The High Cost of On Premises Infrastructure

scottalanmiller

Placeholder for example

JaredBusch

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

stacksofplates

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

The last place I worked had a very small number of employees (~15) but the size of the files they dealt with made it impractical to move data off site. With an 18Mb connection, doing CAD work with files that are multiple hundreds of MB in size isn't feasable. They use DropBox for some things, but the large majority had to be hosted on site.

bigbear

@stacksofplates said in The High Cost of On Premises Infrastructure:

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

The last place I worked had a very small number of employees (~15) but the size of the files they dealt with made it impractical to move data off site. With an 18Mb connection, doing CAD work with files that are multiple hundreds of MB in size isn't feasable. They use DropBox for some things, but the large majority had to be hosted on site.

We have a huge number of CAD files and maps in house as well. Around 10TB and at any moment we may have to browse and find something.

Have looked at Panzura and Nasuni a few times but the cost of a storage gateway is still somewhat high.

scottalanmiller

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

Point one is the really hard one. Files take time to move, there's no "ignore it" answer. There is WAN caching, file caching, compression, "bigger links", WAN tuning, changes in file sharing infrastructure... but all come with cost or change.

LoB apps are generally easier. Modern apps rarely have big bandwidth problems are there are lots of good acceleration methods for older ones. Doesn't fix every single app, but it does address the majority.

NetworkNerd

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

Couldn't we throw regulatory compliance in there too as a consideration?
https://www.truevault.com/blog/hipaa-physical-safeguards-explained-part-1.html

JaredBusch

@NetworkNerd said in The High Cost of On Premises Infrastructure:

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

Couldn't we throw regulatory compliance in there too as a consideration?
https://www.truevault.com/blog/hipaa-physical-safeguards-explained-part-1.html

Not IMO. Because colo means the data is never in anyone else's hands.

scottalanmiller

@NetworkNerd said in The High Cost of On Premises Infrastructure:

Couldn't we throw regulatory compliance in there too as a consideration?
https://www.truevault.com/blog/hipaa-physical-safeguards-explained-part-1.html

Yes, compliance is one of the biggest factors keeping on premises from being a good option. Very few non-enterprises can maintain a secure local environment. So going to colocation is very important for those companies to maintain adequate physical security, that's a good point.

scottalanmiller

@JaredBusch said in The High Cost of On Premises Infrastructure:

@NetworkNerd said in The High Cost of On Premises Infrastructure:

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

Couldn't we throw regulatory compliance in there too as a consideration?
https://www.truevault.com/blog/hipaa-physical-safeguards-explained-part-1.html

Not IMO. Because colo means the data is never in anyone else's hands.

And you can encrypt the entire colocation platform, so that physical extraction is not a direct concern as well. Someone stealing hard drives or even full arrays would be useless to them.

Dashrender

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@JaredBusch said in The High Cost of On Premises Infrastructure:

@NetworkNerd said in The High Cost of On Premises Infrastructure:

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

Couldn't we throw regulatory compliance in there too as a consideration?
https://www.truevault.com/blog/hipaa-physical-safeguards-explained-part-1.html

Not IMO. Because colo means the data is never in anyone else's hands.

And you can encrypt the entire colocation platform, so that physical extraction is not a direct concern as well. Someone stealing hard drives or even full arrays would be useless to them.

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

scottalanmiller

@Dashrender said in The High Cost of On Premises Infrastructure:

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?

scottalanmiller

@Dashrender I've never tried this, but just thinking about it, no matter what is on a USB stick, I don't know that any ESXi, Xen, KVM or Hyper-V environment would react to the USB stick at all, or maybe just acknowledge that it exists. I'm not aware of any situation where they would "see" the files on the device. Obviously you can protect against this by blocking USB access on the hardware, you can stop the disk drives from being used, too.

But assuming that those things have been missed, I'm interested in where you've seen this threat and what has caused you to be concerned about it.

Dashrender

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@Dashrender said in The High Cost of On Premises Infrastructure:

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?

Yeah I forgot about disabling the USB ports - so this should be a non issue. Never mind nothing to see here.

Dashrender

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@Dashrender I've never tried this, but just thinking about it, no matter what is on a USB stick, I don't know that any ESXi, Xen, KVM or Hyper-V environment would react to the USB stick at all, or maybe just acknowledge that it exists. I'm not aware of any situation where they would "see" the files on the device. Obviously you can protect against this by blocking USB access on the hardware, you can stop the disk drives from being used, too.

But assuming that those things have been missed, I'm interested in where you've seen this threat and what has caused you to be concerned about it.

As you said, it's not real concern, you're much more likely to be breached like this in a SMB shop. As I said "move along, Move along"

coliver

@Dashrender said in The High Cost of On Premises Infrastructure:

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@JaredBusch said in The High Cost of On Premises Infrastructure:

@NetworkNerd said in The High Cost of On Premises Infrastructure:

@JaredBusch said in The High Cost of On Premises Infrastructure:

The two biggest arguments that always have to be addressed are

1. speed of access to file shares
2. access to the client/server LoB app used now.

You normally flippant answer of don't use them is not the acceptable answer to the business principles that make the decisions. Yes, times are changing and WAN speeds and new technologies are moving things, but these two points have to be properly addressed to make any kind of realistic move to colocation for the SMB space.

Couldn't we throw regulatory compliance in there too as a consideration?
https://www.truevault.com/blog/hipaa-physical-safeguards-explained-part-1.html

Not IMO. Because colo means the data is never in anyone else's hands.

And you can encrypt the entire colocation platform, so that physical extraction is not a direct concern as well. Someone stealing hard drives or even full arrays would be useless to them.

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

How is that any less safe then your office building? You have patients coming in and out all day, contractors, maintenance, etc etc etc. You don't know who is in your building and who could, just as easily, plug a USB stick in to a host.

A colo knows exactly who is in their building, many have biometric security and pressure sensitive pads to prevent piggy backing.

bigbear

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@Dashrender said in The High Cost of On Premises Infrastructure:

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?

Dont you watch House of Cards?

scottalanmiller

@Dashrender said in The High Cost of On Premises Infrastructure:

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@Dashrender said in The High Cost of On Premises Infrastructure:

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?

Yeah I forgot about disabling the USB ports - so this should be a non issue. Never mind nothing to see here.

But even if you didn't, is there an attack vector? How could you get something to execute if the USB was accidentally exposed?

scottalanmiller

@bigbear said in The High Cost of On Premises Infrastructure:

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@Dashrender said in The High Cost of On Premises Infrastructure:

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?

Dont you watch House of Cards?

No and I'm guessing that this would make me want to avoid it?

coliver

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@bigbear said in The High Cost of On Premises Infrastructure:

@scottalanmiller said in The High Cost of On Premises Infrastructure:

@Dashrender said in The High Cost of On Premises Infrastructure:

I'm less worried about physical theft than I am about someone plugging a USB stick in and infecting the host, etc.

Infect it how? Can you describe this attack vector? When you plug a USB stick into a server, assuming that you have been breached in a datacenter to this level which is essentially unthinkable, and assuming that you've not disabled the USB ports, what would cause the files on the USB stick to be executed, or even mounted?

Dont you watch House of Cards?

No and I'm guessing that this would make me want to avoid it?

They do get a lot of silly technical things wrong, but the story is generally pretty good.

scottalanmiller

@coliver said in The High Cost of On Premises Infrastructure:

They do get a lot of silly technical things wrong, but the story is generally pretty good.

To me this always says "the writers didn't take this seriously and don't think that I should."