AzureAD and shares

scottalanmiller

@brandon220 said in AzureAD and shares:

The auditors, especially in the financial sector, argue this all the time and try to penalize you for using FOSS tools.

No actual auditor, quite the opposite.

scottalanmiller

@brandon220 said in AzureAD and shares:

If it were for me, it would be samba 100%. I have to "fight" people all the time who will argue to the death that they don't want a Linux server of any type, because it is "free" and "not secure".

I feel like you have a really low opinion of these people, not technically, but as people. You think that they are capricious, illogical, and out to screw their business for emotional / personal reasons (e.g. willing to hurt the business without any concerns for what is good for it, just what sounds good to them personally.) I find that IT often feels this way about businesses, but once I speak to them, they were never like that. LIterally had this happen with a bank four days ago. I bet if you present the real reasons, they aren't running a bank and this crazy. It might feel that way, but I bet if presented with good logic and factors, they are probably way more sane and trying to do a good job than you think.

brandon220

Here is an example from the FFIEC Cybersecurity Assesment Tool:

The more OSS you have, the lower your score will be.

scottalanmiller

@brandon220 said in AzureAD and shares:

The more OSS you have, the lower your score will be.

Then it's an anti-audit. I mean it's that easy. If they are specifically penalizing security, that literally makes these guys social engineers / hackers. Instantly, you have a requirement to ban them from the company. Financial regulations actually makes that criminal.

scottalanmiller

@brandon220 said in AzureAD and shares:

The more OSS you have, the lower your score will be.

Remember, all SEC regulated banks are 100% core on OSS. All, 100%. No exceptions. And their security is a million times the needs, audits, and requirements of small banks and little financials. In the REAL financial world, better security means better scores.

Literally, I'd consider legal action here. As the IT adviser, you have a legal requirement to let them know that they are being scammed and have a legal requirement to take action.

scottalanmiller

@brandon220 said in AzureAD and shares:

FFIEC Cybersecurity Assesment Tool

It is REALLY fishy that a government agency is trying to put small banks at risk and goes directly against requirements for the big institutions.

brandon220

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

The more OSS you have, the lower your score will be.

Then it's an anti-audit. I mean it's that easy. If they are specifically penalizing security, that literally makes these guys social engineers / hackers. Instantly, you have a requirement to ban them from the company. Financial regulations actually makes that criminal.

Not to derail this thread, but I deal with this every year. These auditors come in and HAVE to find something "wrong" even though what they find are not actual problems. It just justifies the money spent for the audit. I know there are others on here who deal with these auditors. They know exactly how bad it is.

scottalanmiller

@brandon220 said in AzureAD and shares:

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

The more OSS you have, the lower your score will be.

Then it's an anti-audit. I mean it's that easy. If they are specifically penalizing security, that literally makes these guys social engineers / hackers. Instantly, you have a requirement to ban them from the company. Financial regulations actually makes that criminal.

Not to derail this thread, but I deal with this every year. These auditors come in and HAVE to find something "wrong" even though what they find are not actual problems. It just justifies the money spent for the audit. I know there are others on here who deal with these auditors. They know exactly how bad it is.

Right, so you have a criminal activity going on for personal gain. The bank needs to understand that the auditors are being paid to put them at risk, because that's how they get compensated. Doesn't change that it's illegal.

scottalanmiller

@brandon220 said in AzureAD and shares:

It just justifies the money spent for the audit.

Not ot competent management, it would do the opposite. Only a real audit would justify the audit.

Obsolesce

@brandon220 said in AzureAD and shares:

Here is an example from the FFIEC Cybersecurity Assesment Tool:

The more OSS you have, the lower your score will be.

To basically if there is any Linux / Unix in use, you get a bad score... Wtf.

brandon220

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

The more OSS you have, the lower your score will be.

Remember, all SEC regulated banks are 100% core on OSS. All, 100%. No exceptions. And their security is a million times the needs, audits, and requirements of small banks and little financials. In the REAL financial world, better security means better scores.

Literally, I'd consider legal action here. As the IT adviser, you have a legal requirement to let them know that they are being scammed and have a legal requirement to take action.

Exactly. Our main core is 100% Unix. Makes no sense how they come up with this stuff.

brandon220

@Obsolesce Yes. Unbelievable.

scottalanmiller

@brandon220 said in AzureAD and shares:

@Obsolesce Yes. Unbelievable.

Worse, is that someone pays and/or believes them. How could it come to that?

brandon220

@scottalanmiller As far as samba goes - if they could manage it with Cockpit or the likes, it would be an easy choice.

Obsolesce

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

@Obsolesce Yes. Unbelievable.

Worse, is that someone pays and/or believes them. How could it come to that?

Someone better call up Linus Torvalds and tell him his kernel isn't secure enough for financial institutions and so to do a better job.

brandon220

That "tool" comes directly from https://www.ffiec.gov/ and it is apparently the "Gold Standard" that all financial institutions are graded by. It is a glorified Excel file with multiple tabs.

brandon220

I know @Obsolesce uses samba too. How well does this work if the MS users connecting to samba sign in to their PCs with MS accounts instead of local user accounts? Basically, does it work properly with email addresses for usernames? I don't use MS accounts personally and have never tried to connect to a samba share that way.

scottalanmiller

@brandon220 said in AzureAD and shares:

That "tool" comes directly from https://www.ffiec.gov/ and it is apparently the "Gold Standard" that all financial institutions are graded by. It is a glorified Excel file with multiple tabs.

That's so weird, because it's directly in opposition to SEC rules.

scottalanmiller

@brandon220 said in AzureAD and shares:

I know @Obsolesce uses samba too. How well does this work if the MS users connecting to samba sign in to their PCs with MS accounts instead of local user accounts? Basically, does it work properly with email addresses for usernames? I don't use MS accounts personally and have never tried to connect to a samba share that way.

I thought that they were dropping those weird things for local or AD?

scottalanmiller

@Obsolesce said in AzureAD and shares:

@scottalanmiller said in AzureAD and shares:

@brandon220 said in AzureAD and shares:

@Obsolesce Yes. Unbelievable.

Worse, is that someone pays and/or believes them. How could it come to that?

Someone better call up Linus Torvalds and tell him his kernel isn't secure enough for financial institutions and so to do a better job.

Someone had better tell EVERY bank and the SEC, too. And the stock exchanges.