
Had one of these. All development through Citrix.

The security policy was draconian to the extent I’m sure it was well intentioned but led you to do things in the least secure way possible as it was the only way to complete a contract.

I.e. the servers on the other end running Windows 7 (in late 2019) were so old they didn’t have the required CPU instruction set to run some required software. Likewise input lag was extremely noticeable to the point you hit a key, wait one second then press again thinking something went wrong only to have to press delete some seconds later.

How did I deliver that project? Developed on my own local machine, emailed the artifact to the corporate email address obfuscated, log in to the corporate laptop, then Citrix, ssh the artifact up to the cloud EC2 servers.

That’s another one. The cloud EC2 servers. No public outbound internet, no internal trusted repositories. What was the accepted way of setting up the servers? Going to random internet sites, downloading random binaries to your Citrix account, scp’ing them to the servers. Trying to explain how stupid this is gets nowhere in organisations with thousands of people. When you mention trusted artifact repositories, immutable / reproducible builds, deployment pipelines the answer was we don’t have this as they didn’t meet security guidelines.

This was a tier 1 bank. Experience is the bigger the company the worse things are due to the size and different teams/departments being so disconnected.



The organization has externalized all the responsibility for the next breach to you, the individual contributor who is breaking security protocol to get work done.

When we little employees roll our eyes and say "this doesn't make sense," we're telling ourselves a comforting lie because the situation you describe DOES make sense- from the organizational perspective.

Management did everything their rules allow to make the computing environment safe, but you, the individual, hacked an unsafe circumvention into the workflow by finagling some personal website and using SCP. I bet none of that process is documented- and if it is, whoever made that documentation is now the responsible party and fall guy.


Get email approval, aka written documentation, of all process steps from people one step up on the food chain. Explain why it’s needed so they are squarely the decision maker.


> The security policy was draconian

The setup you describe sounds less like draconian security and more like a half-baked solution that confused usability hurdles for security. Just because security usually brings lower usability, it was probably (wrongly!) assumed that lowering usability will bring security.


Counterpoint at another Tier 1 bank.

The bank was using remote desktops over Citrix from HP workstations (thin clients). It worked really really well, including copy/paste.

If not for the initial login and Citrix log, I don't think it would be possible for a developer to figure out he is working on a remote desktop.



