Low-Tech Security

Four ways to get really resourceful when budgets or basic availability are a problem

March 07, 2007

Living in a place like Cambodia where "development" almost never refers to software, I have found that thinking low-tech is almost always the way to go. As an example, I talked a while ago with somebody who was looking for a secure way to share a central database. He was talking about connectivity throughout the country, and ways to secure the links between the central database and all the remote sites that would need access.

The guy I was talking to decided against VPN-over-dialup recommended by some overpriced Western consultants, in part because there was literally no way to get a dialup connection; the only phone service available was cellular, and even that was spotty. We finally decided the best solution was a CD burner on each end, and a person who would ride a motorcycle between headquarters and each remote site to distribute updated records. The small number of conflicts would be resolved manually by a person with a cellphone calling the sites involved to resolve them.

That's what I mean by low tech.

The "official" solution was engineered properly for a situation in which power and Internet access are both cheap and accessible. But in a place where labor is cheap and infrastructure is minimal, low tech is often the right solution.

With that in mind, here are some of my favorite low-tech solutions to security problems. They are presented in no particular order, and should certainly not be seen as recommendations for the general public. Some of these have been tried, some are just ideas I've had, and I'd appreciate your thoughts on any or all of them. I also think about security in the broad sense, with the full CIA (confidentiality, integrity, availability) triad included. Some of these things are not "sexy" security (intrusion prevention, anti-malware, etc.) but they nevertheless are important.

An organization was having problems with power reliability at its headquarters. They had generators, as almost all companies and individuals of means have here, but failure of the cut-over circuits was causing major headaches for the systems staff, and they were losing data (remember the I and the A?). They had expensive UPS systems on each and every system to prevent the data loss, and they were spending tons of money on electricity, fuel, and generator maintenance.

The extremely smart systems manager ran a few numbers and found it would be cheaper and more reliable to not use the generator to automatically cut over, but just to manually cut over at the start of the work day, turn on the necessary systems, and then turn off the systems and the generator at the end of the work day. Web operations were already hosted offshore (which in this case meant California) so they had only one or two servers with UPS to run overnight.

Reliability improved, they were available when they needed to be, and they saved money.

A company was having trouble with flooding on the ground floor of its offices during rainy season. Systems were getting water in them during the inevitable floods, and building a raised floor and lifting wiring was just too expensive. Instead they moved everything possible to the upper floors, and had a local guy come in to build some custom wall mountings for the hardware that needed to be on ground level. Problem solved.

Telephones are run by a government body here, and international communications are expensive. VOIP seems to be a good option for a lot of people, particularly those with a high volume of IDD calls. The problem? VOIP is (depending on whom you talk to) illegal unless you get a license from the ministry that sells IDD services. Hmmm... It doesn't take a genius to figure out that said license isn't going to come cheap.

The solution? For at least one company, VOIP over a VPN to an office in another country. This isn't low tech, but it is a great application of VPNs to circumvent a corrupt process. In this case the content of the calls wasn't sensitive, just the fact of them.

An organization here wanted to share their its Internet connection with a group of students doing training in their facility. However, they wanted to provide most of the training without the Internet access turned on in the training room, but didn't want to limit availability for the office workers who shared it.

None of the people involved were technical, so the solution I recommended was simple. A patch panel with one cable in it – the uplink from the main switch to the classroom switches. Plug it in, Internet available. Unplug it, Internet unavailable. Low tech, but highly reliable.

Do you have any favorite low-tech solutions to security problems? One of the best things I have learned being here is to not discount a solution for lack of complexity. As I learned from Civilization 4, "a designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." (Antoine de Saint-Exupéry)

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading.