As a Security Practitioner, you win or lose by how you strategize, plan, design and build. To me those are some of the most enjoyable parts of security: thinking of creative ways to solve problems. The issue is that sometimes the more creative we are, the more complexity we add. Complexity adds to confusion. Confusion leads to more problems, and problems lead to incidents.
“Dial it back a bit,” I say to myself. “Consider the value of what you’re trying to protect AND the cost that you’re introducing in overhead and process.”
Complexity, that is, designing and building things that have intricate details and nuanced processes, is enjoyable for a lot of technical people, myself included. We enjoy getting deep in the weeds and building something truly awesome from the inside out.
Sometimes though, we forget who we are designing and building for. We forget our audience. We forget that the enemy of security is complexity.
That’s because if the process you’ve built is too cumbersome or too confusing, not only will it not be used, it will be actively circumvented. That is especially true when it comes to security controls.
Let’s say you have a Web Content Filtering system in place to protect your users from malicious, unsafe or inappropriate websites. Let’s say you also have a process for granting access to blocked websites. The problem is that the process you have in place puts unnecessary burden on the user to actually get access. Maybe you have some verification steps in there, and maybe a check with that user’s manager. Maybe the process, all in all, takes hours or days to complete.
Chances are pretty good that your user is going to just find another way to access that website. Maybe they use their personal cell phone or personal computer, or heck, maybe they use a proxy service that is not blocked by your Content Filter, thus opening themselves up to other security issues.
I’m not saying there shouldn’t be controls involved in allowing access to blocked websites. What I am saying is that consideration needs to be given to how you design and implement that process, so that a busy user can get their job done without having to undergo a burdensome, frustrating process.
Complexity is and always will be the enemy of security. More often than not, the simple and straightforward approach will end up being better, more repeatable and more enjoyable, both for you as the security practitioner and for your users.