Comments on TaoSecurity Blog: Enterprise Data Centralization
Blog author: Richard Bejtlich

John, 2007-06-20:

Centralized computing?
You mean, like, mainframes?
:)

dre, 2007-06-19:

"What data centralization and/or thin computing is your organization pursuing, and why?"

Take any building in any city in the world. Connect it to the nearest data center, which should be a carrier neutral facility, preferably an internet exchange, preferably SAS70 Type 2 compliant, preferably dual-power-grid and "class 5".

The office should connect to the Internet using 2 disparate metro fiber providers using Optical Ethernet. Also connect to the Internet using a fixed wireless solution or two. Run BGP to the ISPs over said links and run GRE tunnels and IPSec over routing protocols to the BGP-connected data center. Some cities may not have these options, but there may be similar options, so try to get it as close as possible.

Take all the servers out of your office. Take all the desktops out. Take all the CRTs out. Write them off as a loss. You'll have patch panels, switches, and a few routers (maybe router-firewalls or just firewalls) as your entire infrastructure at the office. Thin clients and dual-headed LCDs should be on every user desk.

Build a standard enterprise data center. Run LTSP version 5. Connect thin clients at the office over the MAN and boot from PXE. If Windows is required for certain users (legitimate uses that I can think of: accounting with QuickBooks, CAD, graphic design with Adobe CS3 - MS Office does *not* count, IE7 does *not* count, etc.) - then those users can connect to a 64-bit Windows Server 2003 Data Center Edition SP2 cluster with NLB. Everyone else can use Firefox and OpenOffice under a clustered CentOS LTSP.

Users that require phone access will get a softphone and a computer headset that connects over the MAN to a centrally-managed IPBX cluster such as CCM or Asterisk. Some users may not require outside phone access, so they will be given internal extensions only. All digital circuits for voice will also be in the nearby data center... except a few red phones in the office labeled for E911 use only that connect to analog lines that you don't even need to pay for service on.

Make some users mobile and give them Samsung Q1U UMPCs with Vista/BitLocker, SSL VPN, softphones+headsets, and an EVDO Rev A (or similar) connection.

My current company does some of the above (not all yet), but anywhere I worked - I would try to work towards a similar model.

Anonymous, 2007-06-18:

Richard,

While I normally enjoy your POV on things, I have to fundamentally disagree on this. Data, as well as the "data center", is becoming increasingly virtualized. For example, examine Google's data processing methodologies: there is no central repository. In fact, the data itself is nothing but shards stored across thousands of boxes.

While the user may see the data as being in a given place, it has nothing to do with where the data is or how it is stored.

Our classic constructs of security boundaries and enclaves fundamentally fall down when there is no longer an easily identifiable 'chokepoint' where overarching security policies (speaking about things like fw rules, ids monitoring, etc.) can be implemented.

While the concept of centralized data _management_ is a great and incredible thing, the idea of that data, in the near future, being centrally located is a farce.

Joel Esler, 2007-06-18:

Richard --

Well said. An organization that I used to work for did some testing for thin client computing. While it does make the admin's life easier and of course an array of other things, people still like having their computer right there on their desktop.

They feel as if this is 'their space' in the office, and the computer is 'personal'. Taking the computer away and forcing them to a keyboard, mouse, and monitor only was widely rejected.

While I agree with you in theory, in the analysis line of work that we worked in, thin client computing wasn't an option.

Roland Dobbins, 2007-06-17:

Let's not forget the 'A' in the 'CIA' triad - resiliency and survivability require decentralization, replication, and the avoidance of fate-sharing.

So, your central repository idea must not be used to force undesirable centralization on IT; instead, other strategies such as replication and/or metadata tagging/searching must be used.

The replication idea is a bad one, because you've then created the Mother of All Targets for an attacker - he gets into your big infosec data warehouse, and the game's over. Instead, the way to accomplish what you're talking about (along with a lot of other things which will benefit IT and the business) is to develop an information/data architecture which allows this 'centralization' to be virtual in nature.

Anonymous, 2007-06-16:

One more thing...

I forgot to recognize the distinction in my last comment between my response to both the original article and your commentary.

The original article isn't focused on "data centralization" at all; it talks about a "...centralized function for data governance", which are two completely different things.

My comments were directed at your article, not the original. Sorry for the confusion.

/Hoff

Anonymous, 2007-06-16:

You beat me to the punch! I am almost finished wrapping up my response to this very article as an extension to some posts I did on data-centric security.

What I find intriguing about this article is that this so-described centralized pendulum effect of data centralization (data warehousing, BI/DI) and resource centralization (D.C. virtualization, WAN optimization/caching, thin client) seems to be on a direct collision course with the way in which applications and data are being distributed with Web2.0/SOA and underpinnings such as AJAX...

How do you balance centralizing data when the infrastructure and information architectures are bound and determined to chew it up and spit it out willy-nilly?

Something doesn't compute here...

Blog entry should be finished soon discussing this...

/Hoff
http://rationalsecurity.typepad.com