
Hitachi ID Systems Blogs

Cloud/IaaS: It’s all about the workload

April 2nd, 2014

So you think moving your server workloads to the cloud will save you money?

Think again.

The cloud paradigm is no longer new to computing, but even when it was a new computing idea, it was already an old commercial idea. When we move workloads to cloud servers, we are in effect leasing servers rather than buying them.

How is that relevant?

I can buy a big screen TV at my local electronics shop, or I can lease one next door. If I lease it, initially it will seem less costly, but over time, leasing will cost more than buying. The same is true with cars: I can buy one and drive it into the ground, over 10 or 15 years, or I can lease one, and replace it with a newer model every couple of years. Leasing will definitely cost more.

So the lesson here is that cloud == leasing, on-premise == buying. Leasing costs more but has the benefits of offloading administration to someone else, plus the opportunity to replace the product or service with a newer version quite frequently. In other words, with leasing, I pay more, and I get more.

IaaS and SaaS are the same. You don’t buy the compute capacity – you lease it. You don’t buy the hosted app – you lease access to it. Someone else manages it and someone else upgrades it once in a while. It costs more in the long run, but you get those benefits.

So does this mean that IaaS is definitely more costly than purchased compute capacity? Mostly, yes. The main exception to this rule is where the workload is sporadic. If I have a VM that needs to run for just 1 hour per day, if I buy the capacity, then I’ve effectively purchased 24x as much capacity as I needed, so even the buy-vs-lease cost savings won’t help me. It’s better to lease that for just the time windows I need it.

What does this mean in practice?

IaaS is cost effective for specific workloads — those that are only run on demand, and are shut down most of the time. Training systems. Demo systems. Peak capacity web farms. POC and lab environments. Testing systems used infrequently. There are lots of workloads where – if you have the discipline to shut things off when not in use – you can save money by moving the runtime platform to the cloud.

But who has the discipline? That’s the real problem. Human users forget to shut down their VMs, so they might move to the cloud to host sporadic workloads, but then they forget to turn things off, and wind up leasing much more capacity than they really need.

This is where Hitachi ID can help. Our Privileged Access Manager can be used to “check out” a whole machine (not just a privileged account), which has the desirable side-effect of turning the machine on. The subsequent check-in, which might be manual or due to a timeout, will suspend the same VM, effectively stopping the billing until the machine is needed again.

This can amount to a huge cost savings for IaaS used to host sporadic workloads.

If your IaaS usage fits this pattern, call us — we can save you money.

Modern day IAG delusions

March 27th, 2014

“HR is the source of truth” –> Really? Are they reliable? Timely? Do they know about contractors? Vendors? Are they a willing participant in non-HR processes (such as access management)?

“Job title determines role” –> Really? Who defines job titles? What governance process determines what titles are valid and who can get which ones? How are they updated? Is the level of granularity of the random string of text on my business cards really the same as my access rights?

“Just define and assign roles, then all the access rights problems will be solved.” –> Really? You think the access rights of back-office workers are easily compartmentalized, well defined and static, so that they can be trivially assigned via roles?

Consumer credit card data breaches

January 14th, 2014

Another day, another breach, or so it seems.

Both Target and Neiman Marcus have been victims of large scale compromise of customer data, including credit card data:

What stands out, aside from the large size of these compromises — tens of millions of payment card numbers — is the fact that they seem to have been carried off in the physical retail environment.

For a long time, the pattern of breaches we see reported in the press has been compromises of web sites or back office operations, and consumers have probably come to believe that if they were at risk at all (probably not many worry about this, given the volume of online purchases), they were at risk when shopping on-line but not in person.

The reality, however, is that a lot of fraud and identity theft happens in the physical world. Low tech attacks include “dumpster diving” to get personal information (discarded bank statements and the like), telephone based “social engineering” attacks (I call your bank or a retailer and pretend to be you) and in-person attacks (I visit the bank and try to impersonate you or I use a stolen truck to literally break off and haul away an entire ATM).

Now we are seeing mixed attacks. Point of sale systems are under attack, but sophisticated IT technology (such as RAM scrapers and code that sends home stolen data) is used as well.

This means that corporations have a much larger physical perimeter to protect — including their retail operations and “road warrior” users. However, the defenses have not really changed. They begin with physical security. In this case, that means hardened devices and locked server rooms, including in the retail world. Electronic defenses are the same as they have been for years — encrypt filesystems, authenticate/authorize/audit both regular and privileged users, encrypt storage and transmission, deploy and maintain anti-malware and patches, etc.

The payment card industry actually has excellent standards for this stuff. “Payment Card Industry, Data Security Standards V2” (PCI-DSSv2) is clear, reasonable and explicit:

One would hope that these retailers, and anyone else that touches credit card data, actually comply with these standards.

For those that need help, we do offer some assistance:

  • Hitachi ID Privileged Access Manager to secure access to root, admin, DBA and service accounts.
  • Hitachi ID Identity Manager to ensure users get appropriate access rights and have that access deactivated promptly and reliably when they leave the organization (a big deal in retail!)
  • Hitachi ID Password Manager to securely and efficiently manage corporate credentials, lowering the risk of a user’s (weak) password being compromised and that user’s access then being abused.

The bad guys have upped their game. The good guys must follow suit.

Adobe hack

October 30th, 2013

Reports are circulating today that a recent hack of Adobe and exfiltration of customer data was larger than thought – data about 38 million active users was compromised:

This raises some interesting questions:

  • There is a fundamental risk to a subscription-based business model, which is what Adobe has moved to. If you want to charge your customers monthly, like a utility, to use your products or services, then necessarily you have their contact info, credit card numbers, etc. That makes for quite an attractive target for compromise!
  • Clearly the data in question should be secured very carefully — encrypted, access controlled (e.g., using a privileged access management system), monitored, etc. Something in these controls clearly failed at Adobe.

This is a warning to customers to beware sharing CC and similar data with firms that have to retain them indefinitely. It is also a warning to firms that have such practices to be incredibly careful.

PCI-DSS includes lots of good guidelines about how to protect such data — I wonder which rules Adobe managed to not follow?

Finger prints again

September 23rd, 2013

Interesting. How long has the iPhone 5S been on the market? 2 weeks?

Unsurprisingly, the finger print scanner has already been “hacked” — meaning that if someone can take a photo of your fingerprint, for example from your beer glass, they can photo manipulate it and cover it in latex or just plain glue to make a working pattern that will sign them into your phone.

The Guardian

Chaos Computer Club

This is no big deal – most and perhaps all consumer grade finger print scanners are vulnerable to this kind of thing. It’s just evidence that:

  • A finger print scanner is all about convenience, not about security
  • If you want security, combine multiple authentication factors.

I wonder if that basic advice shows up anywhere on Apple’s marketing material or user guides? Probably not.

Fingerprint scanners: a sign of the end of growth?

September 12th, 2013

Finger print scanners may have seemed high tech once upon a time, but they became commodity technology years ago. In fact, for years PC makers were adding bells and whistles, and it was around the time that they ran out of useful ideas (and added finger print scanners) that growth in the PC business seems to have come crashing to a halt.

Now the PC makers weren’t doing anything wrong — it’s just that the market had saturated and they ran out of useful things to offer, with finger print scanners being the last, mostly-useless gadget they could think of to throw in for minimal incremental cost. By the time these things showed up, laptops were powerful, had lots of disk, CPU and RAM, had built-in gigabit Ethernet and Wifi, speakers and microphones, webcams, etc. i.e., quite nice machines, for not much money.

Apple just released new iPhones today, and one of them has a fingerprint scanner. I think that marks the end of growth in the smart phone hardware market, just as it did for PCs. Smart phones today are nice — high resolution colour screens, decently fast CPUs, lots of RAM and storage, WiFi, GSM, LTE, tethering, apps, music, video, document processing, GPS/navigation, accelerometers, light sensors, response to speech input, front and back cameras, etc.

I don’t think there’s all that much left to add – just slightly better, faster and cheaper with each generation.

This is a big problem for the phone manufacturers, as their volumes will (or perhaps already have?) flat-line and their margins will compress.

The only growth left is to saturate developing country markets – China, India, etc. That won’t be easy for the major players, as China at least has quite strong domestic manufacturers who play well in a market where relationships with the telcos matter a lot and where consumers are very price conscious.

So I’ll stick my neck out and make some predictions:

  • Apple revenues will stay flat and they will become a utility, as Microsoft, Cisco and Intel have before.
  • Samsung has a bit more runway (better product mix and geographic diversity) but in a couple of years they will flat line too.
  • We won’t see any major innovations in smart phones for years.
  • Maybe others will pick up on the finger print gimmick, and maybe not – I don’t think anyone cares.

By the way, this is only peripherally an identity-related blog entry. :-) Finger print scanners are a biometric authentication device, so fair game. But really, it’s about the rapid maturation and saturation of the smart phone market, which is interesting in its own right.

Governments are getting increasingly hamfisted

August 19th, 2013

Interesting reading here:

The Guardian

Basically two incidents related to the Snowden disclosures:

  • The UK government demanded (and got) destruction of physical media through intimidation of a newspaper organization.
  • The partner (read: boyfriend) of the journalist covering the story was intimidated at Heathrow and had media and personal electronics confiscated.

So what’s interesting about all this?

  • This is the UK government acting badly. I guess they take their orders from Washington now? How far has the British Empire fallen!
  • They don’t seem to realize that networks and cryptography make information basically indestructible. You cannot contain this thing – honesty is the only recourse going forward, like it or not.
  • It seems not to have occurred to them that if you hassle a journalist or their friends, they will write about it, and you will look even dumber in the public eye.

Get over it guys. The cat’s out of the bag. Everyone knows that Western governments snoop on their citizenry in a fashion not unlike that of dictatorships. Bullying people about it after the disclosure has already happened just reinforces in everyone’s minds that the government is rife with over-eager spooks with not a care for civil liberties.

How to suck at security

August 19th, 2013

I stumbled on this recently – it’s fun, and all true! :-)


Microsoft in trouble…

August 17th, 2013

It seems that Microsoft can do no right these days.

In the public space, they seem to be an all too eager accomplice with the NSA, violating the privacy of their customers.

In the gaming world, they had dreams of device lock-in and always-on Internet for their next console, but have had to back-pedal due to consumer outrage.

In the operating system space, I recently purchased two PCs and my experience getting each to a working state was telling.

* The first PC was a laptop for my kid. I picked up a used “professional class” Lenovo – same thing I use myself at work – on eBay for a few hundred bucks. Add a mail-order SSD and voilà – a backpack-friendly notebook for my little girl. So what to install on it? I handed her a USB drive with a recent Ubuntu on it (12.04 LTS) and asked her to install the OS herself. 10 minutes later, and my 13 year old was done: a fully functional machine, with a full suite of apps (including an office suite), which she was starting to personalize. 10 minutes from “that’s a new SSD” to “OK, the machine is ready to be used.” Impressive.

* The second PC was ordered a few weeks later. Also a cheap box – to replace our recently dead home Windows PC. A refurb Asus i7 with lots of RAM, a big HDD and a mid-line video card. Similarly priced to the laptop, also for light domestic duty. So how did this one go? 15 minutes to complete the half-installed OS install procedure. 2 hours to burn backup DVD media. 1 hour to decrapify the OS. Another 1 hour to download useful apps. Several reboots to apply tons of patches and “updates.” Total time to bring this machine to a similarly useful state? About 18 hours elapsed, 3-4 hours of intermittent human attention. Brutal.

Why would consumers put up with this? Microsoft: this is why Apple is eating your lunch! People pay hundreds of dollars to not put up with this. I even happen to think that the Win7 UI is *better* than the MacOS one and comparable to the Ubuntu one, but come on guys – hours of BS just to turn a consumer PC from a thrashing pile of almost-malware to a useful machine? And you pay $50 to $100 for the privilege of suffering that. Wow.

I don’t really know how Microsoft gets themselves out of this mess, either. Their whole commercial model depends on two franchises: Windows and Office. The rest, if I understand it right, is financially immaterial. The Office franchise is at risk from cloud apps (Google) and free apps (LibreOffice). The Windows franchise is under attack by mobile (Android, iOS) and cleaner desktop alternatives (Linux, MacOS). I get that Windows is a more robust enterprise desktop solution, able to be locked down, with central management features, but users, burned once or twice by the consumer experience, will certainly hate it. I also get that Windows is the premier gaming platform, but are the enterprise and gaming markets enough?

To add insult to injury, I recently installed a trial of Windows 8.1. Wow – that is not a friendly desktop OS. Flaky/crashy with the main app I have Windows for (WebEx) and that whole Start page is definitely as crappy as everyone says. Who needs it? I just want to open a file or launch an app. And get this: the OS wants me to sign in with – not local creds – but creds to Microsoft’s online platform. Can you imagine if *that* credential database gets compromised? What enterprise would allow such a dumb idea? What consumers are comfortable with this? Crazy.

If I were a Microsoft shareholder, I’d be up in arms.


July 31st, 2013

Just read the latest bit from our friend Mr. Snowden:

The Guardian

Interesting slides. Some thoughts:

  • This is an internal training deck, from 2008.
  • It shows full data capture – emails, VPN connections and more — in many countries around the world.
  • Data remains local — it’s not practical to feed all this stuff back to the US. Sensible architecture.
  • Interesting to see which countries are collaborating with the NSA on this kind of snooping and which are not.
  • This is from 2008. Imagine how much more they can do today!
  • Not snooping on US citizens/residents? Yeah, right.
  • Cool to see that Canada (where I live) is not on the list of cooperating states.
  • They claim ability to decrypt VPN traffic. I wonder how that’s done? Is there some secret key leakage/disclosure going on in popular VPN client packages? This may be the most worrying bit in the presentation.
  • They claim 300 terrorists arrested using this platform. If true, and if they have convictions, this would go a long way towards justifying the whole thing. Privacy invasion to support theoretical security is one thing. To support concrete security results is something else again.

Bottom line: if they are actually putting away real terrorists with this stuff (as claimed) and are basically doing pattern match searches (almost certainly true), I’m not sure this is all that bad for my privacy or that of any other “honest citizens” — seems like a reasonable program, on that basis.

Just my $0.02. Let the flame war begin. :-)

– Idan