posted: September 22, 2024
tl;dr: Increased security comes at a price of decreased productivity...
If you want a job, become a software developer. If you want a job for life, become a software security expert.
The security of information and software systems has been an issue my entire career, and it only continues to grow. At this point, forty-plus years into my career, I am convinced that it will never be solved. There will always be issues with securing systems and a need for people who understand and can solve those issues.
I am seeing companies pay more attention to security, often in response to widely-publicized breaches. One of the clients that I work with was a victim of the recent Sisense security breach, in which database credentials shared with Sisense were compromised, which could allow the hackers access to the data in those databases. The client got rid of Sisense, a reasonable action to take since they also use Tableau, a competing product. But they are not stopping there: the client is also examining their databases and who has access to them, both inside and outside the company. The end result is a reconfiguration of databases, with more limits placed on who has access to them. While this will increase security, it will also slow down legitimate use of the data, as people who no longer have access to it have to place requests to get the data they need to perform their jobs.
I have to admit that, when the client asked us to list who has access to one of the databases that we control, I was surprised by the number of people who do. The information in this particular database is not especially sensitive: there are no logins, passwords, bank account or credit card data. Still, we were asked to remove access for certain people. Doing periodic audits of user accounts, and expiring the credentials of people who have not accessed a system in a reasonable time period, are good practices.
My own employer, and the clients I work with, are reducing access to their cloud service providers such as Amazon Web Services (AWS) and various Software-as-a-Service (SaaS) tools. So when I need to do something that my default privilege level does not permit, I have to issue a request and either wait for it to be granted or wait for someone else to do it on my behalf. This slows down development.
Emails are getting harder to read and process thanks to anti-spam and anti-phishing technology. This deserves its own post, which I will get to soon.
Last week I burned some of my time when I discovered a strange practice regarding password changes that a client had implemented. After I was granted access to a new system and logged in, it instructed me to change my password, which is fine. However, something went wrong, and neither my new password nor the old one worked. I was unable to reset my password by having a new, temporary password sent to my email address. After getting someone from the client’s IT department on the phone, it was explained that a policy was implemented which only allows a password to be changed once every 48 hours.
The reason for this policy, I was told, was that the IT department had noticed that some users were gaming the mandatory password change policy, which prevents a new password from being the same as one of the last five passwords. Before the 48-hour policy was implemented, some users would quickly change their password six times in a row, with the sixth password being the same as the original password, so that they wouldn’t have to remember a new password. The “one password change every 48 hours” policy eliminates this problem, but it caused me to be locked out of the system until I could get a human to intervene.
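The interaction between the two rules can be modelled in a few lines. This is an added example, not the client's implementation: the `PasswordPolicy` class, the `rapid_cycle` helper, the sample passwords and the timestamp are all hypothetical, and the model assumes the history of five includes the current password.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly (constructed value).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

class PasswordPolicy:
    """Hypothetical model of the two rules in the post: a history of the
    last `history` passwords and a minimum age between changes."""

    def __init__(self, initial, history=5, min_age=timedelta(0)):
        self.history, self.min_age = history, min_age
        self.entries = []        # salted digests, newest last
        self.last_change = None  # assumption: initial password does not start the clock
        self._store(initial)

    def _store(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        self.entries = self.entries[-self.history:]  # forget older passwords

    def change(self, new, now):
        if self.last_change is not None and now - self.last_change < self.min_age:
            return "too-soon"
        if any(hmac.compare_digest(_digest(new, s), d) for s, d in self.entries):
            return "reused"
        self._store(new)
        self.last_change = now
        return "ok"

def rapid_cycle(policy, original, start):
    """Five throwaway passwords, then the original, one minute apart."""
    attempts = [f"throwaway-{i}" for i in range(1, 6)] + [original]
    return [policy.change(p, start + timedelta(minutes=i))
            for i, p in enumerate(attempts)]

if __name__ == "__main__":
    t0 = datetime(2024, 9, 16, 9, 0)  # constructed timestamp
    print(rapid_cycle(PasswordPolicy("Original#1"), "Original#1", t0))
    print(rapid_cycle(PasswordPolicy("Original#1", min_age=timedelta(hours=48)),
                      "Original#1", t0))
```

With history alone, all six changes succeed and the original password is back in place within minutes; with the 48-hour minimum age, only the first change goes through.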
That same client only allows access to certain systems through a virtual desktop interface (VDI). To access the VDI, I fire up the Google Chrome browser on my Mac. After connecting, I have a slightly grainy Windows desktop in the browser window. I then fire up the Google Chrome browser on the Windows desktop and can gain access to the systems that I need. So I end up using two browsers on two different operating systems, with the result being a slightly grainy view and slow response time. It’s secure, perhaps, but it reduces my productivity.
There is an inherent tradeoff between security and productivity. Then there are situations where a malfunction in the security system itself causes a major problem...