Overall, my experience in the professional space (public: Got Breach? “Whoopsie!” -OPM et al./private: Got Breach? “Whoopsie!” -Experian et al.) is directly contrary to your sentiment but, who knows; maybe I need to “get out more”,
Most organizations/individuals care very little about security and/or privacy, the focus is on liability. Very few organizations are willing to invest in ~
resources~ humans which are able to (over-time) design, develop, document & distribute sound computing processes, procedures & OPSEC; especially when Gartner suggests a new “killer-app” (pizza box or ) for CxOs to gobble up, each year.
Until the day comes when the consequences of breach match the impact of said breaches (read penalties/fines are percentage-based per revenue … don’t hold your breathe ), C-Levels are MORE than happy to piss in the bucket and keep it moving.
Furthermore, I don’t see such an “official” Qubes offering as you suggest becoming a reality unless someone/some group decide to fork and do so. Despite outwardly calling for critique, IME if there’s anything that rubs the Qubes team the wrong way it’s calling their baby ugly.
Guess what paying customers will undoubtedly do?
Until investment (temporal, financial or otherwise) is required.
What you’re referring to here is specifically about documentation. Quality documentation leading to ease-of-use for end users is more often than not a clear parallel to quality projects/products.
Don’t get me wrong. I’m all in favor of the Qubes team being paid (and, paid well might I add ) but, this approach seems odd (?) to me.
Perhaps “typical” is the key word in this statement as, most groups seem to have fallen head-over-heels for layer after layer ~
of “ease-of-use”/“rapid deployment” complexities~ to create abundantly more opportunities for failure.
* Disclaimer 0 *
- To date, I’ve not yet the opportunity to admin Qubes in a fortune 500 production environment.
* Disclaimer 1 *
- Certs are a bit cheesy for my personal taste but, they serve two purposes well:
- Offer candidates to display a certain level of awareness related to solutions
- Offer hiring managers to promote said awareness to customers (internal & external)
IMO, Qubes is pretty straight forward from a zero-trust admin perspective:
- Xen is the hypervisor layer (virtualization in production is nothing new and widely adopted & Citrix offers many different certifications in and around Xen use)
- The rest (whether it be *nix or Winblows also with many certification options) is good old-fashioned, vanilla administration
If the Qubes team were serious about adoption, developing & offering official, publicly available training and/or certification options might go a long way toward adoption.
If this forum is any indicator, the most common challenges users face/speak up about are:
A) Linux-centric hardware troubleshooting (unfortunately, still pretty standard in this day & age)
B) Linux-centric software troubleshooting (thankfully, not the hardest challenge to overcome)