Solutions to Password Overload

If only technologists had their way, passwords and PINs would have long been replaced with more innovative (and admittedly, better) security solutions. But such is not the case. Those alternative solutions, which include biometrics, smart cards, and password fobs, effective as they may be, are just way too expensive to implement.

So although passwords and PINs may not be here to stay, they certainly won’t be going away soon either.

Why keeping passwords in memory is no longer possible

A couple of decades ago, it would have been nearly impossible to crack an eight-character password using brute force. Today, however, advancements in computing power are rendering the typical passwords of the past easily decipherable, forcing us to come up with passwords that are not only much longer, but also much more complex and hence difficult to recall.

For instance, memorable words like your favourite character (e.g. ‘skywalker’) may have been acceptable then, but not anymore. Today?s security systems will encourage you to insert numbers or even other keyboard characters as a means to once again counter brute force. Hence, ‘sk5%ywa936lker@#’ may be more acceptable.

Remembering that one alone can be pretty daunting.

To further complicate matters, the number of applications that require passwords for access is much greater than before even for a single end user. Ordinary end users have to keep track of passwords for their email account, network login, workstation login, online services, and so on.

The burden is even greater for your IT admins, who have to remember a larger collection of passwords that protect business critical systems and applications. Clearly, the team in charge of your IT security will need a way to manage all these passwords.

Password management solutions

Existing password management solutions typically come in the form of software applications that store passwords. Basically, all you need to remember are your login details for the app a.k.a. the ?master password?. Once you’ve gained access inside, you can then retrieve any password you stored there.

Some of these apps are installed in portable devices like Pocket PCs, PDAs, or smartphones, which you would normally take along with you. For as long as the device stays with you, your passwords will be in safe hands. What’s more, you can retrieve them anywhere you go.

But obviously, there’s a problem. What if the device gets misplaced or stolen? Although the person who ends up with your device may not be able to gain access into the app and your passwords, neither will you. A better solution would therefore be an app that can be accessed anywhere but is not susceptible to getting lost.

Web-based password manager

A web-based password manager fits the bill. You don’t have to take it with you, but still you can access it almost anywhere. A typical web-based password manager will have all your passwords stored in a centralised, highly secure location.

If you want, you can even use your mobile password manager along with the web-based one. Ideally, your web-based password manager would have a copy of all the end-user passwords as well as the master passwords of your organisation.

With an easy to access but highly-secure web-based password manager, you no longer have to come up with passwords that (ironically) are supposed to be easy to remember but hard to crack at the the same time.

Furthermore, password managers are ideal for keeping passwords that have to be changed every-now-and-then; a requirement that’s becoming all too common in organisations bent on enforcing more stringent controls.

Check our similar posts

What Is Technical Debt? A Complete Guide

You buy the latest iPhone on credit. Turn to fast car loan services to get yourself those wheels you’ve been eyeing for a while. Take out a mortgage to realise your dream of being a homeowner. Regardless of the motive, the common denominator is going into financial debt to achieve something today, and pay it off in future, with interest. The final cost will be higher than the loan value that you took out in the first place. However, debt is not limited to the financial world.

Technical Debt Definition

Technical debt – which is also referred to as code debt, design debt or tech debt – is the result of the development team taking shortcuts in the code to release a product today, which will need to be fixed later on. The quality of the code takes a backseat to issues like market forces, such as when there’s pressure to get a product out there to beat a deadline, front-run the competition, or even calm jittery consumers. Creating perfect code would take time, so the team opts for a compromised version, which they will come back later to resolve. It’s basically using a speedy temporary fix instead of waiting for a more comprehensive solution whose development would be slower.

How rampant is it? 25% of the development time in large software organisations is actually spent dealing with tech debt, according to a multiple case study of 15 organizations. “Large” here means organizations with over 250 employees. It is estimated that global technical debt will cost companies $4 trillion by 2024.

Is there interest on technical debt?

When you take out a mortgage or service a car loan, the longer that it takes to clear it the higher the interest will be. A similar case applies to technical debt. In the rush to release the software, it comes with problems like bugs in the code, incompatibility with some applications that would need it, absent documentation, and other issues that pop up over time. This will affect the usability of the product, slow down operations – and even grind systems to a halt, costing your business. Here’s the catch: just like the financial loan, the longer that one takes before resolving the issues with rushed software, the greater the problems will pile up, and more it will take to rectify and implement changes. This additional rework that will be required in future is the interest on the technical debt.

Reasons For Getting Into Technical Debt

In the financial world, there are good and bad reasons for getting into debt. Taking a loan to boost your business cashflow or buy that piece of land where you will build your home – these are understandable. Buying an expensive umbrella on credit because ‘it will go with your outfit‘ won’t win you an award for prudent financial management. This also applies to technical debt.

There are situations where product delivery takes precedence over having completely clean code, such as for start-ups that need their operations to keep running for the brand to remain relevant, a fintech app that consumers rely on daily, or situations where user feedback is needed for modifications to be made to the software early. On the other hand, incurring technical debt because the design team chooses to focus on other products that are more interesting, thus neglecting the software and only releasing a “just-usable” version will be a bad reason.

Some of the common reasons for technical debt include:

  • Inadequate project definition at the start – Where failing to accurately define product requirements up-front leads to software development that will need to be reworked later
  • Business pressure – Here the business is under pressure to release a product, such as an app or upgrade quickly before the required changes to the code are completed.
  • Lacking a test suite – Without the environment to exhaustively check for bugs and apply fixes before the public release of a product, more resources will be required later to resolve them as they arise.
  • Poor collaboration – From inadequate communication amongst the different product development teams and across the business hierarchy, to junior developers not being mentored properly, these will contribute to technical debt with the products that are released.
  • Lack of documentation – Have you launched code without its supporting documentation? This is a debt that will need to be fulfilled.
  • Parallel development – This is seen when working on different sections of a product in isolation which will, later on, need to be merged into a single source. The greater the extent of modification on an individual branch – especially when it affects its compatibility with the rest of the code, the higher the technical debt.
  • Skipping industrial standards – If you fail to adhere to industry-standard features and technologies when developing the product, there will be technical debt because you will eventually need to rework the product to align with them for it to continue being relevant.
  • Last-minute product changes – Incorporating changes that hadn’t been planned for just before its release will affect the future development of the product due to the checks, documentation and modifications that will be required later on

Types of Technical Debt

There are various types of technical debt, and this will largely depend on how you look at it.

  • Intentional technical debt – which is the debt that is consciously taken on as a strategy in the business operations.
  • Unintentional technical debt – where the debt is non-strategic, usually the consequences of a poor job being done.

This is further expounded in the Technical Debt Quadrant” put forth by Martin Fowler, which attempts to categorise it based on the context and intent:

Technical Debt Quadrant

Source: MartinFowler.com

Final thoughts

Technical debt is common, and not inherently bad. Just like financial debt, it will depend on the purpose that it has been taken up, and plans to clear it. Start-ups battling with pressure to launch their products and get ahead, software companies that have cut-throat competition to deliver fast – development teams usually find themselves having to take on technical debt instead of waiting to launch the products later. In fact, nearly all of the software products in use today have some sort of technical debt.

But no one likes being in debt. Actually, technical staff often find themselves clashing with business executives as they try to emphasise the implications involved when pushing for product launch before the code is completely ready. From a business perspective, it’s all about weighing the trade-offs, when factoring in aspects such as the aspects market situation, competition and consumer needs. So, is technical debt good or bad? It will depend on the context. Look at it this way: just like financial debt, it is not a problem as long as it is manageable. When you exceed your limits and allow the debt to spiral out of control, it can grind your operations to a halt, with the ripple effects cascading through your business.

 

9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Choosing Routes for ESOS Compliance

Along the introduction of Energy Savings Opportunity Scheme in UK is the quick emergence of various companies that offer ESOS compliant services. While some energy audit providers can help, qualified businesses should understand what their compliance options are, how these routes work and learn both the pros and cons in order to carefully take their pick.

Independent ISO 50001 Certification

ISO 50001 comprises the integration and application of processes geared to motivate energy saving and overall improvement. Simply stated, it is a framework that drives the organisation’s governance to realise energy saving strategies by allocating resources and participating in energy management. The good thing about ISO 50001 is that it includes an energy review that documents ideas and opportunities to save more energy.

However, ISO 50001 does not obligate organisations to cover 90% of their overall energy consumption. In case of partial coverage, the company needs to undergo additional energy assessments to evaluate all the significant energy consumption areas.

In order for an ISO 50001 certification to be valid, it must be certified by the United Kingdom Accreditation Service (UKAS), by an accreditation body which is a member of the International Accreditation Forum, or by a body accredited by another EU member state?s national accreditation body.

Display Energy Certificates and Green Deal Assessments

These two kinds of energy assessment reports can also contribute to ESOS compliance. Both of them are carried out by qualified lead assessors and valid for 10 years. However, they are only based on the building structures and services. They do not cover the overall significant areas in energy consumption. Since these reports are valid for 10 years, they would be used for two ESOS reporting periods. Thus, they would not be as current as the ISO 50001 certification. Aside from that, the assessments are purely based on energy efficiency and anyone can qualify to use the software that produce the certifications after taking the accreditation course.

Energy Audits

A successful energy audit leads to better understanding of the company?s energy consumption, identify alternatives, determine cost-effective energy saving opportunities and stimulate energy efficiency. Energy audits are beneficial to the organisation. What makes it complex is that the organisation applying it, needs to clearly define the scope and type of energy audit to use in order to comply with ESOS. Furthermore, the organisation also has to identify the teams that would be competent enough to do the audit work for the building, transport and industrial area, respectively.

Each route is not formed equal. Thus, organisations have the option to either choose one or combine the routes and meet their company needs. The options mentioned are different approaches to ESOS and the core value is to grab the opportunity towards acquiring more savings through efficient energy system.

How Ecovaro Can Help

Ecovaro is passionate about making a difference. We are knowledgeable when it comes to ESOS legislation and regulation, ISO 50001 energy management system, DECs and Green Deal Assessments. More than that, we recognise the great impact of efficient management system to your organisation. And with this, we provide an enthusiastic team of software engineers and expert project managers to offer you our professional help at reasonable price. Ecovaro comes to you fully equipped with services tailored to your organisation’s energy management needs.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today