Between Security and Paranoia: Trends in Large Corporations
Watching the lives of large corporations drives me depressed. This is a wild paranoia and at the same time terrible, gaping security holes. However, perhaps these things are just related - because the paranoid is focused on certain things, and can easily overlook the obvious. He can go out into the street, frantically rustling with foil, which he has wrapped from head to foot, and be hit by a bus.
I’ve seen a company where they closed the USB data storage profile for VDI machines, but they didn’t close the USB Hub profile, that is, you could plug in the USB Hub and then a USB flash drive. By the way, the computers there were zavrusovannye. Nevertheless, it is not a dream at all, but the active wakefulness of the mind of the security guards is not aimed at repairing holes, it continues to give birth to monsters. One of these monsters is called
Well, if this makes the storage system when writing to its disks: a small payment on the CPU, that's all. Worse, if encryption is done a higher level - then this encryption kills the deduplication level lower. I wouldn’t be surprised if they make the third level, let’s say, encrypt the data hardware on the disks themselves, and only certify such disks, or require virtual disks to be encrypted. Three foil hats work better than one!
But tell me, what kind of life scenario are you trying to prevent? In the datacenter, a malicious hacker snuck up and stole a disk and NetApp running, getting mess in hands from data striping for some unknown reason? How do you imagine that? In that datacenter, where I was, there were even concrete racks of an armored car from a ram.
Do you see a hacker in the photo with nippers in the lower left corner? I do not see either.
Of course, used discs cannot be thrown away, only destroyed. This is like a standard, and for this there are certified companies with certified bulldozersfor pressure on sanctions . Ok, encrypt it once transparently at the storage level, I don't mind, but then why? Most of all from data encryption at rest suffered
Because RDS on SQL Server Express Edition does not support encryption, and you need at least Standard Edition N times more expensive. And why - if there are only test tables with fake data? Therefore! Because the policy. This is sent over
and is not discussed. As a result, the use of AWS for DEV turned out to be inexpedient.
Generally, with AWS sadness. A person sees how with the help of a couple of clicks on the AWS interface you can create the infrastructure, his hand reaches for the mouse, but there is a cry:
- We create everything only through Terraform!
- Ok, let me create a file ...
- uh, no, we have a DevOps team here, we defined a bunch of variables there, everything is tricky, you can’t do it, we have a three-hour rally of git merge requests for terraform code every day
“But when will I be ready?”
- No, of course. Everything starts only through the Jenkins job.
- Where is it?
- You still will not be allowed there. When creating EC2, you need to correctly specify the inventory code, project code, fiscal code for accounting, you do not know all this, do not meddle, there are special people.
As a result, with the development of DevOps, developers are farther and farther from Ops.
In the network, we also love to encrypt. Well, of course the tunnels between the offices are encrypted. Inside encrypted channels, encrypted connections, all sorts of https. But tomorrow the rally - something else will be encrypted! Everything is not enough for them ...
Again, how do you imagine hacking? Like this?
I found only this picture, but I was looking for another one. In some kind of military film that I watched as a child, military intelligence officers stuck needles into wires and eavesdropped on enemy conversations through headphones. For some reason, it seems night, blizzard, and all black and white. But seriously, the encrypted tunnel is a mess of heaps of packets broken down, what will you do about it? Same as Spring?
Oh yes, this is a great topic. However they write that regular password change is evil, it's still there. And how do you have 12 (yes, twelve!) Different domain accounts with passwords of different lengths, different obsolescence times and incompatible rules regarding their complexity?
We need to break through to some servers like this: under one ekaaunt we go to the Terminal (Jump) server, from there we jump the RDP to another, under another account, then sometimes to the third one. At each level of immersion, the speed of redrawing slows down, the window size often decreases, the whole chain begins to require re-entry of a password (copy / paste is prohibited) or close completely after a small number of minutes in the idle, so you have to run very quickly to the toilet, and only “small” "
I strongly suspect that all these things like timeouts and lack of copy-paste are done simply to make it inconvenient. Pure evil. Not every DBA reaches the production server. However, you can always do even worse, and they are already implementing some kind of system for zero-touch production, which, they say, is even more uncomfortable.
Of course, often all these measures are not pure evil, but “time-tested” (such as password requirements) solutions for auditors. At the same time, the well-known principle “don't ask - don't tell” is realized - we can guess how 80% of employees store passwords. But as if we all said, the rules were laid out, the papers were signed, and if anyone has the papers attached to the monitor, then this is not our fault.
Nevertheless, even with this understanding, with fear I open the mail - you can come across another letter about their favorite “hardening” - the Russian translation “tightening the screws” and guess what else will become worse. You might think that this is not enough for me in life! It seems that concern about security has long become a paranoia. Sometimes real, sometimes feigned - for the sake of auditors. I also recall the 13th journey of Yon Tikhy to the once deserted planet, which was flooded, then turned into the ocean, and everyone could not stop until everyone was drowned ...
I would be glad to comment.
I’ve seen a company where they closed the USB data storage profile for VDI machines, but they didn’t close the USB Hub profile, that is, you could plug in the USB Hub and then a USB flash drive. By the way, the computers there were zavrusovannye. Nevertheless, it is not a dream at all, but the active wakefulness of the mind of the security guards is not aimed at repairing holes, it continues to give birth to monsters. One of these monsters is called
Data Encryption at Rest
Well, if this makes the storage system when writing to its disks: a small payment on the CPU, that's all. Worse, if encryption is done a higher level - then this encryption kills the deduplication level lower. I wouldn’t be surprised if they make the third level, let’s say, encrypt the data hardware on the disks themselves, and only certify such disks, or require virtual disks to be encrypted. Three foil hats work better than one!
But tell me, what kind of life scenario are you trying to prevent? In the datacenter, a malicious hacker snuck up and stole a disk and NetApp running, getting mess in hands from data striping for some unknown reason? How do you imagine that? In that datacenter, where I was, there were even concrete racks of an armored car from a ram.
Do you see a hacker in the photo with nippers in the lower left corner? I do not see either.
Of course, used discs cannot be thrown away, only destroyed. This is like a standard, and for this there are certified companies with certified bulldozers
AWS
Because RDS on SQL Server Express Edition does not support encryption, and you need at least Standard Edition N times more expensive. And why - if there are only test tables with fake data? Therefore! Because the policy. This is sent over
and is not discussed. As a result, the use of AWS for DEV turned out to be inexpedient.
Generally, with AWS sadness. A person sees how with the help of a couple of clicks on the AWS interface you can create the infrastructure, his hand reaches for the mouse, but there is a cry:
- We create everything only through Terraform!
- Ok, let me create a file ...
- uh, no, we have a DevOps team here, we defined a bunch of variables there, everything is tricky, you can’t do it, we have a three-hour rally of git merge requests for terraform code every day
“But when will I be ready?”
- No, of course. Everything starts only through the Jenkins job.
- Where is it?
- You still will not be allowed there. When creating EC2, you need to correctly specify the inventory code, project code, fiscal code for accounting, you do not know all this, do not meddle, there are special people.
As a result, with the development of DevOps, developers are farther and farther from Ops.
Network
In the network, we also love to encrypt. Well, of course the tunnels between the offices are encrypted. Inside encrypted channels, encrypted connections, all sorts of https. But tomorrow the rally - something else will be encrypted! Everything is not enough for them ...
Again, how do you imagine hacking? Like this?
I found only this picture, but I was looking for another one. In some kind of military film that I watched as a child, military intelligence officers stuck needles into wires and eavesdropped on enemy conversations through headphones. For some reason, it seems night, blizzard, and all black and white. But seriously, the encrypted tunnel is a mess of heaps of packets broken down, what will you do about it? Same as Spring?
Passwords and access
Oh yes, this is a great topic. However they write that regular password change is evil, it's still there. And how do you have 12 (yes, twelve!) Different domain accounts with passwords of different lengths, different obsolescence times and incompatible rules regarding their complexity?
We need to break through to some servers like this: under one ekaaunt we go to the Terminal (Jump) server, from there we jump the RDP to another, under another account, then sometimes to the third one. At each level of immersion, the speed of redrawing slows down, the window size often decreases, the whole chain begins to require re-entry of a password (copy / paste is prohibited) or close completely after a small number of minutes in the idle, so you have to run very quickly to the toilet, and only “small” "
I strongly suspect that all these things like timeouts and lack of copy-paste are done simply to make it inconvenient. Pure evil. Not every DBA reaches the production server. However, you can always do even worse, and they are already implementing some kind of system for zero-touch production, which, they say, is even more uncomfortable.
Auditors
Of course, often all these measures are not pure evil, but “time-tested” (such as password requirements) solutions for auditors. At the same time, the well-known principle “don't ask - don't tell” is realized - we can guess how 80% of employees store passwords. But as if we all said, the rules were laid out, the papers were signed, and if anyone has the papers attached to the monitor, then this is not our fault.
Nevertheless, even with this understanding, with fear I open the mail - you can come across another letter about their favorite “hardening” - the Russian translation “tightening the screws” and guess what else will become worse. You might think that this is not enough for me in life! It seems that concern about security has long become a paranoia. Sometimes real, sometimes feigned - for the sake of auditors. I also recall the 13th journey of Yon Tikhy to the once deserted planet, which was flooded, then turned into the ocean, and everyone could not stop until everyone was drowned ...
I would be glad to comment.