Should you entrust your systems management to the cloud?
Balancing the risks
Cloud-based security and systems management (CSSM) applications have been going through my lab for testing lately and I find myself seriously weighing their use in production.
Anyone who regularly reads my column knows that I am not exactly the biggest fan of the cloud, but the quality of the CSSM applications I have encountered so far is triggering reconsideration.
The basic reasoning behind using a CSSM is that the on-premises offerings are pretty universally miserable to work with. They are old, creaky beasts with layers upon layers of features and nerd knobs. They are a pig to set up, a pig to maintain and they take crazy amounts of resources.
Worse, the on-premises offerings either flat-out cost too much or the licensing was created by consulting the ghosts of Microsoft licensing specialists past.
The cloudy stuff is new; as such, it doesn’t have the cruft of the old. Yay for that, but the cloudy offerings also don't have the flexibility of the battered on-premises warhorses. I find myself able to argue on either side of this one.
I have yet to see a CSSM that can match a proper on-premises counterpart, full stop. That said, what good is a CSSM setup, on premises or cloud, if the thing is so convoluted that you never use it?
I will openly admit that while I have set up Microsoft's System Center Configuration Manager several times, I do not use it in production anywhere.
Every time I light it up for a review or prepare a demo for a customer I remember why Past Trevor was so convinced that its developers sup each night on the salty tears of 1,000 broken sysadmins.
I don't have fond things to say about a lot of the other on-premises offerings either. Put a gun to my head and I will admit that I can make the thing go and do what it needs to do, but I'd much rather sign up with a local road construction crew than tangle with that particular piece of software. Around here, they pay about the same.
Count the hours
So if I – someone who at least has the faintest glimmerings of understanding of what this software is trying to achieve – am so frustrated by this stuff, in what rational universe could I expect others to put up with it?
At scale, CSSM applications are amazing tools. You put a few hours of work into a change and hey presto, you can control tens of thousands of systems.
At the SMB end, those several hours spent on configuring, testing and deploying a change could see someone manually make the change on every one of a small company's 100 PCs.
Exactly where a full-bore on-premises CSSM setup pays for itself is hazy and company specific. CSSM applications make the financial maths even more difficult to judge.
If a CSSM is easy enough that it actually gets used, even for mundane tasks, then it is probably worth the money spent. If it solves most of your configuration and management needs – but not all – leaving you to do some things manually, is it still worth the money?
What percentage of your configuration needs should it cover before that hulking on-premises behemoth makes sense?
Better than nothing
If you combine it with stuff you already own, such as Active Directory, or alternative deployment technologies, such as Puppet, do you get something that meets all your needs in a simpler and cheaper fashion?
In situations where the competition is nothing at all, I find the CSSM options absolute no-brainers. I can get a client signed up with Intune or GFI Cloud and show them how to use the thing in minutes.
Lots of these people maintain their own systems and just having something – anything – is better than the nothing they have now.
On the other hand, I consult with a lot of mid-sized deployments where tools such as System Center exist – and licences are bought each upgrade cycle – but they simply aren't used. In too many cases it is quicker for the local sysadmins to do it by hand. Here too, I wonder if CSSM apps are the right fit.
Still, I find myself seriously considering a cloudy service. What is more, I find myself considering a cloudy service for which I can probably list quite a few really good tinfoil hat security reasons why I should never consider it.
The value of the service trumps the risks – real and imagined – of it being in the cloud. It begins, dear reader. It begins.