Operation Bootstrap

Web Operations, Culture, Security & Startups.

Simplicity Makes Security Easier

| Comments

Mubix posted a short bit titled “Simplicity is Security” and I wanted to add my $.02 to the idea. I think this statement is actually a good thing for people to consider. The premise of the article, as I saw it, was that the simpler a system is or the simpler a civilization lives, the more secure it becomes. This is somewhat based on the difficulty of subverting the security measures built into simple societies and also based on the idea that a simple life has little value if compromised to the public at large.

I do definitely believe that a more complex system becomes less secure UNLESS you build security in as a core requirement and correctly assess the effectiveness of security measures. I also do agree that to the majority of our world today, stealing the identity of a farmer in Africa doesn’t have the sizzle of a Wall St Banker. However, security is a very individual thing – even though we apply it broadly to organizations. At the end of the day, I care about what impacts me personally, what I have liability for, and what can damage my way of life.I may not be able to buy a new Porsche by stealing that Farmers identity, but if someone can destroy his crop for the year he is still very damaged. If I’m a competing Farmer, I may be his only enemy but I’m still a threat.

I believe that as the value of a target goes up, so too does the size of the audience who may have interest in attacking that target. As the size of that audience increases, the effort and complexity of attacks which are likely to be used increases. If you protect a low value target with simple security you are probably fine. If you protect the Hope diamond with simple security, it’s going away.

So if you can keep the entire environment simple, from the value of assets to the security protecting them, then I would agree that Simplicity is Security. However the trick, I believe, is in understanding the value of your assets in a way which allows you to make this type of assessment accurately.

All that said, if we could make systems and interactions more simple it would probably be a heck of a lot easier to make them secure.