Wednesday, September 24, 2008

On Becoming What We Hate

As one of the "Security Guys" for a major corporation, a lot of my work centers around keeping the bad guys outside our network from getting in and mucking things up.
The sad reality of my function is that keeping hackers out is only a percentage of my total work.
The bulk of my work is to keep users, our own stupid users, from breaking stuff accidentally or intentionally from the inside.
There are thousands of people in this organization with the capacity to really screw things up on our network and we, as part of their employment agreement, have just plugged them into our network on the inside. The hardest part of hacking is done for them.
The potential for an average user to break something which impacts someone else is still slight, though.
The real threat comes from the other administrators around me.
These people have access and the skill to break things on almost any scale, and they are subject to the same human weaknesses we all share -- lack of sleep, simple carelessness, or complete disregard for the suffering of others.
Mistakes happen, and that is largely unavoidable. The true danger comes in Admins just changing stuff for whatever reason, and we see that a lot.
The sad part is that in a lot of cases an Admin makes unauthorized changes in an attempt to relieve user pain, but good intentions still have to follow procedure.
In "the business" we refer to this as an Admin "going rogue", in part because he or she is acting outside the procedural environment and in part because it sounds totally bad ass.
As part of the transition away from our old and busted environment, the care and feeding of this old environment has fallen on my team, specifically two of us.
And it seems that all of the compliance issues from the past seven years suddenly have to be fixed. In the next month. Before we turn these servers off forever.
Now, since my primary role revolves around the new servers, I have limited time to set up complicated and compliant configurations on the old servers. Also, my rights to do so officially have not extended into the technical past the procedural. That is, I'm responsible for doing it, but my account still doesn't have rights. I've also got four hours per Sunday to do all of it.
Seven years' worth.
Every change needed has to go through a review board for approval.
No one even knows who the application owners are anymore.
Just researching that has taken eight months and we still have gaping holes in that knowledge base.
The solution, unfortunately, is that my teammate and I must "go rogue".
We will configure things during the day using a generic account and push updates around the approval structure to just get the freaking things in place.
"Tech Ninja" has never seemed so appropriate -- or so dark.
