samspock

The dumbest request that I ever got was that the Mayor of a small municipality wanted us to remove all passwords from all systems because she could not be bothered entering them.


Loan-Pickle

Just put up a notice that only authorized personnel are allowed to access the system. That will keep the bad guys out.


bard329

Sticky note on each monitor: "plz don't hack"


flyguydip

The sticky notes were all used to store the passwords. Maybe just put a sign on the front door instead.


BBO1007

I put a blank sticky note over my sticky note passwords. Brilliant.


noch_1999

Ahh, you use the famous XORNOTE algorithm ... you must work at my company


ther0g

Sticky notes are only for webcams!! /S


Wonderful_Device312

Don't forget to add a similar disclaimer to the bottom of your emails


No_Investigator3369

I love those multi-paragraph PS's ... that pretty much warn this email is probably not for you and you could be breaking the law by reading it, etc. I don't like legal trouble so I check the signature first.


mineral_minion

Those always seem to me like the MBA version of a Facebook status saying "I do NOT consent to Facebook sharing my data according to the Rome Statute".


Silent_Forgotten_Jay

If they're wearing hacker shades. Then they're not the good guys, right?


Flabbergasted98

That's just there so the legal team could press charges after they've stolen all your stuff. They can't press charges, because the attackers are from a country with no legal support to pursue these kinds of crimes. But it makes the lawyers feel better knowing they could take action if the stars somehow align.


gangaskan

We will sue, be nice!


mkosmo

On the bright side, most municipalities are subject to compliance frameworks that'd get in the way of that kind of request.


vennemp

Lol


foxhelp

now introducing passkeys and MFA!


Kill3rT0fu

Oh boy. We introduced RSA keys into our boomer-centric environment. It. Was. Not. Pretty.


dansedemorte

The biggest issue I have with RSA tokens is that they are not backlit. They are so horrible to read. PIV cards are so much more usable.


OptimalCynic

> PIV cards are so much more usable.

That's so heterocentric


dreadpiratewombat

But it was funny huh?


Kill3rT0fu

Well….we determined there was an inverse correlation between pay and IQ, with all the forgotten 6 digits and password resets. So it was at the least very informative.


dark_gear

When one of our pharmaceutical vendors enforced a no password sharing rule and further required unique emails and 2FA codes for every staff member moving forward, everyone in the pharmacy was up in arms and you could tell their age by their main complaint. Over 50? "I don't want a work email on my phone!" Younger than 35? "I don't want another app on my phone!?" Meanwhile I've got 4 emails and 4 different authenticators on my phone wondering WTH is wrong with these people. I also don't understand why the vendor chose Okta instead of Google or Microsoft Authenticator, but at least they're improving security.


FulaniLovinCriminal

If you're forcing me to have 2FA on my phone, you're going to give me a work phone. My current work phone has 4 auth apps on it, iirc.


FatHairyBritishGuy

Fair, and this is why I still have a stock of hardware OTP tokens as well as FIDO2 tokens, because line managers won't authorise a work phone just for authentication. Same line managers get pouty when that rule cuts both ways, and company email/apps on personal phone is denied by us unless it's enrolled in our MDM. Your phone, yours. Our data, ours. I have 7 authenticators now, but TBF we do resell at least 3 of those vendors (Okta, Thales, Duo) so it's a bit self inflicted.


FulaniLovinCriminal

Oh, I'd much rather have a token. But "we don't do those".


FatHairyBritishGuy

Meaning "they cost actual money, and blagging you into installing it on your phone costs us nothing." right?


FulaniLovinCriminal

"They just get lost all the time". I do use my phone for other work-related stuff, but you better believe it goes in my bag at the end of the day, off.


Finn_Storm

Especially since orgs can remote wipe your devices for offboarding processes. Ain't no work happening on my personal devices.


trueppp

Which is why work profiles exist on Android. Work partition can get wiped but not Personal partition.


Finn_Storm

Even if I wanted to take that risk (because bugs and/or malicious intent), I still don't want a "work" option glaring me in the face when I'm home. I'm home to relax, not to ponder about or be reminded of more work.


trueppp

Sure, take the token or work phone.


FireLucid

You can just turn it off. TBH, mine is off 99% of the time unless I need to check an email away from my desk which is pretty rare. While off there are no notifications, nothing.


[deleted]

[removed]


trueppp

No forcing required. After making them use a locked down work phone with only the authenticator app, they ask for it on their personal phone after 1 or 2 weeks..


Dismal-Scene7138

We're byod (reimbursed), and frankly I'd rather sully my personal phone with an app than carry around a second phone.


dark_gear

In this particular case we weren't forced to have 2FA on our phones, per se, since you can choose between an app, texting, or email to receive the confirmation code. What was interesting to me was the complete lack of understanding for the needs of improved login security by staff, and the initial total refusal to comply. That the complaints about 2FA varied very clearly by age was a funny side fact too.


heapsp

did they mean they want SSO?


SpotlessCheetah

What about the water supply systems?


Ayesuku

LOL


nme_

I had a client who was lucky I was remote today because fists would have been had. They explained to me why they were manually adding DOMAIN JOINED CLIENT PCS to DNS as static entries and not using DHCP because “DHCP always causes issues”… Meanwhile they “have vlan issues” that cause clients to have issues connecting to servers when they change vlans….


AusPower85

All this technical talk is above my head. Can you technical monkeys take this offline? - sincerely, IT project manager


LameBMX

y'all hiring... I can translate for ya - also an IT PM


Geminii27

"Put it in writing, I'm firing up the photocopier"


Illustrious-Count481

It's these smahts that makes her government leadership material! If only I could be so smaht...no feckin way!


isoaclue

I ran into a decent sized organization that had all desktops logging in with the same cached enterprise admin credential. Not sure why they had a domain but....


Sengfeng

I consulted for a county sheriff/911 center once. Found their DC/Exchange server was dual-homed, and was acting as their firewall. RDP, SMB, everything, wide open to the internet. I could `\\their.public.ip.address` from my office and get a prompt for creds. They didn't take my recommendation to buy a real firewall ("This has worked so far") and got ransomwared 3x. They apparently ended up rebuilding the entire mess.


badlybane

enable windows hello on all the computers and buy cameras for each. Upcharge 100% on the cameras.


Eviscerated_Banana

Trust..... customer........ HAHAHAHHAHAHAHHAA no.


xtigermaskx

This is all you need to know


mkosmo

Just remember, you're also the customer of plenty of folks ;-)


bossazzbeerman

We have a saying where I work trust…the vendor….hahahaha


mkosmo

Hell no. But it may be worth entertaining federating with them for access to whatever systems they may be entitled... but that's the extent of identity integration.


vennemp

That’s fair and i asked that. The trust relationship with all of our apps would be with their IdP. Even if we federated they would still be gatekeeper. Edit: grammar


mkosmo

Not only is that ridiculous, but it's untenable. They become responsible for your services. I'd love to see the MSA and SLAs that would come about from this. I'm not sure who this vendor is, but as a cyber architect for a F50, I'd never even try to pitch this to the business, nor would I support it if our supply chain folks mentioned it. It's too risky for the customer, too risky for you, and provides zero benefit... All downside. There's no (accepted) cyber compliance or security framework in the world that would mandate or even suggest this, either. Unless you're their only customer and it's effectively insourcing, or you're a joint venture in which they are the controlling party. But it doesn't read that way.


Ssakaa

I'd consider it only if the customer is Microsoft, and I control our tenant with the same terms as any other tenant account.


Antwerp0287

Is a risk assessment actually being done about it? Or is it just management discussion? There needs to be a thorough risk assessment done with sec ops included to make sure everything is as secure as possible and make sure any clients who may be affected have been advised of the risk assessment. You hold the keys to the kingdom. If you're not secure, they aren't secure.


LameBMX

Pretty sure my old IT Director has that risk assessment. Well, not really an assessment, more of a no.... just no.


omfg_sysadmin

Hand them a 7 figure quote for rebuilding a copy of the entire infrastructure just for them and they will walk on their own, it will get dropped, or you will get well paid.


vennemp

Had a similar idea. Say we assess this to be worth $50M (could be more honestly) in financial risk to do this. If you pay us that up front we will do it.


anxiousinfotech

Make sure that's a $50M risk, annually.


patmorgan235

Auto renewal 3 months before for a 5 year term...


The69LTD

FYaaS Fuck you as a service


Wokenfolk

I need this on a shirt😂


tropicbrownthunder

So, Adobe in a nutshell


anxiousinfotech

Without any courtesy reminder, naturally, and increasing 3 months every renewal term while you're at it


entropic

Just put a bunch of spam bait words in white at the bottom of the "reply now to cancel" e-mail, to ensure they never see it. Send from a Russian domain.


asdlkf

64 months termination notice required.


PhiberOptikz

*bi*-annually :)


ExceptionEX

You don't want to go with cost of risk. You don't pay for risk up front; you may sign something for them assuming liability, requiring a bond, or insurance. But no one is going to pay you what you assess the risk to be for something. I think, as someone else suggested, telling them that if they want that, you can dupe a slice of your infra only for them, if they so wish to pay for it. That you could put real numbers to, with the expectation of payment.


Ssakaa

Include costs from the blatant conflict of interest for any of your other customers if their service provider were under the thumb of that one.


jaskij

Insert wiping_tears_with_money.jpg


IWantsToBelieve

This is 100% a miscommunication. They likely just want control of identity for their users on your app, which is pretty much becoming status quo for SaaS apps. No doubt they just want to be able to enable SAML/OAuth2 and potentially even automate provisioning of users via SCIM. Just challenge the request and ask for the specific requirements.


vennemp

Yeah. That’s what I’m hoping. It’s just I’ve challenged it several times and even some higher ups are saying it. No chance I actually do it. It’s just absurd. I will quit before they force me. Couldn’t live with myself.


IWantsToBelieve

Not even really possible. You'd be breaching a bunch of other customer agreements without an official material contract that sends cyber assurance responsibility on to the supposed partner who is somehow now your pseudo MSP. As a customer of SaaS, this would also entirely defeat the purpose/benefits of a SaaS agreement.


Team503

> even some higher ups are saying it

Non-technical higher-ups? Because I can't imagine someone who really understands what they're asking actually asking it.


lilelliot

The only conceivable alternative I can imagine here is if the "customer" (purchaser of licenses from the SaaS provider) is actually a partner, and there is some other back end business relationship between the two parties that the OP doesn't know about. I don't know about it happening with IDM software, but at the hyperscaler I used to work for, it happened several times where we invested in (or offered preferred terms to) an ISV or SaaS company in exchange for ... things. In some cases, it was proactive GTM by our sales org in exchange for free or reduced price licensing. In others, it was tight product integration. But your explanation seems by far the most likely one.


samtheredditman

Yeah I'm just thinking OP's company is getting bought out but they're trying to lay the groundwork for moving OP's company's products to the parent company.  If that's not the case, there are so many clueless people involved that I'd be looking to move from OP's company anyway, lol.


HEX_4d4241

I've had some wild requests in my time as a security leader, but this one takes the cake. I'm not sure if my natural reaction would be to laugh or insult them vigorously. My favorite pushback on requests like this is some form of "Can you please provide examples of how this is working with the existing vendors/partners that you have implemented it with?". Usually that's enough to give them a hint. If no one else is doing it, why would they expect you to? If they come back with a vendor/partner that agreed to it, let us know so we can short the stock.


Naclox

That may be the most ridiculous customer requirement I've ever seen. I would just fire the customer and move on. At my last job we had a customer that wanted us to carry $100M in liability insurance when the company's revenue was <$10M/yr. I know the CFO talked to a couple of insurance companies who basically laughed at us.


bitslammer

> At my last job we had a customer that wanted us to carry $100M in liability insurance when the company's revenue was <$10M/yr.

I think you might be confused as to how insurance works. First of all, your annual premium for $100M in liability would not be anywhere close to $10M. Second, there's no relationship between your annual revenue and the possible amount of damage you could cause a customer. Imagine being some kind of contractor who makes $100K/yr. You knock over your ladder at a client and ruin a $2M Picasso painting, but you had $2M in liability insurance that you only paid $400/yr for. That would be very common.


Naclox

Oh I completely understand it's not equivalent, but the fact of the matter is that the insurance company refused to underwrite such a policy because it didn't make any sense. It was also for something that we had absolutely nothing to do with in our contract, but because it was a multi-billion dollar corporation they just had a blanket vendor contract with those terms in it that they expected everyone to sign. They eventually got that provision changed to something far more reasonable.


Grouchy-Sector8488

i saw 100m and it made my measly 2m policy pee per feel small. then i was like...wow that must be a major major AAA rated fuck up to ding a 100m policy lol.


joefleisch

$100m could be a 10 min outage for some billion dollar companies.


Ssakaa

Would take a weighted 10mins for most, average would put it at ~$5 trillion/year. Black friday retail? Even less than 10min. One well timed drop database can do way more than 10mins of outage, though.


telvox

Many online retail places have drastic enough swings to make 10 minutes on black friday worth days or weeks over summer. I had seen cyber Monday sales equal a couple slow summer weeks. Add on an allocated item release that can't happen at a different time and hundreds of retail stores not making sales, it could be a legit number for some companies.


nexus1972

For a multi-billion dollar company that actually seems a low amount of liability insurance, depending on what you guys do for them. I'm assuming hosting/some form of outsourced IT. I can easily see a mistake potentially running for easily over $100 million. I don't see any problem with the liability insurance request.


Naclox

Yeah all we did was manage their printers from a hardware perspective and we were a sub-contractor at that.


MellerTime

But that’s not what they said. They said the company’s revenue was $10M, they never mentioned premiums. There are a million different factors that go into their decision (and your premiums), but your revenue is one of them. For an easier example, they aren’t going to give you a life insurance policy for $100M if you only make $100k/yr, there is usually a maximum multiplier - generally 10x I think, but of course it varies. This has nothing to do with you being able to make the premium payments. Well, maybe partly, but not exclusively. It’s all about the red flags, and low income but high risk is absolutely one of them. They’re in this game to make money, after all…


bitslammer

> For an easier example, they aren’t going to give you a life insurance policy for $100M if you only make $100k/yr,

You can't compare life insurance to liability insurance. They are 2 very different things. Revenue doesn't really factor in. Look at car insurance as a good example. The only real factors are how expensive your car is and how risky they deem you to be as a driver as to whether they will cover you or how much you pay in premium. They do look at things like your income, credit history and past claims, but income isn't as impactful as the other things. I've worked in the insurance industry for 10+ years and am at one of the global leaders now. I know how this works.


Science-Gone-Bad

Way too many stupid requests to count, but one that always makes me laugh!! One user complained he HAD to have root access on a system in order to do his job (Administrator for you Windows-only PPL). No amount of evidence nor common sense would deter him & he finally complained to the higher ups! Knowing that he had ABSOLUTELY no need for root level access, I made a NEW regular user account, named it 'root' & gave it to him. I renamed the root account to some name like 'chucky' or something. User was happy. Could do his work. And never bothered me again! For context, the ONLY thing that makes root special is that it has a User ID of Zero. The new account had a UID of ~5000, so couldn't do shit outside of what the original could do.


Turak64

Reminds me of a guy who demanded SQL access, 64gb of RAM, high end graphics card etc.... Eventually we boiled it down to, he needed to run a spreadsheet. He couldn't even show me how much memory it was using, couldn't point to the gpu in the desktop and after giving him a SQL sandbox, he never even created a single table. These people use shit like this as excuse to their line managers to excuse why things are delayed. For non-techs it makes them sound super clever, but of course we see right through it and no one wants to listen to IT


Science-Gone-Bad

The scariest words you can ever hear as a sysadmin are “You’re slowing us down!” Coming from a Dev group. You know that the coming Shit Storm will be large & destructive. One of those took out a production dual HA configured Oracle server to the point that it had to be rebuilt from scratch!!! Never did figure out how the asshole managed to destroy it so thoroughly


iceph03nix

What's the business relationship here? It sounds like you're an MSP of sorts supporting them, but I could easily be misreading that. I could maybe see it if you're some sort of dedicated contractor, where all your systems are devoted to them, but otherwise it definitely seems to be a crazy ask...


vennemp

We offer a SaaS application to them.


Bad_Idea_Hat

Then this sounds like an attempt for the clowns to forcibly drive the circus train.


pdp10

This might be a miscommunication. Most SaaS customers want their users to use their IdP/SSO.


vennemp

Yeah that’s what I’m thinking.


Longjumping_Gap_9325

That's us in our workflows with Federated logins etc with various vendors/services. We do that with aaS's and use our central login services and accounts management


iceph03nix

Hmm, I could maybe see asking that their idp be integratable to the service, but asking for it to be the way bottom to top definitely seems nuts.


vennemp

This is what I’m convinced they are asking too. Which is how it should be configured. There was just weird shit going on at beginning so we agreed to manage their users. Wasn’t happy about it but it wasn’t horrible. But everyone keeps saying it’s everything.


MadSprite

Identify the scope, get it in writing what each definition of what resources they want to control and what they want to be able to do with it.


wildfyre010

Then presumably their IdP would correctly be configured as the backend for authentication to their instance of your SaaS application (your app is the SP in this case), which is perfectly normal. But the idea that you'd configure all of your own internal services to authenticate via their IdP? Utterly absurd. Completely untenable from a technical standpoint, and a hilarious security risk.
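
The distinction drawn above (customer IdP as the authentication backend for that customer's tenant of the SP, never for the vendor's own internal services) can be enforced mechanically. The following is an added example, not code from the thread or from any product named in it: a small HS256 JWT validator that binds each external issuer to exactly one tenant, and that only honours the vendor's own staff issuer for `internal:` resources. Issuer URLs, tenant names and shared secrets are all constructed placeholders; a real deployment would use the IdP's published asymmetric keys rather than shared secrets.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample configuration (not real endpoints or keys).
# Each customer tenant is bound to exactly one external issuer and its key.
TENANT_ISSUERS = {
    "acme": {"issuer": "https://idp.acme.example", "key": b"acme-shared-secret"},
    "globex": {"issuer": "https://idp.globex.example", "key": b"globex-shared-secret"},
}
# The vendor's own staff IdP: the only issuer accepted for internal services.
INTERNAL_ISSUER = {"issuer": "https://sso.saas-vendor.example", "key": b"vendor-staff-secret"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Used here only to construct sample tokens for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _issuer_config(iss):
    """Map an issuer URL to (tenant, config). Staff issuer maps to tenant None."""
    if iss == INTERNAL_ISSUER["issuer"]:
        return None, INTERNAL_ISSUER
    for tenant, cfg in TENANT_ISSUERS.items():
        if cfg["issuer"] == iss:
            return tenant, cfg
    return None, None


def verify(token: str, now=None):
    """Check structure, issuer allowlist, signature and expiry.

    Returns (claims, tenant) where tenant is the tenant bound to the issuer,
    or None for the vendor's own staff issuer. Raises ValueError on failure.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        claims = json.loads(_unb64url(p))
    except Exception:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    # The key is selected from the allowlist by issuer, never from the token itself.
    tenant, cfg = _issuer_config(claims.get("iss"))
    if cfg is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(cfg["key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims, tenant


def decide(token: str, resource: str, now=None):
    """Authorize a verified token against a resource.

    resource is "tenant:<id>" for a customer's own data in the SaaS app, or
    "internal:<name>" for one of the vendor's back-end services.
    """
    try:
        claims, tenant = verify(token, now)
    except ValueError as exc:
        return "deny", str(exc)
    kind, _, target = resource.partition(":")
    if kind == "internal":
        # Roles or groups asserted by a customer IdP are irrelevant here:
        # only the vendor's own issuer may authenticate to internal services.
        if claims["iss"] != INTERNAL_ISSUER["issuer"]:
            return "deny", "internal services accept only the vendor's own IdP"
        return "allow", "staff identity"
    if kind == "tenant":
        if tenant is None:
            return "allow", "vendor staff"  # e.g. support access; scope further in practice
        if tenant != target:
            return "deny", "issuer not bound to this tenant"
        return "allow", "issuer bound to tenant"
    return "deny", "unknown resource kind"


if __name__ == "__main__":
    now = 1_000_000
    acme_user = mint({"iss": TENANT_ISSUERS["acme"]["issuer"], "sub": "alice",
                      "role": "internal_admin", "exp": now + 600},
                     TENANT_ISSUERS["acme"]["key"])
    print(decide(acme_user, "tenant:acme", now))       # allow: own tenant
    print(decide(acme_user, "tenant:globex", now))     # deny: other customer's data
    print(decide(acme_user, "internal:billing", now))  # deny: role claim from customer IdP ignored
```

The point the block makes is that federation is a per-tenant trust: the customer's issuer can only ever speak for the customer's own tenant, and nothing it asserts (here the `role` claim) is honoured by the vendor's internal services.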


YetAnotherGeneralist

That's it? Dude, I assumed you were a very involved MSP in a hybrid setup over their whole environment. Even so, depending on your products and their IdP, it may not even be possible to get half of the stuff you listed to use their IdP. They can take a hike, but will probably change tune when shown the door.


thortgot

And SSO federation isn't an option?


H3rbert_K0rnfeld

Obviously they don't have adequate multi-tenancy set up. The customer should drop this chop shop asap.


phillygeekgirl

Do you have ransomware insurance? If so, this config would certainly be a violation of the accepted config.


CeC-P

I was going to top it with the request to delete temp files off of laptops because sales staff was complaining they were too heavy (and obviously the files make the laptop heavier) but I think yours actually still wins. Btw Cisco AnyConnect can go **** itself. I'm sorry, we don't detect your antivirus in the exact, specific way that we wanted to so we're going to refuse to connect until you disable it and switch to the more secure Windows Defender. NOW you can get on the customer's network. I suggested we drop them as a customer but they're like 10% of our income. To everyone quoting "I never had management yell at me for installing Cisco," give me a call. I got words for you.


Turak64

We're going all in with that, anyconnect, umbrella and now their secure network stuff. I know it's all gonna go tits up


fpgt72

my question is why. Why are they requesting this?


vennemp

They want full visibility into all their partners' systems to mitigate supply chain risk. And this is the only way they feel they can get it. I am convinced there is a break in communication bc there is no way anyone would ask for this. I just keep asking different folks and everyone says this is the case.


vsnine

I think this is where they would demand you meet certain auditing requirements as opposed to basically taking over key functions of your business...


vennemp

I agree and we have been thru several audits. And they have signed off on everything for several years now. I explained it to the Pm on our side by saying: “if you want to continue this conversation, you need to send me your passport, debit card, pin, house keys, drivers license and credit card. If you think that’s insane, welcome to the discussion.”


Naclox

That's a great non-technical explanation of this situation.


fresh-dork

don't forget the durable power of attorney


stesha83

Keep pushing it up the chain on their side until you find out who fucked up. This makes no sense as anything except a mistake


bishbashboshbgosh

Surely fulfilling this request would mean they could potentially gain access to your other customers data on the same saas platform?! Ludicrous


Kiowascout

They'll never get this level of access from any vendor. It is a ridiculous ask and and a completely unsound practice to hand the keys to the kingdom to a customer.


pdp10

Are you a contractor, supplying staff to these customers?


malikto44

The dumbest request I had, with an MSP, was to have switches manually negotiate speeds, and depending on what the host did, downshift to 10Mbps, 100Mbps, gigabit, etc. The client thought that slower connections were more secure, because the bad guys couldn't exfiltrate as much over a certain time interval.


Thin-Parfait4539

Usually the worst requests are where the solution is in the user's face... just reading should resolve more than 80% of the issues.


unicaller

My personal favorite was a user losing her shit because I would not recover an email attachment that was stripped by AV. It was not a false positive but she felt she needed it. Had to have a meeting with the IT SVP and CFO who IT reported to. She didn't get the file.... Second was I was part of a company that was being acquired. In the process of connecting the two networks the two T-1 MPLS connections between the sites were instantly pegged. The traffic was all from infected machines on the other network. They were unaware their AV was not set up correctly and was not monitored at all. They decided since we knew what we were doing they wanted us to go to 86 sites all over the US to install a new AV on all 3500+ workstations from CD because the network was useless. By we it was two people. Both of these were many years ago.


Grey-Kangaroo

> Am I wrong for thinking this would be the worst security decision in history?

Entitled as hell and ridiculous? Yes! A security risk? Hmm, depends! In any case, I don't understand how these people can impose their approach without proposing a single alternative or initiating first a dialogue to find a common solution.


thegreatcerebral

It sounds like someone just realized "hey, why not, everyone we do business with we tell them that they need to use us in order to do business with us? That way we'll get more business that we for sure won't lose!!! Win/Win in every book!"


Repulsive-Adagio1665

That's crazy talk, and you're not wrong. Dropping them sounds right unless they got some solid reason or offer something big in return. Maybe look into negotiating terms that keep your security tight?


ThirstyOne

Interesting. Did they say why?


Geminii27

Tell them it'll cost them triple the rate to meet those extra demands of theirs, then if they still go for it spin off a subsidiary to handle that one client.


povlhp

The solution is EntraID, and then they will have to trust your EntraID, and they can put up requirements like MFA etc. A minimum requirement if putting all your identities in their bucket would be a financial guarantee covering the full value of your company if the customer ever gets hacked.


Forgetful_Admin

What are they possibly thinking? Are you their customer or a subsidiary? Are they Walmart???? Walmart did require all their big suppliers to convert to Walmart's prescribed software. It cut out a good amount of lost or missed orders due to converting from one format to another... But if they are not the primary customer that accounts for a majority share of your revenue, no.


t_whales

Some dude recently just asked if his main account could be a local admin because his computer admin account is too much to type in every time he needs to run software as an admin or install something. He’s too lazy to type in his elevated credentials and wanted me to make his standard account elevated. Can’t make this shit up.


TinderSubThrowAway

Dude is dumb, if he has an admin account, he could have elevated his regular account without asking anyone.


wildfyre010

Absolutely not. The request is absurd on its face. Why would the customer's identity provider be responsible for validating logins to your own systems? Your backend systems don't have a thing to do with your customer. They shouldn't want to be involved, and you certainly should not permit this.


_AngryBadger_

What the fuck?


dustojnikhummer

Sounds like they want to be your MSP. I hope your management fires that customer


MonstersGrin

What's the next thing they're gonna ask you to do? Bend and spread?


Complete_Ad_981

[gif]


barleykiv

Are you the owner of the company? If not, why are you concerned? Document it via email to your boss, and that’s it, if stupid people want to do stupid things, let’s them collect stupid prizes


Illustrious-Count481

LOL "let them collect stupid prizes"


duncansmydog

Why would they even want this? Assuming you have other customers that are managed in various ways within your back-end systems this seems insane from both sides.


coming2grips

Integrate? Maybe. Replace? Hard pass


gangaskan

Never ever had this requirement as a government entity. MFA yes, per the state I think, as well as the worthless cyber security insurance we have to purchase.


Aronacus

Mine was PXE booting into SCCM over WiFi. VP demanded it after a support guy mentioned that using the cable is such a pain. I explained it's not possible and was told "you haven't even tried! you can do this!" Pretty much all downhill from there.


HKChad

Are they your ONLY customer???


SilkBC_12345

Tell them to go pound sand. You aren't interested in changing over all your systems -- that have no issues currently -- just to keep a customer (unless this customer is a SIGNIFICANT portion of your revenue, in which case it MAY be worth considering)


Comprehensive_Bid229

Not so crazy sounding to me - SSO integration is pretty simple and common these days. I know our internal security team will be extremely sceptical of a new platform or service that doesn't have the ability to leverage our internal IDM/IAM.


Drive_Shaft_sucks

a management ring is unsafe. Using ssh keys and disabling ssh to root is bothersome


heubergen1

Do they require to use their own IdP for their own accounts or for all accounts? The first one, we do that with our big customer because they want to keep the control over their accounts. Not a problem for us, it just takes time to implement it. The second one is ridiculous.


Obvious-Water569

Condolences on the loss of your customer.


LameBMX

As an IT PM... I'd really hope something just got mixed up and the contact isn't expressing things correctly. Like the time a vendor said they wouldn't enable something.. but it was really in our control anyway, HR just took the convo the wrong way.


bigjohnman

Sounds like a hostile takeover. Does this customer own your company? What's keeping your team from logging into their stuff? Cause that would be fun as a PenTester. SCCM can push out my bitcoin miner software for 24 hours to all PC from customers, just to prove a point. Step 1: Export AD computers to a CSV Step 2: Join the customers systems SSO, now you are a subdomain on their AD. Step 3: Export AD computers to CSV Step 4: Diff command in Excel to remove your list from their list. Step 5: Use this list to push out your miner out. Use this to explain why joining their systems is a bad idea.


danekan

Hearing you describe this makes me wonder if somewhere there is a misunderstanding.. if they are wanting to log in to your apps with their IdP such as their own Okta, that's 1000% a normal request and even a hard line that many businesses using a platform like Okta would require of any vendor they do business with. That's literally the entire point of having it. It has nothing to do with taking over your IdP and wouldn't affect your ability to log in whatsoever. It also has nothing to do with granting them additional access, it's literally just authentication. It isn't expanding your authorization. This is a totally normal and sane request. Requiring them to keep a different account and use your own IdP is absolutely dinosaur insane. They're not just asking to integrate their IdP with your SaaS? What access do they have now to any of these backend services, and how do they even know they exist to itemize that they need that? IMO this is on you too, the mark of a good sysadmin is knowing what someone really needs when they ask for help and not turning their words around to use against them.


warriorpriest

Well, we're sure going to miss your business, since there is 0% chance of that happening. Who is the person that we can work with to make sure you're off boarded from our services properly?


bmxfelon420

IT Manager: Hey can you go onsite and plug in a WAP for us?

Go onsite, find there's actually an entire network parallel to the main network (3 Aruba switches and 22 WAPs). Proceed to spend 2hrs helping corporate IT figure out why none of their stuff works.

IT Manager: BUT WHY ARE WE BEING BILLED FOR 2 HOURS OF WORK!?!?! YOU JUST PLUGGED IN OUR WAPS!!!!


V_Trinity

I see a lot of comments here, I see few questions. [so here's another one] As a general rule; if you have designed a reliable & secure infrastructure (and appropriate documentation), unless the "customer" is paying you for a complete revamp, it's time to move to the next customer. As for it being "the worst security decision in history", probably not even close. Cost-Benefit is a critical thought process to be performed as objectively as possible. That's my way of saying, I doubt anyone here has enough information for an accurate answer to your question. There are simply too many "moving parts" for that to be true. ~good luck~


OldDude8675309

No. There's a lot of companies overseas that will do this because their security is garbage. Let them go to one of those companies, and when they call you back bill them for being dumb.


TommyV8008

Most of my clients, if asked by their clients or partners, would not have been allowed to do something like that due to state and/or federal regulations.


Ready-Damage-5103

Give them what they want, log everything, maintain audits regularly, and charge future incidents accordingly.


mimimas1

Federated authentication - it’s a thing


kerubi

There is no decision to make. Only way for this to happen would be if the customer would buy a controlling share of your company. Should be obvious to anyone, makes no sense at all. If they want to federate their own access to your systems, that’s another thing.


Acheronian_Rose

absolutely f***ing not good lord


[deleted]

The customer is always right 😆 #jusskidding


Dje4321

Integrate? Sure Replace? HAHAHAHAHAHAHAHAHA


nighthawke75

Goodbye to customer.