Security theory

It is funny how the job of IT Administrators is to help users get to everything they need, while Security Administrators try to restrict the user’s access. Someone I know told me once “You got access denied?! Good, the security is working“! At a basic level, that means that security administration is at its core fundamentally opposed to network administration: they have, in fact, conflicting goals. This creates the trade-off that we need to consider in this security theory post.

I think that technology should be transparent to users. In the end, users should be able to do their job and bring some money to the corporation that hired them.

Since end users are not IT people, the technology should also be easy to use and useful. This is sometimes called Usability. In other words, the trade-off is between security and usability. Makes sense, right?! Keep reading please.

You can make any technology more secure, but by doing so you will make it less usable. So how do we make it more secure and more usable? This is where the third axis of the trade-off comes into play. Any good engineer is familiar with the principle of “Good, fast, and cheap. You get to pick only two“.

You can make something more secure and more usable, but it will cost more in terms of money, time and human resources. This is why nowadays security costs a lot of money.

Returning to the security theory argument (security will break stuff), many organizations, especially small ones, will not invest in or care a lot about security. Maybe they think that they are too small to need to care about attacks or security. Those are the first to get attacked!

Medium and some big organizations that do not deal with safeguarding money (as banks do) or with secure government projects will, most of the time, not consider high security measures until they get hit by an attacker. They take security for granted. Sadly, most of those organizations will invest money in serving customers and preparing the infrastructure for that, ignoring the security side of their network. One day they get attacked somewhere, wake up shocked, and immediately start considering security. By then it has already cost them a lot (maybe their reputation as well).

I guess that any organization nowadays should start with security in mind, by applying the Secure Enough principle. They should invest in the minimum amount of security as a starting point and build up from there. After that, they should invest in hiring a security administration team to keep an eye on their network, gradually implement a security baseline, and follow up with security audits. Finally, a complete threat modeling of their network can help them move to the correct place. It is not a bad idea to take advice from an external body to evaluate where they stand in terms of security and network protection.

Going back to the initial question in our security theory, does security break stuff?! I guess that depends on the business. If you are a bank, then lowering usability to increase security is something you should do. On the other hand, investing more in terms of money and resources will give you both security and usability. Always ask yourself this question: “What will I lose if I get attacked? Will I lose my reputation in the market? And what will happen if all my published services get shut down because of a DoS attack?“. If you do not like the answers, then start working on security more seriously.