Commentary Sophos Security Insights
The New KISS Rule: Keep Information Security Simple
IT environments are becoming more complex; the solution may be simpler security
"Complexity is the worst enemy of security." Bruce Schneier said that in relation to the challenge of securing increasingly complex IT environments, but the same can be said of information security solutions themselves. As security professionals, we love to be in control and to have every available knob and dial at our disposal. Yet the more complex a security system is, the less likely we are to take full advantage of available features, to apply policies consistently, and to avoid configuration mistakes.
Have you ever opted to delay or avoid deploying a security feature because it just required too much time to configure properly? HIPS is a technology that provides valuable protection against new strains of malware for workstations and servers. Some HIPS implementations require just the check of a box to toggle them on, while others require weeks or months of tuning and testing. The latter provide more fine-grained control and perhaps even better security ... if you use them. Potential doesn't stop attacks; deployed solutions do.
Complexity can also rear its ugly head when trying to consistently apply security policies across systems. Data loss prevention (DLP) is all the rage these days, but applying rules uniformly across workstations, servers, mobile devices, email systems, and network gateways can be a nightmare. Multiple systems, each with their own management consoles, policy definitions, and terminology conspire against consistent results. Integrated single vendor solutions, long the targets of security professionals' disdain, may be worth reconsidering if they can ensure consistency and require less of your team's attention.
Simplicity also helps to avoid configuration mistakes. Firewalls and IDS systems are classic examples where rule sets and configuration options quickly become so elaborate that errors are virtually inevitable. This argues for both simplifying the rules where possible -- fewer IDS rules that can be more carefully tuned and monitored may be more effective than a more comprehensive set -- and for seeking out network security solutions with simple, uncluttered interfaces that make it easy to keep track of everything you need to manage.
Easy management, push-button configuration, and product integration have not historically been the "holy trinity" of security. Demands for greater control and vendor diversity have pushed simplicity to the background. But with growing complexity contributing to mistakes, inconsistencies, and protection capabilities sitting on a shelf, it may be time to rethink the approach. Perhaps it's time to keep information security simple.