Too much (corporate) MFA

I work for a company that needs good security.

They recently re-organized their network infrastructure and let the cyber guys build whatever they wanted to build "in their image" and of course, now everything requires authentication. Email, Teams, AWS, VPN, command-line tools, and even on your work laptop, certain privileged commands are limited by dzdo (more modern sudo) and the laptops, servers and VMs are all whole-disk encrypted. APIs are turned off for fear of security exploits and people are just generally upset about the amount of security. It's a horrible environment.

There used to be a saying, "security is the inverse of usability" and I tend to still agree that the saying holds water.

In the days of startups and the wild west of the internet, there was a philosophy of the "hard crunchy outside and the soft gooey center" which meant that there was a firewall surrounding all of the internal networks and everything inside of the firewall was pretty much open and accessible by anyone who was allowed inside the firewall (by being in the office or access via VPN). This was fantastic. People could do whatever the heck they wanted to do. The developers were happy. Sysadmins had very few points of entry, so monitoring for intrusions was in just one or two locations. I get that "cyber" didn't really exist back then for most companies and the world was a different place, but it really was the best of all options.

Nowadays, "cyber" has their fingers everywhere. They control your browser. They limit what software is installable on corporate laptops and which commands can be run. They require encryption everywhere even when the data doesn't leave a system (like communications in-flight inside of a Kubernetes cluster for example). They limit URLs on the edge firewalls. They install wildcard SSL certificates that are loaded into the root cert store on laptops so the firewalls can do man-in-the-middle interception to peek inside of HTTPS requests that traverse the firewall. You can't just reboot a server or VM now because the whole-disk-encryption password has to be entered before the server will boot. They run multiple agents on every computer they can, agents that watch software versions and open ports and use people's laptops as network scanning agents. And you can't use USB thumb drives or hard drives anymore. They're forbidden.

Turning off APIs removes the option to do any kinds of automation. APIs are good things! Automation is good. It improves performance. Stop making us do everything manually. Computers are powerful. Why neuter them?

How can "cyber" be happy with the number of times someone needs to log into the corporate AD server, enter their username, password and MFA every time they switch to a different app or service? Email, O365, ServiceNow, Time-keeping, etc. They're all different systems but auth from AD and AD cookies expire after just a few minutes, so we have to re-auth dozens of times a day! Passwords need changing every 90 days (which NIST has proven to be WORSE for security and encourages poor password creation). They have to deal with the same systems too. Don't they get fed up with the number of times they need to authenticate in a day too?

Even modern commercial apps don't require constant auth like corporate security does. Gmail keeps login cookies for days if not weeks and there are no issues there. Why does corporate security need to be so anal-retentive about authorizing so many damn times a day? OMFG!

I was thinking. Can't we use the old adage of the "hard crunchy outside and the soft gooey center" in today's world? Provide VPNs for every project that needs silo-ing? Have a DMZ network for things like email, chat, phones, corporate services, etc. Use on-disk encryption at the SAN-level and take it off of the VM-level? The only difference would be that cyber wouldn't know what's installed on people's laptops and authing would only happen once when punching a hole in the firewall or walking into the office.

Physical security is ok with the locks only being on the outsides of the office buildings. Once you're inside, you can move from office-to-office without issue and bring anything you want with you in and out of the building. If this is allowed, why should the network/laptop/server security be any different?

Don't even get me started on password/secrets vaults. Cyber doesn't like that users keep passwords floating around in 100 different places and ways, so they came up with a password vault. Now all secrets and passwords are in a single location and accessible by anyone that can auth. So, Julie in HR whose password is snoopy123 can access every password that the organization uses for everything! Does that sound like a secure system to you? Now your one personal password is even more important to not lose. I did some asking around when password vaults first arrived on the scene and the authors of the password vaults even admitted that the only good reason for password vaults as far as security goes is that AFTER an intrusion, the access logs can be checked to see who requested the password used in the intrusion. That and automated password-rotation are really the only reasons that I can see for using a password vault over the traditional method of password management.

Personally, if I were designing a new secure infrastructure, I'd make a damn secure VPN and not use any external services (Office 365, I'm talking to you). Once you're inside the corporate firewall, feel free to use email with a normal email/password, chat can be done internally, we don't need Teams or Slack or anything crazy like that. Firewalls can allow NAT'd traffic to stop any unwanted outside connections from coming in. If this were the case, the only thing that we wouldn't have that corporate security wants is control over the user's laptop. There's nothing stopping someone from downloading a virus. There's nothing stopping an employee from picking up a USB thumb drive from the parking lot and plugging it into a laptop and a virus running rampant. To protect against these things, use password protection (and allow for password vaults) to add an additional level of security to sensitive things (databases, internal documentation, proprietary code repositories, etc.) which are already available in most tools. Personally, I don't see anything wrong with the old way of doing things. If/when an employee leaves, their VPN access is revoked and that's that. The door's locked.

If someone from "cyber" can tell me why the old way is bad and the new way is better, please tell me, because I'm so frustrated every time I have to re-authenticate everywhere, all the time, that it's the number one worst part of my job.