A short while ago, Twitter got hacked. I wrote about this, as did Denny Cherry. I think Denny’s piece was more interesting, as he speculates about the security measures that Twitter may, or may not, have had in place.
One of the things Denny brings up is air-gapping administrative machines. I’ve rarely seen this in organizations, and perhaps see this less and less in the pandemic world. There are some high security places that do this, but could your organization do this? How many of us use cloud or co-location facilities where we can’t even physically enter the premises?
I suppose we can use some strong network security controls, perhaps even requiring static IP addresses for people at home and specific routes for certain administrators. I do know some companies that do require specific laptops for access, with limited software, but this certainly isn’t the norm. Too often a general laptop used for most work performs double duty as an administrative workstation with access to production data.
Another thing Denny mentions is jump hosts, without any cut/copy/paste functionality from the remote machine to the host. This is something I am starting to see from customers, even smaller ones, as a way of limiting the chance of ransomware or some security breach. Multi-factor authentication gets an administrator onto a remote desktop session on a jump host, from which they can access production systems with limited tools. This certainly isn’t perfect, and it is annoying for administrators, but it is a good security layer, and it forces organizations to use good, compliant, database DevOps practices to deploy changes.
Perhaps the best part of Denny’s article is the title of the last section: good security shouldn’t be user friendly. It shouldn’t be for administrators. While we might make things slightly easier for average users, anyone that can access bulk amounts of data, especially in a privileged fashion, should have strong security, which is a bit cumbersome. I think the hassles of strong security would be a good thing for more of us to have to deal with. Hopefully more organizations will start taking better precautions and reduce the chance of attack.