Security is a moving target. Just a couple of days ago we read in a German newspaper that the mTAN system used to secure banking transactions had been circumvented, allowing attackers to transfer money without authorization. What was considered secure no longer was.
What is really interesting nowadays is that the threat has moved from local to remote. You are now more likely to suffer data loss from a remote bad actor than from someone breaking into your office or house.
To model the threat to the security of Céondo's systems, we need a trusted and secure root. For us, it is pretty simple: it is a safe at the bank. The safe is only accessible with a physical key, a bank card and a PIN associated with the bank card. The PIN is not the same as the card's normal PIN. The bank is the root location for key and document backups; it is also the place where we keep a rotation of encrypted backup hard drives.
At the office, the laptops are secured this way:
- encrypted home directory (with Ubuntu OS);
- login password composed of 8 characters remembered by the user plus a 30+ character password stored as a static password on a YubiKey.
On each laptop, a KeePassX vault is used to store all the login/passwords of the different services. All the passwords are unique per service and randomly generated with KeePassX.
The vault itself is encrypted using the same approach as the login: a passphrase composed of a normal remembered password followed by a long password stored on a YubiKey. Some users have the same key for the login and the vault, some have two different keys.
Combining a remembered password with the long static password held on the key gives good resistance to the local threat, that is, someone stealing a laptop together with the key (as long as the remembered password is not 1234, of course).
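To make the local-versus-remote distinction concrete, here is an added example (not code from Céondo or from the original post) that models how much of the composite passphrase an attacker still has to search in each case. The alphabet sizes, the constructed denylist of weak remembered parts and the guess rate are all assumptions; the 8-character remembered part is the figure given above.

```python
import math

# Assumed alphabet sizes (not from the post): the remembered part is typed from
# letters and digits; the YubiKey static password is assumed alphanumeric as well.
REMEMBERED_CHARSET = 62
STATIC_CHARSET = 62

# Constructed denylist of remembered parts that defeat the scheme outright.
WEAK_REMEMBERED = {"1234", "12345678", "password", "qwerty"}
MIN_REMEMBERED_LEN = 8   # the post's remembered component is 8 characters


def entropy_bits(length, charset_size):
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(charset_size)


def effective_bits(remembered_len, static_len, attacker_holds_key):
    """Entropy an attacker must search, for the two threats the post distinguishes.

    Local threat: the thief has the laptop and the YubiKey, so the static part is
    known and only the remembered part remains. Remote threat: neither part is known.
    """
    bits = entropy_bits(remembered_len, REMEMBERED_CHARSET)
    if not attacker_holds_key:
        bits += entropy_bits(static_len, STATIC_CHARSET)
    return bits


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole keyspace at the given guess rate (the KDF cost sets this rate)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def assess(remembered, static_len, guesses_per_second):
    """Small report for one user's remembered part and static-password length."""
    weak = len(remembered) < MIN_REMEMBERED_LEN or remembered.lower() in WEAK_REMEMBERED
    local = effective_bits(len(remembered), static_len, attacker_holds_key=True)
    remote = effective_bits(len(remembered), static_len, attacker_holds_key=False)
    return {
        "weak_remembered": weak,
        "local_bits": local,
        "remote_bits": remote,
        "local_years": years_to_exhaust(local, guesses_per_second),
        "remote_years": years_to_exhaust(remote, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample: an 8-character remembered part and a 32-character static
    # password, against an assumed 1e6 guesses/s (a slow KDF makes this plausible).
    for remembered in ("1234", "k7Qp2xLm"):
        print(remembered, assess(remembered, static_len=32, guesses_per_second=1e6))
```

The point the numbers make is the one in the text: against a thief who holds the key, only the remembered part counts, so it must be neither short nor guessable; against a remote attacker the static part adds its full length. The guess rate is the lever a defender controls through the key derivation settings of the home-directory encryption and the vault.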
For the highly critical accounts, a simple login/password, even a randomly generated one, is not enough. For them, we use another authentication factor. This can be OTP with Gandi or U2F with FastMail.
For each key, we keep a backup key at the bank. Only a few services use OTP/U2F, so for the moment it is not a problem to go to the bank and retrieve the backup key for the time it takes to register it. This may need to change as U2F becomes more widely used.
Using this approach, our systems are well secured and still easy to use in daily life, which is really important.