Wednesday, April 26

Security and Password Myths

Kaliya Hamlin pointed to an article about password security and what its author (Prof. Eugene Spafford) calls security myths. It's an interesting article, but I don't agree with the main point, which is that mandatory password changes do not increase security. He calls these policies folk wisdom and claims that best practices are "intended as a default policy for those who don’t have the necessary data or training to do a reasonable risk assessment". Well, I don't agree with that statement or Prof. Spafford's conclusion.

Best practices, as I use the term, describe an ideal state without knowledge of a given environment. Every environment has exceptions and special needs. Therefore, it's not always possible to implement best practices. But they should serve as an ideal to work toward. Default policies, on the other hand, are often what's easiest to implement -- just ask any company that sells hardware for wireless home networking products. These products are usually shipped with default settings that make them easy to set up. Best practices, however, require that the installer configure encryption keys that prevent people in close proximity from accessing the network.

Let's move to the password change policies. While there are certainly (as Prof. Spafford writes) a number of password failure modes, these policies are in effect to minimize the effectiveness of one of those failure modes - cracking. We may only differ in our definitions of weak cracking. This article by Geodsoft discusses password cracking techniques. The takeaway is that with a strong password policy, a brute-force cracking attempt will take over two months at 6 characters and two years at 8 characters. It's certainly possible to improve that timeframe with heavy hardware infrastructure, but I think the policy will serve its purpose of reducing the threat. And that's ultimately the goal. We all know that nothing in IT is 100% secure, but we should probably implement as many practical policies and solutions as possible to reduce the potential threat.
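To make the arithmetic behind this argument concrete, here is an added example (mine, not from the post or the Geodsoft article) that models a brute-force search against a uniformly random password and shows how the keyspace exhaustion time and a rotation interval combine into a compromise probability over a planning horizon. The 94-character set, the rate of 100,000 guesses per second, the 30-day rotation interval and the one-year horizon are assumptions chosen for illustration, not figures from the post.

```python
"""Added example: how a rotation interval interacts with a brute-force search.

Model (an assumption, not the post's): the attacker tries candidates at a
fixed rate against a password chosen uniformly from the full keyspace; a
rotation replaces it with a fresh uniform password, so each interval is an
independent trial and earlier search progress is lost.
"""
from typing import Optional

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters."""
    return charset_size ** length


def days_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Days needed to try every password once at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_DAY


def compromise_probability(charset_size: int, length: int,
                           guesses_per_second: float, window_days: float) -> float:
    """Probability that a uniform random password lies in the part of the
    keyspace searched within the window (capped at certainty)."""
    searched = guesses_per_second * window_days * SECONDS_PER_DAY
    return min(1.0, searched / keyspace(charset_size, length))


def compromise_over_horizon(charset_size: int, length: int, guesses_per_second: float,
                            horizon_days: float, rotation_days: Optional[float] = None) -> float:
    """Probability of at least one compromise during the horizon.

    Without rotation the search simply runs for the whole horizon. With
    rotation every `rotation_days`, the horizon is `horizon / rotation`
    independent trials, each against a fresh password."""
    if rotation_days is None:
        return compromise_probability(charset_size, length, guesses_per_second, horizon_days)
    per_interval = compromise_probability(charset_size, length, guesses_per_second, rotation_days)
    trials = horizon_days / rotation_days
    return 1.0 - (1.0 - per_interval) ** trials


if __name__ == "__main__":
    CHARSET, RATE, ROTATE, HORIZON = 94, 1e5, 30, 365  # assumed figures
    for length in (6, 8):
        print(f"{length} chars: exhaust in {days_to_exhaust(CHARSET, length, RATE):,.0f} days; "
              f"P(compromise in {HORIZON} d) = "
              f"{compromise_over_horizon(CHARSET, length, RATE, HORIZON):.4f} without rotation, "
              f"{compromise_over_horizon(CHARSET, length, RATE, HORIZON, ROTATE):.4f} "
              f"with {ROTATE}-day rotation")
```

With these figures the rotation changes the one-year result only for the 6-character case, where the exhaustion time (about 80 days) is comparable to the interval; for 8 characters the search is nowhere near complete within one interval and the two probabilities agree to several decimal places.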

Thursday, April 20

IT Pragmatism

There's been a lot of blog discussion lately about IT practicality, software companies and enterprise architecture. It's refreshing to hear people taking a step away from large, complex and "enterprisey" architectures. I'm a pragmatist. I think IT solutions should solve a business problem and NOT introduce new ones. When I was in the services business, I tried to design and implement solutions that were simple, easy to use and efficient. I joined MaXware because they have very practical software products that work without complex architectural requirements. People who want to spend years implementing an IT solution seem to me to be confused - the business requirements will change drastically over those years. You need a direction and a goal to work toward, but implement quick-win real-world solutions that provide value and you'll move toward your goal while minimizing cost and frustration. I think this has been especially true of Identity Management solutions and will continue to be so for years to come. So, if you're embarking on an Identity Management journey, try to work out a 3-month cyclical pattern of building real business value while driving toward a long-term goal. You'll generate executive and team support for the project by showing quick success, and you'll be ready to adapt as the business landscape changes.

Wednesday, April 12

RSA Secured and Next Generation IP Networks

MaXware is now RSA Secured for SecurID Authentication and ClearTrust Access Management. Not really anything new from a technology standpoint, but worth mentioning.

Also, thanks to Kim Cameron for his nod toward Marcus Lasance's article in European Communications. Marcus discusses Identity Management for IMS (IP Multimedia Subsystem). Marcus is well-seasoned in telecommunications and really knows his way around that arena. I'm interested to see how triple- or quadruple-service offerings come to market and where IdM will play its part.