
High-stakes security setups are making remote work impossible - Wowfunhappy
https://www.wired.com/story/high-stakes-security-set-ups-making-remote-work-impossible/
======
jupp0r
I think it’s completely sensible for critical infrastructure to be air gapped
and for people maintaining it to go into the office. This should be in the
same category of jobs that cannot do remote work as doctors, nurses, etc. that
just have to be on site.

This is not the time to do sweeping IT architecture changes.

That being said, I think lots of normal companies have horrible IT security
infrastructures that focus on compliance and covering people's asses in case
things go wrong as opposed to actual security. Those usually also make it hard
for remote workers (vs BeyondCorp), which is now coming back to bite them.

~~~
DyslexicAtheist
right now healthcare should really be considered _critical infra_ too.

~~~
jupp0r
I didn’t mean to imply it’s not (now or ever). I doubt that most healthcare
systems need to be air gapped though (actual medical equipment should be).

~~~
DyslexicAtheist
I didn't say you were :) my comment was just an additional complementary point
to yours

------
Glavnokoman
Most companies that I worked for and which had troublesome remote work setups
used the "security by obscurity" approach. The IT there were completely
incompetent and the only way they knew to make systems "secure" was to limit
outside access. And most of those crippled infrastructures were Windows-based.
As usual, there were exceptions though.

~~~
wutwutwutwut
At my employer the issue is the opposite. They don't value security so they
disable all firewalls, encryption, 2FA and everything else in favor of ease-
of-use. My concern isn't that people will have a hard time working from home,
my concern is that whatever malware they have at home is now also roaming the
company network.

~~~
loopz
Let's dig a huge gaping hole into that infrastructure with a VPN and BYOD. And
when it doesn't work, blame IT support for not properly supporting my dusty
old Windows XP installation. Sure.

What you want is separation, though for real work it quickly becomes
impractical. So there are special rules for something, and suddenly, everybody
is running on those not-so-special rules anymore.

IT security is still mostly about people and awareness at this point.

------
jcrawfordor
Most of the issue here is not features or limitations of VPN architecture,
it's the decision to completely air-gap certain systems, which is a common
practice in both government and industry with critical systems. Just e.g.
"doing BeyondCorp" does not address the problem that workers cannot interact
with an air-gapped system without being in the special room in the special
building.

------
dumbfoundded
How do security specialists think about this sort of risk assessment? Not just
for pandemics but anything that would make key people have to access these
systems remotely.

~~~
tptacek
I've done assessment work for utilities, exchanges, large health providers and
similarly regulated/sensitive organizations.

The risk decisions (implied or explicit) being made here are sensible. These
organizations simply aren't set up to operate in anything like a "BeyondCorp"
all-remote model.

The middle of a national crisis is the absolute worst time at which to try to
make sweeping changes to facilitate new models of work. In a very plausible
worst case, you end up with IT disasters that not only force people to work on
site, but force everyone to come in and work extra hours using paper and ad
hoc spreadsheet processes, while essential services are compromised for
customers.

The concern that "opening up" these organizations would pose security threats
isn't just sensible, it's obvious: most large enterprises are set up in the
same perimeterized model we used in the 1990s, line-of-business internal
applications are almost never hardened against attacks, and most internal
segmentation is handwaving; internal site-wide pentests never fail against big
companies.

~~~
bryan_w
Exactly, IBM consultants will still wrap an engagement today with unencrypted
telnet listening on all interfaces of your "AS400".

"It's not open to the world" is quite often justification for some really poor
security decisions.
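
The check a practitioner would run before accepting "it's not open to the world" as a control. This is an added example, not code from the thread, IBM or any AS/400 tooling: it parses constructed `ss -ltnp`-style listener output (a Linux listing is assumed here purely for illustration; the lines are made up, not captured from a real host) and flags cleartext services such as telnet and FTP that are bound to every interface, i.e. reachable from anywhere on the internal network.

```python
"""Flag cleartext protocols listening on all interfaces.

Added example: parses `ss -ltnp`-style LISTEN lines (Linux format assumed;
the sample below is constructed, not captured from any real host) and
reports services that anyone on the internal network can reach without
encryption. "Not open to the world" is not a control when the service
answers on every interface of the LAN.
"""
import re
import sys
from dataclasses import dataclass

# TCP ports whose default protocol carries credentials in the clear.
CLEARTEXT_PORTS = {
    21: "ftp",
    23: "telnet",
    80: "http",
    110: "pop3",
    143: "imap",
    512: "rexec",
    513: "rlogin",
    514: "rsh",
    5900: "vnc",
}

# Address forms ss/netstat print for "bound to every interface".
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Process name as ss prints it: users:(("in.telnetd",pid=812,fd=3))
_PROC_RE = re.compile(r'\(\("([^"]+)"')

# Constructed sample in the layout `ss -ltnp` prints on Linux (not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=400,fd=5))
LISTEN  0       511     [::]:22              [::]:*             users:(("sshd",pid=300,fd=4))
LISTEN  0       128     10.0.0.5:21          0.0.0.0:*          users:(("vsftpd",pid=600,fd=3))
LISTEN  0       128     127.0.0.1:80         0.0.0.0:*          users:(("nginx",pid=900,fd=7))
LISTEN  0       128     *:5900               *:*                users:(("Xvnc",pid=700,fd=6))
"""


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    address: str
    process: str
    severity: str  # "high": reachable over the network; "low": loopback only


def parse_listener(line: str):
    """Return (local_ip, port, process) for one LISTEN line, or None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    ip, _, port = fields[3].rpartition(":")  # IPv6 keeps its [brackets]
    if not port.isdigit():
        return None
    m = _PROC_RE.search(line)
    return ip, int(port), (m.group(1) if m else "?")


def classify(ip: str) -> str:
    """Where is this socket reachable from?"""
    if ip in WILDCARD_ADDRS:
        return "all-interfaces"
    if ip.startswith(LOOPBACK_PREFIXES):
        return "loopback"
    return "single-interface"


def audit(ss_output: str):
    """Return a Finding for every cleartext listener, network-reachable first."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        ip, port, proc = parsed
        service = CLEARTEXT_PORTS.get(port)
        if service is None:
            continue  # encrypted by default or unknown; not this check's job
        severity = "low" if classify(ip) == "loopback" else "high"
        findings.append(Finding(port, service, ip, proc, severity))
    findings.sort(key=lambda f: (f.severity != "high", f.port))
    return findings


if __name__ == "__main__":
    # Pipe `ss -ltnp` in to audit a live host; otherwise audit the sample.
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(text):
        print(f"{f.severity:4} {f.service:6} {f.address}:{f.port} ({f.process})")
```

Anything reported as "high" is the situation the comment describes: a credential-carrying protocol that every workstation, and every piece of malware on one, can talk to. The loopback case is reported separately because binding to 127.0.0.1 is the cheap fix when the service cannot be retired.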

------
bronzeage
It's interesting that preventing a cyber virus and a real-world virus are
mutually exclusive. Some things require connectivity; when it's virtual
connectivity you're exposed to virtual viruses, and when it's physical
connectivity you're exposed to real viruses.

~~~
happytiger
The only real network computer security is achieved by unplugging the network.
And even then...

------
rb808
> Staffers at power grids, intelligence agencies, and more often don’t have
> the option to work from home

Yeah I'm good with that.

~~~
PacifyFish
I'd like the power grid staffers to keep doing their jobs thanks very much

~~~
baobabKoodaa
They can keep doing their jobs... at the office.

------
battery_cowboy
I wonder how many affected organizations have begun to turn non-office space
into office space and shift work around? Imagine working at the NSA, you won't
want a few thousand people coming through security and stuff every day, so you
shift the work to be 24/7 and make people come in smaller shifts, then you can
put people in closets with good desks and lights and stuff to separate them.
If hospitals can turn non-ICU rooms into ICUs (I have seen them turn some
doctor's offices into ICUs recently, even) then why couldn't a utility or
secure organization do the same?

------
blablabla123
Availability is actually also a part of security, complementing privacy and
confidentiality...

------
time4tea
Back in the day this was done with a bunch of paired encrypted modems, and
multiple serial ports, getty, and ISDN-PRI are all probably still a thing...

------
k__
I thought zero trust is the only reasonable approach.

~~~
tptacek
This is a thing that people say because it's ideally true and an article of
faith among cool-kid practitioners†, but it is absolutely not the reality in
major enterprises, and wanting it to be the case doesn't make it so.

† _I agree with the cool kids that it's a good thing!_

------
Spooky23
These types of orgs just need to staff for this type of thing and have work
rules and facilities to manage.

------
bryanrasmussen
I was going to say "a Bond movie where the biggest threat to his life is
not being able to work remotely", but then that is generally the biggest
threat to his life all the time. I guess these problems here are the actual
ones that should be addressed in the Sam Altman investing in covid-19 startups
thread.

