Satya Nadella just fixed Microsoft’s biggest problem

For as long as I can remember there have been two Microsofts: Microsoft Sales and everyone else. It’s a split that exists in most tech companies, but those that are most successful at the moment have a different divide; Google is Engineering and everyone else, AWS is Engineering and everyone else, Apple is Product and everyone else.

But Steve Ballmer is a salesman and that philosophy fit the 90s’ tech scene fairly well, so Microsoft became Sales and everyone else and remained so even after Satya Nadella took over.

That’s finally changing.

Last week, Kevin Turner, the last of the Ballmer-era executives and the leader of Microsoft’s Sales org announced his departure from the company. Shortly after, Nadella announced that he was breaking the Sales silo apart.

It’s the best change he’s made at Microsoft so far.

Read the rest on

A local colo is not the place to start your cloud migration

If you’re in IT leadership, you’re probably getting flooded right now with salespeople from regional colos and managed services companies trying to get you on-board for their cloud services.

Most of those services are just rebranded flavors of what they’ve been offering for years — I’ve seen some ridiculous stuff where a three-year-server lease with colo hosting was being sold as “consumption-based cloud”. It’s a lot of desperate grasps at buzzwords from companies that are years behind the ball.

Cloud support is a terrible job, and that’s a good thing for security

Of all the arguments that people make against moving their workloads to AWS or Azure, lack of control of vendor staff makes the least sense to me.

“The cloud isn’t secure because we don’t control the hiring or their people.”

I still have an involuntary eye twitch from the first time I heard this.

“They could hire literally anyone off the street and they could get access to our data.”

I think the reason it bugs me so much is that it is based on so many faulty assumptions — that your internal hiring practices are awesome, that your processes and controls are awesome, that you have as much control over your staff or environment or literally anything else in the world as you think you do.

It’s a comfort thing, but like a lot of comfort things, it’s based on premises that aren’t real.

Read the rest on

Don’t stop at IaaS

Two years ago, I sat in a room of engineers listening to a Microsoft instructor describe Azure’s Infrastructure-as-a-Service. One of the engineers who worked for a large retailer rolled his eyes at everything the instructor said. It was clear he wasn’t attending out of personal choice.

During one of the breaks, I asked him about what his company was doing with cloud and what he was hoping to learn about during the day. He confirmed my suspicion.

Read the rest at


Last year, Jarin Dykstra and I launched with the idea that it would be a little like The Wirecutter for enterprise IT products and services.

We created recommendations for Desktops-as-a-Service, Identity-as-a-Service, and several other categories with the hope that other IT people could leverage our research and testing to save time and have at least the outline of a path to the cloud.

While designing and building cloud IT for our current employer, we found ourselves constantly reaching for a lifeline that wasn’t there, so we wanted to be that lifeline for others. That’s still our goal, but we’re changing our approach.

Read the rest on

Do’s and Don’ts For Writing Online

If you were to ask me for one thing to do to advance your career, my answer would be: write.

Even if no one ever reads what you write, it’s worth it. Writing helps you think things through and work out problems, both personally and professionally. Over time, it also makes you a better communicator, more able to get your ideas onto the table and acted upon.

Putting your writing online helps you connect with people. It drives conversations that make you think and revisit your assumptions. If you establish a unique voice and present solid ideas, it’s also a really good way to market yourself.

Ultimately, I think that writing makes you a better person, someone who is more self-aware and able to empathize with others.

I’ve been writing online off and on for more than fifteen years, working as a freelance copywriter for some of that time. Here are a few things I’ve learned along the way that I try to improve upon every time I write.


Write like you talk. The world is clogged with overly formal academic- and corporate-speak. Formality and circular language put a wall up between you and the reader. Peppering in $10 words when 2 cent words work just fine doesn’t make you look smarter . It makes you look like a blow-hard who isn’t worth listening to and shouldn’t be trusted.  Here’s an example:

If, for a while, the ruse of desire is calculable for the uses of discipline soon the repetition of guilt, justification, pseudo-scientific theories, superstition, spurious authorities, and classifications can be seen as the desperate effort to “normalize” formally the disturbance of a discourse of splitting that violates the rational, enlightened claims of its enunciatory modality. – Homi K. Bhabha via The Bad Writing Contest

If you can figure out what Mr. Bhabha is trying to get across, you are smarter and more patient to me. I made it to “ruse of desire” before I started zoning out. It could be that he is saying something really profound, but no one will ever know because he wanted to be smart and fancy more than he wanted to express his idea.

There are times to jump into the deep end of English to pull out words that are beautiful and complex, but hammering people over the head with your word choices tends to dull your message.

Be clear and concise. I’m not advocating that you dumb things down, only that you need to be clear in what you express. Even if you use simple language, you can write a maze that’s difficult for people to follow.

Read some Ernest Hemingway, then read Charles Dickens. It depends on the subject and your personal voice, but using the razor-sharpness of Hemingway’s short, direct sentences often conveys more information than Dickens-style paragraphs.

Start simple, cut your ideas to the bone, then add meat if needed. Everything else is dead weight that gets in the way of understanding. You may end up at Dickens if that’s what’s needed to get your idea across, but start with Hemingway.

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way – in short, the period was so far like the present period, that some of its noisiest authorities insisted on its being received, for good or for evil, in the superlative degree of comparison only. – Charles Dickens


Sometimes things are good and bad at the same time, and that can be confusing. – Me

Be honest. This doesn’t just mean “tell the truth.” It also means “be yourself.” The closer you can get to “yourself”, the more compelling your writing will be.  It’s scary to be honest, because you start expressing things that matter to you and make you feel (and look) vulnerable.

If you’re angry, happy, sad, or scared, express it. If you’re uncertain, even better.  It doesn’t matter if you’re journaling or writing professionally, let the doors open, even if it’s just a little. That’s not an excuse to rant or gush. It’s more effective to focus those emotions into surgical strikes that support the truth you’re telling without overwhelming it.

Showing that you are human creates a connection that helps people care about you and your writing. No one likes showing off their soft underbelly, but if you want an audience that cares, you’ve got to give them something.

Why else are songs about broken hearts so popular?

Admit when you are wrong. I screw up all the time. Last week I screwed up by not attributing a cartoon I used in a blog post to the artist. A couple of people called me on it. At first I was a little annoyed by being called out, but then I took a breath and said “You’re right. I screwed up.” and took the image down.

People often bring up angles I haven’t thought about in my arguments. I do my best to fold their feedback into my thought process and change course when needed. Sometimes that means retracting things I’ve written.

I do this for two reasons:

  1. I care about figuring out the truth of things more than “being right”.
  2. It’s more embarrassing to me to puff up and be dishonest than it is to say “I was wrong”.

The muscle you have to exercise in this is learning to let go of your ideas, both during and after you write. I don’t know how many times I’ve started writing something with a conclusion in mind only to do a 180 once I get a few paragraphs in – thinking the idea through and putting myself inside of the counter-argument forces me to let go of my idea and take hold of a new one.


Tie success to page views. The truth is, for every post you publish that gets thousands of readers, you’ll probably have written millions of words that almost no one read or responded to. Sometimes it feels a bit like shouting into a bottomless pit and it’s easy to get discouraged when you never hear an echo.

Even if no one is reading, keep writing. Write and write and write and write. Get comfortable with the idea that you may never have readers and learn to write for the sake of writing. The point when you stop caring is often the same point when you start getting readers. It just works out that way.

From time to time, go back and read your past writing. If you’re embarrassed by it, keep writing, because it means you’re improving. If you’re not at least slightly embarrassed by or frustrated with it, it’s probably OK to stop writing, because something is wrong – you’re either an egomaniac or you’re not getting better.

Forget to read. If you want to write well, you need to read. Immersing yourself in other people’s’ writing will help you identify strengths and weaknesses in your own writing.

Don’t limit yourself to a particular genre or type. Fiction, non-fiction, long-form, short, sci-fi and the classics – it all helps give you perspective and broadens your knowledge of what is possible.

Books about writing should be read with caution as they tend to steer people down rabbit trails where they spend all their time reading about writing instead of writing. There’s a danger in getting trapped in a search for “the secret” that will unlock your writing magic. However, used sparingly, some books about writing can be really helpful.

Here are a few that have helped me:

Be afraid to have an opinion. Take a stand. Don’t be so worried about people disagreeing with you that what you write is watered down, boring, and sounds exactly like everyone else. Why bother if you’re going to play it safe and generic?

People will disagree with you. That’s OK. If you’re writing stuff that no one would disagree with, it’s probably not very interesting.

One of the benefits of these disagreements is that they help you figure out who your audience isn’t. Something to keep in mind as well is that people who disagree with you are much more likely to respond than those who agree, so the negative voices will almost always outweigh the positive. If you need proof of this, look at Yelp.

There are people you will never be able to please, and you shouldn’t try to. It’s wasted effort. It’s OK to consider other people’s opinions, but focus your energy on the people who like your writing. In Seth Godin terms, those people are your tribe. Lead them.

You may be worried about turning off potential employers with your opinions, but consider this: if you have to hide who you are to work for someone, do you really want to work for them? If your views are polarizing, it may be a good idea to temper them a little, but if they are fundamental to who you are, you’re going to be miserable working for someone who would judge you for them.

Lastly, don’t feed the trolls. 

Some people will go past disagreement and try to drag you down with insults. It’s not worth engaging with them. Roll your eyes and move on. They just want a reaction and are starved for attention. Don’t give it to them.

Photo credit: Fredrik Rubensson

Oklahoma City will never be a tech hub


When people talk about tech communities, they tend to have the coasts in mind – Silicon Valley, Seattle, Boston, Brooklyn. Few cities in the middle of the country stand tall as pillars of tech – Austin, Dallas/Fort Worth, and increasingly Kansas City and Omaha being the exceptions.

I know a lot of people who want Oklahoma City to join that club, to be a place where startups prosper and talent gravitates towards. It’s something I want too.

But, given current conditions, Oklahoma City will never be a serious tech hub, because Oklahoma City is in Oklahoma.

“What are these ‘priorities’ you speak of?”

While Oklahoma’s infrastructure decays and our schools are being shut down due to lack of funding, our legislature is busy moralizing and drafting reactionary, idiotic laws that anyone with even a middle schooler’s understanding of constitutional law would immediately recognize as indefensible.

Bridges and roads are literally falling apart. Schools are closing and already underpaid teachers are being laid off in a system that is 48th in the nation. Mental health services and poverty assistance have been completely gutted.

Core services are in a death spiral, yet the state legislature seems determined to spend all their time banging their heads against a wall instead of addressing actual problems. I’m not sure what litmus test they are using but it’s certainly not “Who does this help?” or “What does this improve?” or “What problem does this solve?”

It’s a continual cycle of:

  1. Pass law
  2. Law challenged, millions of dollars wasted
  3. Law struck down
  4. Return to line 1

Whether you agree with the ideas behind each piece of legislation or not, it would be hard to argue that repeating the same process over and over and expecting a different result is a sane tactic.

Attracting tech talent

Building a strong tech community is at least partially about attracting and retaining talent. Oklahoma City is doing a decent job of that right now, but the state is failing miserably.

I’ve heard several people say that Oklahoma City is becoming the “Austin for tech people with families”, which I think misses the mark. Austin is “Austin for tech people with families.” Oklahoma City is turning into “Austin for people who don’t care about having nice things or their children getting a decent education.”

It doesn’t matter how much OKC progresses or improves when everything around it and connected to it is burning to the ground.


Look on Twitter and Reddit and you’ll find tech people anguishing over whether or not they should stay in Oklahoma. I’m faced with the same question, even more so now that I have a child. I wake up every day asking “Is it worth it?” and “Is there anything I can do to make this better?”

Unfortunately, the answer is increasingly, “no”.

I have family and friends here. My wife and I have built a life here. Neither of us really wants to move, but we also want the best for our son and the prospect of that being Oklahoma is dimming.

At this point, I honestly have no idea what to do. I vote. I write letters and make calls. I work within my sphere of influence to make things better, but it’s like chipping away at a boulder with a plastic fork. None of it seems to help and that’s both tiring and heartbreaking.

What IT departments can learn from a Chick-fil-a drive thru

I’ve found that if you pay attention, there are lessons hiding almost everywhere you look. Sometimes it takes a bit to catch on, but the world is rich with things to learn.

Let’s take the standard fast food drive thru as an example.

If you go through a drive thru, the process normally goes like this:

  1. You get in line behind other cars and wait.
  2. Once it’s your turn in queue, you place your order through an intercom in front of a big menu.
  3. Once it’s your turn in queue, you pay for the order.
  4. Once it’s your turn in queue, you receive the order.

This design works pretty well, especially for restaurants that are slow to moderately busy. Because of that, it’s become the universal standard for U.S. fast food restaurants.

But if you’ve been to a Chick-fil-a lately, you may have noticed they are doing something a little different with their drive thrus.

Chick-fil-a problems

There are generally two problems I encounter at Chick-fil-a.

  1. I usually only think about going there on Sundays, when they are closed.
  2. Most Chick-fil-a franchises are ridiculously busy.

Ignoring the first, let’s talk about the second problem and its ramifications.

What do we do when we drive past a restaurant with a packed parking lot or a drive-thru line that extends into infinity? Most of us keep driving and go elsewhere.

Restaurant owners generally want their stores to be busy. More customers === more sales, after all. However, “too busy” is a problem for low-margin, competitive businesses like fast-food where you can’t throttle demand with price. Customers who go somewhere else because they don’t want to wait are lost sales.

Surviving on low-margins requires selling at scale, which an individual restaurant can address one of two ways – make the store bigger, or make the store faster.

Bigger isn’t an option most of the time. Developers cut restaurant pads in standard sizes and would rather have more tenants than sacrifice space for a fast food tenant who wanted to build a bigger store.

So that leaves faster.

The Chick-fil-a solution

A few months ago, I went to a Chick-fil-a at lunch and instead of submitting my order at the menu intercom, I was greeted by a worker with an iPad who followed along beside my car while I proceeded in line.

The rest of the process was the same as usual. I paid at the window, received my food, and drove away thinking “that was weird.”

On my next visit, the worker with the iPad took my order and my payment and printed a receipt on a mobile printer. Looking at the line of cars, I thought, “Hmm, this is actually making the line move a little faster.”

The next visit? A worker took my order and payment and provided a receipt, while following my car. Then a second worker brought my order to me while I was still in line.

During my last visit, a third worker came into the process. Worker A took my order and payment, Worker B provided me with a receipt, and Worker C brought the order to my car.

Driving away it occurred to me that at no point in the process had my car stopped. The Chick-fil-a drive-thru was a continuous flow. Their throughput at the height of lunch hour seemed to be double what it had been.

“Holy sh*t! They’re using lean for a drive-thru.”

Across all my visits I had been watching them measure, identify bottlenecks, and iterate their system.

How this applies to IT

Seeing lean concepts at work in a drive thru reinforced to me that lean design can be used for almost any process.

In the case of Chick-fil-a, they had acknowledged the exponential effects of bottlenecks and moved outside the kitchen. Everytime a car stops, even if it is just for a few seconds, adds up and impacts the overall throughput of the system. So they attacked the bottlenecks and achieved constant flow – the dream of any factory manager.

IT faces the same challenges. Ticket queues, individual resources, and manual tasks are all bottlenecks. They slow down the system, causing work to pile up, and limiting how fast the business can adapt and deliver.

The old style of managing IT was to go big and throw people at problems. “Project not going fast enough? More people.” “Tickets piling up? More people.”

No one wants to do that anymore nor are they willing to. “More people” doesn’t work, it doesn’t scale. You’re not going to get more people.

Your recourse is to work faster, which doesn’t mean cracking a whip behind your workers and yelling “Mush!” That only works temporarily and ends up costing a lot of time and money when you have to replace your team.

You move faster by embracing lean. Identify bottlenecks, resolve them, and automate or do away with the low value cruft that’s clogging up the assembly line.

Bringing lean practices and DevOps to the datacenter and app stack is only the starting point. We can bring the value of our competencies in data, processes, and automation to problems IT people have traditionally ignored.

We need to be willing to look at everything, anywhere in the business. The future of IT isn’t to go big, it’s to chop away all the small things – to help the business flow and accelerate.

Photo: Mike Mozart

Building a better salesperson

My first tech job was with a regional VAR (value added reseller). I started in phone support, then moved up to bench tech, then to field engineer – a path that increased my exposure to customers and the rest of the business with each move.

I liked the technical work and helping people with their problems, but as I began to notice the sales engine that was at work around me, I started to dread coming to work.

Over time my reaction to the projects the owner and salespeople would bring to me went from “Yes, I’m on it!”, to “Huh, this is kinda weird.”, to “WTF is wrong with you people!?”

I found myself having conversations like:

Me: “Yes, we could upgrade every part in the customer’s PC, but wouldn’t it be better and cheaper for them to just buy a new computer?”

Salesperson: “Just put in the upgrades. It’s a big sale.”

Owner: “Go to their office, install this drive, and setup backups for them.”

Me: “Umm, we’re selling this? It’s 3 years old and the box is covered in dust.”

Owner: “It’s what we have in stock.”

Me: “But these things are worth like a 100th of the price on this invoice.”

Owner: “They don’t know that.”

Salesperson: “Can you look over this bid for these school lab computers?”

Me: “Why are you putting $1000 video conferencing codec cards in them?”

Salesperson: “Because we already have them and the grant allows it.”

By the end, I wanted to burn the building down with everyone locked inside. At the time I thought my experience was unique, that my employer was just particularly evil.

That was, of course, stupid. I was new to the workforce and naïve. Working for that VAR gave me the first insight into a cancer that is easily spread into any sales org.

Cracks in the system

Sales is an important job and I have met some amazing salespeople who are both good at their job and good at being decent humans. But sales is usually a pay for performance role which has inherent flaws, at least in the way it’s structured for most companies.

Quota-driven motivation tends to isolate the salespeople on a team and can lead to acts of desperation. Even some team-based quota models drive a culture of “every man for himself” that can never end well.

Traditional quotas recreate the cutthroat conditions of a medieval bazaar and living day-to-day in a system of “I must sell five more goats or my family will starve.” has an effect on the morality and judgement of an individual. How can it not?

I feel sympathy for people stuck in this situation. They have mortgages, kids to feed, whatever else and they feel like they don’t have the convenience of always fighting to do the right thing. It’s a crummy place to be – to have a moral compass and not be allowed to follow it.

In general, I find performance-based compensation off-putting.”You sell more, you make more.” makes sense and works pretty well on a small-scale, but crank it up to multi-million-dollar-mania levels and you’ve self-selected for a certain psychology.

The worst of humanity reveals itself when you put a bunch of people in a room who tie their level of effort to how much money they make. Extrinsic motivation is the stuff of pyramid scheme tycoons, politicians, and serial killers.

The status quo is ugly

On the customer side, I have multiple conversations a week that go a little like this:

Me: “In detail, here is the problem I am trying to solve. Could your widget help fix that problem?”

Salesperson: “Yes!”

Me: “So your product can cure cancer, solve world hunger, and keep our network free of viruses?”

Salesperson: “Yes!”

Me: “Do you understand anything that I’ve said?”

Salesperson: “No.”

Me: “And you still think your widget is the right solution for me?”

Salesperson: “Yes! It’s what I’m getting the highest comp on this quarter.”

I can’t express how frustrating this is and how much this sucks, especially when the person has swaggered in presenting themselves as a trusted advisor.

Customers need honest answers and guidance. They need help, even if it’s in the form of “Hey, I don’t think our product is a good fit for this problem.”

If you’re a salesperson who wants to build trust and a long-term pipeline that practically vomits money, be willing to walk away from a sale that doesn’t make sense. Spouting half-truths and outright lies may work in the short-term, but it’s a clichéd path that leads to gold chains, cocaine addictions, damaged relationships, and early heart attacks.

Personally, I respect the heck out of salespeople who tell me “no” and “I don’t know.” I will go out of my way to seek them out for future projects even if what they’re selling costs double the competition. I’ll come back to them when they change jobs and do my best to always take their calls.

A better path (maybe)

Being honest in sales requires a company culture that allows the person to be honest. The dude-bro, hyper-competitive environment that many companies create for their salespeople is not that. Quotas don’t support that, neither does performance pay. All those things box salespeople in and make them feel as if they have to lie, cheat, and steal to keep their job.

How about this:

  • Pay salespeople a good, fixed salary based on their skill and experience.
  • Get rid of sales quotas and replace them with other metrics like customer satisfaction and product usage. These are imperfect measures as well, but have a longer-term focus.
  • Manage salespeople like everyone else. If there’s a performance problem, coach and support them. If that doesn’t work, help them move on to something else.
  • Hire people who are motivated to do a good job because it’s the right thing to do, not because they want/need to chase carrots.

What about the salespeople who need the carrot? The ones who love the game, and are going to shuck and jive even when they don’t have to.

Honestly, eff those people. That’s not a personality trait that helps move humanity forward or builds a solid foundation for a business. If they can’t adapt to a healthier culture, they can go pound sand.


In pursuit of a modern password policy

The phrase “convenience shouldn’t trump security” sounds good. It carries the weight of authority, of someone who is taking a stand to do the right thing, and in most cases they are. Problem is, outside of a high security setting, inconveniencing users tends to make things less secure.

The classic example: An IT department implements a high complexity password requirement. Numbers, letters, uppercase, lowercase, symbols, all that jazz. Policy in place, IT tells management “We’re more secure” ignoring the fact that most users are now writing their passwords down on sticky notes and putting them under their keyboard.

Someone from security will go around and occasionally wag their finger at users telling them they are stupid for writing their password down. Users will momentarily stop writing down their passwords, password reset calls to the helpdesk will spike, and then users will go back to writing down their passwords. Rinse & repeat, over and over again.

“$p4rkY_&bT” is more difficult to crack than “Bobby” and the corporate-wide use of complex passwords guards against certain kinds of attacks, but opens up doors to other attacks – like a disgruntled coworker staying late, flipping everyone’s keyboards, and using their password to metaphorically burn the business to the ground, which is a much more likely scenario than scary internet hackers trying to brute force crack end-user passwords.

Most businesses gravitate to a standard password policy that’s based more on culture and audit compliance than real world efficacy. It tends to look like:

  • 8 character minimum
  • A mix of symbols, uppercase, lowercase, and numbers
  • 90 day expiration

In certain contexts, this is absolutely the right policy, but it is the wrong fit for most. It’s based on outdated assumptions: that the most common threats are external, that stale passwords are a common attack vector, and that a blanket policy is best. Here are some different approaches.

Passphrases, vaults, and pins

It’s no longer novel to use passphrases (strings of words, usually 16 characters or more) instead of passwords. An XKCD comic from several years back helped popularize their use and highlighted their strength versus traditional complex passwords. The technical advantage isn’t as much as it once was as cracking tools evolved, but the ease of memorization remains.

“popcorntreefortunicorn” or “thereisacowinmyfrontyard” are both easier to remember than a complex string like “4_%Ca*f2(k” and less likely to be written down or forgotten.

Using a password vault like 1Password is a better option in general, as it allows you to still use complex passwords and not have to remember them, but user adoption and support keep vaults from gaining widespread use in businesses – vaults are hard to scale. Depending on your user base, passphrases may remain the better option.

The future of authentication is being driven by mobile and largely does away with passwords. Windows 10 supports secure-pin login that functions much like an iPhone. A short pin number (or biometric signature – fingerprint, face recognition, etc.) can be encrypted and stored on the local device on a dedicated, secure chip. Plugging in the correct pin unlocks the device and from there, authentication to different apps and services can be claims-based, using a standard like SAML or FIDO. Usernames and passwords may need to be occasionally re-entered to refresh an authentication token, but day-to-day, users won’t be typing in many passwords.

The pin only works with local login, so if the pin is compromised it can’t be used remotely.

What about expiry? Everyone hates setting up a new password every three months. Expiry breaks apps tied to service accounts and drives end-user helpdesk calls. So why do we force passwords to expire several times a year? Because reasons?

There’s no good reason to expire passwords every 30, 90, or 120 days. It’s not an effective countermeasure, it just causes problems. If an attacker gets access to corporate passwords, they aren’t going to sit on them, they’re going to use them almost immediately, or sell them to someone who will. The threat of stale credentials isn’t a real thing and luckily, there are now government agencies and standards bodies stepping up to the plate to say so.


No password policy can keep passwords from being compromised, especially when applied to humans. Multi-factor authentication helps though and is no longer optional. Using a soft token app on a device secured by biometrics (think fingerprint locked iPhone) as well as a password is an easy way to boost your security posture.

Multi-factor tools aren’t as difficult to manage as they once were. Solutions like Duo and Yubikey are simple to add and companies like Microsoft and Okta are building multi-factor directly into their product suites.

Right now, the most popular methods of multi-factor auth are biometrics (fingerprints), tokens/certs (Yubikey), and SMS. Challenge questions are on the way out. They face the same issues as passwords and can be compromised using the same method. From a support perspective, if a person can’t remember a password, they are probably going to have issues remembering the answer to a challenge question.

Behavior will be the next big thing in multi-factor auth. Behavioral analytics tools like Exabeam can be used to create risk profiles for user activity and trigger actions based on risky or out of the norm behavior. Geo-fencing is the simplest form of behavior MFA – “Are you logging in from somewhere you aren’t normally, like southeast Asia?”

As these tools develop they’ll be able to look deeper into the actions performed with each app a user logs into and match them to a threat profile.

“User (based in Minnesota) logged on from the UAE, downloaded 4 gigs of data from Box, then sent e-mails with attachments to several blacklisted countries.”

“Something you do” is being added to the authentication triad of “Something you are, something you have, or something you know.”

Context and controls

End users and administrators should not fall under the same authentication policy. They are not operating in the same context and have access to different resources.

Following a policy of least-access – meaning users only exist in the systems they need and only have access to the minimum functionality necessary goes a long way toward beefing up security. Paired with separation of duties, these soft controls are often more effective than a strong authentication policy.

Effective controls allow you to give your end users an easy-to-live-with password policy that matches the scope of impact. They can also guide sane password policies for admin users, who should have an easier time dealing with password vaults (like Thycotic or 1Password for Teams – Seriously, don’t use a spreadsheet.) and more strict MFA requirements.

If you’re worried about brute force attacks, lockout policy is far more effective than password complexity. Some businesses lock out with as few as 3 incorrect passwords, which is a bit too few, in my opinion. Settling around 10 or so feels more appropriate. If a user needs 4 attempts to login to get it right, maybe they are having a bad day. If they need 11, they’re either an idiot or someone malicious.

So what’s a modern password policy look like?

How about this:

For users

  • 14 character minimum, no complexity but common passwords like Password123456 are blacklisted
  • MFA required for off-network access and for critical apps
  • No password expiry
  • 10 attempts before lockout

For admins

  • 20 character minimum (or highly complex)
  • MFA required for all access
  • Yearly password expiry
  • 5 attempts before lockout

My goal isn’t to prescribe – everyone’s needs are different – but I do think it’s important to question established wisdom. If your team never revisits the “why” of things, they’ll always be protecting against the attacks of the past instead of what’s coming.

Image Credit: marc falardeau