Use [all] the tools available to you

Generally speaking, we don’t call anybody out directly here.

Generally speaking…

But c’mon MLB! Your password requirements are 8-15 characters with NO SPECIAL CHARACTERS? It isn’t that special characters aren’t required; you simply cannot use them at all.

And it isn’t just MLB, nor is it just about password complexity requirements. It is more about using all the tools and security measures available to you, your business, and your clients.

Consider this: imagine logging in to your bank account and having the ability to transfer or wire money out of your account. Pretty strong stuff, right? You, as a customer, would definitely want to enable MFA at the very least. However, the question now becomes this – why should you have the ability to do that on your own anyway? This falls under the principle of least privilege (big security words here) – or, in marketing terms, zero trust.

Why would you do this? And why is this considered a “tool” available to me?

Think of your house. It has a front door on it at the very minimum. Why do you have a door? Why do you have a lock? Why do you have a deadbolt? All of these things are security measures to keep what’s inside inside, and keep those that shouldn’t be inside, out.

Having a limited number of doors in and out of your house is one way to limit access to your home. This is similar to the principle of least privilege. It simply means you’ve reduced the number of ways somebody could enter your home, and by adding a door, a lock, and a deadbolt you’ve added layers of security to that ingress/egress. The same principles apply to your network, business applications, and web applications.

Let’s add some complexity. ACME Corp makes 3 sizes of doggie doors: one for a chihuahua, one for a lab, one for a horse. You don’t own a dog. Why would you install any of them? Similarly, why would you provide access to features in your application, business, or infrastructure that you don’t truly need? And if there is a perceived need, is it really a need at all?

Let’s flip the script. Say you have a dog. Do you want the dog to have unrestricted access in and out of your home? Does it make sense to introduce risk to your property if you live in a high-crime area? Or maybe there is a raccoon problem? A 3AM wakeup call from the local trash-panda gang doesn’t sound very appealing at all! So again, is it a real need or a perceived need? Would it make more sense to take your dog on walks when needed? That works. Is the risk substantial enough to warrant not introducing such an egress into your home? The same thoughts and questions need to be addressed when considering the security posture of your application, business, or infrastructure.

One last thought. You’ve got the house, with a door, a lock, and a deadbolt – shouldn’t that be enough? That entirely depends. Where do you live? What do you have inside? How good is the door, lock, and deadbolt? Does it make sense to add motion lights outside? Or perhaps a Ring doorbell or some other camera? Perhaps an alarm? Besides the front door, is there anything important inside that needs to be secured? Jewelry? Bonds? Cash? Firearms?

The same holds true for your application, business, or infrastructure. What function, data, or IP are you protecting? What regulatory compliance requirements do you need to follow to protect that data? What is the risk to your business and clients should that data be accessed by unauthorized individuals? Do you need to provide multiple layers of protection and a combination of security measures to protect said data?

Consider this – all of my kids have keys to the house. None of them have keys to the safe. You need to approach your data the same way.
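To make the bank-transfer scenario and the keys-to-the-safe point concrete, here is an added example (not code from the original post, and not any real bank’s implementation) of an authorization check that layers least privilege, step-up MFA, and dual approval. The role names, action names, and the `authorize` function are all hypothetical; everyday roles get only the actions they need, and the highest-risk action needs both a fresh second factor and an approval from somebody other than the requester.

```python
from dataclasses import dataclass, field

# Constructed role model (hypothetical): each role is granted only the
# actions it truly needs. "viewer" is the kids with keys to the house;
# "owner" is the only role that can move money at all.
ROLE_PERMISSIONS = {
    "viewer": {"view_balance"},
    "owner": {"view_balance", "transfer_internal", "wire_external"},
}

# Layers on top of the role check, like the lock and the deadbolt:
# money movement needs a fresh second factor, and an external wire
# (the safe) additionally needs a second person to approve it.
STEP_UP_MFA_REQUIRED = {"transfer_internal", "wire_external"}
DUAL_APPROVAL_REQUIRED = {"wire_external"}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool = False  # True only after a fresh second factor


@dataclass
class Request:
    action: str
    approvers: set = field(default_factory=set)  # users who approved this request


def authorize(session: Session, request: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every layer must pass; the first failing layer is reported."""
    granted = ROLE_PERMISSIONS.get(session.role, set())
    if request.action not in granted:
        return False, f"role '{session.role}' is not granted '{request.action}'"
    if request.action in STEP_UP_MFA_REQUIRED and not session.mfa_verified:
        return False, "step-up MFA required for this action"
    if request.action in DUAL_APPROVAL_REQUIRED:
        # The requester approving their own wire does not count.
        independent_approvers = request.approvers - {session.user}
        if not independent_approvers:
            return False, "an approval from a second user is required"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample requests showing each layer denying in turn.
    print(authorize(Session("kid", "viewer"), Request("view_balance")))
    print(authorize(Session("kid", "viewer"), Request("wire_external")))
    print(authorize(Session("parent", "owner"), Request("transfer_internal")))
    print(authorize(Session("parent", "owner", mfa_verified=True), Request("transfer_internal")))
    print(authorize(Session("parent", "owner", mfa_verified=True), Request("wire_external", {"parent"})))
    print(authorize(Session("parent", "owner", mfa_verified=True), Request("wire_external", {"parent", "spouse"})))
```

The ordering matters: the role check runs first so a viewer never even reaches the MFA prompt for an action they should not have, and the dual-approval check discards the requester’s own approval so one compromised session cannot both request and approve a wire.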