> Stop right there. Then the decision is already made. Seriously. Even with air-gap, they've got a major hole.

Yes, I know... :( This problem has two facets -- malicious outsider and untrustworthy insider. I have a combination of solutions available that can considerably mitigate the risks for the former, but little that can even reasonably slow down the latter. I'm going to ramp up auditing as well, to help close the window on how long it takes us to find out if there are any potential loss scenarios. But, that is where we are, given the culture and budget. IOW, technology is only a small part of this issue...

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Thu, Dec 17, 2015 at 1:35 PM, Michael B. Smith <[email protected]> wrote:

> Well….
>
> > > Hand in all electronic devices at the door. Most will learn fairly quickly to leave them in their car or at home.
> >
> > They'll air-gap before they do this one. :)
>
> Stop right there. Then the decision is already made. Seriously. Even with air-gap, they've got a major hole.
>
> I can take a video on my phone of a dev paging through source code. Far faster than it's readable on the screen by a human. Take it home. OCR frame by frame. And now I own all the keys to the castle.
>
> And this is all using free tech.
>
> If you allow smart devices in the door, you've lost the game.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
> Sent: Thursday, December 17, 2015 1:14 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Protecting Sensitive Source Code
>
> Hey, MBS:
>
> > If you have a particular dev you don't trust, fire him/her.
>
> Yes, that's my starting point, but apparently there are folks we trust a little bit, so we need to give them *some* access, but not all of it. :)
>
> > You could up the ante with MFA beyond 2FA. Require a second party to participate in providing a key to unlock the repository.
>
> Good point. I'll see if they want to go there...
>
> > And, presuming we are referring to Windows, ensure that you are using GPOs that prevent the use of any USB devices.
>
> Already done -- I should have mentioned that.
>
> > Hand in all electronic devices at the door. Most will learn fairly quickly to leave them in their car or at home.
>
> They'll air-gap before they do this one. :)
>
> Regards,
>
> ASB
>
> On Thu, Dec 17, 2015 at 12:49 PM, Michael B. Smith <[email protected]> wrote:
>
> > If you have a particular dev you don't trust, fire him/her.
> >
> > You could up the ante with MFA beyond 2FA. Require a second party to participate in providing a key to unlock the repository.
> >
> > And, presuming we are referring to Windows, ensure that you are using GPOs that prevent the use of any USB devices.
> >
> > Hand in all electronic devices at the door. Most will learn fairly quickly to leave them in their car or at home.
> >
> > I've seen the first two used at "big money" companies. The last at military installations.
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
> > Sent: Thursday, December 17, 2015 11:03 AM
> > Subject: [NTSysADM] Protecting Sensitive Source Code
> >
> > Good morning:
> >
> > Does anyone happen to have any experience with the protection of sensitive source code?
> >
> > Essentially, we're looking to ensure that we can adequately mitigate the risk of critical portions of the code being copied and used inappropriately.
> >
> > This is beyond any protections (real or imagined) offered by the following, which we have in place today:
> >
> > -- An NDA
> > -- Restricted access to the source code repository, on a need to know basis
> > -- Two-factor authentication to access the repository (being considered)
> >
> > An air-gapped network is not currently on the table for discussion. :)
> >
> > Regards,
> >
> > ASB
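Michael's suggestion that "a second party participate in providing a key to unlock the repository" is usually implemented with threshold secret sharing: the key that wraps the repository (or its encryption key) is split so that no single holder can reconstruct it alone. The example below is added here and is not code from anyone in the thread; it implements Shamir's scheme over a prime field, and the sample key and the 2-of-3 holder roles are assumptions made for illustration.

```python
import secrets

P = 2**127 - 1  # Mersenne prime; all arithmetic is in GF(P), so secrets must be < P


def _eval_poly(coeffs, x):
    """Evaluate the polynomial a0 + a1*x + a2*x^2 + ... at x, mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, n_shares):
    """Split `secret` into n_shares points (x, y); any `threshold` of them recover it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    # a0 is the secret; the remaining coefficients are uniformly random, which is
    # what makes any set of fewer than `threshold` shares reveal nothing about it.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def combine_shares(shares):
    """Lagrange-interpolate the shared polynomial at x = 0 to recover the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def issue_repo_key_shares():
    """Constructed scenario: wrap key split 2-of-3 between a dev lead, a security
    officer and an offline escrow copy; unlocking needs any two of them present."""
    wrap_key = secrets.randbelow(P)  # stands in for the real repository wrapping key
    shares = split_secret(wrap_key, threshold=2, n_shares=3)
    holders = dict(zip(["dev-lead", "security-officer", "escrow"], shares))
    return wrap_key, holders
```

A single holder's share (one point on a random line) is statistically independent of the key, so compromise of one person or one store does not expose the repository.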
