March 2011

Are you using lack of firewall support as an excuse to avoid IPv6?

If you are among the organizations that think denial and avoidance are a realistic strategy for putting off IPv6 testing and implementation, several of the excuses I've heard over the past several months are no doubt familiar to you.

All Too Familiar Excuses

"We can't provide senior management with a compelling business case to demonstrate that IPv6 is more important than other network and security initiatives."

"We can’t get IPv6 access from ISPs."

"No one else is hosting content on IPv6 networks."

"All the surveys we've read claim that firewalls don’t support IPv6."

There are more, to be sure. But commercial firewall vendors take exception to the last excuse in my short list and claim that enough vendors support IPv6 that firewalls are no longer a credible excuse for putting off IPv6.

How many is "enough"? Read my Enterprise Efficiency article, "Don't Use Firewalls as an Excuse to Ignore IPv6", to find out who's implemented IPv6 and where to find admin guides, manuals, FAQs or data sheets that describe exactly what they implement.

Cloud hype creates fear, loathing and sickness unto death

A day doesn't pass by when I don't see an email, article or tweet that says "I'm tired of cloud marketing and cloud hype" or something equally negative. Granted, I spend more time with security greybeards and hard cores but anyone hoping to profit from offering cloud infrastructure or cloud-based services should pay close attention to this signal because it's growing in frequency and strength. Perhaps it's time to ask why.

Clouds are marketed as must-have-now, innovative and secure. Let's look at the problems each of these marketing points creates.

Pace of Adoption

Enterprises and large organizations don't always do "now" very well and they adopt "new" slowly. Look at the history of wireless LANs. While it's hard to conceive now, wireless LANs actually languished for a very long time while corporate IT pushed back with a litany of excuses to not do wireless: "it's not secure, we can't control who's on it, it's not as fast as wired Ethernet, adapters are finicky..." These are all manifestations of fear: fear that change increases the risk of intrusion, data breach, degraded performance, and increased helpdesk calls.

Clouds are Evolutionary not Revolutionary

Clouds are also marketed as being revolutionary or innovative. Clouds are evolutionary; perhaps eventually they will be disruptive, but they are not overly innovative. Let's test my claim. If you agree that network and location transparency, location independence, high availability, file access transparency, etc. are characteristics of cloud computing, then it may surprise you that these were all implemented in the 1980s in the LOCUS distributed operating system [1,2]. (This is not a recent find; I used LOCUS as a case study in a Bellcore report discussing why telcos needed to deliver broadband in 1989.) If you also agree that virtual machines and, in general, the notion of virtualization also antedate cloud computing, then I trust you'll agree that cloud computing isn't new: bandwidth, memory, CPU and storage just caught up to the vision that Walker, Popek, English, Kline, and Thiel shared in 1983. Claiming something is innovative when it is not disrespects the true innovators. This kind of hype is responsible for much of the loathing.

Cloud Security Hasn't Weathered Test of Time

Lastly, clouds are marketed as being more secure. This is a dangerous claim because it is made without qualification. Eventually, at least for large market opportunities, cloud marketeers must meet IT, and such meetings are almost always on IT's turf. At that point, the cloud folks have to convince IT that the cloud is more secure than the network that IT administers. That's a tough sell to rock-solid IT departments, especially when cloud security is ultimately bounded by the same constraints as the enterprise (expertise, quality of processes and workflows, technology, monitoring, review, testing...) and is also subject to the same, if not an expanded, attack surface. Rock-solid IT departments have heard these arguments before, ad nauseam (a.k.a. sickness unto death).

None of these marketing ploys are helpful. Instead, I consider a Kierkegaardian leap of faith (you knew it was coming): forgo the current marketing mantra and try something more direct and simple when you discuss clouds with prospective customers.

Three Simple Truths About Clouds

1) Don't be afraid of clouds. Clouds are evolutionary not revolutionary. Clouds leverage innovation and experience accumulated over nearly 20 years of experimentation and implementation. Shed the fear.

2) Clouds have a great pedigree. Share the history of distributed processing and virtualization. Acknowledge past accomplishments, with attribution, as a means to confirm that a cloud is A Good Thing! In so doing, folks will admire you more and loathe you less.

3) Clouds face security challenges. The last thing anyone responsible for security wants to hear is comforting words or bravado. Marcus Ranum is known for saying, "If conventional Internet Security wisdom was working, the rate of systems being compromised would be going down". We all know that, if anything, the rate of system compromise is increasing. Don't overpromise; instead, earn trust and confidence by collaborating with security and operations communities to identify and mitigate threats unique to clouds.