Hack the Planet as a Service
Risk is complicated. Everyday life is full of risk, we just don’t think of it that way. With the state of the world right now, I sometimes wonder if there are so many risky things that we tune them out. We know that alert fatigue is real but maybe we have hit a point where we don’t even see the risks until they impact our day.
Things have escalated to the point we have a thriving Ransomware as a Service industry. At a certain point it can feel like, why play whackamole? In corporations teams feel like it’s easier to wait for something bad to happen. As individuals, we know that our personal identifying information is now in the hands of nation states through breach after breach after breach.
So much so that when the US government banned TikTok in the US due to security reasons. The push back from users was pretty loud, “that’s fine, I’ll send the Chinese government my data myself.” FWIW, I thought the ban by the US government was rubbish but that’s a talk for a different day.
It was a fascinating few months to see such swift action by the US Government to fix “security” followed by a curious set of EO’s and actions that actively removed the safeguards being put in place at the speed of government.
All of this got me thinking about categories of risk. This category is vast but I’m going to focus on a few kinds of risk that impact our DevOps/SRE teams.
So let’s break down some of those ways. I’m specifically not addressing the security risk of tools that manage the supply chain. Think of tools like Blue Yonder. They are an obvious target for ransomware attacks because of the one to many relationship. Not to be confused with supply chain management.
With that in mind let’s break down some of the most common risks we face on a daily basis. Risk we have control over.
Deployments: What happens when we don’t have the right guardrails in place? Mostly, nothing but when it goes bad it goes really bad.
Dependencies between services or repositories are so tricky because teams are like, eh I sort of care but do I care. I’ll see if it matters. The catch is, it matters when you are building out proper CI and CD. I sometimes wonder if the reason we stop at CI is because the connectivity of our code makes CD too hard to manage.
- Best practices vary a Reddit thread
Vulnerability: Oof I get it, that spreadsheet of doom is miserable. How do you decide what to take care of, do you have enough information to make informed decisions. And really the only piece of secure tech, is the tech that is unplugged and buried in cement. That said, it’s important to be smart about your approach when you have a growing industry like RaaS.
AI: Everything that can be used for good can be used for bad.
Maybe this makes you feel more anxious instead of less but here’s my advice, like anything, pick what’s important to you. Understand your risks. Find the tools that make your life easier and split the load. We talk about shifting left but maybe it’s less shift left and more you own this piece and I’ll own the next.
I continue to believe that we are better together but in order to be better together, we need to understand what’s at stake, how to help, and how to play to each other’s strengths. 3Mór is helping to address many of these risks. Whether you feel security is a vitamin or a painkiller, it will impact you in some way shape or form.
