QOTD on good security

Good security will almost always make people's jobs harder. There is no need to make their jobs harder "just because we can." -- John Mark Allen, posted earlier today on the SANS GIAC Advisory Board mailing list, in reply to a somewhat heated discussion about security enforcement (reprinted with permission of the author).
I would also like to point the reader toward another related post by Dave Shackleford on "Practical Intelligence" in Infosec, dealing with the need to work with users instead of against them.

1 comment:

Black Fist said...

Completely wrong-minded in my opinion. The very reason that people circumvent our security controls is that they make their jobs harder. While we have to accept this as a reality of the world we live in, we should not say that "good security" makes people's jobs harder. That sounds like decent security to me.

GOOD security should be nearly transparent to the user, except in cases where the user needs reassurance that security is there. The problem for us is that providing GOOD security will require a lot of thinking out of the box and in some cases changing the foundations of common protocols. IPv6 anyone? We shouldn't allow ourselves to accept the current shortcomings of the security/usability trade-off as being a hard and fast rule; and we must not allow ourselves to see that as a sign of quality security.