Re: Security vs. Simplicity

On 2009-05-18 avi shvartz wrote:
In a design process of a critical infrastructure system there is
always a tension between two tenets:

The "simplicity tenet" - keep it simple as much as possible.

The "security tenet" - make it secure as much as possible.

I am perfectly aware of all the risk evaluation and assessment, TCO
calculations etc. that are supposed to help us all reach a decision
about "how much security" and "how much simplicity".

But we all know that gathering all the relevant information and getting
overall agreement about it and about the risk/TCO calculations is not
"optimal", to say the least.

I am also aware of the statement: "simple design is also a secured

But we all know that in real life the security folks want to add
"just this extra layer (for security in depth)".
Don't get me wrong, I do understand that it's a valid concern; I just
say that it won't always be in line with the "simple" design.

Now, let's say that after all the technical discussions the two
inflamed opponents are in front of us (a kind of real-life situation).

I would like to ask your opinion in the following way:

Let's say that you are the manager who has to say one statement (a
kind of bottom line):
"Design that system according to the simplicity principle"
"Design that system according to the security principle"

I would humbly ask for an answer in a "managerial style":
first: what that bottom line will be.
second (a kind of appendix): any explanation that you wish to add.

I don't believe the simple answer you seem to be looking for actually
exists. Security doesn't have any value in itself. Its sole purpose is
to protect you from losing your assets. Therefore I'm opposed to
implementing security measures "just because". Identify your assets.
Identify attack vectors that pose a threat to them. Implement measures
to mitigate these attack vectors.

I'd always recommend using as much security as necessary to effectively
protect your assets, but not a single bit more. How much that is depends
on the situation. What's "secure enough" for one company may be totally
insufficient for another one. However, simplified configuration is
always less prone to security breaches due to mistakes. Also keep in
mind that eventually there will be a "new guy" who hasn't been involved
in the development of your security system. The more complicated your
setup is, the more time and skill is required to understand and handle

Ansgar Wiechers
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
