As IP becomes a way of life and COTS is no longer a buzzword but instead a reality, the subject of security is raising its head once again, if it ever went away. But where do we start when we need to make systems secure?
Two underlying themes make systems insecure: people and access.
Retrieving data is the fundamental reason for security challenges in IT systems. Without the need to retrieve data, the infrastructure would be so secure it would be impenetrable. However, it would also be quite a useless system: what is the point in storing data if we can never retrieve it?
People are known to be the weakest link in any system. No matter how secure or impenetrable our hypothetical storage would be, at the end of the day, it was designed and built by humans and so has flaws.
As with all things engineering, security is about compromise. I’ve used the term “impenetrable” above rather loosely as I contradicted myself in the very next paragraph, but the point is that if we want to access our data, then the sad reality is that we must expect some vulnerability.
If we look at some of the high-profile security breaches, they have come from simple actions such as clicking on links within emails, or not being entirely secure with passwords. Consequently, we have made passwords so secure that they are impossible for humans to remember, so what happens? People write them down. Or use the password storage within their browser.
Now we start to disappear down the security rabbit-hole. How secure is the browser? Is it synced to a shared home account? Does the employee know who is accessing their browser at home? Even if they don’t share their browser, is it residing on a shared computer? And on we go…
For me, security is about a combination of psychology and technology. They work together and cannot be separated. But as engineers, we seem to place a heavy burden on the technical aspect of solving the security challenges without considering the people aspects. Although we can force users to change their passwords every month, or week, or even day, what is the point? People always seem to take the path of least resistance and will find a way of circumventing this kind of complexity, no matter how well intentioned.
Another challenge we face is that, as law-abiding citizens, we often find it difficult to think like criminals. We may think we can second-guess criminal behavior, but the reality is that the good in us really blocks out our perception of the evil that can be achieved, and that’s probably very good, otherwise society would quickly break down.
Security is a fascinating subject and as we progress on our IP journey where COTS and datacenters are the norm, we really must think about security in terms of psychology as well as the underlying technology.