Someone tossed a Security+ study question my way this week. This is an example of Security+ trying to be CISSP Lite, but it’s still a valid question–probably for either test, and for SSCP and CISM too.
A small not-for-profit organization needs to invest in a new expensive database. There is no budget for additional servers or personnel. Which of the following solutions would allow it to save money by avoiding hiring additional personnel and minimize the footprint in their current datacenter?
A. Linux
B. Software as a Service (SaaS)
C. Infrastructure as a Service (IaaS)
D. Platform as a Service (PaaS)
Let’s take it one at a time.
A. Linux. Linux will save licensing costs, but it doesn’t completely solve their problem. They still have to buy server hardware, hire staff to administer the box and the database–unless they run Linux in the cloud, that is. Linux alone doesn’t solve the problem.
B. Software as a Service (SaaS). This is the right answer. Subscribe to SaaS, and for a low monthly rate (of course!) you get the finished application delivered over the network: the provider owns and runs the hardware, the operating system, the database engine, the patching and the backups, so you save on licensing costs, power, hardware, and sysadmin tasks. Actually they just roll all of that up and pass the cost on to you, but hopefully the provider’s volume saves you money. That’s the idea. At the very least, in the short term, SaaS is cheaper than buying a server, all the software, and hiring a couple of professionals to keep it humming along. What you do not outsource is responsibility for the data: who gets accounts, what they can see, and what the contract says happens when the provider has a breach are still your problem.
C. Infrastructure as a Service (IaaS). This is a couple of steps down from SaaS. For an even lower monthly rate, IaaS rents you virtual machines, storage, and networking in the cloud, and everything from the operating system up is yours to install, patch, harden, and back up. It’s not the right answer for these purposes because the organization still needs to hire a systems administrator and a database administrator to keep the box up and running, in addition to purchasing the operating system, supporting utilities (if any), and the database application. Sometimes this is a good answer, but not in this case, where there’s no budget for additional personnel.
D. Platform as a Service (PaaS). This is the mid-tier solution. PaaS gives you server space in the cloud with an operating system and runtime already loaded, and the provider patches and maintains them. You deploy the database on top of that, and your staff administers the database software, the schema, and the data. This isn’t a bad answer, except we don’t know that the organization has a qualified DBA already on staff to administer the new database application. Since the question specifically says there’s no budget for additional personnel, we have to read between the lines and assume they don’t have the necessary personnel already. For that reason, this is the second-best answer of the bunch. If the question had stated they had a qualified DBA on staff, and that the database they need to run isn’t available via SaaS, then this would be the best answer.
How do you know that the servers are secure? Do you have to trust your business to a company that you have no experience with? Are these servers insured for loss of data and any liability that this NOP could receive?
I have used Linux on my home PCs for the last 14 years. It works great on my laptop and netbook.
I’ve read that OpenBSD works better and is more secure on servers than Linux. What is your opinion on the subject?
Those are all questions that you should ask before signing on the dotted line and paying your money. You’re right that you don’t want to just sign up for the cheapest service you find on Google without asking any questions first, especially if you get into a complex SaaS setup. You should vet the company the same way you would vet a new employee, at the very least.
Regarding OpenBSD and Linux, OpenBSD is basically a security-first product. It has its uses, certainly. That said, Linux can be made nearly as secure and tends to have better support. It’s impossible to count the number of security products out there based on Linux. When you’re talking servers, the diligence of the people running it is just as important as the operating system it’s running on. I worked someplace for a few years that had a number of servers based on the ancient and poorly supported SCO Unix without incident. The perimeter security protecting the servers was good, the servers didn’t have anything unnecessary running, and the sysadmins were good and worked well together.
I’d take either over a solution running the same software on top of Windows, but even Windows can be secured to an acceptable level. Governments put Windows on classified computer systems a lot. When I do a security evaluation, I’m at least as concerned about what’s going on around the server as I am about what operating system the server is running.
Clear as mud?
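The “nothing unnecessary running” check from the reply above, as an added example that is not code from the original post or its comments: a Python script that parses the output of the Linux `ss -lntup` command and flags any listener that is not on an allowlist, is owned by the wrong process, or is reachable from the network when policy says it should only listen on loopback (the typical case for a database sitting behind a local application). The allowlist and the sample `ss` output are assumptions constructed for this example, not data from a real host.

```python
"""Flag listening services that are not on an allowlist.

Added example, not code from the original post or its comments. It parses
the output of the Linux `ss -lntup` command and reports any listener that is
unexpected, is owned by the wrong process, or is exposed on a non-loopback
address when the policy says it should be local only. The allowlist and the
sample `ss` output below are assumptions constructed for this example.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -lntup` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511        0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      244      127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=933,fd=5))
tcp   LISTEN 0      244        0.0.0.0:5432      0.0.0.0:*    users:(("postgres",pid=933,fd=6))
tcp   LISTEN 0      50         0.0.0.0:6000      0.0.0.0:*    users:(("Xorg",pid=1501,fd=9))
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=701,fd=8))
"""

# Assumed policy: (proto, port) -> (expected process, may it bind a non-loopback address?)
# The database is only reached by the local application, so it must stay on loopback.
ALLOWED: dict[tuple[str, int], tuple[str, bool]] = {
    ("tcp", 22): ("sshd", True),
    ("tcp", 80): ("nginx", True),
    ("tcp", 5432): ("postgres", False),
}

# Pulls the process name out of ss's users:(("name",pid=...,fd=...)) column.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        return self.addr.startswith("127.") or self.addr == "[::1]"


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -lntup` text into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # also handles "[::]:22" and "*:22"
        match = PROCESS_RE.search(line)
        # Without root, ss cannot name other users' processes; "?" keeps them reportable.
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def audit(listeners: list[Listener]) -> list[str]:
    """Return one finding per listener that violates the allowlist policy."""
    findings = []
    for listener in listeners:
        rule = ALLOWED.get((listener.proto, listener.port))
        if rule is None:
            findings.append(f"unexpected listener {listener.proto}/{listener.port} "
                            f"({listener.process}) on {listener.addr}")
        elif rule[0] != listener.process:
            findings.append(f"{listener.proto}/{listener.port} owned by {listener.process}, "
                            f"expected {rule[0]}")
        elif not rule[1] and not listener.loopback_only:
            findings.append(f"{listener.process} on {listener.proto}/{listener.port} exposed on "
                            f"{listener.addr}, expected loopback only")
    return findings


def audit_live_host() -> list[str]:
    """Run the audit on this machine (Linux with iproute2; run as root for process names)."""
    out = subprocess.run(["ss", "-lntup"], capture_output=True, text=True, check=True).stdout
    return audit(parse_ss(out))


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(finding)
```

On the constructed sample this reports three problems: the X server and SNMP daemon nobody asked for, and a database that is listening on every interface instead of only on loopback. The allowlist has to be written per server role; the point is that every open port on the box should be one somebody can name and justify, and the script only makes that review repeatable.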
Perfectly understandable even to a home hobbyist. I thought that the only way to secure a Windows server, or PC, was to unplug it and remove the hard drive. The drive would then be shipped out of state and the server kept on site in a closet.
“Failure is not an option — it comes bundled with Windows.”