Anyone allow elevated web-access admin tools outside of VPN for staff/managers?

We have a lot of sensitive admin tools that our IT Managers refuse to run through VPN tunneling-only services.

Some of them do not have MFA and access large controls databases.

Wondering if anyone is trying to recommend to their teams to offer VPN-only web services for said platforms and tougher MFA standards for web service access admin controls.

Our org just seems way too lenient on info sec and it worries me often, and too much.

No. Everyone must use VPN and MFA, period and no exceptions.

Sounds like a shitshow if IT admins are actively pushing back against MFA/VPN for critical access. Someone above them needs to drop the hammer that that’s a hard requirement. Which means you have to convince someone above them that that’s a hard requirement.

It should be a signal that companies like Microsoft are forcibly making such security requirements mandatory for admin-level access in their tooling.

So, slightly different opinion. Require VPN? No, we don’t do that. “Zero Trust” means that we have web access portals without VPN.

MFA? 10000% required. You won’t get past the oauth login without it.

Managed devices? Yes, MDM (Jamf) is used to control company devices.

Take a look at Zero Trust portals like Cloudflare Warp or Cloudflare Access. Or if you really want to home grow it, oauth2-proxy or Pomerium.

Does your company have a CISO? You know… the one who’s going to jail when the company is compromised…

Absolutely not. VPN only for nearly all of our on-premises stuff and MFA for basically everything else. MFA is getting ready to require YubiKey or similar.

Rproxy via MDA, regular MFA (particularly during elevation), auditing therein, etc - can be trapped elsewhere and funneled back into the automation and you can just go back to work.

Yep, my cousin, it’s working construction

I’d allow reverse proxied traffic that gated access behind SSO/MFA.

We don’t require a VPN; in fact we’ve mostly killed ours. But we require MFA for all employees, full stop, period. And people with particularly sensitive access (production databases, ScreenConnect, etc.) are required to use Passkeys/FIDO auth.
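Added illustration (editor's example, not code from any poster or from oauth2-proxy, Pomerium or Cloudflare Access): the access decision an identity-aware reverse proxy makes for the "no VPN, SSO + MFA, managed devices" model described above, with the step-up to phishing-resistant (FIDO/passkey) factors for sensitive apps that the later post requires. It assumes the OIDC token has already been signature- and expiry-verified upstream, that `amr` uses RFC 8176 method names (which values a given IdP emits varies, so the sets are configuration), and that a `device_managed` claim is injected by the MDM integration; the hostnames and claims are constructed placeholders.

```python
"""Policy check for an identity-aware proxy (added example, not a poster's code).

Assumptions (not from the thread):
- The OIDC ID token was already signature- and expiry-verified by the proxy's
  OIDC library; only its claims are evaluated here.
- ``amr`` values follow RFC 8176 names ("pwd", "otp", "hwk", "sc", "mfa",
  "swk"). Real IdPs differ, so the method sets below are configuration.
- ``device_managed`` is a placeholder claim populated from MDM (e.g. Jamf).
"""
from dataclasses import dataclass

# amr values that count as a second factor at all (assumed configuration)
MFA_METHODS = {"otp", "hwk", "sc", "mfa", "swk"}
# amr values that count as phishing-resistant: hardware-backed key, smart card
PHISHING_RESISTANT_METHODS = {"hwk", "sc"}

# Per-application policy table (constructed sample; hostnames are placeholders)
APPS = {
    "wiki.example.internal": {"tier": "standard"},
    # e.g. the admin UI in front of a controls database
    "admin.example.internal": {"tier": "sensitive"},
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str  # written to the audit log for allow and deny alike


def evaluate(host: str, claims: dict) -> Decision:
    """Decide whether an already-authenticated session may reach ``host``."""
    app = APPS.get(host)
    if app is None:
        return Decision(False, f"unknown application {host!r}")

    amr = set(claims.get("amr", []))
    if not amr & MFA_METHODS:
        # Password-only sessions never pass, regardless of app tier.
        return Decision(False, "session has no MFA factor in amr")

    if not claims.get("device_managed", False):
        return Decision(False, "device is not MDM-managed")

    if app["tier"] == "sensitive" and not amr & PHISHING_RESISTANT_METHODS:
        # OTP/push is not enough for the sensitive tier: require FIDO/passkey/smart card.
        return Decision(False, "sensitive app requires a phishing-resistant factor")

    return Decision(True, f"allowed {claims.get('sub')} to {host} via {sorted(amr)}")


def audit_line(host: str, claims: dict) -> str:
    """One log line per request, so denials are visible to the SOC, not just users."""
    d = evaluate(host, claims)
    return f"{'ALLOW' if d.allow else 'DENY '} sub={claims.get('sub')} host={host} reason={d.reason}"


if __name__ == "__main__":
    # Constructed sample sessions
    samples = [
        ("wiki.example.internal", {"sub": "alice", "amr": ["pwd"], "device_managed": True}),
        ("wiki.example.internal", {"sub": "alice", "amr": ["pwd", "otp"], "device_managed": True}),
        ("admin.example.internal", {"sub": "alice", "amr": ["pwd", "otp"], "device_managed": True}),
        ("admin.example.internal", {"sub": "alice", "amr": ["pwd", "hwk"], "device_managed": True}),
        ("admin.example.internal", {"sub": "bob", "amr": ["pwd", "hwk"], "device_managed": False}),
    ]
    for host, claims in samples:
        print(audit_line(host, claims))
```

The point of the per-app tier table is that "MFA for everything" and "FIDO for the sensitive stuff" are one policy with two thresholds, enforced at the proxy rather than per application, so an admin tool without its own MFA never sees an unauthenticated request.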

Either that or a VDI to get access and MFA for auth.

Change Healthcare was at the center of one of the world’s largest breaches because a Citrix Gateway didn’t require MFA. Their CISO was, in response, reassigned to “Chief Restoration Officer”. That’s the norm. Where do people get these “going to jail” claims from?

This. Also, might be time for training including top management to push the importance/business impact of all this. If IT doesn’t buy in, it’s going to be hard for them to uphold the same standards across all other users.

I worked for an MSP during the ProxyLogon attacks. Me showing an extreme uptick in upload data from our Exchange and client Exchange servers, combined with me decompiling the relevant shellcode, proved well within reason that our data and client data had been uploaded to the command and control server. We had a law firm ask if we were affected and management told everyone to ignore her email. The entire company planned (and I assume did) on hiding the fact that we were compromised from our clients. I ended up quitting after calling their behavior criminal. I reached out to various channels in the government to see if there was recourse. There was not; what they did was not criminal. Three years later I’m jobless and they give security conferences to medium and small businesses in the Vancouver area where they teach best practices on how to secure your company from cyber threats. Careful what hill you die on.

I’m very sorry that happened to you - but nothing about that is surprising.

Before working with them I had worked for a company in Surrey that was owned by a fella whose legal team was run by his lawyer sister, and he was always ranting about how they could get sued for x because of “failure to protect”, and many companies before that were very serious about security. I’d assumed there were some sort of protections in place and they couldn’t just lie like that. My overall point is, if you see the company doing something wrong, advise them, get it in writing and then move on with your life. It isn’t worth losing your job and you just end up looking like an ass. Something I’m sure you already know, but I’m just throwing it out there for everyone else who doesn’t, to learn from.

Agreed, this sub likes to believe companies have to do what some sysadmin talking about security demands, but it’s not the world we live in.