Wrecking Balls and Open PO's 2009-09-23 11:38:21
Imagine this scenario. You're an IT manager and you want one of your sys admins to set up a new server in your data center. To accomplish this you do three things:
- Give the sys admin the root password to every other system in the data center.
- Rent a wrecking ball, put it in front of the data center and give them the keys.
- Give them an Open Purchase Order with the ability to buy unlimited amounts of equipment!
Now, no IT Manager would ever do this with their current data centers, but it's pretty much what every IT manager has to do with most of today's cloud environments. That's because the vast majority of clouds today are built to be used by one person with one password. If you want multiple people to access the account, they each have to use the same user name and password!
That's like having every single person in your IT department use the same password for every system. I'm not paranoid about security, but even I shudder at the thought. Every single system with the same user name and password? You have no way of tracking who has made what changes to the systems, or who is even allowed to make changes to the systems. Someone could install a virus across your environment and there would be no way to check who did it, because everyone uses the same user name and password!
But with cloud it's even worse than that. Not only could they infect all of your systems, they could wipe them out with a few clicks of the mouse (hence the Virtual Wrecking Ball). You could log in to find hundreds of systems and years of work completely destroyed in about 3 minutes by one Windows admin with a grudge. But of course you wouldn't know who did it, because everyone uses the same user name and password!
Finally, even assuming your staff has the best intentions (and most of them do), you are also giving them unlimited access to add as many systems and as much storage as they like. That's like me giving my 7th grade daughter unlimited texting without a plan (like this Dad did). You're going to get a 500 page bill at the end of the month. 10 cents an hour sounds cheap, but it adds up fast. That's doubly true when it's not your credit card that has to make the payments. And of course, unlike the mega-texting teen, you wouldn't know who spent all the money, because everyone uses the same user name and password!
By the way, if that's not risky enough for you, one major cloud provider doesn't differentiate between web services user names and passwords and e-commerce user names and passwords. On their cloud, the sys admin could even buy themselves an LED flat screen and an Xbox with your cloud password, and you'd have no idea who bought it because everyone uses the same user name and password!
Now there are third party applications out there that allow you to add multiple user names and passwords on top of your underlying cloud, but the security holes still exist. Let's be blunt: should people have to pay extra for basics like separate user names and passwords for each user? Shouldn't that be table stakes by now?
Let's hope it happens soon, so we can start tackling the real enterprise issues around SSO, policy based management, and federated authority (I love jargon). Plus we can stop worrying about where we left the keys to the wrecking ball.