So, through the combined machinations of work, the holidays and any number of other unforeseen circumstances it’s been a pretty long time since I’ve posted anything up here. Predictably, while I’ve been away from the blog, changes and interesting developments in the industry have continued at their normal breakneck pace.
It’s interesting to me that every couple of years, a new “killer app” comes along that everyone thinks is going to be the absolute “must have”. A couple of years ago, it was Network Access Control (NAC). All of a sudden, everyone and their brother had a NAC box or “solution” and there were small companies led by some very sharp folks appearing out of the woodwork to show everyone how it was done. I freely admit that I was completely taken in by the promise of the network security panacea it was purported to be.
The problem is (as it is with pretty much everything) that NAC is one heck of a lot easier to talk about and sketch on a whiteboard than it is to actually implement in the real world. Add to that the constant struggle between network security and ease of use and it’s not all that surprising that the grand vision that NAC would sweep the world and solve everyone’s network security issues in one fell swoop never really materialized.
This is not to say that some people aren’t chugging along happily doing one level or another of client integrity checking and access control, just that it is now a niche market and the idea that anyone who was serious about security would be doing it has never come to pass.
These days, it seems that the new “next best thing” is the idea of “datacenter convergence”. I’m guessing that most of you have at least heard this term, but just in case, datacenter convergence is the name given to the effort to make everything in the datacenter (servers, storage and networking principally) communicate over one common fabric. Now, you might assume from my tone in the rest of the post that I’m going to react to this newest “best thing” with a healthy amount of skepticism, and you’d be at least partially correct.
The difference here is that DC convergence seems like a technology that offers some real upside for those who go through the pain of implementing it. NAC always struck me as a one (maybe two) trick pony. You force users to authenticate to gain access to the network (which is great) and you do some admittedly minimal checking of the machine for required/prohibited software and vulnerabilities (which sounds awesome but in the end can be more trouble than it is worth). In most cases what you ended up with was a slightly more secure network and a whole bunch of annoyed end-users. On the other hand, being able to dynamically pull the exact VM I need along with the requisite disk/processor/storage resources from the pool of physical machines that I’m already using? Sign me up! The implications of this in terms of portability, power savings, and 24/7 availability are really very exciting. The trick is actually doing it, and perhaps more importantly, picking the vendors and partners to help you make it from the wishful thinking stage to a real implementation. Over the next few posts (which will not take 3 months to write, I promise) I’ll go through the myriad challenges you will face and what the leading vendors are doing to convince you that their solution is the best one for you…