After self hosting several services for a few users, with SSO, backups, hardware issues etc, I really appreciate how good the IT was in my old company. Everything was connected, smooth, slick and you could tell it was secure. I had very few issues and when I did, they were quickly solved. Doing this all at scale for thousands of employees spread across the world, it is a wonderful sight to see.

Now at my current company, it’s at the opposite end of the scale where I almost believe that I could do a better job by myself! They’ve trying to do everything you would expect but somehow doing it wrong. They are so heavy on security I have a Citrix environment that takes me 3 logins to get to, fails constantly and means I can’t work without internet (like on a long train journey for work purposes recently), and on the other hand they’ve only just turned off admin rights for users so we could’ve installed anything we wanted!!! All our attachments (incoming and outgoing) are saved to a secure website (like OneDrive) and replaced with a link. It doesn’t save the file names on the email so it’s really tricky to find old emails if it’s a document you’re looking for. I could go on but just venting at this point as it’s so frustrating!!!

Thank you to the good IT people out there. Your roles are so important but not appreciated enough!

  • 𝘋𝘪𝘳𝘬@lemmy.ml
    link
    fedilink
    English
    arrow-up
    38
    ·
    8 months ago

    They are so heavy on security I have a Citrix environment that takes me 3 logins

    My daily routine:

    1. Take laptop out of locked shelf
    2. Start Laptop and enter boot password
    3. Enter Bitlocker password
    4. Enter username (not saved) and password
    5. Open Citrix website and login with different username and password
    6. Enter MFA token to access said website
    7. Start server connection
    8. Enter different username/password (not saved) to access server
    9. Enter different MFA token for the server login
    10. Start the business-specific application with 3rd set of not saved and different login data

    They also have plans to make MFA mandatory for laptop login, too.

    Passwords need to be at least 15 characters long for laptops and 30 for servers and 10 for the business-specific application. All need to have uppercase, lowercase, numbers, and special characters and need to be changed every 60 days (for the server login) and cannot be the last 30 passwords.

    • NeoNachtwaechter@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      My advice for this company: fire 2/3 of all IT staff (including managers). Then tell the remaining ones to cut off unneccessary things and do it better in the future.

      • 𝘋𝘪𝘳𝘬@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        8 months ago

        Big international corporate, IT security hired by personal connections instead of skill, IT security never worked in daily business.

        The fun thing is, that they refer to NIST guidelines. Which is even funnier because NIST says 12 digits are enough, user-generated 8 digits are fine, no complexity rules, and password changes only “when necessary” (i.e. security breaches).

        https://sprinto.com/blog/nist-password-guidelines ff.

    • ThePowerOfGeek@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      This sounds like my old place, but much worse.

      We used to have laptops we had to lock in a cabinet (yeah, one of those cabinets with a really puny lock that’s easy to pick). And we had to log into n old mainframe system that had numerous environment instances which each required a unique password that had to be changed every 90 days.

      We (the software devs) basically rebelled on the laptop situation and insisted they find a better solution. Thankfully they changed policy and of allowed the laptops to be locked into our docking stations, which in turn were locked to our desks.

      As for the mainframe system credential management, I tried using a standard third party password manager, but a) it wasn’t a good fit for the credentials, and b) the sys admins or security team forcibly uninstalled it because it wasn’t sanctioned software (even though it was a well-respected and actively maintained one). And our security group refused to go out and find one.

      So being a dev, I wrote my own desktop password manager for the mainframe credentials. It was decently secure, but nowhere near as secure as a retail password manager. But it fit the quirks of the mainframe credentials requirements. And after my colleagues and manager did a code review of it, it was considered internal software, and thus fit for use.

      As I was leaving they were in the process of removing all our local admin rights (without a clear path on how to accommodate for us developers debugging code - fun times ahead!).

      But all of those annoyances pale in comparison to the shit you are having to deal with! Holy hell, that sounds like pure misery! I’m sorry.

      • 𝘋𝘪𝘳𝘬@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        Temporary workaround applications/scripts become de-facto standards sounds familiar. They disabled loading script files in Powershell but you can still copy&paste the file’s content …

        People have no idea how absurd IT in corporations is.

    • databender@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      This is very close to my workplace but we have about 17 domains to work across, with a separate account for each. It’s frustrating sometimes, but in the end I get paid the same either way.

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      8 months ago

      And I guarantee every one of those passwords are written on a piece of paper at the desk under the keyboard.