First, let me get some disclaimers out of the way: I won't describe myself as a security expert and what I am about to share is my personal opinion, which is based on my personal experiences. By no means does this article reflect the opinions of my present or past employers and I have no business relationship (or gain from) any of the products or companies I am mentioning here.

With that out of the way, I would like to share a couple of security related practices that I have adopted over the years. I sometimes get asked questions about these topics, so I hope that you find this article informative.

Let me start with passwords:

We need passwords for a ton of things in our professional or personal lives. Password complexity requirements have gone up and there is no way we can remember all of the passwords we need to use on a regular (or not so regular!) basis. There are several vendors that provide single sign-on (SSO) solutions on the web and they basically work by establishing one master password (that you hopefully CAN remember) and then automatically log you into your web applications or let you look up your passwords. So far so good, except that you have to trust the vendor of this kind of solution 100% to keep your information safe and to have safeguards in place that their employees are not helping themselves to your passwords.

Therefore, I dislike all of these types of solutions and prefer the ones where I can personally control the security and encryption of the password file. And apparently I am right given the recent hack of LastPass (http://www.engadget.com/2015/06/15/lastpass-hacked/). I used different apps over the years - first on the iPhone (http://www.apple.com/iphone/). It was eWallet by a vendor called Ilium Software and I liked the fact that it had a Windows companion app that allowed me to sync the files to the PC. These days I am on a windows phone (http://www.windowsphone.com/en-US/) and use a product called SkyWallet (http://skywallet.net/). It works by having a file on share (I am using OneDrive (https://onedrive.live.com/) and it lets you personally generate and specify the crypto key to secure that master file. It also has a desktop companion application so all your passwords stay in sync between devices. It does not provide SSO, but I am actually fine with that and can simply launch the app, look up what I need, and then log in. The important part is that no third party stores my master key and the password file itself is encrypted.

What about files?

There were the days when all your files, photos, and music resided on your PC and you had to make CD-ROMs or DVDs to back up your stuff every once in a while. That was really painful. I later added secondary hard drives to protect myself from disk failure by establishing a RAID configuration, but that didn't protect me from the total physical failure of my PC in case of hurricanes, home fires, floods,  or other nasty (yet very unlikely) surprises.

I started using a product called HandyBackup (http://www.handybackup.com/), which I liked, because I could simply backup my stuff. I had some $5 per month web hosting service with virtually unlimited storage that I used for the purpose and handybackup allowed me to use my own encryption of the data using the blowfish algorithm (https://en.wikipedia.org/wiki/Blowfish_(cipher)) . This worked reasonably well, but had two major shortcomings: because I chose to encrypt the data, handybackup did not allow me to configure actual file synchronization and I could not simply get to my files from a public terminal or mobile device. Well, it was a backup solution and a fine one at that. I used it for several years, but never had to actually restore anything during that time frame.

I finally got to like online file storage (I happen to use OneDrive, but there many other solutions available as well). My problem here was again that I really don't trust any company to keep my personal data safe from prying eyes, so encryption is key to me. Initially, I started by just storing photos and personal videos on the service and kept my financials and tax returns between my local machine and the handybackup solution. Then I discovered BoxCryptor (https://www.boxcryptor.com/en), a software solution from a German provider that allows you to automatically encrypt all your stuff in a cloud data solution. What I like about it that it also allows you to create your personal key file, which is never stored on any third party cloud service. This suits me just fine and now all of my personal data is 100% encrypted by BoxCryptor and stored (and sync'ed) on OneDrive. The boxcryptor client is available for all my mobile devices, so now I am enjoying insta-access of all my stuff with a high degree of privacy. Note that there is an option to store the crypto key with the vendor's cloud service, but I chose to manage it myself. Should I ever lose it, it won't be recoverable, so there is an added level of personal responsibility involved here.

What about my PC?

Not much to say here. Windows 8.1 / Windows 10 with BitLocker (http://windows.microsoft.com/en-US/windows7/products/features/bitlocker). Enough said. If someone steals the laptop or gets hold of my desktop PC, have fun decrypting that stuff. I have no idea if some has tried to hack BitLocker by using brute force techniques, but I don't think that there is another alternative that would also be seamless to the user experience. Then again, all the files I have are still encrypted by BoxCryptor, even at rest on the local machine, so I think I am good.

I personally can't wait until the general availability of Intel's RealSense and Windows Hello technology to simply use my pretty self as a password :)

What about corporate BYO things?

This could very well turn into a soapbox, so I will try to keep it brief. Some companies adopted BYO policies under which employees are allowed to bring their own mobile devices, laptops, and PCs to work. The idea was that employees could simply choose the device they like and in some cases the employer would provide a stipend to help cover the cost. I always thought that this was a terrific idea, and as an employer, I would basically use centralized application hosting with terminal servers, citrix (www.citrix.com), vmware(www.vmware.com), etc. and virtual desktops. I would configure things in a way that none of the corporate data could be copied to the user owned device. These technologies are so mature these days and internet access is so ubiquitous that this can easily be achieved without compromising the end user experience. The old philosophy was that everything inside a building was considered secure (because the building had access controls and physical security. I think that the new philosophy needs to be that anything in an office space is considered not secure and only things inside the actually data center are considered to be secure.)

The reality is sometimes a bit different though. One group I met during my days as a Citrix consultant erred far on the side of user convenience and let employees use any device on the network without any restrictions whatsoever. People could install corporate and personal  applications and also freely download all the corporate data to their personal devices. Trust over draconian security measures was the word! This worked until the day an employee quit and basically took all of her work data with her (no chance for the rest of team to continue her projects.) This is also problematic from the point of view that people sometimes join competitors and having them keep access to critical internal data is just inviting trouble. That group also allowed departing employees to often keep their laptops that the company had paid for (especially if they were 2 years or older as those could not really be given to new employees either). Again with all the data , email archives etc. Interestingly, one day my counterpart there told me that one of his team members resigned and joined a competitor. He did the right thing and turned in his (corporate owned) laptop and was honest and upfront about his move. The manager notified HR and IT, access was revoked and all seemed well until IT started tracking the person's manager down and demanded a complete forensic analysis (to be performed by the manager, mind you) as to which files may have been copied off the device or emailed to a personal account etc. Insane. Especially given the otherwise wide open policies.

So, security is never really free, but there is always a tradeoff between security and convenience. Luckily, many vendors really make our lives convenient and enterprises have good practices and tools at their disposal to strike the right balance - if they choose to.


Florian
twitter: @florianbecker