Ask HN: How to make Enterprise Security not Suck?

[academia_hack]

My org is looking at getting past security audits for enterprise and government customers. I've got a lot of say in how we implement compliance but little say as to if we should do it. We're selling into a highly regulated sector looking at ITAR and CMMC and similar stuff.

Today, we're pretty much a BYOD shop (we buy new employees unmanaged laptops). People manage their own devices and we do colab stuff with Google Workspace. Developers love this because they don't have to "mother may I" IT for every tool and library.

There's a lot of pressure from our compliance lead to go with endpoint management, big corporate antivirus (e.g. Sophos), active directory accounts, kicking people off OSX to windows, etc. We've got an endless parade of MSP consultants and vendors trying to pitch $500k assessment and remediation packages as well and I'm worried leadership will bite and we'll end up developing on devices that can basically only open excel.

My worry is that this'll choke our product operations to death. Clearly we have to do something, but I don't want to go overboard. Everytime I push back I'm told that "security is important" (true but vacuous) and asked for comparable alternatives.

Have y'all experienced any small companies that get this right and strike a good balance?

[ericalexander0]

I've built security programs from the ground up at two companies and have worked in compliance/security/cyber/etc for over 16 years. I'm also a maker and an engineer. I understand how security/compliance side sees the world, and how engineers see the world.

I hate to say it, but security/compliance tends to cargo cult. They implement what's accepted by whatever compliance framework they need to achieve. PCI, FedRAMP, SOX, SOC, CIS, etc, etc.

Engineers want to break things down to components and understand why each component is required. AKA thinking from first principles.

Mixing the two is like oil and water. Security and compliance don't have in-depth explanations for why they need to do something, they just need to check a box, and they know how it's most often checked. They know "nobody got fired for buying Sophos/Windows/AD/etc". They can't explain it from first principles, nor do they want to take the risk of going outside of known solutions.

So how do you negotiate? The box they're trying to check is likely well documented. Ask to see the documentation for the requirement(s). From there you can propose alternate solutions that meet those requirements. Try to find examples of your proposal being accepted, so you don't run into the "nobody got fired for buying x".

[josephcsible]

If security is important to your org, then they should fire for incompetence anyone who says "let's force everyone to switch to Windows for security reasons".

Also, consider that all of those stupid "security" rules generally delay the rollout of updates, which often contain fixes for security vulnerabilities. I wish that companies would say something like "if there's ever a known vulnerability in something in production that a "security" rule doesn't let you immediately deploy the patch for, then said rule is immediately rescinded and may never be reinstated."

[cratermoon]

There are a lot of Voodoo Security Practices out there. Being able to check off all the boxes necessary for regulatory and legal compliance does not mean that an organization has good security. Many of those requirements are as useless as taking off your shoes before you go through security at the airport.

The important thing to know about the consultants pitching assessment and remediation packages is that their assessments will always end up finding "problems" that just so happen to be exactly what their $$$$ remediation product is built to address. The various assessments won't even agree on what might be wrong.

My suggestion, then, is to approach your leadership with examples of how the assessments are really sales pitches in disguise, and have no meaningful relationship to good security practices. Show them where the consultants are pitching their Voodoo Security and how it deviates from and takes time and money away from implementing good security.

[thesuperbigfrog]

>> Today, we're pretty much a BYOD shop (we buy new employees unmanaged laptops). People manage their own devices and we do colab stuff with Google Workspace. Developers love this because they don't have to "mother may I" IT for every tool and library.

BYOD may be fast and easy for employees, but it makes employees a ripe target for attacks:

https://www.securityweek.com/circleci-hacked-malware-employe...

https://www.zdnet.com/article/how-one-hacked-laptop-led-to-a...

https://www.pcmag.com/news/hacker-breached-lastpass-by-insta...

If your shop is serious about security, then more controls over BYOD are a must. That usually means no more BYOD or a more managed BYOD to ensure that there is no vulnerable software on employee devices.

[bob1029]

> We're selling into a highly regulated sector looking at ITAR

> Developers love this because they don't have "mother may I" IT for every tool and library.

And herein lies the friction. Someone is going to walk away from this unhappy. It's either going to be the developers or the compliance teams (and then the customers).

We are a ~10 person company selling software to US financial institutions. Really important software that is responsible for things like filling out legal documents that are not feasible for humans to review every time. For us, compliance/security is basically the #1 product feature. Clearly, with 10 people we don't have a lot of bandwidth for running audits or getting into disputes with our customers' compliance teams over whether or not a QA server's disk is encrypted and using the appropriate key rotation schedules.

What we did is decide to get all the way into the rabbit hole with Microsoft. Like 100% of the way. I know - many things they do really really suck - but the compliance offerings and industry perception they provide are nearly unbeatable (at least for our fintech customers). If you compose your product/service exclusively from components that are compliant [0], you will not necessarily be compliant-by-default but this is a hell of a lot better than any other starting point I've seen. AWS and GCP have similar offerings, but there are other considerations with these vendors for our business.

At the end of the day, making an audit easier is about proving you have less control and trust fewer parties than you would otherwise desire to. In our case, subjecting ourselves to actually having less control and fewer vendors was the best way to achieve this. When you can't touch or see things, compliance usually can't hold you accountable for them anymore. It really is a "game" and you can certainly play it to win.

To be clear - our day to day operations are wonderful. We don't have to screw with janky Citrix-style remote desktops and other security theatrics precisely because we are so aggressively using cloud native resources to prove that we are playing by the rules. Now, if you are a 100 or 1000+ person company, I think there are a lot of different things you could consider. Getting into bed with Microsoft at 10 employees was the only rational thing we could come up with.

Strategically, if you intend to do business with customers encumbered by ITAR, et. al., then you had better be prepared to radically shift your product technology to align with those compliance requirements. Following these rules really sucks but your ability to easily comply with them can become a serious competitive edge. Imagine your competitors willingness to sacrifice technological principles (i.e. "fuck Microsoft") in order to beat you to market. This helped cure me of my cargo cult tendencies pretty quickly.

[0]: https://learn.microsoft.com/en-us/compliance/regulatory/offe...