I am my own Risk area…until I’m part of the Institution

This week, I have the privilege of spending time at Educause.  This conference is all about Higher Education IT, and Security is one of the focus tracks. I actually don’t think I’ll spend a lot of time listening to the Security presentations, although I will certainly be networking with my Security colleagues while I’m here.  Instead, I’m here to learn the business of Higher Ed IT, which is as varied as the Universities and Colleges represented.

I’ve been noodling (that’s a technical term, btw) on how to understand the individual and corporate Security risk tolerance at OSU.  There seems to be a wide range of opinion on this matter, such as:

– Using a 45-character password (full disclosure, my password is not that long!) and changing it every 60 days, versus using a memorable password and changing it as infrequently as possible

– Parking in the dark corner of a convenient garage, versus parking in a well lit parking lot

– Using a laptop lock, versus leaving your laptop on the lunch table, logged in

– Engaging Security when rolling out a new technology project, versus not engaging Security at all

– Encrypting your mobile device versus not using a PIN at all

– Fastening your seat belt versus Death.

It becomes more problematic when we realize we’re not just risking our own stuff; we’re risking the university’s stuff, and the University Brand.  OSU hits the news for a ton of really great reasons – football, of course, and research breakthroughs, and academic success, and on and on and on.

However, we occasionally hit the news for not good things, and when that happens, we invariably ask “Shouldn’t someone have known better?”  “What were they thinking?”  “Who let that happen?”  All good questions, and the answer cannot be “because I (the Academic, the Researcher, the Administrator, the Security Professional) was OK with it”, or “because I thought it was too much hassle to do what Security was asking” or “I didn’t want to change my behavior”.  We have an obligation to hold our own Risk stance subordinate to the Security of the mission of the university.

Which brings me back to Educause.  One thing I hope to learn more about here is where technology is taking colleges and universities in the US.  And then to work out how Security-aware that thinking is.  And then to work out if OSU is more, or less, Security tolerant than its peers.  Because OSU is a terrific university, and does a lot of terrific things.  But if it gets this Security thing wrong, it’s not only data at risk; it will be the whole Brand.  O-H-I-O will become synonymous with OH-NO, and that will be a fate worse than Death.

So, wish me luck.   There are a lot of people here... and only 4 days to talk to them all.




I Hate Passwords (aka passwords by Ke$ha)

No, really.  I hate them.   Why?  Because they provide a false sense of security.  Don’t get me wrong…  in the absence of all other security measures, passwords are slightly better than nothing.  Like, shutting your front door is better than leaving it wide open, but not as good as locking the door, and having motion detectors on your outside lights, and having an alarm system, and locking up your valuables in a safe.  Having passwords is SLIGHTLY better than nothing.

So why do we ask people to have passwords at all?  Well, sometimes the law requires it.  Sometimes, that’s all we’ve got.

But is that enough for me to hate passwords?  No.  The reason I hate passwords is that people behave as if having a password protects them from everything.  It provides a false sense of security for those who know nothing about security.  It allows people to think that if they put their data somewhere “in the cloud” that it’s safe.  Because they have a strong password.

Here’s a good example of the general user understanding of password management: http://www.youtube.com/watch?v=qz5i171h_no

No. No.  Just No.  Don’t just “change the S to a dollar sign”.  Really?  This is the best you’ve got, CNN?

Passwords, in the beginning, were not designed to be an anti-theft device.  They were used for YOU, to prove that YOU are who YOU say you are.  That’s all.  But if someone else knows your password, no matter how many weird characters you use, they can pretend to be you.  Kind of like Tom Cruise wearing cool masks in “Mission Impossible”.  Passwords are a key to a door.  Not a lock.  Somehow, over time, people have begun to think of them like a lock to be opened – and they are about as user-friendly as a lock.  And, just like your keys, it’s pretty easy to lose your password.
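Here is the “change the S to a dollar sign” advice measured against how password cracking actually works.  This is an added example, not code from the original post or from the university: a toy dictionary attack in the style of the mangling rules that John the Ripper and hashcat ship with.  The wordlist, the substitution table, the suffixes and the “stolen” hashes are all constructed for the demo, and the hash is plain unsalted SHA-256 to keep the code short (a real system should store passwords with a slow, salted hash; that makes each guess slower, but does not change the fact that “Pa$$word” is one of about a hundred guesses derived from “password”).

```python
"""Added example: why swapping S for $ buys nothing against a dictionary attack.

Crackers do not guess character by character. They start from a wordlist and
apply mangling rules (case changes, leet substitutions, common suffixes).
Everything below (wordlist, LEET table, suffixes, hashes) is constructed for
this demo and modelled loosely on rule sets like those in hashcat / JtR.
"""
import hashlib
import itertools

# Constructed wordlist: the kind of base words a cracker tries first.
WORDLIST = ["password", "buckeyes", "football", "welcome"]

# Constructed subset of the classic "leet" substitutions.
LEET = {"s": "$", "a": "@", "o": "0", "e": "3", "i": "1"}

# Constructed suffixes people bolt on to satisfy complexity rules.
SUFFIXES = ("", "1", "123", "!", "2013")


def mangle(word):
    """Yield every candidate derived from one base word by the rules above."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        # Only substitute letters that actually occur in the word.
        keys = [k for k in LEET if k in base.lower()]
        for r in range(len(keys) + 1):
            for subset in itertools.combinations(keys, r):
                cand = base
                for k in subset:
                    # Replace both cases so "PASSWORD" becomes "PA$$WORD".
                    cand = cand.replace(k, LEET[k]).replace(k.upper(), LEET[k])
                for suffix in SUFFIXES:
                    c = cand + suffix
                    if c not in seen:
                        seen.add(c)
                        yield c


def sha256_hex(s):
    """Unsalted SHA-256, used here only to keep the demo self-contained."""
    return hashlib.sha256(s.encode()).hexdigest()


def candidate_count(word):
    """How many guesses the rules generate from one base word."""
    return sum(1 for _ in mangle(word))


def crack(target_hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every target recovered from wordlist + rules."""
    found = {}
    remaining = set(target_hashes)
    for word in wordlist:
        for cand in mangle(word):
            h = sha256_hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
                if not remaining:
                    return found
    return found


if __name__ == "__main__":
    # Constructed "stolen" hashes: two leet-mangled words and one long passphrase.
    stolen = [sha256_hex("Pa$$word"), sha256_hex("P@$$w0rd123"),
              sha256_hex("correct horse battery staple")]
    print("guesses derived from 'password':", candidate_count("password"))
    for h, plain in crack(stolen).items():
        print(h[:12], "->", plain)
    print("recovered", len(crack(stolen)), "of", len(stolen))
```

The passphrase is the one hash the rules never reach: it is not in the wordlist and no substitution or suffix turns a wordlist entry into it.  That, not the dollar sign, is the difference between a password that resists guessing and one that only looks like it does.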

So if you can’t help but lose your password, then what can you do?  Changing the password more often is an answer, but not the best answer, and not the only answer.  This is one reason why we’ve gone to #password180 here at the university.   Instead, consider two-factor authentication for access to critical systems, including your iCloud storage and your email.  Consider removing sensitive data from your systems as soon as you’re finished with it.  Consider learning more about the security practices of your IT support groups (including vendors) before you share your important data with them.  Consider not auto-forwarding your email.  Consider talking to your friendly security professional and asking for advice.

And when you’re all done with this, turn on your outside lights, lock your door, and arm your security system.  

You’ll sleep much better.