<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Security on Cloudinthealps</title><link>https://cloudinthealps.mandin.net/tags/security/</link><description>Recent content in Security on Cloudinthealps</description><generator>Hugo</generator><language>fr-FR</language><lastBuildDate>Thu, 16 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://cloudinthealps.mandin.net/tags/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Why Big Tech is going off the rails, thanks Cory :)</title><link>https://cloudinthealps.mandin.net/posts/pourquoi-les-big-tech-partent-en-vrille-merci-cory/</link><pubDate>Thu, 16 Apr 2026 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/pourquoi-les-big-tech-partent-en-vrille-merci-cory/</guid><description>&lt;p&gt;I can&amp;rsquo;t get my son&amp;rsquo;s date of birth corrected on Gmail. It has been months.&lt;/p&gt;
&lt;p&gt;Google support politely explains that they cannot make the change. Not that they won&amp;rsquo;t: they can&amp;rsquo;t. My son has a Gmail account, with a wrong date of birth, and nobody at Google is able to correct a factual piece of personal data. In Europe. In 2025. Under the GDPR.&lt;/p&gt;</description></item><item><title>First impressions of the Lenovo A3</title><link>https://cloudinthealps.mandin.net/posts/premieres-impressions-sur-les-lenovo-a3/</link><pubDate>Mon, 04 Oct 2021 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/premieres-impressions-sur-les-lenovo-a3/</guid><description>&lt;p&gt;I admit it, I was very tempted to go for a clickbait title this time&amp;hellip; and I held back with difficulty.&lt;/p&gt;
&lt;p&gt;So here it is: thanks to &lt;a href="https://www.linkedin.com/in/loicbeauvillain/"&gt;Loic Beauvillain&lt;/a&gt;, I had the opportunity to get hands-on with these new Thinkreality A3 glasses from Lenovo, and here is a short summary of that experience.&lt;/p&gt;
&lt;p&gt;To set the scene, I handle Lenovo A6 headsets more or less regularly, so the ancestors of the A3. And I have had multiple occasions to test Hololens 1 &amp;amp; 2, but not for extended periods. I am a tech, not at all on the development side, and I tried to approach the glasses as a fairly standard user.&lt;/p&gt;</description></item><item><title>Sovereign cloud, yes, but how?</title><link>https://cloudinthealps.mandin.net/posts/le-cloud-souverain-oui-mais-comment/</link><pubDate>Mon, 25 Nov 2019 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/le-cloud-souverain-oui-mais-comment/</guid><description>&lt;p&gt;If you want to deploy your applications and services in a public cloud, who will you turn to?&lt;/p&gt;
&lt;p&gt;Most likely to one of the 3 major global players. Your choice will surely be made for political reasons more than technical or financial ones. I will surely dedicate an article to these choices later.&lt;/p&gt;
&lt;p&gt;The fact is that to deploy a new application in the cloud, the choice is ultimately quite simple.&lt;/p&gt;
&lt;p&gt;First you have the solution already mentioned: one of the American giants. The problem is that you do not necessarily want to hand over your data, your applications and your money to a multinational, whatever its stance on ethical and legal questions. And in a climate of distrust towards globalization, and a trend towards relocalization, it seems a bit hypocritical to rely on them.&lt;/p&gt;</description></item><item><title>Test Azure Bastion</title><link>https://cloudinthealps.mandin.net/posts/test-azure-bastion/</link><pubDate>Tue, 02 Jul 2019 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/test-azure-bastion/</guid><description>&lt;p&gt;So yes, this is a feature we did not talk about much, but it will simplify daily life a lot.
The public preview announcement is recent, but the feature already works very well, provided you use the
Azure Preview portal (&lt;a href="https://aka.ms/BastionHost"&gt;https://aka.ms/BastionHost&lt;/a&gt;).
The principle is very simple: you have VMs connected to VNets isolated from the outside world, and you do not want
to open the administration ports (SSH/RDP) of these VMs to the outside.
Usually, you would set up a dedicated VM, which was itself configured to accept external connections, with
a specific stack allowing it to act as a relay to the protected VMs.
Hello complexity:
• Administering a dedicated, and sometimes wobbly, solution (if anyone likes sshgw, let them cast the first
stone!)
• Daily use. In some cases a specific piece of software allowed a relatively simple connection,
in others you had to authenticate several times and build SSH tunnels to reach your destination…
And there, liberation with Azure Bastion. Demonstration!
Let&amp;rsquo;s say you already have a VM deployed on Azure. When you use the Azure portal to connect to it, in
principle, you just have to click the right little button. In my case, a Linux VM:&lt;/p&gt;</description></item><item><title>Managed Kubernetes and security</title><link>https://cloudinthealps.mandin.net/posts/managed-kubernetes-and-security/</link><pubDate>Fri, 06 Jul 2018 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/managed-kubernetes-and-security/</guid><description>&lt;p&gt;Almost a sponsored post today, or better: a shared announcement.
You probably know that I am following Kubernetes rather closely, especially managed Kubernetes services (AKS, EKS or
OpenShift for example). One domain where these offerings have been lacking is network and security.
It is still a very sensitive subject for our customers, for container-related projects, and still for public cloud projects.
Security and networking teams have trouble adapting to the public cloud paradigms and architectures. There is some fear
of loss of control, some basic fear of the unknown, and some real worry about how to handle networking and security.
Kubernetes (and the other orchestrators) adds another abstraction layer on top of the existing public cloud platforms,
which does nothing to alleviate fear, to say nothing of complexity and transparency.
There are some very good solutions out there to manage network overlays in Kubernetes. My favourite is Calico, but
you may like any of those. I&amp;rsquo;ll stick with Calico for a simple reason, which you will see below.
Microsoft and AWS are both working hard to provide a network overlay in their managed Kubernetes offering. They
each chose their own path, but we will get to approximately the same point in a short time.
Thanks to Jean Poizat, we have the two announcements.&lt;/p&gt;</description></item><item><title>GDPR, my love</title><link>https://cloudinthealps.mandin.net/posts/gdpr-my-love/</link><pubDate>Tue, 27 Feb 2018 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/gdpr-my-love/</guid><description>&lt;p&gt;The original title was supposed to be &amp;ldquo;in bed with GDPR&amp;rdquo;, but it might have been a little too clickbait :)
Anyway, short post today, but an important one, I think.
To be honest, I feel like screaming every time I see/read/hear someone telling me that &amp;ldquo;we need to have a GDPR
offer/business/thing&amp;rdquo;. Alright, it is a buzzword, and I have to live with that. I have made my peace with AI, Blockchain,
Big Data, IoT, Cloud, etc. But I still struggle with GDPR. Here is why.
First, this policy is a very important one in Europe, and will impact every business that comes anywhere close to us. You
cannot ignore it. And every company has to look into it and find out what is needed to be compliant.
Second, the deadline is looming, but the national law for France is not yet in application. There is a text that is being discussed
(&lt;a href="https://www.legifrance.gouv.fr/affichLoiPreparation.do;jsessionid=?idDocument=JORFDOLE000036195293&amp;amp;type=contenu&amp;amp;id=2&amp;amp;typeLoi=proj&amp;amp;legislature=15"&gt;https://www.legifrance.gouv.fr/affichLoiPreparation.do;jsessionid=?idDocument=JORFDOLE000036195293&amp;amp;type=contenu&amp;amp;id=2&amp;amp;typeLoi=proj&amp;amp;legislature=15&lt;/a&gt;) but there might still be many changes before the law is applied in
France. That means that we should hurry to wait, but be prepared… tough one.
Last, and most important, and the main reason for my screaming: it is mostly a question of law, for lawyers. Sure, IT has
to get ready to comply, but most of the consulting and debating and discussing has to be managed by law experts, who
will be the right people to understand what it will mean to be compliant.
Sure, an IT company can get some services in place, offer some broad suggestions and consulting. But without a lawyer
trained for that (and a properly written and voted law…) our job is almost meaningless.&lt;/p&gt;</description></item><item><title>New security paradigms</title><link>https://cloudinthealps.mandin.net/posts/new-security-paradigms/</link><pubDate>Mon, 09 Oct 2017 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/new-security-paradigms/</guid><description>&lt;p&gt;Obviously you have heard a lot of talk around security, recently and less recently.
I have been in the tech/IT trade for about 15 years, and every time I have met with a new vendor/startup, they would
start by saying that we did security wrong and they could help us build Next Gen security.
I am here to help you move to the Next Gen :)
All right, I am not. I wanted to share a short synthesis of what I have seen and heard over the past months around
security in general, and in the public cloud in particular.
There are a few statements I found interesting:
• Perimeter lockdown, AKA perimeter firewalls, is over.
• No more need for IDS/IPS in the public cloud: you just need clean code (and maybe a Web Application Firewall)
• Public cloud PaaS services are moving to a hybrid delivery mode
Of course, these sentences are not very clear, so let me dig into those.
First, perimeter security. The &amp;ldquo;old&amp;rdquo; security model was built like a medieval castle, with a strong outer wall and some
heavily defended entry points (firewalls). There were some secret passages (VPNs), and some corrupted guards (open
ACLs :) ).
&lt;a href="https://commons.wikimedia.org/wiki/File:Herstmonceux_Castle_with_moat.jpg"&gt;https://commons.wikimedia.org/wiki/File:Herstmonceux_Castle_with_moat.jpg&lt;/a&gt;
This design has had its day and is not relevant any more. It is way too difficult to manage and maintain thousands of access
lists, VPNs, exceptions and parallel Internet accesses, not to mention the hundreds of connected devices that we have
floating around.
A more modern design, for enterprise networking, often relies on device security and identity management. You will still
need some firewalling around your network, just to make sure that some dumb threat cannot go in by accident. But the
core of your protection, networking-wise, will be based on a very stringent device policy that will allow only safe devices
to connect to your resources.
This solution will also require that you have a good identity management, ideally with some advanced threat detection
in place. Something that can tell you when some accounts should be deactivated/expired, or when you have abnormal
behavior : for example, two connections attempts for the same account, from places thousands of kilometers apart.
Those who have already set up 802.1X authentication and Network Access Control on the physical network for
workstations know that it requires good discipline and organization to work properly and not hamper actual work.
To complete the setup, you will need to secure your data itself, ideally using a solution that manages the various levels
of confidentiality, and can also track the usage and distribution of the documents.
As I said, no more need for IPS/IDS. Actually, I think that I have never seen a real implementation that was used in
production. Rather, there was almost always an IPS/IDS somewhere on the network, to comply with the CSO&amp;rsquo;s office
requirement, but nothing was done with it, mostly because of all the generated noise. Do not misunderstand me, there
are surely many true deployments in use that are perfectly valid! But for a cloud application, it is strange to want to get
down to that level when your cloud provider is in charge of the lower infrastructure levels. The &amp;ldquo;official&amp;rdquo; approach is to
write clean code, to make sure that your data entry points are protected and then to trust the defenses in place from
your provider.
However, as many of us do not feel comfortable enough to skip the WAF (Web Application Firewall) step, at least
Microsoft has heard the clamor and will shortly add the possibility to connect a WAF in front of your App Service. Note
here: it is already possible to insert a firewall in front of an Azure App Service, but this requires a Premium service plan,
which will come at a &lt;em&gt;ahem&lt;/em&gt; premium price.
And that is my third point: PaaS services coming to a hybrid delivery mode. Usually when you look at PaaS services in
the public cloud, they tend to have public endpoints. You may secure these endpoints with ACLs (or NSG for Azure), but
this might not be very easy to do, for example if you do not have a precise IP range for your consumers. This point had
been discussed and worked on for a while, at least at Microsoft, and we are now seeing the first announcements for
PaaS services that are usable through a Vnet, and thus private IP. This leads to a new model, where you may use these
services, Azure SQL for example, for your internal applications, through a Site-To-Site VPN.&lt;/p&gt;</description></item><item><title>Voice control and security</title><link>https://cloudinthealps.mandin.net/posts/voice-control-and-security/</link><pubDate>Mon, 26 Jun 2017 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/voice-control-and-security/</guid><description>&lt;p&gt;I will assume that I am definitely not the first one to write about that, but I feel the need to write anyway.
We saw during a few recent events that our new beloved always-listening devices can interpret an order from almost
anyone (Someone ordered a Whopper? Burger King: OK Google!)&lt;/p&gt;
&lt;p&gt;It seems trivial and a bit childish, but when you start integrating many services into a system like that, you may have to
think about security.
This goes to different levels: from limiting commands to voice-print recognition.&lt;/p&gt;</description></item><item><title>Sharding your data, and protecting it</title><link>https://cloudinthealps.mandin.net/posts/sharding-your-data-and-protecting-it/</link><pubDate>Wed, 17 May 2017 00:00:00 +0000</pubDate><guid>https://cloudinthealps.mandin.net/posts/sharding-your-data-and-protecting-it/</guid><description>&lt;p&gt;I am quite certain that there are many articles, posts and even books already written on that subject.
To be honest, I did not search for any of those. For some reason, I had to figure out sharding almost by myself building a
customer design.
So this post will just be my way of walking through the process, and confirm that I can explain it again. If someone finds
this useful, I will be happy :)
Here is the information I started with. We want to build an application that uses a database. In our case, we chose
DocumentDB, but the technology itself is irrelevant. The pain point was that we wanted to be able to expand the
application worldwide, but also to keep a single data set for all the users, wherever they were living or connecting from.
That meant finding a way of having a local copy of the data, writable, in every location we needed.
Having a readable replica of a database is quite standard. You may even be able to get multiple replicas of this kind.
Having a writable replica is not very standard, and certainly not a simple operation to setup.
Having multiple writable replicas… let&amp;rsquo;s say that even with reading the official guide from Microsoft
(&lt;a href="https://docs.microsoft.com/fr-fr/azure/cosmos-db/multi-region-writers"&gt;https://docs.microsoft.com/fr-fr/azure/cosmos-db/multi-region-writers&lt;/a&gt;) it took us a while to fully understand.
As I said, we chose to use DocumentDB, which already provides the creation of a readable replica with a few clicks.
This is not enough, as we need to have a locally writable database. But we also need to be able to read data that is
written from the other locations. What we can start with is to create a multi-way replica set.
We could have a writable database in our three locations, with a readable copy in each of the other two regions:
Drawing&lt;/p&gt;</description></item></channel></rss>