Tuesday, May 27, 2014

Are Single Pane of Glass Management Interfaces Really Possible?

They are widely touted, almost to the point of buzz-phrase-du-jour in some circles, which naturally makes them suspect to me. There is ample evidence of past failure in the case of configuring systems, or services run on those systems, via a GUI, where there may be hundreds of options, and optimal selection of many may depend on the configuration of connected systems. Simplistic host-based firewall configuration tools are a good example of that, though there are many others, such as Samba configurators.

There have been so many examples of failure over the years that I wrote it off to George Miller’s magic number 7, and decided that this was not really possible. Some recent exploratory work I did in writing configuration tools for another project (not something I can talk about just now) convinced me that this was an error, within certain bounds, and that this was something I needed to explore. Then, in the course of writing up some project doc, which is often a rather involved process, I found 

So, yes. Possible. But possible does not equate to easy; any sane discussion of difficulty is always about context. Let's stay with that host-based firewall example. How do we offer guidance on how ICMP might be used by an adversary to characterize network topology and the security posture of hosts within that network, given that which ICMP messages should be allowed is sensitively dependent on the nature of the network?

'Wizard' approaches have famously failed at even simple tasks--search on the roundly-hated Clippy. Nevertheless, an advisory system of some sort would seem to be a basic requirement of any commercially viable software, though it still seems unlikely to supplant domain knowledge—network admins who thoroughly know their networks. Such an advisory system would have to be network-aware, rules-weighted, and testable. That 'testable' bit is particularly hard to do in this context, and if it isn't testable, it is of unknown reliability.
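As an added illustration (not code from the original post), here is a minimal sketch of what "network-aware, rules-weighted, and testable" could mean for inbound ICMPv4 on a host firewall. The `Network` fields, the numeric weights and the invariants are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Network:
    internet_facing: bool  # host is reachable from untrusted networks
    ping_monitored: bool   # operations rely on echo for health checks

# Inbound ICMPv4 (type, code) -> (name, utility weight, exposure weight).
# Weights are illustrative assumptions, not measured values.
RULES = {
    (3, 4): ("fragmentation-needed", 9, 1),   # required for path MTU discovery
    (8, 0): ("echo-request", 3, 4),           # confirms the host is alive
    (5, 1): ("redirect-host", 1, 7),          # can alter the host's routing
    (13, 0): ("timestamp-request", 0, 5),     # leaks clock, aids fingerprinting
    (17, 0): ("address-mask-request", 0, 5),  # leaks subnet layout
}

def advise(net):
    """Return {(type, code): (verdict, score)} for one network context."""
    advice = {}
    for key, (_name, utility, exposure) in RULES.items():
        if key == (8, 0) and net.ping_monitored:
            utility += 4          # echo has real operational value here
        if net.internet_facing and key != (3, 4):
            exposure += 2         # untrusted sources can probe this host
        score = utility - exposure
        advice[key] = ("allow" if score > 0 else "drop", score)
    return advice

def check_invariants():
    """Run every context and list any advice that breaks a must-hold rule."""
    violations = []
    for facing, monitored in product([False, True], repeat=2):
        net = Network(facing, monitored)
        advice = advise(net)
        if advice[(3, 4)][0] != "allow":
            violations.append((net, "PMTUD blocked"))
        for key in [(5, 1), (13, 0), (17, 0)]:
            if advice[key][0] != "drop":
                violations.append((net, f"{RULES[key][0]} allowed"))
    return violations
```

With two boolean inputs the invariant check covers every context exhaustively; each additional context field doubles the number of cases to enumerate.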

You might consider such an advisory capability as an expert system, or an AI, depending on your background. One thing is certain: this would not be an easy system to create. Development costs would scale polynomially (not really exponentially, though the difference seems unlikely to matter in practice) with capability, in a classic combinatorial explosion.

It seems likely, then, that reasonably effective 'Single Pane of Glass' management interfaces are indeed possible, at least over a narrow scope. However, expect inescapable constraints on breadth of coverage, quality of suggestions (these are baked in by mathematics), and, to a much lesser degree than I had previously thought, ease of use. Interfaces which promise more breadth of coverage seem likely to disappoint, at an inverse polynomial rate relative to the scope of their claims.

While I see no evidence of emerging Magical Admin Tools, it seems probable that ease of use barriers to configuration systems are surmountable via well-crafted software. Scope will be key, and as always, careful evaluation of proclaimed capabilities, tested against your actual needs, is indicated.
