How do I configure a firewall appliance in public IaaS? How do I install anti-virus inside a container? How do I filter calls to microservices via an appliance in my DMZ?
Now, what do these questions have in common?! They are all about using old approaches and practices in a new environment and/or with new technology. These are sometimes known as “anti-patterns.”
And here is a technology analyst dilemma, with two stark choices:
Choice A: Please don’t be stupid. What you are doing is philosophically wrong, like tying a horse to a car, or fueling plane with coal. Please do <this approach that requires major rework> instead. We can help you down this path.
Choice B: Sure, here is how you configure that firewall, install AV, etc. To be frank, some may frown at this, but we are happy to help. Please watch for <this list of challenges>
What would you do?
In our coverage areas, this came up recently in the context of cloud threat detection and monitoring. If you recall our NTA / NDR research, we could not conclusively answer the question about “does NTA / NDR have a place in the public cloud?” A small vocal minority of cloud purists and cloud-native application developers screamed “NO.” At the same time, a large, not-so-silent majority has pushed CSPs to develop taps for cloud traffic and purchased a lot of virtual appliances to do NTA / NDR and even NIDS for public IaaS. Now, this would be a good place for a “10,000 lemmings cannot be wrong joke”, but is it?
Here is an example from our peers in networking research, complete with “no forklift” image. Still, us security people are rarely asked to redo the approach, but to secure it. This pushes us harder to Choice B. We’ve been advising people who move to cloud incrementally to change their approaches incrementally as well. However, this perhaps slows the innovation? On the other hand, many organizations simple lack the skills to do it the way cloud-native crowd does it…
All in all, a hard call that we face fairly often …