Tuesday, April 21, 2009

I Find Your Standards Unacceptably Low

We have a set of servers which must be kept up to Department of Defense standards at all times.
If compliance slips, horrible things happen. The details of this horribleness have never been spoken aloud. Nor should they be.
The threat is omnipresent regardless of details.
We have another set of servers with security requirements not spelled out by the government. We can do what we want there, within reason. This was the first group of servers we built to replace the most disgustingly screwed up bunch of broken servers when I started.
Since we had no directive from the Department of Defense, I put them in according to my own ideas of security.
Users have no rights to the local drives. They cannot view the registry. They cannot open a command window. They cannot right-click.
These specific guidelines do not exist in the Department of Defense guidelines. As a result, they are not configured on those servers, even though security is technically tighter.
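For readers who want to see what that lockdown looks like in practice, the following PowerShell is an added example, not code from the original post. It writes and audits the per-user Windows policy values that Group Policy sets for exactly these four restrictions (hidden and unbrowsable local drives, no registry editor, no command prompt, no right-click menu). The function names, the `$Lockdown` table and the `-Remove` switch are this example's own assumptions; the registry paths and value names are the documented Windows policy locations that Explorer, regedit and cmd.exe honor.

```powershell
# Added example, not from the original post: apply and audit the
# published-desktop lockdown described above. Run as the user being
# locked down (HKCU), or push the same values via a loopback GPO on the
# terminal server. Function names and the -Remove switch are assumptions.

$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$CmdKey      = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$AllDrives   = 0x3FFFFFF   # 26-bit mask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:

# One row per restriction the post lists. DisableCMD = 2 blocks the
# interactive prompt but still lets logon/batch scripts run; 1 blocks both.
$Lockdown = @(
    @{ Key = $ExplorerKey; Name = 'NoViewContextMenu';    Value = 1;          Why = 'no right-click menus on desktop/Explorer' },
    @{ Key = $ExplorerKey; Name = 'NoDrives';             Value = $AllDrives; Why = 'local drives hidden in My Computer' },
    @{ Key = $ExplorerKey; Name = 'NoViewOnDrive';        Value = $AllDrives; Why = 'drives refused even when typed as a path' },
    @{ Key = $SystemKey;   Name = 'DisableRegistryTools'; Value = 1;          Why = 'regedit/regedt32 refuse to start' },
    @{ Key = $CmdKey;      Name = 'DisableCMD';           Value = 2;          Why = 'cmd.exe refuses to start interactively' }
)

function Get-LockdownState {
    # Audit: compare what the hive actually holds with the expected value.
    foreach ($p in $Lockdown) {
        $actual = $null
        if (Test-Path $p.Key) {
            $actual = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        [pscustomobject]@{
            Policy    = $p.Name
            Expected  = $p.Value
            Actual    = $actual
            Compliant = ($actual -eq $p.Value)
            Effect    = $p.Why
        }
    }
}

function Set-LockdownState {
    # Apply every policy as a REG_DWORD; -Remove clears them again, which is
    # all the "his own server where he can do what he wants" exemption amounts to.
    param([switch]$Remove)
    foreach ($p in $Lockdown) {
        if ($Remove) {
            Remove-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
            continue
        }
        if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        New-ItemProperty -Path $p.Key -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

# Usage:
#   Get-LockdownState | Format-Table -AutoSize   # audit first
#   Set-LockdownState                            # apply; takes effect at next logon / Explorer restart
#   Set-LockdownState -Remove                    # lift the lockdown for an exempted user
```

One caveat a practitioner should keep in mind: these are shell policies, enforced only because explorer.exe, regedit.exe and cmd.exe read them. They hide drives and disable tools; they do not change who may touch the files. PowerShell, a renamed cmd.exe, a file-open dialog or any third-party shell ignores them, so on a server that actually matters they belong on top of NTFS ACLs and an application allow-list (AppLocker or Software Restriction Policies), not in place of them. That is also why a written standard such as the DoD one tends to mandate the ACLs and not the menu-hiding.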
This company is big. Officially it is the largest employer in the state. The data center is the largest in the state and in the top 2% globally.
There are also many, many levels of management. The CIO is so far removed from my group that only one guy I work with has ever even seen him. To say that there is no direct line between my group (or any I.T. group here) and the CIO is not exactly true. It is just that the line in question crosses half a dozen firewalls and a DMZ.
This is why I was surprised on Monday when my team lead burst into my cubicle before coffee and said my manager needed me in his office immediately since the CIO had an issue with me, personally.
See, once upon a time the CIO didn't like having individual applications published to him. In the old servers, he got a published desktop which looked just like his own.
When the applications were migrated, so was that published desktop.
The issue turned up when he logged in and couldn't do anything with that desktop because of the security measures I had put in place just because I liked them.
The first words I ever heard the CIO say were over my boss's speakerphone: "You said that self-important jerk who took away my rights on the server was here -- Where is he?"
My manager said, "He just walked in."
Oh. So I'm a jerk right from the start. To the CIO. Where do I go from there?
I got a "Shush" gesture from my team lead as I was starting to ask exactly what access he was missing, even though I had guessed exactly what the access was already.
I was asked exactly why I had over-hardened servers people needed to do work on.
I was able to reply that the servers were hardened according to industry standard best practices. I also offered to set up his own server somewhere where he could do what he wanted. I'm all about security, but the government doesn't care about the network I'm putting that server in and I enjoy getting paid.
The CIO seemed satisfied and hung up, leaving just a Director on the phone with my manager.
"I'm going to see if I can get that Post-It note off his desk now," the Director said.
"Post-It note?" I have no idea why I asked. I wasn't even sure it had actually been out loud until I saw my team lead gesture wildly about something. It was actually a full-body flail.
"Yes, Garrick," the Director explained, "When he asked who was responsible for the security on his server the CIO was given your name. Traditionally, he writes down names he collects on Post-It notes which he sticks to his desk for follow up. You do not want to be on one of his Post-It notes."
"Can I have it?" Before coffee, I have less than no impulse control, internet.
The Director, to his credit, laughed as he said, "If you want to get into his office and get it yourself you are welcome to it."
I turned to my manager, who ended the call and gave me a look.
"No, I will not give you a PC repair kit and send you into the CIO's office to collect a Post-It note with your name on it in his handwriting after you engineer some kind of issue with his machine. Please just set up his access and make sure he doesn't call again."
As my team lead and I walked back to my desk, I asked him how my manager knew what I was going to ask for.
"You're starting to get a reputation around here."
