Terrible passwords outlawed in Microsoft’s new Azure tool

Kudos to Microsoft for heading down this path and taking one more step closer to better password security.  It is still not a perfect world scenario, but it is better than the basic controls inherent to the OS.


Google Rolls Out Advanced Protection for High-Risk Users

This is an excellent step forward in the effort to protect sensitive Google data. U2F is a strong, reliable authentication mechanism and will afford Google more flexibility as this program moves forward. There are certain limitations with mobile devices and third-party applications that will need to be navigated, but if someone finds himself or herself in a highly sensitive or high-risk situation, then this is the best security option available to date for the Google email ecosystem.


Security’s #1 Problem: Economic Incentives

This article is a very intriguing read. The economics of software are hard, whether the applications are public-facing and for resale or the development is internal to an organization. Security is far too often an afterthought or a nice-to-have in the development cycle. True DevOps programs and security officers should partner. Instead, they compete.

Sadly, the only real mechanism that addresses these problems today is fear – fear of penalties and fear of non-compliance.  We should be motivated by security itself – a desire to protect customer data, to provide a more secure, robust service.  It will take consumers willing to demand such a high-caliber standard before the market will adjust and the economics will justify a more mature, secure development cycle.


Verizon Report: Businesses Hit with Payment Card Breaches Not Fully PCI-Compliant

Companies struggle to maintain PCI compliance within a year of meeting it, according to a new payment security report by Verizon.

Sadly, this is not surprising. Many businesses are chasing compliance and not seeking real security. They are trying to check boxes and not secure data. True data-centric security requires dedication and effort. It is not a package to purchase or a spreadsheet to fill out.


CIPA Compliance and Cybersecurity: You Can’t Have One Without the Other

Though unabashedly sales-centric, this blog post by Fortinet provides a good overview of the intentions and goals associated with CIPA (Children’s Internet Protection Act). It is well worth a read as both a parent and a potential technology provider in the K-12 space.