January 27, 2021

When Kubernetes is not the solution

Automation and orchestration are frequent reasons to leverage Kubernetes. Keep in mind that automation and orchestration often get confused, and for good reason. Automation can help make a business process more efficient by reducing or removing human involvement with software or hardware that performs specific tasks. For example, automation can launch a process to reorder raw materials automatically when other processes notice that supplies are below a specific level. In short, a single task is automated. Orchestration, in contrast, allows you to automate a workflow. Orchestration can keep track of sequence and activities, and can even invoke many single-task automations that are part of the workflow. Orchestration is a powerful Kubernetes tool that also allows you to invoke services such as database access across disparate systems. What's happening now is that many developers and architects choose Kubernetes to automate processes using the orchestration engine. That’s like hitting a thumbtack with a sledgehammer. You’ll end up spending way too many dollars on development and cloud resources to solve a simple, specific problem. Another fact that often gets overlooked is that Kubernetes is a complex system itself; it requires special expertise and at times can increase risk.

Learning from Incidents

When we use language that wraps up complexity in a neat parcel like “human error,” or we make counterfactual assertions (“system X should be able to detect this scenario,”) we give participants in our investigation the opportunity to agree with something that might be true given what we know in hindsight, but which does not help us understand the behaviour of the people or systems during the incident. Everyone in the room can nod and acknowledge that the human did indeed make a mistake, or that system “X” really should have detected the issue. Have you understood anything new about how your system really works? Unlikely. Secondly, when we ignore power structures and the social dynamics of the organizations we work in, we risk learning less. Asking “why” questions can put people on the defensive, which might make them less likely to speak frankly about their own experience. This is especially important when the person being asked is relatively less powerful in the organisation. “Why did you deploy that version of the code?” can be seen as accusatory. If the person being asked is already worried about how their actions will be judged, it can close down the conversation. “During this incident you deployed version XYZ. 

4 Ways Blockchain Could Catapult Into the Mainstream

We are used to storing valuables at home such as money, jewelry or art. However, when the value of these goods exceed what we can insure, or what we feel safe in keeping at home, we usually turn to banks or special custodians as more convenient safeguards for storing our liquid assets. Cryptocurrency offers alternative storage options via personal wallets or easy on-ramps to exchanges or a new category of crypto custodians that possess their own secure vaults. Today, many self-custody wallets already exist, allowing users to experience the self-service option for assets storage. Those same wallets also enable the storage of another blockchain novelty: “digitally unique” artifacts also known as non-fungible tokens (or NFTs; think CryptoKitties). In the long term, banks and old-style physical storage services may not be the most popular or safest storage methods anymore. Being your own custodian is an attractive value proposition that comes with a degree of freedom and efficiency, as long as its relative ease of use and trust levels continue to improve. Many users will gradually de-bank their assets and move them into self-custody to take advantage of new services that are only available in the blockchain world. 

Security's Inevitable Shift to the Edge

Many security architects are initially attracted to the SASE model as it helps them apply security controls at the optimal location in their rapidly changing architecture. That optimal location is the edge of the Internet, which will be close to any infrastructure-as-a-service (IaaS) or co-location facility that the business uses today or in the future. The edge deployment model provides agility for hybrid multicloud organizations and is well suited to changes to IaaS vendor or new locations from mergers and acquisitions. The flexibility of deploying security inspection at the edge means that, regardless of shifts in the location of compute, security inspection can be performed at a local edge node. This provides for optimized routing of traffic and avoids what Gartner describes as the unnecessary "tromboning of traffic to inspection engines entombed in enterprise data centers." Furthermore, since multicloud is the predominant architecture, deploying security at a homogeneous edge makes more sense than trying to engineer consistent controls using heterogeneous capabilities available at various cloud security providers (CSPs). Another driver for SASE is the migration of users outside of the traditional corporate offices.

Cisco bolsters edge networking family with expanded SD-WAN, security options

Among the four new models is a low-end box – the Cisco Catalyst 8500L – that's aimed at entry-level 1G/10G aggregation use cases, Cisco stated. The 1RU form factor 8500L is powered by 12 x86 cores and features up to 64GB memory to support secure connectivity for thousands of remote sites and millions of stateful NAT and firewall sessions, wrote Archana Khetan, senior director of product management for Enterprise Routing and SD-WAN Infrastructure at Cisco, in a blog about the new boxes. Businesses find that establishing aggregation sites at either core locations or colocations helps them own the first mile on their branch and remote-worker connectivity to the internet and other software-defined cloud interconnects, Khetan stated. "The Catalyst 8500L provides ultra-fast IPsec crypto performance and advanced flow-based forwarding to keep up with the demands of today's high-speed, secure connectivity," Khetan stated. Targeting the branch, Cisco added the Catalyst 8200, which supports eight CPU cores for high-performance packet forwarding and 8GB of default RAM to run the latest security services, Khetan stated. The Catalyst 8200 Series supports up to 1Gbps of aggregate forwarding throughput, which is double the performance of its ISR 4300 predecessor, according to Khetan.

Ransomware: Should Governments Hack Cybercrime Cartels?

One proposal has been to ban all ransom payments. Whether such bans could be enforced is not clear. Also, organizations that did their best to safeguard themselves, but still saw their systems get crypto-locked, could go out of business or suffer devastating interruptions due to a ban. Short of a ban, Ciaran Martin, an Oxford University professor of practice in the management of public organizations who until last August served as the British government's cybersecurity chief, says governments should at least crack down on insurers being able to help victims funnel payoffs to attackers. "I see this as so avoidable. At the moment, companies have incentives to pay ransoms to make sure this all goes away," Martin tells The Guardian, expanding on suggestions he's previously made. "You have to look seriously [at] changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry." Responding to suggestions that ransom payments be banned, a spokesman for the Association of British Insurers tells Information Security Media Group: "Insurance is not an alternative to managing the cyber ransomware risk; it is part of a toolkit to combat this crime." The spokesman also notes that policyholders must have all "reasonable precautions" in place.

Read more here ...