

Ask HN: Would you pay for hardened AMIs/VMs? - pilom

Do startups harden their own machines? Run stock OSes in production? Is there a perceived value in secured machines?
======
caw
Anecdote: A friend of mine runs a consulting business. He does webapps, but
generally has to set up the webserver if he doesn't have to provide hosting.
He's a fantastic programmer. I came to find out that he hadn't disallowed root
SSH yet or implemented SSH keys.

With that said, I would say most probably don't unless they have someone who
has sysadmin experience or likes infosec.

Perceived value? Certainly, if you can convince them that if the data gets
corrupted or stolen or you get haxx0red by script kiddies there's going to be
a financial consequence.

Will they pay? I don't know. It's risk management between site/data loss and
paying to set it up.

------
bartman
I'd be interested in having AMIs that cut down on the boot time as much as
possible. For example, most cluster compute AMIs need at least 3 minutes to
boot; by slimming the image and maybe intelligently ordering the filesystem it
should be possible to speed this up.

------
djb_hackernews
I'm surprised something like that doesn't exist...

~~~
eliot_sykes
This doesn't exist already? I'd pay for a hardened AMI, no question.

------
secos
I'd certainly consider it.... especially if it was targeted for specific
industries/regulations (HIPAA, SAS 70, etc).

~~~
caw
I agree with you on this. If I was starting something in a space with
regulations I would love to buy something that's guaranteed rather than
figuring it out myself. It would allow me to work on my product rather than
compliance.

~~~
pilom
The problem is that it can't really be guaranteed because there is no knowing
what you are going to do with it. I could give you a hardened AMI and then you
could totally open it up in the course of your development. So it would have
to be something like "Here is what has been done to it. Here is how it
currently satisfies X accreditation. It is your responsibility to keep it
secure"

Given that, is this still worthwhile?

