I can’t say for sure. Please post screenshots and I’ll let you know.
But it is a real Security issue, where the org has such a strict policy on ALL users to maintain a high level of security hygiene that it’s impossible to keep up with while doing normal work. It’s why there is such a big push for SSO systems/portals. As that way you can have 99% of users be kind of dumb - as long as they use your company portal - they should be good.. and a smaller team focused on the security of that portal and looking for odd login actions per user.
Requiring rotating key/authenticator access for remote work and allowing users to come up with a solid terminal password on local access is pretty good.
That way all local connections can be verified and remote logins have the extra security layer.
That being said, if a priveleged user manages to compromise their local work machine it's all fucked.
Are you saying the incoherent ramblings of my phone notes app could be compromised?
I can’t say for sure. Please post screenshots and I’ll let you know.
But it is a real Security issue, where the org has such a strict policy on ALL users to maintain a high level of security hygiene that it’s impossible to keep up with while doing normal work. It’s why there is such a big push for SSO systems/portals. As that way you can have 99% of users be kind of dumb - as long as they use your company portal - they should be good.. and a smaller team focused on the security of that portal and looking for odd login actions per user.
Requiring rotating key/authenticator access for remote work and allowing users to come up with a solid terminal password on local access is pretty good.
That way all local connections can be verified and remote logins have the extra security layer.
That being said, if a priveleged user manages to compromise their local work machine it's all fucked.
That’s where security experts who are checking for things to go bad come in.
Making everyone a security expert + doing their job is some uphill ice skating.
A good bet it to open a dummy ssh port that no one should ever connect to, then immediately add any ip that tries to connect to it to a blacklist.
At the end of the day every security measure can be bypassed, you just need to be prepared for that inevitability.
Locks are based on time/difficulty/detectability in the real world. The goal is “can’t to break in without getting caught”
It’s all a balance between risk/security and actually being useful.