Joey on SQL Server

IT Security Isn't Supposed To Be Easy

Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

• By Joey D'Antoni
• 06/29/2020

Security is not a free option. Think about a bank -- an old-school, actual bank with a vault. It has multiple layers of security. There's a secured front door, a security guard and, beyond that, a vault with many additional security controls within it. The vault is a heavily fortified door with a combination lock. Even if a thief were to penetrate that door, inside the vault are safety deposit boxes, each of which requires an additional key.

That's a real-world example, but security in computer systems should have a similarly multilayered, defense-in-depth model.

I decided to write this column after I read this Wall Street Journal column by a technology professional who talked about the challenges of security in personal computing. I acknowledge that setting up good security processes is challenging and does, in fact, your make your day-to-day operations harder. However, with no disrespect to the column's author, there's a reason for that. As shown in the bank example, defense-in-depth makes it a little harder for you to get into your systems, but while that initial pain is annoying, you wouldn't leave your valuable stack of gold bullion on the street, would you?

Just Use a Password Manager Already
One of the points the WSJ column made is that using a password manager is challenging.

About three years ago, after a major hack caused one of my passwords to be compromised, I switched to using 1Password. Using a password manager completely changed the way I think about passwords. I used to have a mnemonic formula that was probably hackable if one of my passwords was breached. Now, I don't even know what my passwords are, for the most part. The password manager generates them, and they are synced across my devices.

There are some pain points. Every now and then, you will run across a site that doesn't allow you to paste in a password (I'm looking at you, Amtrak.com), or you'll have to enter your complex Netflix password using the TV remote. For the most part, though, my experience has been seamless -- and I use really complex passwords.

The one major challenge with using a password manager is logging in to your local machine. You don't have access to the password manager until you are logged in, so you can't copy your password. You have a couple of options here. You can use a device PIN or Windows Hello to authenticate. Or, if you want another level of security, you can use a secondary USB key like a YubiKey in conjunction with your device log-in.

Backups Hurt, But That's What Cloud Is For
Here is where I agree with the WSJ column: Taking full backups of your operating system is painful and has never been a pleasant process.

I have a MacBook. The Time Machine backup tool that came with it is more friendly than most backup solutions but, even as I write this column, I've had to reboot my machine in order to make my backups stop failing.

In most cases, in 2020, I don't recommend taking a full backup of your PC. Why, you may ask? Because cloud services like OneDrive and Dropbox are far more effective at protecting your files (and they even have version control and support soft deletes, in case you screw up and your machine does not). Having your data synced on someone's cloud means you don't have to worry about the condition or location of your backup drive if you have to recover your data after a disaster.

Additionally, configuring a machine from the ground up doesn't bring the same headaches that it did in the past. Windows 10 installs in about three clicks, and you can use a program like Chocolatey to perform scripted installs of the software you need. It's just a faster process than restoring from backup files on what might not be a terribly fast disk.

Exceptions to this rule are developers or admins who work with lots of virtual machines (VMs) and might want to roll back from a fatal change to /etc/fstab on the VM on which they run on all of their Kubernetes demos. (Yes, that was me.)

Multifactor Is a Necessary Good
Multifactor authentication (MFA) is the biggest step you can take to improve your own or your organization's security footprint, and it doesn't have to be that painful. This is a hill I'm willing to die on.

Adding an authenticator app or a key as a second authentication factor prevents an attacker with a compromised password from gaining access to a system. I've used some type of MFA since I started worked in IT. In the early days, it was the RSA SecurID that you kept on your keychain. I also had the misfortune of having to manage the server side of one those systems, and it was a manual effort to deploy tokens to users.

Things have evolved a lot since then. Now I can enable MFA from Azure Active Directory. It works through my phone and can integrate with every facial recognition technology on that device. Software clients are much smarter about how they handle MFA and, in general, the process is accessible to end users.

The WSJ column did mention that restoring your MFA configuration to a new device, while painful, is designed to be a challenge because registering a new device is an inherent attack vector for hijacking someone's identity.  

Rant over! Just kidding. It's just interesting to see a different user's perspective. As IT professionals, hearing user feedback on systems is something we should always think about.

[User requests feature already in product]
Junior dev: "lol dumb user"
Staff dev: "Closed - fixed"
Senior dev: <opens usability bug>

— Vicky Harp (@vickyharp) May 27, 2016

As my friend Vicky, who's a product manager at Microsoft, says, you need to listen to your users and design better systems. At the same time, you should realize that to achieve good security, you are going to deal with some minor inconveniences.