One day I get a text from the illimitable Kai Davis. He’s had a Bad Moment.
Adam. I have terrible OpSec.
A former user had deleted a bunch of files. Luckily, Kai was able to recover them.
Teach me how to OpSec.
No worries buddy. I got you.
Kai is a power user, and in today’s Internet that means he subscribes to two dozen hosted services. How do you manage two dozen services and keep any kind of sanity? I do it with checklists (⬅️ read this book).
Before I show them to you, we need to cover one of the Big Important Things from Mr. Gawande’s book. Kai already knows how to manage his services. He just needs to make sure he hasn’t forgotten something important like disabling access for former users.
I wrote Kai two checklists. One to use monthly to make sure nothing gets missed and one to use when setting up new services to reduce the monthly work. I assume he has a master spreadsheet listing all his services. Kai's Bad Moment counts as OpSec, but I didn't limit these lists to that category.
Hopefully, these help you as well.
The Monthly Checklist
- Can I cancel this service?
- Should I delete users?
- Should I change shared passwords?
- Should I un-share anything?
- Should I force-disconnect any devices?
- Is the domain name about to expire?
- Is the credit card about to expire?
- Am I paying for more than I use?
- Should I cancel auto-renewal?
- Are there any messages from the provider in my account? (new!)
- Is the last backup bigger than the one before it?
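Several of the monthly questions can be answered straight from the master spreadsheet, which is the point of keeping one. The script below is an added example, not part of the original post or anything Kai uses: it reads a constructed CSV version of the spreadsheet (invented services, sizes and dates), and flags former users who still have accounts, domains and cards expiring within the next 30 days, and backups that shrank or came up empty. The column names, the 30-day horizon and the 1% shrink tolerance are all assumptions; the judgement calls ("can I cancel this?", "am I paying for more than I use?") are left to the human on purpose.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of the master spreadsheet: invented services and numbers,
# not anyone's real account list. Sizes are bytes, dates are ISO, the card
# expiry is MM/YY as printed on the card, users is ';'-separated account names.
SAMPLE_SHEET = """\
service,domain_expiry,card_expiry,users,prev_backup_bytes,last_backup_bytes
billing-app,2024-07-15,12/25,adam;assistant;alice,104857600,94371840
mailing-list,2025-01-01,06/24,adam;assistant,52428800,52430000
old-forum,2024-06-20,12/25,adam;bob,0,0
"""

HORIZON_DAYS = 30        # "about to expire" = within this many days (assumed threshold)
SHRINK_TOLERANCE = 0.01  # ignore backups that shrank by under 1% (assumed; compression jitter)


def parse_sheet(text):
    """Read the master spreadsheet (CSV text) into one dict per service."""
    return list(csv.DictReader(io.StringIO(text)))


def card_expiry_date(mmyy):
    """'MM/YY' on a card means valid through the end of that month."""
    month, year = (int(part) for part in mmyy.split("/"))
    year += 2000
    if month == 12:
        return date(year, 12, 31)
    return date(year, month + 1, 1) - timedelta(days=1)


def monthly_findings(rows, today, former_users):
    """Run the spreadsheet-answerable monthly checks; return (service, check, detail).

    'Can I cancel this?', 'am I paying for more than I use?' and 'should I
    un-share anything?' stay human judgement and are deliberately not here.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    former = set(former_users)
    findings = []
    for row in rows:
        svc = row["service"]

        # Should I delete users? This is Kai's Bad Moment: a former user who still had access.
        stale = sorted(set(row["users"].split(";")) & former)
        if stale:
            findings.append((svc, "delete users", ", ".join(stale)))

        # Is the domain name about to expire?
        days = (date.fromisoformat(row["domain_expiry"]) - today).days
        if days <= HORIZON_DAYS:
            findings.append((svc, "domain expiry", f"{days} days"))

        # Is the credit card about to expire?
        days = (card_expiry_date(row["card_expiry"]) - today).days
        if days <= HORIZON_DAYS:
            findings.append((svc, "card expiry", f"{days} days"))

        # Is the last backup bigger than the one before it? A backup that shrank
        # (or is empty) means data was deleted or the backup job broke; either
        # way it needs eyes before the next run overwrites the good copy.
        prev = int(row["prev_backup_bytes"])
        last = int(row["last_backup_bytes"])
        if last == 0:
            findings.append((svc, "backup", "no backup recorded"))
        elif last < prev * (1 - SHRINK_TOLERANCE):
            findings.append((svc, "backup shrank", f"{prev} -> {last} bytes"))
    return findings


def report(findings):
    """Format findings as the to-do list you actually work through."""
    if not findings:
        return "Nothing due this month."
    return "\n".join(f"[{svc}] {check}: {detail}" for svc, check, detail in findings)


if __name__ == "__main__":
    rows = parse_sheet(SAMPLE_SHEET)
    # Assumed: the month being reviewed is June 2024 and 'bob' has left.
    print(report(monthly_findings(rows, "2024-06-01", ["bob"])))
```

Run it once a month with the current date and the names of anyone who has left; everything it prints is a row you open and deal with by hand. The backup check is the one that would have caught Kai's situation early: a backup that is suddenly smaller than the last one is the first visible sign that files went missing.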
The Setup Checklist
- Add row to master spreadsheet.
- Save URL, account ID, username, password, email address, and secret questions in 1Password.
- Sign up for paperless everything.
- Enter phone number and mailing address into account profile.
- Review privacy settings.
- Enable MFA.
- Send hardcopy of MFA backup codes offsite.
- Set up recurring billing.
- Set alarm to manually check the first auto-bill.
- Set alarm to revisit billing choices.
- Set schedule for backups.
- Check that backups contain the really important data.
- Create a user for my assistant.
- Confirm my assistant has logged in.
- Can I cancel this service? I always ask “can I”, not “should I”. There’s always a reason to keep it, but I want a reason to nuke it.
- Am I paying for more than I use? I look at current usage, not predicted usage. The number is often not actionable, but it’s a good lens.
- Save URL, account ID, username, password, email address, and secret questions in 1Password. The URL matters because 1Password matches it against known site breaches and warns you when that password needs changing. The email address and username may seem redundant, but having both has saved me a bunch of times. Same with secret questions. Treat the secret questions like passwords: random answers kept in the vault, not true facts about you.
- Enter phone number and mailing address into account profile. These make recovery and support calls easier.
- Review privacy settings. Remember, Kai already knows how to manage his services. He knows how to pick good privacy settings. But privacy settings are often hidden and it’s easy to forget them when signing up.
- Enable MFA. I know it sucks, but the security landscape gets worse every day. Use this for anything expensive or private. Prefer an authenticator app or hardware key over SMS wherever the service offers one.
- Send hardcopy of MFA backup codes offsite. I have watched people spend months on account recovery when their phones die and they lose their Google Authenticator codes with them.
- Set alarm to manually check the first auto-bill. This saves me all the time. All. The. Time.
- Set alarm to revisit billing choices. This has saved me thousands of dollars.
- Set schedule for backups. Even if it’s an alarm to do a manual backup once a month.