
Between Security and Paranoia: Trends in Large Corporations

Watching the life of large corporations makes me depressed. It is wild paranoia side by side with terrible, gaping security holes. Perhaps the two are simply related: the paranoid is fixated on certain things and can easily overlook the obvious. He can walk out into the street, frantically rustling in the foil he has wrapped around himself from head to foot, and be hit by a bus.



I have seen a company where the USB mass-storage device class was blocked on the VDI machines, but the USB hub class was not, so you could plug in a USB hub and then a flash drive into it. Incidentally, the computers there were infested with viruses. Still, it is not the sleep of reason that produces the monsters here but the active wakefulness of the security people's minds, directed not at repairing holes. One of these monsters is called

Data Encryption at Rest


Fine, if the storage array does this itself when writing to its own disks: a small CPU cost, and that is all. Worse if the encryption is done higher up, because then it kills deduplication below it (the array sees only unique-looking ciphertext). I would not be surprised if they added a third layer, say, hardware encryption on the disks themselves and certified only such disks, or required the virtual disks to be encrypted as well. Three foil hats work better than one!

But tell me, what real-life scenario are you trying to prevent? A malicious hacker sneaks into the datacenter, pulls a disk out of a running NetApp, and ends up holding a jumble of striped data, for some unknown purpose? How do you imagine that? The datacenter I was in even had concrete bollards against a ramming armored car.
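To make the deduplication point concrete, here is an added example (it is not from the original post, and the data, block size and cipher are constructed for the illustration). It simulates four VM volumes cloned from one base image, measures the deduplication ratio a content-addressed array would achieve on the plaintext, and then compares two placements of encryption: above the array, where each tenant encrypts with its own key and a random IV before the data arrives, and inside the array, which deduplicates plaintext first and encrypts only the unique blocks with its own key. The cipher is an HMAC-SHA256 counter-mode keystream standing in for AES so the script runs on the standard library alone.

```python
import hashlib
import hmac
import os

BLOCK = 4096  # constructed block size; a typical dedup granularity


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (illustration, not AES)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one block under a fresh random nonce; output = nonce || ciphertext."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(block))
    return nonce + bytes(a ^ b for a, b in zip(block, ks))


def dedup_ratio(blocks) -> float:
    """Logical blocks divided by unique blocks, as a content-addressed store sees them."""
    unique = {hashlib.sha256(b).digest() for b in blocks}
    return len(blocks) / len(unique)


def make_volumes(n_volumes: int = 4, common_blocks: int = 40, private_blocks: int = 10):
    """Constructed data: every volume shares one base image plus a few private blocks."""
    base = [os.urandom(BLOCK) for _ in range(common_blocks)]
    return [base + [os.urandom(BLOCK) for _ in range(private_blocks)] for _ in range(n_volumes)]


def scenario_plaintext(volumes) -> float:
    """What the array achieves if nobody encrypts above it."""
    return dedup_ratio([b for v in volumes for b in v])


def scenario_encrypt_above_dedup(volumes) -> float:
    """Each tenant encrypts with its own key (and random IVs) before the array sees the data."""
    keys = [os.urandom(32) for _ in volumes]
    return dedup_ratio([encrypt_block(k, b) for k, v in zip(keys, volumes) for b in v])


def scenario_encrypt_below_dedup(volumes) -> float:
    """The array dedups plaintext first, then encrypts only the unique blocks with its own key."""
    unique = {hashlib.sha256(b).digest(): b for v in volumes for b in v}
    logical = sum(len(v) for v in volumes)
    array_key = os.urandom(32)
    stored = [encrypt_block(array_key, b) for b in unique.values()]
    return logical / len(stored)


if __name__ == "__main__":
    vols = make_volumes()
    print("plaintext dedup ratio:        ", scenario_plaintext(vols))
    print("encrypted above the array:    ", scenario_encrypt_above_dedup(vols))
    print("encrypted inside the array:   ", scenario_encrypt_below_dedup(vols))
```

With the constructed numbers (4 volumes, 40 shared and 10 private blocks each) the plaintext ratio is 2.5 (200 logical blocks, 80 unique), encryption above the array drives it to 1.0 because every ciphertext block is unique, and encryption inside the array keeps 2.5. Note that a single shared key above the array does not rescue it either: random IVs alone make identical plaintext blocks look different, which is exactly the property a good cipher mode is supposed to have.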


Do you see the hacker with wire cutters in the bottom left corner of the photo? Neither do I.

Of course, used disks cannot simply be thrown away, only destroyed. That is more or less a standard, and there are certified companies with certified presses for it. OK, encrypt it once, transparently, at the storage level, I do not mind; but why go further? The one that suffered most from encryption at rest was

AWS


Because RDS with SQL Server Express Edition does not support encryption, and you need at least Standard Edition, which is N times more expensive. And why, if there are only test tables with fake data? Because! Because of the policy. It is handed down from above



and is not up for discussion. As a result, using AWS for DEV turned out to be impractical.

In general, AWS is a sad story. A person sees that with a couple of clicks in the AWS console you can create the infrastructure; his hand reaches for the mouse, but there is a cry:
- We create everything only through Terraform!
- OK, let me create a file...
- Uh, no, we have a DevOps team for that; they defined a bunch of variables there, it is all tricky, you can't handle it, and we have a three-hour meeting for Terraform merge requests every day.
- But when will I be allowed to?
- No, of course not. Everything runs only through the Jenkins job.
- Where is it?
- You won't be allowed in there either. When creating an EC2 instance you need to specify correctly the inventory code, the project code and the fiscal code for accounting; you don't know all that, so don't meddle, there are special people for it.
As a result, the more DevOps develops, the farther developers are from Ops.

Network


On the network we also love to encrypt. Well, of course the tunnels between the offices are encrypted. Inside the encrypted channels there are encrypted connections, all sorts of HTTPS. But tomorrow there is a meeting: something else will be encrypted! It is never enough for them...

Again, how do you imagine the attack? Like this?



I found only this picture, but I was looking for a different one. In some war film I watched as a child, military intelligence officers stuck needles into wires and listened in on enemy conversations through headphones. For some reason it is night, a blizzard, and all in black and white. But seriously, an encrypted tunnel is a jumble of fragmented packets; what are you going to do with it? Same as with Spring?

Passwords and access


Oh yes, this is a great topic. No matter how much they write that regular password rotation is evil, it is still there. And how about having 12 (yes, twelve!) different domain accounts with passwords of different lengths, different expiry periods and incompatible complexity rules?
To get to some servers we have to break through like this: we go to the terminal (jump) server under one account, from there we RDP to another one under a different account, and then sometimes to a third. At each level of immersion the screen redraws more slowly, the window often gets smaller, and the whole chain starts demanding password re-entry (copy/paste prohibited) or closes completely after a few idle minutes, so you have to run to the toilet very quickly, and only "

I strongly suspect that all these things like timeouts and the lack of copy-paste are done simply to make it inconvenient. Pure evil. Not every DBA makes it to the production server. However, you can always make it even worse, and they are already rolling out some kind of zero-touch production system which, they say, is even more uncomfortable.

Auditors


Of course, often all these measures are not pure evil but "time-tested" solutions (such as the password requirements) for the auditors. At the same time the well-known principle "don't ask, don't tell" is at work: we can guess how 80% of employees store their passwords. But as it were, we told everyone, the rules were published, the papers were signed, and if someone has the papers stuck to the monitor, that is not our fault.

Nevertheless, even understanding this, I open my mail with dread: you may run into yet another letter about their favorite "hardening" (in Russian, "tightening the screws") and guess what else will get worse. You would think I had enough of this in my life! It seems that concern for security has long since turned into paranoia. Sometimes real, sometimes feigned, for the sake of the auditors. I am also reminded of Ijon Tichy's thirteenth voyage, to the once-dry planet that was flooded, then turned into an ocean, and nobody could stop until everyone had drowned...

Comments are welcome.

Source: https://habr.com/ru/post/431412/
