Harvard Kennedy School: Better Security by Design

Trial and Error
For the last week, I have been trialing the password manager LastPass to explore whether the service should be made mandatory for all faculty, students, and staff at Harvard Kennedy School (HKS). As Harvard Information Security (HIS) already offers the community LastPass Personal Premium access, there is a low barrier to testing its functionality. This post considers some of the benefits and drawbacks of the service and concludes with the suggestion of a mandatory one-year trial of LastPass at HKS for 2020–21.
Whilst there is a general awareness that strong password protection is a basic condition of data security, many of us still have poor password practices. From using the same password on all our accounts to scribbling passwords on scraps of paper or storing them unprotected in our browsers, our behaviors expose us, at both an individual and an institutional level, to multiple risks. These range from credential-stuffing attacks, in which a password leaked from one site is tried against every other site where the same person has an account, to ‘phishing’ by imposter websites. Furthermore, as weak and reused passwords are a frequent source of data breaches within organizations, there is strong cause to promote good practice at HKS. (1)
Adoption and Use
The principal function of a password manager is to protect users by creating a strong, unique password for each service they use, so that the compromise of one site does not expose any other. For this reason, Bruce Schneier, security technologist and HKS lecturer, recommends their adoption. (2) Security and simplification are two benefits of the LastPass system. The built-in password generator creates long, randomized passwords that are impractical to guess by brute force or dictionary attack. Additionally, the service can streamline processes like online shopping by storing and automatically filling in your payment and shipping details. (3)
The service’s stated priority is to safeguard users’ data: vaults are protected with strong encryption, and encryption and decryption happen only on the user’s device (‘local-only encryption’), so that LastPass itself holds only ciphertext and, by the vendor’s account, cannot read a user’s data. The process of using LastPass is relatively easy. On signing up you create one ‘Master’ password, from which the key that encrypts your vault is derived on your device. Within your ‘Vault’ you are then able to store details for your various accounts, from HarvardKey to Amazon, and LastPass can generate a complex password for each of them, so there is no need to remember passwords individually. The flip side is that the master password becomes the one secret on which everything else depends: it must be long, unique, and not used anywhere else.
Risks
Both adoption and inaction on cyber-security questions carry hazards. On the one hand, we need to protect the HKS community from a range of bad actors and cyber-attacks; on the other, we need to ensure that any mandatory measure is proportionate and meaningfully benefits the user and the community. As with other password managers, LastPass has not operated seamlessly. In June 2015, LastPass informed its customers of an intrusion in which account email addresses, password reminders, per-user salts and authentication hashes were taken; the company stated that encrypted vaults were not compromised and that all data stored in vaults remained safe, required email verification for logins from new devices and IP addresses, and prompted users to change their master passwords. One key development they highlight is the implementation of Hardware Security Modules (HSMs) to protect the cryptographic infrastructure of LastPass. (4) Even so, stolen authentication hashes can be attacked offline, so the strength of each user’s master password mattered in that incident even though the vaults themselves were intact.
More recently, in September 2019, a researcher from Google Project Zero found and reported a flaw in the LastPass browser extension (5). The scenario is outlined in an article for Ars Technica (6) and in LastPass’s response: in summary, a malicious web page could use clickjacking against the extension’s pop-up to make it fill in credentials that the user had last used on a different site. LastPass has confirmed that the bug has been resolved and that no one’s data was compromised. (7) Such incidents do highlight the potential vulnerabilities of password manager systems, and in particular of the browser extension, which necessarily handles plaintext credentials on the device and is not protected by the vault’s encryption. Given how much users keep in their vaults, from account passwords to banking details, the consequences of a breach exposing multiple accounts’ credentials could be severe.
Multifactor Authentication (MFA) is a primary route to safeguarding the vault against a stolen or guessed master password. As the Harvard community already uses Duo Mobile for MFA, and as it is compatible with LastPass, the recommendation would be to use this service both as an additional layer of security and to further safeguard users and their information. In practice, this means that a second factor, such as a Duo push or code, would be required before a user could access their vault. (3) MFA on the vault does not, however, defend against flaws in the browser extension or against malware on a device where the vault is already unlocked, so it complements rather than replaces the other measures.
Promoting Good Data Practice
In general, the Harvard community does not take responsibility for good online security. Given the knowledge gaps that exist and the challenges of getting people to change their behaviors, there is good cause for HKS, in partnership with HIS, to take a leadership role in pioneering mandatory use of LastPass. Additionally, as cyber risks evolve we must take collective steps to safeguard our data. Leadership, education, and training are fundamental to instilling an organizational culture where the whole community takes proactive steps to create a data-safe environment. (1)
This is a development from the current voluntary system, and adoption by HKS would serve as a pilot study for the whole university. I would recommend an on-boarding aligned with the use of MFA for the academic year 2020–21. If the trial is successful, mandatory adoption should be rolled out across the whole university. This recommendation recognizes that password manager software is by no means perfect, but it is currently the best available defense against a constantly evolving challenge.
(1) https://www.intheblack.com/articles/2019/11/01/password-protection-in-the-cloud-accounting-era
(2) https://www.schneier.com/blog/archives/2014/09/security_of_pas.html
(4) https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
(5) https://bugs.chromium.org/p/project-zero/issues/detail?id=1930
(7) https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/
