Let’s get (remote) connected. Mmmkay?


You start work on Monday at the reputable company KickedInTheFace.com, makers of robotic death machines for sale to anyone with a credit card. Their motto is “security is never secure enough”, referring to their super-duper extra ultra mega turbo secure environment. The rumor is that it was created by the previous CIO before he was convicted of embezzlement, but that’s not discussed at KickedInTheFace.com anymore.

After you check in at the front desk, and get your picture taken, badge printed, finger-printed, retinal scanned and voice printed, you’re escorted to the conference room, shown the coffee area and pile of sugary stuff. After a few minutes, your “ambassador” person walks in and begins your orientation.

Them: “Are you excited?!” (loud, startling clap and over-caffeinated facial movements) “Let’s begin!”

(several back and forth challenges “That’s not an enthusiastic reply. Let’s try that again!”)

You: “Yes! Okay, where do we start?”

Them: “First, you need five separate physical machines, which are all on order. Each running a different operating system. We use the ‘Isolated Divided Independent Operating Trust’ security system, or IDIOT for short, here at KIF. It prevents hackers from hacking us.”

You: “Five devices? Really?”

Yes. One device is too easy to compromise, so you’ll need five.

Why not VM’s?

You still need a physical device to connect to the VM’s, right?! Well, we don’t trust VM’s or other VM’s with VM’s, or phones to VM’s either. And we *never* trust one machine by itself. Actually, we take zero trust to a whole new level: We don’t even trust you! Anyhow, the five devices run Windows XP, MacOS, Ubuntu, Redhat, and OS/2 Warp 3. Nobody bothers hacking Warp, so it’s the safest.

Ok. Um, wow. So then what?

You’ll need Cisco AnyConnect on machine 1. Global Protect on machine 2. Pulse VPN on machine 3. Azure Connect VPN on machine 4. And the NetExtender VPN client on machine 5. But machine 1 will also need the RSA agent, and some crap we’ve been using since 2005. Oh, and you’ll need 3 separate FIDO keys for machines 2, 4, and 5. Then you’ll need Microsoft Authenticator on all of your company phones. Oh! I almost forgot. You’ll also need the BeyondTrust remote access client on machines 1, 3, and 5. And, last but not least: All five will need Citrix.

Phones? Plural? But I already have a personal phone.

We don’t trust personal phones. Ever. You’ll need to carry all work phones with you at all times, 24×7. We require one for each environment, so five (5) in all, unless you’re on-call, then eight (8). You’ll get a separate number and email account for each phone, and the Authenticator activation on each.

This seems like...

Overkill? There is no overkill! Not when it comes to security. Do you think the hackers are worried about overkill? We strive to overkill the overkill!

(office tour)

Is this my cube?

We prefer to call them ‘workspaces’. So, yes, that’s your workspace. Except for when you need to connect from machines 3 or 5, then you need to move to either SCIF 1A or 7C, which are over in building 6, 8th floor. If you need those, be sure to bring your retinal scanner. They don’t have one over there.

Retinal scanner?

See Jimmy. He’ll get you set up.

I may need to find you if I have questions or forgot something.

No worries. If it helps, just write all of it down on a sheet of paper and tape it up on your cube shelf. That’s what the rest of us do. Get settled. Lunch is at noon, and we’re all going to Twin Peaks.
