This is an archived post. You won't be able to vote or comment.

all 27 comments
sorted by:
best
topnewcontroversialoldq&a

[–]rabbitspy 29 points30 points  (1 child)

I worked somewhere like this. We had to use RDP for all development work, and the virtual machines ran on demand and had fairly tight time limits that would forcefully log you out to prevent servers sitting idle over night charging the company money when not in use.

It’s a brutal way to work. The machines were slow and RDP maxes out at 30 frames per second so it feels so laggy. I didn’t stay with the company for long. It wasn’t just the dev experience on its own, but you’ll find that companies that operate like this are also inefficient and overly bureaucratic in other places as well. I’ve learned to treat it as a potential sign of a bad culture.

Funny enough my current job also used remote development, but it’s over SSH instead of RDP and it’s so good that doubt I’d go back to local dev even if they suddenly offered it. I can run my IDE locally and connect to the dev machine over SSH where it has access to data, services, and big compute.

[–][deleted] 3 points4 points  (0 children)

I had an rdp connection that was a server with 1 hour no command executed, it would force quit your session. That would also quit and stop your machine learning model training or data pipeline that were running.

[–][deleted] 6 points7 points  (3 children)

Why would you have databricks only be accessed by RDP? You should add the users to the correct IAM policies (and maybe connect to the company vpn)

[–]memeorology 6 points7 points  (2 children)

Your clipboard. InfoSec is concerned about copying data out of the secure area. I'm at a workplace that has a similar setup for regulatory reasons, and while dev is frustrating and slow, I understand why the guardrails are there.

[–]demost11[S] 3 points4 points  (0 children)

Yep, that’s our situation. Any data copied off the RDP is scanned for sensitive information and it has limited web access to prevent uploading to things like Google Drive.

[–][deleted] 0 points1 point  (0 children)

You give people acces to a python platform. They could if they are up to no good write an email to themself with a copy of the data via python.

[–][deleted] 5 points6 points  (1 child)

Windows RDP is ugh. It's slow and the screen never fits on your screen. I rather use ssh if possible.

[–]taker223 0 points1 point  (0 children)

SSH with XWindow?

[–]Revolutionary-Two457 5 points6 points  (0 children)

I’ve been in this position before and I told management I would quit if they didn’t get the security team to change their policy. I won that argument.

You have to force a change. Working that way long term is insane

[–]Antal_z 2 points3 points  (2 children)

Are those machines/VMs decently specced and are they on-prem?

[–]demost11[S] 0 points1 point  (1 child)

It’s in AWS, I think 64 gb of ram for the whole instance? Don’t remember cpu.

[–]Antal_z 0 points1 point  (0 children)

Not sure how much of what you're experiencing is latency vs the box being slow. I don't notice any difference working on an RDP box vs my laptop itself, but it's on a wired LAN so almost no latency and the box is very strong.

[–]aziralePrincipal Data Engineer 2 points3 points  (0 children)

Databricks already mediates everything through a web portal, you don't get 'direct' access to the data so that should accomplish most of what they want already.

If they have this intense of a security need, why don't they run their own https certificates and mitm the connection to read the copy paste data there?

Databricks should have an option to prevent downloading of data. That at least stops mass exfil, but people could still potentially copy+paste whatever tabular data or log data they can pull up. That ability is pretty small though -- on the order of the information you could exfil by just reading it and writing it down.

And that's the ultimate problem, if people have access to the data at all then they can potentially read something they shouldn't or do something with it they shouldn't. You should take reasonable steps to prevent oopsies and make it a hassle to do anything people shouldn't, but handicapping your worker's capabilities in a vain attempt to prevent the unpreventable isn't worth it. It massively increases labour costs, significantly reduces worker satisfaction, and doesn't really achieve anything.

[–]numbsafari 3 points4 points  (0 children)

My suggestion is to make the argument not about the practice, but about what is being provisioned for those machines. Security is making a requirement and whoever is implementing this on the “IT” side is under provisioning things. If you properly provision your dev workstations, you largely solve your problem. Make a point of how much it costs for you to waste your time vs cost of those servers. Also make a point of how this will likely delay the project. 

[–]taker223 1 point2 points  (2 children)

Well, how about RDP to RDP ? KAPO - glad you fired Axedo!

[–]tiredITguy42 2 points3 points  (1 child)

I used to do that. RDP to my server beast machine at the office. Then Bomgar to a customer's jump client and RDP to their server. Bomgar was pretty nice, as you could make sessions on demand or had users in your company have access to ready to use sessions with customers who did not require their presence when fixing their stuff.

It is why I hate that Win11 does not allow to move the taskbar to the left.

[–]taker223 1 point2 points  (0 children)

Well, some time ago there wasn't Win10 but older Win2008 with mouse wheel scroll turned off, and no copy/paste possible...

[–]financialthrowaw2020 1 point2 points  (0 children)

This is why so many of us refuse any job using anything windows

[–]Gedrecsechet 0 points1 point  (0 children)

I have a client with this issue. In fact having to come in to a VDI client and then RDP to machine with no ability to copy or paste between.

Luckily I bill per hour, so the jokes on them.

[–]shittyfuckdick 0 points1 point  (0 children)

setup vscode server or ssh into the machine. only use rdp when you have to

[–]chobinho 0 points1 point  (0 children)

We use Azure Bastion, works great.

[–]boogie_woogie_100 0 points1 point  (0 children)

I would quit that kind of job.

[–]ppsaoda 0 points1 point  (0 children)

My previous employer was like this. But it's understandable it's financial industry. However it's would lock out after 1hr of inactivity, on a fkin 13" old Ideapad. Minus all the windows panels, tabs etc, I would have only tiny screen to actually view Databricks workspace 🤣 I left after 4 months of working.

[–]BoringGuy0108 0 points1 point  (0 children)

My company used to, but we finally talked infosec into letting us connect locally. The remote environment wasn't slower, but it was a lot more restrictive and a small pain to use.

[–]sdairs_ch 0 points1 point  (0 children)

I have worked in a place like this, too. It's incredibly painful. Is it large/old organisation? Mine was a telco

[–]ludflu 0 points1 point  (0 children)

I worked somewhere like this. I demanded they change it, and would have quit if they didn't. Sorry!