On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
<morrowc.li...@gmail.com> may have written:
> My experience, and granted it's fairly scoped, is that this sort of thing
> works fine for a relatively small set of 'persons' and 'resources'.

Seeing as managing this sort of thing is my primary job these days ...

> it ends up being about the cross-product of #users * #resources.

That's the interesting part of the job - coalescing rules in a way that
minimises the security impact but maximises the decrease of complexity. If
you don't, you get an explosion of complexity that results in a set of
rules (I know of an equivalent organisation that has over 1,000 firewall
rules) that becomes insanely complex to manage. 

> certainly a more holistic version of the story is correct.
> the relatively flippant answer way-back-up-list of: "vpn"

I think that "vpn" is the right answer - it's preferrable to publishing
services to the entire world that only need to be used by empoyees. But
it's not cheap or easy. 

Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer

Attachment: pgp9x9K3M8fTy.pgp
Description: OpenPGP digital signature

Reply via email to