Stop fighting alone, let synergy rule!

Could it be true, as it seems to me, that CERN still has manpower to spare? I thought that now, during LS1, resources were scarce and everybody was very busy. But apparently not. We are getting more requests than ever to open firewalls for stand-alone web servers running local databases and custom web applications.


What we are talking about here are “newly” created software applications with similar functions to existing alternatives. We often encounter computing hardware and network equipment managed in multiple ways by multiple people, and commercial software or cloud services that closely resemble CERN’s existing computing services are bought or rented – for instance, SurveyMonkey vs. SharePoint or tinyurl.com vs. cern.ch/go. Why does CERN run two document stores, CDS and EDMS, that provide similar functions and workflows? Wouldn’t one be sufficient? And four (or more!) JIRA ticketing systems? Why are there so many local Git instances, dozens of servers providing Drupal web content management and several Twikis?

In other words, why do we reinvent the wheel again and again? Why do we devote our resources to duplicating and triplicating activities on similar services? It can be partly explained by the natural drive for the new, for playing, for learning, for striving to achieve better. It is also much more fun to build something yourself and not “just” use existing solutions, and as those existing solutions never exactly match your requirements 100%, this gives a good excuse to start from scratch.

On the other hand, we have on more than one occasion declined to open the CERN outer perimeter firewall for a custom-built service sitting under the desk of a physicist. Not because these services are bad as such; on the contrary, they usually provide great new functions and a good “look and feel”. However, behind the scenes, the set-up is often sub-optimal, long-term maintenance not guaranteed, and security protections lacking. This forces us to deny any opening of the firewall and request that the developer concerned start over. We therefore have to ask ourselves if it's really in the Organization’s best interests to start from scratch over and over again. Shouldn’t we manage our resources better? Is it really so much more fun to take new roads than to improve existing ones?

Setting up a Drupal web server, a Twiki, a JIRA instance or a database is not rocket science, but maintaining its viability and security in the long run is more difficult. Long-term viability and consistent operation are key for a good service, but this requires more work - hard work that is not necessarily as much fun as setting the system up in the first place. In addition, for us, managing the security of one central service that is provided, maintained and secured by trained and hired professionals is much easier than managing a cacophony of soon-forgotten applications in random locations. So why not just use the central services provided free by the IT Department instead? This is ideal as it saves you time that can be spent on something more important, as long as you accept that the IT Department’s solution has some (probably acceptable) limits and might not always completely match your needs. But let’s not settle for that! Let’s put an end to computing services not being able to offer 100%. Instead of wasting resources on individual stand-alone solutions, we should team up and help the IT Department to deliver the solutions we want! We should stop fighting alone and instead join forces with the department to provide sustainable computing services for everyone. Let synergy rule and free up your time for the real challenges!

We are interested in your opinion! Please write to us at Computer.Security@cern.ch.

Finally, do you want to know how you can help us to provide a better service? Join our dedicated training sessions on secure coding scheduled for September 2013:

Check our website for further information, answers to your questions or help. If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


by Computer Security Team