Is it possible to have to much security?
Part of me really wants to say No, there is no such thing as to much security. But the reality is that there is such a thing as too much security!
What, but in this age of digital everything, Equifax, target, Facebook hacks/leaks how can there be too much security?
Simple! When it drastically impedes your ability to do your fu(k!ng job, it is to much security.
I was troubleshooting a networking issues for my day job a couple months back and it took 8 people at 6 companies to identify on which network segment and what piece of equipment was the source of the problem. There were, routers, switches, and firewalls from different vendors and different networks all looking at packet traces to figure out which stupid piece of equipment was responsible because there were so many different layers of security and routing. (8 firewalls in between.)
This is what I'm talking about. IT WAS NOT NECESSARY.
All those extra layers of firewall and routing were completely unnecessary from a practical standpoint, but necessary because of company split offs.
It created a complexity layer on top of a complexity layer. This is not the first time I have encountered this.
Once you get to a certain point in security you do not really increase your security significantly, you just increase the amount of things which can break or create headaches.
I have seen too many companies fall victim to over securing their environment. You need good security but you must understand the laws of diminishing returns.
You must also understand Confidentiality---Availability---Integrity. You must find the BALANCE between the three that meet your needs.
To many people sacrifice Availability for confidentiality and integrity control. It is a tough act to balance but the wrong balance point means dozens of extra hours of headache for IT professionals troubleshooting problems.
IT folks, please remember one thing: K.I.S.S. Keep It Simple Stupid!
Do not over complicate things.
More complexity means more attack vectors.
More complexity means more things that can break.
What, but in this age of digital everything, Equifax, target, Facebook hacks/leaks how can there be too much security?
Simple! When it drastically impedes your ability to do your fu(k!ng job, it is to much security.
I was troubleshooting a networking issues for my day job a couple months back and it took 8 people at 6 companies to identify on which network segment and what piece of equipment was the source of the problem. There were, routers, switches, and firewalls from different vendors and different networks all looking at packet traces to figure out which stupid piece of equipment was responsible because there were so many different layers of security and routing. (8 firewalls in between.)
This is what I'm talking about. IT WAS NOT NECESSARY.
All those extra layers of firewall and routing were completely unnecessary from a practical standpoint, but necessary because of company split offs.
It created a complexity layer on top of a complexity layer. This is not the first time I have encountered this.
Once you get to a certain point in security you do not really increase your security significantly, you just increase the amount of things which can break or create headaches.
I have seen too many companies fall victim to over securing their environment. You need good security but you must understand the laws of diminishing returns.
You must also understand Confidentiality---Availability---Integrity. You must find the BALANCE between the three that meet your needs.
To many people sacrifice Availability for confidentiality and integrity control. It is a tough act to balance but the wrong balance point means dozens of extra hours of headache for IT professionals troubleshooting problems.
IT folks, please remember one thing: K.I.S.S. Keep It Simple Stupid!
Do not over complicate things.
More complexity means more attack vectors.
More complexity means more things that can break.
Comments
Post a Comment