Multiple employees at Microsoft have mentioned to me that separation-of-duties and access privileges are so intense these days they don’t even get to tour customer-facing Azure datacenters anymore. (Microsoft has entire dev/internal datacenters)
The privileges system to administer Azure at lower levels is also apparently just absolutely incredible with time-boxed privileges, locks on administrative machines, and multiple-person consent required for stuff.
And then the _physically distinct_ Government tier and Classified facilities, which use a literally different staff and require clearances from everyone.

I assume this is similar in AWS; this post is not an Azure advertisement. Microsoft doesn’t even give me free MSDN anymore.
Office365 and Azure are also physically different. O365 is not run on Azure and you cannot hop from its hosts to anything else.
The spend that public cloud can invest in absolutely bonkers levels of security is just positively beyond any comprehension of enterprise IT staff, who can all clear or disable the security logs on any machines they administer.

In cloud, FBI might get called for natsec reasons.
If you want similar abilities, the “Azure AD Privileged Access” feature can give you a lot of this. Timeboxed roles restricted to certain machines, group membership, access rights, etc. It’s pretty cool; I’m used to using it now. Also removes worries about “clicking the wrong button.”
The fundamental problem with on-prem infrastructure is separation of roles.
If you make me a low-level IT Ops contractor in most F1000 companies, you cannot stop me and you very likely cannot detect me. I know how the logs work, what you can see, and what you’re looking for.
This is not to be defeatist; if you invest you can get the fundamental audit planes on-prem that on-cloud provides and detect me as an interloper, but you’ve got to be very special in who you hire and the culture you have to pull that off.
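The thread's point that an on-prem admin can clear or disable the Security log only holds on the host itself; once events are forwarded to a collector the admin does not control, the tampering is itself visible. As an added example (not part of the thread, and not Microsoft's or any vendor's code), this checks forwarded Windows Security events for log-clearing (1102), audit-policy changes (4719), and the event logging service stopping (1100) without a normal startup (4608) following, plus hosts that have gone quiet relative to the rest of the fleet. The event records are constructed sample data in a simplified shape; the host names and `itops1` account are made up.

```python
"""Detect audit-log tampering from Security events forwarded off-host (e.g. WEF/SIEM)."""
from datetime import datetime, timedelta

# Constructed sample of forwarded Security events; shape is simplified, not a real export.
SAMPLE_EVENTS = [
    {"host": "fs01", "id": 4624, "time": "2023-09-22T10:00:00", "user": "CONTOSO\\jsmith"},
    {"host": "fs01", "id": 4719, "time": "2023-09-22T10:05:00", "user": "CONTOSO\\itops1"},  # audit policy changed
    {"host": "fs01", "id": 1102, "time": "2023-09-22T10:06:00", "user": "CONTOSO\\itops1"},  # Security log cleared
    {"host": "fs01", "id": 4624, "time": "2023-09-22T10:07:00", "user": "CONTOSO\\itops1"},
    {"host": "db02", "id": 1100, "time": "2023-09-22T09:00:00", "user": "SYSTEM"},          # logging service shut down
    {"host": "db02", "id": 4608, "time": "2023-09-22T09:03:00", "user": "SYSTEM"},          # ...followed by startup: reboot
    {"host": "db02", "id": 4624, "time": "2023-09-22T12:00:00", "user": "CONTOSO\\jsmith"},
    {"host": "web03", "id": 1100, "time": "2023-09-22T08:00:00", "user": "SYSTEM"},         # no 4608 after: logging stopped
]

TAMPER_IDS = {1102: "Security log cleared", 4719: "audit policy changed"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_tampering(events, reboot_window=timedelta(minutes=15)):
    """Return (host, event_id, user, reason) tuples that merit an alert."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=_ts):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["id"] in TAMPER_IDS:
                alerts.append((host, e["id"], e["user"], TAMPER_IDS[e["id"]]))
            elif e["id"] == 1100:
                # 1100 at shutdown is benign only if a 4608 startup follows within the window
                restarted = any(n["id"] == 4608 and _ts(n) - _ts(e) <= reboot_window
                                for n in evs[i + 1:])
                if not restarted:
                    alerts.append((host, 1100, e["user"], "event logging stopped without a reboot"))
    return alerts


def silent_hosts(events, max_gap=timedelta(hours=2)):
    """Hosts whose newest forwarded event lags the fleet's newest by more than max_gap."""
    latest = {}
    for e in events:
        latest[e["host"]] = max(latest.get(e["host"], _ts(e)), _ts(e))
    newest = max(latest.values())
    return sorted(h for h, t in latest.items() if newest - t > max_gap)


if __name__ == "__main__":
    for alert in detect_tampering(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("silent hosts:", silent_hosts(SAMPLE_EVENTS))
```

The silence check is what catches an admin who simply disables forwarding rather than clearing anything; both checks only work because the copies live somewhere the host's admin cannot reach.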
