Let cloud apps manage your systems – if you have nothing to hide

Balance risks versus rewards


There are a growing number of cloud-based security and systems management (CSSM) applications available to consumers and small and medium-sized businesses (SMBs), and I am ambivalent about their use.

On the one hand, I am not a fan of things cloudy, especially where they involve trusting US-based companies*.

On the other hand, these products bundle together vital functionality in an easy-to-use package with an understandable licensing structure. Weighing the pros and cons is something of an extended exercise.

Before we embark on that journey, let's take a look at what CSSM applications do. Put simply, they make sure your computer is working the way it is supposed to. They include security features ranging from anti-malware management to website and email filtering.

They also typically include patch management, asset tracking, monitoring and the ability to push configuration changes out to groups of systems.

The three CSSM applications I can name off the top of my head are Windows Intune, SolarWinds' N-Able and GFI Cloud. There are umpteen cloudy competitors and innumerable on-premises offerings. In addition, the scene is muddled by applications such as Spiceworks, which cover some of the common CSSM use cases but by no means all of them.

Secrets and spies

First things first. I am in no way comfortable with any of my data – or that of my customers – going out to the US. At first glance a CSSM based in the US that can do everything from install updates on my PC to change my anti-malware settings looks like the perfect vector. But I feel that I might as well just hand over the administrative passwords to the NSA and be done with it.

So what? If the NSA wants to compromise the networks under my care it will do so, full stop. I once sat down and ran the numbers on what it would take to effectively hide something from our dragnet overlords and I realised that it would be a full-time job, and it would be expensive.

That's before you factor in that the attempt to hide from surveillance itself attracts surveillance, so you would need to be able to do so without appearing to do so.

Very little of what I – or most of us – do is worth stealing or spying upon. CSSM applications help keep out a lot of the bad guys.

They manage anti-malware applications, have web filters and manage updates for not just the operating system but the myriad other attack vectors as well. There are any number of on-premises applications that will do the same job as the increasingly popular CSSM offerings, but sadly, the on-premises applications can be expensive, clumsy and miserable to work with.

We are all of us far more likely to experience a financial loss to our businesses from some [expletive deleted] infecting our entire network trying to inefficiently mine Bitcoins than we are from the US stealing our secrets and selling them to our competitors.

Not worth knowing

On the risk versus reward sheet, I have the following to consider: what is the likelihood that without a security and systems management application my network will be compromised? How much would that cost? Will a CSSM mitigate that risk?

On the side of "risks introduced by CSSM applications" I have more questions. Do I have anything worth stealing? How likely is it an eavesdropper is going to notice that I have something worth stealing? By the time they have run the gauntlet to steal the info, will it still be worth anything? Can they ramp up fast enough to be a competitive threat?

A construction company can have several thousand PCs in play, all needing to be managed, and it will see a direct benefit from any management software that makes its task easier. It certainly has things it wants kept secret – bid amounts on contracts, formulae for building materials and so forth – but how likely this is to be targeted is an open question.

I am sure that my local super construction company's American competitors would love to know the details of its bids. But it's doubtful the NSA would even bother to play that game, let alone be able to get permission for it before the tender was up.

As for the building materials, well, if they find a competitor using a super-secret formula for über-cement, I'm absolutely positive that a Canadian judge would love nothing more than to give that one a thorough go in our courts.

On the other hand, if Hacky McHackerson manages to waltz through Yet Another Adobe Reader Vulnerability and cracks the financials system open like an egg, then said construction company will be the one before the court and our friendly local judge will look decidedly less friendly.

Enemies keep out

As a journalist, I keep an emergency kit set up that should – assuming I do everything else right – be untraceable enough to make the bastards actually work for their supper. This might help me as a platform for single-use communication with a mythical future whistleblower who has prize-winning secrets to reveal.

If you have good reason to fear the spooks are after your lucky charms on a corporate level, a digital bug-out bag isn't going to save you. Even hiring professional paranoids might not be enough. So if you are a person – or company – of interest, don't use a CSSM.

That statement may seem somewhat facile at first glance, but there is a requirement to be realistic in your assessment about your own importance to the spooks, or lack thereof. An American CSSM is vulnerable to national security letters from the US government, yes, but there are plenty of other folks out there wanting a peek at what you are up to.

If you want to be doubly sure, you can find a few tools to monitor changes to the file system or changes to the registry on specific systems, or invest the time and money to run an on-premises security and systems management application.

Of all the options on the table, however, nothing at all seems the riskiest.

Risk versus reward: which solution will you choose? ®

*Except for some very rare cases, cloud = USA. There are a few providers from elsewhere, but precious few offering anything beyond IaaS and fewer still selling into markets where American providers dominate.



Biting the hand that feeds IT © 1998–2022