undefined | Better HN

0 points__jal8y ago0 comments

Well, for one thing, if you can't ensure that a given privileged person can be locked out of your systems quickly, you have a problem to fix. This should be a 1-minute operation.

Note that I don't know the details and am making assumptions that may be wrong about the case in question, but in general, if you can't deny access quickly to any given account, you really want to fix that. Not just because of rogue ex-employees - what happens when $important_person's account is compromised?

0 comments

ars8y ago

> This should be a 1-minute operation.

No. It's easy to revoke access to a user. An admin is different - an admin can install whatever he wants to give him backdoor access. Or a timebomb.

__jalOP8y ago

Yes, but backdoors/malware are a different question. I was talking about authorized access - LDAP, ssh keys, etc.

Detecting unauthorized software from a rogue privileged user is a different problem with very different mitigations. It is a great topic that I'm personally interested in, given that I'm implementing controls for that, but I wasn't discussing that.

j / k navigate · click thread line to collapse