The 3 – 2 – 1 Principle for keeping your data safe

Memory Stick Collection

I was cleaning out a drawer in my home office this morning and found this collection of old USB memory sticks dating back quite a few years. Remember those days when you thought you were so cool because you had this little storage drive full of all your stuff in your pocket? I recall working in a school back in those days where we actually mandated that every student had to have a “USB”, such was the apparent importance of these things. The intention was for students to keep their personal data safe and secure, but we used to constantly find them left behind in the USB ports of the classroom computers after a lesson. Or they would sometimes mysteriously just stop working. Or the kids would lose them. USBs may have been cool, portable and handy, but they were about the most insecure method for managing data I can think of.

(Side note: I’ve never quite known what to call these things. Calling them simply a “USB” seems stupid to me, because USB – or Universal Serial Bus – is a data interface standard, not a name for a device. Lots of devices might use a USB plug as the connection interface but that’s not the name of the actual device. I’ve owned microphones and printers and cameras and all kinds of things that connect using a USB interface, but we don’t call all these devices “USBs”. That would be silly. If you must use the term USB for these portable memory devices, at least call them a USB memory stick)

Some people seem to feel like their data is perfectly safe and secure if they have it stored on one of these little memory sticks. Let me tell you, for the vast, vast majority of people, letting them manage their own data storage is a really bad idea. The only real explanation I hear for why people feel memory sticks are a secure way to store data is that they “know where their data is”. People actually say that they won’t put their data anywhere that they don’t know where it stored. It might sound good to say that your data is safe as long as you know where your data is stored, but trust me, just knowing where your data is stored has nothing to do with it actually being secure.

As for relying on memory sticks, those things are the least secure way to store your data I can think of. They can get lost, fall out of your pocket, go through the wash, get eaten by the dog, or you leave them in the back of another computer and forget about them, or they simply just stop working for no apparent reason. If you have a few of them it is near impossible to keep track of what’s stored on them. Other than for absolute emergencies or moving a file as a last resort, USB memory sticks, or whatever you want to call them, are probably a really bad idea.

So when it comes to storing data, what IS a good idea then? For most people who never really think much about boring things like secure data storage, the answer is the cloud. Whether it’s Google Drive, DropBox, OneDrive or some other cloud service, it will be infinitely more secure than any storage “system” you could come up with by yourself. Once your data is in the cloud it gets securely stored, safely backed up and is accessible from anywhere, on any device.

I know what you’re thinking. “Yes, but I don’t trust the cloud, I don’t know where my data is stored.” Well, you probably have a bank account but you don’t know where your money is stored either, so I’m not sure what your point is. Claiming your data is more secure on a memory stick would be like putting your money in a shoebox under your bed and claiming it is more secure than the bank. Just like money, data is secured by the processes and infrastructure that store it, not from simply knowing where it is. I’ll say it again. For the average person – yes, you – the safest place to store your data, by far, is in the cloud.

But what if the internet goes away? But what if the cloud loses it? But what if the data centre burns down? Or what if I do store it in the cloud, and that free storage they give me now becomes something I have to pay for one day? (How terrible that you might one day get asked to pay for a service you’re using!)

If you really don’t trust the cloud, then at least get a portable hard drive, so you’re not dealing with these dinky little memory stick things. In fact, while you’re at it, buy a second portable hard drive, because you’re going to need to make a backup of the backup, because what if you lose the first one?

Which brings me to my main point. Data security – or keeping your important data safe – is a big deal. The truth is most people wouldn’t really care if they lost that Word file of a resume for a job they applied for 10 years ago. But losing your entire photo collection? Or all your music? Or videos of the kids when they were little? Or letters from your deceased parents? This is the stuff that’s a big deal. This is the stuff that you don’t want to put at risk. This is the stuff that you don’t ever, ever, ever want to have just stored on a memory stick.

So how should you store it? There’s a general principle of keeping data safe. The 3-2-1 rule. Three copies of the data. Stored in at least two different mediums. One of which is in a different physical location. Let me elaborate…

Three – you need to have three copies of important data. One is clearly not enough because if you lose it or it gets destroyed, that’s it. It’s gone for good. A second copy – a backup – is important. But if the data is really critical, the I-really-cannot-lose-this kind of stuff, then a third copy gives you peace of mind.

Two – you need to store the data in at least two mediums. There would be no sense having three copies of your data if each copy was on floppy disks. I don’t know about you, but it’s been a while since I’ve seen a floppy disk reader, so having everything stored in one now-obsolete format means you can’t read any of the copies. You might think floppy disks are a silly example. Well how about this? I own a number of computers – mostly Macs and Chromebooks – and not one of them has a port that can read those USB memory sticks in my drawer. Those old memory sticks use a standard called USB-A, but all modern computers use the newer USB-C format, rendering all those old memory sticks now obsolete. Sure I could use an adapter, but the fact is those old memory sticks are yesterday’s technology. You should keep the three copies of your data in at least two different formats because you never know how technology will change and you want to make sure that you’re always using formats that will still be readable.

One – you need at least one of those copies to be stored offsite. There’s no sense having your three copies in two different formats if they are all stored in your house and the house burns down. At least one of them needs to be kept in a completely different physical location. Offsite. Your parents’ house. A friends’ place. Or in the cloud. Somewhere. Just not in the same place as the others.

As it turns out, having your important stuff stored in the cloud addresses every one of these requirements – it’s another copy, it’s in a different format, and it’s offsite. And regardless of how well you think you can manage your own data on those portable drives, putting your data in the cloud puts it into a real data centre which stores it in real time, with real backup processes, real biometric security, real disaster management plans, and real data management processes. I don’t care how well you think you can manage your own data, you’re an amateur compared to the way the data centre looks after it.

If you’re still not sure convinced that the cloud is a safer alternative than that old SCSI Zip drive you can’t seem to find right now, take a look at this video tour of a Google data center.

Should you have all your data only in the cloud? Of course not! 3-2-1! Weren’t you paying attention? Go get yourself a couple of hard drives and set up Time Machine or SuperDuper with a regular scheduled backup. Then after you’ve done that, go upload everything to a reputable cloud service.

But stop relying on those stupid USB memory sticks!

Something you know, Something you have

I read an article today in an educational newsletter about keeping your accounts safe with a strong password.  It suggested a range of sensible things like having at least 8 characters, using a mix of uppercase, lowercase, numbers and special characters, and not reusing old passwords.  All pretty good advice.

I hear a lot of people expressing concern about the security of “the cloud”.  They worry that their data could be compromised if kept on a server they don’t own themselves, or a server that is located somewhere else, possibly even in another country.  They express concerns about data breaches from hackers, security breaches of data centres, or even data being accessed by foreign powers during a government uprising. Is any of this possible?  I suppose so. Anything is possible. Unlikely perhaps, but possible.

If it’s true that anything is possible, and we want our data to have zero risk, then we need to not keep data anywhere. The only sure way to have no risk with our data is to have no data, but that’s obviously not possible, because we live in the real world where having data is important and useful. To live in a world without data is not an option. So when it comes to the security of your data, we need to decide what level of risk is acceptable to us.

Putting aside the likelihood of secret hacking attempts or tinfoil-hat conspiracy theories, can we all just acknowledge that the single most likely way your data will be accessed by someone else is if they get hold of your password.  Either you didn’t pick a very secure password to start with, or they guess it because they know your pet’s name, or you do what so many people do and write it on a post-it note and stick it to your monitor at work. Or maybe you are away from your desk without locking your computer. Or maybe you’ve shared it with someone you know.  Whatever the reason, that password, those eight or so little characters, are all that stands between you and potentially disastrous consequences.

So why, oh why, do more people not use Two Factor Authentication (or 2FA)?  I have had literally hundreds of conversations with people who will argue about the alleged insecurity of the cloud, and who get all freaked out because they don’t know where or how their data is physically stored, and who claim that they can’t possibly rely on a cloud service to store their precious data, but who don’t use 2FA on their account!  It’s insane.

Look, I get that some people might be mistrustful of the idea of putting their data somewhere other than a server that they own themselves. But unless they at least use 2FA to secure their account I cannot take anything they say about security seriously.  They are not even taking the most basic of steps to secure their own data, while they bleat about highly unlikely potential worst case scenarios.

So what exactly is two factor authentication?

Many people have two locks on their front door – a top lock and a bottom lock, each with it’s own key. Unlocking either one of the locks is not enough to open the door – you need to unlock both locks at the same time. That’s two factor authentication. You need both factors – in this case, both keys – to open the door.

When it comes to data, you also want to have two keys, or ‘factors’. And ideally you want to have two different kinds of factors – something you know and something you have. 

The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember.  But it’s not enough. It’s just one factor.

The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password.  Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.

Some people think that using two factor authentication can be a pain, but it doesn’t have to be. It’s easy and absolutely worth whatever very minor inconvenience it might cause.  You probably have your phone with you all the time anyway, so it’s really not a big deal. Once you set it up, when you log into your account on a new device you simply enter your username and password as usual, then tap a button or enter a code on your phone to complete the login.  No phone, no login. Take that, hacker!

There are a number of ways to get that second factor, from receiving a text message, to entering a secret number that gets generated every 30 seconds, to tapping a ‘Yes’ button on your phone, to having a dedicated Yubikey in your computer. It’s an extra step, sure, but it makes your account very, very difficult to hack.

So please, if you don’t already use 2FA (on every account you own!) then set it up now. Your online life will be exponentially more secure. And if you don’t, then please do not ever express an opinion about the security of the cloud or anything else. If you can’t take even the most basic steps to protect your own online data then you have no business expressing your opinions about whether a cloud system is secure enough or not.  You just sound silly.

Getting out of Password Hell

A while ago I realised that my online life was in password hell. I was using literally hundreds of sites and services that required passwords, but they were held together with a confusing mess of old passwords that I’d mostly forgotten, numerous passwords which were being used on more than one site,  passwords that didn’t meet the usual complexity rules usually required across the Internet, and so on. I often found myself having to do a password reset just to access a site, and of course that new password became yet another one I had to remember. Or forget.

I felt things were a little bit out of hand so I finally took a few steps to clean up my digital life.

First, using the same password for everything is an exceptionally stupid idea. Instead, I came up with my own system that helped me create hard-to-guess, but easy-to-remember passwords that I could apply to any site.  Having a clear system for this meant that when I signed up for some new online service I could quickly come up with a password that was memorable while also being unique to that site. It really helps to have a system. I made sure that my system always met the minimum complexity rules usually found online… that is, they contained uppercase, lowercase, numbers and symbols and were at least 8 characters long. If you do nothing else, come up with a system for your passwords! It’s so frustrating when you attempt to log in to a site that you’ve been to previously and can’t remember your password. So come up with a system for yourself, and please don’t just use the same password everywhere!

Secondly, I turned on multistep or 2-Factor authentication  for passwords on every site that offered this option (and there are a lot of them now). This is probably the single biggest thing you can do to improve the security of your online life. If you go online and don’t use 2 factor authentication, you’re not really serious about your online security. It’s that simple. I find it both amusing and frustrating when I hear people questioning the security of online services, and then find out they don’t use 2-Factor passwords. If you don’t use 2-Factor on every site that enables it,  please, don’t ever complain about the dangers of online security.  It just makes you sound silly. It’s not hard to set up, and if you use something like Google Authenticator to manage your second factors, it’s very simple to use.  The minor inconvenience of having to enter the second factor is far outweighed by the added security. Trust me on this. Turn it on. Now.

Finally, I set up a password manager. I chose LastPass,  but there are others. It took a while to get my head around how LastPass works but once I did, it made life so much easier. If you want to try LastPass for yourself you can get it on this link.
https://lastpass.com/f?7253846

If you are in password hell like I was,  take some of these positive steps to sort it out.