Red Hat, Where's The Love For Hyperic?
"Red Hat and GroundWork Open Source announced an interesting expansion of their partnership today that sees Red Hat offering 24×7 telephone premium support for GroundWork products, as well as the sale of GroundWork training classes."
I, like every one, wondered why Red Hat went with GroundWork versus Hyperic.
At first I thought this is just some piece of marketing from GroundWork, but since the press release has a quote from Red Hat, I have to believe someone over at RH thinks this is a good idea.
It seems strange considering Hyperic is the foundation of the JBoss ON product. What's stranger is that Hyperic isn't listed on RHX under systems monitoring providers (only Zenoss & GroundWork are listed). Javier, what's the deal? :-)
A NetworkWorld review said this about GroundWork's OSS product in June 2007: "In contrast to Zenoss Core and Hyperic HQ, GroundWork Open Source's free-for-the-download open source network monitoring and management product, called GroundWork Monitor, is quite basic and lacking in features."
<conspiracy_theory_hat_on> The only thing I can think of is that RH is staying away from Hyperic because of Hyperic's VCs.
IT Training Source
IT Certifications
Oracle Certifications
Cisco Certifications
Microsoft Certifications
Accel Partners & Matrix Partners are both Hyperic investors, as they were in JBoss investors.
It's well within the realm of possibility that RH executives, after paying over $300M for JBoss, are not eager to jump into bed with Accel or Matrix again.
GroundWork's VC's don't include Accel, Matrix or Benchmark (where one of the Accel guys jumped to after the JBoss deal). </conspiracy_theory_hat_on>
Thoughts?
Information Security Programs
If you take a very good look at them, and work on trying to figure out what they are actually trying to teach, you might just walk away either disappointed that there are not more real world information, or that these programs are doing the right thing.
Realistically what I would like to see in an information security program are those things that make sense in a real world situation. The closest program is the SANS Masters of Information Security degree, but most of the degree program is based on the individual SANS classes, and there is no mention of accreditation on their web site. If they are not accredited, (and I could have missed this, if they are accredited let me know), then this falls into the "junk degree" program. It might look good on a resume, but the program has not been vetted and approved by any of the national education accreditation processes. This can leave the student in Limbo when it comes to using the degree to advance their career.
What would make a real world information security degree?
There are limitations on time, usually a masters program runs for 2 years, for a grand total of 8 classes over 4 terms per year, so there are 16 classes to play with. 15 if you give credit for a masters thesis, which is generally a good idea to write to demonstrate learning.
Of all the skills out there, with terrorism, war fare, hacking, disaster recovery, web 2.0, hacking, and all the rest of it, the idea of working within a time limitation becomes difficult to work out what makes a great information security degree program. The more emphasis areas, the more expense to the school, the more over head, the less likely that the school will be successful. That is a very real issue, schools even no-profits or not for profit need to make enough money to run their programs, and some programs will be more popular than others. Money goes into a general pool, where popular programs help subsidize less popular programs.
IT Training Source
IT Certifications
Oracle Certifications
Cisco Certifications
Microsoft Certifications
What I would like to see.
I would like to see at least one track that covers auditing, real auditing, one class each in network, database, web servers, and operating systems. That would take up 2 terms (assuming 2 classes per term), but is desperately needed in the commercial market. We have many people running around running scanning systems on networks, but they have no idea how to interpret the results. They have no idea how to take the results and provide solutions, tell fact from fiction, or test the results to see if they really are an "oh my god" kind of issue that must be fixed. Rather we are presented with a dull bland report telling us how insecure we are, but offers no solutions, no way to tie back to regulation specific to the industry, nor the risks that are presented by a verified exploit.
I would like to see at least a series of classes that covers secure code writing for the Internet. PHP, Java, Ruby on Rails, C#, C++, stored procedures that interact with the web service, the manifest file and how to limit the number of calls, the dangers, liabilities, and limitations of each code set. That would be 7 classes in total, or about 1 year of class alone.
I would like to see hacking following along right after the secure code for web services, tearing apart bad bank, or bad store. Looking at other web applications, learning how to debug them, knowing what the information is telling the programmer and the security engineer. Using common tools to find out problems like SpiDynamics tools, browser plugins, and generally learning what happens when you do not write good software for a dangerous environment. That would be at least 4 classes, or of a year.
I would like to see a series on policies, HIPAA, SOX, IT ethics (separate from the random and meaningless ethics classes seen lately), privacy, intellectual property issues, management, information security policies at the local level that need to reflect the legal and regulatory landscape we live in. This alone could take a year of class, but need to cram it into 4 classes to even hope to meet the 2 year limit on a masters degree.
I am over the 2 year limit already, but we still have not touched on enough. We don't have time for IPS systems, disaster recovery, backups, cyber warfare, terrorism, malware, crime, identity theft, IDS systems, management systems, budget, managing information security, and a whole host of other things that a security engineer or manager needs to know about. There is no room for leadership, managing difficult employees, managing developers, working with anything to do with project management.
In other words, there is not enough time to teach in a masters program (or even a bachelors program) all the things that a good security engineer needs to know to make a real difference in their organization. That is a distinct limitation in the educational program, it also means that the good security engineer needs to be a life long learner, and willing to pick up learning when and where it is available to them.
Network Access Control Is Achievable
The various approaches to NAC have created a significant and even highly contested debate across the IT security industry. The benefits of NAC are clear, although have yet to be realized on a widespread basis.
Many NAC offerings today are still expensive propositions that require network re-architecture and are based on a complex set of bypassable technologies. At the same time, many vendors failed to deliver on their claims by offering NAC solutions that do not offer full network coverage and leave an enterprise exposed to security vulnerabilities. Oracle certifications
Any agent-based NAC solution requires a network discovery project prior to deployment to obtain the inventory of all the devices attached to the network. However, the standard discovery process is lengthy, requires significant manual input and cannot identify all devices, especially those that are firewalled or unmanaged. Likewise, appliance-based NAC solutions are not practical from a budgetary or deployment perspective in large, geographical distributed IT environments. Cisco certifications
The result is a confused and increasingly skeptical marketplace.
Despite this, NAC is achievable. You can implement complete and real-time NAC with your existing network setup. Your NAC deployment can be accomplished within your budgetary and implementation expectations. You can ensure that all the devices connected to your network are and remain authorized and compliant throughout their lifecycle on your network. IT Certifications
Visibility - The Starting Point for NAC Deployments
Visibility and real-time device detection are the first building blocks of the NAC process and, if achieved, remove significant attack vectors and enable NAC coverage to be applied to the entire network infrastructure. If a NAC solution cannot identify all devices connecting to the network in real-time, IT managers will likely find that their network access controls will only cover known devices and will regularly miss unmanaged and rouge devices, which are the source of most security vulnerabilities.
Audit and Compliance - Understanding the Network before Activating NAC
Device profiling provides contextual information about each device on the network, including its user information, function and running software and hardware. Based on this vast audit information, an IT manager can determine the devices that are authorized to access the network according to the organization's policy regarding device and software configuration. In parallel, this audit information can enable an IT manager to identify non-compliant, unmanaged and rogue devices that should not be operating on the network even before activating the NAC processes.
NAC - Ensuring Full Network Coverage
A NAC solution must operate in real-time. Every device must be detected and included in the NAC process as it is being attached to the network. Without real-time detection, a device and/or its user is given a window of opportunity to maliciously act the network.
The quarantine mechanism used should not depend on the underlying IT infrastructure in any capacity. Internal political issues among the different departments in a large enterprise will prevent a NAC solution that relies on the IT infrastructure from scaling across the entire network. In addition, any configuration changes to the network of a bank or financial services company will never be authorized in the first place.
The user experience for managed and compliant devices should be as transparent as possible. A user of managed and compliant devices should pass through the NAC process without even knowing that the device was assessed by the NAC solution. Microsoft Certifications
A NAC solution must scale across the entire IT infrastructure. The deployment must include all sites and not just a certain portion of the network. A NAC solution that is dependent on an appliance and/or the switching fabric is not a practical option in segmented networks. In addition, allowing guest users access only is the equivalent of putting your head in the sand. Any user can just connect a device to an uncovered network segment and gain access to any network resource.
Final Thoughts
NAC should be treated as a security methodology. Any worthwhile NAC solution must first allow provide intimate knowledge the network by profiling all devices connected to the network and identifying the non-compliant, rogue and unmanaged devices, even before the NAC processes are activated. This enables an IT manager to assess the impact of turning on the NAC solution. Finally, a NAC solution must be highly scalable with a relatively easy deployment across the entire IT infrastructure in order to deliver a fast time-to-value at a reasonable cost. IT Training Source,
IT Certification Exams Training Source,
Oracle Certifications,
Cisco Certifications,
Microsoft Certifications.
network
