Security Basics mailing list archives

Re: Security vs. Simplicity


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Tue, 19 May 2009 12:18:33 -0400

I agree that the goals of network ops and network security seemingly
contradict one another.  Network Operations calls for simplicity,
redundancy, and ease of troubleshooting.  Network Security calls for
defense in depth and secure design over all else.

But you want a "managerial perspective."

From a "managerial perspective", none of this matters.  What matters
is pleasing the customer.  The customer may be a business you are
contracted to service, or the internal business.  From that
perspective what matters is being compliant with all applicable laws
and maintaining high availability of systems/networks so your
organization can continue making money and you get to keep your job.
If security impedes the company's ability to make money then you have
failed.

This is why, in the private sector, networks will only ever be as
secure as they are required to be by law to pass the annual audits
they must do.  Prior to the passing of various legislation requiring
implementation of sound security practices, few bothered "wasting"
money on even hiring a single security admin, let alone going the
extra mile.

So that's my "bottom line" perspective.  Security must be mandated by
legislation or it will not exist at a high level as it does not
generate profits and a business's primary goal is to turn a profit.
Obviously some businesses (banks, e-commerce) have a strong interest
in maintaining secure systems.  Private hospitals, schools, and
various businesses really don't - unless you force them to implement
security and go through annual audits.  All that talk about damage to
a brand or loss of customer goodwill is bunk.  So many organizations
have had data stolen from them at this point that the consumer doesn't
trust any of them and is not shocked by any breach whatsoever.  It's
barely even news these days: "another company lost customer data to
hackers, ho hum, next page."

Steve Mullins

On Mon, May 18, 2009 at 11:32 AM, avi shvartz <yram () netvision net il> wrote:
Hello list,



In the design process of a critical infrastructure system there is always a
tension between two tenets:

 The "simplicity tenet" - keep it as simple as possible.

   And

 The "security tenet" - make it as secure as possible.

I am perfectly aware of all the risk evaluation and assessment, TCO calculations
etc. that are supposed to help us all reach a decision about "how much security"
and "how much simplicity".

But we all know that gathering all the relevant information and getting overall
agreement about it and about the risk/TCO calculations is not "optimal", to say
the least.

I am also aware of the statement: "a simple design is also a secure design".

But we all know that in real life the security folks want to add "just
this extra layer (for security in depth)"
 and/or "just this VLAN (for yet another communication separation)", etc.

Don't get me wrong, I do understand that it's a valid concern;
 I am just saying that it will not always be in line with the "simple" design
tenet.

Now, let's say that after all the technical discussions the two inflamed
opponents are in front of us
 (a kind of real-life situation).

I would like to ask your opinion in the following way:

 Let's say that you are the manager who has to make one statement (a kind of
bottom line):
  "Design that system according to the simplicity principle"
  or
  "Design that system according to the security principle"

 I would humbly ask for an answer in a "managerial style":
  first: what will be that bottom line.
  second: (a kind of appendix) any explanation that you wish to add.

Thank you all for your kind attention,

Avi






------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. 
Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
