I saw a comment yesterday about how IT admins have to restrict the privileges of other developers on their machines and was surprised to learn this. I simply thought that employees in the software industry were essentially at equal parity in terms of their departments, and that the admin department was there just to centralise all the work done by other departments and keep track of the status of their systems. I did not think there would be a need to apply child locks on other employees’ systems as I assumed that a person working in an industry like this would have basic computer literacy to know what is safe and permissible by company policy to execute and what is not.
This may come off as being too naive of me, but I genuinely want to understand what the hierarchy in such a company is actually like. I always thought of workspaces in the software industry to divide labour laterally and there would be no need for administrative powers apart from the management to exist, at least in regard to regulating other workers’ actions beyond normal workspace policies. It would be extremely kind of anyone to shed light on this matter.
In the environments I’ve worked in it was always a battle between IT and the programming staff.
I once had to deal with a homebrew worm because one of the devs wanted more compute power and took over the network.
A lot of people assume IT and developers are cut from the same cloth but the professions are quite different.
From an enterprise security perspective you want to operate with a least privilege model. For developers who need admin access this is typically granted through some just-in-time temporary elevation process, but many developers who are writing code and pushing builds through a DevOps CI/CD pipeline may not need admin to do their jobs.
Even if people working in the field know what is safe and what is not, it does not mean that the company, product or customer is safe, too.
First, if something goes wrong, you need to prove that everyone did the right things. This is difficult if everyone had unrestricted access to everything. Think of a company with thousands of workers…
Second, if everyone has access rights, hacking one account of a company means that the hacker has access to everything too.
Third, not everyone is always doing everything with good intent. If someone has been fired, they might be angry and just delete the most important files.
Fourth, mistakes happen.
I work in software at a large corpo and I don’t normally have access to install anything that doesn’t come from the company’s internal repository of third party apps.
But there is a preinstalled app on my laptop that I can use to get temporary admin access for my laptop in a few seconds. But while the temporary admin access is on, everything I do gets logged for accountability. I’ve used this temp admin before for setting some environment variables.
Most things I work on happen in a big cloud provider (AWS, GCP, Azure, etc.) and the role I have access to on our cloud provider account has very limited privileges (esp in prod). Adding a new privilege to the role needs to go through two rounds of peer review + one round of manager review.
Developers tend to install a lot of little things (without any research into the trustworthiness of those things) that then never get patched and lead to an ungodly pile of detected vulnerabilities to clean up.