Question

What do you make of this Reddit thread on deprioritizing things like MFA in 2021



There’s a rant floating around on the sysadmin subreddit about a CIO who says the company has “bigger fish to fry” than things like MFA. Is this an isolated incident in your opinion, or can you think of other sysadmins (yourself included) who are facing similar challenges in 2021?


13 replies


It's 2021...why is MFA not already deployed? We've enforced it since 2013. I've not read the thread but will look. Wondering if the CIO is only now working to get it deployed.


Yeah, that’s kind of bonkers. MFA should be a priority if it’s not already enforced. Unfortunately, not much context to go on with the thread as details are very sparse.


Also “It’s not a ransomware attack, it’s a surprise backup!” is hilarious


Sounds like (with limited context) the CIO is an idiot.

I’ll bite. I think it’s important to consider some of these things in context. Knowing nothing more than anyone else reading that thread, it reminds me of the gentle reminders I give my team or peers when they discuss some of these things… we’re in a bubble within a bubble. Like Twitter. It’s easy for us to go “WELL DUH MFA IS OBVIOUS YOU IDIOT” … but there’s a lot of organizations out there that haven’t even waded down that path yet.


Let’s take video conferencing for an example. I’m sitting here with access to more video conferencing apps than I can use at one time, but there are tons of companies (the logos of which I can see out my window right now on the city skyline) that maybe have VC enabled for one meeting room on the floor. I used to work at a place (of which there are people here who work there now) where only one room on the floor was VC enabled, and it was using AT&T Telepresence, and IT had to set up your meeting for you. I say this to posit the question of “well, yeah, it’s obvious, but if your infrastructure is so badly outdated or stagnant, maybe MFA is the least of your problems.”


And if I wanna get fancy-fancy, I could even make an argument that people should be thinking about how they can make MFA go away with something like context-aware access, removing the whole 2/MFA dance from the end customer or user. Certainly a dream, but not as crazy as it sounds. Anyway, this has been my contrarian thought leadership LinkedIn commentary for the day 😆


Context-aware access is basically MFA with a different name. (Something you are is a factor after all.)

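As an added illustration of the exchange above (context-aware access still evaluates factors, it just does so silently), here is a small Python policy that is not code from this thread or from any vendor product. It scores a request on signals an identity provider already holds: managed-device attestation (something you have), network origin and location history. Strong signals allow without a prompt, weak ones produce an explicit second-factor prompt, and the small set of high-risk systems is refused outright from an unknown device. The signal names, weights, thresholds and sample requests are all assumptions constructed for the example.

```python
"""Context-aware access decision: an added example, not code from the thread.

The policy never skips the second factor; it decides whether the device and
context already supply one silently, or whether the user must be prompted.
Signal names, weights and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource_tier: str          # "high" for the small set of high-risk systems, else "standard"
    device_managed: bool        # enrolled in MDM and presented a device certificate
    device_compliant: bool      # passes posture checks (disk encryption, patch level)
    network: str                # "corp", "vpn" or "public"
    country: str                # geo-IP country of the request
    usual_countries: frozenset  # countries seen for this user over the last 30 days


def risk_score(req: AccessRequest) -> int:
    """Weighted sum of risk signals; higher means less trust in the context."""
    score = 0
    if not req.device_managed:
        score += 40             # no possession factor at all
    elif not req.device_compliant:
        score += 20             # known device, but posture is out of policy
    if req.network == "public":
        score += 15
    if req.country not in req.usual_countries:
        score += 25             # location outside the user's history
    if req.resource_tier == "high":
        score += 10             # high-risk systems get a stricter bar
    return score


def decide(req: AccessRequest) -> str:
    """Return 'allow' (silent factors suffice), 'step_up' (prompt) or 'deny'."""
    # Hard rule: high-risk systems are never reachable from an unmanaged device,
    # regardless of any other signal.
    if req.resource_tier == "high" and not req.device_managed:
        return "deny"
    score = risk_score(req)
    if score < 15:
        return "allow"
    if score < 60:
        return "step_up"
    return "deny"


def decide_batch(reqs):
    """Map each requesting user to the policy decision for that request."""
    return {r.user: decide(r) for r in reqs}


# Constructed sample requests (not real users, devices or systems).
USUAL = frozenset({"US"})
SAMPLE_REQUESTS = [
    AccessRequest("alice", "high", True, True, "corp", "US", USUAL),      # trusted device, trusted path
    AccessRequest("bob", "standard", True, False, "public", "US", USUAL), # known device, out of policy
    AccessRequest("carol", "standard", False, False, "public", "US", USUAL),  # BYOD, needs a prompt
    AccessRequest("dave", "high", False, False, "corp", "US", USUAL),     # BYOD to a high-risk system
    AccessRequest("erin", "standard", True, True, "vpn", "FR", USUAL),    # trusted device, new country
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.user:6} score={risk_score(req):3} -> {decide(req)}")
```

The point the block makes concrete: "alice" never sees a prompt, but her managed device's certificate is still a possession factor checked on every request; the prompt only disappears for users whose context already proves it.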

But yeah, another example to your point would be if they have on-premises servers. Moving that to the cloud would be a priority over MFA in my opinion. Although they better be securing the cloud infrastructure with MFA. These things aren’t all or nothing either. How about targeting these high-risk systems used by 10% of personnel for mandatory MFA this year?


Yeah, or even “we’re still running legacy Windows 7 or XP infrastructure so my biggest problem is … you know, anything”


Don’t get me wrong though, were I that CIO, I’d probably be more careful to phrase that less… mm, arrogantly.


We also don’t know what the CIO actually said, to be fair.


I'm thinking those bigger fish must be pretty big!

