Posts Tagged 'Certification'

December 30, 2011

The Pros and Cons of Two-Factor Authentication

The government (FISMA), banks (PCI) and the healthcare industry are huge proponents of two-factor authentication, a security measure that requires two different kinds of evidence that you are who you say you are ... or that you should have access to what you're trying to access. In many cases, it involves using a combination of a physical device and a secure password, so those huge industries were early adopters of the practice. In our definition, two-factor authentication is providing "something you know, and something you have." When you're talking about national security, money or people's lives, you don't want someone with "password" as their password to unwittingly share his or her access to reams of valuable information.

What is there not to like about two-factor authentication?

That question is one of the biggest issues I've run into as we continue pursuing compliance and best practices in security ... We can turn on two-factor authentication everywhere – the portal, the VPN, the PoPs, internal servers, desktops, wireless devices – and make the entire SoftLayer IS team hate us, or we can tell all the admins, auditors and security chiefs of the world to harden their infrastructure without it.

Regardless of which direction we go, someone isn't going to like me when this decision is made.

There are definite pros and cons of implementing and requiring two-factor authentication everywhere, so I started a running list that I've copied below. At the end of this post, I'd love for you to weigh in with your thoughts on this subject. Any ideas and perspective you can provide as a customer will help us make informed decisions as we move forward.

Pros

  • It's secure. Really secure.
  • It is a great deterrent. Why even try to hack an account when you know a secondary token is going to be needed (and only good for a few seconds)?
  • It can keep you or your company from being in the news for all the wrong reasons!

Cons

  • It's slow and cumbersome ... Let's do some math: 700 employees at 6 logins per day on average means 4200 logins per day. Assume 4 seconds per two-factor login, and you're looking at 16,800 extra seconds (4.66 hours) a day shifted from productivity to simply logging into your systems.
  • Users have to "have" their "something you have" all the time ... Whether that's an iPhone, a keyfob or a credit card-sized token card.
  • RSA SecurID was HACKED! I know of at least one financial firm that had to turn off two-factor authentication after this came up.
  • People don't like the extra typing.
  • System Administrators hate the overhead on their systems and the extra points of failure.

As you can start to see, the volume of cons outweighs the pros, but the comparison isn't necessarily quantitative. If one point is qualitatively more significant than two hundred contrasting points, which do you pay attention to? If you say "the significant point," then the question becomes how we quantify the qualitativeness ... if that makes any sense.

I had been a long-time hater of two-factor authentication because of my history as a Windows sysadmin, but as I've progressed in my career, I hate to admit that I became a solid member of Team Two-Factor and support its merits. I think the qualitative significance of the pros outweighs the quantitative advantage the cons have, so as much as it hurts, I now get to try to sway our senior systems managers to the dark side as well.

If you support my push for further two-factor authentication implementation, wish me luck ('cause I will need it). If you're on Team Anti-Two-Factor, let me know what the key points are when you've decided against it.

-@skinman454

November 14, 2011

My Road to LPIC-1 Certification

I've been a Linux user for many years, but for various reasons I never bothered to get a certification even though it's a fantastic validation of Linux skills. When I moved up in the world by joining SoftLayer, my attitude quickly changed.

As a new Systems Administrator at SoftLayer, one of the first challenges I was presented with was to try for my LPIC-1 certification. True to SoftLayer's motto of "Challenging, but not Overwhelming," I was given 3 months, a practice environment and reimbursement for my fees if I passed the tests. With an offer like that, it was impossible to refuse.

The LPIC-1 tests are not easy, and it took a lot of work to pass them, but if you're interested all you need to succeed is a solid background in Linux and the time to dedicate to preparation. Here are some of the things I learned along the way:

  1. Don't attempt the LPIC-1 exam unless you have at least a couple of years' worth of hands-on Linux experience. Seriously, it's not for newbies.
  2. Acquire at least two test-prep books, and read one of them every day. I used O'Reilly's LPIC-1 Certification in a Nutshell and LPIC-1 In Depth by Michael Jang. Both are easy to read, have good explanations of concepts you need to understand, and provide valuable tips in addition to practice exams.
  3. Set up a practice environment. It's essential for reviewing commands you may not be familiar with.
  4. When you think you are ready for the first exam, take a few free practice tests online. There are a number of them available.
  5. I didn't buy any test-prep software, but I did download a couple of trial versions as they offered some free practice questions.
  6. Take all of the practice exams available to you several times each. You'll get more comfortable with the format of the test questions and will also learn which areas you need to revisit before the actual test.

After earning the LPIC-1 certification I received a nice surprise in my mailbox along with my certificate. Apparently Novell and the Linux Professional Institute have a partnership: By earning the LPIC-1 I had also satisfied the requirements for Novell's Certified Linux Administrator (CLA) certification, so now I can enjoy the benefits of having two IT certifications for the price of one and I have SoftLayer to thank for it!

-Todd

July 14, 2011

Skinson 1634AR15 Compliance

Skinson's 1634AR15 Competency Controlled Certification of Compliance
New Compliance structure makes a compliance officer's life much easier.

Dallas -- In a world where auditor to auditor reports are out of control and we have a mountain of complex compliances to worry about, one competent compliancy controlled certification of compliance finally comes forth (and not a minute too soon).

"This new groundbreaking idea will change the lives of many competing auditing firms, law firms, accounting firms and so on," says Steve Kinman. "I spend countless hours reading controls for one report and different controls for another report, and the only difference is the verbiage and format."

The new Skinson 1634AR15 Certification combines your SAS70, SSAE16, ROC, VOC, SOC, NIST, SARBOX, PCI, OMB, ACART, CFDA, HIPAA and SAFE HARBOR compliance into a single report using a set framework that automorphs based upon which auditor is touching the report or viewing it in the state of the art Skinson Portal.

"The Skinson portal is mind-blowing," says Val Stinson. "The automorph feature is something straight out of the movies. It knows who is reading and can change the wording on the fly. This keeps auditors from scratching their heads when the words in the report don't match the words in their instruction book."

The introductory price for full Skinson 1634AR15 Compliance Certification is $1,000,000 USD. This is all-inclusive and will sufficiently cover all of your compliance needs.

Contact:
Steve Kinman
skinman@softlayer.com

About Skinson
Headquartered in Dallas, Texas, Skinson is a fictional company that likes to poke fun at the difficult job of compliance in the world. While we find that it can be overwhelming at times, we understand that compliance is a necessary evil. We would like to note that something like we dream about above would be very nice and would save the world a ton of work and cut down on our carbon footprint considerably. If you are in a position of control and can make the above happen please help us!!

On a side note, SoftLayer will do everything we can to help you with any compliance you need. Just ask your local sales team for help, and they will find the right person and get you in contact.

-@skinman454

P.S. The actual reason for this blog post is that we just announced that the control procedures and compliance for our 11 data centers have been verified in a Service Organization Control Report (SOC 1) prepared under the terms of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) by independent auditing firm Weaver.
