Posted on 08/19/2013 4:52:48 PM PDT by markomalley
In the aftermath of Edward Snowden's revelations about NSA's domestic surveillance activities, the NSA has recently announced that they plan to get rid of 90% of their system administrators via software automation in order to improve security. So far, I've mostly seen this piece of news reported and commented on straightforwardly. But it simply doesn't add up. Either the NSA has a monumental (yet not necessarily surprising) level of bureaucratic bloat that they could feasibly cut that amount of staff regardless of automation, or they are simply going to be less effective once they've reduced their staff. I talked with a few people who are intimately familiar with the kind of software that would typically be used for automation of traditional sysadmin tasks (Puppet and Chef). Typically, their products are used to allow an existing group of operations people to do much more, not attempting to do the same amount of work with significantly fewer people. The magical thinking that the NSA can actually put in automation sufficient to do away with 90% of their system administration staff belies some fundamental misunderstandings about automation. I'll tackle the two biggest ones here.
1. Automation replaces people. Automation is about gaining leverage; it's about streamlining human tasks that can be handled by computers in order to add mental brainpower. As James Turnbull, former CTO of PuppetLabs, said to me, "You still need smart people to think about and solve hard problems." (Whether you agree with the types of problems the NSA is trying to solve is a completely different thing, of course.) In reality, the NSA should have been working on automation regardless of the Snowden affair. It has a massive, complex infrastructure. Deploying a new data center, for example, is a huge undertaking; it's not something you can automate.
Or as Seth Vargo, who works for OpsCode, the creators of configuration management automation software Chef, puts it, "There's still decisions to be made. And the machines are going to fail." Sascha Bates (also with OpsCode) chimed in to point out that This presumes that system administrators only manage servers. It's a naive view. Are the DBAs going away, too? Network administrators? As I mentioned earlier, the NSA has a massive, complicated infrastructure that will always require people to manage it. That plus all the stuff that isn't (theoretically) being automated will now fall on the remaining 10% who don't get laid off. And that remaining 10% will still have access to the same information.
2. Automation increases security. Automation increases consistency, which can have a relationship with security. Prior to automating something, you might have a wide variety of people doing the same thing in varying ways, hence with varying outcomes. From a security standpoint, automation provides infrastructure security, and makes it auditable. But it doesn't really increase data/information security (e.g. this file can/cannot live on that server); those too are human tasks requiring human judgement. And that's just the kind of information Snowden got his hands on. This is another example of a government agency over-reacting to a low probability event after the fact. Getting rid of 90% of their sysadmins is the IT equivalent of still requiring airline passengers to take off their shoes and cram their tiny shampoo bottles into plastic baggies; it's security theater.
There are a few upsides, depending on your perspective on this whole situation. First, if your company is in the market for system administrators, you might want to train your recruiters on D.C. in the near future. Additionally, odds are the NSA is going to be less effective than it is right now. Perhaps, like the CIA, they are also courting Amazon Web Services (AWS) to help run their own private cloud, but again, as Sascha said, managing servers is only a small piece of the system administrator picture.
I have been a Unix admin for 30 years. We can’t be replaced. Every effort has failed.
Automation software can only restore a system, not fix the myriad of things that can go wrong.
“Single pane of glass GUI’s” render the admin a eunuch unable to debug and fix.
>>I have been a Unix admin for 30 years. We can't be replaced. Every effort has failed.<<
We didn’t replace you.
We absorbed you.
try
echo 'reality PeopleWhoAreProcesses' | grep me
into any nearby appliance to tell you the reality.
If that command fails it just means you don’t have privileges. Try sudo...
I dropped a quarter last week. 20 Unix admins ran up to give it back to me.
Nonsense. poser
>>Nonsense. poser<<
The kernel has noted your response.
The return code is: 101
The things you have sysadmins do are the one-off things that require specialized knowledge, dangerous powers (as in one slip loses data, etc.), or things you simply don't want regular users fooling around with.
Sure, I'm not your average user. I could reasonably do 90 to 95% of what our sysadmins do. Some of it would give me pause, as in are you sure, really sure this is *the* command... But you know what, I've seen the sysadmins' job and I don't want it. I've got my own job to do, and I'm glad I don't have to do the things our sysadmins do. I take them donuts and treats every once in a while just to say thank you for making my days a little easier. I know there are plenty of other things they do quietly behind the scenes that we rarely see. So I think the NSA is wrong, or anyone who thinks automation is some panacea. Pushing things off on automation and user tools is just going to impact service and take a little slice out of everyone else's efficiency.
As an admin, I thank you.
I have to agree with y6162. Although we endeavor to make servers and services available at the deli counter, for the most part successful effort requires people who actually know how it all works together. Systems engineering expertise doesn't come out of a soda machine. Haha funny but obvious XEN problem came up while writing this and I volunteered to RTFM while the ops director got me a diet pepsi. Problem solved in 45s. I'm not even a sysadmin any more.
I can't imagine hiring a sysadmin who doesn't know how to use man pages effectively - seems singularly cost-ineffective. It may be true that laying off an illiterate sysadmin will save you money immediately. Hmmm. Maybe the NSA hired a shiftless bunch of know-nothings because capable people are a security risk?
Brilliant: Let a claim like that leak out and that does what? to current SysAdmins?
>>I have to agree with y6162. Although we endeavor to make servers and services available at the deli counter, for the most part successful effort requires people who actually know how it all works together. Systems engineering expertise doesn’t come out of a soda machine. Haha funny but obvious XEN problem came up while writing this and I volunteered to RTFM while the ops director got me a diet pepsi. Problem solved in 45s. I’m not even a sysadmin any more.<<
But the problems are very few.
And the solutions have become macro level (frankly, enterprises are looking for alternatives to technical extortion).
Today, enterprises want systems that are parameterized and externalized. It may be a slow and underdocumented process but the old ksh/bsh sysadmins are on their way out.
I assure you, as CIO, the #1 requirement I would insist on would be “removal of those self-centered sysadmin asshats.”
Anyone who exists on the teat of “I know dat” today has the operational lifespan of a flea.
I am out there guys and you are irrelevant.
And I was one of you so I know (feel free to ask me OS Qs if you think I am not). I am good for Unix variants and z/OS (including JCL).
no offense, but they never intended to replace 90% of their sysadmins.
But the problems are very few.
And the solutions have become macro level (frankly, enterprises are looking for alternatives to technical extortion).
Well, good luck on that...maybe your POV is right...this time around the merry-go-round. Funny how the devil always seems to be in the details for those macro-perspective grand-vision global-integration unifying-paradigm things...but I guess it's ok to hope we nailed it this time fer shure!
Wonder what happens when you piss off the competent people in your organization and they leave for greener pastures? Does it reduce the overall competence of the organization? Perhaps mediocrity happens? Perhaps opportunity missed? Failure to thrive? hmmm...how could you even tell? Maybe next year?
Oh, don't get me wrong, I'm sure there are annoying self-important inflated would-be prima donnas eventually showing up in every form of human endeavor. They may not be the whole game, tho...it's probably a mistake to pigeon-hole competent people just because you think they're in a dead end job. The acquisition and maintenance of competence reflects a virtue of character which may well be applied successfully in new endeavors.
The return code is: 101
These days, the hot return code is 451 (in honor of Ray Bradbury).