Wednesday, December 07, 2016

My view on Security

People in the Software Industry seem to be quite a bit bothered by the notion of Security. Security seems to be this ooh-so-magical castle that's innately "more important" than anything else that your company does and any and all pain and sacrifice demanded at the altar of security is justified (because oooh! Users! & Privacy!!!). Well, let's face it - security is a pain... a massive pain that provides very little reward in return.

Security is like brushing. Do it once everyday and you'll be happy, your teeth will be healthy and you'll have a long life. And that's all the importance it deserves. 

ACLs are like flossing. You know you should be doing it, but you keep putting it off as long as possible. ACLs give you a sense of security, a warm fuzzy feeling of being in control. An easy way of saying - yeah, we know what we're doing - look! ACLs! And every single day, an engineer's creativity dies a little bit when he or she spends 3 hours trying to get permission to look at just one, just one instance of the data that you're trying to protect so that you can write just one line of code. 

And then there's security "best practices". Ooh, I just cry a bit every single time someone in security says "no, you can't do this" without providing a half-decent, reasonable technical alternative to the egregious hack that's already in the system to work around some other limitation of some other security system. Half-assed security systems do no good to anyone. 

There are only 2 reasonable threat models in the world: you're either being attacked by a Nation state or you're being attacked by a script kiddie. Nothing you can do will stop a determined Nation state. Electronic security be damned. They're just going to pick you up from your neighborhood coffee shop and you're going to quietly give up your passwords and hope to get your life back. If they're trying to be a bit subtler, you're just going to get key-logged. 

If you're getting attacked by a script kiddie, reasonable passwords, https, instructions about phishing and 2 factor authentication is all that you need. 

This entire hoopla about "insider threats" being a reasonable threat model in enterprise just doesn't work. If you can't trust your employees with the broadest of powers, they just can't work with each other or with the data that you're working so hard to protect. There's just no way you can protect against the exponential possibilities of compromise. The *ONLY* reasonable alternative is "trust but verify". Put in auditing, look for patterns, look for data exfiltration but for heaven's sake, just don't make daily life hard. Because your average engineer is working really, really hard to move your company forward. Making your productive workers jump through hoops kills productivity and at the end of the day, talent leaves a non productive organization and with it, your long term future disappears.