OT: Dealing with a hosting company with it's head up it's rear end

Tim Daneliuk tundra at tundraware.com
Fri Aug 14 17:49:01 UTC 2020

On 8/14/20 12:13 PM, Jon Radel wrote:
> I'm a bit unclear on how a frank admission that the controls can be
> circumvented translates, in your head at least, into a false sense of
> security.
> The playground is a bit bigger than the technical sandbox where you
> appear, and I most certainly am, most comfortable.  The CISO also has to
> be comfortable hanging out with the compliance lawyers behind the shed
> at the far end of playground, not to mention keeping HR happy.
> If you write a policy document, implement controls that make
> "accidental" circumvention of the policy difficult, while still keeping
> a close eye on what else the staff is doing, you can:
> 1.  Reduce the noise of having to track unthinking, largely innocent
> violations and endless, tedious discussions about who deserves to be
> fired. 
> 2.  Reduce the plausible deniability of the actual attempts to cause
> harm to the company, now that actual "tricky" actions are required to
> circumvent controls that give you big warnings in your browser, making
> for much better confidence in making termination decisions and/or taking
> legal action.
> None of this particularly has anything to do with the technology.

Hear, hear.  Unlike universities and government agencies, businesses do
not have A) An essentially limitless line of credit and B) Huge immunity
to legal action.   Businesses therefore must act in way to limit risk,
and said limitations cannot be avoided just because they are imperfect.

The irony is that of much of this risk avoidance is inflicted at the hands
of political agents and bureaucrats who themselves have no expertise in
the technology nor any actual risk exposure themselves.  This doesn't
prevent them from writing law and regulations the force CIOs and CISOs to
make unpleasant compromise decisions.

The truth is that technical elegance and ease are the least important
inputs into any CIO's calculus.  They have exposure to far larger problems
than whether or not you can tunnel ansible playbooks over an ssh session ...


Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/

More information about the freebsd-questions mailing list