I’ve written a bunch of blog posts on the right way to architect your cloud or on-premises network applications. Those are pretty popular posts, yet we continue to see organizations (ahem, Garmin) have major problems with ransomware. But security is hard, and as we’ve seen in the last few months, people can’t even do easy stuff like wearing a mask to prevent the spread of a deadly pandemic. So let’s talk about some security stuff you can do that doesn’t require any effort on your part. I recently had a chance to talk to Flip Jupiter, CTO at a stealth-startup Software as a Service company, about their security practices.
SQL Server Runs Faster as SA
This is a secret I only tell my best clients, one that Microsoft hides from you. You see, when you log in to SQL Server and execute a query, there’s an in-memory cache that gets checked to see if you have permissions against an object. You know how to fix that problem? Make everyone SA and you bypass that cache, and your workload can now run .00004% faster. You also probably want to run all of your queries with NOLOCK hints, because everyone knows locks are stupid and slow everything down.
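The defender’s counterpart to the advice above is knowing exactly who holds sysadmin on an instance. The T-SQL below is an added example, not code from the original post; it lists every member of the fixed sysadmin server role, flags members missing from an allowlist, and shows whether SQL logins among them enforce password policy (the allowlist names are assumed placeholders).

```sql
-- Added example: audit membership of the fixed server role "sysadmin".
-- Members of sysadmin hold every permission on the instance, so the list
-- should be short and fully accounted for. Allowlist entries below are
-- placeholders, not values from the post; replace with approved accounts.
DECLARE @approved TABLE (login_name sysname PRIMARY KEY);
INSERT INTO @approved (login_name)
VALUES (N'sa'), (N'CONTOSO\SQL Admins');   -- assumed placeholders

SELECT
    m.name                    AS login_name,
    m.type_desc               AS login_type,       -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
    m.is_disabled,
    -- Only meaningful for SQL_LOGIN rows; NULL for Windows principals.
    sl.is_policy_checked,
    sl.is_expiration_checked,
    CASE WHEN a.login_name IS NULL THEN 'REVIEW' ELSE 'approved' END AS status
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals   AS m  ON m.principal_id  = rm.member_principal_id
LEFT JOIN sys.sql_logins     AS sl ON sl.principal_id = m.principal_id
LEFT JOIN @approved          AS a  ON a.login_name    = m.name
WHERE r.name = N'sysadmin'
ORDER BY status, m.name;
```

Any row marked REVIEW is a login that was granted instance-wide control outside the change record; a Windows group in the list means every member of that group is effectively SA as well.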
Windows Firewall Is Just Overhead
Many organizations have tiers to their networks, and limit traffic between these tiers. While this is typically enforced at the network layer, operating systems like Windows and Linux have software firewalls which provide an additional layer of overhead that you have to deal with when trying to connect disparate systems. If you keep these “security enhancements” in place, it means you actually have to understand your network traffic and know what ports talk to which other ports. Ain’t nobody got time for that.
Networks should have the Topology of the Netherlands
Many organizations have layered networks that limit the flow of traffic from one segment of the network to another. This requires a network administrator who knows what they are doing, and means you probably can’t play CandyCrush on the same network your production servers are on. Worse, it means you might actually have to have a jump host, or learn how to run commands remotely. That sounds hard. I really prefer to RDP directly to my production servers. (Pro tip: if you give your servers a public IP address, you can RDP to them without “the man” monitoring your web traffic over the company VPN.) It also means you should be able to access all of your customer data from every laptop in the company; we don’t want to delay our metadata sales process.
Patches? We don’t need no stinking patches
We’re a serious enterprise, and that means our servers need 12 9s of uptime (yeah, I know, but we didn’t have budget for that second node, or second data center). And since, one time, my cousin’s friend’s sister bricked her eight-year-old laptop because of a Windows Update bug (or maybe the battery died, but who can be sure), we can’t risk the downtime to patch production. Everyone knows software is best the moment it’s shipped and gets better all the time, which is why our production workloads run on Windows 2003 and SQL Server 2005.
Security Team? We need more Devs
Security is such a boring topic; you can tell because no one goes to security talks at IT conferences. Besides, security features don’t sell; everyone knows that. So we killed our security team and replaced them with a team of offshore devs. We saved money, and those security people were always nagging us about our network. The offshore dev team is writing some excellent code with their Entity Framework toolkit.
Kerberos, or Spot, as We Call It
One of the key tenets of Active Directory is Kerberos, which is named for the dog that guards the gates of Hades in Greek mythology. We like to call it Spot. Kerberos is complicated, with its identities, SPNs, and that damned double-hop problem. We solved this by making all of our users domain admins. Some people say this might be a “security risk”, but we trust all of our users, and we know that they won’t do anything like click on a phishing email or download software from the Russian mafia.
You Made it This Far, What’s the Punchline?
In case you haven’t figured it out yet, Flip Jupiter is not a real person, and I’ve just walked through six of the worst security practices you could possibly adopt. Note that you should never, ever do any of these in real life (though I’ve shut down the Windows Firewall in way too many demos because I procrastinate). Security should be front of mind for all IT professionals, whether they be administrators, developers, DevOps, or CTOs. Security isn’t a tool you can bolt on to your killer app; you need to think that way from the beginning. Note, for those of you who are really dense: this post is sarcasm, and you shouldn’t do any of this.