All Posts in “@Mike_Colson”

How are Engineered Solutions Supported?

This spawned from an internal conversation so hopefully I don’t cause too many issues with it. What the hell is an IT solution, and what are you to expect of an IT solution from a vendor?

Is an IT solution just like a piece of hardware or software? Should it be treated and supported the same?

These are exactly the questions that are being asked by customers and by those of us evangelizing these solutions. If you have ever architected an IT design you know there is a lot to getting all of the moving parts working together. So how should we view these solutions?

From a business perspective investing in an IT solution can be expensive, so we want to be sure that the proper expectations are set. The full set of expectations depends on the type of solution. So rather than try to cover all of them, let’s focus on the Federation Enterprise Hybrid Cloud, an EMC, VMware, VCE, and Pivotal offering. The best way to look at this solution is to think of it as new building construction. Your business has decided it’s ready for its own office space, and the size of it warrants new construction. The business has set needs, square footage being the most likely initial defined requirement.

With those thoughts in mind they shop for an architecture firm, and a contractor to do the build. The architect starts to provide some input into power, cooling, number of floors, and breaks out the different use cases and specifics. Then the contracting firm comes in and does the build.

Once the construction is complete the company takes ownership and moves in. From there they have full control over how furniture is placed and who sits where. Any work done in that building is dictated by the business.

But what happens when the business wants to change the layout of the building or modernize it? Well they bring back in an architect or contractor and verify that the changes are within code, legal and safe. Then they set to doing the work.

IT solutions like EHC are the same: the framework for the build is founded in sound architecture, but each is customized to meet customer requirements. While some things can be productized, and updates and changes can be controlled like moving furniture, it takes time to reach that point on a maturity cycle. Initially all solutions have to reach that level of commodity and utility.

Now your next question is going to be, what in the hell do you mean by that? Well, initially it means that as versions of EHC change and products are updated, we (EMC and you the customer) need to make sure everything interoperates. In some instances it means professional services help to perform the upgrades at some cost, because nothing is free. In others it just means validating against a compatibility or interoperability matrix.

For some this becomes an anticipated expense, and something that can be planned for in outlying years’ budgets as the solution matures. For others this may be a show stopper, as a solution like this is meant to drive lower OPEX and CAPEX. Early adopters will always have these concerns, but it’s important to understand the support and upgrade cycles of such products, and that we are all upfront about them, so we can better partner to build the right solution, the one that works to meet the business goals.

How Ashley Madison Makes Security Sexy

Bringing sexy back to security. OK, maybe not back; maybe making security sexy for the first time is more appropriate. Thanks to the recent Ashley Madison hack, folks are actually equating sex and security more than ever. Thank goodness for that, because security really needs to be viewed in a better light, even if it is a red light.
Cue someone singing Roxanne.

Full details haven’t been exposed as to how Impact Team were able to so easily crack into Ashley Madison’s network and PWN them harder than a teenage Modern Warfare team playing against a group of kindergarteners. What was explained was that once they were in, there was no security internally; everything was easily exposed. Evidently, once in, the hackers could VPN to every server in the environment with user name root and password of Pass1234. That’s the kind of password an idiot would have on their luggage.

If the importance of this last bit doesn’t immediately jump out at you it’s not that the breach happened, because they too often do. It’s that people suck at security. People are our biggest vulnerability in any environment.

I have had so many conversations with folks regarding security policies and whether they actually make organizations more secure. Odds are no, the policies most likely do not secure the environment. Instead the policies act as a way to set guardrails for users. This helps to curb behavior and drives users in the direction the company wants them to go. It’s like herding cats.

The same people who argue against using ridiculous policies, and believe me I have been privy to some really bad security policies, say that what we really need is better training for the employees. Here is where I call BS, SUPER DUPER MAJOR BS. How many of you have to do quarterly or annual training? How many of you then actually do it vs. hit play on some video recording and go to lunch? Hell, I have been guilty of that when the training doesn’t actually apply to me but I have to do it anyway. Training doesn’t help either if a breach actually happens or there are regulatory violations that result in fines; “Oh but we trained our people” doesn’t really get you out of the fines.

So how then does anyone operate securely? Is it just replacing the humans with robots?

Look, I am not trying to stand on a soapbox and say that I have the answers; what I am saying is security is about risk management. You manage risk in three ways: accept it, mitigate it, or avoid it. Accepting risk means that you get that there is an issue but since nothing can be done you take the risk anyway because the reward outweighs the potential problems. Mitigation means you take as many precautions as possible to eliminate the risk; it’s not foolproof and there will still be breaches, but you do your due diligence to protect yourself. Avoidance is a matter of assessing the risk and determining the reward doesn’t outweigh the risks and thus you move away from the risk.

The Ashley Madison hack is hilarious in the irony of the situation because not only was the very business of it a giant risk (cheating on your spouse), but it appears little to no risk assessment was done either from the regulatory controls of PII or the infrastructure for that matter. Step away from the business issues and the lack of security awareness and over to the user side and you see thousands of government employees signed up for the service with their government email addresses. Hello, McFly! What are they thinking? How about a little OpSec and the fact that there are free email services all over the interwebs? These people just accepted the risk and pressed on.

Despite all of this stupidity the search for sex led these poor ignorant souls to a poorly managed, risk-accepting service for what should have been a risk-averse user population. Hopefully now the sexiness of how this could have been avoided can be applied and more companies and users can understand why security and risk management matter so much.

VMware App Volumes: Part 1

This is a multi-part blog where I am exploring and learning about VMware App Volumes. This is part 1 so welcome to my mind crunch.

Another acquisition leads to another IP release for VMware; this is the reality of IT today. In August of 2014 VMware bought a company called CloudVolumes. Haven’t heard of them? Not surprising, but the product that this relates to is VMware App Volumes for Horizon suite. It comes packaged for free with the Enterprise edition. So what does App Volumes provide?

As always I am glad you are asking these questions, voices in my head. App Volumes delivers applications to virtual desktops via VMDKs. Think persistent disks that we use for user profiles, but now with applications. The funniest part of this, to me at least, is that VMware calls the App Volume deployment an Application Container **cough Docker cough**. Sorry, I had a different technology stuck in my throat. So the solution looks like this: