Security Basics mailing list archives

RE: Security vs. Simplicity


From: avi shvartz <yram () netvision net il>
Date: Tue, 19 May 2009 23:59:28 +0300

David,

Please let me put it on the "razor's edge".

In that scenario the two "inflamed opponents" tried their best to
be "Engineers" as much as possible.
No success, they are in front of us, it's decision time.

What will be our answer? 
(I know: not enough information... it depends... I want to ask a few more
questions... - nope.)

Avi

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Tuesday, May 19, 2009 10:11 PM
To: 'Stephen Mullins'; 'avi shvartz'
Cc: 'Securityfocus'
Subject: RE: Security vs. Simplicity

From: Stephen Mullins [mailto:steve.mullins.work () gmail com] 

I agree that the goals of network ops and network security 
seemingly contradict one another.  Network Operations calls 
for simplicity, redundancy, and ease of troubleshooting.  
Network Security calls for defense in depth and secure design 
over all else.

  CIA: Confidentiality, Integrity, Availability.  Redundancy is
usually an Availability strategy, and Simplicity aids with Integrity.
The "contradiction" is much more a matter of "seeming" than of fact.

  A good solution is indeed as simple as possible BUT NO SIMPLER.
And as insecure as necessary BUT NO LESS.  Establishing where those
limits are (they should be derived from the other identified 
requirements) and implementing to meet them is Engineering.

David Gillett


