A Holistic View of Security
When people are asked about "security", a multitude of images roll through people's heads. Everything from armed guards and electric fences, to absurdly long and complex passwords that your boss tells you must be changed every 2 weeks. The truth of the matter is, all of those visualizations are right on one level or another. But, to think of just one of them as being the panicle of security, whereby if you at least have this one thing you'll be safe, you would be flat out wrong.
In the folowing picture I've used the video game Stronghold 3 by FireFly Studios to create a depiction of what this kind of thinking would produce if all aspects of security were translated into the terms of purely physical security. As you can see, the front side of the castle is heavily fortified. Attacks from this direction are well defended against. However, as attacks are launched more to the sides, the castles defenses quickly diminish. In fact, any attacks from the rear of the castle are completely undefended against and leave the castle extremely vulnerable. In this exaggerated example, it is clearly visible that the castles security is not in fact very secure.
In the past, I've seen books that will tell you to approach security by evaluating the risk and ranking them. Then start by addressing each risk starting with the highest priority. I'm here to tell you that this notion of priority is flawed and there are many reasons why. First and foremost is that lists tend to give a sense of importance such that people feel if the most important aspects are covered, then we need not worry about the rest. As we already saw with the castle example, your security must be complete to be effective. Second is the fact that establishing such a priority means that you have a deep understanding of both the magnitude of effect and probability of occurance for any given event. While mountains of statistics could be accumulated to obtain a better establishment of priority, it's normally not nessesary because everything that presents itself as a threat should actually be evaluated and addressed. About the only worthyness of establishing the priority would be when it comes to budgeting. But, more on that later. Now, the final reason I'll give as to why a priority list is not appropriate is that many aspects of security should be deployed in controlled stages from the ground up. Because of dependancies, even though a particular threat may be very real and viable, its mitigation may require multiple other components to be in place. It would be akin to saying that a house built in Seatle Washington (one of the rainiest cities in the U.S) must have an excelent roof and gutter system to handle all the expected rainfall. As water damage can be quite sever and the frequency of rainfall is very high, the general contractor decides to build a roof as his top priority before even digging the foundation for the house. While such a thought is comical and brings back memories of saturday morning cartoons with impossible feats of physics, trying to establish security policies out of order can be just as obsurd.
So, where does one start then when establishing security policies and practices?
To be continued.... Work In Progress.
Lead Image courtesy of Ryan Lea