Friday, 10 July 2009

What risk isn't

Writing blogs and having an opinion are fairly easy things to do, creating and selling a product is not. I've done both, at the same time, in fact that's why this blog exists - a marketing tool for a product I am no longer involved with, but a past-time I enjoy so I carried it on.

Sadly my opinions are still fairly strong on many subjects, and security is one of those. I believe security should be pragmatic, but that doesn't just mean trying 'as hard as you can', making 'best efforts', but getting the best result that can possibly be achieved. A subtle difference, semantic even, but one which I strongly believe in.

The 'bad guys' don't wait around until everyone's on a level playing field, they deliberately make it work in their favour. They are constantly on the attack. So when someone tells me that a product isn't the most secure, but the easiest to use, I want to grab them like a bad puppy and rub their nose in the mess they are leaving behind. I have heard this more times than you may think, and even fairly recently in response to a critical post.

So, I agree that risk is a vital part of security, making the best choice possible based on the cost of available tools, to mitigate the expense of possible attacks that exist without them. What I don't agree with is that when there is an equal cost involved, you should go for the product which is easier to install, understand or operate at the cost of security. This is often dressed up as TCO or some such rubbish. That's what security administrators are for, and actually, it's not that difficult. If you DO choose to do this, you are putting your network, your applications, your users and your data at risk. This is not acceptable for most organisations.

I've worked with some of the most complex encryption technologies out there, and all they take is a little training. Key management is only difficult when people are involved in remembering things, technology was invented for this kind of problem. The best solutions are the ones which offer a trade off where the non-intuitive decisions are made by humans and the repetitive tasks done by the technology.

What more is there to understand?

No comments: