| ▲ | Spooky23 2 days ago | ||||||||||||||||
You don’t. You hire them for other lower priority roles, but they are inside the firewall. Most large organizations have an immature zero trust environment. Look at the Microsoft PKI breach. The adversary was able to compromise certificate services in a corporate dev environment and parlay that in accessing US government mailboxes in a supposedly isolated cloud tenant. Microsoft has a world class security practice. The average Fortune 1000 is toast. | |||||||||||||||||
| ▲ | stackskipton 2 days ago | parent | next [-] | ||||||||||||||||
Microsoft PKI was because they were not doing world class security practice. For some reason, consumer environment could sign corporate environment logins. Also, they acquired some company and instead of issuing them new hardware to ensure it wasn't compromised, they just let them onto their network. When you read the report, it was very clear that Microsoft wasn't doing "World Class Security Practice", they were taking shortcuts like everyone else does. | |||||||||||||||||
| |||||||||||||||||
| ▲ | impossiblefork a day ago | parent | prev [-] | ||||||||||||||||
But Microsoft doesn't take this approach at all. Their software is huge, with all sorts of things integrated into it and no focus at all on keeping the software small enough that one person can read it through with such care that it can be assured to be secure. They probably run their cloud stuff on processors that can reorder instructions and all sorts of things, whereas what I'm arguing for is simple computers, things that can run a text-only search engine and where the text editor is substantially simpler than nano. Where you decide exactly what your requirements are and make a system which solves that problem and nothing else. | |||||||||||||||||