Categories
Insights @en

arago released AutoPilot Community Edition and announced Knowledge Community TabTab

arago AG from Frankfurt, Germany has released the AutoPilot Community Edition, a free-of-charge version of its knowledge-based automation solution for IT operations. The edition addresses small and midsize businesses and startups that cannot afford the investment in a modern automation platform.

Autopilot Community Edition

The free-of-charge AutoPilot edition can be used without restrictions in environments with up to five systems. With its knowledge-based approach the solution uses the existing enterprise knowledge to automate IT operations autonomously and dynamically, drawing on capabilities such as artificial intelligence, machine learning and data analytics. The Community Edition is based on the same functions as the Enterprise Edition. Initially the AutoPilot has to be fed with the knowledge needed to administer IT operations, which is stored in so-called knowledge items. Afterwards the solution works like an autonomous administrator, combining the knowledge items into tasks flexibly and on demand.

Knowledge Community TabTab

Beyond the five systems, the AutoPilot Community Edition can be extended to up to 25 administered systems. For this purpose an IT expert has to participate in the new Knowledge Community TabTab, which will start in early 2014 and act as a platform for exchanging knowledge items. AutoPilot users can share their knowledge items with the community and in return receive the knowledge items of other IT experts to extend the knowledge base of their own AutoPilot.

As CEO Chris Boos told me during GigaOM Structure Europe, he sees the release of both the AutoPilot Community Edition and the Knowledge Community as a win-win situation for everyone involved. On the one hand, small businesses and startups gain a powerful automation solution free of charge. On the other hand, arago gets feedback from the community to improve the AutoPilot more efficiently. Moreover, Boos sees a particular advantage for IT experts, who can present their expertise to the worldwide IT community via TabTab.

Disruptive: Crowdsourcing for IT operations

Now that arago and its AutoPilot are well on the way to turning IT operations upside down, the company from Frankfurt, Germany takes the next logical step to secure the knowledge the AutoPilot depends on. On the one hand, the Knowledge Community TabTab becomes a knowledge platform on which AutoPilot users share their knowledge with other users and in return extend their own knowledge base. On the other hand, arago gets the opportunity to extend the global AutoPilot knowledge base as far as possible and thereby steadily improve the intelligence of the overall system. For arago the advantage lies especially in obtaining more and more knowledge about non-standardized, heterogeneous environments and individual applications, in order to react much better to unplanned situations.

Small businesses and startups should consider using the AutoPilot Community Edition free of charge so that they can concentrate on their core business instead of binding important resources and staff exclusively to IT operations, which is essentially responsible for the maintenance of the enterprise IT.

Building a hosted private cloud with the open source cloud computing infrastructure solution openQRM

Companies have recognized the benefits of a flexible IT infrastructure. However, the recent past has reinforced the concern to avoid the path into the public cloud for reasons of data protection and information security. Therefore alternatives need to be evaluated. A private cloud is one of them, if only it did not end in high up-front investments in own hardware and software. The middle way is a hosted private cloud. This type of cloud is already offered by some providers, but it is also possible to build and run it oneself. This INSIGHTS report shows how this is possible with the open source cloud computing infrastructure solution openQRM.

Why a Hosted Private Cloud?

Companies are encouraged to create a more flexible IT infrastructure in order to scale their resource requirements as the situation demands. Ideally the use of a public cloud meets these requirements, since no upfront investments in own hardware and software are necessary. Many companies, however, dread the way into the public cloud for reasons of data protection and information security and look for an alternative: the private cloud. Its main advantage is flexible self-service provisioning of resources for staff and projects, as in a public cloud, which a pure virtualization of the data center infrastructure cannot deliver. It should be noted, however, that building a private cloud requires investments in IT infrastructure, because the virtual resource requirements have to be backed by a physical foundation.

Therefore an appropriate balance needs to be found that allows flexible self-service resource provisioning without requiring high investments in own infrastructure components and without giving up a self-determined level of data protection and security. This balance exists in hosting a private cloud at an external (web) hoster. The necessary physical servers are rented from a hoster who is responsible for their maintenance. In order to cover any physical resource requirements in time, appropriate arrangements should be made with the hoster. Alternatives include standby servers or similar approaches.

On this external server and storage infrastructure the cloud infrastructure software is then installed and configured as a virtual hosted private cloud. This allows, for example, employees to start their own servers for software development as needed and to freeze and remove them again after the project. Billing of the used resources is the responsibility of the cloud infrastructure software, which provides such functions.

openQRM Cloud

Basically an openQRM Cloud can be used to build both a public and a private cloud. It is completely based on openQRM’s appliance model and offers fully automated deployments that can be requested by cloud users. For this openQRM Cloud supports all the virtualization and storage technologies that openQRM itself supports. It is also possible to provide physical systems over the openQRM Cloud.

Based on the openQRM Enterprise Cloud Zones, a fully distributed openQRM Cloud infrastructure can also be built. Thus several separate data centers may be divided into logical areas, or the company topology can be constructed hierarchically and logically with safe separation. Moreover openQRM Enterprise Cloud Zones integrates a central, multilingual cloud portal including a Google Maps integration, so that an interactive overview of all sites and systems is created.

Structure of the reference environment

For the construction of our reference setup a physical server and multiple public IP addresses are required. There are two options for installing openQRM:

  • Recommended: Configuration of a private class C subnet (192.168.x.x/255.255.255.0) in which openQRM is operated. openQRM requires an additional public IP address for access from the outside.
  • Option: Install openQRM in a virtual machine. In this variant openQRM controls the physical server and obtains the virtual machines from the physical host for the subsequent operation of the cloud.

For the assignment of public IP addresses, cloud NAT can be used in both scenarios. This openQRM Cloud function translates the IP addresses of the private openQRM class C network into public addresses. This requires pre- and post-routing rules on the gateway / router using iptables, configured as follows:

  • iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o br0 -j MASQUERADE
  • iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

More information on pre- and post-routing with iptables can be found at http://www.karlrupp.net/en/computer/nat_tutorial

For the configuration of complex network environments the IP management plugin is recommended. This enterprise plugin allows setting any network and IP address configuration for the managed servers. In the openQRM Cloud it also provides a mapping of networks to cloud users and groups and supports automated VLAN management.

In addition, two bridges are needed:

  • One for the public interface with a public IP address.
  • One for the private interface for which DHCP is configured.

The data in the cloud are later stored in the local storage of the physical server. For this purpose, there are two variants:

Recommended:

  • KVM-Storage LVM Deployment (LVM Logical Volume Deployment)
  • Requires one or more dedicated LVM volume group(s) for the virtual machines. For more complex setups a central iSCSI target or a SAN is recommended.

Option:

  • KVM-Storage BF Deployment (blockfile deployment)
  • Create directories on the Linux server such as
    • /var/lib/kvm-storage/storage1
    • /var/lib/kvm-storage/storage2
    • (The storage directories can be set arbitrarily in the plugin configuration.)
  • For more complex setups, a central NAS for the configured mount points should be used.

Finally iptables must be configured according to the rules above and the desired level of security. After that the installation of openQRM follows. Packages for popular Linux distributions are available at http://packages.openqrm.com. After openQRM has been installed and initialized, the configuration follows.
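The article leaves the gateway's own hardening open ("the desired own safety"). The following added example, which is not openQRM's code nor the article's, generates a complete rule set for the gateway in front of the private 192.168.0.0/24 openQRM network: default-deny forwarding, the article's MASQUERADE rule narrowed to the uplink, a one-to-one public-to-private mapping of the kind cloud NAT performs for a single VM, and the openQRM web UI reachable only from an admin range. Interface names (eth0, br0), the admin range, the public address 198.51.100.10 and the VM address 192.168.0.50 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of openQRM or the article: generates (and optionally
# applies) the gateway rule set for the private openQRM class C network.
# Interface names, the admin range and the VM mapping are constructed
# assumptions; the subnet 192.168.0.0/24 is the one used in the article.
set -eu

PRIV_NET="192.168.0.0/24"    # openQRM management network (from the article)
PUB_IF="eth0"                # uplink carrying the public IP (assumption)
PRIV_IF="br0"                # bridge to the private openQRM network (assumption)
ADMIN_NET="203.0.113.0/24"   # constructed admin source range (TEST-NET-3)

# base_rules: flush the chains we own, deny forwarding by default, admit only
# reply traffic and new connections leaving the private network, and expose
# the openQRM web UI (assumed to listen on the gateway's public address) to the
# admin range only.
base_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PRIV_IF -o $PUB_IF -s $PRIV_NET -j ACCEPT
iptables -A INPUT -i $PUB_IF -p tcp --dport 443 -s $ADMIN_NET -j ACCEPT
iptables -A INPUT -i $PUB_IF -p tcp -m multiport --dports 80,443 -j DROP
EOF
}

# vm_public_map PUBLIC_IP PRIVATE_IP PORTS
# One-to-one translation of a public address to a single cloud VM, the kind of
# mapping the article's cloud NAT performs. Inbound is restricted to the listed
# TCP ports; the VM's outbound traffic is source-translated to its own public
# address. The SNAT rule must precede the catch-all MASQUERADE (first match wins).
vm_public_map() {
    pub="$1"; priv="$2"; ports="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $PUB_IF -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $priv
iptables -A FORWARD -i $PUB_IF -o $PRIV_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $priv -o $PUB_IF -j SNAT --to-source $pub
EOF
}

# masquerade_rule: the article's POSTROUTING rule, narrowed to the uplink so
# that hosts without a dedicated public address share the gateway's.
masquerade_rule() {
    echo "iptables -t nat -A POSTROUTING -s $PRIV_NET -o $PUB_IF -j MASQUERADE"
}

# gen_rules: the complete ordered rule set. The VM mapping is a constructed
# example (TEST-NET-2 public address, one VM inside the private network).
gen_rules() {
    base_rules
    vm_public_map 198.51.100.10 192.168.0.50 "22,80,443"
    masquerade_rule
}

# rule_position PATTERN: 1-based line of the first generated rule matching
# PATTERN, used to verify rule ordering without touching the kernel.
rule_position() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# apply_rules: enable forwarding and load the generated set (run as root).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | sh -e
}

case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
esac
```

Run with `show` to review the generated rules before `apply`; the inbound rules for the VM only admit ports listed in the mapping, so a VM that needs a different service gets its own explicit mapping.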

Basic configuration of openQRM

The first step after initialization is editing „/usr/share/openqrm/plugins/dns/etc/openqrm-plugin-dns.conf“ and changing the default value to the own domain.

Configure the domain for the private network:

# please configure your domain name for the openQRM network here!
OPENQRM_SERVER_DOMAIN="oqnet.org"

After that we activate and start the plugins via the web interface of the openQRM server. The following plugins are absolutely necessary for this:

DNS Plugin

  • Used for the automated management of the DNS service for the openQRM management network.

DHCPD

  • Automatically manages the IP addresses for the openQRM management network.

KVM Storage

  • Integrates the KVM virtualization technology for local deployment.

Cloud-Plugin

  • Allows the construction of a private and public cloud computing environment with openQRM.

Further plugins are recommended:

Collectd

  • A monitoring system including long-term statistics and graphs.

LCMC

  • Integrates the Linux Cluster Management Console to manage the high availability of services.

High-Availability

  • Enables automatic high availability of appliances.

I-do-it (Enterprise Plugin)

  • Provides an automated documentation system (CMDB).

Local server

  • Integrates existing, locally installed servers with openQRM.

Nagios 3

  • Automatically monitors systems and services.

NoVNC

  • Provides a remote web console for accessing virtual machines and physical systems.

Puppet

  • Integrates Puppet for a fully automated configuration management and application deployment in openQRM.

SSHterm

  • Allows secure login via a web shell to the openQRM server and integrates resource

Plugins that offer more convenience for the automatic installation of virtual machines as cloud templates are:

Cobbler

  • Integrates Cobbler for the automated deployment of Linux systems in openQRM.

FAI

  • Integrates FAI for the automated provisioning of Linux systems in openQRM.

LinuxCOE

  • Integrates LinuxCOE for the automated provisioning of Linux systems in openQRM.

Opsi

  • Integrates Opsi for the automated provisioning of Windows systems in openQRM.

Clonezilla/local-storage

  • Integrates Clonezilla for the automated provisioning of Linux and Windows systems in openQRM.

Basic configuration of the host function for the virtual machines

Case 1: openQRM is installed directly on the physical system

Next, the host must be configured to provide the virtual machines. For that an appliance of type KVM Storage Host is created. This works as follows:

  • Create appliance
    • Base > Appliance > Create
  • Name: e.g. openQRM
  • Select the openQRM server itself as resource
  • Type: KVM Storage Host

This tells openQRM that a KVM storage is to be created on this machine.

Case 2: openQRM is installed in a virtual machine running on the physical system

Using the “local server” plugin the physical system is integrated into openQRM. For this the “openqrm-local-server” integration tool is copied from the openQRM server to the system to be integrated, e.g.

scp /usr/share/openqrm/plugins/local-server/bin/openqrm-local-server [ip-address of the physical system]:/tmp/

After that, it is executed on the system to be integrated:

ssh [ip-address of the physical system] /tmp/openqrm-local-server integrate -u openqrm -p openqrm -q [ip-address of the openQRM server] -i br0 [-s http/https]

(In this example “br0” is the bridge to the openQRM management network.)

The integration via “local server” automatically creates in openQRM:

  • a new resource
  • a new image
  • a new kernel
  • a new appliance from the sub-components above

Next, the appliance of the just integrated physical system must be configured to provide the virtual machines. For this the appliance is set to type KVM Storage Host. That works as follows:

  • Edit the appliance
    • Base > Appliance > Edit
  • Type: Set KVM Storage Host

This tells openQRM that a KVM storage is to be created on this machine.

Basic configuration of the storage function

Now the basic configuration of the storage follows. For this purpose a storage object of the desired type is created. This works like this:

  • Create storage
    • Base > Components > Storage > Create
    • Case 1: select the resource of the openQRM server
    • Case 2: select the resource of the integrated physical system
  • Name: e.g. KVMStorage001
  • Select deployment type
    • This depends on the type selected at the beginning: KVM-Storage LVM deployment or directory (KVM-Storage BF deployment)

Preparation of virtual machine images

In order to provide virtual machines (VMs) later over the cloud portal as part of finished products, an image for a VM must first be prepared. This works as follows:

  • Create a new virtual machine with a new virtual disk and install an ISO image on it.
    • Plugins > Deployment > LinuxCOE > Create Templates
    • The created images are automatically stored in an ISO pool that each virtual machine within openQRM can access.

Subsequently a base for the master template is created. This serves as the basis for providing users a product through the order process.

  • Create a new appliance
    • Base > Appliance > Create
  • Create a new resource
    • KVM-Storage virtual machine
      • Create a new VM
      • Make settings
      • Select an ISO image
      • Create
    • Select created resource
  • Create a new image
    • Add image as KVM-Storage volume
    • Select KVM-Storage
    • Select volume group on KVM-Storage
    • Add a new logical volume
    • Select an image for the appliance
    • Edit to set a password (the password previously chosen in the ISO is overridden.)
  • Select kernel
    • From the local disk
    • (LAN boot is also possible)
  • Start appliance
    • The automatic installation can now be followed over VNC.
    • Further adaptations can be made manually.
    • Please consider
      • Misc > Local-Server > Help >Local VMs („Local-Server for local virtual machines “)

Cleaning up

The created appliance can now be stopped and deleted afterwards. The important point was to create an image that can be used as a master template for the cloud.

The image created using the appliance includes the basic operating system that was installed from the ISO image.

Configuration of the openQRM Cloud

We have now finished all preparations and can start configuring the openQRM Cloud. The necessary settings are found at „Plugin > Cloud > Configuration > Main Config“. All parameters adapted here have a direct impact on the behavior of the whole cloud.

Basically an openQRM Cloud can be run with the basic settings. Depending on the needs and the specific situation, adaptations can be made. The “description” area in the right column of the table is helpful here.

However, there are parameters that need to be considered regardless of the use case. These are:

Automatic provisioning (auto_provision)

  • Determines if systems are automatically provisioned by the cloud or if an approval of a system administrator is needed.

Provisioning of physical systems (request_physical_systems)

  • This parameter defines whether, besides virtual machines, physical hosts can also be provisioned by the cloud.

Cloning of images (default_clone_on_deploy)

  • By default the cloud rolls out copies (clones) of an image.

High-availability (show_ha_checkbox)

  • Enables operating the openQRM Cloud including high availability of the provided resources.

Billing of the used resources (cloud_billing_enabled)

  • openQRM has an extensive billing system for setting own prices for all resources, giving a transparent overview of the running costs.

Cloud product manager (cloud_selector)

  • Enables the product manager to provide users various resources over the cloud portal.

Currency for the settlement of resources (cloud_currency)

  • Determines the local currency with which the resources are to be settled.

Exchange ratio for resources in real currency (cloud_1000_ccus)

  • Determines the exchange ratio between 1000 CCUs (Cloud Computing Units) and the previously fixed real currency.

Resource allocation for groups (resource_pooling)

  • Determines from which host an assigned user group receives its virtual machines.

Creating products for the openQRM Cloud

To provide our users resources over the cloud portal we first have to create products which define the configuration of a virtual machine. The settings for this are found at „Plugin > Cloud > Configuration > Products“.

The “Cloud product management” is used to create the various products from which users can later choose to build their own virtual machines over the cloud portal. Products available to us are:

  • Number of CPUs
  • Size of local disks
  • Size of RAM
  • Kernel type
  • Number of network interfaces
  • Pre-installed applications
  • Virtualization type
  • If a virtual machine should be high-available

Over the status line, using +/-, each product can be activated or deactivated to show or hide it for the user in the cloud portal.

Please note: Products that are deactivated but still active within a virtual machine continue to be billed.

To create a new CPU product we select the “CPU” tab and define our desired parameters in the area “Define a new CPU product”.

The first parameter defines how many CPUs (cores) our product should have, here 64. The second parameter determines the value of the product, i.e. how much it costs per hour while in use. In this example 64 CPUs cost 10 CCUs per hour.

With the arrow keys the order in which the single products are displayed in the cloud portal can be determined. The topmost value is the default.

Please note: In the cloud portal standard profiles in the sizes „small“, „medium“ and „big“ exist. The profiles are automatically determined from the respective products according to their order: “small” is always the first value, “medium” the second and “big” the third.

openQRM also allows ordering virtual machines with pre-configured software stacks. For this openQRM uses Puppet (Plugins > Deployment > Puppet). Thus, for example, the popular LAMP stack can be ordered.

Once we have configured our product portfolio, it’s the user’s turn to order virtual machines. This is done via the cloud portal.

openQRM Cloud-Portal

To create a new virtual machine (VM) we click on the tab “New”. An input mask follows in which we can create our VM based on the products the administrator has defined and approved in the backend.

We choose the profile “Big” and a LAMP server. Our virtual machine now consists of the following products:

  • Type: KVM-Storage VM
  • RAM: 1 GB
  • CPU: 64 cores
  • Disk: 8 GB
  • NIC: 1

In addition the virtual machine should be “high-available”. This means that if the VM fails, a substitute machine with exactly the same configuration is started automatically to continue working with.

For this configuration we have to pay 35 CCUs per hour. This is equivalent to 0.04 euros per hour, € 0.84 per day or € 26.04 per month.

If we want to order the virtual machine we select “send”.

Under the tab “Orders” we see all current and past orders we have made with our user. The status “active” in the first column shows that the machine has already been started.

In parallel we receive an e-mail including the IP address, a username and a password that we can use to log into the virtual machine.

The tab “Systems” confirms both pieces of information and shows further details of the virtual machine. In addition we have the opportunity to change the system’s configuration, pause the virtual machine or restart it. Furthermore, login via a web shell is possible.

If the virtual machine is no longer needed it can be paused. Alternatively the administrator can dispose of it due to inactivity of the system or at a specific time.

Creating a virtual machine with the „Visual Cloud Designer“

Besides the “ordinary” way of building a virtual machine, the openQRM Cloud portal enables the user to do so conveniently via drag and drop. Here the „Visual Cloud Designer“ helps, which can be found behind the tab „VCD“.

Using the slider on the left below „Cloud Components“ it is possible to scroll through the products. Using the mouse, the „Cloud Appliance“ (virtual machine) in the middle can be assembled from the appropriate products.

In this case we assembled our virtual machine „Testosteron“ with KVM-Storage, Ubuntu 12.04, 64 CPUs, 1024 MB RAM, 8 GB disk, one NIC, software for a web server and the high-availability feature.

With one click on “Check Costs”, openQRM tells us that we will pay 0.03 EUR per hour for this configuration.

To start the ordering process for the virtual machine we click “request”. We get the message that openQRM starts rolling out the resource and that we will receive further information in our mailbox.

The e-mail includes, as described above, all access data to work with the virtual machine.

In the cloud portal under “Systems” we already see the started virtual machine.

Creating a virtual machine with the „Visual Infrastructure Designer“

Besides the provisioning of single virtual machines, the openQRM Cloud portal also offers the opportunity to provide complete infrastructures consisting of multiple virtual machines and further components with one click.

For this we use the „Visual Infrastructure Designer“, which can be found in the cloud portal behind the tab “VID”.

Using the “VID” it is possible to build and deploy a complete infrastructure WYSIWYG via drag and drop. For this purpose it is first necessary to create ready profiles with pre-configured virtual machines, for example web servers, routers or gateways. These can be deployed afterwards.

TecArt-CRM Mobile: Modular "All-in-One Business Suite" from the Cloud

The choice of a suitable customer relationship management (CRM) solution is a challenge for any business. The final decision depends on the specific requirements and special needs. In this context the flexible use of a solution is of crucial importance in order to avoid long-term contracts and high investment costs. This INSIGHTS report provides an overview of the cloud CRM solution of TecArt GmbH from Erfurt, Germany, shows its functions and what benefits a company receives.

Preface

Despite its long history, the importance of customer relationship management (CRM) in companies is steadily increasing. Without a consistent focus on its customers and the unconditional design of the necessary processes, a company is no longer competitive today. Only with holistic and cross-enterprise relationship marketing can the cooperation between a company and its customers be long-term oriented and strengthened, which has a decisive impact on current and future success. For this the different departments, such as marketing, sales, customer service and also research and development, must be integrated into the processes.

On the one hand the comprehensive integration of these departments is organizationally not always easy to implement; on the other hand an appropriate IT solution must be found that meets the requirements of the company almost perfectly. For that, massive investments in on-premise systems have been made in the past, leading to long-term, inflexible licensing costs. In times of cloud computing and software-as-a-service (SaaS) it is not necessary to commit to long-term provider contracts. Instead, the solution is charged per user and ideally per month, making the monthly or annual cost/benefit ratio more transparent.

It should be noted that the flexibility advantage of a SaaS solution does not lie in the opportunity to switch providers annually or even semi-annually. Despite SaaS, a business plans long-term. The cost and effort of constantly evaluating a new provider and migrating afterwards bears no relation to the actual benefit; in some cases it may be considered if satisfaction with the vendor decreases. The actual flexibility advantage of SaaS is the scalability in terms of monthly usage per user and functionality. This means that a company can better respond to its monthly requirements, including responding flexibly to employee turnover. It also allows improved planning with seasonal workers, for whom usually a certain number of licenses has been purchased in advance for the period and which are no longer needed afterwards, turning into dead capital. Using a SaaS solution, the number of required users can be increased for a given month and decreased again. This makes it possible to plan better for the future.

This also applies to a SaaS CRM system, which is about much more than just a database of customer information. In particular, the emerging market of mobile collaboration enables sales representatives to always access current live data and to edit it to the same extent. Moreover, the charges for further services should be taken into consideration, because current SaaS CRM solutions on the market promise an integration with other external SaaS offerings, for example e-mail services, but implement it sub-optimally. In this context it is also important, among other aspects, to look at the availability of interfaces for connecting the CRM solution with existing systems.

Overview TecArt-CRM

The market for CRM systems from the cloud has grown rapidly in recent years. Led by Salesforce, solutions for customer relationship management have evolved from on-premise installations to web-based cloud solutions. Depending on functionality and scope of services, the variety of SaaS CRMs addresses different target groups. From large corporations over medium-sized companies to freelancers, the market offers a wide range of different systems for web-based customer relationship management.

TecArt GmbH from Erfurt, Germany, focuses its TecArt-CRM on medium-sized and larger companies. Apart from a complete web-based solution, the company also offers its software for on-premise installation in an own data center. The advantages discussed here, however, businesses obtain only with the cloud-based solution TecArt-CRM Mobile, which this INSIGHTS report describes.

Holistic modules for flexible use

TecArt-CRM Mobile is designed for small and medium-sized businesses that do not have a full-time IT department and therefore no powerful IT infrastructure, but still want the advantage of working across multiple locations.

Six main modules, including services for the management of e-mails, contacts, appointments, tasks and documents, form the core of the SaaS application and belong to the standard scope of the CRM system. For a fixed monthly fee per user, 5 GB of storage per user is included as well, which can be increased at extra cost if required. Hosting, maintenance of the system and the daily backup of the data are taken care of by TecArt GmbH.

One of the great strengths of TecArt-CRM Mobile is the ability to expand the base system with additional modules per month as required, and to cancel them again. Companies thus get very flexible access to further value-added services to customize the CRM system according to their requirements. These useful services include, among others, project management, supply management, contract management and resource planning.

Mobile cloud allows access from any place

Besides web-based access, TecArt-CRM Mobile also allows retrieving and manipulating the data in the CRM system via mobile devices. For this the major mobile operating systems iOS, Android, Windows Phone and BlackBerry, but also older systems such as Windows Mobile and Symbian, are supported for mobile synchronization.

For the mobile synchronization of information, TecArt GmbH has developed the service “TecArt-Push”, which extends the browser-based cloud solution TecArt-CRM with a push function. This is comparable to the solutions known from Google Apps and Apple iCloud. Besides a CRM system, companies also receive a full-fledged mobile groupware for different devices to access e-mails, contacts, appointments and tasks that are automatically synchronized with TecArt-CRM.

Field workers in particular get the valuable opportunity to access information on the go and both collect and edit data such as e-mails, calendars and contacts.

In addition to the synchronization of data, the “TecArt-CRM web app” also allows access to further data and information from other services in the backend of the CRM system via a mobile Internet connection. This means that, among others, documents, tickets, projects, contracts and offers can be accessed. Using an integrated geolocation service, contacts can also be found in the immediate vicinity of the current location.

Cooperation with cloud marketplaces to increase the reach

Cloud marketplaces belong to the future of cloud computing and are a logical development to give enterprises and developers a good overview of and easy access to IT resources. At the same time there are also less good cloud applications on the market that offer no real value, are not well thought out or have a poor architecture and are therefore also not securely implemented. Cloud marketplaces help to separate potential top applications from rather insignificant services and provide decision support for the selection. This is ensured firstly by the marketplace provider itself, and also through an evaluation system in which users can post comments and ratings. In addition, cloud marketplaces organize and summarize the different cloud offers thematically. They form an independent ecosystem of cloud services.

Cloud marketplaces can also help young companies to increase their visibility and reach. But even for established companies that start with cloud services, opportunities arise to present themselves to a wide audience and to measure themselves transparently against the existing competition.

This is also part of TecArt GmbH’s strategy, which has entered into collaborations with two cloud marketplaces for its TecArt-CRM Mobile offering: the Telekom Business Marketplace and the Fujitsu Cloud Store. In particular the inclusion criteria of Deutsche Telekom’s Business Marketplace are very high, with strict requirements in terms of architecture and security of the cloud application that are reviewed in audits. Since Deutsche Telekom focuses on quality rather than quantity, the inclusion of TecArt-CRM Mobile is a very positive sign.

Additional APIs and software simplify integration

Good cloud applications are characterized by their transparency, openness and the associated interfaces (Application Programming Interfaces, APIs) through which they can be integrated with existing software solutions or which extend the applications themselves.

TecArt has understood this, too, and offers, in addition to the core modules and the advanced services, other features and software to enhance the TecArt-CRM product line. Among other things, a synchronization with Outlook can be set up via additional software, and an integration with a PBX can be realized. Furthermore, the range of proprietary web services for enterprise developers is very interesting for connecting existing software solutions such as enterprise resource planning, time-recording systems or the company’s own website to TecArt-CRM.

Price model: Pay-per-use or on-premise

TecArt-CRM can be obtained under three different procurement models. The traditional on-premise models “Company” and “Enterprise” are aimed at those who are still conservative and want to take care of hosting and operating their infrastructure themselves. For that, TecArt-CRM can be purchased at a fixed price. Here, however, the additional costs for the operation and maintenance of the required IT infrastructure must not be neglected.

The modern way of obtaining IT is offered via TecArt-CRM Mobile. Here a fixed base amount is charged for various core modules per user per month. Additional modules can be flexibly added per user and are also charged on a monthly basis. The advantage of this variant is that TecArt takes care of 100% of the hosting, operation and maintenance of the necessary IT infrastructure as well as of the TecArt-CRM system. A customer only consumes the services needed.

Security and location advantage

The issues of data protection and data security are still strongly debated in the context of the cloud. In particular, in a very sensitive environment such as customer relationship management, in which a lot of personal but also specifically business-critical data is processed, a company should not settle for just any provider. Instead, a provider must be chosen that meets the company’s standards and in particular meets all requirements in the areas of privacy and data security technology.

In the area of data security, TecArt uses SSL encryption to establish a secure connection for the data transmission between the server and the client. Furthermore, the data center is located in Germany and is certified according to the ISO 27001 security standard. TecArt guarantees an availability of 98% on annual average for its services. Furthermore, the company offers additional protection against the overwriting of documents through personalized versioning and control, which ensures that the data is always kept in a consistent state. A read/write protection at user level also ensures that only authorized persons have access to modules, objects and individual documents. In the case of manual deletion by a user, each employee has a personal recycle bin. If this is not enough, automatic backups of the system are made daily and stored for seven days.

In addition to data security, data protection needs to be handled with a lot of sensitivity. Due to its German headquarters, TecArt GmbH is subject to European and German data protection law and guarantees that no data will be passed on to U.S. government agencies. Furthermore, TecArt strictly follows the classification level “CONFIDENTIAL”. This means that all data and documents stored and processed in the TecArt cloud services meet the security requirements of that level for authorities and for confidential and sensitive positions.

Awards testify to quality

Even if awards are always directly connected with their jury, they are an indicator of the quality of a solution. If there is more than one award from independently operating and different consortia or associations, a company can in good conscience assume that the quality is real.

TecArt has already won six independent awards. These include the Hosting & Service Provider Award 2013, the title BEST OF 2013 in the category CRM within the Innovationspreis-IT 2013 of the Initiative Mittelstand, and the Telekom Innovationspreis 2012.

Management Advisory

The choice of a suitable customer relationship management solution is a bit of a challenge for any business. The final decision depends on the specific requirements and special needs. In this context, the flexible use of a solution is of crucial importance in order not to get into long-term contracts and high investment costs.

This is where TecArt-CRM comes in: besides important core features, it offers the ability to expand the system monthly, as required, with other modules with more specific functions, which gives users considerable added value overall.

If the entire TecArt-CRM portfolio is considered, it is not just a pure CRM solution. With fully integrated functions for the management of e-mails, tasks, appointments, contacts and other services, TecArt-CRM offers a company much more than a standard system for customer relationship management. TecArt-CRM focuses entirely on the standard processes of a company, including the synchronization of mobile devices, and thus supports any company in its future cloud collaboration. For this reason, the solution is in the proper sense a collaborative CRM, which in this case is actually better described as an all-in-one business suite from the cloud.

For companies that also want to concentrate on the topic of “Social CRM” (the use of modern social networks for customer communication), TecArt-CRM is currently not the right solution, since the company from Erfurt currently has no such functionality in its portfolio.

Furthermore, TecArt-CRM’s great diversity and modularity is also one of its weaknesses. This is not necessarily a great negative point. Nevertheless, a customer should allow plenty of time for the selection process before the initial registration. In addition, during the decision on which modules should be selected from the start and which not, one can quickly lose the overview. At this point it becomes clear that maximum modularity is not always beneficial and that prefabricated packages would simplify the decision process.

Bottom line, TecArt-CRM is a highly recommended and well-designed CRM system that brings a lot of DNA and approaches for modern cloud collaboration and can help any company to cooperate better with its customers in the future.


Security Comparison: TeamDrive vs. ownCloud

Dropbox polarizes IT departments. From the executive board down to ordinary employees, people rely on the popular cloud storage service. This is mainly due to an ease of use that internal IT departments do not provide today. In particular, two solutions developed in Germany come in here, which allow companies to implement Dropbox-like functions within a self-managed IT infrastructure: TeamDrive and ownCloud. TeamDrive represents a fully commercial and proprietary approach, ownCloud an open source approach that also offers a commercial version. Both claim the title of “Dropbox for the Enterprise”. However, when moving in exactly this environment, the issue of security plays a very important role.

Background: TeamDrive and ownCloud

TeamDrive and ownCloud have two different business models. TeamDrive positions itself in the market as a fully commercial product for companies. ownCloud uses the open source community in order to gain market share. With a commercial version, ownCloud also addresses the market for professional business solutions.

About TeamDrive

TeamDrive is a file sharing and synchronization solution for companies that do not want to store their sensitive data on external cloud services but still want to enable their teams to synchronize data and documents. For this, TeamDrive monitors any folder on a PC or laptop that can be used and edited together with invited users. With that, data is available at any time, also offline. The automatic synchronization, backup and versioning of documents protect users from data loss. Since TeamDrive offers the possibility to operate the registration and hosting server in the company’s own data center, it can be integrated into existing IT infrastructures. For this, TeamDrive provides all the necessary APIs.

About ownCloud

ownCloud is an open source file sync and sharing solution for companies and organizations that want to retain control of their data and do not want to rely on external cloud storage. The core of the application is the ownCloud server, on which the software integrates seamlessly with the ownCloud clients into the existing IT infrastructure and enables the continued use of existing IT management tools. ownCloud serves as a local directory and can mount different local storages. Thus, files are available to all employees on all devices. In addition to local storage, directories can also be connected via NFS and CIFS.

TeamDrive and ownCloud: Security Architecture

This comparison is about the security architecture behind TeamDrive and ownCloud. The other functions of both solutions are not considered. It therefore covers the encryption techniques, data management, data processing and user authorization, as far as information is available. Basic knowledge of security is assumed.

TeamDrive: End-to-End Encryption

Despite its commercial approach, TeamDrive is quite informative and makes some security information publicly available, including on the topic of encryption. It also advertises with the data protection seal of the “Independent Centre for Privacy Protection Schleswig-Holstein”. Upon request, extensive information was readily made available, some of which is subject to an NDA (Non-Disclosure Agreement).

Ciphering Method

TeamDrive relies on the following encryption mechanisms:

  • Advanced Encryption Standard – AES 256
    To encrypt the data, TeamDrive uses the Advanced Encryption Standard (AES) with a 256-bit key and relies on the C implementation of the OpenSSL library.
  • Diffie-Hellman and RSA 3072
    For key exchange, TeamDrive relies on the Diffie-Hellman algorithm for its older clients. New clients use RSA 3072. The Diffie-Hellman implementation is based on the C implementation as provided by the OpenSSL library.
  • Message Digest 5/6 – MD5/MD6
    The TeamDrive hash function is based on the MD5/MD6 algorithm, where the hash value is stored together with a random string (salt).
  • PrimeBase Privacy Guard – PBPG
    The PrimeBase Privacy Guard (PBPG) is a proprietary public/private key system that builds on the Diffie-Hellman key exchange and AES encryption. For the user, the behavior of PBPG is similar to the known public/private key systems PGP or GnuPG. The PBPG encryption introduces random changes and verifies the files during the exchange, so PBPG can detect whether a message or keys have been tampered with or otherwise altered. Two messages are never the same. Here, a key pair is generated not only for each user, but also for each installation. The PBPG implementation is open and can be verified by partners and other interested parties, if required.

System Architecture

In TeamDrive, data is stored in a so-called Space, which determines the users who can access it. The exchange takes place via a Space Depot, which resides on a TeamDrive Enterprise Hosting Server, a TeamDrive Personal Server or a WebDAV server.

Each Space has its own 256-bit AES key, which is used to encrypt the data of this Space when it leaves the user’s device. Only the TeamDrive software installed on the devices of the other users of a Space has knowledge of the key.

Each server on which a Space Depot is available is responsible for storing, forwarding and applying changes within the Space. This way the clients can also exchange data even if not all of them are online at the same time. Any data stored on the server is encrypted using the 256-bit AES key of the Space.

User Authorization

The registration of a user is done with the TeamDrive client software, which verifies the user against the TeamDrive registration server. This is basically done by entering an e-mail address or a username and a password.

The authorization between the TeamDrive client and the TeamDrive registration server is based on the public key of the registration server. Information such as the e-mail address and the registration password plus other data of the user are transferred in an encrypted form to the registration server using the public key of the registration server.

Only the activation code is sent to the user via unencrypted e-mail. In addition, an encrypted response with the device ID is sent to the TeamDrive client. After activation by the user, the client software generates a PBPG key and a matching public key. The client software then sends the registration password and the public key back to the registration server, encrypted with the public key of the server. The activation code is verified and the public key of the user is stored. All subsequent messages sent to the registration server are encrypted with the PBPG public key of the user and require the device ID and the registration password for authorization.

Data Storage and Processing

To create a Space, the user needs a Space Depot and its password. This tells the TeamDrive client which server it needs to contact in order to create the Space. The client software then asks for the public key of the TeamDrive Hosting Server. The client software sends the device ID, the Space Depot ID, the username, the user ID, the user’s public key and the name of the Space as an encrypted message to the TeamDrive server. The message is encrypted with the public key of the server. The Space Depot ID and password are checked. The response is encrypted with the user’s public key. The TeamDrive server creates a new Space on the specified Space Depot. A 128-bit “authorization code” is randomly generated for the new Space and sent back to the client.

To access a Space, the URL, an authorization code and a Space data key are required. The URL contains the address of the server hosting the Space Depot that holds the contents of the Space, and the Space ID. Changes in the Space are uploaded to or downloaded from the Space in the Space Depot. For this purpose, HTTP PUT and POST methods are used. Before a file leaves the client, it is compressed and encrypted with a 256-bit AES key.

To access a Space, the TeamDrive client opens a session with the server. Within it, the ID of the Space to be accessed is transmitted first. After a successful check, the server generates a new session ID together with a 128-bit random number (RND) and sends it back to the client, which stores it locally. For uploading and deleting data, the client takes the RND and the authorization code of the Space, combines them in an XOR operation and applies an MD5 operation to the result. The result is sent along with the session ID and the encrypted data to the server.

The security of a Space Depot is ensured by the fact that after each request a new random RND value is returned, which the client must each time recalculate into a local value. In addition, the MD5 hash guarantees that the authorization code of the Space cannot be derived, even if the RND and the local value are known on the client side. This also prevents an attacker from infiltrating a session in order to upload data to the server.
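The session exchange described above, modelled in Python as an added example that is not TeamDrive’s code: the server issues a fresh RND after every request, the client answers with MD5(RND xor authorization code), and a replayed token or an unknown authorization code is rejected. Class and function names, the Space ID and the blobs are constructed for this illustration.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def request_token(rnd: bytes, auth_code: bytes) -> bytes:
    """Client-side value: MD5 over (RND xor Space authorization code).
    MD5 is used here because the page describes it; a keyed MAC such as
    HMAC would be the modern choice for the same job."""
    return hashlib.md5(xor_bytes(rnd, auth_code)).digest()


class SpaceDepotServer:
    """Hypothetical server modelling the Space Depot session handling."""

    def __init__(self) -> None:
        self.spaces = {}    # space_id -> 128-bit authorization code
        self.sessions = {}  # session_id -> {"space_id": ..., "rnd": ...}
        self.stored = {}    # space_id -> list of uploaded (already encrypted) blobs

    def create_space(self, space_id: str) -> bytes:
        """Create a Space and return its random 128-bit authorization code."""
        self.spaces[space_id] = secrets.token_bytes(16)
        self.stored[space_id] = []
        return self.spaces[space_id]

    def open_session(self, space_id: str) -> tuple:
        """Check the Space ID, then issue a session ID and the first RND."""
        if space_id not in self.spaces:
            raise KeyError("unknown Space")
        session_id, rnd = secrets.token_bytes(16), secrets.token_bytes(16)
        self.sessions[session_id] = {"space_id": space_id, "rnd": rnd}
        return session_id, rnd

    def upload(self, session_id: bytes, token: bytes, blob: bytes) -> bytes:
        """Verify the token against the current RND, store the blob, return a fresh RND."""
        session = self.sessions.get(session_id)
        if session is None:
            raise PermissionError("unknown session")
        expected = request_token(session["rnd"], self.spaces[session["space_id"]])
        if not hmac.compare_digest(expected, token):
            raise PermissionError("authorization token rejected")
        self.stored[session["space_id"]].append(blob)
        session["rnd"] = secrets.token_bytes(16)  # rotate: a captured token is single-use
        return session["rnd"]


class SpaceDepotClient:
    """Hypothetical client that knows the Space authorization code."""

    def __init__(self, server: SpaceDepotServer, space_id: str, auth_code: bytes) -> None:
        self.server, self.auth_code = server, auth_code
        self.session_id, self.rnd = server.open_session(space_id)

    def upload(self, blob: bytes) -> None:
        token = request_token(self.rnd, self.auth_code)
        self.rnd = self.server.upload(self.session_id, token, blob)  # keep the new RND


def run_exchange() -> dict:
    """Walk through the exchange and report which attempts the server accepts."""
    server = SpaceDepotServer()
    auth_code = server.create_space("space-42")
    client = SpaceDepotClient(server, "space-42", auth_code)
    stale_token = request_token(client.rnd, auth_code)  # token for the first RND
    client.upload(b"<constructed ciphertext 1>")  # accepted, RND rotates
    client.upload(b"<constructed ciphertext 2>")  # accepted again
    outcome = {"accepted": len(server.stored["space-42"])}
    try:  # replaying the first token after the RND has rotated
        server.upload(client.session_id, stale_token, b"<replayed blob>")
        outcome["replay_accepted"] = True
    except PermissionError:
        outcome["replay_accepted"] = False
    try:  # a client that knows the Space ID but not the authorization code
        SpaceDepotClient(server, "space-42", secrets.token_bytes(16)).upload(b"x")
        outcome["wrong_code_accepted"] = True
    except PermissionError:
        outcome["wrong_code_accepted"] = False
    return outcome
```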

Summary

Data security in a TeamDrive Space is ensured by encrypting the data with a 256-bit AES key. The key is known only to the TeamDrive clients that are members of a Space. Providers of storage services based on TeamDrive and system administrators do not have access to the data. The exchange of Space authorization keys between TeamDrive users takes place with a secure public/private key method, which itself uses 256-bit AES encryption. Access to a Space Depot or a Space is protected with a 128-bit authorization code. The authorization code prevents the storage of a Space Depot or a Space from being used by unauthorized third parties.

In addition to the encrypted data storage on the servers and the clients, the data is also always fully encrypted during transmission, whereby TeamDrive delivers complete end-to-end encryption of the data.

It should also be noted that TeamDrive has received the data protection seal of the “Independent Centre for Privacy Protection Schleswig Holstein”. The official approval number is 2-3/2005. In addition, TeamDrive was named as a “Cool Vendor in Privacy” 2013 in May by Gartner.

ownCloud: Server-side Encryption

At ownCloud, one looks in vain for public security information provided by ownCloud itself. This is a little surprising, since there are apparently many open questions even in the ownCloud community [1], [2] regarding the server-side encryption and encryption in general. Only a blog post can be found in which ownCloud’s fundamental understanding of security is presented publicly. However, when asked directly, ownCloud answered questions without hesitation and made more information available.

Ciphering Method

For data encryption, ownCloud 5.0 relies on the Advanced Encryption Standard (AES) with a 256-bit key.

Security blogger Pascal Junod dealt with the encryption of ownCloud 4.0 in early 2012. The relevant information can be found in the OC_Crypt class. Junod analyzed the PHP file in this context and published the relevant details. The key is generated with the PHP routine mt_rand(), which implements the Mersenne Twister, a pseudo-random number generator. Junod commented that this is not of cryptographically good quality. The generated key is encrypted with the user password using the symmetric block cipher Blowfish in ECB mode and then stored in the file encryption.key. Junod comes to the conclusion that an attacker who obtained this file could recover the password by brute force. He also points out that this key is used for the encryption of all of a user’s data and that the data is encrypted on the server side. He describes other ways to steal the encryption.key. The password, which is responsible for the encryption of the file, is transmitted in clear text (plain HTTP) from the client to the server. If the connection is not secured with HTTPS, anyone is able to intercept the communication, steal the password and could therefore access the ownCloud account and all data. Furthermore, the encryption.key is stored in plain text in the session data on the server side, most of the time in the /tmp directory. This means that a malicious ownCloud server administrator would be able to decipher the data. Junod also points out that, since the encryption is done on the server side, a system administrator could intentionally manipulate the ownCloud installation. He therefore recommends never to use ownCloud 4.0 to store confidential information.

ownCloud confirmed in the inquiry that ownCloud 5.0 itself does not implement fully integrated end-to-end encryption in the software. However, this can be implemented with third-party tools. Furthermore, encryption is done “at rest”. This means that the data is physically stored in encrypted form. The connection between the devices and the server is secured with SSL. The key exchange is authorized via the Provisioning API. Comprehensive key management is to follow in the future.

System Architecture

ownCloud has a plugin for server-side encryption that administrators can use to store data encrypted on the server. Users get access to the data and can share it as if it were unencrypted. The new plugin in ownCloud 5.0 addresses the vulnerability in ownCloud 4.0, in which a malicious system administrator could bypass the security architecture by modifying the ownCloud source code to integrate a backdoor or a password sniffer. For data encryption during transmission from the server to the device, SSL is used. The password can be changed by a user at any time. All files are encrypted with the new password afterwards.

For server-side security, the administrator must enable the encryption app in the ownCloud management console and set the “encryption” hook in the admin interface. Then a key pair (public/private) is created for all users. The user password is used to protect the private key. In addition, for each file uploaded to the server, a symmetric key is created. The uploaded user data is encrypted and stored with the symmetric key. The algorithm used is the Advanced Encryption Standard (AES 256). The symmetric key is encrypted with the private key of the user and stored on the server. If the data is retrieved from the server, it is first decrypted and then sent via an SSL connection to the client. The encryption routine behaves exactly the same with the other applications connected to ownCloud, such as the web interface, the versioning and the synchronization algorithm. If a user changes his password, the private key is decrypted with the old password and re-encrypted with the new password.

For the user, an uploaded and encrypted file on the ownCloud server looks like a non-encrypted file. The encryption is completely transparent to him. If a file is shared with other users, the public keys of each of these users are stored in the encrypted file. These users can use it to access the file and make changes to it as if it were an unencrypted file. It is the same with a folder. Users cannot open files that are not intended for them. Should a malicious user try to obtain access to the storage backend, files and keys are unreadable.

If the appropriate plug-in is enabled, a system administrator is able to see all files that are stored on ownCloud via the command line. However, the content of the files is encrypted. Regular backups can still be made, but all files remain encrypted, even if the data is copied outside the system. An administrator can also configure additional settings to exclude certain file sizes and formats from the encryption.
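The key hierarchy of the server-side encryption described in the two preceding sections, modelled in Python as an added example that is not ownCloud’s code: a fresh symmetric key per uploaded file, that file key wrapped under the user’s key, the user’s key protected by the password, and a password change that re-encrypts only the user’s key. It assumes two simplifications, labelled in the code: the user’s asymmetric key pair is replaced by a symmetric per-user key (so sharing is not modelled), and AES-256 is replaced by an HMAC-SHA256 counter-mode keystream because the standard library has no AES. PBKDF2 for the password step and all names are this example’s choices.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES-256."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC, so a wrong password or key is detected instead of yielding garbage."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _keystream_xor(key, nonce, plaintext)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(key, body[:NONCE_LEN], body[NONCE_LEN:])


def password_kek(password: str, salt: bytes) -> bytes:
    """Key derived from the user password to protect the user key (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


class EncryptionApp:
    """Hypothetical model of the ownCloud 5.0 server-side encryption app."""

    def __init__(self) -> None:
        self.users = {}  # name -> (salt, user key sealed under the password-derived key)
        self.files = {}  # path -> (owner, ciphertext, file key sealed under the user key)

    def create_user(self, name: str, password: str) -> None:
        user_key = secrets.token_bytes(32)  # simplification: stands in for the private key
        salt = os.urandom(16)
        self.users[name] = (salt, seal(password_kek(password, salt), user_key))

    def _unlock_user_key(self, name: str, password: str) -> bytes:
        salt, sealed_key = self.users[name]
        return open_sealed(password_kek(password, salt), sealed_key)

    def upload(self, name: str, password: str, path: str, plaintext: bytes) -> None:
        file_key = secrets.token_bytes(32)  # a fresh symmetric key for every uploaded file
        user_key = self._unlock_user_key(name, password)
        self.files[path] = (name, seal(file_key, plaintext), seal(user_key, file_key))

    def download(self, name: str, password: str, path: str) -> bytes:
        owner, ciphertext, sealed_file_key = self.files[path]
        if owner != name:
            raise PermissionError("file not intended for this user")
        file_key = open_sealed(self._unlock_user_key(name, password), sealed_file_key)
        return open_sealed(file_key, ciphertext)  # decrypted on the server, then sent over SSL

    def change_password(self, name: str, old: str, new: str) -> None:
        """Only the user key is re-sealed; file keys and ciphertexts are left untouched."""
        user_key = self._unlock_user_key(name, old)
        salt = os.urandom(16)
        self.users[name] = (salt, seal(password_kek(new, salt), user_key))

    def admin_view(self, path: str) -> bytes:
        """What an administrator sees on the command line: the ciphertext only."""
        return self.files[path][1]
```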

Summary

With version 5.0, ownCloud now offers server-side data encryption. However, an administrator must explicitly activate a plug-in to encrypt files with AES 256. If a file leaves the ownCloud server, it is first decrypted and then transmitted over an SSL connection to the ownCloud client. This means that complete end-to-end encryption is currently not available with simple on-board tools, which ownCloud confirms.

The ownCloud encryption module has been developed for the use within an enterprise data center on the company’s own servers, administered by trusted administrators.

Management Advisory: TeamDrive vs. ownCloud

The comparison of TeamDrive with ownCloud in effect also confronts a commercial with an open source approach. However, what is a little surprising here is the openness of the commercial vendor TeamDrive compared to ownCloud. Commercial vendors are often criticized for talking little about their security architecture. In this case, we see exactly the opposite. This is probably because ownCloud has not implemented much security or encryption to talk about. Only with ownCloud version 5.0 is a module for server-side encryption implemented. However, the questions from the ownCloud community show that there is a need for information and in particular for security. Here the ownCloud community is still called upon to demand more public information and security.

In this context, the content of the above-mentioned blog article by ownCloud makes sense, as it reflects the basic security philosophy of ownCloud. For ownCloud, encryption is an important point, but the focus should rather be on control of the data.

Security vs. Flexibility

TeamDrive relies on a fully integrated approach and also provides end-to-end encryption of all data transferred between the server and the client on the respective device. Thus, despite very high demands on the uncomfortable topic of security, TeamDrive allows the convenient use of a cloud storage service. ownCloud first decrypts the data after it is loaded from the server and then transfers it over an SSL connection. The missing on-board tools for end-to-end encryption can be compensated for with external third-party solutions. However, it should be considered that this makes the integration costlier, and whether an open source approach still provides a cost advantage especially in this case.

But it should be noted that ownCloud, due to its open source approach, offers more flexibility than TeamDrive and can thereby be completely adapted to the company’s own IT infrastructure according to its own needs. In terms of security, ownCloud still needs to catch up. As a consequence, the solution per se does not meet the current security standards of businesses and is therefore only conditionally recommended.

At the end of the day, the decision must be made whether a company prefers a commercial and integrated approach including security mechanisms based on on-board tools, or open source software that requires additional external security solutions which must be integrated by the company itself. Anyone looking for an all-in-one solution, including complete end-to-end encryption and at the same time more security, should decide for TeamDrive.