Lock the windows but open the door



  • An expensive team of contractors spent over a year building a bunch of read-only web services for one of my clients. Since they are designed to distribute sensitive data, the web services have all the security bells & whistles to make sure that nobody can use them to read something they should not; besides basic access control, data is filtered at the row and column level following complex business rules associated with AD groups, and all kinds of analytics are deployed to catch anyone trying to abuse the system. There is also heavy encryption, location-based and time-based access controls, granular kill switches in case of emergency, etc. Very impressive stuff done by people who know their trade.

    Two weeks ago during a pow wow meeting some big wig said he was not happy with the web services because he could not aggregate data without downloading "everything" in Excel (which is mostly true). The solution architect, a nervous little fella known more for his butt-kissing skills than technical expertise, almost ate his tie out of shame then promised a solution by the end of the week.

    The "solution" is beautiful. The database diagram will be published on the corporate network so everyone can cook up a SQL query and pass it to a new service that will execute it and return the entire data set; to make sure that no funny injection stuff can hurt the data the query will be executed with a low-privilege/read-only impersonated account. Of course this has the unfortunate side-effect of bypassing the layers of security built in the "normal" services and impersonation prevents proper auditing at the database level, but to "mitigate risk" everybody who has access to the corporate network will sign a NDA. Problem solved.

    The cost for that team of contractors was over 12k per day and they've been working on the services since April 2011. The new service and its supporting artifacts (i.e.: the database diagram and the 1-page user manual) took about one day of work and was done by a summer intern.



  •  I admire your determination to keep things done correctly. Sadly, this is what happens in the real world. I guess 30+ years of doing this has jaded me as things like this no longer shock me.



  • The reason the real world works like this is that the original requirements are typical -- and impossible.  They wanted all data access to be highly secure, validated, and audited.  But, they also wanted ad-hoc data access.



  • @Jamie: I think it stems from the fact that we're employed to assist the company with running the business, not doing IT properly. They don't care about IT, or doing things the right/wrong way. All they care about is: get me the info I need now.

    As an example, my brother is a CPA. He has about 10 PCs in his office. He refused to move off of Win-98 until each PC physically died. He didn't care that once he started replacing individual PCs, there were incompatibilities, etc. He didn't care that some of the newer software wouldn't run on Win-98. He couldn't run his business without software or computers, but he simply won't spend money on them. Even today, he still has one Win-98 machine, six on Win-XP, and two on Win-7. His file server is running $Deity-knows-what, and there is a warning duct-taped to the box: DO NOT TOUCH THIS MACHINE - IT IS FRAGILE. I don't even know what to do with that, but 20 years of pleading with him to let me straighten things up a bit have fallen on deaf ears.

    Big businesses are more sane when it comes to hardware, but IT policies are still merely a necessary evil that can be circumvented when someone high enough is inconvenienced by them.

     

     



  • @snoofle said:

    someone high enough
     

    I found the problem!



  • @dhromed said:

    @snoofle said:

    someone high enough
     

    I found the problem!

    Would that be high as in pay or high as in dope?

     



  • @Jaime said:

    The reason the real world works like this is that the original requirements are typical -- and impossible.  They wanted all data access to be highly secure, validated, and audited.  But, they also wanted ad-hoc data access.

    This issue had been raised before they started writing the services, but at that time the solution architect was adamant that it was the way to go and users "did not need" free-form access. Now sh*t appears to be hitting the fan with auditors so the solution is already evolving: the new plan is to have a secondary database that contains only the data that requires no filtering other than having a valid account and point the "open bar" service to that database. It's a good thing they are so Agile.



  • @KattMan said:

    Would that be high as in pay or high as in dope?
     

    High as in "I run the [portion of the] company therefore I am superior to you, and you have to do whatever I say nyeh nyeh nyeh"



  • So, both, then: a dope that is high in pay.



  • @Xyro said:

    So, both, then: a dope that is high in pay.

    Which is unusual, since the social ladder for drugs is:
    crack/freebase cocaine -> heroin -> crystal meth -> hash -> mescaline/mushrooms/pcp -> marijuana -> ecstasy/ketamine -> bootleg anxiolytics -> cocaine -> newborn spinal cord fluid



  • @snoofle said:

    As an example, my brother is a CPA. He has about 10 PCs in his office. He refused to move off of Win-98 until each PC physically died. He didn't care that once he started replacing individual PCs, there were incompatibilities, etc. He didn't care that some of the newer software wouldn't run on Win-98. He couldn't run his business without software or computers, but he simply won't spend money on them. Even today, he still has one Win-98 machine, six on Win-XP, and two on Win-7. His file server is running $Deity-knows-what, and there is a warning duct-taped to the box: DO NOT TOUCH THIS MACHINE - IT IS FRAGILE. I don't even know what to do with that, but 20 years of pleading with him to let me straighten things up a bit have fallen on deaf ears.

    I used to work for a company that made tax and accounting software, so yeah, that sounds about right for an accountant/CPA - fairly typical, actually.  We had customers that left us when we stopped developing the DOS-based version of our tax program in (IIRC) 2001 or 2002, and when asked they explicitly said it was because they didn't have a computer capable of running Windows.  I can understand not wanting to toss it until it's fully depreciated, but geez...



  • @BPFH said:

    I used to work for a company that made tax and accounting software, so yeah, that sounds about right for an accountant/CPA - fairly typical, actually.  We had customers that left us when we stopped developing the DOS-based version of our tax program in (IIRC) 2001 or 2002, and when asked they explicitly said it was because they didn't have a computer capable of running Windows.  I can understand not wanting to toss it until it's fully depreciated, but geez...

    We set up DOS-based cash registers (running on plain DOS - no Windows) for a client in 2006. Network support was provided by MS LanManager client accessing Windows 2000 workstation acting as a server. We only got them to switch to Windows as OS when we demonstrated that supporting that cost them several times more than the Windows license cost, because anytime there was a problem on the register somebody had to hop in the car and drive 100-200 km to fix the problem instead of it being resolved remotely.


    We also just got a new client that's in a bit of disarray - they use no less than 5 different accounting programs, of which one is still DOS-based. But at least they're all on Windows, though most of the machines run XP (except for two or three newer ones that run 32-bit 7).



  • @Speakerphone Dude said:

    Of course this has the unfortunate side-effect of bypassing the layers of security built in the "normal" services and impersonation prevents proper auditing at the database level, but to "mitigate risk" everybody who has access to the corporate network will sign a NDA. Problem solved.
     

    I must've missed the story.  When did they repeal Sarbanes-Oxley?


  • Discourse touched me in a no-no place

    @da Doctah said:

    @Speakerphone Dude said:

    Of course this has the unfortunate side-effect of bypassing the layers of security built in the "normal" services and impersonation prevents proper auditing at the database level, but to "mitigate risk" everybody who has access to the corporate network will sign a NDA. Problem solved.
     

    I must've missed the story.  When did they repeal Sarbanes-Oxley?

    SOX doesn't apply to private or non-American companies.



  • If only some technology existed that would take data from an on-line, transactional system and store it in a pre-processed state for use in reporting solutions.

    Like a big "warehouse" where you would store "data".



  • @BPFH said:

    I used to work for a company that made tax and accounting software, so yeah, that sounds about right for an accountant/CPA - fairly typical, actually.  We had customers that left us when we stopped developing the DOS-based version of our tax program in (IIRC) 2001 or 2002, and when asked they explicitly said it was because they didn't have a computer capable of running Windows.  I can understand not wanting to toss it until it's fully depreciated, but geez...

    A former controller at my current employer retired, rather than learn to use Windows. His old 286 was the one computer I wasn't allowed to touch in any way. It ran Lotus 123. He used it as a calculator, and nothing more. The real books were paper ledgers. "What do you want them to say?"


  • ♿ (Parody)

    @MrBigDog2U said:

    If only some technology existed that would take data from an on-line, transactional system and store it in a pre-processed state for use in reporting solutions.

    Like a big "warehouse" where you would store "data".

    That would be sweet. And then, to get the data down from the shelves, we could use, like, ladders....Shelf Quick Ladders. Of course, we'll still need a way to keep people out of aisles where they don't belong...



  • @taustin said:

    A former controller at my current employer retired, rather than learn to use Windows. His old 286 was the one computer I wasn't allowed to touch in any way. It ran Lotus 123. He used it as a calculator, and nothing more.

    A client recently bought a new computer. i7, 8GB RAM, 2TB HDD, Windows 7 x64. Only problem? We had to make Quattro Pro work on it, because that's the only spreadsheet he uses. Luckily it worked fine in DOSBox, and we made sure that the printer that went with the machine had PCL support.



  • @snoofle said:

    He couldn't run his business without software or computers, but he simply won't spend money on them.

    I come across this attitude a lot. It pisses me off. I want to scream at those people "it's not rocket science, morons - you want good results, you buy good tools!". Whether those tools are hammers or concrete mixers or computers, it still applies.



  • @BPFH said:

    @snoofle said:

    As an example, my brother is a CPA. He has about 10 PCs in his office. He refused to move off of Win-98 until each PC physically died. He didn't care that once he started replacing individual PCs, there were incompatibilities, etc. He didn't care that some of the newer software wouldn't run on Win-98. He couldn't run his business without software or computers, but he simply won't spend money on them. Even today, he still has one Win-98 machine, six on Win-XP, and two on Win-7. His file server is running $Deity-knows-what, and there is a warning duct-taped to the box: DO NOT TOUCH THIS MACHINE - IT IS FRAGILE. I don't even know what to do with that, but 20 years of pleading with him to let me straighten things up a bit have fallen on deaf ears.

    I used to work for a company that made tax and accounting software, so yeah, that sounds about right for an accountant/CPA - fairly typical, actually.  We had customers that left us when we stopped developing the DOS-based version of our tax program in (IIRC) 2001 or 2002, and when asked they explicitly said it was because they didn't have a computer capable of running Windows.  I can understand not wanting to toss it until it's fully depreciated, but geez...

    Gotta say that my lawyer clients were worse. The strangest mix of spend-what-you-need-to-keep-them-billable and don't-spend-more-than-you-have-to that I ever worked with. Getting gear for the lawyers - no problem. Getting a replacement for the mission critical billing system running on 7U Compaq servers with NT4 and MSSQL6.1 - no way. And yes, they were running NT4 in 2007...

