by Ross Oliver, Senior Technical Consultant at Taos
It’s the beginning of a New Year, time to make those New Year’s resolutions: lose weight, eat more vegetables, write that novel, travel to Europe, get that colonoscopy, etc. But as we all know, doing new things is hard; perhaps stopping things we are already doing is easier, a sort of Anti-Resolution. So I propose these anti-resolutions for IT professionals in 2015:
Stop generating non-actionable alerts: How many alerts have you ignored or deleted from your inbox today? “Alert Fatigue” is a common operations malady. Not only does it waste time and attention, but it can drown out the relevant alerts that need real attention. This is one of the easiest anti-resolutions: just turn them off.
Stop asking stupid security questions: Commonly used as an attempt to reduce password reset requests or as a cost-saving substitute for multi-factor authentication, security questions fail because people are no better at remembering the answers than they are at remembering their passwords. “What was the name of your first pet?” is a question I would have a hard time answering the first time, let alone later when I needed to reset my password. Security questions also introduce a myriad of new security vulnerabilities to the system. Do you encrypt the answers? Do you lock accounts after a certain number of failures? If you don’t know the answers to these questions, your security questions have most likely already been hacked.
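If you do keep security questions, the two questions above (are the answers protected at rest, and is there a lockout?) have concrete answers. This is an added example, not code from the original post: answers are normalized, stored only as salted PBKDF2 hashes, and the record is locked after a fixed number of wrong attempts. The function names, the iteration count and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os

# Added example (not from the original post). The PBKDF2 work factor and the
# lockout threshold below are assumed values, not recommendations from the post.
MAX_FAILURES = 5          # lock the recovery path after this many wrong answers
ITERATIONS = 200_000      # PBKDF2 iteration count (assumed)


def normalize(answer: str) -> str:
    """Canonicalize user input so 'Fluffy ' and 'fluffy' compare equal."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalized answer; plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def enroll(answer: str) -> dict:
    """Build the stored record: per-answer salt, hash, failure counter, lock flag."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_answer(answer, salt), "failures": 0, "locked": False}


def verify(record: dict, attempt: str) -> bool:
    """Check one reset attempt, counting failures and locking after MAX_FAILURES."""
    if record["locked"]:
        return False                      # a locked record always fails
    candidate = hash_answer(attempt, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):   # constant-time comparison
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked"] = True           # recovery now requires an out-of-band path
    return False


if __name__ == "__main__":
    rec = enroll("Fluffy")
    print(verify(rec, " fluffy "))        # True: normalization makes these equal
    print(verify(rec, "rex"))             # False, and failures becomes 1
```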
Stop putting useless data on wall displays: IT Operations groups often want to provide a visual representation of their activity, and low-cost 50-inch flat screens, along with the proliferation of IT monitoring and graphing tools, have made this practice irresistible. But too often the result is little more than eye candy. “Graph blindness” sets in when the data on the displays is not relevant to day-to-day tasks. Even worse are the fire drills that result when a passing executive misinterprets the graphs.
Stop deploying local authentication: Most commonly a problem with applications or services developed in-house. To speed development, integration with the centralized authentication system is “left until later,” which means after deployment, which in reality means never. This means users must create and remember yet another password (or, more likely, re-use their “usual” password) or, even worse, everyone shares the generic admin/admin login and password. Most organizations have some form of centralized authentication system, so all new applications should use it. This should be an item on every Change Control Board’s checklist: no local authentication.
Stop using that 6-year-old admin password: Related to the previous item, and usually caused by admin passwords on applications and equipment that are difficult or impossible to interface with centrally managed authentication systems (I’m looking at you, network vendors). Stop buying hardware and software that won’t tie in to your central authentication.
Stop requiring punctuation characters in passwords: It’s an interesting contradiction that modern IT organizations deploy cutting-edge hardware and software, yet still use password policies from the 1970s. Punctuation characters in passwords are not even a speed bump to state-of-the-art cracking tools, especially since crackers know most people meet this requirement by putting a period at the end of their “usual” password.
The above anti-resolutions are the most generic, but every IT organization has its own particular time wasters. Take a hard look at your repetitive tasks and events and see if they are actually providing any benefit. What can you stop doing today?