Security Basics mailing list archives
Re: Security vs. Simplicity
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, 19 May 2009 18:59:46 -0430
On Lunes 18 Mayo 2009 11:02:39 avi shvartz escribió:
Hello list, In a design process of a critical infrastructure system there is always a tension between two tenets: The "simplicity tenet" - keep it simple as much as possible. And The "security tenet" - make it secure as much as possible. I am perfectly aware of all risk evaluation and assessment, TCO calculations etc, that suppose to help us all to reach a decision about "how much security" and "how much simplicity". But, we all know that gathering all relevant information and getting overall agreement about them and about the calculations of the risk\tco calculations is not "optimal" to say the least. I am also aware to the statement : "simple design is also a secured design". But, we all know that in real life the security folks wants to add "just this extra layer (for security in depth) And\or "just this vlan (for yet another communication separation)" etc. Don't get me wrong, I do understand that it's a valid concern, I just say that it's not always will be in line with the "simple" design tenet. Now, let's say that after all the technical discussions the two inflamed opponents are in front of us (kind of real life situation.). I would like to ask your opinion in the following way: Let say that you are the manager who have to say one statement (kind of a bottom line): "Design that system according to the simplicity principal" or "Design that system according to the security principal" I would humbly ask for an answer in a "managerial style": first : what will be that bottom line. second: (kind of appendix.) any explanation that you wish to add.
Hello Avi. Like everything, there must be a balance. and, the balance of simplicity are comming to us by the security and maintenance issue. This is a good paradox. Why? a very complex system (yes: system as application, network, and all things related), are prone to be buggy. And also, we ussualy think on security like an "extra layer" added to the application. Complex systems are prone to be buggy because: 1st. Are difficult to manage 2nd. The code/configs have also the tendence to be "complex", and this, itself is an entropy generator and application bug maker factor. What i recommend... This is only information system theory, but works there also... your project could be fat in the first instance, could be complex, but, you can simplify them with organization. Be Modular. Segment your work in modules, then, secure every module, and next, secure "inter-module" communication. If you need to ad a new vlan, do it, document it, separate processes, define it, but, be modular and have order. Organized complexity are simplicity.
Than you all for your kind attention, Avi ------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
-- Ing. Aaron G. Mizrachi P. http://www.unmanarc.com Mobil 1: + 58 416-6143543 Mobil 2: + 58 424-2412503
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- Security vs. Simplicity avi shvartz (May 19)
- Re: Security vs. Simplicity Robin Wood (May 19)
- RE: Security vs. Simplicity Craig S. Wright (May 22)
- Re: Security vs. Simplicity Stephen Mullins (May 19)
- RE: Security vs. Simplicity David Gillett (May 19)
- RE: Security vs. Simplicity avi shvartz (May 19)
- RE: Security vs. Simplicity David Gillett (May 20)
- RE: Security vs. Simplicity David Gillett (May 19)
- Re: Security vs. Simplicity Robin Wood (May 19)
- Re: Security vs. Simplicity Ansgar Wiechers (May 19)
- Re: Security vs. Simplicity Aarón Mizrachi (May 20)
- Re: Security vs. Simplicity Paul Halliday (May 20)
- Re: Security vs. Simplicity Meenal Mukadam (May 21)
- Re: Security vs. Simplicity Daniel Miessler (May 22)
- <Possible follow-ups>
- Re: Security vs. Simplicity aaa (May 19)
- RE: Security vs. Simplicity Craig S. Wright (May 22)
- RE: Security vs. Simplicity Stefan Marksteiner (May 20)
- RE: Security vs. Simplicity Marksteiner, Stefan (May 20)
- Re: Security vs. Simplicity krymson (May 20)
- Re: Security vs. Simplicity shailesh . sf (May 21)
- Re: Security vs. Simplicity dan . crowley (May 22)