There’s an enormous problem inside some organizations where, whether this is just perceived or actually true, the InfoSec team “maintains” security by “just saying no to everything.”
Obviously, no business can survive if one component of itself is simply shutting down all initiatives willy-nilly. “No” isn’t a security position; it’s a death knell. And, if you work for a company where this is really, really true, you should maybe evaluate your career choices. It doesn’t make sense for good IT people to work at that kind of organization, and if the answer is always “no” anyway, they don’t actually need you. InfoSec should say, “yes – but.” Meaning, they should be taking the time to understand why something is necessary to the business, understand how it works and what its vulnerabilities are, and understand how to safely and securely introduce it to the business.
Just as many IT Ops people are not experts in the InfoSec disciplines like auditing, forensics, pen testing, incident detection and response, and so on, many InfoSec people are not familiar with the intimate details of Ops technologies, what their business benefits might be, or how they work under the hood. This is why everyone needs to work as a team to make these decisions.
“Hey, we’d like to implement PowerShell Remoting. It uses WS-MAN.”
Totally understandable conversation, actually. It should have gone like this:
“It’s massively lower-weight in terms of server overhead, and unlike RDP it’ll trigger less mandatory restarting of servers – so we get better availability.”
“How’s it work?”
“It runs over a single port, and we should have a requirement that that port be HTTPS. Credentials are delegated across that connection – no clear-text passwords! – and I can show you how we’d enable full-text auditing of everything admins do via that channel. It’s actually a lot more auditable and locked-down than RDP.”
“OK, let’s look.”
If you present a valid business case, and then can work together to understand how the technology works, then you’re doing it right. “We need to understand the encryption used” isn’t a challenge you need to defend. The proper response is, “yeah, we do! I don’t know a ton about encryption – can we dig into this together?” Encourage that teamwork. Nobody should be on the defensive or offensive – you’re all supposed to be working for the same team. Too many times, though, the Ops folks I’ve seen go down this road – with anything, not just PowerShell Remoting – aren’t taking a team approach, and they’re not making a business case.
And let’s say you do start the conversation right, with a business-level justification (with some numbers, please – businesses understand numbers). You do go in as a team player. If you still get needlessly rebuffed without even a fair hearing, and without a reasonable justification (“yeah, not now – we’re busy recovering from the 10M user accounts that were compromised last week, k?”), then…
Evaluate your career choices. Ask yourself why you’re so broken inside that you’d work for a dysfunctional situation.
Public registration is now open for my 3rd annual “DevOps/DSC Camp” near and at my home in Las Vegas!
Camp isn’t a conference. No, it isn’t recorded or streamed. Don’t ask. Camp is a working group of experts who are dealing with DSC, and DevOps generally, in their daily lives. We teach each other how to do things like build CI pipelines, introduce DevOps into an organization, solve DSC challenges, and a lot more. It’s a tiny group – just 20 folks – and that’s what keeps it close-knit.
We begin on Thursday evening (July 27) with an evening cocktail hour, and we head off to some cool local restaurants for dinner. We get started in earnest on Friday morning with presentations and round-table discussions. Friday afternoon, we head to my house for customized personal pizzas for lunch, an afternoon in the pool, and a huge smoked BBQ dinner. All day, we’re talking shop – moving between small groups talking about getting stuff done. Truly, this is an event where everyone confirms that they’re going directly home and using what they’ve learned to effect change in their organizations. This’ll be the first year “open source PowerShell” is on the table – can’t wait for those discussions!
Saturday, we hunker down all day and learn. Most alumni will have an opportunity to present a topic, and we keep it very interactive. After swimming around all day Friday, your introverted shyness will be gone, so you’ll be ready to engage. Saturday evening we hit the town for some fun and food.
Sunday, we wrap up in the morning. In the past, Sunday afternoon has been headed up by DSC product team members from Microsoft; we can’t promise that’ll continue, but it’s a possibility. They buy lunch ;).
This is an intense and mentally engaging weekend. As I’ve mentioned, it’s a close-knit group – and we’re already close to half-full as I publish this article. If you’d like to jump in, don’t delay. I hope to see you.
AD turns 17 this year. That’s a long darn time for a directory service, and you might wonder how much life it’s got left in it. Oh, I don’t mean as in, “Windows Server 2018 is going to eliminate AD!!!!” No. Whatever happens with AD will be an evolution, not a revolution. And I’m not even sure Microsoft has a firm marching plan on this – I think they’re kind of playing it by ear.
But it’s fun to look at what they’re doing, and guess where they might go next.
As you all know by now (I hope), Microsoft’s Azure Stack, the “run some of the Azure Portal on-prem and use it to manage in-cloud and on-prem resources” solution, is only available as, essentially, an appliance. You have to buy it from OEMs like Dell or HP, and it comes preinstalled on select hardware. It’s a sealed OS – you can’t install your own drivers, your own management agents, and so on. You can’t even really mess with it’s patch application schedule.
This is a new approach for Microsoft. It isn’t going to be the last time they do it.
Check out the “ITTRANSFORM”-tagged sessions at the IT Transformation conference website. This is an event that I’m helping to content-manage, in conjunction with the event’s organizer and Pluralsight. I’ve often been asked if my annual DevOps Camp will be a larger thing, and this is about as close as I think I’m able to come.
Jeff Hicks and I are pleased to announce the first release of The PowerShell Scripting & Toolmaking Book, a new Agile-published book available now on LeanPub.com. We’ve released Part 1 of the book’s eventual 5 Parts, and set the pricing to $29.99 as an introductory rate. That price will rise as we publish additional Parts in the future. Because you’re essentially paying a one-time fee for a lifetime subscription, the final price will be around $60-$65. The first Part alone is 175 pages long, so we’re anticipating a pretty deep, involved book by the time we reach the end.