@robyoung
Created March 24, 2017 21:47
Scale Summit 2017 - Session 1 - Renew - Onboarding / Maintaining Engineers
Adding people on day one, then ongoing maintenance of them when people move
around teams.
What do people do?
Can people deploy on day one?
Some people do deploy on day one, others do not.
One person, working on a very small team:
- Very small team
- We just need your github account to deploy to live
- Invested a lot in the initial setup of the dev environment
Another person, in an organisation of ~1500 people (half technical).
Source code internally hosted on bitbucket. Two internal AD domains.
Trello board template
- Given to the new hire and the line manager
- Covers technical things
How do you do the rolling off process? Do you have to check a big long list
of access? (lots of people nodding at that being hard)
Not all things have APIs which makes automating the roll off process hard.
Have they exited on good terms or bad?
Minimise the number of things you have to authenticate with
Someone points out this sounds like a good product for someone to build.
Yes, Meldium (https://www.meldium.com/) does this. But not everything is
handled by it.
We have an offboarding trello. It contains things like: transfer all your
Google Docs to someone else.
It's self managed unless the person is leaving on bad terms.
Also an epic spreadsheet of who has access to what with regular reconciliation.
Some apps are much more important than others.
Some people use 1password for teams. Others use lastpass enterprise.
Sounds like it helps with knowing who has what access but not what
those creds are.
One person suggests discussing access and credentials as part of the exit interview.
One person has a tool that you enter your github and your ad and it will set things
up for you.
When the AD account no longer exists then you will be removed from everywhere.
Apparently Guardian had something similar where you had to have a github account
AWS accounts are the bane of my life
- Have multiple AWS accounts
- We're moving to federated identity
Another person points out there is a certain amount you have to do to manage
keys
Another person agrees, they federate to an internal AD. They have found production
servers running with personal AWS keys.
We have an SSO account. Github repo with users and access.
Central account that gives IAM roles to developers
No one ever has an account in the customer accounts
If you have a large company with lots of IT, they must have a system for sending
end user device patching
Has anyone done this at a small to medium scale?
That's what we do; search for 'managed service providers'
I've heard of Boxen used for this.
Others have had bad experiences with Boxen.
At our organisation we have three classes of device
- Managed device on classified networks
- Managed but not super locked down
- You must update within 24 hours if we saw something bad
- Eset? product
- Unmanaged devices
- Moving away from this
- Hold developers accountable; if you don't look after it you don't get your bonus
- People shy away from policy but if it's light touch it should be ok
- We're going to start running red team exercises against own teams
- Consulting a lawyer about this; certain levels are allowed, installing
rootkits etc legally not ok
We are migrating to using jamf pro (https://www.jamf.com/) for Mac device
management
Many people do not realise that you need different approach for technical
and non-technical.
What about contractors?
Some have a list of stuff that needs to be installed
Others provide devices for contractors as well
Does anyone work in an environment where they do not have a trusted network?
Google Beyond Corp (https://research.google.com/pubs/pub43231.html)
What about maintaining people?
People leave because of stupid policy that they have to follow
A counter argument is that we have a tendency to cater to snowflake developers.
We need to have sensible conversations and explain why some things are not ok.
How far does that go? Do you get any choice?
It depends on what you're doing.
Coding on an iPod touch, not OK for building highly secure systems.
Has to be a trade off between the individual and the organisation.
If a team asks for something then it's a different story.
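Several points in the session (the "epic spreadsheet" of who has access to what, removing people everywhere once their AD account is gone, production servers found running with personal AWS keys, and keeping IAM users only in a central account) amount to one recurring job: reconciling a source of truth against every system that cannot be wired to it directly. The script below is an added example of that reconciliation; it is not code from the session or from any product named above. The directory user list, the per-system account exports, the AWS account ids and the access keys are all constructed sample data, and the field names are assumptions about what such an export would carry.

```python
"""Offboarding / access reconciliation across systems with no shared identity source.

Added example with constructed data. Assumes you can export, per system, a list of
accounts and (where known) the directory login each one belongs to.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    """One account in one downstream system (constructed sample shape)."""
    system: str                              # "github", "aws", "trello", ...
    username: str
    owner: Optional[str]                     # directory login it maps to, None if unknown
    aws_account_id: Optional[str] = None     # for system == "aws": which AWS account
    access_keys: tuple[str, ...] = ()        # long-lived credentials attached to it


@dataclass(frozen=True)
class Finding:
    severity: str    # "high" or "medium"
    system: str
    username: str
    detail: str


def reconcile(directory_users: set[str], accounts: list[Account],
              central_aws_account: str, prod_keys_in_use: set[str]) -> list[Finding]:
    """Compare the directory (source of truth) with every system's account export."""
    findings: list[Finding] = []

    # Index long-lived keys back to the account that owns them.
    key_owner: dict[str, Account] = {}
    for acct in accounts:
        for key in acct.access_keys:
            key_owner[key] = acct

    for acct in accounts:
        if acct.owner is None:
            # Nothing to tie this account to a person, so no AD removal will ever clean it up.
            findings.append(Finding("medium", acct.system, acct.username,
                                    "not mapped to any directory user; cannot be offboarded automatically"))
        elif acct.owner not in directory_users:
            # Owner has left the directory but the downstream account still exists.
            findings.append(Finding("high", acct.system, acct.username,
                                    f"owner '{acct.owner}' has left the directory; remove account"))
        if acct.system == "aws" and acct.aws_account_id != central_aws_account:
            # Humans should only exist in the central account and assume roles elsewhere.
            findings.append(Finding("high", acct.system, acct.username,
                                    f"IAM user in non-central account {acct.aws_account_id}; "
                                    f"use a role assumed from {central_aws_account} instead"))

    # Keys observed on production hosts should belong to instance roles, never to people.
    for key in sorted(prod_keys_in_use):
        acct = key_owner.get(key)
        if acct is None:
            findings.append(Finding("high", "aws", "<unknown>",
                                    f"key {key} in use on a production host but absent from every export"))
        else:
            findings.append(Finding("high", acct.system, acct.username,
                                    f"personal key {key} in use on a production host; replace with an instance role"))
    return findings


# Constructed sample data: two active users, two leavers, one unmapped bot account.
DIRECTORY_USERS = {"alice", "bob"}
CENTRAL_AWS_ACCOUNT = "111111111111"
ACCOUNTS = [
    Account("github", "alice", "alice"),
    Account("github", "carol", "carol"),                                   # carol has left
    Account("aws", "alice", "alice", CENTRAL_AWS_ACCOUNT),
    Account("aws", "dave", "dave", CENTRAL_AWS_ACCOUNT, ("AKIAEXAMPLEDAVE0001",)),  # dave has left
    Account("aws", "deploy-bob", "bob", "222222222222"),                   # user in a customer account
    Account("trello", "svc-bot", None),                                    # nobody owns it
]
PROD_KEYS_IN_USE = {"AKIAEXAMPLEDAVE0001"}   # constructed: seen in a prod host's credentials file


def main() -> None:
    for f in reconcile(DIRECTORY_USERS, ACCOUNTS, CENTRAL_AWS_ACCOUNT, PROD_KEYS_IN_USE):
        print(f"[{f.severity}] {f.system}/{f.username}: {f.detail}")


if __name__ == "__main__":
    main()
```

Run it and the report lists carol's GitHub account and dave's IAM user as leavers to remove, the IAM user sitting in the customer account, the unowned Trello account that no AD deletion will ever reach, and dave's personal key still in use on a production host. The same loop works for any system that can export an account list, which is the point made in the session: the hard part is the systems with no API, and those still have to be covered by the spreadsheet.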