Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Quote cybersecurity unquote
From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Wed, 6 Nov 2013 22:27:52 -0600

trying. If they can't do system administration or system operations,
they're going to step away from the plate and let Amazon or Google or
whoever do it. Overall, this is probably for the best.

unfortunantly you are misinterpreting what they are leaving up to Amazon
and Google.

They aren't outsourceing the system administration, all they are
outsourcing is the hardware administration.


In many ways, much of what's going on in cloud computing is a step
backwards for security. While cloud computing can make doing upgrades
easier for good admins, it also makes it easier to keep running old
software without patching it. Look at how VMWare is pushing their products
for the desktop by advertizing that people will be able to keep running
Windows XP forever.

Hold on. There are multiple trends in security here that you lump into the
same bag:
- "Cloud" describes little more than a billing model (subscription O&M),
and a form of provisioning (the "elasticity"), and some business glue.
Amazon sells you a slice of a hypervisor, Google used to sell managed
python execution containers, SalesForce lets you build a CRM-related
applications as plugins into their data and services. Save for the Amazon's
case, who needs sysadmins? If you have 3k Amazon instances, but all of them
run the same code, you need a deployment specialist that is more of a
programmer than a sysadmin. No one will fix a node, there is no capacity
planning, log rotation, account provisioning - those are fixed at much
higher scale, or done via APIs. You sysadmin here is called an Architect,
and knows Chef/Puppet/etc like you knew /etc.

- Why bother with Amazon? Same hardware in the corporate data center, and
people you can actually talk to? Let's see - I have an app, we want to have
a load balancer, 5 front caches and 2 backed DBs provisioned in 3 days. Oh,
your lead on hardware is 2 weeks, and we did not do this architecture
before? DNS issues? Ah, the cabling you guys did not do for 3 weeks... IT
is either a commodity, and begins to see competition on price with other
options, or it's a well run organization that is fiercely competent and
pragmatic. I see much more of the first kind.

-  I have 35 sites where upgrade from XP to Win7 costs $0.5 mil a pop.
Those are not offices, there is no added functionality we will get from Win
7. No, I were unable to plan ahead. We saw the wall, and when we tried to
pull brakes, it turned out that we run drum brakes from the 20's on bicycle
width tires - no braking power :-) What now? Mitigation. I gave Bromium a
call, they are more than happy to help, more work will happen. We will fix
the issue in 2-3 years, when the money will be spent on an lifecycle
replacement and, for the same money, we will get very important new
features (the XPs are fronts to big machinery that comes integrated). Yeah,
I know. I just work here... We will run XP, in VMs and on hardware, for a
decade or more.

- Security is maturing. Whether I like how it goes, the NIST standard work,
and the adoption talk surrounding it begins to smell like a talk on best
practices. Never mind all of the folks who will have to adopt it. I talk to
lawyers and insurers, they slowly are taking notice, and the poor security
volk will be hit with slow professionalization of the occupation. The
network security of the late 90s is no longer in demand. Openflow demands
serious networking skills and some programming skills. DevOps can run
immensely secure infrastructures, because their service model requires very
tight change control, minimalist capabilities on production nodes and all
admin actions are scripted. There is very little chance for a non-standard
configuration errors, or unnoticed config errors. Yes, mono-cultures are
bad. Yes, mistakes still happen. It's a much better model than state of an
average old school (10 years ago :-) Unix DMZ. Sorry, good security people
are in huge demand, expensive, and they will not work and behave as they
did 10 years ago.

- Marcus is right. Cloud raises the bar or, more likely, allows cluefull
folks to run faster than the pack. Drop code on a VM (different spend
structure), use providers host security offers, integrated Nessus scans,
cheap 24/7 alerting, CloudFlare for WAF/DDoS/CDN, some DNS provider, and
you have a formidable setup that can be administered part time. Is it
better than the traditional way? No, but a lot of people can't afford the
typical solution and finding good people who can build it on a budget is
hard. The outcome is very different, but it took the market by a storm.

Marcin Antkiewicz
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]