Security Basics mailing list archives

Re: Security vs. Simplicity


From: krymson () gmail com
Date: Wed, 20 May 2009 07:46:06 -0600

I have 2 engineers in front of me, one wants to add more security and the other wants to keep it simple, and it's up to 
me to decide a route.

I'm framing most of my response on "simple" being defined from an engineer's viewpoint: i.e. is it simple to build, 
understand, and maintain; and that it has few dependencies and supporting pieces, so that it doesn't need 20 different 
things available or it fails.

*I* would go with adding more security, but that has a host of caveats with it, and I would try to get both as simple 
as possible but as secure as possible.

Ahh, the joys of risk management, eh? :) What are the risks your security ideas are addressing? What are the risks that added complexity will pose 2 years from now, when both engineers have left, to anyone being able to understand what they built?

1) I'm not a high level or middle level manager (hell, I'm not a manager). So if you put a decision up to me, I'll err 
on the technical side as long as I have breathing room from the managerial/business side. This would be a different 
story if my CTO is breathing down my neck and we have a deadline we can't meet for a client if we take the 'secure' 
approach, and sacrificing the security does not immediately jeopardize any requirements.

2) The bottom line? Well, that's going to be whichever way gets it done, right? Ultimately, you need to get shit done. 
Yes, you might be trying to put a leash on and walk your fail whale around if you just throw simple things out that are 
not secure at all, but at least you can do something with that over time. If you keep adding security and spend money 
to build/maintain and don't satisfy the business in the process...you might be out a job. Being a tech/security geek, 
this pains me to admit, but that's reality.

3) This same exercise gets interesting when you replace "simple" with "convenient." Simple can have a lot of meanings, 
but typically "convenient" is a user/customer-focused issue. Rather than engineer vs engineer, this is often where IT 
sec goes up against business.



<- snip ->
Hello list,

In a design process of a critical infrastructure system there is always a
tension between two tenets:

The "simplicity tenet" - keep it simple as much as possible.

And

The "security tenet" - make it secure as much as possible.

I am perfectly aware of all the risk evaluation and assessment, TCO calculations etc. that are supposed to help us all reach a decision about "how much security" and "how much simplicity".

But, we all know that gathering all relevant information and getting overall agreement about it and about the risk\TCO calculations is not "optimal", to say the least.

I am also aware of the statement: "a simple design is also a secure design".

But, we all know that in real life the security folks want to add "just this extra layer (for security in depth)" and\or "just this VLAN (for yet another communication separation)" etc.

Don't get me wrong, I do understand that it's a valid concern; I'm just saying that it will not always be in line with the "simple" design tenet.

Now, let's say that after all the technical discussions the two inflamed opponents are in front of us (a kind of real-life situation).

I would like to ask your opinion in the following way:

Let's say that you are the manager who has to say one statement (kind of a bottom line):

"Design that system according to the simplicity principle"

or

"Design that system according to the security principle"

I would humbly ask for an answer in a "managerial style":
first: what will be that bottom line.
second (a kind of appendix): any explanation that you wish to add.

Thank you all for your kind attention,

Avi
