Contrary to What You Learned in Grade School… Sharing is Bad, Okay?

There is a place and time for sharing. Share your color crayons, share your toys… share your feelings with those you love. But when it comes to business technology and infrastructure, sharing isn’t always the best approach. Some things you should just keep for yourself… like the servers you use for hosting business desktops, desktop applications and business data.

When we first began the journey of bringing small business desktops and applications like QuickBooks to the Internet, the “cloud” was not yet a thing. Hosting providers put up servers in racks in data centers, installed software and stored data on behalf of customers, and did their best to find ways of making the service affordable. Elastic resources, massive scalability and built-in redundancy (which are benefits of a real cloud fabric) were not generally available nor were they even remotely affordable. Because the hardware, networking and other resources that make up the hosting infrastructure is costly, it is important for the hosting service provider to be able to spread those costs across the entire customer base.

In most cases, this meant creating shared servers where many customers run their applications and store their data. Even when a provider suggests that a customer has a “private” server, there is still a good chance the server is using shared storage and/or networking resources made accessible in the environment.

Sharing can be a good thing or a bad thing, and it often depends on the behavior of those involved. In shared application hosting environments, particularly desktop hosting environments, there is a lot of potential for intentionally and unintentionally causing problems that can and will impact other users and customers on the platform.

A simple provisioning error might allow a user to see data belonging to another company or have access to applications or services they should not.

With shared resources, bad actors and intruders can often escape permission boundaries, attaching to network shares and other computers on the platform.

Malware accidentally introduced by an innocent user from one company could easily penetrate the entire system, following paths to data storage locations and other servers, spreading the problem to many customers and systems and even data centers.

If you are operating on the compromised system you are at risk, even if the compromise wasn’t initiated by one of  your users or from within one of your applications.

In the realm of QuickBooks hosting providers, the issues around sharing infrastructure and resources have created some very difficult situations for hosts and for their customers alike – especially when it comes to dealing with computer viruses, malware and ransomware. A few high-profile events, as well as numerous incidents which have flown under the radar, have revealed just how damaging the shared approach can be.

With the IRS, AICPA and other agencies issuing increasingly strong guidance for tax and accounting professionals to protect client information, finance professionals should strongly consider the risk introduced through shared hosting service arrangements and evaluate if it is greater than the costs of having a more private system.

Cloud platforms available today are fully matured, delivering scalability and agility at price levels that are affordable even for very small businesses.  No longer solely for enterprise enjoyment, real cloud solutions and delivery models can be used by small businesses for desktop and application hosting without compromise. Every business deserves their own cloud, and we know how to make that affordable.

Cooper Mann works with teams deploying on the Microsoft Azure platform, offering an agility in design not previously available with legacy computing approaches. Because every delivery is absolutely private to each customer, the solution can be scaled up (or down!) on demand to suit the specific needs of the individual business. More important is the fact that each customer operates separately, so any bad behavior the system may suffer from is their own.

jmbunnyfeetMake Sense?

J

Advertisements

4 Rules of Thumb Regarding Passwords and Authentication

Many people believe passwords are dumb.  They store their credentials for easy login, or maybe even leave the password blank if the app allows. For IT managers, forcing users to come up with a strong, unique password is definitely not an easy task.  Resting on convenience over security, many people would prefer to use familiar names and dates or simple phrases they can remember.  Even when IT departments try to enforce best practices there is often a struggle between honoring those standards and influencing user behavior.

Relaxed password standards allow users to set passwords that may be as easy to guess as they are to remember, and very strict requirements for strong and complex passwords often results with users storing passwords in document files or on post-it notes on the monitor. Setting password standards and managing the policy implementation requires a balance between usability and security, but more often than not the balance skews toward simplicity. Yet passwords aren’t going away any time soon, even while biometrics and multi-factor authentication methods grow in prominence.

It is most likely that new technologies and standards will be combined with passwords to protect critical data. Using only a password to protect information may not be the ultimate in security, but it is important to recognize that passwords remain as a key element in any security model. For now, passwords should be as strong and unguessable as possible.  As technologies and standards rise up to meet the demands of users as well as enterprises, there are likely to be changes in how passwords are used. Here are 4 rules of thumb to consider regarding passwords and where authentication technologies are going.

1. Your face might be your password.

Biometrics won’t fully replace passwords right away, but the use of biometric data for authentication is growing rapidly. Face recognition, fingerprinting and voice identification are all being employed as authentication mechanisms and users are embracing the technology because it is easier to use than a remembered password.  Smartphones and PCs have sensors for reading fingerprints and cameras for seeing faces, and microphones for hearing your voice.  Many systems are also now able to use geodata with the biometric data (matching person to place), making it harder to compromise an identity while also being less disruptive to the user. While the technology isn’t foolproof, it represents a major step towards creating more secure systems without placing the responsibility strictly on the user.

2. Two pieces of ID are better than one.

The point of multi-factor authentication is that there are two different pieces of evidence a user must present in order to gain access. For example, a password may be the first piece of evidence presented, with a pass code sent to a mobile device as a second. Even as biometric authentication grows in prominence, industry participants recognize that no single method covers all the bases all the time. Multi-factor authentication is gaining in prominence as users become more familiar with the methods and the implementations become less intrusive. AI may also influence how these systems are applied. As user behavior and transaction parameters are “learned”, systems can identify activities that fall outside of normal routines and additionally prompt users for single-use pins or passwords sent to their mobile device.

3. Businesses should learn from past mistakes.

With news of hacking, ransomware and malware being daily fare, companies and their users are realizing that password security really is important and are stepping up their security efforts. The information is available to help prevent businesses from making the same mistakes that others have, offering worst case scenarios a’plenty to learn from.  Using default passwords and recycling passwords across work and personal accounts, using unsecured network connections, not encrypting files that contain password information and failing to patch or update systems and software are entirely preventable situations that put information at risk. Taking the reports seriously and identifying mistakes to avoid is highly useful in designing security for the business.

4. There’s a growing ecosystem for authentication.

With the number and type of systems requiring authentication – from industrial control systems to dating websites – there is a great and growing need to find highly secure methods of authentication that are actually usable for the user. Even in the world of blockchain there is a need for “identity assurance” and confirmation when documents or biometrics are captured via smartphone. Fast IDentity Online (FIDO) is a set of security specifications for strong multi-factor authentication, developed by the FIDO Alliance. The FIDO Alliance includes members such as Google, Aetna, Amazon, Microsoft, Bank of America and Samsung, and developed the spec as an initial basis for standardizing authentication across platforms and systems at the client and protocol layers.  

Technology is changing rapidly and solutions once reserved for government and large enterprise are now entering mainstream consumer use. You’ve probably already noticed that banking and other apps are employing the use of fingerprint and other biometric data with increased frequency as users demand easier access to applications and features from their smartphones and other mobile devices.

These technologies sometimes replace traditional password entry as the primary means of authentication or augment password use in some manner. Even MasterCard has announced a component in its payment card solutions that allows users of next-gen payment cards to register their fingerprint data on their credit card.

The push is to allow users to interact with their tasks without putting up barriers to access.

A combination of usability and enhanced protection, the new standards are developing to address not just system security but identity verification for various purposes. Corporate information must be secured and so must personal identity information; simply read the news to understand what can happen when digital identity information gets compromised.

Whether the data is business or personal, keeping hackers and bad actors away from it isn’t easy, so strengthening the most basic first layer of protection – the password – is the best place to start.

Make Sense?

J