Over the past few years there has been a lot of discussion and research on the weakness of password use. Should passwords be changed on a periodic basis? What's the best compromise between complexity requirements and one's ability to memorize the password? Is single sign-on too risky? Are passwords even effective at all? The arguments, and the proponents and opponents of each, can be found everywhere.
Being the rational, level-headed guy I am, I like to look at each scenario from a risk-based perspective. You really have to consider the vulnerability and the threat, then pick a proper control to address the specific risk you identified. In some cases you'll pick multiple controls to address multiple risks.
Will changing passwords every 90 days stop a phishing attack? No. End user training should address this risk. Will it stop a brute force attack? No. Complex passwords should address this risk. What it does address is the length of exposure from a compromised account. Will a savvy attacker create a new account to use so that they still have access when the compromised password is changed? Yes. Hopefully, though, someone is reviewing the creation of new accounts via event monitoring and will identify the attacker's newly created account.
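The account-creation monitoring mentioned above, as an added example that is not part of the original post: it scans a small constructed log of Windows Security events and flags 4720 ("A user account was created") events whose creator is not in a hypothetical provisioning allowlist or that occur outside business hours. The pipe-separated field layout, the allowlist and the sample entries are all assumptions made for the example.

```python
"""Flag new-account creations that did not come through the approved process.
Added example; the log lines are constructed and the simplified field layout
(timestamp|event_id|creator|new_account) is an assumption, not a real format."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. 4720 = user account created, 4624 = logon,
# 4732 = member added to a security-enabled local group.
SAMPLE_LOG = """\
2012-03-30T09:12:44|4720|svc_provisioning|jsmith
2012-03-30T10:03:10|4624|jsmith|-
2012-03-31T02:47:03|4720|jdoe|backup_admin
2012-03-31T02:48:19|4732|jdoe|backup_admin
2012-04-02T14:20:00|4720|svc_provisioning|mlee
"""

# Hypothetical allowlist of accounts permitted to create users, and the
# hours during which normal provisioning runs.
APPROVED_CREATORS = {"svc_provisioning"}
BUSINESS_HOURS = range(8, 18)

@dataclass
class Alert:
    when: datetime
    creator: str
    new_account: str
    reasons: tuple

def parse_events(text):
    """Yield (timestamp, event_id, actor, target) for each log line."""
    for line in text.splitlines():
        ts, event_id, actor, target = line.split("|")
        yield datetime.fromisoformat(ts), int(event_id), actor, target

def suspicious_account_creations(text, approved=APPROVED_CREATORS, hours=BUSINESS_HOURS):
    """Return an Alert for every 4720 event created by an unapproved account
    or outside business hours; both reasons are reported when both apply."""
    alerts = []
    for when, event_id, actor, target in parse_events(text):
        if event_id != 4720:          # only account-creation events matter here
            continue
        reasons = []
        if actor not in approved:
            reasons.append("creator not in provisioning allowlist")
        if when.hour not in hours:
            reasons.append("created outside business hours")
        if reasons:
            alerts.append(Alert(when, actor, target, tuple(reasons)))
    return alerts
```

Running `suspicious_account_creations(SAMPLE_LOG)` on the constructed log yields a single alert for the `backup_admin` account that `jdoe` created at 02:47, which is exactly the kind of out-of-process creation a reviewer should be asked to explain.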
The truth is, no security control is perfect. Each is designed to address a risk: a specific threat against a specific vulnerability. The lesson is to use only the controls that address the risks which concern you. So when deciding how to use passwords, determine your risks first, and then choose the controls that minimize the risks you're most concerned with.
Visa and MasterCard are both reporting massive breaches impacting millions of card holders today. Looks like we're all playing the lottery whether we buy a ticket or not. This is just the beginning folks. I hope we don't become numb to it. That would be really bad.
It seems that cloud security is a hot topic these days. I was in Cedar Rapids last week at the chapter meeting for both the Institute of Internal Audit (IIA) and Information Systems Audit and Control Association (ISACA) presenting on cloud security and audit issues. I'll also be presenting to the Des Moines chapter of the Information Systems Security Association (ISSA) meeting today about the same topic. If you'd like a copy of the presentations feel free to contact me.
The "cloud" is a touchy subject when it comes to security. Some companies are wholeheartedly embracing it while others are running from it. Which is the right approach? That really depends on one thing: control. How much does it mean to you, and how much are you willing to spend to keep it? Everybody assumes that data is less secure in the "cloud". I'd argue that thinking is really more of a control issue. Many cloud providers, not all mind you, have top notch security programs and systems which far exceed what many small to medium companies can afford on their own. In that respect security is better. However, if you measure security by other metrics, such as access control, the security value may be weakened. Long story short, you must define what "secure" means and then compare your security to a cloud provider's security. Only then will you know which road to follow.