Posts made by IRJ
-
RE: AD/AAD and VPN integration
@gjacobse said in AD/AAD and VPN integration:
@irj said in AD/AAD and VPN integration:
but even MFA isn't perfect
Ha - is that the truth. MS SMS MFA was down a while earlier this week...
I wouldn't even consider SMS viable MFA for internal employees. Maybe for external users, because they won't install an MFA app.
-
RE: Laptops versus desktops and roaming users
In the enterprise space, the vast majority of users have laptops, docks, and a spare AC adapter (so they don't need to borrow it from dock).
Exceptions would probably be an assembly line or something like a shared nurse's station.
Desktops are the exception, though, and not the rule.
-
RE: AD/AAD and VPN integration
@dashrender said in AD/AAD and VPN integration:
@scottalanmiller said in AD/AAD and VPN integration:
Ask it another way.... so you want to expose your AD infrastructure and fragility directly to the Internet? AD isn't meant to ever see light of day, the entire design of AD is that it is protected inside the LAN. If you do this, you are disabling the foundation of AD's security.
I can understand where you're coming from - I'll even go so far as to say I agree, at least to some point.
But the extra onus on end users is what is being avoided. I guess your answer to that is - tough, suck it up, this is security we're talking about here, and security is basically the antithesis of convenience?
The thing is you're not exposing your AD with SAML authentication. Worst case scenario, a malicious user can spoof a session. MFA does a lot to alleviate this concern, but even MFA isn't perfect.
There are plenty of other ways to secure SAML or verify your IdP and service provider; Azure has them in place.
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html
Even really basic stuff like IP filtering is helpful when authenticating SAML to a SaaS service. The attacker would have to know the IP range of the SaaS application. Again, not a save-all security measure, but it helps more than you'd think.
Also, short authentication timeouts with the need to re-authenticate in 15 or 30 minutes when not in use are a huge help.
-
RE: KVM or VMWare
@pete-s said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@pete-s said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@pete-s said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@irj said in KVM or VMWare:
@irj said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.
Exactly. Stuff isn't done manually anymore.
It's not even about manual process. It's about being able to audit and have a repeatable process.
Auditing in KVM is pretty much not there lol.
Just a side note, but what type of auditing are you talking about? Security audit? Compliance audit?
All of the above.
OK, thanks.
But how about libvirt being used by openstack and openshift? There has to be a lot of enterprises running that in their hybrid cloud environment. Surely not everyone is running their workloads only on Amazon or Google. Red Hat has to be out there pushing a lot of this to their enterprise customers. And surely these environments are fully automated and auditable just like aws or gcp. Or isn't that the case?
I don't know anyone running RHEV. I also don't know anyone actually running OpenStack. I'm sure there are a few, but it's hardly the norm.
Openshift may use libvirt underneath with kubevirt but I think most are just running containers. I don't know too many places running openshift either over just k8s.
There are 4000+ jobs on linkedin in the US when searching for openstack.
8000+ jobs when searching for openshift. And I see companies such as Bank of America, Citi, Delta Air Lines, Federal Reserve etc. So I'm guessing it's in use for sure.
Yeah, some companies associated with the government are looking at OpenShift now. The problem they are facing in testing it is lack of talent.
There are 69k+ Kubernetes jobs available. Even so, Kubernetes engineers are hard to find.
-
RE: KVM or VMWare
@pete-s said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@pete-s said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@irj said in KVM or VMWare:
@irj said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.
Exactly. Stuff isn't done manually anymore.
It's not even about manual process. It's about being able to audit and have a repeatable process.
Auditing in KVM is pretty much not there lol.
Just a side note, but what type of auditing are you talking about? Security audit? Compliance audit?
All of the above.
OK, thanks.
But how about libvirt being used by openstack and openshift? There has to be a lot of enterprises running that in their hybrid cloud environment. Surely not everyone is running their workloads only on Amazon or Google. Red Hat has to be out there pushing a lot of this to their enterprise customers. And surely these environments are fully automated and auditable just like aws or gcp. Or isn't that the case?
OpenShift is on Azure now.
-
RE: Who do you call for IT assistance
@scottalanmiller said in Who do you call for IT assistance:
I'm lost. The question that Dash had is about how can he get someone who can step in and does what he does. But this answer is about how someone doing something different can make money. I'm not arguing that making money is good, only that this doesn't relate to what he's looking for.
HITRUST does provide support in the way of improving your IT. It wouldn't be specific to your day to day, but to your road map. Dash and other generalists generally don't have the time to road map, or even implement, moving towards IT maturity.
-
RE: KVM or VMWare
@stacksofplates said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@scottalanmiller said in KVM or VMWare:
think
That's not apples to apples. One is support one is hiring engineers. Two different things.
No idea why this quoted so weird.
"Just because something may be supported, doesn't imply that it is support."
-
RE: Who do you call for IT assistance
Also, getting paid to do a job and doing a job isn't the same thing. You are looking at it from "how do we make money" from the vendor angle, not addressing at all how "do we get actual IT support" from the customer angle. No matter how rich person X is, doesn't imply that person Y does job Z.
You better believe the how we can make money side is important. How can you pay talent and expand your company without making money? That one just seems so obvious.
The idea on the customer side is they will need less support with these processes in place. Externally proving you can do backups and DR is pretty vital to the customer. Saying we do it well or we've been in IT 30 years isn't enough to convince companies that a valid process is in place. When you work with sensitive data and/or are making money using the tool, you need security. Without audits and certification in place, how can you guarantee your vendor has your PHI or financial data safeguarded? Also, can they back up and restore data and their infrastructure with very little downtime? SLAs don't mean shit when it costs your reputation and income.
-
RE: KVM or VMWare
@scottalanmiller said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@scottalanmiller said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
@scottalanmiller said in KVM or VMWare:
There's no shortage of KVM talent, so anyone telling you that they can't hire is actually telling you that they are so bad at searching that they can't function as a business or they are so bad to work for that no amount of money can fix it.
This simply isn't true. No one in the enterprise space runs qemu/libvirt. They've developed their own APIs (gvisor, firecracker, etc).
It's totally true. Just because you are talking to companies doing a bad job and lying about it and you are accepting what they say as truth doesn't make it so, at all. As long as talent is on the market, and it is without any shortage, then the issue is with the companies hiring (or failing to hire), this is just basic logic. They claim they can't hire, yet people are looking for that work that know what they are doing. Given those facts, what they claim can't be true. Basic economics.
I'm not. You don't have a real pulse on the market it seems. These are just claims you're making without any basis. Just because you can find some people who can install Proxmox doesn't mean there is KVM expertise.
Also, Proxmox doesn't count as KVM expertise in case that's the angle you're trying to use here.
I never made the claim about anything about Proxmox. I just said that KVM skills are not in short supply. There's lots on the market. Everyone makes claims that there is a shortage to justify not providing in house talent and just going to vendors. It's an easy claim to make and if a company is crap at hiring it even makes it appear to be true. But we all work in IT and know that it's not even remotely true. Tons of people are on the market, and tons of support firms are too. The bottom line is that companies avoid hiring them (or anyone) because they like just paying a vendor as an excuse. Went through this this week, luckily once we talked about this exact stuff they understood immediately and didn't just hire a vendor to sell them stuff.
It's easy to follow the sales people and get paid as a middleman and not to do IT, so everyone wants to do it. Big enterprises are full of middle managers looking to protect their jobs. So the process just keeps repeating. But don't repeat it to IT people as if we don't know better. We all know that skills are on the market and companies aren't hiring them.
-
RE: KVM or VMWare
@irj said in KVM or VMWare:
@stacksofplates said in KVM or VMWare:
The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.
Exactly. Stuff isn't done manually anymore.
It's not even about manual process. It's about being able to audit and have a repeatable process.
-
RE: KVM or VMWare
@stacksofplates said in KVM or VMWare:
The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.
Exactly. Stuff isn't done manually anymore.
-
RE: Who do you call for IT assistance
@scottalanmiller said in Who do you call for IT assistance:
It can't, IT isn't a certifiable process. Anything that is certified can't be competitive in IT and as IT is a performance field, that makes it an antithesis of IT.
Have you heard of Microsoft 365, AWS, or Azure before? They go through certification processes like HITRUST. I'd say they are a tiny bit profitable.
Excluding the tech giants, HITRUST is worth a ton of money. If you're selling software or housing data it boosts your credibility and limits the risk factor since your internal infrastructure is audited. Not only is HITRUST profitable for businesses that sell software or services, it's actually pretty damn good. You should look into the requirements for the 3 levels. They are pretty stringent and overall good security practices.
Without some external auditing of your IT infrastructure, you'll lose a lot of potential big customers and small ones with money.
-
RE: Who do you call for IT assistance
@jaredbusch said in Who do you call for IT assistance:
@irj said in Who do you call for IT assistance:
@dashrender said in Who do you call for IT assistance:
@irj said in Who do you call for IT assistance:
@dashrender said in Who do you call for IT assistance:
Question: is there a certifying authority you can get certified in that you can also reach out to to get help with problems you can't solve?
HITRUST in your field.
Nice - while not really an IT cert... it is something specifically on her radar. Thanks!
They certify your organization.
https://blog.rsisecurity.com/what-are-the-3-hitrust-implementation-levels/
That has nothing to do with the question. That is a certification similar to ISO.
It is, but it's specific to the medical industry and it satisfies this question.
@dashrender said in Who do you call for IT assistance:
Question: is there a certifying authority you can get certified in that you can also reach out to to get help with problems you can't solve?
-
RE: KVM or VMWare
@scottalanmiller said in KVM or VMWare:
@irj said in KVM or VMWare:
@jaredbusch said in KVM or VMWare:
@hobbit666 said in KVM or VMWare:
Didn't get on with KVM but thats down to my skill set. (i.e. limited linux skills)
No business should run on just KVM. Until the most current iteration of Proxmox I would never recommend KVM for a business.
I have used it personally for years now. But that is different than running a business. A business needs simple easy to follow processes that are enabled by things like Proxmox, vCenter, and Hyper-V Manager.
Unless you use Terraform or similar to build your servers on KVM. You would then need to leverage bash/PowerShell to do the builds. Then you have a very repeatable process that doesn't rely on GUI management. You can also use an open source tool like Jenkins to manage pipelines for deployment so it's easily repeatable.
I would say most SMBs who aren't trained in IaC would be better off with other options.
I would say that anyone that doesn't know how to use KVM well is just as unsafe (but doesn't know it) with VMware and should be even more wary to continue. If any business, of any size, lacks the skills to do IT well then they should address that rather than implementing something poorly and just looking the other way. KVM remains the better answer for exactly that reason.
The problem is paying for the talent. I was talking to a former coworker in a Fortune 100. They can't find people who are qualified to do DevOps. They have to keep raising pay and are still not getting bites.
-
RE: AD/AAD and VPN integration
@gjacobse said in AD/AAD and VPN integration:
VPNs are - a point well discussed here. This isn't about the Good / Bad / Insecure / or pointless.
Using AD/AAD, what is a recommendation of a VPN solution? Currently while we set VPN / MFA settings in AD/AAD, we then have to go to a third party VPN solution and add the user there.
Are you asking for a solution that supports SSO with AD/AAD?
-
RE: Who do you call for IT assistance
@dashrender said in Who do you call for IT assistance:
@irj said in Who do you call for IT assistance:
@dashrender said in Who do you call for IT assistance:
Question: is there a certifying authority you can get certified in that you can also reach out to to get help with problems you can't solve?
HITRUST in your field.
Nice - while not really an IT cert... it is something specifically on her radar. Thanks!
They certify your organization.
https://blog.rsisecurity.com/what-are-the-3-hitrust-implementation-levels/
-
RE: Who do you call for IT assistance
@dashrender said in Who do you call for IT assistance:
Question: is there a certifying authority you can get certified in that you can also reach out to to get help with problems you can't solve?
HITRUST in your field.
-
RE: KVM or VMWare
@jaredbusch said in KVM or VMWare:
@stacksofplates @IRJ
While you are both correct with your statements, the idea that the typical SMB is using or even understands these tools is ignoring the reality of the typical SMB.
This really sums it up.
@irj said in KVM or VMWare:
I would say most SMBs who aren't trained in IaC would be better off with other options.
This is why it is either vCenter, Proxmox, or Hyper-V Manager.
I agree, and I knew what you meant. However, you didn't specifically say SMB. You said any business. You did also mention it was places you consulted so it could be assumed you meant SMB.
However, this is ML so I had to argue.
-
RE: KVM or VMWare
@jaredbusch said in KVM or VMWare:
@hobbit666 said in KVM or VMWare:
Didn't get on with KVM but thats down to my skill set. (i.e. limited linux skills)
No business should run on just KVM. Until the most current iteration of Proxmox I would never recommend KVM for a business.
I have used it personally for years now. But that is different than running a business. A business needs simple easy to follow processes that are enabled by things like Proxmox, vCenter, and Hyper-V Manager.
Unless you use Terraform or similar to build your servers on KVM. You would then need to leverage bash/PowerShell to do the builds. Then you have a very repeatable process that doesn't rely on GUI management. You can also use an open source tool like Jenkins to manage pipelines for deployment so it's easily repeatable.
I would say most SMBs who aren't trained in IaC would be better off with other options.