Both a science and an art.

The Black Rabbit on Security Vs. Usability

Maybe you’ve heard of the sliding scale of security versus usability. Nothing comes without a trade-off, or a cost. As you slide towards usability your system gets less secure. Go harder towards security and no one can get any work done.

Blue team has to question their purpose. The top answer is likely to secure the organization against inside and outside threats, and that’s a fine goal. However, another goal should be to help the organization achieve its mission. And that’s where the sliding scale rears its long shadow.

The attackers are relentless, tireless, and ultimately have an advantage over the defenders. The simplest and quickest solution is to lock everything down as tightly as possible and deny user requests for access (unless they speak the proper incantations and burn the required sacrifices).

The problem that one runs into is: if you lock things down too tightly, the user will find a workaround so they can get stuff done. A new vulnerability has just been added to the system. The harder your grip, the more sand slips through your fingers.

Remember that you’re there to serve the company and its mission, while using your unique skills to provide the best possible security. Also remember that perfect security is not possible. This is where you sit down with the end-users, who are your customers, and find out: what are they required to have in order to accomplish their work?

Note that the question is not what they would like to have. That question will never have a final answer, and ultimately leads to “complete and unfettered access to everything”. Obviously not an optimal solution.

Of course users often don’t know what they need. Default to deny, and then add allowances on top until you and they have found just the right balance, together. Think of it as a nice quiet walk together, down an old British tree-lined lane, with Lovecraftian monsters slobbering outside the quaintly arched boughs. It could be a bonding experience with your users.

It’s a constant back-and-forth that requires continual tuning and vigilance. You can’t just set the required bits and walk away. Blue team has to work with the rest of the company, and even be their best friend. When security walls itself off and functions more like the Eye of Sauron, that’s when users find their own ways to get things done.

Introduce users to the sliding scale and tell them about the madness that lies at either extreme. Communicate, put yourself in their shoes, and give them your own to try on for size. Blue team can do a far better job if they aren’t an island.

Don’t default to deny. Instead default to “what is it you need, and how can we best get you there?”

Ethical Hacker. Rabbit Care Expert. Defender of the Small.