Comment by scottlamb
20 hours ago
> When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence.
You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.
For most of my career (over 30 years now) where I've had sufficient access privileges to matter, I've fairly diligently maintained a "Important credentials and access" list, which I've sent to my employer when leaving, strongly advising them of the need for them to disable or rotate those credentials.
This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-trcking. It also keeps a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), firewall rule specific to me.
I also try to list anything else I could, if I were a malicious disgruntled ex employee, use to cause grief to the employer or their clients.
I point out in this email that if I were to be rouge, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough to carefully audit everything to ensure I cannot access anything.
I send this from a personal email account, so I still have timestamped records of having sent it. If an ex employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.
(Writing this down reminds me it's been a while since I updated this - I guess thats something I'll ned to get on to soon.)
The first option is flipping one switch. The second option is flipping some switches now, and flipping the rest later. Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since it's first responsibility is to protect the company for those that are still there. There's plenty of ways to communicate with ex-colleagues that don't involve company resources or opening the company up to liability.
Let’s not forget the third option: proper security practices and principle of least privilege. No one should have been able to do this in the first place. Why were they able to get plaintext passwords with a simple query? Why did they have delete permissions on production db tables? Why were they able to modify system logs and delete backups?
> Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since it's first responsibility is to protect the company for those that are still there.
Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.
System security is not a human value. Access key rotation effective immediately is a compliance requirement, and completely orthogonal to human decency, which is delivered trough garden leave or severance, not extended system access
So, never lived in corp land? Healthy isn’t on most corporations radars except where it causes liability to them.
1 reply →
I'd argue that failing to segregate things so that there's a switch for the sensitive stuff and a separate switch for the not-sensitive stuff is an operational failure. A rank and file employee having access to his email account should never pose a serious liability to the business.
Yeah I don't see why that's necessary. I'm sure you can always reach out to HR and ask (I have facilitated this in the past, pulling contact lists and phone numbers) but that also gives them ways to exfiltrate data. It's company data. Just think of all the info you have in your inbox. Unless you've managed offboarding for high level IT positions it seems harsh, but the risk is just too high to allow the user to do that stuff themselves.
> Just think of all the info you have in your inbox.
Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.
No you don't get it, we have to take a harsh approach to firing people because we keep pallets of high explosive in the break room and management doesn't want to change that. /s
High level IT positions are not risky. This is the db admin who can do most of the damage.