<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Diversity Blog - SaaS, Cloud &#38; Business Strategy &#187; security</title>
	<atom:link href="http://www.diversity.net.nz/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.diversity.net.nz</link>
	<description>Commentary and Analysis for User-Centered Technology</description>
	<lastBuildDate>Fri, 10 Feb 2012 16:40:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Closing the Door Before the Horse Bolts – On Passwords For Cloud</title>
		<link>http://www.diversity.net.nz/closing-the-door-before-the-horse-bolts-%e2%80%93-on-passwords-for-cloud-2/2011/11/23/</link>
		<comments>http://www.diversity.net.nz/closing-the-door-before-the-horse-bolts-%e2%80%93-on-passwords-for-cloud-2/2011/11/23/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 11:08:55 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Password management]]></category>
		<category><![CDATA[Password Tools]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.diversity.net.nz/?p=7001</guid>
		<description><![CDATA[The advent of the Internet (actually the advent of software used by the general populace) has created an entire new bunch of folks with ulcers caused by the worries around password management. Passwords, it seems, are both the bane of our existence and, apparently, the most important thing in our]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.rackspace.com/cloud/cloudU/"><img class="alignright" src="http://diversitynet.zippykidcdn.com/wp-content/uploads/2011/11/cloudnotebooks3.png" alt="" width="212" height="194" /></a>The advent of the Internet (actually the advent of software used by the general populace) has created an entire new bunch of folks with ulcers caused by the worries around password management. Passwords, it seems, are both the bane of our existence and, apparently, the most important thing in our lives.</p>
<div>
<div>
<p>Unfortunately the Cloud doesn’t really change this: good password practices are as important in the Cloud as they were in an on-premise world, and potentially even more so.</p>
<p>In the Cloud security <a href="http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Elephant-in-the-Room.pdf">report</a> we wrote for <a href="http://www.rackspace.com/cloud/cloudU/">CloudU</a>, we spent a bunch of time talking about what Cloud users can and should do to ensure they keep themselves safe, at least when it comes to passwords. It’s always worthwhile reminding people of stuff that, frankly, they should know about anyway – sometimes it’s the most obvious things….</p>
<p>So to that end, here’s our checklist for good approaches to passwords in the Cloud:</p>
<ul>
<li><strong>Complexity</strong> – the more, the better. Combinations of letters, numbers, cases and special characters win the day here, and length counts for more than any single character class (and please don’t use “password” as your password!)</li>
<li><strong>Expiration</strong> – A fancy way of saying that you shouldn’t use the password you used for your first email address in high school when you’re 45. Passwords should be refreshed regularly (kind of like your underwear). One caveat from current guidance (NIST SP 800-63B): a fixed rotation schedule mostly produces predictable variants of the old password, so the change that matters most is the one forced as soon as there is any sign of compromise</li>
<li><strong>Differentiation</strong> – The Lord of the Rings was all about One Ring to Rule Them All, passwords aren’t like this so please don’t use the same password on the 53 gazillion social sites you’re a member of</li>
<li><strong>Minimum requirements</strong> – A system that would allow me to choose the password “1” is just plain dumb. Administrators need to introduce minimum password requirements (a minimum length above all) into their policies</li>
<li><strong>History</strong> – There’s nothing worse than users who have a revolving door policy to passwords, alternating between the same two passwords every time a change is required. Keeping them fresh is the best approach, and a system that remembers the hashes of the last few passwords can enforce it</li>
</ul>
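<p>As an added example (not code from this post or from the CloudU report), here is a server-side password-policy check in Python that turns the checklist above into something a cloud application can actually enforce: a minimum length, a character-class floor, a denylist that stands in for a breached-password list (the closest a server can get to catching passwords already reused and leaked elsewhere), and a hashed history that stops the revolving-door user from alternating between two old passwords. The thresholds, the denylist contents and the PBKDF2 parameters are assumptions chosen for illustration.</p>

```python
# Added example: a password-policy check covering the checklist's
# "minimum requirements", "complexity" and "history" points. Thresholds,
# the denylist contents and the PBKDF2 parameters are assumptions.
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 12            # assumed policy: length is the strongest single lever
MIN_CLASSES = 3            # of: lowercase, uppercase, digit, other
HISTORY_DEPTH = 5          # how many previous passwords a user may not reuse
PBKDF2_ITERATIONS = 100_000

# Constructed denylist for illustration; a real deployment would load a
# large breached-password list and check it the same way.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "1"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest).

    The history is stored as (salt, digest) pairs so that old passwords
    never sit in the database in cleartext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any previously used password.

    Each stored salt is reused to recompute the digest, and the comparison
    is constant-time so the check itself leaks nothing about stored digests."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_policy(password: str, history: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Every rule is evaluated (rather than stopping at the first failure) so the
    user sees everything that needs fixing in one round trip."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    classes = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    recent = list(history)[-HISTORY_DEPTH:]   # only the most recent N count
    if matches_history(password, recent):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Simulate the "revolving door" user who alternates between two passwords.
    history = [hash_password(p) for p in ("Winter-2010-Skis", "Summer-2011-Surf")]
    print(check_policy("1"))                                 # trips three rules
    print(check_policy("Winter-2010-Skis", history))         # caught by history
    print(check_policy("Correct-Horse-Battery-9", history))  # [] -> accepted
```

<p>The history check deliberately reuses each stored salt rather than hashing the candidate once: with per-entry salts there is no shortcut, which is also why the depth is capped at a handful of entries, since every extra entry costs one full PBKDF2 run at login or password-change time.</p>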
<p>Follow our guidelines and your cloudy (and non-cloudy) life will be a whole lot safer.</p>
<p>This series of posts are companion pieces to the CloudU series of educational material. We’d love you to join in some of our webinars or read the whitepapers; the CloudU homepage is <a href="http://www.rackspace.com/cloud/cloudU/">here</a>, and you can register there to have updates sent to your inbox (in a non-spammy way of course!).</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/closing-the-door-before-the-horse-bolts-%e2%80%93-on-passwords-for-cloud-2/2011/11/23/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>A Checklist for Customer Cloud Security</title>
		<link>http://www.diversity.net.nz/a-checklist-for-customer-cloud-security-2/2011/11/11/</link>
		<comments>http://www.diversity.net.nz/a-checklist-for-customer-cloud-security-2/2011/11/11/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 11:53:57 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.diversity.net.nz/?p=6955</guid>
		<description><![CDATA[I often hear how Cloud is insecure from people who claim that unauthorized access is a real and significant risk for users of Cloud Computing. It always kind of frustrates me as, in my (admittedly somewhat biased) view, Cloud is as secure, if not more so, than traditional IT. In]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.rackspace.com/cloud/cloudU/"><img class="alignright" src="http://diversitynet.zippykidcdn.com/wp-content/uploads/2011/11/cloudnotebooks.png" alt="" width="212" height="194" /></a></p>
<div>
<div>
<p>I often hear how Cloud is insecure from people who claim that unauthorized access is a real and significant risk for users of Cloud Computing. It always kind of frustrates me as, in my (admittedly somewhat biased) view, Cloud is as secure, if not more so, than traditional IT.</p>
<p>In our Cloud security <a href="http://broadcast.rackspace.com/hosting_knowledge/whitepapers/SayGoodbyetoDIYDataCenters.pdf">whitepaper </a>on CloudU, we spent a bunch of time talking about why Cloud Computing is in fact potentially significantly more secure than traditional models of IT delivery while at the same time pointing out the fact that there’s still stuff that organizations need to think about when using Cloud.</p>
<p>At the same time, however, we were totally realistic about the fact that there are still some things that end customers need to think about in terms of security. Sometimes the most useful thing for folks making a change is a simple checklist of things to think about and so, to that end, here are our picks of things to think about when moving your organization to the Cloud:</p>
<ul>
<li>Firewalls – Customers still need to think about controlling the traffic in, and out, of their organization. Hardware and software firewalls ensure your traffic can punch through, but the baddies are kept at bay</li>
<li>Patches – You may be using lots of Cloud applications, but it’s still a safe bet that you have some desktop applications or, if not, at least some operating systems. These all need to be kept patched and running current versions</li>
<li>Backups – Unless everything you have is on the Cloud, you need to think about backing up your data, preferably off-site</li>
<li>Controlling access to the Cloud – there’s no use being hyper secure if your employees leave mobile devices sitting around the place that people can access your sensitive data from. You need to think about policies and password protection for any device accessing your data</li>
<li>Staff security – your biggest threat comes from within. Hire your staff well and make sure they don’t put you at risk, either maliciously or otherwise</li>
<li>Passwords – the bane of our existence. Such an important area that we’ll come back to this one for more detail</li>
</ul>
<p>Ensure these six points are dealt with, and you’re all set to enjoy a safe and rewarding Cloud experience.</p>
<p>We’re covering all things Cloud at <a href="http://www.rackspace.com/cloud/cloudU/">CloudU</a>, our Cloud Computing educational series. We’d love you to <a href="http://www.rackspace.com/cloud/cloudU/">sign up</a> to receive whitepapers and webinar invitations.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/a-checklist-for-customer-cloud-security-2/2011/11/11/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cloud Security – It’s All About Partnership</title>
		<link>http://www.diversity.net.nz/cloud-security-%e2%80%93-it%e2%80%99s-all-about-partnership-3/2011/11/03/</link>
		<comments>http://www.diversity.net.nz/cloud-security-%e2%80%93-it%e2%80%99s-all-about-partnership-3/2011/11/03/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 12:39:52 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Cloud Security Alliance]]></category>
		<category><![CDATA[Data security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Security risk]]></category>
		<category><![CDATA[Vivek Kundra]]></category>
		<category><![CDATA[Washington DC]]></category>

		<guid isPermaLink="false">http://www.diversity.net.nz/?p=6916</guid>
		<description><![CDATA[Cloud Computing, like marriage, is an example of a situation needing ongoing work from both parties to make for success. It was the over-arching theme of the CloudU report we published recently which took a deep look at Cloud Security. In the report we reflected on the fact that, rather than the]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.rackspace.com/cloud/cloudU/"><img class="alignleft" src="http://diversitynet.zippykidcdn.com/wp-content/uploads/2011/10/cloudnotebooks6.png" alt="" width="148" height="136" /></a></p>
<div>
<div>
<p>Cloud Computing, like marriage, is an example of a situation needing ongoing work from both parties to make for success. It was the over-arching theme of the CloudU <a href="http://broadcast.rackspace.com/hosting_knowledge/whitepapers/Elephant-in-the-Room.pdf">report</a> we published recently which took a deep look at Cloud Security. In the report we reflected on the fact that, rather than the traditionally held view that by outsourcing IT, end users can forget about security, Cloud security is truly a two way street with both parties needing to bring something to the table.</p>
<p>There seem to be conflicting messages coming from vendors – the traditional vendors decrying the security issues raised by the Cloud, while the Cloud vendors seek to ignore the security issues that Cloud does indeed raise.</p>
<p>It was interesting then, given the conflicting messages, to read a blog <a href="http://www.networkworld.com/community/node/78610">post</a> recently. In the post, Jon Oltsik tells of presenting at a Cloud conference in Washington DC and having the overwhelming feeling that Cloud security concerns are real, this despite the contrasting view of former Federal CIO Vivek Kundra who perceives that:</p>
</div>
<blockquote>
<div>a lot of people are sort of driving this notion of fear around (Cloud) security, and the reason I think that’s been amplified, frankly, is because it preserves the status quo.</div>
</blockquote>
<div>
<p>Oltsik reflects on recent research that suggests that 43% of respondents in one particular survey rated “data security and privacy concerns” as their top issue when it comes to Cloud Computing. This perception isn’t helped by well-meaning, but ultimately unhelpful, comments on the risks involved in Cloud Computing. A good example of this popped up recently with an emotive <a href="http://www.nzherald.co.nz/compute/news/article.cfm?c_id=1501832&amp;objectid=10750821">article</a> titled “Cloud’s Shady Side”.</p>
<p>The article talked about a new initiative being discussed in New Zealand that would see a Cloud code of practice developed to help protect customers. In the article mention was made of the security risks of Cloud Computing, especially to small and mid sized businesses who might put “all the business data and personal information of clients in a Cloud without having good controls or knowing where it was”.</p>
<p>What the article fails to mention is the fact that the biggest security risk to small and mid sized businesses comes not from outside parties looking to steal or nefariously use their data, rather it comes from insidious risks such as:</p>
<ul>
<li>rogue employees looking to cause damage to the organization</li>
<li>losses from the failure of poorly maintained systems</li>
</ul>
<p>Yes, Cloud Computing, like any system that relies on more than information stored in one person’s memory, has security risks. But these risks are both manageable, and relatively low compared to the alternative. Cloud users need to understand what they need to do to keep themselves safe in the Cloud, but understanding and planning for the risks is different from putting Cloud in the “too hard” basket.</p>
<p>Cloud security is a two way street – both vendors and customers have a part to play in keeping it safe but, notwithstanding this fact, Cloud is still the best option for a number of SMB use cases.</p>
<p>This series of posts are companion pieces to the CloudU series of educational material. We’d love you to join in some of our webinars or read the whitepapers; the CloudU homepage is <a href="http://www.rackspace.com/cloud/cloudU/">here</a>, and you can register there to have updates sent to your inbox (in a non-spammy way of course!).</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/cloud-security-%e2%80%93-it%e2%80%99s-all-about-partnership-3/2011/11/03/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>LastPass Demonstrates Impeccable Crisis Handling</title>
		<link>http://www.diversity.net.nz/lastpass-demonstrates-impeccable-crisis-handling/2011/05/12/</link>
		<comments>http://www.diversity.net.nz/lastpass-demonstrates-impeccable-crisis-handling/2011/05/12/#comments</comments>
		<pubDate>Thu, 12 May 2011 12:40:00 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Joe Siegrist]]></category>
		<category><![CDATA[LastPass]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://diversity.net.nz/?p=5421</guid>
		<description><![CDATA[By now it’s old news – password service LastPass (possibly my favorite app of all time) noticed some unusual activity from their logs and went into the highest levels of DEFCON, contacting all its users (myself included) and forcing a password change and other measures. There’s been a bit of]]></description>
			<content:encoded><![CDATA[<p>By now it’s old news – password service <a class="zem_slink" title="LastPass" rel="homepage" href="https://www.lastpass.com/">LastPass</a> (possibly my <a href="http://diversity.net.nz/index.php?s=lastpass">favorite</a> app of all time) <a href="http://blog.lastpass.com/2011/05/lastpass-security-notification.html">noticed</a> some unusual activity in their logs and went into the highest levels of <a class="zem_slink" title="DEFCON" rel="wikipedia" href="http://en.wikipedia.org/wiki/DEFCON">DEFCON</a>, contacting all its users (myself included) and forcing a password change and other measures. There’s been a bit of to-ing and fro-ing in different blogs about what this means for the web, for the cloud, for password sites and the like. I’ll not dwell on that aspect other than to say that, in my opinion at least, there are two options. Firstly, to have unique and secure passwords for your different services in the hands of a company whose very existence rests on keeping those passwords secure. Secondly, to rely on (as is generally the case) one password for all your sites, to hardly ever change that password and (sacré bleu) to write said password on a post-it note attached to the inside of your laptop.</p>
<p>What I really wanted to talk about is the actions of LastPass and in particular their CEO, <a class="zem_slink" title="Joe Siegrist" rel="crunchbase" href="http://www.crunchbase.com/person/joe-siegrist">Joe Siegrist</a>. It’s also worthwhile contrasting his actions with those of <a class="zem_slink" title="Sony" rel="homepage" href="http://www.sony.com/">Sony</a> during the recent security debacle where thousands of user details, of the highest sensitivity, were breached. Bear in mind that in the case of LastPass there is no proof that any real loss occurred, and yet Siegrist came out with a hyper-cautious approach and embarked on a course of action that included multiple levels of checks and balances.</p>
<p>It is well worth reading an exclusive <a href="http://www.pcworld.com/article/227268/exclusive_lastpass_ceo_explains_possible_hack.html">interview</a> over on <a class="zem_slink" title="PC World (magazine)" rel="homepage" href="http://www.pcworld.com/">PC World</a>. Most telling is Siegrist’s final statement:</p>
<blockquote><p>We tried to handle this the way we&#8217;d want it to be handled if we were users. And that&#8217;s what we&#8217;re looking at. We&#8217;re trying our best to do what&#8217;s right.</p></blockquote>
<p>In my opinion the actions of LastPass have been exemplary – the actual loss in this instance was either non-existent or negligible. Many larger companies would have simply brushed this under the table and perhaps introduced some new security measures under the cloak of a version update. LastPass however was completely up-front and transparent about what happened, what they knew and, more importantly, what they didn’t know, the potential consequences and the solutions to the issue.</p>
<p>In the process, of course, LastPass got huge amounts of media attention that, once the storm over the security breach has died down, will have an ongoing benefit. I’ve met Siegrist however and have talked at length to him about what he’s doing and I totally buy the story that his handling of the incident was purely and simply a desire to “do the right thing”.</p>
<p>If only other vendors had the same moral perspective…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/lastpass-demonstrates-impeccable-crisis-handling/2011/05/12/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Capturing CAPTCHAs</title>
		<link>http://www.diversity.net.nz/capturing-captchas/2008/09/08/</link>
		<comments>http://www.diversity.net.nz/capturing-captchas/2008/09/08/#comments</comments>
		<pubDate>Sun, 07 Sep 2008 18:44:24 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[Efficiency]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Society]]></category>
		<category><![CDATA[CAPTCHA]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://diversity.net.nz/capturing-captchas/2008/08/07/</guid>
		<description><![CDATA[I read this amazing post over on ZDNet that details the massive operations out of India providing contract CAPTCHA solving services. It seems the contractors pull down hundreds of thousands of CAPTCHAs automatically from the likes of Craigslist, Gmail, Yahoo, MySpace, YouTube and Facebook, charging around $2 per 1000 solved]]></description>
			<content:encoded><![CDATA[<p>I read this amazing <a href="http://blogs.zdnet.com/security/?p=1835" target="_blank">post</a> over on ZDNet that details the massive operations out of India providing contract CAPTCHA solving services.</p>
<p>It seems the contractors pull down hundreds of thousands of CAPTCHAs automatically from the likes of Craigslist, Gmail, Yahoo, MySpace, YouTube and Facebook, charging around $2 per 1000 solved CAPTCHAs.</p>
<p>Call me naive but it would be so nice if we had a perfect interweb where I didn&#8217;t have to spend collective hours typing CAPTCHAs to register on websites, where Indian contractors didn&#8217;t offer to break them and where dodgy Eastern European phishing operators didn&#8217;t then use those CAPTCHAs to make everyone&#8217;s lives less pleasant.</p>
<p>Yeah yeah &#8211; naivete I know&#8230;</p>
<p>The post came to the conclusion that text based CAPTCHAs are on their deathbed. I guess that means they&#8217;ll be replaced by something similarly annoying, that the underworld will crack in five minutes. There has to be a better way.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/capturing-captchas/2008/09/08/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>On mobile banking&#8230;</title>
		<link>http://www.diversity.net.nz/on-mobile-banking/2008/07/07/</link>
		<comments>http://www.diversity.net.nz/on-mobile-banking/2008/07/07/#comments</comments>
		<pubDate>Sun, 06 Jul 2008 17:49:59 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Society]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[mobile data]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://diversity.net.nz/on-mobile-banking/2008/07/07/</guid>
		<description><![CDATA[With the release of the iPhone 3G, movement on affordable mobile dataplans and a myriad of new entrants in mobile applications, it is interesting to look at perceptions around mobile data. An interesting research piece from Unisys brings up the following statistics; worldwide there are 3.3 billion mobile phone subscribers]]></description>
			<content:encoded><![CDATA[<p>With the release of the iPhone 3G, movement on affordable mobile dataplans and a myriad of new entrants in mobile applications, it is interesting to look at perceptions around mobile data.</p>
<p>An interesting <a href="http://www.voiceanddata.com.au/articles/25094-Users-don-t-trust-mobile-devices-for-financial-transactions" target="_blank">research piece</a> from Unisys brings up the following statistics:</p>
<ul>
<li>worldwide there are 3.3 billion mobile phone subscribers</li>
<li>71% of survey respondents (surveyed in 14 countries) would not consider using a mobile device to shop or bank</li>
<li>59% do not trust their mobile devices to provide a secure transaction</li>
<li>Only 9% currently use their devices to process secure transactions</li>
</ul>
<p>Overall what is interesting is that less than 10% of respondents trust a telecom provider to provide a secure transaction, but instead overwhelmingly favour banks to provide this functionality in a robust manner.</p>
<p>Clearly there is some advice that comes from all of this &#8211; Telcos who want to be in this space should look at forming partnerships with trusted providers, where the Telco provides the back-end technology but the trusted provider (i.e. a bank) is the clearinghouse for the transaction.</p>
<p>Or will people&#8217;s fears about security reduce given time and increasing exposure to a mobile world?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/on-mobile-banking/2008/07/07/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Can you really trust a bootstrapped startup?</title>
		<link>http://www.diversity.net.nz/can-you-really-trust-a-bootstrapped-startup/2008/06/18/</link>
		<comments>http://www.diversity.net.nz/can-you-really-trust-a-bootstrapped-startup/2008/06/18/#comments</comments>
		<pubDate>Tue, 17 Jun 2008 18:31:38 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[New business]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Web x.0]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://diversity.net.nz/can-you-really-trust-a-bootstrapped-startup/2008/06/18/</guid>
		<description><![CDATA[RWW reports that online storage company DivShare, has had a security breach. Apparently a malicious user accessed their database which included user e-mail addresses and other profile information. They also say that no financial information has been accessed by any unauthorized parties. It&#8217;s not the first of these sort of]]></description>
			<content:encoded><![CDATA[<p>RWW <a href="http://www.readwriteweb.com/archives/divshare_security_scare.php" target="_blank">reports</a> that online storage company <a href="http://www.divshare.com/">DivShare</a> has had a security breach. Apparently a malicious user accessed their database, which included user e-mail addresses and other profile information. They also say that no financial information has been accessed by any unauthorized parties. It&#8217;s not the first of these sorts of problems, and there have been many tales of start-ups disappearing without trace and leaving user data floating around the web somewhere.</p>
<p>The specific causes of this breach aren&#8217;t important; what is important, however, is that users of web services feel secure using them. Can they feel secure when the start-up is living off the smell of an oily rag, not knowing where the next chunk of cloud storage (let alone salary paycheck) will come from?</p>
<p>It&#8217;s one of the reasons that <a href="http://www.xero.com" target="_blank">Xero</a> CEO Rod Drury gives for the fact that they IPO&#8217;d very early on. Theirs is an application utilising the most sensitive of data, business financials, and Rod is adamant that publicly listing was imperative to build trust.</p>
<p>But what about other types of service? I use <a href="http://www.sugarsync.com" target="_blank">SugarSync</a>, an online sync/backup solution. I&#8217;ve personally spoken with the CEO and I&#8217;m comfortable that they&#8217;re well funded and stable, but that is a perception based on faith rather than actual knowledge &#8211; who&#8217;s to say they also won&#8217;t go down tomorrow, next week or some other time.</p>
<p>Now I&#8217;m not suggesting that it&#8217;d be preferable to have every web app on earth rolled into either Google or Microsoft, but I would suggest a two pronged approach from users:</p>
<ol>
<li>Think about the end results of security breaches for the web apps you use &#8211; use multiple backups (even in the clouds), segregate data and don&#8217;t keep super sensitive stuff there</li>
<li>Do good due diligence on providers. Enterprise customers have long known the necessity of this but individual users need to consider it as well</li>
</ol>
<p>I know a number of bootstrapped start-ups (or started-ups) read this blog &#8211; I&#8217;d be interested to hear their thoughts on this subject.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/can-you-really-trust-a-bootstrapped-startup/2008/06/18/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Banking and security&#8230;</title>
		<link>http://www.diversity.net.nz/banking-and-security/2008/06/13/</link>
		<comments>http://www.diversity.net.nz/banking-and-security/2008/06/13/#comments</comments>
		<pubDate>Fri, 13 Jun 2008 00:17:18 +0000</pubDate>
		<dc:creator>Ben Kepes</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://diversity.net.nz/banking-and-security/2008/06/13/</guid>
		<description><![CDATA[An excellent post over on Geekzone about a customer experience with a bank. Seems that the bank contacted their customer by phone in order to make some changes to their account. Said customer was asked to verify their identity by password but when he rightly pointed out to the bank]]></description>
			<content:encoded><![CDATA[<p>An excellent <a href="http://www.geekzone.co.nz/foobar/5213" target="_blank">post</a> over on Geekzone about a customer experience with a bank. Seems that the bank contacted their customer by phone in order to make some changes to their account. Said customer was asked to verify their identity by password but when he rightly pointed out to the bank that he had no way of knowing if the person from the bank itself was legitimate &#8211; the bank officer was somewhat stumped.</p>
<p>I&#8217;ve always been a little laissez faire when it comes to banking and security, kind of having (blind and unwarranted) faith in those venerable banking institutions. I&#8217;m not sure why this is; bank lending is unsecured and banks are just another business, albeit one with some regulation lording over them. I have a friend who has spent years doing contract IT work within banks in the UK; she laughed when I told her about my hands off attitude and recounted the number of times she&#8217;s seen unencrypted customer username and password information passed around behind the bank&#8217;s firewalls.</p>
<p>Sure, Internet banking is protected at length by encryption and SSL, but do we know what happens within the bank&#8217;s own systems? Bank tellers often get caught out stealing from the bank; what&#8217;s to stop a dodgy bank IT staffer from mining some user information?</p>
<p>SaaS providers talk often about the fact that customer data and customer authentication is separated on their system and within their organisation, thus ensuring that one individual within the SaaS organisation doesn&#8217;t have access to a users data &#8211; I wonder why we don&#8217;t demand the same level of security from our banks?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.diversity.net.nz/banking-and-security/2008/06/13/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

