Using Password Managers as a Consultant

As an independent consultant, I value my customers’ security, particularly around their data.

Why use a Password Manager?

I love data and I believe in protecting it. I believe in trying to fix the people and process aspects of security. So that means I need to think about how to give my customers access to artefacts safely.

Sometimes I set up trial solutions on Azure, such as Azure Virtual Machines, for my customers. I do believe that Azure is secure. However, we know that people and processes are often to blame for cybersecurity breaches. Since I’m dealing with customers and their data, how can I best get their usernames and passwords to them if I am not with them in real life? This applies to all sorts of technologies: Power BI accounts if I’m setting up trials, logins for Azure SQL Database along with the database server details, and so on.

I started to look at Password Managers so I could share details securely with customers. I had a look at two main Password Managers: LogMeOnce and LastPass.

TL;DR I chose LastPass because LogMeOnce had niggles which bugged me, and LastPass was a cleaner, nicer interface that felt more professional for my customers. It boiled down to three things:

  • Do you want to have a browser extension?
  • Conflict between LogMeOnce and Pinterest Add-ins for Chrome
  • Sharing Passwords was a breeze

In terms of security, they don’t differ that much in terms of their integrity.

However, people don’t always use software for its integrity; they use things that they like. Although we are moving towards being data-driven, we are still driven by our gut in a lot of ways.

Do you want to have a browser extension?

LogMeIn insists on you installing a browser extension so you can log in to get to your passwords. LastPass does not require a browser extension, and, for customers, this is much easier. Whether you like it or not, installing a browser extension is hassle. It’s extra steps that prevent you from getting to what you need to do, and users do not like extra steps. I also noted that LogMeIn didn’t seem to work when it launched itself from within the browser. If I logged in from the extension at the toolbar, it was OK. However, if I tried to log in as an action in response to its challenge ‘Do you want to save this password?’, this didn’t seem to work for me; it just hung. I suspect that this may be due to a conflict with another add-in, but I never got to the bottom of it. It just meant I had to log in to the browser extension and redo the password saving, which felt very manual and added extra steps to my day.

Can I change those passwords automagically for you, Madam?


LastPass Auto Changer is amazing. LastPass will automatically log into your sites and change your passwords for you. Since I had a bazillion sites, it took some time to do it but it worked perfectly. Props to the person who thought of it. Awesome job. It’s like a password butler that takes care of this job for you. I’ve scheduled a note in my diary to do this activity once a month so I can keep on top of password management.

 

Conflict between LogMeOnce and Pinterest Add-ins for Chrome

I use Pinterest a lot. I love it. I use it to save technical diagrams and infographics about topics I’m interested in; everything from Big Data right through to soft furnishings from my home. This annoyance occurs in Chrome, when you have Pinterest installed as a Chrome Add-in. You already need the LogMeOnce add-in, so this means I have both add-ins.

When you go to the LogMeOnce website, it whacks up a great big picture advertising its services. Pinterest cheerfully recognizes that it is a big picture, and it offers to save it. Unfortunately, the Pinterest ‘button’ to pin the page is right over the ‘Close’ ‘x’ button for LogMeOnce so you can’t close the LogMeOnce picture advert/challenge. Can you believe it? The LogMeOnce button is a tiny button and it is only in one place, so it gets obliterated by the Pinterest button.

God knows how many times I’ve saved the LogMeOnce advert to Pinterest, just to get rid of the Pinterest button. Usually I have to wait until Pinterest takes the hint and stops trying to save the page. It’s only then that I can get around to the LogMeOnce page and I can close the advert, and FINALLY I get to log in.

I’m too busy for all that.

Sharing Passwords was a breeze

I can share Passwords with both LogMeOnce and LastPass. However, the LogMeOnce niggles meant that I didn’t want to try to get customers to use it as well. LogMeOnce doesn’t work with Edge but LastPass was fine with it. It means I can give the customers a shared password, and they can log into LastPass however they like, and without installing an add-in.

I thought LogMeOnce was fine but these user niggles put me off it. I guess, at heart, we are all just naive users who want to get things done as quickly as possible and LastPass won here because it offered simplicity, whilst seeming to balance my ‘busy-ness’ with an ability to keep my passwords secure at the same time.

I am not a security expert but I do have to think about data security. What do you think? Do you think I made the right choice? What would you recommend?

 

 

 

 

 

Note to Self: A roundup of the latest Azure blog posts and whitepapers on polybase, network security, cloud services, Hadoop and Virtual Machines

Here is a roundup of Azure blogs and whitepapers which I will be reading this month.

This is the latest as at June 2014, and there is a focus on cloud security in the latest whitepapers, which you can find below.

  • PolyBase in APS – Yet another SQL over Hadoop solution?
  • Desktop virtualization deployment overview
  • Microsoft updates its Hadoop cloud solution
  • LG CNS build a B2B virtual computer service in the cloud
  • Deploying desktop virtualization
  • Microsoft updates its Hadoop cloud solution
  • Accessing desktop virtualization
  • The visualization that changed the world of data
  • Access and Information Protection: Setting up the environment
  • Access and Information Protection: Making resources available to users
  • Access and Information Protection: Simple registration for BYOD devices
  • Success with Hybrid Cloud webinar series
  • Power BI May round-up
  • Access and Information Protection: Syncing and protecting corporate information

Here are the latest whitepapers, which focus on security:

 
  • Windows Azure Security: Technical Insights. Update to the Security Overview whitepaper which provides a detailed description of security features and controls.
  • Security Best Practices for Windows Azure Solutions. Updated guidance on designing and developing secure solutions.
  • Windows Azure Network Security. Recommendations for securing network communications for applications deployed in Windows Azure.
  • Microsoft Antimalware for Azure Cloud Services and Virtual Machines. This paper details how to use Microsoft Antimalware to help identify and remove viruses, spyware, and other malicious software in Azure Cloud Services and Virtual Machines.

Joining the Digital Dots: What’s your worst data storage story?

    What’s your worst data storage nightmare? Feel free to comment, I’ve got a few, but I do have a personal favourite.
    A few years ago, I visited a company who wanted to talk Business Intelligence to me. In order to get an idea of the quality of their technical estate, I started to ask about their existing processes about the data. For example, how do they back up their SQL Server databases? What do they have in place for storing data now, and what are their future plans for SQL Server?

    Well, it turned out that they had a very mysterious plan for storage. They placed backup on a USB hard drive, which was located on their premises – but that was their only data storage facility for backup. The killer for me was that, when the USB drive was full, they started to back up data to the receptionist’s computer because ‘it wasn’t busy during the day’.

    I am sure, dear reader, I don’t need to tell you what’s wrong with this storage ‘strategy’, but let’s list a few ideas out…

    Simply put, having everything on the premises was a bad idea since the data was business critical. Further, if their premises were ever burgled, the first thing that would disappear would be the receptionist’s computer given its proximity to the front door. Given that the USB hard drive was being shunted from desk to desk and easily accessible (and pinchable!), this could only be considered a temporary dumping place for data at best.


    The resolution was simply to offer the customer a cloud storage strategy, which they could easily afford and put in place quite simply. This was a nimble solution for a small to medium enterprise, who can’t afford the data centres and other facilities of larger organisations.  This is what happened, and the organisation was quite happy once they’d been advised properly, and understood the cheapness of the cloud solution versus losing all their data due to critical loss, theft or simple plain bad luck.

    Looking at data is no longer about looking at only one technology, a ‘one size fits all’ solution. Knowing about the storage is a critical part of looking after data, and there are plenty of options to help organisations to sort themselves out with a strategy on storage.

    Since I run into these horror-story SQL Server customer scenarios quite often, I was happy to see that there are plenty of solutions around that will help. Azure offers Windows Azure Backup, which helps organisations to protect important server data off-site with automated backup to Windows Azure. Another option to consider is Cloud Integrated Storage, which organisations can leverage so that they get ‘the best of both worlds’ – a balance of cloud and on-premise storage. Microsoft have a spin-off company, called StorSimple, who can help you to achieve cloud integrated storage.

    As a technical influencer in your organisation, you’ll need to know about the options available to you. If you like an in-person event, please take a look at the Cloud OS Community Relay, which is holding free training days on Windows Server 2012 R2 and System Center 2012 R2. These are the ‘latest and greatest’ from Microsoft, and you can find more information here about the Cloud OS Community Relay. It’s organised by MVPs for the community, and I’m one of the UK MVPs helping to organise SQLRelay.

    You might be interested to know about the SQLRelay events, which are more SQL Server focused and run alongside the Cloud OS Community Relay. You can find out more here, or if you’d like to come to the Hertfordshire event on 15th November, please take a look here. In the meantime, I’ve put some information about StorSimple below in case you’d like to take a look.


    Cloud Integrated Storage: StorSimple
    StorSimple cloud-integrated storage provides primary storage, backup, archive, and disaster recovery, combined with Windows Azure. This allows you to optimize total storage costs and increase data protection and service agility. With StorSimple, you can integrate the public cloud with on-premises storage to reduce datacenter infrastructure complexity, maximize data protection, reduce overall storage total cost of ownership (TCO) by 60-80%, and provision storage more rapidly to reclaim IT time cycles.

    MSMDPump.dll connection to SSAS

    I was asked recently if it is possible to create HTTP msmdpump.dll (Per user identity) connection to an SSAS cube.

    Microsoft have produced a White Paper by Edward Melomed, which covers the topic in SQL Server version 2005. However, the architecture is the same in SQL Server 2008, and you should be able to extrapolate from one version to the other.

    I won’t repeat Edward’s excellent paper; instead, I’d like to refer you to his White Paper, which you can find here.

    Item Level Role permissions in SSRS 2008

    SSRS 2008 provides a number of default item-level roles, listed here:

    Browser

    May view folders, reports and subscribe to reports.

    Content Manager

    May manage content in the Report Server. This includes folders, reports and resources.

    My Reports

    May publish reports and linked reports; manage folders, reports and resources in a user’s ‘My Reports’ folder.

    Publisher

    May publish reports and linked reports to the Report Server.

    Report Builder

    May view report definitions.

    The individual permissions of each role can be found in the following table. Hopefully this will help to see the increasing progression of permissions ascribed to each role.

    Browser

    Publisher

    Report Builder

    My Reports

    Content Manager

    Consume Reports

    Yes

    Yes

    Create Linked Reports

    Yes

    Yes

    Yes

    Manage All Subscriptions

    Yes

    Manage data sources

    Yes

    Yes

    Yes

    Manage folders

    Yes

    Yes

    Yes

    Manage individual subscriptions

    Yes

    Yes

    Yes

    Yes

    Manage Models

    Yes

    Yes

    Manage Report History

    Yes

    Yes

    Manage Reports

    Yes

    Yes

    Yes

    Manage Resources

    Yes

    Yes

    Yes

    Set Security for Individual Items

    Yes

    View Data Sources

    Yes

    Yes

    View Folders

    Yes

    Yes

    Yes

    Yes

    View Models

    Yes

    Yes

    View Reports

    Yes

    Yes

    Yes

    Yes

    View Resources

    Yes

    Yes

    Yes

    Yes

    It is possible to create a custom role by copying an existing role, and modifying it. Note, however, that if you make amendments to the original role, this will not be cascaded to any amended copies of the role.