Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

10/31/2013
02:29 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Simple Security Is A Better Bet

Complex security programs are little better than no security

Last week I spoke with a firm to discuss compliance strategy for data privacy protection of personally identifiable information (PII). A number of state laws were potentially in play, including Massachusetts 201 CMR 17. We discussed what applications and databases were in use, how information moved, and some specific in-house issues. Then I discussed the different technology options for each platform that were available, mentioning which threats the products addressed and the relative cost of implementation and maintenance.

Even over the phone, I could hear heads spinning on the other side of the line. Too. Much. Information. And far too complex for them to come away with any coherent strategy or action plan. Forget running -- we needed to get to a crawl. It was clear the firm did not have the time, manpower, or budget to go through the full analysis process. And even if it did, it would have ended up with a half-dozen separate and distinct projects, each with its own learning curve, each with a different product to obtain, and each with a different skill for management.

That's where I simply cut to the chase: I advised a single technology, in two specific implementations, that provided basic security across all of the platforms for all of the use cases.

Why? Because it was going to address most of the issues the company had -- it was not even fully aware of the issues it needed to address -- and it was within its capability to implement. I hate to do this because sometimes it feels like compliance for the sake of compliance. Personally, I like to pick tools and technologies that best fit my category of need, be it compliance, security, or whatever. That said, sometimes best of breed is not possible. Selecting "the best" technical solutions app by app creates project and operational complexity that would simply never work in this case.

I've talked a lot on this -- here and on the Securosis blog -- about how complexity makes it harder to do security. Certainly guys like Bruce Schneier and Dan Geer have covered this in great detail as well. Examples I've witnessed firsthand, such as security settings being difficult to check, made it more likely people will make a mistake or skip the process entirely. If code is hard to read, then code reviews are less effective. Complexity makes things hard to understand and, in turn, results in less effective security -- in this case, complexity from an implementation and management perspective. Getting 90 percent of the way home was better then outright failure.

Does this sound cliche? Sure, it does. Do companies still bite off more than they can chew? Absolutely. The person who wants the work done is a specialist and wants things done to his or her standards, often beyond IT's capabilities. It's a reality for many IT organizations that the best choice is often the simplest to implement, or the simplest to use.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shidisu
50%
50%
Shidisu,
User Rank: Apprentice
11/18/2013 | 10:20:14 PM
re: Simple Security Is A Better Bet
Your analogy is flawed. Its more like "Well, he really should have this <insert complexity=""> and that <insert complexity=""> to be 99% cured, but since this guy is performing the procedure himself and dosnt have the expertise/time/resources to get to 99%, he can perform a simpler procedure that will get him to 90% NOW and will be able to get the other 9% down the road.</insert></insert>
knowlengr
50%
50%
knowlengr,
User Rank: Apprentice
11/16/2013 | 5:41:42 AM
re: Simple Security Is A Better Bet
So you go to the hospital and you overhear the physicians saying, "Well, he really needs this <insert complexity=""> and that <insert complexity="">, but since this guy doesn't know the difference, let's go with something simple instead.

Speaking of simple, the Schneier link has been moved.</insert></insert>
webbjh3
50%
50%
webbjh3,
User Rank: Apprentice
11/15/2013 | 9:38:57 PM
re: Simple Security Is A Better Bet
Adrian, I fully support the idea of simplifying our systems and our lives. However, one solution that addressed all use cases? I really would like for you to share that silver bullet with us all... As a very small start up I am already looking at 5-6 technologies.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &amp;amp; Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.