And to give some context to my question, I was in an argument with a cloud
developer discussing SSM vs SSH in Amazon AWS and they've disallowed SSH
"because we had a breach last year" (the breach was in their data center,
before they went to cloud, and improperly hardened SSH).
Anyway, the adage was thrown out that "industry best practices are hard to
argue with" - Meanwhile, him ignoring that ssh 'best practices' weren't
followed when the breach occurred.
His whole argument for using this convoluted ssm setup could be applied to
SSH hardening. Boggles the mind.
The SSM is convoluted as heck for users to get an SSM session then get an
ssh tunnel opened back up to your machine you download/upload trace files,
patch files etc.
Chris
On Fri, Oct 28, 2022 at 8:15 AM Jeff Smith <jeff.d.smith@xxxxxxxxxx> wrote:
Our ‘Best Practices’ are more like
‘What we think you should be doing’
But we know what folks are googling is ‘Best Practices’
I also hate this term, but it’s what the industry has landed on.
*From:* oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> *On
Behalf Of *Chris Taylor
*Sent:* Friday, October 28, 2022 8:11 AM
*To:* mwf@xxxxxxxx
*Cc:* oracle-l@xxxxxxxxxxxxx
*Subject:* [External] : Re: What's that line again about 'best practices'?
Thank you Mark!
On Thu, Oct 27, 2022, 4:28 PM Mark W. Farnham <mwf@xxxxxxxx> wrote:
James Morle suggested something along the lines that they should be
renamed Usual Practices (or something like that). I’ve called them Standard
Minimum Starting Points and I pointed out that the only best practice I
know of is to not allow things to be called best practices. Calling
something a “best practice” tends to stifle attempts to do better.
IF you can get something called a best practice into your service delivery
standards and you implement that practice, you have a legal defense whether
or not the users can do anything or not.
Nothing can be proven to be a best practice. Things called best practice
are sometimes really just good enough to be acceptable.
You’ve probably caught the drift I believe “best practice” is a harmful
term. Some things called “best practices” are really quite good initial
starting points or usual practices that are just fine unless you need
something better.
*From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Chris Taylor
*Sent:* Thursday, October 27, 2022 1:59 PM
*To:* oracle-l@xxxxxxxxxxxxx
*Subject:* OT: What's that line again about 'best practices'?
Mark or someone has an idiom I want to save this time....
Something about best practices being written by people who don't have to
support them or something .....
Chris
