Hardware appliances have no place in production

Friday, May 27th, 2016

One of our customers runs the RSA/Aveksa product to automate access certification. Interestingly, this product was delivered on a physical appliance.

Some time this week, the hardware in the appliance (which is just a white label PC, I’m sure) died. This means that this company’s access governance system went offline. Since it’s hardware, and presumably because the company didn’t want to pay double to have a hot standby, they now have to wait until next week for replacement hardware. At that time, who knows how much effort will be required to re-enable the service?

All this is in a major US metro area — easily reached by the vendor. Imagine the same failure at an organization in a more remote part of the world, where import controls and duties can add days or weeks to delivery, and where local integrators are few and far between. What is a 1-3 week outage in the US could be a 1-2 month outage elsewhere.

Of course, this all could have been mitigated by buying redundant appliances. A costly waste of physical infrastructure, but doable.

In this day and age, why do people still ship physical appliances? As evidenced above, they are expensive and unreliable. They are also incompatible with the trend from the 2000s to virtualize and the trend from the 2010s to move applications to the cloud. They are energy and space inefficient. They may have unpleasant interactions with national border control officials, who have a fetish for taxing or blocking technology in general and cryptographic technology in particular.

What’s the upside of a physical appliance? If your system requires exotic hardware (ASICs) to perform well, then OK, I get it. That may apply to super high performance firewalls or anti-malware scans at wire speed, but not to most applications. Or perhaps your application is horribly complex to install, and you can shave days or weeks off of deployment time by pre-installing at the factory. I would argue that if the latter is true, you have a crappy application, and should fix it rather than hacking your way around the problem with an appliance. And if you must pre-package, then for god’s sake use a virtual appliance, not physical hardware!

In the context of an IAM system, the implementation effort has more to do with business process definition, policy setup and target system integrations. Installing the app itself shouldn’t take more than an hour — see above: if it does, then your app is the problem, go fix it.

The bottom line is this: The 1990s called, and they want their physical appliances back!

Anti-virus software creates an entry way for … malware

Tuesday, May 17th, 2016

If you think that running anti-virus software is good for security, think again.

There have been multiple exploits lately of vulnerabilities in badly written, badly architected A/V software, such that an attacker can exploit the A/V bug to compromise your system.

Here’s the latest whopper:

I think a well patched OS may well be safer than one encumbered by these badly built “security” products. Wow.