96 comments

[ 3.2 ms ] story [ 147 ms ] thread
> Employees often view security protocols as cumbersome. Long, complex passwords, frequent logins and multi-step authentication can feel like barriers to productivity.

This resonates. Juggling Okta and 1P a few times a day is a drag

I think in the security industry, password complexity requirements and frequent re-logging in have been considered bad practises for a while now. Alas they are still seen in places.
> frequent re-logging

We recently had to add that for $bigco requirements at $dayjob, I was stunned: they asked to log people out after — IIRC — 1h inactivity.

That's a not-uncommon "security" feature $bigco will add as a requirement for buying software as well.

Honestly, it's not a terrible policy if you're working with privileged information. A contact mine had with a big insurance company required a 30 minute inactivity logout I think.

OTOH if your job is filling out spreadsheets and forms for a retailer and you don't even have access to customer info, it's way overkill.

Nuance tends to be the first thing tossed out the window when dealing with $bigco though, too many people to manage smartly.

Logging out when there is no activity is quite a common security control requirement in many places.

I've seen 15 minute inactivity log out quite frequently.

Drives users mad of course (particularly admins who are logged in to many machines).

Device logout makes perfect sense, but this is software logout, so would be in addition to the device one, in every piece of software.

I hope and assume it goes along SSO making it less painful but still…

Yes, everything is downhill from the convenience. It's the most basics of things, if there's friction or obstacles, people will go around. And, boy, do companies put up some obstacles:

Does your Intranet site not work with my password manager? Do I have to carry a hardware token generator with me, everywhere I go? Do I need to use an arcane VPN technology to get to your company-approved tool? Are you still making me rotate passwords every six weeks? Are you still making me use bad p@ssword$123 with outdated password policies? Are you logging me out of email every four hours to cycle me through the multi-step login process, even though I'm on a secured-by-you company device?

Obviously. The processes for getting an official exception to cybersecurity practices for a legitimate reason are always slow and agonizing, and the people on the other end are incompetent and condescending.
Why would you make such a blanket generalization? The security team where I work is comprised of competent professionals and generally nice people to boot. Our CISO is a great guy to have a beer with. We've had our disagreements, but they've been of the "smart people championing conflicting business values having a reasonable discussion" variety.
And that still leaves someone not being able to do their job for a number of hours or a number of days while those "reasonable discussions" are ongoing.

It is a hard problem, and the implied solution of "be even more restrictive" is only going to make matters worse.

Those discussions I consider part of the job educating users is very important.
If it's 35% successful as the OP claims, do you think it's working?
They're all great guys with each other.

Do a test. Go to distant office and call IT pretending to be the person who works in that office, with his/her cooperation. See how fast the problem is solved and how you are treated.

I mean, we're a remote company. I work in software, not IT. YMMV I guess. I don't think demonizing an entire department on the basis of a job title is a very intelligent or humane thing to do, and it doesn't resonate with my lived experience.
I work in medical labs. So far I worked for 4 companies and IT support was the same everywhere. It's usually like this:

-ME: I found a problem. The patients get wrong test results in some cases. [explanation]

-IT: No, you don't know how to use the system. [brief instructions for 4y old children, only vaguely related to the issue]

- Look, I did that, it still happens. [attach more instructions to reproduce the problem]

- (1 week later) There could be a problem, but we can't replicate it with your instructions.

- [send video demo]

- Yeah... it could be a small problem, but it's not that serious.

- It's very serious! We send wrong test results to patients! [add more argumentes, examples]

- (1 week later) Yeah... it doesn't seem that serious, it's probably very rare anyway, but here's a workaround [40 clicks procedure]

- I can't do that every time it happens! And it's not rare, it's [x] times a day just the occurences that I know about!

- (1 month no reply)

- Did you read my message? Are you still working on this?

- (1 week later) We sent a support request to [external company]. We're closing this issue until we hear back from them. [closes issue with "invalid"]

- (1 year later, the problem is still there.) Are you still working on this?

- (no reply)

I quit after 7 years and the problem was still there.

This skipped the main reason employees do this: The cybersecurity measures are widely perceived as "security theater", rather than anything that actually enhances security.

Logging me out of an application, where a re-login requires nothing more than a click, is a stupid thing to do. Blocking outgoing (not incoming) ssh is silly when I have outgoing http. Requiring MFA multiple times a day on a work computer that is already secure is overdoing it.

Mostly corporate security is about ass coverage, not about prevention of problems. Though that can be a useful side effect. Ass coverage is about legal liability. If something bad happens, can I wash my hands in innocence and not suffer consequences (financial, legal, etc.)? If "no", take measures until you can because this could get very expensive.

Then the next question is "whose ass". Answer: literally anyone: service providers, your head of IT (who might get fired), your head of sales (who might have to explain to customer lawyers why their data leaked), the CEO, etc. They don't want to be on the spot for your mistakes. For public companies this is worse because now you have publicly traded shares in a very litigious environment with people looking for weaknesses that can be exploited to squeeze money out of any situation. And of course some of the tools in this space are made by publicly traded companies too.

The easiest way to deal with security is applying a shotgun approach of applying any kind of stuff that is vaguely understood to maybe work. The actual effectiveness of these things is besides the point and of course much of it is snake oil. The point is that there are policies and they are being enforced. The more visible and annoying this is, the more effective it is in case of trouble as a means to say "well it wasn't my fault because we did X, Y, and Z".

And of course a secondary effect of putting people on the job of securing a thing is that they will get busy doing their job to justify their existence. Which usually means a whole bunch of policy documents get written, tools get selected (preferably ones with big shiny reputations), and a lot of complexity gets introduced. There will be audits, consultants being consulted, chins being stroked, and a lot of money changing hands all for the assertion that "your ass is covered!" and by extension "theirs" as well. There are whole meta levels of ass coverage here.

That's why security theater is a thing. Because there is a large audience of people that all need to be re-assured about having suitable amounts of ass coverage.

Always assumed they block everything they cannot spy, it's not for security. Https they inject their certificates, ssh you can have your key and they'll be blind. And they spy to prevent exfiltration they say. I cannot ssh into my home network but I can drop tons of company code into an LLM prompt.

Everything else, MFA, password rotations, approved software, stupid training videos... is all there to tick some boxes in a certification process or to easily shift the blame when something bad happens.

Because of MITM-ing TLS with their own certificates, they could also stop you from dumping tons of code into an LLM prompt by blocking all public LLMs (or even all sites not on an allowlist).

The reason it's silly is really that you can always take "secrets" with you, be it by taking photos with your phone ("lets ban phones") or memorizing or writing on paper. Security is useful when it prevents accidental, inadvertent leakage of information ("stop me from shooting myself in the foot"). Anything else, and the inconvenience will make people figure out ways around it.

And the real reason people won't leak information is either ethics and morality, or legal liability.

You overestimate the intelligence of a lot of people. We have caught attempts at exfiltration over channels we can easily monitor.

Is it perfect? No. Can reasonably intelligent people find a way around them? Sure. But we are still going to control that information flow where we can.

So, as the OP claims, it is working for the 35% of the employees, right?

And it likely inconveniences a full 100%.

Does that sound like a smart trade-off?

What is the alternative?

I have actually worked in places that prevented all personal electronic devices in the building, had security guards and bag searches on every floor and no internet access on your desktop. You don't know what inconvenience looks like!

I am sure it can be even worse than what you describe. I, however, do not aspire to taste it.

The question is not what "inconvenience looks like", but rather, what is "enough security with the least inconvenience?"

The alternative is in the answer to that question: if your "measure" is likely to be "bypassed", it is worse than not having it in the first place (because bypassing usually puts sensitive data on even worse medium like flash devices, public cloud, external servers etc).

If your security policy was simply "Do not keep sensitive work data on unencrypted storage" and had informed your employees they are legally liable to adhere to this, they would either choose to not use personal devices or understand the risks if they do.

So like always, getting to that point requires "simply" being reasonable and smart ("common sense" which is, unfortunately, "not that common").

You can just encrypt your stuff and upload it via http. You can even run ssh over http if you work at it.

Encryption is as easy as using zip. And if you uploaded a very large file, they can't realistically log it - so you could even upload it in the clear and it won't be caught unless they are specifically looking.

We scan all file uploads and block encrypted files. Your move.
I challenge you to automatically tell the difference between an encrypted file with a fake header and a jpeg.

A human could see it's not a real image, a tool would not. And that's not even getting into steganography - just literally add a jpeg header to the encrypted file and it will fool most things.

Or any kind of streaming upload. The thing about media compression is that the compression process leads to a file that looks 100% random, an encrypted file also looks that way.

Yeah, you would probably get past it like that, good one. Steganography could also be used to exfiltrate data.

The point of these systems though isn't to stop a determined attacker on the inside. It's to prevent people foolishly, accidentally, or intentionally (because they're lazy) from sending potentially sensitive data out. This happens all the time.

> Password Reuse: 49% of respondents use the same login credentials for multiple work applications, and 36% use the same credentials for personal and professional accounts.

If your company has multiple things you need to log in to, its doing something wrong. Having company-wide single login system is really critical for good security.

> 30% of employees share their workplace passwords with colleagues, effectively nullifying the protections offered by unique credentials or MFA.

This also suggests something is setup wrong in the company (lack of giving people correct access?). Normally sharing passwords should be harder than not sharing, if you have to log out of a global account to log in as another one.

Security is all about incentives. If employees are incentivized to act insecurely, they will. Its not the employees fault, its the people who setup the system in such a way that encourages people to act insecurely. Good security is all about aligning incentives to control risk.

> If your company has multiple things you need to log in to, its doing something wrong.

How does that work for privileged accounts?

Kind of like sudo. Your individual identity is allowed to assume the privileged identity after providing an additional factor/justification (and your access has a TTL).
Sorry, I meant in an actual corporate (ie, Windows) environment, not conceptually.
My solution is: don't use AD for anything privileged in production, route all privileged operations through SSO auth and have the operation executed by servers in production. Separate corp and prod. Add a zero trust layer so that every single privileged operation involves an auth challenge (which can be assisted by an OTP dongle so that users aren't required to re-key their passwords multiple times per 20-ish hours).
You use PIM: https://learn.microsoft.com/en-us/entra/id-governance/privil...

Basically you are eligible for your admin roles but you have to activate them first. Usually there are additional checks + notifications to other admins. These permissions are also only available for a set amount of time and then you will need to re request them :)

I don't understand the point of PIM. If some malicious actor has my token or controls my PC then what's stopping them from PIMing?

Seems to me like it wastes my time more than anything else.

Good question actually! There are multiple layers that add to the security:

- Your login session as a user is normally valid for a day (~10 hours). But a pimmed session that gives you global admin permissions can be for example capped to max 1 hour.

- A normal login as a user can just require login + mfa. But if you want to PIM to certain admin roles you for example are required to use your yubikey as well. Yes it's an extra step but if your account is hacked they only have access to you as a user and not you as an admin unless they also capture your security key.

Also it creates some additional awareness for admins that they are now handling the keys of the kingdom and that the role that they just activated can do a lot of harm. In some organizations users get an admin account without fully understanding the consequences.

- It is way easier to audit. In normal circumstances a user's admin permissions are "always on". Once you start using pim you can also audit when and where additional permissions where requested. This is especially handy when you are monitoring everything and you get an alert saying "Hey sfn42 just requested global admin from a location that they normally do not request this. Can you look into this to make sure that it is legit?" With always on permissions this becomes way harder.

- Easier to manage via groups. You can have groups tied to eligible permissions and subsets of permissions. This is really handy once you start having external consultants who can request permissions via IGA (Identity Governance) policies.

Basically consultants can go to a url (https://myaccess.microsoft.com/) and request an "access package" that might contain 1 or more roles.

For example somebody who has to audit certain items in our organization can request a package that contains the needed admin roles and get automatically added to the correct groups. Once they request that package we can have automated processes (with multiple stages if needed) that first contact the teamlead of that person, and later on maybe another group of person(s) to approve that access.

These groups have access reviews done by the security team / app owner (weekly/monthly depending..) to make sure that all accesses are still needed. It is also really easy to let these permissions expire. So our auditor will have a valid account for the entire year but will have to re-request their permissions every 3 months (or whatever we choose).

This is also _really_ easy to audit :)

- When someone in our security team requests a role the rest of the team automatically receives an email so we know what is going on with our collegues :)

Thanks for the response! You pretty much just described exactly how it works in the organization I work for, as an outside contractor.

But PIM has a max duration of 8 hours and does not require additional authentication like yubikey, it doesn't even require that I authenticate again with my regular MFA login.

In practice everyone just writes what amounts to nothing as their reason. We literally write our team name.

It's also badly set up so all kinds of bullshit like viewing application logs requires PIM and nobody really knows how it works so we just request all the roles instead of considering which one we need because it's all just a big box of magic that few people actually understand. And we do so pretty much every day because we always need to do something in Azure.

So with the way we use it it still seems pointless to me, even with your explanations. Maybe we get some small benefits from it but for the most part it seems like security posturing to me.

In my company the official policy is that nobody but the admins gets administrator privileges. If you need them the workflow is that you go to IT and they do what is necessary. Or they just might say no. People had to complain that makes work impossible for them and will cost the company a lot of money so that they got exceptions -- but only after escalation to upper management.

I think this was a security directive that came from the top.

Maybe if you work at a unitary company with a narrow scope of work. If you have to login to external systems belonging to other organizations, or have terminals for external systems in your facility, unitary identity is not an option.
Having a centrally administered password manager is usually an option, unless there are regulatory reasons not to.
I can't get a few of my clients to adopt password managers and they get logged out of their accounts constantly because an employee will change some password to an account the business depends on. These people want to suffer and roll around in fetid filth.
> If your company has multiple things you need to log in to, its doing something wrong. Having company-wide single login system is really critical for good security.

It absolutely is, but it is only applicable to large corporations and won’t help any SMBs. The issue is that this functionality via LDAP/SAML/OODS is frequently locked behind enterprise subscription tiers that usually represent an extremely high markup over other paid tiers.

Even in larger corporations, it often not possible to have SSO everywhere. We have multiple „shadow IT“ subscriptions for services that only our team uses. Most of them don’t offer SSO functionality, even for those who do a user base of 5 people is not going to be sufficient to have someone from the responsible departments deal with it. So we have passwords

FreeIPA and Authentik works pretty well for me, I did some of this for my self with terraform for fun. Personally I don’t think it’s viable SMB who can’t hire a couple of sysadmins.

But the documentation for FreeIPA is especially good. Personally wouldn’t use samba as windows DC, but one legacy windows server license seems reasonable if you are having a few hundreds of employees.

In a previous job we’ve done Windows DC + Azure AD + FreeIPA + FreeRadius just fine, the entire setup is not super complicated, but still a headache. I think nowadays most of the thing can be terraformed so it could be easier and more scalable for growing SMBs.

Oh absolutely, I am not talking about the provider side. Sure, it is not trivial, it is doable to set up a central directory and maintain it for relatively affordable.

The problem is with the software you are using. A lot of SaaS software has the connection to an SSO provider locked behind an enterprise tier.

Take Figma as an example. Their Pro tier is 15€/mo, their Organization tier is 45€/mo. A 3x markup for the lowers tier that supports SSO. And that is among the more reasonable prices. I’ve seen markups of 10x for an enterprise tier that is essential a pro tier + SSO.

That is why (e.g.) we chose grist over nocodb.
>36% use the same credentials for personal and professional accounts

Does Big Tech even allow multiple accounts? When watsapp asks a phone number to register, what do you type?

You don’t work in IT.

Unless you’re paying for Okta and Office365 and Workspace, you’re only getting maybe 70% of systems _you know about_.

And don’t get me started on automated provisioning or deprovisioning.

> If your company has multiple things you need to log in to, its doing something wrong.

It is inevitable. The SSO tax is often very high and for some products very difficult to justify. And then of course the large tail of smaller vendors that just don't support any SSO period.

> Normally sharing passwords should be harder than not sharing

Talk to marketing, they all share passwords to all the company media accounts because it is often the only way, those vendors don't support anything else.

All the time I've worked in security I've seen that detection beats prevention because of this reality, nice to see some studies on it.

(This is why we built https://crowdalert.com, amusingly)

When I was at MS, I wrote a detailed guide how to trick the central IT system into thinking that your machine had the antivirus software running when it did not. It eventually, years later, got forwarded back to me as some sort of underground currency (with my authorship removed).
I was reasonably impressed by MSFT IT when I worked there. I was primarily a BYOD Mac user and only had to deal with IT two to three times over the course of 8 years. I took it for granted at the time because I came from the startup work where you're basically your own IT person. But other large companies after Microsoft clearly demonstrated to me that Microsoft is on top of their shit and the average is fucking terrible.
This was in the 90s, other than the AV issue, they got high marks from me. I even had a linux and freebsd machine running attached to the corp net with no issues, they did not touch MS infra. The average is indeed terrible.
It is always: security = 1/convenience

And there are lots of confounding factors.

Staying up-to-date with security updates might also mean you get breaking updates, or updates that have counterproductive changes, or downgrade your capabilities or privacy. and why do updates take so long to apply?

also password re-use? sso can fix this. (but if you have to automate things, companies have a varied track record on credentials)

I’m amazed how we have widely available biometrics in the consumer space (anything Apple with TouchID or FaceID) but not in the realm of business where security is far more critical.

A rational market observer would have assumed biometrics would have replaced antiquated passwords years ago.

Feels like this is a solved problem but Microsoft having a monopoly over business computing and software and there being no agreed upon standards for biometrics hardware is holding us back.

You still need to create a password. And since nearly always the biometric option doesn’t replace the password, it’s a moot point.
But that’s my point. Why use passwords at all.

If we’re okay using our face to auth into all mobile apps (business, personal or otherwise) and also to auth into the country every time we fly into it, why not just move towards making it standard.

>If we’re okay using our face to auth

I'm not! If this sort of thing becomes standard, I will become digitally amish.

Until you get into an accident and your face is covered in bandages or something and the computer wont let you in.
> A rational market observer would have assumed biometrics would have replaced antiquated passwords years ago.

Some people prefer that their passwords not be public information.

In the US, passwords are protected by the 5th Amendment. Face and fingerprint are not. Police can make you unlock with those methods with no repercussions.
Seems like we should update that.
Can we not just make a password prompt which is two 8 digit TOTP codes concatenated together (each having different shared secrets)? Why must we use biometrics, SMS, and proprietary lock-in solutions?

Also, the recent Salt Typhoon revelations need to be screaming at you: Chinese intel (and probably others) can likely access SMS codes without hijacking the number, and that it's probably not far out of reach from criminal gangs considering foreign policy jockeying lately.

Phone verification is dead. Also, everyone should be adopting something like SimpleX (plus Orbot/Tor) and get away from unencrypted normie networks. If before it was just to reduce metadata footprint because data sells, now it's because you could be vulnerable to international criminal organizations which have access just as intimate as Salt Typhoon to US public comms infrastructure.

F***! Odds CISA gets funding cut under new admin? I could use a new job...

> A rational market observer would have assumed biometrics would have replaced antiquated passwords years ago.

Why ? I don't want my picture stored on MS' servers every day.

I don't understand why most password manager software that's being used in Enterprise and even targets that market specifically does not have the most basic features that people need.

Sharing passwords to external company accounts is essential for a marketing department, for example. Yet the proposed solution is to use an Android device for that. Good luck recovering that after an attack.

Password policies in Microsoft ADS systems are so broken that they have to change their password every 3 months for no reason whatsoever, effectively making all passwords predictable because the chance of someone using <year/month> or <month> as a password suffix is guaranteed.

Let alone the old messed up SAP systems everywhere that are abused as a login database. SAP doesn't even support special characters, and the max password length is 9 characters (10 if you count the # that is used as a hack to implement MFA). They are so crappy that the password always is set by an external rented plugin that updates all passwords in an interval with password#token. And yes, this also kind of nullifies the token's initial purpose as a secondary system.

Then there's stupid policies that logout a session every 5 minutes, while people need to use a program for hours on end. While also having a single button to relogin in an external window, in a program that is made in 90s Perl or Java.

And then you are wondering why employees reuse passwords if the state of systems is _that_ close to being pwned? Really?

> I don't understand why most password manager software that's being used in Enterprise and even targets that market specifically does not have the most basic features that people need.

> Sharing passwords to external company accounts is essential for a marketing department, for example. Yet the proposed solution is to use an Android device for that. Good luck recovering that after an attack.

Not really. We likely wouldn't allow a marketing tool that couldn't integrate with auth standards. Which is why we have dozens of systems integrated together with one identity and SSO between everything. It's the companies that make dozens of exceptions from their auth standards that have to deal with this password sharing nonsense and security nightmare. Password sharing is a Bad Idea even if sometimes it's the most expedient.

My biggest pet peeve is when the platform forces me to add certain special characters to my password, then I need to write down my altered password and put it on a post-it note on my desk to remember it.

My other pet peeve, with a password manager, is when I forgot my master password and I need to reset it, but then my password manager sends the reset link to my email inbox; which I cannot access since its password is itself inside my password manager (true story).

Thankfully, in that second case, I eventually managed to guess my email's password. I couldn't guess my master password because it required too many weird characters which I couldn't recall. Good thing I didn't let the password manager generate the password for me!

It reminds me of another topic regarding how most software tends to assume that you are a billionaire and everyone is trying to hack you or spam you... Also, like how Gmail hides my newly received emails underneath some weird accordion menu as if my inbox is so full of emails that I couldn't see all of this month's emails in a single view.

Why would you need to write your password on a post-it note if you use a password manager? Also, why would the note need to be specifically "on your desk"? If I really had no other choice than writing down a password, I would keep it in a more subtle/hidden place (my wallet, or my phone case, or in my locker). That's still not secure against a targeted attack, but I wouldn't be the lowest hanging fruit at least.

Also, if you are able to reset the master password of your password manager, then something is seriously wrong with the solution your company uses.

Advice for a good and rememberable master password: use a passphrase. 6 random words are easier to recall than lots of characters. Throw in one number and one capital letter in two random places (replacing o with 0 or i with 1 is not random, neither are start and end of words), use a special character as words separator, and you got an easy to remember password that checks all the security requirements.

Heck, even using a line or two from the lyrics of a song you know (but obviously not your favorite or the one you sing every morning) is easier and better than most passwords. Some time ago I used the first line of "Toxicity" by System of a Down, when I didn't have the time to craft a good passphrase. Checks all the marks (special chars and numbers included), and was not anymore guessable than a random passphrase during the short time I used it.

I only use a password manager on my work computer because my boss forces me to.

I find your question more surprising! Why would you use a password manager voluntarily? It's a torture device. I use it because my paycheck depends on it. What's your excuse?

If I care about a service, I care enough to remember the password. Everything else might as well be a post-it-note on my desk... Though I prefer a simple one-word password that I can easily remember.

Why would a password manager be a torture device? The effort needed to remember hundreds to thousands of passwords sounds way worse.

That last paragraph sounds like you're the type of person that has caused security problems in the past.

Most renown password managers are well integrated, making their use (usually) easier than just typing out a password. There's a good chance your company chose a outlier, or that the company or yourself don't use it correctly (and training employees to use the mandated tools is not always obvious to companies). This with the resettable password makes me think your company should really think again about which solution they chose.

I use a password manager in my daily life because I have 3 e-mail accounts, two domains, a cloud service not tied to any of my E-mail accounts, two banking accounts and the need to sometimes log into my wife's account (because she asks me to while she's at work), one PayPal account, and other services for which I wouldn't dare to write down the password to, nor would I dare to use the same password (or slight variations) for them. Using a password manager makes all of these easy to use at the click of a button, without me needing to remember any.

Post-it notes get lost, thrown away, burn, suffer water damage, and are bothersome to copy for backup purposes. Online password managers take care of backing up the DB for you, or if you don't trust them, offline solutions as pass or KeePass (and variations) let you backup the DB on offline drive and store them safely while you continue to use the main DB.

What's your excuse?

So that you can have secure and unique passwords for every site. It's pretty simple really. Prevents people from doing stupid things like putting their passwords on sticky notes for example.
> If I care about a service, I care enough to remember the password.

Wait, no; you just said,

> My biggest pet peeve is when the platform forces me to add certain special characters to my password, then I need to write down my altered password and put it on a post-it note on my desk to remember it.

So can you remember passwords or not?

> Though I prefer a simple one-word password that I can easily remember.

See, that makes it sound like you can't remember secure passwords and just want to use insecure passwords.

I work at a large software company and recently documented the number of steps it takes me every morning to fully log into every system I need for work. I stopped at 37.

And every year in response to all the breaches in the news the company spends more money to hire another security team who simply pile on another redundant layer on top.

The industry has jumped the shark when it comes to IT security. It's the corporate equivalent of spending tens of billions of dollars on the TSA and making everyone take their shoes off at the airport. Meanwhile someone with intent can stroll into JFK, casually bypass all security checkpoints and get on a plane to Paris without a boarding pass.

I work for a large consulting company (300k+ employees globally) and 99% of our internal resources are all secured by Ping. One identity and MFA app. SSO between just about everything. The client I'm currently working for with that company has all of their auth handled by Entra. All their internal docs, their azure subscriptions, their gitub repos. All the same user identity. Shit IT isn't inevitable. It's a decision, or often lack of a decision and result of "organic" growth.
Same here. We had a very fragmented landscape (multiple idp tools, some tools using internal users,...). We consolidated everything to entra (450 apps and counting) and everybody couldn't be happier. Full sso on everything + scim where available.

We do offcourse have conditional access + PIM for admins but that is to be expected.

You just need a good strategy on how you are going to tackle IAM and then just stick to it.

Security is usually defined as confidentiality, integrity and availability. (Not in order of importance, just to spell “CIA”).

If it takes that long to log in, the system is not available, and therefore insecure. Full stop. The security team responsible for that setup should be fired.

In related news, I’ve been watching old murder mysteries from the ‘60s.

Typical plot points include the fact that you can decide to fly from Los Angeles and arrive anywhere on the west coast with in 2-3 hours because the planes leave every 30 minutes.

Why wouldn’t you just walk up to the gate and buy a ticket?

Why do we put up with this TSA bullshit?

That's security theater. Some decision makers want to "see" it's secure, so that's what some "security" people sell. If I was doing consultation for your employer, I'd tell them that's insane and that they will only push people to circumvent security instead of embracing it.

Others made good points, a decent SSO is the way to go.

(Ironically we also have an internal system that's equally degenerate and mostly a shitload of useless theater; it's secure of course, but there are a few pointless layers stacked on top of what makes it actually secure)

Why is the company hiring a new security team each year? Where the ownership and strategic thinking?

Sounds like your organisation is extremely dysfunctional, and the ridiculous security you have is a symptom of that. None of that is inevitable.

Nor is it uncommon though.. That description sounds very familiar.
When I worked at a large bank they blocked ChatGPT on the network. Unfortunately I was a new grad who didn’t know Java working in a Java team. I just turned off the vpn and copy pasted the code back and forth until it worked. Boss didn’t seem to mind. Left the job after 2 months anyway.
> I was a new grad who didn’t know Java working in a Java team

All the more reason not to use ChatGPT then.

(comment deleted)
AviD's Rule of Usability: "Security at the expense of usability, comes at the expense of security."

Security companies should have more focus on the usability aspect of their product. Some of the enterprise products you see today are just plain bad in terms of UX/UI, and funnily enough, they aren't getting called out since they're only used in the workplace/closed groups.

this is why i have a problem with flatpacks. i’ve tried using an immutable distro with flatpacks and it’s made me want to disable every flatpack security measure because it’s even harsher and less usable than macos’s sandboxing. i don’t know what their goal is but it’s definitely not usable if i can’t connect 1password to my browser or i struggle to get steam to access another drive
Yeah there's a certain amount of effort most people are willing to put in to do something. If it's too high, it won't happen. Yet at the same time a certain baseline is needed to not end up being low hanging fruit for attackers.

I've also seen this, especially in security tools. The usability is often straight out of the 90s which keeps me wondering, who uses this voluntarily?

> Device Security Gaps: 36% delay installing security patches on personal devices used for work, exposing critical applications to exploitation.

> Personal Devices: 80% of respondents access workplace applications from personal devices that lack security controls.

I thought the BYOD fad was over. If cybersecurity is vital to your company, your users shouldn't be allowed to use personal devices for work.

100% agree, just that sometimes not every company has the resources or inclination to do that. The best middle ground is some kind of solution that allows the security team to "manage" personal devices in some way.
>>>The best middle ground is some kind of solution that allows the security team to "manage" personal devices in some way.

No thanks. I'm not compromising the security of my personal devices to save my employer a couple hundred bucks a year.

> The best middle ground is some kind of solution that allows the security team to "manage" personal devices in some way.

Oh that is the "best" "middle" ground, is it? Are you sure?

Why should anyone bring their personal device just because the company is to cheap to buy a few phones and then have them basically owned by their IT anyways? Do you realize how crazy that is?

You might want to think about that one again.

Every SMB can afford a few cheap phones for its employees, MFA apps dont need flagship hardware. If a company can't, maybe it shouldn't be in business anyway.

If your measures include stuff like the password manager, which I need to use constantly, being set up to log me out every two minutes "for security purposes", you're damn right I will try to find a way to circumvent it. Each time you log me out it takes me a full minute to log back in, because I need to take out my phone and do the whole 2fa dance all over again. The first step anyone does is to log in to the password manager, and copy all the passwords they'll be needing for a while into notepad.
Study finds that 65 % of employees bypass cybersecurity measures in companies with terrible cybersecurity practices? Shocking.
We literally have otp in a secure VM. If someone’s already in our secure VM, logging into a random software package is the least of our worries.
My company runs servers in Alibaba Cloud and blocks access to the Alibaba Cloud API endpoints on the grounds that they're in a high risk country.
Do IT/cybersecurity professionals really expect people to Work To Rule? This is a basic and effective corporate sabotage technique.