Scale Summit 2017 - Session 1 - Renew - Onboarding / Maintaining Engineers
Gist by robyoung, created March 24, 2017 21:47
Adding people on day one, then ongoing maintenance of them when people move
around teams.

What do people do?

Can people deploy on day one?
Some people do deploy on day one, others do not.

One person, working on a very small team. We just need your GitHub account
to deploy to live. We invested a lot in the initial setup of the dev environment.
- Very small team
- We just need your GitHub account to deploy to live
- Invested in initial setup of dev environment

Another person, in an organisation of ~1500 people (half technical).
Source code internally hosted on Bitbucket. Two internal AD domains.
Trello board template
- Given to the new hire and the line manager
- Covers technical things

How do you do the rolling-off process? Do you have to check a big long list
of access? (lots of people nodding at that being hard)
Not all things have APIs, which makes automating the roll-off process hard.
Have they exited on good terms or bad?
Minimise the number of things you have to authenticate with.
Someone points out this sounds like a good product for someone to build.
Yes, Meldium (https://www.meldium.com/) does this. But not everything is
handled by it.

We have an offboarding Trello. It contains things like: transfer all your
Google Docs to someone else.
It's self-managed unless the person is leaving on bad terms.
Also an epic spreadsheet of who has access to what, with regular reconciliation.
Some apps are much more important than others.

Some people use 1Password for Teams. Others use LastPass Enterprise.
Sounds like it helps with knowing who has what access but not what
those creds are.

One person suggests discussing access and credentials as part of the exit interview.

One person has a tool that you enter your GitHub and your AD into and it will set things
up for you.
When the AD account no longer exists then you will be removed from everywhere.
Apparently the Guardian had something similar where you had to have a GitHub account.
AWS accounts are the bane of my life.
- Have multiple AWS accounts
- We're moving to federated identity
Another person points out there is a certain amount you have to do to manage
keys.
Another person agrees; they federate to an internal AD. They have found production
servers running with personal AWS keys.
We have an SSO account. GitHub repo with users and access.
Central account that gives IAM roles to developers.
No one ever has an account in the customer accounts.
If you have a large company with lots of IT, they must have a system for
end-user device patching.
Has anyone done this at a small to medium scale?
That's what we do; search for 'managed service providers'.
I've heard of Boxen used for this.
Others have had bad experiences with Boxen.

At our organisation we have three classes of device:
- Managed device on classified networks
- Managed but not super locked down
  - You must update within 24 hours if we saw something bad
  - ESET? product
- Unmanaged devices
  - Moving away from this
  - Hold developers accountable; if you don't look after it you don't get your bonus
  - People shy away from policy but if it's light touch it should be ok
- We're going to start running red team exercises against our own teams
  - Consulting a lawyer about this; certain levels are allowed, installing
    rootkits etc. legally not ok

We are migrating to using Jamf Pro (https://www.jamf.com/) for Mac device
management.
Many people do not realise that you need a different approach for technical
and non-technical.

What about contractors?
Some have a list of stuff that needs to be installed.
Others provide devices for contractors as well.

Does anyone work in an environment where they do not have a trusted network?
Google BeyondCorp (https://research.google.com/pubs/pub43231.html)
What about maintaining people?
People leave because of stupid policy that they have to follow.
A counter-argument is that we have a tendency to cater to snowflake developers.
We need to have sensible conversations and explain why some things are not ok.
How far does that go? Do you get any choice?
It depends on what you're doing.
Coding on an iPod Touch: not OK for building highly secure systems.
Has to be a trade-off between the individual and the organisation.
If a team asks for something then it's a different story.
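The AWS identity pattern described in the session above (one central SSO account that hands IAM roles to developers, nobody holding an account in the customer accounts, and personal long-lived keys turning up on production servers as the failure mode) is sketched below as an added example. It is not part of the original notes and is not any participant's tooling. The account IDs, the role name "Developers" and the sample credentials file are constructed; the AKIA/ASIA key-ID prefixes are AWS's documented convention for long-term IAM user keys versus temporary STS credentials.

```python
import json
import re

# Constructed sample values, not from the session notes: a central identity
# (SSO) account where people authenticate, and one customer account that
# should contain no human IAM users at all.
CENTRAL_ACCOUNT_ID = "111111111111"
CUSTOMER_ACCOUNT_ID = "222222222222"
CENTRAL_ROLE_NAME = "Developers"  # hypothetical role name in the central account


def developer_role_trust_policy(central_account_id, central_role_name):
    """Trust policy for a role that lives in a customer account.

    The only principal allowed to call sts:AssumeRole on it is the named role
    in the central account, so developers reach the customer account by role
    assumption from the place they already authenticated, never through an
    IAM user or long-lived key created in the customer account itself.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::%s:role/%s" % (central_account_id, central_role_name)
            },
            "Action": "sts:AssumeRole",
        }],
    }


def foreign_principals(trust_policy, central_account_id):
    """Return every Allow principal that is not a role in the central account.

    A wildcard, an IAM user, or a role in some other account in this list means
    the 'nobody has an account in the customer accounts' rule has a back door.
    """
    expected_prefix = "arn:aws:iam::%s:role/" % central_account_id
    offenders = []
    for statement in trust_policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        if principal == "*":  # the form "Principal": "*"
            offenders.append("*")
            continue
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for arn in aws:  # "*" inside the AWS list is caught here too
            if not arn.startswith(expected_prefix):
                offenders.append(arn)
    return offenders


# Long-term IAM user access keys start with AKIA; temporary credentials issued
# by STS (what AssumeRole or an instance profile hands out) start with ASIA.
LONG_TERM_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_long_term_keys(text):
    """Access key IDs in text that belong to an IAM user rather than an STS
    session. Found on a production server this is the 'personal AWS key'
    problem: the host should be using an instance role (temporary ASIA keys),
    not someone's credentials pasted into ~/.aws/credentials."""
    return LONG_TERM_KEY.findall(text)


# Constructed sample credentials file, using AWS's documented example key values.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[assumed-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = constructed-session-token-EXAMPLE
"""


if __name__ == "__main__":
    policy = developer_role_trust_policy(CENTRAL_ACCOUNT_ID, CENTRAL_ROLE_NAME)
    print(json.dumps(policy, indent=2))
    print("foreign principals:", foreign_principals(policy, CENTRAL_ACCOUNT_ID))
    print("long-term keys on host:", find_long_term_keys(SAMPLE_CREDENTIALS))
```

With this trust policy attached to a role in the customer account, a developer signed in to the central account runs `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/<role-name> --role-session-name <name>` and works with the temporary credentials that come back; `foreign_principals` is the reconciliation check to run over every customer-account role's trust policy, and `find_long_term_keys` is the thing to run over servers to find the personal keys the discussion mentioned.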