Business requires trust, but knowing whether your vendors merit that trust is difficult. With the rise of information technology, the ways in which trust can be broken, intentionally or unintentionally, have multiplied and become more complex. Vendor risk assessment questionnaires are one method for verifying that third parties follow good information security practices so your business can weigh the risk of entrusting them with your data.
Vendor risk scoring is a practice that has emerged to address the complexity of vendor management by assigning vendors a single score, typically a number or letter grade, to facilitate comparison between vendors and portfolios. The past decades of digital transformation have provided both the need for innovative IT security hygiene assessment techniques and the technological capabilities to gather and analyze the data necessary to give those risk scores predictive power. Vendor solutions have now reached a level of maturity at which they are valuable for businesses of all sizes and sectors.
In managing cyber risk, it’s not enough to ensure that your business’s systems and enterprise web presence are secure. You must look beyond your perimeter and properly vet the third- and fourth-party vendors who will have access to your data without being subject to your governance. If an organization outsources technological functions to third parties, or uses them in its supply chain or data handling, the risk is compounded by these parties’ weaknesses. The 2013 Target data breach, which began at an air conditioning subcontractor, is a well-known example, but the danger of third-party vendor risk has only increased. More third-party breaches are being discovered than ever before.
Modern enterprise data centers are a complex mix of different technologies geared towards accomplishing business goals. Some of these technologies are pricey, big-name business solutions, but some are simple tools and utilities, facilitating processes. Linux sysadmins have been using rsync (remote synchronization) to move and mirror files for two decades, though versions of it now run on nearly every platform. Its lightweight build, small footprint, and usability make it a good choice for simple file copy operations. But this same asset is also a liability for many utilities: designed purely for functionality, they may not automatically account for potential risks to enterprise data. To successfully use rsync in the enterprise means protecting the data being transferred through it from accidental exposure.
It is increasingly hard to trust your technology as it scales along with your business. New servers, network appliances or applications are constantly added to your IT environment in costly efforts to optimize your business needs. With increasingly strict regulatory rules in place, this leaves many of us worried about IT backlash.
Most engineering teams we connect with tell us they do not have any runbook repositories of documentation for logging their processes.
Information technology has changed the way people do business. For better, it has brought speed, scale, and functionality to all aspects of commerce and communication. For worse, it has brought the risks of data exposure, breach, and outage. The damage that can be done to a business through its technology is known as cyber risk, and with the increasing consequences of such incidents, managing cyber risk, especially among third parties, is fast becoming a critical aspect of any organization. The specialized nature of cyber risk requires the translation of technical details into business terms. Security ratings and cyber risk assessments serve this purpose, much like a credit score does for assessing the risk of a loan. But the methodologies employed by solutions in this space vary greatly, as do their results.
It's been a while since we last covered these two leading IT automation solutions—suffice to say, both SaltStack and Ansible have evolved significantly since then. Let's take a fresh look at how they compare when it comes to enterprise-grade IT automation and orchestration.
The emergence of the cyber risk assessment space marks a strategic shift in how enterprises handle digital threats, from traditional, ineffective security-centric approaches to blended frameworks that combine layered security and risk management. Let's see how Cavirin and RiskRecon stack up when it comes to measuring enterprise cyber risk.
According to the Forbes Insights/BMC second annual IT Security and Operations Survey, 43 percent of enterprises plan on redoubling their patching and remediation efforts in 2017, citing patch automation investments as having the best ROI among security technology purchases in 2016. It's not hard to understand why: the same survey reveals that known security vulnerabilities continue to cause the majority of data breaches and security compromises. Rapid7 and Qualys are two leading cybersecurity vendors in the vulnerability management space—let's see how they stack up in this comparison.
Penetration testing (pen testing) is crucial for developing and maintaining hardened, attack-resilient systems—these can be applications, nodes, or entire networks/environments. Specialized tools are readily available for discovering vulnerabilities and security gaps in these systems; in this comparison, we'll compare Arachni and OWASP Zed Attack Proxy (ZAP), two popular security suites for application-level pen testing.
Unless you've been hiding under a rock in a datacenter from the last century, chances are you've heard of Docker, the leading software container solution on the market. And if so, you've likely heard of its chief competitor CoreOS as well. Let's see how the two stack up in this comparison.
As pure play digital businesses, SaaS vendors live and die by their uptime and availability; fortunately, a plethora of tools are available these days for monitoring and troubleshooting the entire stack. AppDynamics and New Relic are two leading application performance management (APM) tools for tuning and diagnosing modern software applications—let's see how they hold up in this head-to-head comparison.
We've covered more than a handful of IT monitoring solutions, but few dominate their categories like SolarWinds and Microsoft SCOM, the two contenders in this match-up. From the network to the servers and applications, SolarWinds' suite of solutions ensures that the whole stack is performing optimally; similarly, SCOM/System Center 2016 provides monitoring across applications, workloads, and infrastructures. Let's see how they stack up in this head-to-head comparison.
IT admins managing expansive infrastructures require specialized tools for discovering IT assets living in their environments—no trivial task, considering the myriad of nodes connected at any given time: guest laptops, mobile devices, dev/test servers, virtual machines, old desktops, and more. Cybersecurity suites such as ForeScout and Tanium have made infrastructure discovery and visibility their bread-and-butter; let's see how they stack up in this comparison.
In a recent report by Forbes and BMC, known vulnerabilities were cited as the leading cause of data breaches, accounting for 44 percent of security incidents. These statistics underscore the importance of proper vulnerability management; judging by the continued failure of organizations to properly patch/update their software and systems, the practice is easy in theory but hard in practice. Tripwire and Qualys are two cybersecurity vendors with a keen focus on keeping vulnerabilities in check—let's see how they stack up in this comparison.
The enterprise's infrastructure monitoring needs have evolved drastically over the years; more often, firms need operational intelligence regarding the health and performance of a myriad of IT assets: physical/virtual servers, applications/services, security devices, and more. System Center Operations Manager (SCOM) and Splunk are two leading solutions on the market for monitoring datacenter health and performance; let's see how they compare for keeping the enterprise IT ship afloat.
You may have heard that perimeter security is dead, but rest assured, IT folks aren't about to do away with their corporate firewalls just yet. The perimeter is just one—albeit critical—dimension of your organization's digital attack surface, and endpoint security is no less important, especially with the continued enterprise adoption of cloud and mobile technologies. Tanium and IBM BigFix are competing solutions in this space that were, interestingly, born from the same progeny.
Data analytics continue to play an integral function in cybersecurity—from SIEM to advanced network-based intrusion detection (NID), today's leading solutions are heavily reliant on data science-backed, actionable threat intelligence to detect and mitigate cyber attacks. Varonis is one such vendor whose platform revolves around cybersecurity data analytics; let's see how it holds up against leading security vendor Tripwire.
Ticketing systems are essential to today's enterprise IT help desk operations—without them, service requests and issues would end up lost inside a flurry of emails and handwritten notes. Both JIRA's Service Desk and ServiceNow are leading solutions in this category; the latter has a 25% share of the IT service management (ITSM) market, while Atlassian—though more software developer-focused—is a household name when it comes to project management and collaboration tools.
Network and perimeter-based security remains a crucial pillar of enterprise resilience, but with the rise of new computing models like the cloud and mobile, more emphasis is being placed on protecting endpoints than ever before. And with business processes and communications increasingly taking place outside of traditional firewall boundaries, vendors like Carbon Black and CrowdStrike are focused on protecting these potential cyber attack entry points wherever they may be, inside or outside the perimeter network.
More often, catastrophic outages and security compromises can be traced back to simple misconfigurations and unpatched systems. This isn't to say that elements like pilot error and the workings of nefarious actors are not common—they certainly are—but IT asset misconfigurations tend to be the lowest common denominator in most of these scenarios. That being the case, a plethora of solutions focus on systems management for maintaining strong security and quality of service. Tanium and Microsoft System Center Configuration Manager (SCCM) are two such solutions competing in this space.
Effective cybersecurity is no longer relegated to deep-pocketed enterprises—a myriad of open source solutions can offer adequate protection to the most cash-strapped of organizations. That said, there are some capabilities free just won't get you, but how critical are they in the grand scheme of cyber resilience and are they worth the price tag? Tripwire and OSSEC are two popular solutions on opposite sides of this spectrum; let's see how they stack up.
When it comes to IT service management (ITSM) platforms, the two main contenders that usually come to mind are ServiceNow and BMC Remedy. Not surprisingly, these two vendors collectively own 50% of the ITSM market, according to Gartner's latest numbers. Let's find out how they compare in helping operations support and deliver enterprise IT services.
To survive in today's cyber threat landscape, enterprises increasingly rely on layered defenses to smooth out attack surfaces. A variety of tools are available to cover all parts of the security continuum: security information and event management (SIEM), security configuration management (SCM), vulnerability detection, and more. Tripwire and RedSeal are two platforms that cover different, but equally important, aspects of enterprise security—let's see how they stack up in this comparison.
It's not uncommon for organizations to encounter hundreds of security incidents on a daily basis—from the trivial poking and prodding of script kiddies to nefarious activities that constitute the inner workings of advanced persistent threats (APTs). Transforming this volume of data into actionable information is impossible without the assistance of security intelligence, specifically, the analytic capabilities of security information and event management (SIEM) tools. AlienVault USM and IBM QRadar are two leading platforms that focus heavily on these areas—let's see how they stack up in this comparison.
Log management solutions play a crucial role in an enterprise's layered security framework—without them, firms have little visibility into the actions and events occurring inside their infrastructures that could either lead to data breaches or signify a security compromise in progress. Splunk and ELK (a.k.a. BELK or Elastic Stack) are two of the leading enterprise solutions in this category; let's see how they stack up in this comparison.
Fee versus free, how do the two compare when it comes to intrusion detection? Specifically, how does the open source Advanced Intrusion Detection Environment (AIDE)—commonly referred to as the free Tripwire replacement—stack up against Tripwire Enterprise, the longstanding leader in this category?
How does the fourth-largest network security company by revenue hold up against the first cybersecurity firm certified by the U.S. Department of Homeland Security? Fortinet's appliances and next generation firewalls (NGFW) have made it a category leader in unified threat management (UTM); let's see how they stack up against FireEye's comprehensive suite of enterprise security solutions.
When it comes to modern software development, collaboration is the name of the game; to this end, development teams have a more than ample selection of tools at their disposal these days. With a user base in the double digit millions, GitHub is the perennial favorite for sharing, collaborating, and repositing code, but the recently revamped Visual Studio Online—now known as Microsoft Visual Studio Team Services (VSTS)—may soon be stealing some of its thunder.
It's been said that to defeat cyber attackers, you must think like them. For most organizations, this seldom is the case; efforts to bolster cybersecurity measures rarely go beyond implementing stronger controls, training employees to be vigilant, and—on occasion—hiring outside firms to assist in security testing efforts. However, for firms intent on staying one step ahead of nefarious actors, penetrating their own network defenses on a regular basis is crucial to maintaining continuously effective security. To this end, Metasploit and Nmap are two popular tools that enable firms to diagnose critical security gaps before they lead to data breaches.
Cylance and Tanium—both firms are in the billion dollar valuation club, but what does this buy in terms of cybersecurity? Tanium claims 15 seconds to visibility and control, while Cylance combines AI and machine learning with endpoint protection. Let's find out if these security vendors' solutions can give organizations a fighting chance in a digital world fraught with cyber threats.
As the dominant cloud vendor by market share, AWS—in efforts to rein back control of its public cloud ecosystem—has expanded its plethora of built-in console offerings to go head-to-head with leading 3rd party-developed tools. For example, Amazon Inspector now enables native automated security assessments while AWS CodePipeline offers continuous delivery and release automation services, all from within AWS. And for keeping a keen eye on EC2 instances and applications, there's Amazon CloudWatch for native monitoring of AWS cloud resources. Let's see how it stacks up against Nagios, the leading open source infrastructure monitoring platform.
When it comes to public cloud offerings, few vendors can hold a candle to AWS and Microsoft Azure's dominance in the infrastructure as a service (IaaS) space. However, neither has offered much in terms of hybrid/private cloud platforms and tools—until now. OpenStack has long filled this void with its open source cloud computing platform, but Azure Stack's arrival may finally spell an end to its dominance in the category.
In our previous piece 10 Essential Steps for Configuring a New Server we walked through some of the best practices to follow when setting up a new Linux server. But how can you tell if your server is set up correctly? More importantly, how can you ensure those initial configurations don’t drift over time? With UpGuard, you can do both at any scale, so we’ve created a policy within our cyber resilience platform to match our 10 essential steps as an example of how we can help organizations control their IT environments.
15 second visibility versus three decades of infosec experience, which will ultimately prevail? Tanium claims it can provide security teams with visibility and control over every endpoint in 15 seconds or less, regardless of network size; Intel Security is of course the venerable McAfee, rebranded/repositioned after being acquired by its current namesake in 2011. Find out how these two compare when it comes to protecting today's enterprises against cyber threats.
Linux admins have always relied on the command line to manage their systems. While not as immediately intuitive as a GUI, command line interfaces (CLIs) open up the real power of computing with a slew of versatile commands that can be chained together for nearly any purpose. GUIs, on the other hand, are limited to the nearly always reduced functionality developers built into the buttons and screens. This model makes sense, since only some people will need the “advanced” capabilities of the command line, while others perform only a few tasks over and over with a minimum of knowledge about the software. Regular command line users develop a sense of how to best use the commands over time, but with this UpGuard primer, even dabblers can take advantage of some quick tricks using these five basic Linux commands.
Effective cybersecurity these days is a complex and multifaceted affair involving a myriad of approaches: intrusion detection/prevention, vulnerability detection, malware mitigation, security configuration management (SCM), security information and event management (SIEM), patch management, file integrity monitoring (FIM), and more. For most organizations, however, the shortest path of least resistance means deploying a consolidated platform combining a multitude of these approaches. Tenable SecurityCenter Continuous View (CV) and Symantec Endpoint Protection are two such offerings.
Cyber security compliance standards exist to protect devices, data and people connected to the internet from the myriad threats facing them every day. For example, regulations like the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards ensure businesses operating in the power industry follow certain guidelines with regard to cybersecurity in order to keep the service they provide reliable. Typically, devices that fall within the scope of these regulations include computers, network devices, and other network-connected devices, such as industry-specific tools, card scanners, etc. But what happens when everything is connected to the network?
Continuous monitoring is critical for ensuring that IT assets and controls meet business requirements and expectations—constantly assessing and validating them for quality, integrity, and security. This involves not only identifying infrastructure bugs and issues, but also issues with applications and their components. Deteriorating software performance and downtime can be just as devastating to the business as a data breach or security compromise, and is quite often a red flag for cyber attacks in progress. Two leading solutions, Datadog and SignalFx, can help you spot and decipher the smoke signals before your business goes up in flames.
When it comes to compliance, passing audits means providing adequate documentation that you've taken the necessary steps to secure your environment. Sometimes creating this documentation can be just as difficult as enacting the security measures themselves, so software solutions exist that are supposed to streamline the compliance documentation process and make it easy for both companies and auditors to determine compliance. Tripwire offers a compliance solution with their suite of products, while Industrial Defender, now owned by defense contractor Lockheed Martin, offers their Automated Systems Manager (ASM) product.
Despite espousing a common, layered approach to security these days, most enterprise security suites have taken markedly divergent paths to essentially arrive at the same location. For example, some solutions started out as intrusion detection and protection systems (IDPS) and gradually added on vulnerability detection and security information and event management (SIEM). Others began as penetration testing (pentesting) tools—or have built their offerings around pen testing—and similarly expanded their solutions to include other security mechanisms like endpoint protection and anomaly detection. Core Security and Rapid7 are two such enterprise security suites; let's see how they stack up in this comparison.
Most of us take SaaS availability and uptime for granted: we assume that our favorite cloud-based tools will always be available when we need them. For cloud service providers, however, meeting these expectations is a magnanimous effort, usually involving elaborate CI/CD toolchains and sophisticated frameworks for failover and continuity. Application performance monitoring (APM) solutions form part of these frameworks—in this comparison, we'll take a look at two such popular offerings, AppDynamics and Dynatrace.
Continuous security and vulnerability detection—both Tenable and Qualys have built industry-leading suites around these two cybersecurity disciplines. The latter in particular serves as a focal point for both vendors, with Tenable SecurityCenter and Qualys Enterprise going head-to-head for the top slot in the vulnerability management category. Let's see how the two stack up in this comparison.
Continuous Integration (CI) is one of the formative concepts behind DevOps, driven by a need to regularly integrate new and changed code back into the master repository, and is often combined with Continuous Delivery (CD) to achieve faster and more stable builds with automation. Teams compile software, and run it through a series of tests in a production-identical development environment to ensure the success of the build. The logic behind this is wonderfully simple, though it only came about in response to the problems of the traditional deployment cycle: the more often you build and test during development, the less you have to worry about each time. Instead of having a D-Day, where the software will finally be compiled and run in production for the first time, continuous building and testing makes the go-live date just another routine deployment.
Log analysis and security information and event management (SIEM) tools have become staples of enterprise cyber resilience programs. For vigilant organizations, having infrastructure visibility into the transactions occurring behind the scenes is instrumental to maintaining a strong security posture. Splunk and SumoLogic are two leading platforms that serve this critical purpose—let’s revisit them to see how their current offerings stack up.
Monitoring tools have come a long way since the early days of Big Brother. Today's solutions have evolved into powerful software troubleshooting and performance analytics platforms capable of deconstructing and analyzing the entire application stack—infrastructure up—for bugs and issues. Datadog and New Relic are leading vendors in this category; let's take a look at the two and see how they stack up.
People seem to have a hard time deciding what DevOps even is, much less how (or whether) it compares to a highly structured methodology like ITIL. To answer the big questions up front: no, you don’t have to choose between DevOps and ITIL; no, DevOps is not replacing ITIL or vice versa; no, DevOps will not solve all the problems of an ITIL environment, and no, DevOps will not be perfected by implementing ITIL. But building good IT processes is the key to resilience, and UpGuard can help.
As perimeter-based cyber protection falls by the wayside, a new breed of continuous security solutions is emerging that combines traditional endpoint protection with newer technologies like security information and event management (SIEM) and crowdsourced threat intelligence. These next generation security platforms attempt to address the needs of both traditional on-premise data centers as well as organizations with entire IT infrastructures in the cloud. Two vendors—AlienVault and Tenable—have products on the market that fall in this category. Let's see how they stack up in this comparison.
Services are the programs that run in the background on servers. All OSes come with a set of base services and most software utilizes services as well. Effectively managing servers means controlling these services—knowing what is there, what should and shouldn’t be running, whether or not services will automatically start on (re)boot and who the services should and shouldn’t run as. We’ll go through each of these pieces to see how a strong service management policy can help reliability and security in the data center and how configuration management and testing is key.
This article is part of our ongoing How-to series that focuses on ways to keep your environment ready and yourself sane in real world scenarios.
Most people associate DevOps with open source platforms and applications and with good reason. In the foreword for the book Continuous Delivery with Windows and .NET, Dave Farley, who literally wrote the book on continuous delivery, writes, “I think it fair to say that some of the initial innovation in the Continuous Delivery space came from the Open Stack community.” But Microsoft has been pushing itself as a viable option for continuous workflows, offering its Azure cloud platform and its Visual Studio Online products as alternatives to Linux-based solutions.
Who provides better continuous security: the world's largest maker of networking equipment or the first cybersecurity firm certified by the U.S. Department of Homeland Security? Due to key acquisitions over the years, both Cisco and FireEye possess a comprehensive suite of enterprise security solutions. In this article, we'll find out how they stack up against each other when it comes to continuous enterprise cyber threat protection.
In terms of what they do and how they work, Tripwire and Puppet have little overlap. Tripwire is for monitoring changes and Puppet is for configuring servers. The reason for tracking changes and configuring servers, however, brings them together as two approaches to compliance automation and, ultimately, reducing risk in computing systems. We’re going to compare Tripwire to Puppet here, not as identical tools, because they have mostly different functionality sets, but in terms of how they fit into an IT environment.
Users of Intel Security’s McAfee Vulnerability Manager (MVM) have a choice to make before that product hits end-of-life in early 2018. They can either follow Intel Security to Rapid7’s Nexpose vulnerability monitor, or reassess their needs and choose a new direction altogether. Either way, IT operations for those customers should plan on a migration away from MVM within the next two years, which in most cases is enough work to justify at least examining the field of vulnerability management products. Tenable, with their SecurityCenter, has been a major competitor in this field, piggybacking on the success of their industry-standard Nessus vulnerability scanner.
With 13% of the overall web server market share, the high performance open source HTTP server Nginx is a rising star in the pantheon of web server heavyweights. Even the most hardcore of Microsoft aficionados are dropping IIS in favor of Nginx in Windows Server environments; for those with stringent performance/speed requirements, Nginx can't be beat. But like all web servers, the fastest growing solution on the market is not without its security shortcomings. The following are the top 10 ways to harden Nginx for Windows.
It goes without saying that you should always be on top of required updates—we're a couple months into 2016 and Apple has already issued major security updates for OS X and iOS. In some cases, however, users may be partial or restricted to their particular flavor of Apple's flagship OS. Whether you're running Snow Leopard, Yosemite, or El Capitan, the following are 10 tips for fine tuning your OS X instance for a better security posture.
Adding a little bit of structure into one's affairs never hurts, especially when it comes to IT business processes and assets. To this end, various frameworks offer blueprints for achieving key organizational objectives like compliance and security. Three of the more popular frameworks—COBIT, ITIL, and TOGAF—are widely used by enterprises in this regard—let's see how they compare when it comes to bolstering cybersecurity and digital resilience.
Upon its release, Windows 7 was hailed as "the most secure Windows ever"—true enough at the time, but its predecessor Windows Vista didn't exactly set a high bar security-wise. Nonetheless, the updated OS shipped with literally hundreds of security changes and additions, addressing the needs of a more security-conscious home and business user base with features like AppLocker, BitLocker Drive Encryption technology, and more. Despite these improvements, Windows 7 has its own set of critical vulnerabilities—here are the top 11 on the list and how to fix them.
Though Windows Server 2008—with features like hard drive encryption, ISV security programmability, and an improved firewall—is a significant leap forward in terms of security when compared to its predecessor Windows Server 2003, it is certainly not without its own security flaws. The following are the top 20 critical Windows Server 2008 vulnerabilities and tips on how to remediate them.
Apache Tomcat is the leading Java application server by market share and the world's most widely used web application server overall. Currently at version 8, the popular web server has not been without its security flaws, perhaps most famously publicized in this incident of aircraft hacking by security researcher Chris Roberts earlier this year. However, hardening Tomcat's default configuration is just plain good security sense—even if you don't plan on using it on your plane's network. The following are 15 ways to secure Apache Tomcat 8, out-of-the-box.
According to Web3Techs, Nginx is the second most popular web server platform behind Apache, which is quite a feat considering the latter’s longstanding footprint in this arena. That said, more high performance websites are using Nginx over Apache for content and application delivery services, and its adoption rate has been steadily increasing over the years for good reason: it’s fast (blazingly so), lightweight, and available on all major OS platforms. The following are 10 important tips for hardening your Nginx deployment against the threat of cyber attacks.
In the pantheon of open source heavyweights, few technologies are as ubiquitous as the MySQL RDBMS. Integral to popular software packages like WordPress and server stacks like LAMP, MySQL serves as the foundational data platform for a vast majority of websites and cloud services on the internet today. Unfortunately, its popularity translates to more commonly known attack vectors and security exploits —the following are 11 ways to shore up MySQL security and protect your data more effectively.
Traditional IT security mechanisms are simply ineffective at protecting today's enterprise cloud and hybrid infrastructures against cyber attackers. For this reason, numerous upstarts have risen to the challenge with innovative approaches to implementing security in the data center and beyond. Two leaders in this category—Tanium and CloudPassage—utilize peer-to-peer and botnet-based technologies for quicker breach detection and remediation. Let's see how the two stack up in this comparison.
It's been said many times before, but is always worth repeating: enterprises need a layered approach to security for combating today's cyber threats. Illumio ASP and AlienVault USM provide just that: working in conjunction with traditional security solutions like firewalls and IDS/IDPS solutions (or in USM's case, providing its own), the two platforms further smooth the attack surface area with features such as policy-based controls, security analytics, and crowd-sourced threat intelligence, among others. Let's see how they stack up in this comparison.
Hackers as portrayed on the big screen are usually sitting hooded in front of a monitor with sleek, shiny black hat tools laid out on the screen. Though in reality such tools in past years were mostly CLI-based, a new generation of penetration testing (pen testing) and ethical hacking tools feature both slick UIs and powerful functionality for testing cyber security controls and posture. In this comparison, we'll look at two of the best: the Kali Linux and BackBox Linux pen testing and ethical hacking distros.
As Redmond's flagship RDBMS solution, SQL Server provides the underlying data platform for a broad range of Microsoft enterprise solutions— from Sharepoint to BizTalk Server. This, of course, makes bolstering SQL Server security a critical necessity for protecting MS-centric infrastructures against attackers. To this end, the following are 11 ways to harden MS SQL Server 2008 security.
The twelfth major release of Apple's flagship desktop and server operating system dropped on September 30th, 2015, bringing with it a host of new and improved features like Split View, a smarter Spotlight, Metal for Core Graphics, and under-the-hood performance improvements, among others. Alas, benefits do not come without a price—in this case, a myriad of security issues and exploitable vulnerabilities. The following are the top 10 of the lot followed by remediation tips.
PostgreSQL may be the world’s most advanced open source database, but its 82 documented security vulnerabilities per the CVE database also make it highly exploitable. Granted, the popular object-relational database is considered superior to others when it comes to out-of-the-box security, but proper measures are still required to protect web applications and underlying data. The following are 10 common ways to secure your PostgreSQL implementation from cyber attackers.
Network Protocol Analyzers (a.k.a. traffic packet analyzers or sniffers) are essential instruments in the network and/or security professional’s toolbox. The ability to examine traffic in motion across a network is critical for optimizing network topologies, troubleshooting malfunctioning or poorly-performing applications, and perhaps most importantly—identifying and mitigating cyber attacks. In this comparison, we’ll look at two leading network protocol analysis tools—Wireshark and Netcat—to see how they stack up against each other.
Solaris 10 is the most widely deployed Unix operating system on the market, despite flip-flopping between open- and closed-source status multiple times between versions. Notwithstanding, users are well-advised to stay proactive in bolstering the security of deployments. The Center for Internet Security (CIS) provides guidelines for a wide range of enterprise software that can be helpful in this regard—the following are 10 of its security benchmarks for Solaris 10.
OS X may be considered Apple's desktop OS magnum opus, but it certainly hasn't been without its share of vulnerabilities (1,250 to date per the CVE database). The following are the top 11 OS X vulnerabilities and exploitation prevention tips.
Despite crossing over the half-decade mark since its release, Red Hat Enterprise Linux (RHEL) 5 is still in widespread use—and will continue to be supported by Red Hat through November 30th 2020. Security enhancements in later versions of RHEL like improved Security Enhanced Linux (SELinux) and virtual machine security (i.e., Svirt) warrant a timely upgrade, but organizations unable to do so can still bolster RHEL 5 for a strong security posture.
When it comes to software, certain key attributes serve as a litmus test for enterprise-readiness—quality and breadth of support, reporting and policy management capabilities, and scalability are common, among others. Three characteristics in particular are also increasingly important to enterprise automation solutions: the graphical user interface (GUI), integration capabilities, and security.
As the two leading IT automation platforms by market share, Chef and Puppet have been compared against each other extensively—for UpGuard’s recent take, please see Puppet vs. Chef Revisited. In this comparison, we’ll instead approach matters a little differently by comparing and contrasting Hosted Chef—the SaaS version of the product—with the full-fledged, flagship Puppet Enterprise offering.
A long time ago in a datacenter far, far away, developers and operators were writing specialized scripts by hand to manage IT resources. Configuration management (CM) and automation tools integrated these processes into streamlined solutions for delivering repeatable, rapidly deployable IT environments. Well, times they are a changin’ again, and automation tools have evolved—this time into comprehensive IT lifecycle management platforms for automating resource deployment from bare-metal to the application stack.
In case you haven’t heard, Microsoft loves Linux. Recent news around Redmond’s new modular Linux-based operating system for datacenter networking have been making the rounds, but for those in the know—the announcement is hardly a surprise. With the open source operating system’s happy feet casting huge footprints in the enterprise cloud—coupled with the rise of SDN—it’s clear that embracing Linux is a key strategic imperative for Microsoft. But its recently publicized love affair with Linux is hardly a new one.
Users of the highly popular Windows-based compression/decompression utility WinRAR be warned: a newly-discovered vulnerability could allow remote attackers to compromise Windows systems by exploiting a remote code execution (RCE) flaw. Despite this, RARLab has not issued a patch yet and doesn't plan on doing so. Is this a case of vendor negligence or an overhyped security alert?
Ruby-on-Rails—it’s modular, expressive, and broadly supported by legions of loyal developers. From Twitter to GroupOn, many of the world’s most trafficked websites have relied on Rails to deliver scalable and highly available web services. But as GitHub discovered a few years back, the language/framework is not without its security flaws—65 to date, per the CVE database. Here are the top 15 and how to remediate and/or prevent them from being exploited.
Java—love it or hate it, it isn’t going anywhere. Despite being hailed as “the biggest vulnerability for US computers” by CSO magazine, it’s currently back in pole position as the most popular developer language on the market. Of course, this has mostly to do with the rise of Android, as traditional Java web apps have been steadily losing market share to newer languages and stacks over the years. However, Java is still popular with developers and cyber attackers alike: it’s well understood, extensively documented, and unfortunately highly exploitable.
Microsoft Internet Information Server (IIS) is widely used in the enterprise, despite a less-than-stellar reputation for security. In fact, for many “IIS security” is a contradiction of terms—though in all fairness, Microsoft's web server solution has improved significantly over the years. IIS 8.5 for server 2012 R2 and IIS 10 for 2016 have been hardened and no longer present the dangerous default configurations of older IIS iterations, but can still be further tightened. By following these 10 steps, you can greatly increase security for your IIS web apps and servers.
Docker may not be the solution to ending world hunger, but the recent myriad of strange and remarkable use cases for it might have you thinking otherwise. From managing Raspberry Pi clusters to facilitating genome sequencing and cancer research, these top 11 weird and wonderful uses for Docker illustrate the technology's amazing versatility across a variety of innovative and irreverent applications.
According to Netcraft’s 2015 web server statistics, 47.7% of all websites are using Apache—making it the most popular web server in the world. Ubiquity has its price, however: the open source project is under the constant scrutiny of both malicious actors and security professionals alike.
The Open Web Application Security Project (OWASP) is a well-established organization dedicated to improving web application security through the creation of tools, documentation, and information—the latter of which includes a yearly top 10 of web application vulnerabilities. The following is a compilation of the most recent critical vulnerabilities to surface on its lists, as well as information on how to remediate each of them.
A typical organization’s environment consists of a myriad of applications and services, each with its own unique set of ongoing vulnerabilities and flaws that could ultimately lead to a data breach. This can make IT security and operations’ job difficult, as different departments and groups within a company may utilize specific software offerings to accomplish their job functions. Fortunately, a consolidated database of vendor-specific software vulnerabilities exists—the Common Vulnerabilities and Exposures (CVE) repository: a public information security resource developed and maintained by Mitre Corporation.
Java consistently gets a bad rap when it comes to security—but considering half of enterprise applications in the last 15 years were written with the language, its pervasiveness (and commonly-known attack vectors) may be more to blame than Java’s inherent security weaknesses alone. That said, new approaches are being developed (e.g., Rask, Waratek) to improve Java web application security at the Java Virtual Machine (JVM) level, but for most organizations—instituting traditional security defenses for Java applications can help protect against the majority of Java-related exploits.
This is a clash of virtualization titans: one virtual machine, the other a containerization technology. In reality, both are complementary technologies—as hardware virtualization and containerization each have their distinct qualities and can be used in tandem for combinatorial benefits. Let’s take a look at each to find out how they stack up against each other, as well as how the two can be used in tandem for achieving maximum agility.
Genuine Windows 7 or Windows 8/8.1 owners are in for a pre-holiday treat from Microsoft: a free upgrade to Windows 10, no strings attached. Security-conscious users will appreciate some new features that enable better security—namely Windows Device Guard, Hello, and Passport. Despite these nifty additions for bolstering one’s desktop security posture, Windows 10 certainly hasn’t been without its own critical security flaws.
Windows 10 made its debut back in July and has since garnered some generally positive reviews, though the release hasn’t been without its share of vulnerabilities. For IT and operations, this means (begrudgingly) supporting/hardening another variant of the Windows OS on an ongoing basis. Even in homogeneous Windows-only environments, managing vulnerabilities and patches across different OS versions can be a daunting affair. The following can serve as a practical starting point for protecting today’s Windows-based infrastructures against cyber attacks.
When we speak of the DevOps and continuous delivery/integration (CI/CD) toolchain, we’re referring to a superset of tools—many with overlapping capabilities—for helping organizations achieve faster and safer deployment velocity. This encompasses a broad range of solutions: provisioning tools, orchestration tools, testing frameworks, configuration management (CM) and automation platforms, and more. Comparisons between CM products usually steal the show (e.g., Puppet vs. Chef), but in this case we’ll compare two orchestration and management tools for provisioning infrastructures: Terraform and CloudFormation.
Popular high-level Python framework Django is widely lauded for its ease-of-use and pragmatic design, but like all software it is susceptible to its own share of critical vulnerabilities. Built completely with Python, the MVC framework has a sizable community and can be extended with app plugins for additional functionality. Ubiquity has its price, however—in this case, Django's open source popularity means that default attack vectors are also widely known.
So you’ve done your research and settled on Puppet as your configuration management (CM) and automation tool of choice. But it comes in 2 flavors: a commercial enterprise product and a free open-source version. Can free beat fee in this case? Let’s dig into the details to help inform your decision.
Part One of Getting Started with Docker introduced some features of the Docker solution that make it unique from VMs and other comparable technologies. In this follow-up article, we’ll take a look at how UpGuard works with Docker containers—both in how we deliver our product to customers, as well as in its built-in integration capabilities for simplifying tasks like creating Dockerfiles, among others.
Heavy hitters FireEye and Tripwire are unique contenders in the security offering lineup– both were the first to develop novel approaches to IT security that have since been emulated industry-wide: FireEye was an early innovator of virtualization and sandboxing technologies as applied to security, while Tripwire was the first to bring a commercial host-based intrusion detection system to market. We’ll take a closer look at the two and compare/contrast each respective solution’s strengths and weaknesses.
Many enterprise software hopefuls tackle the final stretch to becoming a mature offering through the development of an easy-to-use management GUI. This is especially true of DevOps and automation tools, as quite a few solutions have recently rounded out their platforms with web-based UI consoles for easier, visual management of resources and services.
Despite seeming like somewhat of a no-brainer, using the power of the cloud to combat cloud-based security threats has really only come into vogue recently. As organizations continue to move their infrastructures out of physical data centers into the cloud, traditional methods for securing IT resources are becoming increasingly ineffective. Using cloud-based collective intelligence and virtualization to inform threat detection methods is fast becoming a standard practice, and for many security products—a central ingredient to an effective multi-pronged approach to combating cyber attacks.
Puppet and Chef have both evolved significantly since we covered them last—suffice to say, we’re long overdue in revisiting these two heavy-hitters. In this article we’ll take a fresh look at their core components along with new integrations and expansions that continue to position them as leading enterprise IT automation platforms.
Either you’re reading this because the question has been puzzling you secretly, or you’ve arrived to protest this admittedly incongruous comparison. Fortunately, both sides of the fence are covered here. In this article we’ll compare and contrast their features and benefits, but not before clearing up some popular misconceptions about the two big data platforms. We’ll then delve into each respective platforms’ attack surfaces/vulnerabilities and evaluate them from a security angle.
The information security (infosec) space is for the most part divided into two camps: established players using a combination of old/new tactics for combating cybercrime, and market entrants attempting to rethink security from the ground up. Attack methods are increasingly sophisticated and require novel approaches for detection and remediation—since very little is understood about the next generation of threats, opportunities abound for both incumbent leaders and upstarts alike. And with targeted attacks and advanced persistent threats (APT) on the rise, newer players with innovative approaches to security are seeing ample opportunities for supplanting longstanding market leaders and their aging security products.
Splunk and Sumo Logic are two competing big-data analytics, machine data, and log management solutions designed mainly for IT operations and security use cases. Albeit fierce competitors on many fronts, the two also take different approaches to the problem space and cater to slightly different markets. Splunk is more enterprise-focused and geared towards on-premise solutions, whereas Sumo Logic is the plucky, innovative startup with a cloud-based offering at lower price points. Let’s look at them in more detail.
How good can free be? Or perhaps a more fitting question is whether free can be good enough for securing one’s enterprise against current and future threats. To answer this, we’ll be comparing the popular open source host-based intrusion detection system (HIDS) OSSEC with commercial offering Tripwire Enterprise to find out if that pretty penny spent can indeed lead to a stronger security posture.
As information security (infosec) models continue to evolve in response to the expanding threat landscape, new generations of tools are emerging that take different approaches to securing IT infrastructures. The question for legacy security vendors is how well their respective solutions will hold up in the face of today and tomorrow’s threats, and whether emerging models will supplant long-standing approaches to security. Many existing solutions were created before the advent of the cloud, and though effective for years—hold diminishing value as new attack methods like polymorphic malware and advanced persistent threats (APT) become increasingly commonplace. This dire need for innovation in the security space is giving upstarts like Tanium ample traction, even as stalwarts like Tripwire augment and retrofit their solutions to address a new era of threats.
In a few short years DevOps has gone from a fringe movement to a must-have for any IT leader. There's a lot of buzz around it, but there's a lot of practical knowledge in there as well. Provisioning environments, deploying applications, maintaining infrastructures--these are all critical yet delicate tasks traditionally done by hand. What if we could get a machine to do all that stuff for us, not just saving hours of work but also removing the element of human error?
The following is a comparison of two leading open-source host-based intrusion detection systems (HIDS): Open Source Tripwire and OSSEC. Both are competent HIDS offerings with distinct benefits and drawbacks that warrant further analysis.
The following is a tale of two heavyweights in the CM arena: Microsoft’s Systems Center Configuration Manager (SCCM) and Chef. But even a big fish like Chef is still a minnow compared to the whale that is SCCM, which runs on about two-thirds of enterprise organizations. This is largely due to the fact that as a Microsoft product, SCCM rides on the dominance of Windows desktop and server. It’s nevertheless a truly useful product, though it may be overkill– and also horribly expensive– for smaller organizations. This is where open source solutions like Chef come in, offering a pay-per-node pricing structure that is much more cost effective than SCCM. Let’s dive into the details.
Due to the sophistication of today’s data breaches and intrusions, implementing and maintaining network security more often requires a multi-tiered approach; companies securing their networks often use a combination of technologies to combat the myriad of cyber attack, intrusion, and compromise methods available to cyber criminals today. Though a variety of tools and methodologies exists, the two common elements to all secure enterprise network configurations are the firewall and the intrusion detection/prevention system (IDS/IDPS). Firewalls control incoming and outgoing traffic based on rules and policies, and act as a barrier between secure and untrusted networks. Inside the secure network, an IDS/IDPS detects suspicious activities to/from hosts and within the traffic itself, and can take proactive measures to log and block attacks.
Chef is one of the most widely-used CM tools today, arguably playing second fiddle to the mighty Puppet. The tool is written in Ruby and Erlang, uses a pure-Ruby DSL in the Knife CLI, and includes a nice GUI for easy management. Developers and DevOps types will prefer using Chef, much more so than sysadmins.
Like many configuration management and automation tools, Ansible was originally an open-source project for automating IT infrastructures and environments. As it began to gain a foothold in the enterprise, parent company AnsibleWorks expanded commercial support for the product. Currently their solution consists of two offerings: Ansible and Ansible Tower, the latter featuring the platform’s UI and dashboard. Despite being a relatively new player in the arena when compared to competitors like Chef or Puppet, it’s gained quite a favorable reputation amongst DevOps professionals for its straightforward operations and simple management capabilities.
The configuration management (CM) stage is seeing a lively assortment of players as of late. Fueled by the zeitgeist of DevOps, tools are experiencing growing pains and/or maturing into full-fledged commercial enterprise offerings, for better or worse. Some are slowly encroaching on others’ territory; many are going head-to-head. Others have a more nebulous arrangement-- they may work together but also sport competing features. Foreman and SaltStack are an example of the latter.
Ansible is a newish CM tool and orchestration engine developed and released in 2012 by its eponymous company (previously called AnsibleWorks). Unlike several other CM apps, Ansible does not utilize a master-and-minions setup – this is the main difference between it and the other big boys in the CM arena: Puppet, Chef, CFEngine and Salt.
As we move full-swing into what InformationAge is calling The Year of DevOps Culture, we thought it appropriate to look at some of our favorite DevOps tools and highlight their strongest attributes and perceived shortcomings. A plethora of solutions for configuration management and infrastructure provisioning is available these days-- Puppet, Chef, Ansible, and Salt are a few notable options. Chef is one of the more popular of the bunch, so we’ve put together a list of what we consider its top 5 best and worst attributes.
Puppet Enterprise is a great platform for automating the configuration and deployment of applications to servers, but as a sophisticated infrastructure management tool with numerous interconnected moving parts-- can be a challenge to troubleshoot when things go awry. This is especially true when dealing with cascading errors that are hard to isolate for resolution. What follows is a short list of some of the more common issues one may encounter, and a few tips on how to troubleshoot and resolve them.
Build once, configure once and run anywhere. Sound familiar? Numerous companies have had a crack at this over the years. Sun was the first with Java and JVM: a platform-independent language and runtime environment that enables developers to build programs that are at once compiled and interpreted, allowing them to be run from anywhere a version of the JVM exists. Docker, the latest company to adopt the mantra, has a similar value proposition--except in this case we’re dealing with servers, not code.
When Purdue student Gene Kim and professor Gene Spafford teamed up to build the initial version of Tripwire back in 1992, little did they know their intrusion detection techniques would become industry standards for a $2.71 billion market in 2014, with growth estimates of $5.04 billion by 2019. Clearly the ever-rising threat of sophisticated cyber attacks and security breaches will only broaden the landscape for security solutions over time. Hackers are becoming increasingly clever; on top of this, vulnerabilities will keep surfacing and resurfacing in critical software components.
We’ve been comparing cloud service providers for years now, pitting Rackspace against Azure, Azure against DigitalOcean, DigitalOcean against Linode, and so on down the line to the point that we’re just plum sick of it. Just kidding! Who could ever tire of such a thing? Cloud computing invokes such a rush that it almost takes your mind off of poor, old, dead as an R/C helicopter Radio Shack. And as the cloud space is in constant flux, many of the previous comparisons could be a touch out of date. So we figured our options were either (a) mope around, morosely pondering the inevitability of death and everlasting irrelevance, or (b) hold a Battle Royale to determine the Best Cloud Computing Service for Now and At Least the Immediate Future!
Background Chances are, if you’re shopping for a virtual private server, you already understand why they’re useful for web developers, app designers and everyone in between. You also probably know that the surge in popularity of hourly pricing means you can try most of the big players in this space for yourself for the cost of one Bazooka Joe comic (not even the gum, just the comic). Hopefully you’ve had time to peruse our other comparisons featuring today’s combatants and a few of your other relevant choices.
You’re monitoring your IT infrastructure for changes and errors, right? Of course! You need to know every time something hits the fan; it comes with the territory. You can barely pull up an incognito tab at work without getting an error message. The problem is, a lot of alerts don't apply to you. Hey, but at least you get paged in the middle of the night when a backup server reads low on memory! And that weekend trip you cut short only to find a fix had already been checked in? What a rush!
As with the comparison between AWS and DigitalOcean, this is another example of a giant swiss army knife platform and a smaller, more focused player in the cloud computing arena. As with AWS, Azure offers a breadth of features that you expect from an offering backed by a tech giant, whereas DigitalOcean's product is highly targeted.
The biggest players in the web server business, Apache and IIS, have had the field to themselves for a long time. Now, however, they have to contend with a few seriously capable upstarts, the most prominent of which is Nginx (pronounced ‘engine-x’). This young turk was first developed in 2002 and boasts a growing, dedicated following among many webmasters. Nginx’s popularity is mainly due to being open-source and having the desirable combination of high performance and low resource consumption. It is important to note that Nginx is most often compared to Apache due to its similar open-source philosophy.
With the introduction of Google’s IaaS dubbed Compute Engine, more than one pundit has declared that Amazon’s EC2 giant has finally met its match. (Not that other vendors don't have their own benefits; check out our comparisons — AWS vs. DigitalOcean, Rackspace, and Azure.) It’s true that Google is one of the few companies that can seriously go head-to-head with Amazon and match its computing capacity and prices. But in a significant number of other ways, Google Compute Engine (GCE) is also quite different from Amazon’s EC2. Let’s take a closer look at the two.
DigitalOcean vs. AWS is a David vs. Goliath story with a twist. The plucky upstart, DigitalOcean, faces an established behemoth. Like David, DigitalOcean has a strategy that plays to its strengths while avoiding a direct confrontation with Amazon. But this isn’t a fight to the death. Amazon and AWS address the needs of different audiences, and knowing what each does well will help you choose between them.
Python and Ruby are two of the best examples of the new generation of high-level languages which focus on simplicity and giving the programmer the ability to get things done fast, rather than syntax correctness and strict hierarchy (insert cough that sounds like “Java!” here).
For today’s busy sysadmin, systems health and performance monitoring tools like Microsoft’s SCOM (Systems Center Operations Manager) and the open-source Nagios are invaluable. They enable at-a-glance monitoring of large numbers of servers throughout a network, which is doubly critical in case of a widely geographically dispersed network setup such as in a WAN or MAN. Though they broadly achieve the same goals, SCOM and Nagios come at it from quite different directions.
Ruby and PHP are two of today’s best-known and widely used languages for web development. There are some major similarities between them – they are both dynamically typed, meaning you don’t need to declare variables before using them, they both have exceptions and private and public classes, and they both have extensive standard libraries to call on. See more here. However, they are also quite different in a number of other important ways, as we’ll see by going into detail about the two languages.
This is a tale of a newcomer vs a relative oldie in the Configuration Management (CM) arena. Both are tools to help the sysadmin or devops professional to better manage large numbers of servers. They excel at stuff like repetitive task automation, simultaneous deployment of apps and packages to a group of servers, or configuration and provisioning of new servers from scratch.
Github and Bitbucket are two of the largest web-based hosting services for source code and development projects. Unfortunately, they both don’t support the popular SVN version-control system (VCS). And they take different approaches to private vs. public repositories that affect the ease of collaboration and the risk of data exposure.
When it comes to providing PaaS hosting solutions for Ruby development, Heroku and Engine Yard are the de facto leaders. And they both utilize Amazon’s EC2 as a hardware base. However, they also take different paths to get there – Heroku offers isolated slices of EC2 instances, called dynos, that offer very limited access to the underlying infrastructure. Engine Yard offers a curious PaaS-IaaS hybrid; you have much more access to the underlying VM, you get a full EC2 VM to work with, but at the same time you also get a ready-made environment for application development. Let’s peek under the hoods of both solutions.
MySQL and MongoDB represent two sides of an argument that has been raging recently concerning data storage – the tried and tested relational database vs. non-relational or NoSQL database. They are both open-source products distributed under a version of the GNU GPL, and both are also available as commercial versions offering many more features and corporate support.
Opsworks and Chef are very similar Configuration Management (CM) tools. Opsworks is actually built on the Chef framework, then customized for Amazon’s giant cloud environment AWS. Hosted Chef is an IaaS solution from Chef parent company Opscode, in which they host the Chef server for you, and it in turn manages and communicates with your nodes, which are most likely also hosted in a cloud infrastructure such as Amazon’s EC2 infrastructure. So both solutions are evolutions of the traditional CM tool, now tweaked for cloud-hosted environments. Let’s peek behind their respective curtains.
Cloud computing is no longer the next big thing. As evidenced by all the cloud infrastructure and data centers now being set up by established players like Google with its AppEngine and Amazon with AWS, it is the current big thing. Into this mix are some smaller pioneers like Heroku, started all the way back in 2007 – in cloud computing that’s the late Jurassic period. Let’s compare two PaaS offerings, Heroku and Google’s AppEngine, and see what makes each of them tick.
There has recently been a huge growth in the number of Configuration Management (CM) tools available to the sysadmin or DevOps professional. Well, ‘huge growth’ really means an increase from just 2 or 3 in the early 2000s (CFEngine comes to mind as one of those early pioneers), to about 20 today. Many of these are little-known niche products, but some bigger names like Chef have passionate adherents, and equally passionate detractors.
With the increasing importance of cloud computing, services like Amazon’s EC2 on AWS and Heroku are coming under more scrutiny. Even better for the consumer, the increasing number of such services means more choice in the market. But with this increased choice comes an increased level of confusion, because it’s often difficult to do an apples-to-apples comparison of the various services. Even worse, their offerings aren’t strictly in the same domains, but let’s take a stab at it.
“I love the long time it takes to manually provision a brand new server from scratch!” said no one ever. One of the things that sysadmins and devops have long regarded as a necessary evil is the overhead time wasted twiddling one’s thumbs while waiting for a new server’s creation. With the advent of virtualization and cloud computing and the resultant massive increase in need for computing, the frequency of new-server creation has only increased as well.
Open-source vs. proprietary? In the software universe, this debate has raged on in almost all sub-sectors – OS’s, databases, and even in the CM arena, where SCCM vs. Puppet are two of the heavyweight champs slugging it out. But beyond that philosophical difference in origin, they also take two completely different paths to the destination of easing the sys admin’s life.
Today’s sys admin and devops professionals have to manage, on average, a much larger number of servers hosting a much larger number of applications than their counterparts from as recently as the 90s. Blame this on the exponential growth in computing for organizations, coupled with the emergence of new technologies such as virtualization and cloud computing.
Configuration management (CM) and Remote Execution tools are fast becoming the tools of choice for many a sysadmin or devops pro. If you consider that the point of computing is to make our data management easier, then CM tools are the next level of that logic – they make it easier to manage the large groups of servers that make it easier to manage our data. CM tools are great for all sorts of routine activities in the data center: automation of scripts on a number of servers, remote execution and deployment, provisioning and installing the same software on a bunch of new servers, and so on. CM tools will enable you to execute stuff like: “I have this command I want to run across 100 servers. I want the command to run on all of them within a five second window.
Retail giant Amazon, through its AWS platform, is the largest IaaS and PaaS provider in the world. In early 2013 Amazon announced the rollout of Opsworks, an “Integrated DevOps application management solution”, according to the website (http://aws.amazon.com/opsworks/). In other words, it’s basically a customized CM tool for AWS. This brings it into competition with another CM giant, Puppet Labs, though as we’ll see this may not be the apples-to-apples comparison it initially appears to be.
With the huge growth in virtualization and cloud computing, there has also been a corresponding increase in the average number of virtual machines (VM) that today’s admin has to manage. Manually creating a full VM on today’s virtualizers, like VMware and Hyper-V, is a real pain because they have to take a snapshot of the entire machine config, and then replicate this to another machine. As you can imagine, VM images eat up a lot of space and time.
The sysadmin or devops pro of today typically needs to manage a large number of servers, often automating some tasks or performing the same action several times over, like installing and provisioning a new server, rebooting a set of servers at specific times every day, deploying the same package to a group of servers, and so on. For such busy folks, Configuration Management (CM) tools like Ansible and Salt are absolute lifesavers.
AWS and Rackspace are both giants of the cloud infrastructure services arena. Although, to paraphrase George Orwell’s famous novella, all cloud providers are not created equal. So let’s take a closer look at our pugilists before placing bets or declaring the winner.
Two factors have resulted in a corresponding increase in the number of servers supported by today’s sys admin - virtualization and the massive growth of computing in the organization. Even in small and medium-sized companies, it is not unheard of to have a sys admin supporting 4 servers or so. And of course, this number only goes up as the size of the organization increases. Enter configuration management (CM) tools like Puppet, Chef and Salt. Make no mistake, any of these tools will truly simplify your life as a sysadmin, by automating and minimizing the drudgery of manual server setup and creation. But which one should you go for? As with iOS vs. Android vs. Windows Phone, Xbox vs. PlayStation vs. Wii, each has both diehard loyalists and vociferous critics. The answer, again as happens in many of these wars, is that you need to match and compare each contestant’s capabilities to your own needs, and judge for yourself.
MySQL and PostgreSQL are two of the most popular open-source RDBMS (Relational Database Management System) programs on the market. They have competed favorably with commercial closed-source database programs for many years. Each has developed a reputation for specific strengths and weaknesses. MySQL is perceived to be much quicker but offers fewer features. PostgreSQL is believed to have a deeper feature set. Some programmers think of PostgreSQL as being similar to Oracle, and it is often favored by those who know Oracle products.
Shipping Containers and Compute? LXC (LinuX Containers) is an OS-level virtualization technology that allows creation and running of multiple isolated Linux virtual environments (VE) on a single control host. These isolation levels or containers can be used to either sandbox specific applications, or to emulate an entirely new host. LXC uses Linux’s cgroups functionality, which was introduced in version 2.6.24 to allow the host CPU to better partition memory allocation into isolation levels called namespaces. Note that a VE is distinct from a virtual machine (VM), as we will see below.
So, Puppet or Chef? A question of configuration automation & provisioning that has started more than one flame war in its time. Whilst perhaps not helpful for those charged with implementing an automation solution for their business, the most appropriate answer really is "It depends." Many have argued that (considering the alternative) using either is fine. Just get started! There are differences, though, in both the technologies and the companies behind them, and an understanding of both may make your choice a little easier. * Check out Puppet vs. Chef Revisited for an updated comparison.
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.