After reading this article, I had a few dissenting thoughts, maybe someone will provide their perspective?

The article suggests not running critical workloads virtually based on a failure scenario of the hosting environment (such as ransomware on hypervisor).

That does allow using the ‘all your eggs in one basket’ phrase, so I agree that running at least one instance of a service physically could be justified, but threat actors will be trying to time execution of attacks against both if possible. Adding complexity works both ways here.

I don’t really agree with the comments about not patching however. The premise that the physical workload or instance would be patched or updated more than the virtual one seems unrelated. A hesitance to patch systems is more about up time vs downtime vs breaking vs risk in my opinion.

Is your organization running critical workloads virtual like anything else, combination physical and virtual, or combination of all previous plus cloud solutions (off prem)?

  • floofloof@lemmy.ca
    link
    fedilink
    English
    arrow-up
    17
    ·
    2 months ago

    Most organizations will avoid patching due to the downtime alone, instead using other mitigations to avoid exploitation.

    If you can’t patch because of downtime, maybe you are cheaping out too much on redundancy?

    • PiJiNWiNg@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      That immediately stuck out to me as well, what a lame excuse not to patch. I’ve been in IT for a while now, and I’ve never worked in any shop that would let that slide.

    • RedFox@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      2 months ago

      Yeah, that’s pretty risky for this point in time.

      I guess the MBA people look at total cost of revenue/reputation loss for things like ransomware recovery, restoration of backups vs the cost of making their IT systems resilient?

      Personally, I don’t think so (in many cases) or they’d spend more money on planning/resilience.