From Martin Wolf comes a story with real Infosec parallels (emphasis added):
"We must not get diverted by the financial sector's opposition or by populist rage. We must focus, instead, on the core issue. Trying to make financial systems safer has made them more perilous. Today, as a result, neither market discipline nor regulation is effective. There is a danger, therefore, that this rescue will lead to still greater risk-taking and an even worse crisis at some point in the not too distant future."

"Trying to make the system safer has made them more perilous": information security routinely gripes that systems are "too complex" and that this is why they are insecure - too much code, too distributed, and so on. Fair points. But what happens when infosec has to offer a solution of its own? In almost every case, the security protocols and mechanisms put in place to mitigate some risk become the most complex part of the system. Does anyone see a problem here?

"Either we impose a credible threat of bankruptcy, or institutions we have to support are made safer, or, better, we have both of these. Open-ended insurance of weakly regulated institutions that take complex gambles is intolerable. We dare not return to business as usual. It is as simple - and brutal - as that."
"Open-ended insurance of weakly regulated institutions that take complex gambles is intolerable": the result of this echoes Brian Snow's point that the most dangerous security posture is to believe you are secure, and to act accordingly, when in fact you are not.
Both of these issues point out to me the reality that security can only solve so much, and that assurance is required to deal with them.
The thing about complex security protocols is that they can be reused across multiple systems, which in turn makes it feasible for them to be thoroughly reviewed without the cost of the review overwhelming the benefit of the security protocol in the first place.
Yes, DES/AES/RC4/etc. are all complex systems. But nobody writes their own any more; they use well-reviewed (shared) implementations that have already withstood significant scrutiny.
And this applies to many of the security protocols in use today.
I'm not denying that complexity is the enemy of security. But implying that complex systems MUST be insecure is naive.
Posted by: Rogan Dawes | October 23, 2009 at 03:36 AM