A long discussion across several media on the net was started by what appears to have been a highly entertaining presentation at InterOp in Las Vegas recently. The presentation was given by Joshua Corman, Principal Security Strategist at IBM/ISS, and was called “the 7 dirty secrets of the security industry”:

networkworld.com-interop-dirty-security-secrets

Among the “secrets” is the observation that the security industry is not about security but about making money! Hardly surprising. Anyway, some of the other points made by Mr. Corman are definitely more valid.

For instance “#2: There is no perimeter”. This is interesting and points to one of our core messages (see for instance blog post …). The perimeter, in the classical LAN-oriented meaning of the word, cannot be protected anymore and therefore becomes meaningless. Depending on your point of view, the classical perimeter is either going away and being replaced by something else or, in other words, is “shrinking” to cover not networks but primarily applications and data. This becomes even more true in the evolution towards cloud computing, where protecting the network in reality becomes identical to protecting the Internet, which is obviously not practical for companies. Basically this revolves around a fundamental understanding of exactly what it is you want to protect, as opposed to trying to protect everything to the same level. The latter is in reality what we do with a classical perimeter, where everything on the “inside” must necessarily have the same security level!

The 7th “secret”: “Security has grown well past do-it-yourself” is also very true, but probably more true than it has to be. It is unacceptable that unnecessary infrastructure complexity drives the security in a company. Excessive complexity is a major security threat to organizations – and even drives excessive costs! Any consideration of how to design, implement or re-design an infrastructure securely must start from a fundamental simplicity principle. If you manage to design a very simple infrastructure, more people than today will actually be able to implement “do-it-yourself” security. The other major risk with the approach recommended by Mr. Corman is that business people leave security issues to the “experts”! Security must begin with all of us as individuals making conscious decisions about our own actions. The responsibility for secure conduct cannot be left to experts. Again, to be able to implement this responsibility paradigm, the infrastructure needs to be simple and transparent enough to enable people who are not IT or security savvy to make meaningful decisions.

Simplicity is a very fundamental principle in security.

Systems are in general said to be “complex” when they consist of more than one element or part and display variation over time without being random.

When the elements in the system furthermore contain some sort of memory, provide feedback and change behavior based on external inputs, they are said to constitute a complex adaptive system. Adaptive systems are considerably more complex than simple linear systems when the individual elements in an adaptive system change behavior independently of each other. This sort of behavior makes the combined output of such a system non-linear and almost unpredictable, although not random.

We believe that remote access infrastructure and solutions (or basically any kind of connectivity infrastructure, i.e. network) effectively constitute exactly such an adaptive complex system.

This is the reason why Giritech strongly believes that simplifying infrastructure is the core foundation for building a solution for an organization with predictable behavior. Note here that predictable behavior is the formal foundation for being able to unambiguously document that the solution addresses certain challenges as designed. In the case of remote access systems, this means documenting that it does not jeopardize the security policy and thereby potentially create “holes” that might allow unauthorized access to resources or non-authenticated access at all!

See for instance this link for more background on the term "complexity".

In this blog, Lars Struwe Christensen, VP Business Innovation and CTO of Giritech, ponders on such topics as:

  • Security
  • The IT Industry
  • The future of working
  • The future of IT infrastructure
  • many other subjects ...

while explaining Giritech's vision of Network Consolidation.
