14 August 2012

Dropbox Security, From TrueCrypt to BoxCryptor and 1Password

(If you want to skip the below and just get the recommended answer, go buy Boxcryptor and 1Password on all your platforms.  Job done.)

When Dropbox had various security issues last year (the no passwords required for some hours was the kick I needed to sort my security out), I started using Truecrypt to contain all sensitive material I was keeping in Dropbox.  Truecrypt felt good as it was opensource, free, stable, secure, and reasonably usable on OS X and MS-Win.

While I felt a 1000x better about my security situation, I also lost a lot of the convenience of Dropbox by moving to Truecrypt:
  • File sync.  Truecrypt stores its filesystem in a single file.  While Dropbox is efficient at syncing big files at a block level, it doesn't cope well with changes to that file happening roughly concurrently from two or more locations.  If you mount your Truecrypt filesystem from two or more machines and make even vaguely concurrent changes (within a sync activity for example), you end up with two conflicted Truecrypt files.  One quickly learns to only open the Truecrypt volume on one machine at a time.
  • Multi-platform access.  One thing Dropbox did well was to have clients available on all major platforms.  I could access my Dropbox files from OS X, MS-Win, iOS, Android and Linux.  When I switched to TrueCrypt, I was limited to PC, Linux and Mac only (and one at a time at that), no mobile/tablet access.
  • Password management.  I won't say much about this other than it became harder using Truecrypt.
That was last year.  One of the great things about tech is that problems that need solving tend to get solved if you're patient enough.
Enter Boxcryptor for file security and improvements to 1Password for password management.
While there are a number of solutions available to encrypt what you store in Dropbox, I consolidated onto Boxcryptor:
  • Secure.  Uses AES-256.  No cloud aspect to Boxcryptor and therefore no third party has my master key and can take a peak at my data.
  • Plays nice with Dropbox.  Boxcryptor uses a folder+file structure (aka "package" on OS X) with each file encrypted separately enabling Dropbox efficiently sync.
  • Multi-platform access.  Working clients on all major OSs.  At least read access on iOS and Android.
  • Stable.  I've not had a single crash or corruption yet (although I'm still backing up more frequently than I might otherwise).
  • No major delays in supporting the major OS upgrades.
  • It allows for up to 2GB for free and more if you license it.  2GB is a lot.  Once I got comfortable with it I bought a license to get rid of the 2GB restriction.  I feel the license is a nominal cost versus the upside of more user friendly security and vendor support.
I considered Datalocker, Cloudfogger, Hyperdrive, and encrypted zip files.  All of them failed in one or more of the above.
An aside on Dropbox and sharing files:  I don't retain Dropbox's easy sharing of (encrypted) files using Boxcryptor.  Encrypted zip files still perfectly acceptable and secure way to e.g. share a single file in Dropbox with colleagues so long long as you unzip into a secure location and not into Dropbox.  Then you have to zip+encrypt and move the result back into the shared folder in Dropbox.  Zipfile usability compared to regular Dropbox sharing and syncing is poor as a result.  Note that today Boxcryptor doesn't appear to (easily) support multiple concurrently-open Boxcryptor filesystems.  When it does I could see having a Boxcryptor filesystem dedicated to sharing a set of folders/files with a specific workgroup.  Each group to have its own Boxcryptor filesystem - still somewhat painful but better than zip files.
Moving on to password management.  I have to admit my previous method wasn't overly secure and certainly TrueCrypt decreased it's usability.  As I was digging into secure storage, I also had a hunt around for how to improve password management.
Enter 1Password.  Yes, it's been around awhile, but used to be very OS X centric.  I don't know when they went multi-platform but they have.  While they've been the premium (i.e. expensive!) choice for OS X password management for awhile, the lack of support for other platforms had always been a showstopper for me.
Here is the thinking that led me to 1Password:
  • Multi-platform: MS-Win, OS X, iOS, Android.  It's not on Linux, but I don't use a Linux desktop for the 1Password primary use case anyway.
  • Secure.  While I can't keep 1Password's database in Boxcryptor's filesystem (I could, but I lose mobile/tablet access), the 1Password security approach is fine.  My passwords don't go to another third party password service to maintain them.  While Dropbox has my password files, they are encrypted.
  • Plays nice with Dropbox.  The 1Password DB is also a folder+file (package) structure, just like Boxcryptor.  As a result, Dropbox syncing works well.
  • Well supported browser plugins.  I use Chrome and Safari and both are well supported.  Support isn't quite so good on mobile/tablet platforms, but it's better than what I had before.
  • Widely used.  The tech community seems to widely use it.  While not a particularly scientific measure, it seems to be on its way to being a "best practice" solution in my peer group.
I've now deployed 1Password's database into Dropbox.  It'll take me awhile to load all my credentials into 1Password but I think it's a durable investment.
One downside is that 1Password isn't overly cheap.  You have to pay for licenses for each platform (Android still free).  However, just like with Boxcryptor, I think it's worth the cost for the stability, support, and commitment to keep up with OS changes.
I did have a serious look at and play with Keepass for password management.  I like that it's free and opensource.  I liked aspects of it's design and usability.  However there were a few factors that put me off:
  • Fiddly.  There are two different and somewhat competing database and application tracks, 1.x and 2.x.  Both are under active development.  There are various "unofficial" platform ports of each track to various OSs.  You have to pay attention to what version you use on e.g., OS X to make sure it's compatible with the version you use on iOS.  
  • Not keeping up with OS upgrades.  The main OS X port indicated support for OS X 10.6 as most recent and today OS X is at 10.8.  I don't want to be the beta tester for new Keepass releases - what I'm securing is too critical to mess about with.
  • The Keepass database is a single file, meaning that like with TrueCrypt you might have to deal with Dropbox sync collisions.
As a result, I'm an even happier Dropbox user now that I have secured files and passwords and reasonable usability to access both.  All in the licenses across all the platforms for both Boxcryptor and 1Password cost me about $125 (£80).  Yes, this is a lot, but conversely I now feel like I have the best of both worlds - the convenience of Dropbox and the comfort of strong security where it's needed.

10 June 2012

The Changing Role of the Technology Leader

Infoworld has recently taken a view at How will the CIO's role change by 2020 which was followed up with discussion on linkedin.  I found the article more focused on taking a guess at changing technologies more than changing roles so I decided to take a crack at how I see the role and related skills changing (or staying the same) over the next 5 or so years for technology leaders (CIOs, CTOs, et al):

1. Technical innovation skills.  For companies where technology doesn't enable them to differentiate or compete in the marketplace (that is, no technology development just technology enablement), the technology role will be less critical and demoted to a lower position in the organisation and led by a more operational tech leader.  In companies where technology is developed in a unique way to compete and create value, the role should stay at an executive level and require more innovation and advanced business skills.  Technology innovation leaders will need to know how to speed up rate of change, decrease the costs resulting from rapidly changing requirements and how to scale.  Separation of innovation vs non-innovation business types and resulting change of roles underway now and continuing for the next few years.

2. General technical skills vs other business skills.  Technology leaders aren't business leaders, P&L owners or product managers, otherwise they would be in one of those roles.  They are at the leadership table to be the experts on how technology can delight customers and enable and grow the business.  They fulfil P&L owner aspirations and create highly functional fulfilment envelopes around product and service owners.  This is no different than the HR or Finance leaders, each experts in their area servicing the needs of business line owners.  Similarly tech leaders need to be business savvy and communicate effectively by translating technology concerns to and from business ones.  No change other than non-tech leaders are becoming more knowledgable about tech resulting in increasing communications fidelity of tech concerns in the future.

3. Technical understanding of data security. Due to technical complexity, the technical leader will have to increasingly expand their knowledge of cybersecurity.  They will need the business acumen to strike a competitive commercial balance between flexibility and cost versus risk.  This means increasing knowledge requirements on the technical security side to effectively manage related staff and vendors balanced with sufficient knowledge on the commercial side to collaboratively determine an appropriate commercial balance.  Increasing rapidly the last few years and will continue to do so for some years.

4. Technical understanding of regulatory, legal and compliance requirements.  As nations increasingly understand and depend on the Internet there will be changes in regulations and taxation on Internet activity and supporting infrastructure.  Changes will continue to come from government, banking and infrastructure providers.  This is an area of risk management typically at board level and the technology leader must not get caught out by the changes.  Gradual changes on-going for last 10 years and will continue with occasional "surprise" activity spikes.

5. Ability to identify and remove non-core business and technical activity.  Business process analysis, service delivery, remote staff management and change management are assumed technical leadership skill sets.  Similarly outsource/offshore skills should already be standard for cost reduction and scaling access to talent.  These will increasingly combine in the future to remove non-core processes, products, and services from the business - not just for IT but across the business.  Crowd-sourcing and flexible staffing models will expand.  Changing rapidly for the last few years and will continue for some years.

6. Understand the management of a highly distributed and integrated solution.  Technology delivery continues to fragment requiring increasing expertise at sourcing, integration, and service delivery.  The technical leader must orchestrate different suppliers, a growing number of which are outside of the company and the technology leader's direct control through commercial/contractual expertise and building deep relationships.  Continuing to increase and fragment over time.

7. Budgeting in an opex world.  The technology leader will need to understand how pay-as-you go cloud models and how to transform an organisation dependant on capitalised project thinking into an opex oriented one.  Just starting to change and will accelerate rapidly for next few years.

8. Management of legacy systems and data sets.  The "cruft" of legacy systems and data repositories along with data retention driven by regulatory requirements continues to to expand cost inertia around the technology leader's responsibilities.  Hooking costs to business owners will help.  Knowledge of rapid legacy virtualisation, tiered storage technologies, and integration "envelope" architectural approaches will be required.  Long time problem and will rapidly worsen until better solutions and special-purpose outsource providers come into play in a few years.

9. Understanding of data architecture, access and reporting.  IT has become increasingly effective at monitoring and reporting on technology concerns, including monitoring of customer related data, and is seeing benefit to converging the data into a single reporting system.  Similarly the business has opted for separate and expensive reporting, dashboarding and bolt-on analytics further fragmenting the data.  Further compounding the challenge are cloud/SaaS solutions being sold "around" IT which will eventually need to be integrated and virtually consolidated using data aggregation.  Technology leaders will need to understand the organisation of data, it's benefits and how to make it pervasively and transparently available and what tools and data sets to converge on to enable the business to have a more consistent view of business results and customer activity. Many fragmented efforts underway now from different directions consolidating in the longer term.

10. Understanding and encouraging the use of collaboration tools that cross organisational and corporate boundaries.  As less technical staff learn to use collaboration tools technologists have been using for a long time, they will also increasingly access sources of outside information and informal networks to better compete in a global labor market.  Corporate borders will become increasingly porous and if managed well this proliferation of "commodity" information can be used to drive non-core activity out of the business. Becoming increasingly common and with usage increasing rapidly over the next few years.

The fundamental responsibilities of a technology leader such as people management, budgets, strategy, operations, and development all remain.  However, how most of them are done will see significant changes in the future.