I usually define “expert” as anyone who knows enough more about a subject than I do that I can at best barely understand what they’re telling me.

Regrettably, this means, through the miracle of recursion, that when I claim to be an expert, it pretty much means I at best barely understand what I’m talking about.

And so it came to pass that regular correspondent Will Pearce, in response to last week’s KJR, and in particular my advice regarding key rotation (“Bob vs the cloud,” 6/4/2018), kindly commented, “It sounds like your information on password security is a bit old.”

It turns out NIST has revised its security guidelines. Its source document is, shall we say, information-dense (translation: you won’t be able to just skim it). Mr. Pearce suggested a more readable summary to accompany it (“Time to rethink mandatory password changes,” Lorrie Cranor, Federal Trade Commission Chief Technologist).

The very short version: Not only does frequent password expiration provide no additional security, but it’s often counterproductive: Faced with the need to change passwords on a regular basis, many users choose less secure keys, often easily guessed permutations of previous keys.

A bit of additional research revealed that the complementary practice of asking security questions for password recovery (“What is your mother’s maiden name?”) is pretty much pointless given how few secrets any of us have anymore and given our natural inclination to choose questions whose answers we’re most likely to remember later on (see “Google Study Shows Security Questions Aren’t All That Secure,” Frederic Lardinois, Tech Crunch, 5/21/2015).

I wasn’t able to find a good source for the question of whether frequent administrative and cryptographic key rotation is still considered good practice.

All of this led me to reconsider my definition of “expert.” Seems to me an expert is someone who, faced with new evidence and logic, reconsiders their beliefs, opinions, and practices. In particular they use the new evidence and logic as a pry bar, to expose to themselves the hidden assumptions on which their current views are based.

Start with the average non-InfoSec specialist’s mental image of who we’re protecting ourselves from. Very likely it’s the standard Hollywood introvert-living-in-his-mother’s basement. But as the estimable Roger Grimes (among others) has pointed out from time to time, these days you’re actually defending yourself against state actors and organized crime syndicates. That puts a very different face on the threat.

As Roger also points out, in a thoroughly depressing article titled, “5 computer security facts that surprise most people,” (CSO, 12/5/2017), 99% of all exploits are “… due to unpatched software or a social engineering event where someone is tricked into installing something they shouldn’t.”

What this means to you: On a personal level you should keep your OS and applications updated. It appears the risk from installing bad patches is lower than the risk of failing to install the important ones.

And, you should take care to avoid falling victim to Trojans and phishing attacks. In particular, inspect any link in an email before clicking on it to make sure it makes sense. This isn’t at all hard. If you receive an email purporting to be from Amazon.com, roll over any links in the message to make sure they point to somethingorother.amazon.com/somethingelseorother. Or, ignore the links altogether and navigate to whatever it was that caught your interest.
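The “does this link make sense?” test above is easy to state and easy to get wrong by eye, because the lookalikes are built to pass a glance. Here is an added example (my code, not the column’s) that turns the rule into a host check: the link is accepted only if its host is the sender’s domain or a subdomain of it, compared label by label, with the URL parsed first so that user-info and path tricks are not mistaken for the host. The sender domain follows the column’s Amazon.com example; the sample links are constructed.

```python
"""Decide whether an e-mailed link points at the domain the mail claims.

Added example.  Rule from the column: a link in a message claiming to be
from Amazon.com should point at somethingorother.amazon.com/anything.
The sample URLs below are constructed to show the common lookalikes.
"""
from urllib.parse import urlsplit


def link_matches_sender(url: str, sender_domain: str) -> bool:
    """True only if the URL's host is sender_domain or a subdomain of it.

    urlsplit() is used so that user-info ("amazon.com@evil.example"),
    ports and paths are not confused with the host.  The comparison is on
    whole labels, so "notamazon.com" and "amazon.com.evil.example" fail.
    A homoglyph host (Cyrillic letters) is simply a different string and
    fails as well.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False                        # mailto:, data:, etc. never qualify
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    sender_domain = sender_domain.lower().rstrip(".")
    return host == sender_domain or host.endswith("." + sender_domain)


def triage_links(sender_domain: str, urls):
    """Map each URL to its verdict; handy for checking a whole message."""
    return {u: link_matches_sender(u, sender_domain) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, as they might appear behind "View your order".
    SAMPLE_LINKS = [
        "https://smile.amazon.com/gp/css/order-history",   # genuine subdomain
        "HTTPS://WWW.AMAZON.COM/",                          # case-insensitive host
        "https://www.amazon.com.evil.example/login",        # brand as a prefix label
        "http://amazon.com@evil.example/",                  # brand in user-info
        "https://notamazon.com/",                           # partial-label lookalike
        "https://evil.example/amazon.com/signin",           # brand in the path
        "mailto:help@amazon.com",                           # not a web link at all
    ]
    for link, ok in triage_links("amazon.com", SAMPLE_LINKS).items():
        print(("ok     " if ok else "SUSPECT"), link)
```

The same function generalizes to any sender domain; what it does not do is prove the mail came from that sender, so the column’s fallback still applies: ignore the link and navigate to the site yourself.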

On the corporate side, other than the key rotation/password expiration issue, last week’s advice still holds, in particular the points about patch management and frequent white-hat phishing attacks used to educate employees about the same phishing attacks they need to be alert to at home.

And now, the moment you’ve been waiting for. Last week I mentioned my personal financial management software dilemma, and whether to acquiesce to the trends and use a cloud-based service. In the comments, Walt Etten was kind enough to endorse Moneydance, which, in exchange for a $49.99 license fee, stores data locally.

It’s a stark choice. On the one hand it appears there are several worthwhile free cloud-based alternatives (google “free personal financial management software”). On the other there’s Quicken or Moneydance.

It’s the classic dilemma: I can get what I want for fifty bucks, or I can come close to it for free.

It’s a tough, tough call.

Help! I’m desperate!

Not really. To be more accurate I’m minorly inconvenienced.

As mentioned a few months ago, I’m looking for an alternative to Quicken (“Plausibility rules,” 3/12/2018), because it deprecated a feature I rely on, presumably to force me to buy an upgrade.

Not to be bullied into an unwanted expenditure, I’ve been on the hunt for an alternative. Thus far, with just one exception, every other personal finance package I’ve found is cloud-based.

Which leads to the question, WHAT????

Look, I’m an open-minded sort, so maybe I’m missing something. Yes, I realize my personal financial data is already in the cloud, assuming we’re all willing to redefine “cloud” to mean “on the web.”

But it’s scattered among a bunch of providers and accounts. If I use any of the non-Quicken personal finance management alternatives I’ve found so far, I’ll be putting it all in one place, just waiting for the next data breach to happen.

There is an exception — a package called GnuCash. I’d use it and be happy, except that the instructions for automatically downloading transactions into it are both impenetrable and, as far as I can tell, don’t … what’s the word I’m looking for? … work.

All of which puts me dead-center in the ongoing debate as to whether data stored behind your corporation’s firewalls are more secure than data stored in a SaaS provider’s data farms.

Now I’m far from an authority on the subject, but I do know what the correct answer to the question isn’t: Yes. I also know it isn’t No.

I know this because I know that in addition to all the well-known information-security basics, the accurate answer depends in part on whether you push your own information security failings onto your SaaS providers.

Here’s what I mean: If I decide to use a cloud-based personal financial management solution, and if I don’t change my password on a regular basis, properly protect myself from Trojans, phishing attacks, and keystroke loggers, and keep my OS properly patched and up to date, it won’t be the solution provider’s fault if someone borrows my data.

This all scales up to the enterprise: If you use, say, Salesforce.com and do a lousy job of key rotation, or your administrators share a super-user login, or you don’t conduct regular white-hat phishing attacks, or you don’t properly protect PCs from invasive keystroke loggers and all the other prevalent intrusion techniques, it really won’t matter what level of security excellence Salesforce.com has achieved.

Also, “secure” means more than “protected from intrusion and misuse.” With Quicken (or GnuCash) I can easily back up my data to a backpack drive, knowing how I’d restore it if I need to.

With a cloud-based service provider I’m willing to take it on faith that they back up their customers’ data in case of some form of catastrophic failure. Recovering to the state just before my most recent transaction download, on the other hand, is something I strongly suspect isn’t part of the service.

For the enterprise equivalent, Salesforce.com is always the SaaS touchstone. It recommends customers make use of their own backup and recovery tools, or else rely on third-party services.

But of course, your own backup and recovery tools are exactly as vulnerable as anything else inside your firewall, while third-party alternatives add yet another potential point of security failure you can’t directly control.

KJR first mentioned the cloud more than ten years ago (“Carr-ied away,” 2/4/2008), and yet the cloud continues to perplex CIOs.

From business cases that are always either more nuanced than “the cloud saves money” or else are wrong … to an impact on application development that’s much more significant than “recompile your applications in the cloud and you’re done” … to COTS and SaaS-based application portfolios whose integration challenges put the lie to cloud nativity as the uniform goal of all IT architects … to the ever-harder-to-untangle questions surrounding cloud-level vs internal-firewall-based information security …

If you’re looking for simplicity inside all of this complexity, good luck with that. You’re unlikely to find it for the simplest of reasons: An organization’s applications portfolio and its integration are direct reflections of the complexity of the organization itself.

Modern businesses have a lot of moving parts, all of which interact with each other in complex ways. Inevitably this means the applications that support these moving parts are numerous and require significant integration.

Which in turn means it’s unlikely the underlying technology can be simple and uniform.

And yet, when I need an application that can automatically download transactions into a personal financial database, there’s a depressing uniformity of vision:

“Put it in the cloud.”

Sigh.