Tag: data security

Posted on

4 Rules of Thumb Regarding Passwords and Authentication

Many people believe passwords are dumb.  They store their credentials for easy login, or maybe even leave the password blank if the app allows. For IT managers, forcing users to come up with a strong, unique password is definitely not an easy task.  Resting on convenience over security, many people would prefer to use familiar names and dates or simple phrases they can remember.  Even when IT departments try to enforce best practices there is often a struggle between honoring those standards and influencing user behavior.

Relaxed password standards allow users to set passwords that may be as easy to guess as they are to remember, and very strict requirements for strong and complex passwords often results with users storing passwords in document files or on post-it notes on the monitor. Setting password standards and managing the policy implementation requires a balance between usability and security, but more often than not the balance skews toward simplicity. Yet passwords aren’t going away any time soon, even while biometrics and multi-factor authentication methods grow in prominence.

It is most likely that new technologies and standards will be combined with passwords to protect critical data. Using only a password to protect information may not be the ultimate in security, but it is important to recognize that passwords remain as a key element in any security model. For now, passwords should be as strong and unguessable as possible.  As technologies and standards rise up to meet the demands of users as well as enterprises, there are likely to be changes in how passwords are used. Here are 4 rules of thumb to consider regarding passwords and where authentication technologies are going.

1. Your face might be your password.

Biometrics won’t fully replace passwords right away, but the use of biometric data for authentication is growing rapidly. Face recognition, fingerprinting and voice identification are all being employed as authentication mechanisms and users are embracing the technology because it is easier to use than a remembered password.  Smartphones and PCs have sensors for reading fingerprints and cameras for seeing faces, and microphones for hearing your voice.  Many systems are also now able to use geodata with the biometric data (matching person to place), making it harder to compromise an identity while also being less disruptive to the user. While the technology isn’t foolproof, it represents a major step towards creating more secure systems without placing the responsibility strictly on the user.

2. Two pieces of ID are better than one.

The point of multi-factor authentication is that there are two different pieces of evidence a user must present in order to gain access. For example, a password may be the first piece of evidence presented, with a pass code sent to a mobile device as a second. Even as biometric authentication grows in prominence, industry participants recognize that no single method covers all the bases all the time. Multi-factor authentication is gaining in prominence as users become more familiar with the methods and the implementations become less intrusive. AI may also influence how these systems are applied. As user behavior and transaction parameters are “learned”, systems can identify activities that fall outside of normal routines and additionally prompt users for single-use pins or passwords sent to their mobile device.

3. Businesses should learn from past mistakes.

With news of hacking, ransomware and malware being daily fare, companies and their users are realizing that password security really is important and are stepping up their security efforts. The information is available to help prevent businesses from making the same mistakes that others have, offering worst case scenarios a’plenty to learn from.  Using default passwords and recycling passwords across work and personal accounts, using unsecured network connections, not encrypting files that contain password information and failing to patch or update systems and software are entirely preventable situations that put information at risk. Taking the reports seriously and identifying mistakes to avoid is highly useful in designing security for the business.

4. There’s a growing ecosystem for authentication.

With the number and type of systems requiring authentication – from industrial control systems to dating websites – there is a great and growing need to find highly secure methods of authentication that are actually usable for the user. Even in the world of blockchain there is a need for “identity assurance” and confirmation when documents or biometrics are captured via smartphone. Fast IDentity Online (FIDO) is a set of security specifications for strong multi-factor authentication, developed by the FIDO Alliance. The FIDO Alliance includes members such as Google, Aetna, Amazon, Microsoft, Bank of America and Samsung, and developed the spec as an initial basis for standardizing authentication across platforms and systems at the client and protocol layers.  

Technology is changing rapidly and solutions once reserved for government and large enterprise are now entering mainstream consumer use. You’ve probably already noticed that banking and other apps are employing the use of fingerprint and other biometric data with increased frequency as users demand easier access to applications and features from their smartphones and other mobile devices.

These technologies sometimes replace traditional password entry as the primary means of authentication or augment password use in some manner. Even MasterCard has announced a component in its payment card solutions that allows users of next-gen payment cards to register their fingerprint data on their credit card.

The push is to allow users to interact with their tasks without putting up barriers to access.

A combination of usability and enhanced protection, the new standards are developing to address not just system security but identity verification for various purposes. Corporate information must be secured and so must personal identity information; simply read the news to understand what can happen when digital identity information gets compromised.

Whether the data is business or personal, keeping hackers and bad actors away from it isn’t easy, so strengthening the most basic first layer of protection – the password – is the best place to start.

Make Sense?

J

Posted on

4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alley ways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy suggests against it.

This is a big deal for IT and security professionals and CIOs, which is why it took a while for IT to recognize the need to address mobile device security rather than simply deny mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive but are four essential rules of thumb to help guide business owners in addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies and keeping them modernized, relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the actual tools or processes currently in use.  Even more frequently a business will develop a policy just to say it has one, but won’t actually train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and force password changes with some frequency.

It is essential that all user access to applications or data be controlled at minimum by password-protected logins to the device and corporate resources coupled with periodic forced password changes. Users often prefer to not require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use.  Also, user access should be managed in real time, meaning that any aspect relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these forgotten chores are relegated to after-the-fact IT administration, which allows users to access resources beyond their rightful boundaries.

Rule 3:  Do something to contain the applications and data on the device.

Whether the approach is with containers, cloud hosting, server-based computing or something else, it is really important to try to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Password and other security measures prevent unauthorized access, but allowing applications, credentials or data to be stored directly on the mobile device allows those things to interact with other things on the device.  Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not even storing essential items on the device but only accessing them via the device. This allows the business to provide users with the access and functionality they need to do their jobs, but also reduces the vulnerability of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Updating mobile device operating system versions and release levels is important to make sure the device has the most current security patches and threat protection.   Some mobile OSes even have capabilities which can help keep personal and work apps separated.  Limiting the number of apps users can download to their devices should also be considered. Users may randomly download and install applications to their devices with little regard for the quality or security of the app, and often accept terms of use without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps if the device is used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business use, and every one of those mobile devices and the apps running on them could open the door for a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J

Posted on

Centralize and Secure Business Applications and Data

laptop drawingThe portable computer is an essential business tool for day’s mobile workforce, having the power and portability to meet the demands of executives and professionals working away from the office.  While executives and mobile professionals get the applications and data they need to keep productivity high, carrying business data on devices outside the network introduces significant business risk.

There are studies which estimate that as much as 80% of the data a small business owns (data like customer files, contracts, product information and financial data) is copied to or stored on portable computers.  When valuable business data is lost or stolen, the business can be exposed to a variety of problems – loss of revenue being just one. Losing track of business data can create legal issues, too. Customer privacy may be compromised, sensitive information could be exposed, or confidential plans might be made public if a business doesn’t take the right steps to secure its data.

It isn’t just the possibility of loss or theft which increases risk when data is copied to portable computers – the increased vulnerability of the information sits with the likelihood that the user will access unsecured networks, launch non-corporate applications, access private email accounts and perform other non-business related tasks with the computer because they have more access than with a fully secured corporate in-office desktop.  User behavior is often what puts corporate data and assets at risk, regardless of the policies that might define correct and acceptable procedures. It is very easy for workers to unknowingly lose and leak data, and when the data is present on the portable computer it gets even easier.

A 2014 study commissioned by Cisco Systems found that employees around the world continue to engage in “risky” behaviors that put business and personal information at risk:

  • The majority (70%) of surveyed IT pros believe that as many as half of their data loss incidents are due to authorized program installations
  • 44% of employees share work devices with others without supervision
  • 39% of IT professionals have dealt with employees trying to access unauthorized parts of the company’s network
  • Almost half of the employees admitted to copying data between work and personal computers when working from home
  • 18% (up to 25% in some regions) of employees shared passwords with their co-workers

Companies must not only protect their data for their financial well-being, but must recognize their legal obligation to protect much of the information, as well.  The risk extends beyond the walls of the enterprise, to vendors and customers and consumers whose information may be stored in the company data. Additionally, portable computers exposed to malware and virus attacks are likely to pass the bad code to other systems they come in contact with, introducing not just risk for the recipient but liability for the infected laptop owner.

Where mobile computing brings huge advantages to today’s business, owners would do well to consider the benefits of enabling mobility through the use of server-based and hosted computing models. Rather than installing software and copying data to PCs and mobile devices, workers should be able to access a central system where the applications actually run. IT management is more efficient and security is easier to enforce when applications and resources are contained exclusively within the corporate boundary, even if they are accessible from without.

Virtual desktop and remote application solutions offer features that address a variety of potential risk factors as well as enabling improved management and security of IT assets.  Centralizing and securing applications and data resources at the server allows businesses to deliver the mobility and functionality users need while enabling the information security and management the business demands. This is a foundation upon which remote desktop and remote application technologies were built, allowing users to have the real-time access to applications and data with full functionality and desktop modality, but without the requirement to install, manage and secure applications and data on the individual devices.

Make Sense?

J

Posted on

Confusing Value Propositions: Cloud Platforms and Hosted Applications

it-balancing-actConfusing Value Propositions: Cloud Platforms and  Hosted Applications

When a service provider is in the business of selling computing resources – like bandwidth, processors and memory, and disk storage – it makes a lot of sense to also leverage the value of software products and systems which drive consumption of computing resources.  In short, they market and sell software that runs on the platform in order to get folks to buy the platform, no different from selling desktop and server software in order to sell the hardware to run it.  It’s just that these days the hardware and networking components are often referred to as the “platform” or maybe “the cloud”.

Let’s face it… cloud computing platforms are just no fun if there’s nothing to run on them, and a hard drive has little value when there isn’t anything stored on it.  Once there is something there – an application, data… something – then the part has actual value in terms of driving revenue.  This is the difficulty and the basis for confusing value propositions when it comes to offering and delivering services in the form of a hosting platform.  Once again: platforms are just no fun if there’s nothing to run on them.  Is the value is really about the applications, not the platform? Or is the value in the platform, because it’s necessary for running the applications?

The truth is that both are essential parts of the entire “solution”, and the value of how the solution is packaged and offered is purely up to the purchaser to determine in terms of applicability to the business.  When it comes to hosted application offerings for businesses, there isn’t a single one-size-fits-all approach that will work.  Sometimes people want to purchase from different vendors and put their own solutions together, and sometimes folks want turnkey delivery of whatever they need.  Even channel partners and value-added resellers are finding that, with diminishing margins and aggressive competition prevalent in the market, removing the time-consuming aspects of solution delivery becomes paramount to achieving some level of profitability on the work.

What this means is that providers are looking for ways to increase the overall value and usability of their solutions, and when it comes to platform services there are only two directions to look: automation to support self-service, and application software delivery to drive consumption and usage on the hosting platform.

So now we’re back to the applications again.  There’s no way to avoid them, but there’s no great way for platform companies to engage with them, either.  Working with business application software is sometimes complicated, often annoying, and can be exceptionally time-consuming and resource intensive. And there are few licensing models which make it really easy for hosts and ISVs (Independent Software Vendors) to work together.  Then, of course, there is the desire for exclusivity on one side or the other.

Software companies don’t generally want to select a single platform provider for their software for a very simple reason: they don’t want to limit their potential user base.  Now that Windows platform is available just about anywhere – on local computers, on mobile devices, from platform and infrastructure hosting providers – how does the ISV make a decision on a single delivery channel or model or provider?

Some lean towards working with hosting providers to create branded, point-deliveries of the application.  Too often, however, this approach removes the ability for customers to benefit from other applications or integrations, eliminating some of the value of the solution and certainly curtailing benefits for integrating partners of the ISV.

Host it themselves?  The last thing most software developers want is to be responsible for hosting and maintaining some other guys’ software products; they have enough to worry about with their own offerings.  If the solution is standalone, maybe this approach works.  But there are few solutions made for the desktop which don’t have some strange integration point with MS Office apps, Adobe reader, Internet browsers or other things prevalent on the user desktop.

There isn’t any proven or easy path for software developers, IT suppliers or small business customers looking to create mobility and managed subscription service around desktop and server applications, and there is likely never going to be a single story line that all will follow.  This is among the reasons for the popularity of the “hybrid” cloud approach and growing importance of managed application hosting and ISV-authorized delivery models.  Yet even key providers in those areas have a tough time really communicating what they do in a way that is meaningful to the buyer.  Are they selling a platform, applications, or both? Folks in the industry know the jargon and how to use it, and are often skilled at adjusting their language in order to obfuscate or confuse certain sticky issues regarding software licensing in the cloud and other similar aspects of hosting.  It’s no wonder that many customers remain confused as to what, exactly, they’re being asked to buy, and where the lines of flexibility and responsibility are drawn.

The applications justify the platform, and there are possibly multiple platform approaches to delivering the app. It is a confusing situation for business buyers of IT as well as for their resellers and suppliers, and the increasing number of options for how businesses approach purchasing and using information technology makes it unlikely that the process will become as simple as some suggest.

jmbunnyfeetMake Sense?

J

Posted on

Small Business IT Governance: You really need it now

it-balancing-actBig changes are going on in the world of information technology and business.  Where social computing and  mobility are no longer purely consumer concerns, enterprise IT departments face a growing requirement to embrace user devices and access in environments which were once strictly and closely controlled.  Enterprise IT may be challenged when presented with user personal devices and demands for remote access to enterprise data, yet the governance of systems is generally well-defined and strictly performed.  In small business, however, the people, policy and process issues (collectively incorporated into “governance”) tend to be more organic, and the use of personal devices and open access is more frequently considered to be a normal part of the overall business IT profile.

It is a focus on defining controls and processes, and influencing the activities and attitudes of the people involved, which has become an essential requirement in small business.  Where management of information technology resources was not of great concern to the small business owner before, increased device and information mobility (removal of physical boundaries) and erosion of logical boundaries around personal and business computing have become a really big deal for everyone in business. Small businesses just don’t often have departments of people working on the problem.

Technology use in business has always come at a price, and as various influences continue to change how users interact with devices, applications and systems, business owners and IT managers will continue to face difficult choices between balancing security of information resources and providing a productivity-enhancing user experience.   Too many security barriers result in avoidance of security protocols, slow or immobile company computers result in users working on their own machines and portables, and restricting access for mobile users results in “shadow IT” implementations of mobile sync and other data access approaches.

Yet “shadow IT” tends to be the norm with many small businesses, where there are often fewer barriers to implementing solutions which address individual user issues or problems.  Lacking the resources or understanding to develop a strong plan for managing information systems and technology within the business, small business owners often consider the computer systems and computerized data to be tools to get jobs done rather than strategically valuable assets to be strictly controlled and protected.  These business owners are not recognizing the ever-increasing need to not simply secure business information, but to establish processes and rules which will govern how users and devices access and interact with the information and systems.

Enterprise IT departments have often viewed their small business counterparts (customers, suppliers, etc.) as potential points of vulnerability, an attitude which was once considered to be centered not on real assessments of the risk but more in terms of ego, level of sophistication, and hierarchy in the food chain.  In today’s world of real risk introduced by myriad technological and human elements in every link in the supply chain, enterprise IT conclusions regarding the risk potential of doing business with anyone – including small businesses – may not be entirely unfounded.  Whether it be commentary and information distributed by individuals via social media or malware or corruption introduced inadvertently (or not) via computerized interaction, there is the possibility of risk introduced with every system, person and process involved.  Enterprise to enterprise, these issues may be more often recognized and remediated; where the SMB is involved, not always so much.

This is a brave new world of computing, and there is truth in that even the smallest of businesses can “compete with the big guys” when the right mixture of technology and process is applied – for good or bad.  Technology enables businesses to be more productive, get more done with fewer resources and perform at higher levels. IT Governance in small business is no longer an optional area of focus, addressed only during infrequent discussions with the local contract IT guy when he comes in to defrag the hard drive on a slow computer.  Establishing the proper processes and controls to wrap around IT use in the business has become an imperative; a necessarily specific and considerate approach to how information technology is used within the business, who uses it, and what IT is composed of.

Just about every business, and most individuals, are connected in some manner via some type of network, representing a dramatic and dynamic change to the traditional composition of business IT and the landscape of vulnerabilities which threaten it.  The increased connectedness, capability and complexity of systems and networks requires a greater focus on overall IT governance – exercising authority and controls – as the impact (just like the information) can easily and unintentionally reach far beyond the boundaries of the individual business.

jmbunnyfeetMake Sense?

J

“People are nothing more than another operating system”, says Lance Spitzner, training director for the Securing The Human Program at SANS Institute.  “Computers store, process and transfer information, and people store, process and transfer information,”  How Hackers Fool Your Employees

Posted on

Turning a Product or Service into a Solution: the Value Add of a Reseller

Turning a Product or Service into a Solution: the Value Add of a Reseller

There is quite a bit of chatter on the web and among IT resellers about how opportunities to serve business customers are diminishing, yet business adoption of cloud computing, managed services, and mobile technologies is growing tremendously.  It seems that use of technology is increasing, but the opportunity for “traditional” IT resellers and channel partners to make money by selling IT-related products and services is diminishing.  This is not new, and is simply a finer form of the problem that has been revealing itself for years.  In order to provide value, suppliers must provide businesses with solutions to business problems rather than just trying to sell them products and services with a hefty profit margin.

Whether it is a physical item like a computer or an intangible item like consulting services, businesses will buy if they see value in it.  In the eyes of the consumer, the value is likely tied to far more than the item at hand; the value tracks to some expectation of business benefit to be achieved now and in the future.  Businesses will pay for solutions to problems they experience more readily than they will pay for shiny things or big ideas, and it is this truth that many “value added” resellers tend to forget even though it is part of their business description.

For many years channel resellers have struggled with competitive elements that reduce revenue and profit potential on core products and services.  When computer hardware prices dropped years ago and businesses found that going through distribution or direct to the manufacturer was often a more affordable path than buying through a reseller, the resellers re-trenched and began providing more value in terms of solution architecture, training and implementation support, and system management services.  As the delivery chain for information technology continues to compress and more products and services are delivered direct-to-consumer, the pressure for resellers to discover their “value add” grows even more severe.

The days of simply reselling technology products to make a living are quickly coming to an end. There isn’t enough profit margin available to eek out a living just selling hardware and software, and it takes a large volume of subscribing customers to reach any significant revenue level by reselling commoditized cloud services. Yet the customers are there to be won if the offerings represent solutions to defined and recognized business problems – solutions that introduce quantifiable business benefit rather than creating more business problems – and where the reseller plays an integral part in making the selection a successful one for the customer.

While it may seem that business cloud computing, hosting services and SaaS solutions all come with easy-to-read instructions, do-it-yourself installation and painless upkeep, the truth is often very different. Some consumers realize this when they go shopping for solutions and come up with more questions than answers; some only figure it out after they have made the wrong decision. Either way, these businesses could use the help of a professional who will provide the added value of taking time to understand the problem to be solved, consider the variables which exist in the client organization, and clear a path which takes the customer business to a better place.

Cloud computing and SaaS may be changing HOW businesses purchase and use technology, but it is not changing WHY they do it.  Businesses buy IT because they think it will solve a problem – they have expectations. The reseller can find and provide the added value: the reasoning (meeting expectation) for selecting the solution, why it is the right choice for the customer organization, and how they will ensure that the solution delivers the benefits described and expected.

Joanie Mann Bunny FeetMake Sense?

J

Read  more about Helping a Small Business Customer Choose Your Solution