How did things end up this way? I'm massively frustrated by the stupidity of our security team and it gets worse each year. And I've tried to explain this stuff about web apps exactly like you just did but it never quite gets through, and when it does it gets a response like "well, we should probably find a way to restrict web apps as well".
I know for a fact that none of the people doing systems administration who install this junk endpoint management software actually want to install it. And it's laughable that corporations can simultaneously claim to be implementing zero trust while at the same time giving CrowdStrike software more trust than anything ever had before everybody decided they wanted to chase buzzwords. It can take weeks for me to get a new hire set up with WSL right now. If I didn't like the people I work with I would have jumped ship a long time ago.
Security teams have managed to threaten and bully their way into having more power than anybody else in IT. All the big stories about hacking are certainly part of it, but honestly I don't think that fully explains it. If I were a CIO paying an enormous amount of money for endpoint management and then saw something like SolarWinds happen, I'd probably have fired everybody on the security team who advocated those sorts of security strategies.
In my mind, security is something that should happen deep in the backend and be handled mostly by programmers, DBAs, and the admins that handle application servers. Once the data has left those environments with somebody it shouldn't have you have already lost. No hacker has ever said "I breached the database, but then got stopped from exfiltrating data because somebody made it so the USB sticks don't work".
Security teams don't bear the costs of reduced productivity from saying no, but bear all the blame if they make a wrong decision to approve something. So they're heavily incentivized to say no.
Like many principal-agent problems, it requires someone appropriately situated to weigh the costs and benefits.
If that doesn't happen, it gets borne by someone, usually shareholders who pay in reduced profits and eventually capital destruction as these companies get ossified and disrupted.
"You cannot be blamed for bad decisions if you make no decisions".
Far easier to say no to everything; that way either your manager takes the blame when they overturn your decision, or you are blameless when Shadow IT takes over.
That, and it allows you to skip the troublesome business of understanding user needs.
> "I breached the database, but then got stopped from exfiltrating data because somebody made it so the USB sticks don't work".
It might be a generational thing; at some point I know people actually had Napster running on their work computer, or were torrenting porn movies. That's how the whole Metallica thing happened. That feels absurd to me in today's corporate env.; for better or worse the work/private split has really come a long way.
Malware spread by physical media was also a thing for a while. It's not just about getting stuff out; a lot of the restriction on USB is about not getting things in.
PS: on the "why" of all that...I'd say Windows. Platforms all have their weaknesses, but Windows opened the doors wider than anyone else IMHO.