Wednesday, November 24, 2010

Using AWS for larger business

Netflix is one of those really secretive companies; there have been some interesting articles on how they run the operations for disc delivery, but not much on the way they deliver digital content. I came across this really cool article on how they use AWS:

http://www.readwriteweb.com/cloud/2010/11/why-netflix-switched-its-api-a.php

Pretty interesting read. Not sure I agree with some of the statements about needing fewer system admins and fewer database folks when they use AWS. I can understand needing less datacenter staff, but managing virtual or cloud infrastructure is just as much work. Obviously this only applies when you are running customized software and databases built internally (such as Netflix). You still need to release software, manage the databases, and handle the same problems you would if you were doing it all in house.

The only items you don't need to worry about would be the following:

Backups
Provisioning new hardware (which is pretty simple if you run your own VMware in house)

Another good read, from a website I follow. They moved to EC2 and wrote a review one year later:

http://4sysops.com/archives/4sysops-one-year-in-the-cloud-part-1-costs/

The costs seem to be higher than using a normal colo server, so I'm not sure what the ROI would be for companies moving to EC2 or AWS. It would be good to see some more detailed comparisons of how companies use the services and what the ROI is.

Wednesday, November 3, 2010

PCI compliance and SSLv2

So I am doing a PCI audit, and one of the requirements is that there must not be weak cipher support enabled on systems which collect credit cards from the web. I started doing some testing against some of the larger ecommerce sites out there, and I had some pretty startling findings. SSLv3 has been in browsers since 1996 (think Mozilla 2.0... way before we had Firefox).

http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

From my testing, these sites do have SSLv2 disabled: Google, PayPal, Delta, E*Trade

These sites do not have SSLv2 disabled, which is strictly against PCI: Home Depot, Bank of America, Scottrade, Microsoft, Amazon, QVC, Dell, Orbitz

Really concerning that these big commerce sites allow something like that to slip past the auditors. Time to hire me to fix your compliance :)
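The kind of check described above, written out as an added example (not code from the original post): it sends an SSLv2 CLIENT-HELLO to a server you administer and reports whether the reply is an SSLv2 SERVER-HELLO (SSLv2 still enabled, a PCI finding) or a TLS alert / closed connection (SSLv2 disabled). The cipher-spec identifiers are the legacy SSLv2 values; the `probe` function and the "no-reply" label are my own naming.

```python
import socket
import struct
import sys

# Legacy SSLv2 cipher-spec identifiers (three bytes each), offered only to see
# whether the server will negotiate the obsolete protocol at all.
SSL2_CIPHERS = [b"\x01\x00\x80", b"\x02\x00\x80", b"\x03\x00\x80", b"\x04\x00\x80",
                b"\x05\x00\x80", b"\x06\x00\x40", b"\x07\x00\xc0"]


def build_sslv2_client_hello():
    """Build a minimal SSLv2 CLIENT-HELLO record (2-byte header, no padding)."""
    challenge = b"\x00" * 16          # fixed challenge: this is a probe, not a real session
    ciphers = b"".join(SSL2_CIPHERS)
    body = (b"\x01"                   # message type: CLIENT-HELLO
            + b"\x00\x02"             # client version: SSL 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # lengths: ciphers, session id, challenge
            + ciphers + challenge)
    # High bit set => two-byte header with a 15-bit record length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Classify the first bytes a server sends back to the SSLv2 probe."""
    if len(data) < 3:
        return "no-reply"             # server closed the connection or sent nothing usable
    if data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"            # TLS alert record: SSLv2 rejected (good)
    header_len = 2 if data[0] & 0x80 else 3   # SSLv2 records use a 2- or 3-byte header
    if len(data) > header_len and data[header_len] == 0x04:
        return "sslv2-enabled"        # SSLv2 SERVER-HELLO: the server negotiated SSLv2 (PCI finding)
    return "no-reply"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv2 CLIENT-HELLO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            return classify_response(s.recv(1024))
        except (socket.timeout, ConnectionResetError):
            return "no-reply"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # a host you administer
    print(target, probe(target))
```

Run it against your own endpoints only; "tls-alert" or "no-reply" is the compliant outcome, "sslv2-enabled" is what the post's non-compliant sites would return.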