms, most companies outside of a bank that issue loans now have new regulations to abide by, including car dealerships, loan providers, boat dealerships and others. The current implementation deadline is June 9th, 2023.

One of the best examples of the implementation comes from the National Auto Dealers Association (NADA) in its “A Dealer's Guide to the FTC Safeguards Rule”. This guide, published by NADA for car dealers, breaks the rule down into 8 common-sense steps that identify the security tasks, documents and positions that have to be in place.

The marketing from vendors selling to these newly covered industries varies wildly as well. Unfortunately, these marketing pitches, aimed at employees who have never been required to understand anything about compliance or cybersecurity, are creating large gaps in the implementation. For example, I recently had one dealership tell me that they are going to be compliant for $600 per year through one of their vendors, and another dealership told me that they were going to be compliant simply by moving their loan-processing software from an on-premise application to a cloud service. Neither of these options will make a company compliant. I have another article posted about the false claim that simply moving data to the cloud is a one-stop security solution, which you can read later, but neither of those claims can be true. The latter claim, for example, completely ignores the consumer information collected in the service department's work-order software, which is also in scope as protected information. It does, however, help sell the application for a company that sells, you guessed it, on-line loan-processing software.

On the other hand, most dealers are being engaged by firms that charge appropriate rates to implement policies and assessments as part of the academic process. However, most of these newer companies have never faced creating several hundred pages of new policies, which requires a large degree of effort from professionals who do this daily.

Yet this solution doesn't provide complete compliance with the regulations. Most national firms are unable to deliver the actual on-site IT support and cybersecurity support that often requires boots on the ground. Some consulting firms are simply offering a monitored anti-virus tool, but they are not engaged in any of the patch management efforts that the FTC Safeguards Rule requires.

“Compliance does not equal secure” is a mantra that permeates IT security professionals' meetings, and here is a good example. Those firms can create the documents from the processes, which only document gaps and deficiencies. However, they are not providing the last step, executing inside the business on the meat-and-potatoes part of the solution to get the hard work done, because they simply don't have the resources to project out into the actual business for that work. Hensley / Elam does have those last-mile resources, and we want to work with your consulting firm if you have one, or we can complete the documentation with our staff if you don't.

About the author – Russ Hensley is a cyber security professional (CISSP) with over a decade of direct security experience consulting for banks, healthcare entities and a lengthy list of other industries, and over 26 years of general IT experience running one of Kentucky's largest IT service companies. He is also a multi-engine commercial instrument airplane pilot and a private helicopter pilot.

Consumer Cybersecurity expectations for the aviation industry

By Russ Hensley, CEO CISSP

As a Certified Information Systems Security Professional (CISSP) I am asked on a weekly basis by both business associates and personal friends for my advice on how to keep their data and records secure. Data security is much different today than it was even 5 or 10 years ago. Data breaches are a daily occurrence for both small and large businesses as well as individuals. There are many industry standards in place, but those standards have not been adopted across the board, leaving glaring holes that put businesses and individuals at risk. We can do better to protect our data in general and in business aviation. Let me explain.

Most corporate aviation flight departments will fall in line with the security of the parent company that owns and manages the aircraft. Those will have private networks along with other defenses in place to match the business requirements. They assess their own risk and might have the same issues in the parent business that I discuss later, but these operators are not the subject of this article.

Companies that do not fall under the umbrella of a larger corporation, such as fixed base operators and charter operators, often do not have stringent data protection policies in place. They present themselves to their clients as offering high-touch service at the front door to business travelers or highly affluent travelers. However, is their data security meeting the expectations of those clients?

Also, for the purpose of this article I need to expand cybersecurity's meaning to include what could simply be considered good data housekeeping, not just fighting off hackers from foreign countries. For example, are they backing up data off-site, keeping their software up to date, or training staff on how to spot a phishing email? They might not be meeting the IT housekeeping and security posture of a local restaurant, which could be exercising more care and diligence about the financial and other information it just received.

In the past 18 months the United States has experienced much turmoil because of repeated cyber breaches that either steal data to gain access to a bank account or credit card number, or ransom essential company data for a hefty price. This has brought many people and companies to a screeching halt while they scramble to recover their data and business, and the world media has brought it to the attention of many. For example, in the past few months the news has reported on ransomware affecting a national gas pipeline, as well as daily reporting about how thousands of American businesses have been exploited. In fact, the current presidential administration is proposing $2 billion for cyber defense grants to government agencies at the federal, state and local levels. This topic is now squarely on the minds of the American consumer more than at any time before, so you can be assured that it is on the minds of travelers passing through FBO and charter operator doors as well.

When looking at audit and program management documents from industry leaders like NBAA, Wyvern and the FAA, they currently do not seem to address data security in the ways that other industries like retail, banking or healthcare do. For example, retail organizations that process credit card transactions have to abide by PCI compliance, which is audited on a regular basis; additionally, business insurance companies are requiring that a formal policy program be adopted, such as the NIST Cybersecurity Framework.

However, because no one is auditing the actual security posture of places like FBOs, their security may be lacking, leaving the business's and their clients' data vulnerable. The scope of the information that needs to be protected includes, for example, aircraft maintenance and operational records, passenger manifest data, and support staff information, and is not limited to personally identifiable information (PII).

In other industries, full embrace of security frameworks like the NIST Cybersecurity Framework and other standards is a requirement for day-to-day operational integrity, coupled with training programs specific to cyber security. Yet there is a glaring absence of discussion about this in air travel outside of the airline industry. Only one NBAA article, in 2020, addressed the issue; beyond that, in a literature search over the past few years, the rest of the information is typically geared toward securing the avionics systems of the aircraft, with no mention of actual good cyber security hygiene to protect consumer information.

Most FBO and charter operators also fall under state and local cybersecurity laws, in addition to their obligations under current healthcare laws and the financial contractual requirements they agree to with their credit card merchant accounts.

The issue, I believe, lies with the lack of governance and routine inspection from industry peers on implementing best practices. Some are simply unaware that they are not even attempting to secure data, let alone following best practice. This is not uncommon, however, as similar bad habits and liabilities open up in other industries like legal and accounting, which likewise hold similar data and are not held accountable.

Industry leaders and auditors must pick up the process rapidly and adjust their programs to incorporate a specific and direct approach to information security management programs, to help their business members and those they audit understand the responsibility for the data they hold, where it is and how to protect it. Otherwise, it's my opinion that the insurance companies will start to direct these programs, as they are doing in other non-regulated industries now. Things like multi-factor authentication attestations have in the last 6 months become a commonplace requirement for businesses seeking data breach insurance or other forms of cybersecurity insurance.

Practically speaking, while we wait for the changes to those documents and processes to take place, what can businesses do to protect themselves? My recommendations come from two standpoints: tactical and strategic.

From the tactical standpoint, security practitioners individually have their own hot-button items, but if you piled the top 5 into one list I think it would look like this:

  • First – backup, backup and then backup off-site. Hurricanes, tornadoes, fire and ransomware all have this in common. Have MULTIPLE backups of data and systems, one of which is off-site.
  • Multi-factor authentication on all cloud services and remote access. Passwords without a random second factor (PIN) are just incidents waiting to happen.
  • Patch everything and patch often. Applications from your vendors like QuickBooks, and computer operating systems, need to be on a managed patching platform where you can run a report to check that those tasks are being executed.
  • Endpoint Detection and Response – In the past this would have been called anti-virus. Now it's closer to artificial-intelligence protection, where the EDR anticipates malware working on your machine and about to move to another platform.
  • Train your staff – Security awareness training about what hackers and malware want you to do, and the steps to report when staff see something suspicious, is critical.

From the strategic and long-term business standpoint: implement a framework of policies based on best practices to get your staff, IT service providers and anyone else involved onto the same page. For this industry and many others, the National Institute of Standards and Technology has created the Cybersecurity Framework (NIST CSF). This is a very well-organized set of checks across 5 areas for your business's data: Identify, Protect, Detect, Respond and Recover. The framework is not something that only a technical person should review. It is a core business document that should at least be reviewed by, and familiar to, the owner or CEO. It is not tech; rather, it covers all of business management, checking on the policies and whether technical tools are implemented correctly. For this, I recommend a consulting firm with tools in place that has experience with these areas and with helping implement them.

For the most part, a good managed cybersecurity firm will have the services to perform both strategic and tactical consulting, while most managed IT services firms will be able to complete some of the tactical services.

About the author – Russ Hensley is a cyber security professional with over a decade of direct security experience consulting for banks, healthcare entities, flight departments and a lengthy list of other industries, and over 26 years of general IT experience running one of Kentucky's largest IT service companies. He is also a multi-engine commercial instrument airplane pilot and private helicopter pilot, an AOPA Life Member, NBAA member and Civil Air Patrol member, and an avid aviation supporter who has served on several airport boards and sub-committees. Hensley / Elam is an NBAA corporate member.


Be concerned about Cybersecurity…even if your data is in “The Cloud”

By Russ Hensley, CEO CISSP

“The Cloud” is a vague but sexy marketing term that has evolved as technology has moved from servers located inside your business to somewhere on the internet. When the term was first used around 2006, the cloud was commonly referred to as “server co-location” or “hosting”. Simply put, customers rent computer services on the outsourcing company's computer hardware, which is connected to the public internet. Most of the time that hardware is shared with other companies and, depending on the company you're renting it from, could be shared with dozens or thousands of other people. Examples of these companies include Microsoft, Google, Amazon and private-cloud providers.

The cloud environment should be properly separated, because that is the business they're in: renting and sometimes dedicating space to you. But it's not just the server that we need to be concerned about securing.

For example, you first have to log into a PC in your office and connect to the local network, which is connected to the public internet, and only then into your “Cloud Service Provider” for anything from Microsoft Office to your practice's billing system or credit card processing.

In this real-world scenario, we must protect the layers of use. The PC itself (Apple Mac or Microsoft Windows) needs a constant flow of supported security patches (software updates) applied on a regular basis as they are delivered by the manufacturer. Even your iPhone (which can be connected to your network) has a flow of patches that are applied sometimes weekly. These updates (patches) are how the manufacturer protects its product and, in the process, you, the end-user.

Most operating systems also need some kind of anti-virus and malware protection to protect the machine from inadvertent corruption. Here's where the “my data is in the cloud and I don't need to worry” scenario leaves the rails. If you were to use your computer for only one thing, allow no internet traffic to anything other than your cloud service provider, and allow no other devices onto your network, then you would be in a somewhat better position. However, that's not typical reality. At the very least, most businesses allow employee devices, notebooks for example, to come and go.

Let's talk about two scenarios: one where you as the user have a desktop computer that never leaves the office, and the other where you have a notebook computer you travel with for work.

In the first scenario, while at work on your desktop, you're browsing the internet looking for office supplies. We hope that you have a firewall with the correct software installed on it to stop malicious software from being installed on your desktop while you look at search engines. You see, threat actors (the new name for hackers) purchase malicious advertisements that perform some kind of “code injection” of bad code into your web browser. You don't even need to click on the advertisement for it to try to do something. If you don't have the proper firewall software on your network device, then we hope that the anti-virus or anti-malware software stops it once the page actually loads in your computer's web browser. However, if none of those tools are in place and your operating system is not up to date to protect it from malware, then you could well end up with something like a keylogger installed on your desktop computer.

And why is this bad, you might ask? Well, if your cloud service is not protected with a multi-factor authentication process and you enter your user name and credentials or bank account routing information while a keylogger is running on your computer, the threat actor now has access, and has your information straight from your own keyboard.

Sidestep with me into an actual scenario. A few years ago, we had a client who was very confident in their anti-virus software (now commonly called an end-point detection and response, or EDR, application), but it was NOT monitored. As a suggestion, we offered to cover that client with 5 of our SentinelOne agents for a month for free. Within 5 hours of installing the tool, it detected 7 keyloggers installed on the 5 computers, one of which was actively sending information back to a server in New York from the assistant CFO's computer, the machine used to access all of that company's banking information, holding millions of dollars in a handful of bank accounts. This example could be your company if it's not taking the proper steps to protect the process of handling data on the device connecting to the cloud, where you could potentially expose financial or customer information.

On to the laptop, which has several scenarios where data can be compromised. It's as simple as having the device stolen from your car. Some users, when accessing their cloud service provider, download data to work on their notebook when not connected to the internet. So they pull down customer sales information or patient data for analysis, for whatever calculation the business might need. That cloud data is now stored on your laptop, unencrypted. You go to the beach and get your laptop stolen from your rental car. The bad guys pull your hard drive out into a $20 device from ebay, search the drive for anything that looks important, and sell it on-line in a dark-web group for $3 to $190 per identity. This type of theft accounts for about 4% of data theft.

My last example involving your laptop, in case you diligently encrypt all of your files, involves your computer leaving your now well-protected business network when you simply go home. At home we have networks in today's age of smart televisions, AppleTV, Roku and Amazon Firesticks, Nest thermostats and others. Then there are the other people at home, your spouse and perhaps children, who all have devices that share your network. The prudent network design is to separate your smart devices into their own network at home, your kids into their own network and your work device into its own protected little piece of the network, but that's also not reality for the majority of homes. We simply pile as many things as we can onto the same network, give our friends' kids the WiFi key when they come over, and move on assuming the world is great.

However, I can tell you from personal observations in our retail operations that those devices are often infected with malware that the kids and spouses have no idea is installed. Simply put, a piece of malware such as Emotet somehow makes it onto your network. This malware is able to move across the network from machine to machine, install itself onto unprotected devices, and then sit, wait and listen for banking information. Once it has its payload, it will be used by the threat actor for remote access and then for ransomware deployment.

So your work laptop, now infected with Emotet, goes back to work with you the next day and connects to your work network, presenting the malware with an entire new network of targets (or your spouse's now-infected notebook does the same at their office). The threat actors see this new treasure trove and start the scanning process. If they are able to exploit a machine and gain access, they simply download your customer data quietly in the background, using common tools like DropBox or OneDrive so as not to alert network monitors to their systems. Once they have it, they send the command to detonate the ransomware in your business network, and any machine they have a foothold in is now encrypted.
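The quiet-exfiltration step above is what a network monitor should be tuned to notice: sustained uploads from a workstation to a consumer file-sharing service, especially outside business hours. The PowerShell below is an added example, not code from the article or from Hensley / Elam. The six log lines are constructed for the example; the field layout (timestamp, source host, destination host, bytes sent) is an assumption about what your firewall or proxy emits, and the watched-domain list, the 100 MB threshold and the business-hours window are illustrative values you would tune to your own environment.

```powershell
# Added example (not the article's own code): flag bulk uploads from internal hosts
# to consumer file-sharing services, grouped by source host and destination.
# Log lines are constructed for this example; adapt the regex to your own log format.
$logLines = @(
    '2021-05-12T02:14:03Z srchost=WS-ACCT-07 dst=content.dropboxapi.com bytes_out=52428800',
    '2021-05-12T02:14:41Z srchost=WS-ACCT-07 dst=content.dropboxapi.com bytes_out=78643200',
    '2021-05-12T02:15:10Z srchost=WS-ACCT-07 dst=content.dropboxapi.com bytes_out=104857600',
    '2021-05-12T09:02:55Z srchost=WS-SALES-02 dst=www.google.com bytes_out=1843',
    '2021-05-12T09:05:12Z srchost=WS-SALES-02 dst=graph.microsoft.com bytes_out=20480',
    '2021-05-12T11:30:00Z srchost=WS-MKTG-01 dst=api.onedrive.com bytes_out=3145728'
)

# Assumed: consumer file-sharing domains the business does not sanction for company data.
$watchedDomains = @('dropbox.com', 'dropboxapi.com', 'onedrive.com', 'onedrive.live.com', '1drv.ms')
$thresholdBytes = 100MB            # assumed: total upload per host/destination that warrants an alert
$businessHoursStart = 7            # assumed: business hours, compared in UTC like the log timestamps
$businessHoursEnd   = 19

function ConvertFrom-ProxyLine {
    # Parse one log line into an object; lines that do not match are dropped.
    param([string]$Line)
    if ($Line -match '^(?<ts>\S+) srchost=(?<src>\S+) dst=(?<dst>\S+) bytes_out=(?<bytes>\d+)$') {
        [pscustomobject]@{
            Time  = [datetimeoffset]::Parse($Matches.ts).UtcDateTime
            Src   = $Matches.src
            Dst   = $Matches.dst
            Bytes = [long]$Matches.bytes
        }
    }
}

function Test-WatchedDomain {
    # True when the destination is a watched domain or any subdomain of one.
    param([string]$Name)
    foreach ($d in $watchedDomains) {
        if ($Name -eq $d -or $Name.EndsWith(".$d")) { return $true }
    }
    return $false
}

$events = $logLines |
    ForEach-Object { ConvertFrom-ProxyLine $_ } |
    Where-Object { Test-WatchedDomain $_.Dst }

# One row per (source host, destination): total bytes, how many transfers were off-hours,
# and whether the total crosses the threshold. Off-hours volume is the strongest signal here.
$summary = $events | Group-Object Src, Dst | ForEach-Object {
    $total    = ($_.Group | Measure-Object Bytes -Sum).Sum
    $offHours = @($_.Group | Where-Object {
        $_.Time.Hour -lt $businessHoursStart -or $_.Time.Hour -ge $businessHoursEnd
    }).Count
    [pscustomobject]@{
        Source    = $_.Group[0].Src
        Dest      = $_.Group[0].Dst
        Transfers = $_.Count
        TotalMB   = [math]::Round($total / 1MB, 1)
        OffHours  = $offHours
        Alert     = ($total -ge $thresholdBytes)
    }
}

$summary | Sort-Object TotalMB -Descending | Format-Table -AutoSize
```

With the constructed lines, WS-ACCT-07 shows 225 MB to content.dropboxapi.com in three off-hours transfers and is flagged, WS-MKTG-01 shows 3 MB to api.onedrive.com and is not, and WS-SALES-02 never appears because its destinations are not watched. In production you would feed the real log export into `$logLines` and add the hosts that legitimately use these services to an allow list before alerting.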

You get a nice “pay me to decrypt your data” message on any machine they control. Now, even though your data is in the cloud, you have to reload every machine in the network and start a containment and cleaning process. If you're unlucky and the data you need is not in the cloud, you will have to recover from backups or pay the ransom. Ransoms could range from $5,000 into the millions; based on my experience, there is no real understanding yet of how the rates are set. If your systems hold customer information, you have to hire a cyber forensics company to attest whether your data was viewed or compromised. Hopefully you have cyber insurance to pay for the average $100,000 that will be needed for all of these services.

In short, just because your data is in “The Cloud” doesn't relieve you of the responsibility to protect the computers and networks that access it. Proper policies and tools should be in place to understand and protect your systems.

We've made a short checklist of the MOST basic steps for your business to review and consider:

  • Does your business have cyber insurance?
  • Do you have multi-factor authentication enabled on all of your cloud service providers, so that you need a password and a PIN from an authenticator app on your phone to log into the cloud service?
  • Does your internet firewall have content filtering and malware protection?
    • Is it turned on?
  • Do you have the critical files on your server, computers and cloud environment backed up?
    • Have you tested that backup?
  • Do you have anti-virus software with an actively supported subscription?
  • Do you at least have automatic patching enabled on your computers, and reboot them as needed for the patches to be installed?
  • Do you have a basic security training company for your users to educate them about hacking and phishing to prevent attacks?
  • Do you have a framework for your business, like the NIST Cybersecurity Framework, to check that you understand your business's data and policies?
  • Does your IT person understand the things in this checklist?
    • If you use an IT company, do they have someone on staff who is certified, like a Certified Information Systems Security Professional?
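Several items on this checklist, and on the tactical top-5 list in the aviation article earlier on this page, can be verified from the workstation itself rather than taken on faith: whether the disk is encrypted (the stolen-laptop scenario), whether endpoint protection is running with current signatures, whether Critical or Important patches are still waiting, and whether the machine has actually rebooted. The script below is an added example, not Hensley / Elam's tooling or code from the article. It assumes a Windows 10/11 workstation with Microsoft Defender and BitLocker, run from an elevated PowerShell; the three-day signature age and seven-day reboot thresholds are this example's assumptions, not published guidance.

```powershell
# Added example (not the article's own code): a workstation posture self-check that
# reports pass/fail for the checklist items a machine can answer about itself.
# Run elevated on Windows 10/11. Thresholds below are assumptions for illustration.
param(
    [int]$MaxSignatureAgeDays = 3,   # assumed: how stale AV signatures may be
    [int]$MaxUptimeDays       = 7    # assumed: how long a workstation may go without a reboot
)

$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. Disk encryption: a stolen laptop only leaks what is stored unencrypted.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'System drive encrypted' ($vol.ProtectionStatus -eq 'On') "BitLocker protection: $($vol.ProtectionStatus)"
} catch {
    Add-Check 'System drive encrypted' $false "BitLocker status unavailable: $($_.Exception.Message)"
}

# 2. Endpoint protection: real-time protection on and signatures current.
#    Get-MpComputerStatus reports Microsoft Defender; a third-party EDR has its own console.
try {
    $mp  = Get-MpComputerStatus -ErrorAction Stop
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Check 'Real-time protection enabled' $mp.RealTimeProtectionEnabled "Defender RTP: $($mp.RealTimeProtectionEnabled)"
    Add-Check 'AV signatures current' ($age.TotalDays -le $MaxSignatureAgeDays) ("Signatures {0:N1} days old" -f $age.TotalDays)
} catch {
    Add-Check 'Endpoint protection status' $false "Defender status unavailable: $($_.Exception.Message)"
}

# 3. Patching: nothing rated Critical or Important still waiting to be installed.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $urgent   = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' })
    $titles   = ($urgent | ForEach-Object { $_.Title }) -join '; '
    Add-Check 'No pending critical/important updates' ($urgent.Count -eq 0) "$($urgent.Count) pending: $titles"
} catch {
    Add-Check 'Pending updates' $false "Windows Update search failed: $($_.Exception.Message)"
}

# 4. Reboot hygiene: patches only take effect once the machine actually restarts.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$uptime = (Get-Date) - $boot
Add-Check 'Rebooted within policy' ($uptime.TotalDays -le $MaxUptimeDays) ("Up {0:N1} days since $boot" -f $uptime.TotalDays)

$results | Format-Table Control, Pass, Detail -AutoSize -Wrap

# Non-zero exit code lets a management tool treat any failed control as an alert.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
exit 0
```

Each check is wrapped so that a missing module or a disabled service is reported as a failed control rather than aborting the script, which is the behaviour you want when the same script runs across a fleet from a management tool. The exit code is what lets that tool turn a failed line into a ticket.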

Hensley / Elam Partners with PSI to Provide Professional Testing Services in Kentucky

Hensley / Elam announced today the opening of Lexington Testing Center, an authorized PSI testing site in the heart of downtown Lexington. 

The Lexington Testing Center will provide a secure on-line location for a variety of computer-based professional testing for Federal agencies including TSA, CBP and FBI. State license testing will include real estate brokers/agents and appraisers, and corporate exams will include Microsoft among others.

“A testing center of this level aligns with the level of service we already provide our customers, and we are excited to offer it to our existing clients and new ones,” said Russ Hensley, CEO of Hensley / Elam.

Hensley / Elam, now in its 23rd year of operation, has been providing information technology services including cybersecurity, managed IT services, managed security services, computer support for networks and servers, business telephone systems, off-site backup and IT consulting to businesses in the Central and Southeastern Kentucky area.


Patching computers is very important for modern cybersecurity.

By: Russ Hensley, CEO CISSP
Lexington, KY

Day in and day out we're asked about operating system patching and its role in managed services or managed cybersecurity.

What is patching? What happens to cause patching? Do I need patching? Why is patching important to cybersecurity or normal operations? Why did the patch break my computer? Whose fault is it when the patch breaks the machine?

How did it start?

Starting in 2003, Microsoft started to get structured about patching because, honestly, it broke a lot of things, and random, sporadic, chaotic patching was not efficient to say the least. Since then the patching process has evolved into tiers of patching: security, critical, emergency and application patching, and workstation and server patching, to name the common groups.

Cybersecurity firms and software developers produce a list of “holes” in software, called vulnerabilities, through intentional or unintentional discovery. The process of vulnerability identification is a double-edged sword. Once confirmed, it alerts the developer, Microsoft or Adobe for example, that there is in fact a confirmed hole and what its nature is, and gives it an entry in a database for identification. The downside is that now not only do the developer and the user know, but so does the threat actor, who might look it over and choose to figure out how to exploit this vulnerability for a hack.

Nowadays, with ransomware and the internet, these patches are frequent and plentiful, and come very fast at times when there are really bad vulnerabilities. Just last week, Patch Tuesday alone (May 11, 2021) contained 55 vulnerability patches from Microsoft's resources: 4 Critical, 50 Important and 1 Moderate. The breakdown is here from the CompTIA ISAO weekly update video.

Surface devices, for example, now get firmware updates on the third Tuesday, and non-security patches for Office are released on the first Tuesday.

Patching in general is developed in the white box and tested as well as it can be, so as not to nuke your machine and create Crash Wednesday, when the patch actually gets applied to your system and a reboot happens if you're not on a managed patch plan. Sometimes the patches are just not compatible or fail, and if you're in a patch management system you might see a scenario where bad patches are blacklisted and will not be applied to other machines once they fail in either testing or deployment. Microsoft delivers the best product it can, but the customer's environment can vary dramatically from a testing scenario.
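A managed patching platform does the blacklisting centrally, but the mechanism is easy to see on a single machine: Windows Update lets an administrator hide an update so Automatic Updates skips it until it is un-hidden. The script below is an added example, not code from the article or Hensley / Elam's NOC tooling. It assumes an elevated PowerShell on a Windows 10/11 or Windows Server host; the two KB numbers in the default list are placeholders, not real patches that have been withdrawn, and a `-ReportOnly` switch lets you preview the actions without hiding anything.

```powershell
# Added example (not the article's own code): a local stand-in for the "blacklist a bad
# patch" step of a managed patching process. Hides pending updates whose KB number is on
# the deny list, reports what remains approved, and shows when a patch last landed.
# Run elevated. The default KB numbers are placeholders, not real withdrawn patches.
param(
    [string[]]$BlacklistedKBs = @('KB0000001', 'KB0000002'),   # placeholders for illustration
    [switch]$ReportOnly                                         # preview actions without hiding
)

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

$report = foreach ($update in $pending) {
    # IUpdate.KBArticleIDs holds bare numbers such as "5001234"; normalise to "KB5001234".
    $kbs     = @($update.KBArticleIDs | ForEach-Object { "KB$_" })
    $blocked = @($kbs | Where-Object { $_ -in $BlacklistedKBs }).Count -gt 0

    if ($blocked -and -not $ReportOnly) {
        # Hidden updates are skipped by Automatic Updates until an admin un-hides them.
        $update.IsHidden = $true
    }

    $action = if ($blocked) { 'blacklisted, hidden' } else { 'approved, will install' }
    if ($blocked -and $ReportOnly) { $action = 'blacklisted (report only, not hidden)' }

    [pscustomobject]@{
        Title    = $update.Title
        KB       = $kbs -join ','
        Severity = $update.MsrcSeverity
        Action   = $action
    }
}

$report | Sort-Object Action, Severity | Format-Table -AutoSize -Wrap

# Staleness check: the date of the most recently installed hotfix tells you whether the
# weekly cadence discussed in this article is actually being met on this machine.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) { "Most recent installed hotfix: $($last.HotFixID) on $($last.InstalledOn.ToShortDateString())" }
```

The deny list would normally come from the team that saw the patch fail in testing or on the first deployment ring; the point of the example is that a blacklisted patch is hidden rather than deleted, so it can be un-hidden and deployed once the vendor reissues it.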

How much is enough?

I personally believe in aggressive patching, where patches are downloaded and workstations are rebooted frequently, and servers as needed based on the patch level, no less than once a week in some cases. When businesses have users with internet and email access, patching is critical to address security issues; in environments where consumer data is held it should be taken very seriously, and anywhere production depends on technology working should be managed. These environments are typically the best suited for managed services and managed cybersecurity services.

What drives cost?

Some customers opt not to patch, or not to be on a patch management process, for various reasons, perhaps conflicts with software applications or budgetary constraints. However, with the interconnected tissue of virtual machines, hardware firmware levels and so on, it's almost impossible not to have to catch up on patching at some point for security reasons. All of this, of course, is not talking about software versions that have been marked end-of-support and no longer receive patches, but about current production operating systems. Even the end-point detection and response engines require the operating systems to be patched in order to provide the security levels necessary for them to operate successfully. Otherwise, it's like sailing a leaking boat.

Our clients who aren't in a patch management or managed services process opt to pay exorbitant service fees for patching rather than our fixed managed services fees. Our NOC team tests, blacklists, deploys and remediates server operating system patches and some applications within our fixed fees, in the long run saving thousands of dollars by continuously patching and keeping the operating systems up to date.

It is a complex discussion, and sometimes there are complex answers, but for the most part managed services address the huge amount of patching that is going on at the best value.

Cybersecurity is broken because of the loose approach by business management

By: Russ Hensley, CEO CISSP
Lexington, KY

The current approach to cybersecurity is broken. In general, the public has embraced the “it won't happen to me” mentality. In the end, the safety net is that the IT service provider or in-house IT admin is “taking care of that.”

If you are one of our clients, you have been presented with a set of quotes that we internally call our security stack. Our stack is built around the National Institute of Standards and Technology's Cybersecurity Framework (CSF). The NIST CSF is a derivative of computer security guidance that is woven into healthcare, banking and national security information security policies. Quite simply, ALL businesses should understand what these frameworks are telling your business to have in place. If your business is technology driven, and if you think there would be OUTRAGE if the business were off-line for 3 days, then you should already have implemented it.

Our job is to work with our clients to provide the technical tools to help prevent intrusion. With our assistance, our clients must also invest by implementing frameworks and structuring policies. Security program recommendations for data backup policies, remote worker policies, password policy and a security training program for employees are the foundation to protect your business.

Our banking and healthcare clients have lived in overload dealing with these requirements. However, many businesses in the nation pay little to no attention to the threat. Often cybersecurity services are viewed as unnecessary overhead UNTIL something happens. At that point the “overhead” is exorbitant, and they realize they do not have the insurance that will be needed to pay the $100,000 or more labor bill for recovery, the $30,000 legal bill for their attorneys and the $80,000 for cyber forensics investigators, not to mention media/PR control and the loss of revenue while they are down. Insurance companies are not shy about letting it be known that they are reducing payouts and increasing premiums because of the lack of implementation and the rise in the number of attacks.

Something needs to be done to better prevent incidents like the Colonial Pipeline ransomware attack, and to inspect the actions being taken in response to them. A single attack CAN affect the average American. “It can't happen to me” is no longer adequate.

Fixing the approach begins with our legislators starting to understand these issues, not at the nerdy intrusion-and-penetration hacker level, but in terms of the policies to be implemented and educational programs about what it is that has to be dealt with.

How growing hybrid cloud usage will double in two years


This article excerpt, by author David Deans, originally appeared here: http://www.cloudcomputing-news…/

Cloud enables IT agility, empowers DevOps teams and helps to transform legacy business models. The fifth annual Future of Cloud Computing survey investigates key trends in corporate cloud usage. This year’s insightful survey findings offer perspective from cloud service practitioners across all industry sectors.

“Cloud has been gaining momentum year-over-year since the Future of Cloud Computing survey was launched five years ago. Looking at the adoption rates and trends at such a detailed level, it’s undeniable that the most successful technology leaders of today and tomorrow are scaling in the cloud,” said Jim Moran, General Partner at North Bridge.

“Last year, we discussed the second cloud front and the rise of cloud-native companies. This year, we’re seeing the pervasiveness of cloud disrupt industries across the board as companies look to maximize and implement cloud as a strategic and integral technology,” Moran added.

“We’re also seeing the emergence of the cloud as the only way businesses can truly get more out of their data including analysing and executing on it in real-time. This will be a huge opportunity, but as the survey showed, because data rarely moves between clouds companies must first learn how to interconnect disparate data sources into new applications.”

Savvy business leaders are no longer debating whether or not to use cloud, but how pervasively they will use it in their digital transformation plans. The latest survey results highlight record levels of corporate adoption of cloud computing, both for business functions and in areas such as content management and application development in the cloud.

Even the most traditional IT teams are finally evolving. Some are taking back technology strategy from the forward-looking line of business leaders that led the way to progress. Therefore, North Bridge believes that digital technologies – delivered from the cloud – are becoming differentiating factors for more businesses.

Cloud is the business transformation catalyst

  • Significant processing, systems of engagement and systems of insight are moving to the cloud – 81.3 percent of sales and marketing, 79.9 percent of business analytics, 79.1 percent of customer service and 73.5 percent of HR & Payroll activities have already transitioned to the cloud.
  • IT is moving significant processing to the cloud, with 85.9 percent of web content management, 82.7 percent of communications, 80 percent of app development and 78.9 percent of disaster recovery now cloud-based.
  • While business users have been fans of cloud’s ease of use, accessibility and scalability since 2011, the importance of cloud agility has jumped from fourth to second in importance within five years.
  • Among all survey respondents, the top inhibitors to cloud adoption are security (45.2%), regulatory/compliance (36%), privacy (28.7%), vendor lock-in (25.8%) and complexity (23.1%).
  • Concerns regarding interoperability and reliability have fallen off significantly since 2011 (15.7% and 9.9% respectively in 2015). However, the cost of cloud services is now three times as likely to be a concern as it was five years ago.

Raised expectations for public and hybrid cloud

  • Today, three quarters of company data in significant volumes is living in private or public clouds. However, company data in hybrid cloud systems is forecast to double over the next two years.
  • Corporate cloud computing strategies are focusing on public (up 43.3%) and hybrid (up 19.2%) while private cloud has taken a significant back seat in comparison (down by 48.4%).
  • SaaS is the most pervasive cloud technology used today with a presence in 77.3 percent of all organizations, an increase of 9 percent since 2014.
  • Accordingly, ROI expectations are high, with 78 percent expecting to see results within three months. Fifty-eight percent expect ROI in less than three months for PaaS services.
  • Among users taking the survey, the biggest factors preventing use of public cloud offerings are security (38.6%), privacy (29.8%) and expertise (22.8%). Regardless, the outlook for ongoing cloud service adoption is very bright.

Azure Partner Community: Business continuity and disaster recovery

This article excerpt, by US Partner Technology Strategist Nick Johnson, originally appeared here:

This month we’re talking about business continuity and disaster recovery, two of my favorite IT topics. While they might not sound exciting, they are critical for customers to think about. A good plan for each can mean the difference between long-term success or being one of the 40% of businesses that never re-open following a disaster (as cited in this PDF from the FEMA website).

For partners, helping your customers go through the process of robust business continuity planning, implementation, and testing can solidify your trusted partner status. It can also be a source of revenue when added to your existing capabilities or as a new practice altogether.

Microsoft Azure has two fantastic services, Azure Backup and Azure Site Recovery, that enable a host of use cases.

Identifying the opportunity

As a partner, how do you uncover the opportunity and determine what your customers need? I encourage partners to stop talking and listen more when in customer conversations. Listen for these statements that relate to business continuity—then ask clarifying questions.

  • “We have distributed systems across Windows Server, Hyper-V, and VMWare. They all need protection.”
  • “Protecting data and applications continues to grow in complexity.”
  • “We have so much data and we’re not sure if we’re protecting it all properly.”
  • “Are we spending too much money and effort, or too little?”
  • “Our industry requires long data-retention for compliance reasons.”
  • “Our legacy recovery plan is very labor intensive.”
  • “Testing disaster recovery is hard and often does not work as expected.”
  • “The tier 1 workloads are protected, but protecting tier 2 and 3 has been a challenge.”

If you’re not hearing these things from your customers, use the list above to create a few questions that you can use. I think you’ll find that when you dig into this topic that the need is there.

Assess your current practices

Once the need is identified, you need to spend time assessing your own practices. These questions will help you connect what you have been doing with new opportunities.

Question: Have you been designing storage solutions using on-premises solutions?
Opportunity:
  • Extend those solutions to leverage Azure storage

Question: Have you been designing disaster recovery solutions for on-premises solutions on physical hardware, Hyper-V, or VMWare?
Opportunity:
  • Begin using Azure as the failover site for the solutions

Question: Are you using System Center DPM, Windows Server Backup, or third-party backup solutions with your customers?
Opportunity:
  • Extend current solutions to leverage Azure

Question: Have you sold Azure disaster recovery or backup solutions?
Opportunity:
  • Assess implementation status and drive further Azure consumption
  • Extend the solutions to other parts of the customer’s business
  • Turn them into reference customers

Question: What are your sales motions for backup and recovery solutions?
Opportunity:
  • Build a pipeline with existing customers
  • Train your current sales teams on selling backup and recovery solutions

Question: Do you have anyone trained on Azure backup or recovery solutions implementation?
Opportunity:
  • Train your technical staff and sellers

If you are going to add new practices or capabilities, it needs to make financial sense. Use our new Microsoft Cloud Profitability Scenarios and financial models to understand the considerations for investing in a new cloud-oriented practice. For more partner profitability resources, refer to our online guide.

Recommendations for monetizing a business continuity practice


  • Design a Disaster Preparation evaluation to go through with your customers. This should provide opportunity to discover all the servers that need to be backed up or opportunity for Azure Backup to be used for data storage. May also stretch to StorSimple.

Upgrades to on-premises systems

  • Customers that want to run Azure Site Recovery will need Server 2012 R2 if using Hyper-V. Earlier versions of Hyper-V hosts will present an upgrade opportunity.


  • Drive services revenue through setup of the plan
  • Build repeatable IP with scripting/tools


  • Provide regular monitoring and maintenance

Ongoing testing

  • Run regular test failovers and validation for customers

Ongoing assessments

  • Regular assessments to review new parts of the business and make sure the overall DR plan still meets the customer’s needs.


  • Regular, predictable Azure consumption

Apps are going to get a lot smarter with help from Microsoft Office

This article excerpt, by Business Insider author Matt Weinberger, originally appeared here:

Today, Microsoft officially released the Microsoft Graph, a nerdy solution that opens the doors wide for developers to do a lot more with Microsoft Office.

The critical idea here is the “application programming interface,” or API. Programs use APIs to talk to each other — popular fitness app Runtastic, for example, uses the Google Maps API to display a real-time map on the app.

The Microsoft Graph, first announced in beta back in April, is a set of APIs that blow open the Microsoft Office 365 productivity cloud to developers, letting them build apps that take a user’s data and put it to use in cool, new ways.

Basically, it means that any developer can build an app that taps straight into the data that lives inside Office 365, making their wares smarter and faster.

“It’s not just all about Microsoft,” says Rob Lefferts, Microsoft general manager of Office extensibility. “It’s a huge starting set of information.”

And just like Facebook’s famous social graph, the Microsoft Graph lets developers ask questions of the data like, “Who does my customer work closely with?” The intelligence is handled by Microsoft on the back end. (And no, it’s not as creepy as it might sound — like any other app, you’d have to give it permission to access data.)

For instance, Lefferts says, over 850 million meetings per month get booked via Microsoft Outlook for Office 365. That means that there’s tons of data there for an enterprising app developer to build a predictive calendar based on how users spend their time. 

At launch, the Microsoft Graph supports data from sources like e-mail, the address book, and calendars. Later, it’ll be able to support data taken from OneDrive storage, OneNote cloud notes, and other Microsoft data.

The Office Graph also goes both ways. For example, security startup Skyhigh Networks is already using the Microsoft Graph to enforce enterprise policies on customers’ Office 365 installations, scanning and quarantining files that live in the cloud.

For developers, the first taste of Microsoft Graph is free, Lefferts says. But if they’re using Microsoft Office data at volume in their own apps via Microsoft Graph, the company will collect a fee.

It will be a while before most developers figure out how to best access all that data, since the Microsoft Graph is new.

But it has the potential to make apps much smarter, in a behind-the-scenes kind of way. And it’s good for Microsoft, because it means that customers can get more out of the money they’re sinking into Office 365.

“The demand of customers is to say, ‘make it seamless, make it great,’” says Lefferts.

10 Ways Microsoft Office 2016 Could Improve Your Productivity

This article excerpt, by TechRepublic, originally appeared here:…/

On September 22, 2015, Microsoft released Office 2016 to the masses. At first glance, you may not notice much has changed since Office 2013. But when you look deeper, you will find some interesting and productivity-enhancing differences.

For years we’ve been promised wonderful benefits from cloud computing, and Microsoft Office 2016 is trying to deliver on those promises. It’s designed to meet our expectations of what a cloud-based, mobile-ready productivity suite can and should be. Only time will tell if Office 2016 actually delivers the goods, but the initial reviews are promising.

Here are 10 things Microsoft Office 2016 offers as it aspires to be the last productivity suite you are ever going to need.

1: Real-time co-authoring

Co-authoring has been around for a long time for many Office apps, but with Office 2016 that collaboration can now take place in real time. That means you will be able to see what your co-conspirators are doing in a Word document or PowerPoint presentation as they do it—and conversely they will be able to see what you are doing. It won’t even matter where you are or what device you are using.

2: OneNote notebook sharing

OneNote is one of the most useful applications available in Microsoft Office, and it is also one of the least appreciated. Office 2016 allows you to share a OneNote notebook with as many people as you want. And because OneNote works with text, images, worksheets, emails, and just about any other document type you can think of, it can be a great central resource for a team working on a project. That is, if they know to use it.

3: Simplified document sharing

Office 2016 simplifies sharing of documents by adding a Share button to the upper-right corner of your Office apps. Clicking that button will give you one-click access to share your document with anyone in your contacts list. You don’t even have to leave the document to do it. That does sound pretty simple.

4: Smart attachments

If you’re like me, you have to send email attachments just about every day. In previous versions of Office, adding attachments to an email required you to navigate to the location where the document was stored. You can still do that in Office 2016, but if the document in question was one you worked on recently, it will now show up in a list of shareable documents right there in Outlook. Essentially, Office 2016 keeps a universal recently worked on list for you.

5: Clutter for Outlook

Like most of us, you probably get a ton of email every day. Wading through the Outlook inbox to prioritize each email takes time and hampers your ability to be productive. Office 2016 adds a new category to your inbox triage toolbox, called Clutter. You can designate certain emails as low priority and they, and future similar emails, will be deposited automatically into a Clutter folder in Outlook. So now you have four categories for email: important, clutter, junk, and delete.

6: Better version history

Collaboration and creativity can be a messy process, with shared documents changing drastically over time. Office 2016 compensates for potentially lost ideas by keeping past versions of documents and making them available directly from Office applications under the History section of the File menu.

7: New chart types in Excel

The ability to visualize data with an Excel chart has always been a welcome and powerful capability. However, the list of available chart types found in previous versions of Excel needed an update. Office 2016 adds several new chart types to the templates list, including Waterfall, which is a great chart if you like to track the stock market. Other new chart types include Treemap, Pareto, Histogram, Box and Whisker, and Sunburst.

8: Power BI

Between the release of Office 2013 and Office 2016, Microsoft spent a great amount of time and capital acquiring technologies that shore up its business intelligence and analytical applications. Power BI, a powerful analytics tool, now comes bundled with your Office 365 subscription. Knowing every little detail about how your business is running is essential information, and Power BI can bring it all together for you.

9: Delve

Delve is another new tool that comes with an Office 365 subscription. The best way to describe Delve is as a central location that gives you access to everything you have created, shared, or collaborated on using Office 2016. It is another recently worked on list, only this version of the list is stored in the cloud—so you can access it from anywhere with any device using the Office 365 Portal.

10: Purchase choices

Office 2016 is generally available only as a subscription. Even if you buy a boxed version of Office 2016, you are buying access to an annual subscription, with one exception. If you purchase the Office Home & Student 2016 box, you pay a one-time fee of $149.99 for just the basic Office apps.

Microsoft has definitely stacked the deck so that the best bang for the buck is a subscription to Office 365, which includes Office 2016 plus all the cloud services. Businesses should be looking at one of the Office 365 for Business subscriptions. It is also going to be your best deal.