upvote

points

by kiitos2 days ago |
comments
upvoteby 9x392 days ago|
next
[-]
A trend for corporate workstations is moving closer to a phone with a locked-down app store, with all programs from a company software repo.

Eliminating everything but a business's industry specific apps, MS Office, and some well-known productivity tools slashes support calls (no customization!) and frustrates cyberattacks to some degree when you can't deploy custom executables.

reply
upvoteby bigfatkitten2 days ago|
parent|
next
[-]
That's why this it's been a requirement for Australian government agencies for about 15 years.

In around 2011, the Defence Signals Directorate (now the Australian Signals Directorate) went through and did an analysis of all of the intrusions they had assisted with over the previous few years. It turned out that app whitelisting, patching OS vulns, patching client applications (Office, Adobe Reader, browsers), and some basis permission management would have prevented something like 90% of them.

The "Top 4" was later expanded to the Essential Eight which includes additional elements such as backups, MFA, disabling Office macros and using hardened application configs.

https://www.cyber.gov.au/resources-business-and-government/e...

reply
upvoteby michaelt2 days ago|
parent|
prev|
next
[-]
Then the users start using cloud webapps to do everything. I can't install a PDF-to-excel converter, so I'll use this online service to do it.

At first glance that might seem a poor move for corporate information security. But crucially, the security of cloud webapps is not the windows sysadmins' problem - buck successfully passed.

reply
upvoteby serial_dev2 days ago|
parent|
prev|
[-]
I don’t think locking down slashes support calls because you will now receive support requests anytime someone wants to install something and actually have a good business reason to do so.
reply
upvoteby 9x392 days ago|
parent|
[-]
Consider the ones you don't get: ones where PCs have to be wiped from customization gone wrong, politics and productivity police calls - "Why is Bob gaming?", "Why is Alice on Discord?".

It's about the transition from artisanal hand-configuration to mass-produced fleet standards, and diverting exceptional behavior and customizations somewhere else.

reply
upvoteby Aeolun2 days ago|
parent|
next
[-]
If you don’t want exceptional behavior, that’s exactly what you’ll get. In more than one way.

Alice is on Discord because half of the products the company uses now give more or less direct access to their devs through Discord

reply
upvoteby bornfreddy2 days ago|
parent|
prev|
[-]
Coupled with protection against executing unknown executables this also actually helps with security. It's not like (most) users know which exe is potentially a trojan.
reply
upvoteby pjmlp2 days ago|
prev|
[-]
This is standard practice for years in big corporations.

You install software via ticket requests to IT, and devs might have admin rights, but not root, and only temporary.

This is nothing new though, back in the timesharing days, where we would connect to the development server, we only got as much rights as required for the ongoing development workflows.

Hence why PCs felt so liberating.

reply
upvoteby betaby2 days ago|
parent|
[-]
It's a standard practice. And at $CURENT_JOB it's driven by semi-literate security folks, definitely not insurance.
reply
upvoteby pjmlp2 days ago|
parent|
[-]
Insurance and liability concerns drive the security folks.

Just wait when more countries keep adopting cybersecurity laws for companies liabilities when software doesn't behave, like in any other engineering industry.

reply
upvoteby stefan_2 days ago|
parent|
[-]
Hello, the security folks in those companies made those up. "cyber insurance" is hogwash. That entire branch has been taken over by useless middle manager types who know to type up checklists in Word but have no understanding of anything.
reply
upvoteby blangk2 days ago|
parent|
next
[-]
Are you arguing non technical people should have root access to company owned and managed PCs? Because I can tell you from experience, that will result in a very bad time at some point. Even if it is just for the single end user and not the wider org.
reply
upvoteby pjmlp2 days ago|
parent|
prev|
[-]
As someone that happens to also be one of those clueless people when assuming DevOps roles in consulting projects, it is a very bad day when some clever user is responsible for a security breach.

A breach can turn out into enough money being lost, in credibility, canceled orders, or lawsuits, big enough to close shop, or having to fire those that thought security rules were dumb.

Also anyone with security officer title, in many countries has legal responsibilities when something goes wrong, so when they sign off software deliverables that go wrong, is their signature on the approval.

reply