25 July 2015

Microsoft security still lives in 1998.

Whether we like them or not, our passwords are the last roadblock to a hacker accessing our information. So, here is how you can keep your information safe:
  • Use dual layer authentication with every provider that offers it.
  • Use a unique password for every single site and have a reputable password manager track them.
  • Do not choose a password that can be easily guessed by someone who knows you or knows where you reside.
  • You can ignore special characters and upper/lower case, if the site will permit you, because studies have shown that the length of your password is what slows down a hacker.
  • Feel free to use combinations of words or phrases to get the password length up there.
  • For important web sites (Google, Microsoft, Apple, Facebook, PayPal, banks) use a password over 14 characters long - ideally nearly 20.

Do all of these things and odds are that you will not have an account hacked. Unless we are talking about your Microsoft Live password, of course, because the folks in Redmond love to remind us that their security measures are still a step more ancient than everyone else's. This is particularly troubling because most of us use our Microsoft Live password as the login to our Windows desktops and tablets, too.

It is not all storm clouds in the Seattle area. They did recently start offering dual layer authentication, which I highly recommend. One particularly negative part of the process is that I had to wait 6 weeks with limited access to my Microsoft Live account while they made the change. I have no idea why since other companies (ahem - Google) can make this adjustment in seconds. But - I still recommend it, despite the delays.

Even with text verification in place, it is still possible for someone who steals your phone to access your account if they can figure out your password. Until we all start putting RFID chips under our skin, the number one security measure is to use passwords that are at least 14 characters in length. Which is why I continue to be in shock that, since Microsoft merged Windows logins with Microsoft Live accounts, they have had a secret limit on password size of 16 characters. The information I store in OneDrive is worth my typical 20 character length, and so every few months I go back to see if I can increase the size of my password. No such luck.

Password length should be unlimited. If someone wants to use a 500 character password then let them do it - they will have the most secure Microsoft account anywhere. The time it takes to break a password that is 10 characters (which meets your requirements) is as little as 40 seconds. If you require at least 14 characters it would take 8 thousand years, and 18 characters would require 3 billion years.
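As an added example, not from the post, here is a Python sketch of the arithmetic behind the length argument: it models worst-case exhaustive search at an assumed guess rate (the rate and the sample passwords are constructed for illustration, so the years will not match the figures above) and adds the caveat that a phrase built from dictionary words should be rated by its word count, not its character count.

```python
import math
import string

# Assumed offline guess rate (constructed figure for illustration only).
GUESSES_PER_SECOND = 10 ** 10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes, ordered from smallest to largest.
CHARSETS = [
    ("digits", string.digits),
    ("lowercase", string.ascii_lowercase),
    ("letters", string.ascii_letters),
    ("letters+digits", string.ascii_letters + string.digits),
    ("printable", string.ascii_letters + string.digits + string.punctuation),
]


def alphabet_size(password: str) -> int:
    """Size of the smallest listed character class that covers every character."""
    for _name, chars in CHARSETS:
        if all(c in chars for c in password):
            return len(chars)
    return 256  # fall back to treating each byte as the alphabet


def entropy_bits(password: str) -> float:
    """Bits of search space if the attacker must try every string of this shape."""
    return len(password) * math.log2(alphabet_size(password))


def crack_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust that search space at `rate` guesses per second."""
    return alphabet_size(password) ** len(password) / rate / SECONDS_PER_YEAR


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Strength of a phrase built from a known word list: the attacker guesses
    whole words, so count words rather than characters."""
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed samples: 10 printable chars, 14 lowercase, 18 printable.
    for pw in ["Ab1!Ab1!Ab", "abcdefghijklmn", "Ab1!Ab1!Ab1!Ab1!Ab"]:
        print(f"{pw:20} {len(pw):2} chars {entropy_bits(pw):6.1f} bits "
              f"{crack_years(pw):12.3g} years")
    # A 16-character cap bounds the search space no matter how random the password.
    print(f"cap of 16 printable chars: {entropy_bits('Ab1!' * 4):.1f} bits")
    # Four words from a 7776-word list look like 25 lowercase chars but are weaker.
    print(f"4 dictionary words: {passphrase_bits(4, 7776):.1f} bits vs "
          f"{entropy_bits('correcthorsebatterystaple'):.1f} bits judged by characters")
```

Note that 14 lowercase letters already out-search 10 characters drawn from the full printable set, which is the point of the "length over complexity" advice above.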

Please, Microsoft ... Get this bug fixed.

19 July 2015

Forwarding address: The Cloud

Should you move your business into the cloud? Only you can truly answer that question but I hope to provide a little perspective on good reasons for and against evaporating the server room.

Let's first clarify what I am defining "the cloud" to be today. The term is used to describe anything connected to the information superhighway and while we could argue the semantics, for this article we will say that "moving to the cloud" means that you will no longer manage some or all of those servers. If done correctly and you successfully eliminate all servers, you could stop cutting checks for network staff and potentially even do away with your chief propeller head so that your business is purely run by those who understand it best.

It is a grand idea and has made the playing field a little more level for small businesses. A shop with fewer than 50 employees should seriously consider not having any servers in house and avoiding the need to hire any purely technology staff. Find an outside consultant to handle workstation, phone and tablet setup and the help desk, and your business can focus on its core mission. Unless you are in the tech business, you should avoid it and let the experts run that stuff.

If you happen to be one of the fortunate (or unfortunate) souls who is managing a business that is growing (or shrinking) its FTE (full time employee) count by double digits annually, then that is another reason to focus on cloud options. They are quick to scale and you can typically make a quick phone call to increase or decrease your license count.

For everyone else, though, this decision requires a little more thought. It is critical to see beyond the (ahem) cloud created by the hype and acknowledge the disadvantages of server evaporation.

The Cost

Cloud servers and support cost more than keeping them in-house. Companies have a vested interest in moving you off in-house servers because they want to control every part of the process, and when a tech company wants you to move they have a way of fudging the numbers. They will advertise how much you will save because you will not have to buy hardware, operating systems, applications, server space, cooling and tech staff - and their figures will quote the most expensive scenario for each of them to compare against their low monthly cost. They will quote you a per user, per month cost to make it seem like it only costs a few dollars. The more employees you have, the more extra money you will pay for the privilege of not having that hardware.

For just one example, let's pick on the popular hosted Exchange Server. One of the biggest sellers is Rackspace, which can get you out of managing that Outlook box for a mere $10 per user per month, with discounts for more than 50 employees. Let's assume you have 100 employees and pay only $8 per month. (8 * 12) * 100 = $9,600 a year.

It is good to think of technology investments over their lifespan. While a new server and software could last 7 years today, let's assume you want your tech to be fresh - so let's assume you throw away all tech hardware and software every 3 years. Moving that one server to the cloud is a $28,800 cost.

The cost of putting an Exchange Server 2013 box in-house for 100 users over that three (or four or five or six) year span, assuming you do not have any hardware or software licenses - we will round up and assume zero discounts: Windows Server ($1K), Exchange CALs ($8K), Exchange Server 2013 ($4K) and the hardware ($5K). So ... Less than $18K. Add another $2K to have a consultant install it for you and your employees, and you will easily save one third of your money. Again ... the more staff you add and the longer you keep the investment, the more you save.

Performance / Availability

Cloud products put you at the mercy of your internet connection and the reliability of the provider. Even Microsoft has had their entire Office 365 cloud go down before. Amazon is the biggest cloud provider out there and they have outages seemingly every month.

Now, if your internal server infrastructure is regularly having unplanned outages (then sack your tech person) and your internet connection never goes down, then you can ignore this word of warning entirely. But most businesses have a server setup that virtually never has any problems, and you are almost guaranteed an occasional blip when you do not have the box on premises.

Security

Cloud services may be no more likely to keep customer data secure than your internal server. All of the biggest names in the software world (Apple, Amazon, Google, Microsoft, Facebook) have been hacked on numerous occasions. This is not because they are doing a poor job at securing the servers - it is because they are huge targets. The bad guys go after what they know and/or whatever will reward them.

If you keep your information on an internal server behind a competent modern firewall, then odds are your customers' bits of data are safer than if you had your infrastructure in the cloud. That is because the data is mostly kept just on your network. The advantage of not having the servers in house is that you can access the data anywhere, but that also means the hackers can access it anywhere. And if you are keeping them on Amazon's servers (for example), then that just happens to be a place they are trying to break into anyway.

That said - security is also a reason to get rid of the servers, if you make certain that the provider is responsible for any hack into their network. Unfortunately, almost all of them will require that you sign an agreement that holds them harmless and essentially nullifies any possible security advantage they might have.

Competitive Advantage

When you toss your applications into someone else's hands you have decided to use the technology in the exact same way everyone else has. By managing your own servers, with a tech person or two that understand your business, you can create some custom functions that your competitors do not have. While you may not be in the tech business, everyone in the world uses this stuff and customers often select a business because they are better at it than anyone else. Those internal servers and the custom workflows or custom applications you have created can improve productivity and potentially be a huge selling point. Name it, market it and use it to sell your products and business.

Microsoft Office

My final note is an area where moving to the cloud, or to another product, could save every business money: Dump Microsoft Office. This is the software product that brings in most of Microsoft's profits and allows the company to start giving away Windows 10 for free. Using FreeOffice, OpenOffice, WPS Office, Google Docs or LibreOffice could easily save a company $10K per 100 employees every year. The problem is that nearly every person in the universe knows Microsoft Office, and abandoning it is a difficult pill to swallow. But, if your goal is to save money (OpenOffice) or to fully embrace the cloud (Google Docs), then there are some huge savings that could await you by not using this one little Microsoft product. Just be aware that you will be in a very limited crowd if you go down that road.