Comment by mosura
8 hours ago
The opposite was/is true. If your cloud box can only be used by two people and IT don’t even know about it then IT can never be persuaded to provide the keys to the rest of the company as they were predisposed to doing.
I saw this stuff too many times, and it is precisely why the cloud exploded in use in about 2010.
What you're telling me is two people potentially have regulated or confidential data not secured by IT, which nobody knows if got leaked.
For many organizations, that's literally illegal, and anyone who does this should be fired.
One notable example was signing keys for builds for distribution actually. And IT had a habit of handing them out to absolutely everyone. Being able to audit who did the signing was done in spite of IT who could, of course, never be persuaded of the merit of any process they don’t own.
But sure jump to more conclusions if you want.
I won't discount your IT can be bad, but also if you're keeping something as core to your security as signing keys somewhere your IT can't audit, you are just as bad. And your IT won't be the ones fired when your keys leak.
1 reply →
>, that's literally illegal, and anyone who does this should be fired.
I mean yea, but who knows how long that box would sit around before it was discovered.