TechHui

Hawaiʻi's Technology Community

Our servers incorporate unicorn horn technology!

Hello, My name is Brian and I have an IT problem.

(Hi Brian)


Actually, we all do.

I started off a geeky, unsociable, and shy nerd hiding behind racks of whining fans, choking on stifling recycled air yet somehow always wearing a jacket. I enjoyed spending hours upon hours in dimly lit rooms configuring unix daemons and rebuilding systems. Sound familiar? No? I guess your 1999 was better than mine!

Last weekend I don't think I even used a computer more than a few minutes. I was too busy diving, eating out, swimming, watching aerial explosives detonate, slathering chemicals on myself at Waimea, cruising with friends, etc.. Email? Oh my phone does that. I don't even know what variants of HTML my android's browser supports. Do I care? Nope. It's a tool and as long as it does what I want pretty well.. that's good enough for me! I'm over technology, life is more interesting. The technology is my slave. I'm not going to waste much time messing with it.


...

How does your business do IT? Actually.. scratch that..

Why does your business do IT? Do you even know? You probably do... deep down inside.. somewhere - but many never ask the question. We have email and spreadsheets and servers and.. backups.. because someone said we should! Industry best practice! CRM systems are proudly paraded. "We can store over 10,000 client records and retrieve anyone's within 2 seconds". I can create bar charts from Istanbul from any of 32 different OLAP cubes! Oh yeah.. that's the stuff...

So? Has that helped your business? Has it translated directly into sales? Can you actually demonstrate that to me somehow? Even if you made more sales.. did that cover the cost of your systems.. your licenses.. your personnel.. your HVAC costs.. your extra floor space.. the distraction to your business.. the additional risk you (may) now outlay. If you're a non-profit you still need some sort of review process to ask - is it working for us?

Maybe it is working for you! I don't know your business - but I do know that if you don't have some pretty confident answers (even guesstimates?) to those questions then you're Doing It Wrong (tm).

It's really that simple.. if your IT department isn't making you money - it's costing you money - and probably far more than you realize!

"But we have to have one". Really? Why? Is your business IT? If not then.. what makes you think you are any good at something you know nothing about? Even if you do.. it may not be worth your time. I'm sure most CEOs know how to operate a lawn mower. Doesn't mean we'll see them out there mowing their corporate HQ lawns. Opportunity cost? Oh yeah.


I'm not here to talk about outsourcing though.

...

Somewhere along the way.. many of us forgot that the whole point of IT was to support our business processes. That is.. the stuff that actually makes us money. I care about visualizing sales records only if it somehow helps me understand my product.. my market.. my customers.. etc.. If it's just a pretty picture.. well that's nice but .. not interested.

Now.. I realize I'm probably mostly preaching to the choir (At least I'm picturing Dan applauding and toasting me from his lemur mug collection - if he didn't have one before he will start one now).

Okay so if we can get over our fetish for "cool stuff" and surrounding ourselves with massive SANs and fat 10GE pipes.. where does that leave us? Do we get rid of technology? Heck no, we almost certainly need IT.

But we need to remember that IT is just a tool - the bubble that holds our information which facilititates our business - and a sysadmin is fundamentally no different than a facilities manager (sorry guys, it's true!).

...

IT used to be really hard. It's easy now. COTS stuff is great. Building your own is almost always a waste now. Yeah there are exceptions - you aren't one. I know it's cool. Get over it. We simply don't need big IT departments like we used to anymore.

Perhaps we shouldn't have Information Technology departments anymore.. let's replace them with.. Information Services departments or something (okay I'm bad at making up sexy names). I do think even something as subtle as continuing to call it "IT" furthers our problematic "throw systems at the wall until they stick" mentality for resolving our broken content policies. It's not about the technology!! It's about what you do with it. Make it your slave. You should have such great IM/KM people that you're throwing resources at them to improve how your BUSINESS works - tech is merely a vehicle for it!

This is why I think many of our organisations are broken and need restructuring. Too many remain tech-driven and systems-heavy with CTOs and oft-forgotten CIOs and Process Improvement guys languishing in a forgotten corner. I think it's because we like tangibles. You can pat a server and see what your money bought. You can demo that new web sales system you spent $300k on. Even if your $1M dev project fails.. well you can point to actual.. debris?

But.. Fixing the process for your sales data reporting? Rewriting your business rules for storing personally identifiable information (PII)? You want our employees to *gasp* change how they do things? Ugh.. that sounds hard.. can't we just buy more servers? Throw some crypto at the problem?

Nope, sorry - doesn't work that way. I realized this more than ever from reactions to the recent revelation of a PII breach at UH's Parking Office.

Instantly everyone asked! Why weren't they outsourcing! Wasn't it encrypted? Who was monitoring the network? Asleep at the wheel!!

Hardly anyone else seemed to wonder.. WHY the parking office had that information? Did it resolve an actual business requirement for the parking office? I don't see how. If it did then it would have been much smarter, cheaper, and simpler to fix the business process that "required" that information. Adding encryption, using better software.. centralizing your systems - yeah those are probably smart.. but if you don't even need to store the information in the first place! Well that's a grand slam.

I'm not picking on UH though - well not too much, they did mess up. But realistically most of us have this problem - we just delude ourselves. I applaud them for their transparency in the matter - many institutions do not reveal their breaches. I'm sure they have a policy on this and it just wasn't being followed here.

We have bought into the idea that information = power and the more we can amass; the more powerful and better positioned in our market sector we will be. That we'd just cram everything onto disks or a database and we'd rejoice as the money we dumped into IT systems magically produced.. candy.. mmm. Sorry it doesn't quite work that way!

Is information power? Absolutely. It's also a risk though.

And you need a plan.

And yep, it's hard.

Get over it.

Views: 54

Comment

You need to be a member of TechHui to add comments!

Join TechHui

Comment by Brian on July 27, 2010 at 10:06am
Like Dan said, there are different types of background checks and I assume the LAPD simply requested a different type/basis. If that's the case then it's just administrivia and has little to do with security.
Comment by Daniel Leuck on July 26, 2010 at 10:37pm
Paul - As you are obviously not taking what I'm saying at face value, which is fine - its good to be skeptical, why don't you ask a Google employee what goes into the screening process, learn about Google App security from their Director of Security and / or visit a Google data center?

Note that SAS 70 Type II audits include verification of control activities, including policies on background checks. The fact LAPD is requesting additional information on background checks could simply indicate they prefer a different type of check. Its hard to respond to this without knowing the details but, having done a fair amount of business with state agencies, I can do some informed guessing about the possible bureaucratic hang ups. :-) I can also assure you that the systems they currently use are not more secure.
Comment by Paul Graydon on July 26, 2010 at 9:16pm
Brian, would you not consider it a bit concerning that such background checks weren't already in place? If not at Google, where else hasn't yet?
Comment by Daniel Leuck on July 26, 2010 at 8:35pm
Beyond straight security measures your security is only as strong as the weakest person in your company, or most malicious. If you trust your data to a vendor you need to implicitly trust every single one of their employees that has any access to your data.
True, but again, all the same factors come into play. Do you really think your company is doing more rigorous screening and has better physical and procedural security than a company with a dedicated security team and $150 billion to lose? Google has thought of these things ;-) If you visit a Google data center the level of security will be immediately evident.

I was going to address your comments about encryption, but Brian has done that nicely. Security breaches are almost never due to cracked encryption. The overwhelming majority of breaches are due to simple human error - using a stupid password, sending information in clear text or forgetting to lock a door.
Comment by Brian on July 26, 2010 at 8:15pm
I don't think anyone with a bit of sense will disagree there is always some risk. Ceteris paribus, a solution with lower risk is still better.

You don't need to trust them for a) and b) if you use encryption and b) can be resolved through doing your own
backups to either your own infrastructure or another vendor.

Suitably implemented encryption is hardly ever cracked in the wild. Systems that utilize encryption (poorly) are cracked all the time. Asymmetric-key systems are not used for bulk encryption of content anyway but as an element in PKI. You'd use a symmetric cipher like AES or Twofish to protect large amounts of data.

Encryption of data as commonly utilized in RDBMS' and similar systems is useless anyway since the software needs access to the key in order to decrypt it. Therefore the system itself still needs to be protected. Encryption can protect backups, archival data-at-rest, transmissions, etc..

I'm not surprised in the least if a deadline was missed due to background check delays.
Comment by Paul Graydon on July 26, 2010 at 8:06pm
That'd be the problem with lunch-time brain splurge, didn't mean to quite say that your own network is as secure as the cloud, but that both have security risks, different in each case, and that that should play part of any analysis, and that is more than just firewalls and infrastructure.

Beyond straight security measures your security is only as strong as the weakest person in your company, or most malicious. If you trust your data to a vendor you need to implicitly trust every single one of their employees that has any access to your data, a) Not to access it unnecessarily , b) Not to pass on data to third parties, c) Not to destroy it and backups.

Hmm. Maybe that's a point for consideration when you make the switch too: backing up your own data from the cloud.
Sure Google/Microsoft/Amazon are insured for data loss and theft, and so you'll get a large payout but that can't compare to actually having your data.

Any encryption you use to store data on a service does nothing to avoid the inherent dangers in trusting people with access to your information.

Encryption can be cracked, at varying levels of cost, an absolute must has to be 2048bit for RSA, if not higher, and can mitigate both a) and b) provided people are smart enough and not lazy enough to take the effort. Sadly you're dealing with the masses ;) Encryption is a hassle unless you have systems in place to make it transparent to the actual users (e.g. Carbonite backup, you can encrypt it yourself if you wish within their agent on your machine.)

Google has reportedly missed their deadline for providing a replacement service for LA. The last I read this morning it was claimed it's because Google hasn't got a full background check on everyone that could have access to the data, which is an LAPD requirement. I sincerely hope that's a false claim.

Hmm.. I think I still come across as sounding critical of the cloud and I'm not, it definitely has its benefits, uses, and can generally be seen as a positive thing, but don't go in with eyes closed, and don't forget that even if you don't go to the cloud, you've still got your own security concerns.
Comment by Brian on July 26, 2010 at 7:46pm
Plus I have photographic evidence that Ikayzo does in fact operate some test/dev servers in-house rather than storing them in a cloud somewhere!
Comment by Brian on July 26, 2010 at 7:44pm
The moment you don't have direct control over your data you have no control at all.

Possession and access control are not the same thing. I can store encrypted data in Amazon S3 - they possess it and they can deny me access to the data - however they cannot access it themselves.

So yes, DoS attacks are possible if the provider goes rogue on you - but then if you used only one that would be your single point of failure. Depending on your risk posture, the processes you support, and the uniqueness of the content this may or may not be acceptable.

Fundamentally this is not much different than storing all your data on a single volume without backups.
Comment by Daniel Leuck on July 26, 2010 at 7:35pm
Disclosure: We do business with Google and Amazon. I also want to mention that, like Brian, I'm not picking on UH. Everyone makes mistakes. As my wife often reminds me, I make plenty of mistakes :-) UH disclosed the breach and took corrective action as soon as it was discovered. They also promptly notified all affected parties.
Comment by Brian on July 26, 2010 at 7:32pm
Dan already covered most of what I would have said..

We have about a dozen or so major air-walled networks, 4 or so of which are quite large, and probably hundreds of unknowns.

Having a lot of networks doesn't solve the problem, you just create sprawl and make management (and security) a nightmare. Plus they're inconvenient which means people bypass your rules. Not to mention inefficient which slows your business down in general. For most systems being networked is a requirement. If we accept that it's actually worse to have more networks - then the only option is to have one or a few.

This is why SSL is kinda silly nowadays. Nobody is going to bother doing large scale collection/traffic analysis (except perhaps the government) when it is much easier to steal it from a database somewhere.

Whether or not something is connected to the Internet has nothing to do with how secure it is. You're thinking purely in terms of compromise - but that is not the only threat to information. My mail stored in Google's cloud is tremendously safer than if I kept it on a bunch of flash drives that I carried around with me.

Sponsors

web design, web development, localization

© 2024   Created by Daniel Leuck.   Powered by

Badges  |  Report an Issue  |  Terms of Service