Some tidbits while tinkering.

Category: FUD

SAN – I’m not such a fan

Reading this story at AnandTech reminded me about why I’m not such a fan of SAN.

First off, I think it has uses. There are definite use cases for highly available, network available, high performance SAN installations, I just think there aren’t as many as SAN vendors would like you to think.
It’s an enticing option, the nirvana of expandable storage available across the network at lightning speed, with high reliability, a range of enterprise level features, things like de-duplication, virtualised storage, highly dynamic provisioning, simplified backup etc.

But in general, it’s just:

  1. Far too expensive to be worth it.
  2. Underperforming in real workloads.
  3. Expensive/hard to put in, expensive/hard to maintain, and forces you on an upgrade cycle that seems to be unfair to the consumer.

My general rule, from time in the industry, is that it’s expensive to scale out in hardware, and cheap in software. SAN doesn’t obey this rule, and for an industry obsessed with horizontal scalability, SAN is a distinctly hierarchical model – it’s just that it lets you believe you’re scaling horizontally, when you’re not.

As they explain in the article, far better than I can, SAN has underperformed for a massively long time, and requires a huge expense, largely glossed over by the vendors, for maintenance, specialised skills to manage, specialised networks, specialised, custom (normally hard to get) hardware, and doesn’t necessarily provide significantly improved provisioning times over traditional storage. It’s also, for me, a massive single point of failure, from experience. We had firmware issues with our SAN environment at one stage that took down whole sections of the data centre, and wiped out our backup arrangements because they were local, and on the same, misbehaving SAN. Admittedly, there were a range of other issues that caused that scenario – but we were sold equipment expecting it to do, and behave, much better than it actually did.

Now virtualisation is a special case in the SAN conundrum, and it’s no accident the biggest SAN vendor had the cash, and the reason, to snatch up the biggest virtualisation vendor. SAN provides a range of benefits for virtualisation, allowing increased flexibility, but how many people really use it? vMotion is probably one of the biggest benefits, but underused in practice.

The real problem, as I see it, is the lack of a cheap method of abstracting storage in software, while taking advantage of the new range of SSDs available, to have the advantages that companies like Facebook have in abstracting their storage, without paying the SAN price.

We need something like the Hadoop/CouchDB revolution in Big Data to happen in storage virtualisation.

The good news is companies like Fusion-io are working to bridge this gap. I’m hoping that after they forge their way, enterprising minds will work out how to do a passable attempt within open source, and we’ll finally have a storage layer that works. Until then, we need to keep waiting, but hopefully, if we have enough control of the application itself, individual companies can build their apps to use cheap IOPS on local PCIe SSDs, while implementing caching to external storage pools.

BYOD and MDM – why Bother?

Vito Forte with Fortescue Metal has recently commented about not overcomplicating mobility.

For me, the idea of BYOD, and the normally draconian rules applied if you purchase an MDM solution seem diametrically opposed.  The process seems to be:

  1. Allow BYOD because someone told you it would save money.
  2. Somebody freaks out about security, and lack of control.
  3. The solution is MDM!
  4. MDM is expensive.  And nobody wants to install it.
  5. And thus, some companies even go to the point of purchasing the devices that they were meant to get employees to buy!

MDM is honestly, a fantastic tool for enterprise fleets, in particular those with needs to roll out and manage enterprise software, or who have very strict requirements on what their mobile userbase do.

But it doesn’t meld well with BYOD.

Typically, most of what people want MDM to do (passwords on devices, and remote wipe – really, that’s the typical useful limit!) can be done via ActiveSync policy settings in Exchange, which almost everyone runs, or via something like Google Apps, which supports the same functionality. You don’t get encryption, but it should soon be easily accessible on Android and iOS devices, even on a per-app basis, which is the essence of BYOD.
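To make the ActiveSync point concrete, here is an added example (not the author’s code) of the two controls the post says are usually enough, a device PIN and remote wipe, expressed as Exchange ActiveSync mailbox policies. It assumes the Exchange 2010 cmdlet names (Exchange 2013 and later renamed these to the `*-MobileDeviceMailboxPolicy` and `Clear-MobileDevice` family) and an Exchange Management Shell session; the mailbox address, policy names and device identity are placeholders.

```powershell
# Added illustration, not code from the original post. Cmdlet names are the
# Exchange 2010 ones; later versions use *-MobileDeviceMailboxPolicy and
# Clear-MobileDevice. The mailbox and device identities are placeholders.

# A policy that enforces nothing: any device can sync with no PIN at all, and
# devices that ignore policy ("non-provisionable") are still allowed in.
New-ActiveSyncMailboxPolicy -Name "BYOD-Weak" `
    -DevicePasswordEnabled $false `
    -AllowNonProvisionableDevices $true

# The baseline the post describes: a PIN is required, simple PINs (1234) are
# refused, repeated wrong PINs wipe the device, the screen locks after
# inactivity, and devices that cannot honour the policy are refused sync.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -AllowNonProvisionableDevices $false

# Assign the baseline policy to a user's mailbox (placeholder address).
Set-CASMailbox -Identity "jane.doe@example.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Remote wipe, step 1: list the devices partnered with that mailbox so the
# right one can be chosen.
Get-ActiveSyncDeviceStatistics -Mailbox "jane.doe@example.com" |
    Select-Object DeviceFriendlyName, DeviceType, LastSuccessSync, Identity

# Remote wipe, step 2: <DeviceIdentity> is the Identity value from the listing.
# The wipe is queued and executes the next time the device connects.
Clear-ActiveSyncDevice -Identity "<DeviceIdentity>" -Confirm:$false
```

The `-AllowNonProvisionableDevices $false` setting is the one most often left at its default; without it a client that simply declines to apply the policy still gets mail, so the PIN requirement is only as strong as the client’s willingness to honour it.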

Then all you need to do is make sure you encrypt data in transit, even using the new iOS per-app VPN feature, and even better, use the new iOS SSO features (not yet publicly released) to make multiple app sign-in relatively painless.

You lose the ability to have enterprise software roll-outs happen automatically, but both Android and Apple seem to be recognising the difficulty with enterprise apps and BYOD, and working hard on solutions. Expect iOS 7 to have a number of improvements to this, and there are ways around it on Android already.

My point is, don’t treat mobile as something to over-regulate because you don’t understand it. The new security models and improved overall device constraints make the average mobile significantly more secure than the average desktop – even most policy-secure desktops. Embracing the new systems with a little thought will allow more flexible deployments, and keep the bean counters happy.

It seems unusual that news articles such as this would indicate so many people would quit the cloud over PRISM. The crux of the matter is that most of the places people would host with could be easily accessed by any law enforcement agency that really wants the data anyway. The real news is how quickly they can get it, and that the court order frameworks are really just rubber stamping. This is not a surprise to many in the security community – in fact, I think it shows they are just doing the job properly.

It’s key to note that should a company or person choose to host any of their data in a hosted location – it will be available to local law enforcement.  This isn’t anything new, only the data provided by major US companies is.  The worrying thing isn’t those that publish the information, it’s the ones that don’t.

Also of concern to people is that foreign governments are cooperating with the US in data collection. To that I say – isn’t that the point? Don’t we want allies combining their data to allow them to pursue the investigations they need to? This is the real reason many hosters are not harping on about PRISM, and in particular why Australian hosters aren’t jumping on the ‘Host-Here-Avoid-PRISM’ bandwagon. They simply won’t know; or, more likely, many know that it does occur, and they’d be silly to risk a statement like that backfiring.

Users of any off-site service should know:

  1. Your information can be intercepted at any point by law enforcement or others if not encrypted from endpoint to endpoint. This isn’t new, but be aware of the issues with intra-datacentre traffic too.
  2. Any device can typically be imaged by law enforcement if they need to in the course of an investigation.  This is certainly more invasive and annoying for law enforcement than PRISM-like data collection, but possible.
  3. Information can (and should) be shared between jurisdictions if needed.  Again, not news, and less than the revelations around wholesale data sharing between intelligence groups – but the fact they can justify this level of expense means they were doing it a lot before anyway, but this method is cheaper, easier, faster.
  4. Personal data is available from many, many sources of probably equal scariness around your shopping habits, activities, things like search history, visited pages etc.  This information is given away by free apps to enable them to make money to provide services.  It ain’t cheap to be facebook – so how do they make money, off selling our data of course!
  5. Industrial espionage – data leaking to foreign companies – can be, and in a lot of cases by some obvious candidates is, state sponsored. This sort of thing is absolutely to be worried about by large-scale corporates with useful IP, or large-scale deals in play. The ease of eavesdropping and bugging at all levels of the data/telco stack is huge, and shouldn’t be discounted.
  6. Encrypt. And keep those keys secure!
  7. Use anonymising services, but don’t think it protects you that much. Things like DuckDuckGo just make the tracking a little harder to get around (it’s unlikely they are using proper obfuscation techniques to prevent analysis of network traffic from identifying searches) and won’t stop information from being transferred via other uses of free services. Get used to it, or opt out of modern social networks and services.
  8. Intelligence services now have reams and reams of easily accessible data from the internet, and don’t need court orders to get at it.  That just means they are able to act at the speed they hope they would, and big data is being used for something other than marketing.  Which is good.

Security and Continued FUD

After being in security for a while, and seeing the views of multiple waves of management, in multiple organisations, I’m starting to get jaded at our ability to see beyond our own noses. The FUD mechanism is really something I think should be put down. Whenever I see it, I just feel like it’s the last resort of either people with vested interests in short term sales, people without the ability to properly define the issue in terms of risk, or people just being lazy.

Case in point: this article, titled ‘Bad idea: Neglecting mobile device security’.

Now mobile security is one of my things, but on reading this article, it’s ridiculous.

It starts off as a SANS survey of the preparedness level of security experts on Mobile Device Security and Mobile Device Management, which is great, but makes the logical mistake of assuming that because a lot of security professionals aren’t prepared for BYOD, they are underprepared, and HP is happy to underline that point, and sell you some stuff to fix it.

Why do we keep doing this to ourselves as a group of (relatively) smart professionals?

As the Verizon report helps to back up, we don’t really have a problem with mobile security. We did a few years ago, and nobody let mobiles connect to sensitive stuff. But nowadays, there are many real solutions for securing the apps (not the mobile devices) themselves, and securing the backends, such that as long as mobiles have passwords/PINs and remote wipe capability, most enterprises are covered. I’ll go into the real threat model around mobile soon, but suffice it to say BYOD and the hype around it has more to do with security vendors’ sunk costs than it does with real vulnerability for most businesses.

So then why do we keep inventing issues for technology and policy to fix, hyping them up internally and to our management, and then getting disappointed when they don’t throw money our way? We need to wake up to the way salespeople are taking over our spiel to management and get back to finding ways to get what management wants done, done. Metrics based not on surveys, but on actual financial loss, wouldn’t hurt either.