It saddens me that Microsoft cannot properly implement zero trust principles or account-based access control to their DevOps environment. VDI and VPNs are not secure, no networks are secure!
First, I wouldn't be so harsh on them: statistically, the probability of successful attacks increases with the size of the company, and having lived long enough I consider it a miracle that the likes of Apple and Microsoft had seen so few leaks.
Second, zero trust is a very specific concept that basically refers to not trusting networks traditionally considered as more secure, such as corporate LANs. It is definitely not a panacea, not to mention that no large company, including Google, is able to implement it in full without incurring enormous costs.
Third, whatever you do, it's extremely difficult to protect against an inside job. I'm not suggesting it was the case at all, I'm just saying it's better not to jump to conclusions too hastily.
- Based on the perennial Patch Tuesday issues I am surprised it did not happen sooner.
- Zero trust is a journey. We should accept that networks cannot be secure and instead look to implement principles of ZT away from the network. I like the open source OpenZiti project as a way to put strong identity and ZT principles into our apps. It's not a panacea but it does make access and exploit much harder.
- Correct, though if using attribute-based access controls we can at least massively limit what an insider could get access to... 37GB of source code across multiple different projects at first blush looks like more than what 1 single user should have access to.
> I work in the cyber insurance industry. This is not true.
Really? I mean our small company has never had our codebase breached and released by hackers, while Microsoft and their subsidiaries have had this happen several times. Similarly Twitch, GitHub, Valve... all have suffered source code breaches similar to the article.
None of the small companies I have ever worked for have had this issue, so it does seem that large tech companies have a higher probability of having their codebase successfully leaked.
We are also talking about Microsoft, which is probably amongst the top companies that are targeted the most by hackers across the world (mainly because of the impact when they are breached, rather than the ease of breach).
I assume when OP talks about the likelihood of a successful breach, they don't mean the success % of a breach, they mean the total number of successful breaches. When I worked at a big company the security team seemed to be putting out small fires all the time with targeted phishing attacks and so many laptops that could have missed an update, virtual machines getting ransomware, etc. Now that I work for a smaller company and look after their IT as part of my role, we have only had 1-2 fairly small issues across the last year.
I thought they tried that already with Windows Vista. I mean... it seemed to at least share a lot with Blockchain since the initial release had more variations than anyone cared to track, was slow, confusing, expensive, and hardly anyone used it despite all of the hype....