Security Basics mailing list archives

Re: Security vs. Simplicity


From: shailesh.sf () gmail com
Date: Wed, 20 May 2009 15:30:42 -0600

Dear Avi,

Well, the answer to your question in a 'True' managerial style would be - "It Depends"!!!

IMHO I would tackle this problem from 2 different perspectives -

First would be the "Regular Operations" perspective and the second one shall be the "Contingency Operations" 
perspective.

During Regular Operations, assuming that your decision is WRT Critical Infrastructure(s), then you would want to err on 
the side of security rather than on simplicity.
This argument is not for securing the system employing the "Security by Obscurity" principle, but if you are trying to 
provide Confidentiality, Integrity, Non-Repudiation, etc. (yeah the CIA Triad) then the system must be "Secure", at 
times even at the expense of "Simplicity". 

During Contingency Operations, you want to ensure "Availability" of the system, then the focus would evidently be on 
"Simplicity" rather than "Security". While planning for a COOP or DRP you would be better off with a system that works (but is 
insecure) than saddled with one which is secure but does not work. 

So the bottom line for your dilemma would be -
The Security folks must be given free rein, considering that most of your operations would be "Regular" and hence 
optimum Security would be your goal.
Yet the Design folks ought to have the "Veto" for rejecting those extra 'Layered Security' that Security folks are 
always willing, happy and ever ready to append to a system that could jeopardize its recovery during "Contingency" 
operations.

Hope this helps.
Do keep us posted on your decision as well.

Regards,
Shailesh
