Less is more (secure)

May 28, 2008 – 5:58 AM

Complexity is the enemy of security. Simple systems are inherently more secure than complex solutions. We see this idea validated again and again in security.

Unfortunately, our IT systems are getting more and more complex as we depend on technology to fuel business growth and innovation. But do we really need to expose ourselves to ever-increasing complexity? Surely, in security, less is more.

In my daily life, I try to minimize the amount of unnecessary exposure to risk. Most security professionals do that. I avoid giving out personal details unless absolutely necessary. When asked for ID to enter a building, I give out my British driver’s license, not my New York license. I started doing this after a few instances where I handed over my N.Y. ID only to have it scanned into a database without my permission. Once dipped into the scanner, my ID number and a whole host of other information were in a database of unknown security. Both British and N.Y. ID establish identity, but only the N.Y. ID number is used by U.S. banks as a unique individual identifier. Also, I doubt the British ID can be scanned in the same scanners.

I sometimes get asked for a Social Security number by someone who clearly has no valid reason to ask. The most ridiculous example of this was a neighborhood dry cleaner that used the SSN as a convenient “customer number” in its database. In cases like those, I provide a fake SSN (my phone number, minus one digit) — easy to remember, useless if compromised. Less information about me floating around equals more security for my identity.

I take a similar approach to my corporate security policies. For example, we standardize on Firefox as our company browser. This is not because Firefox is better (though it is) or more secure (though it is), but because it is less entangled with the operating system and less “enriched” with code-execution features. On top of the basic installation, we add a little plug-in called NoScript. What NoScript does is strip pages down to basic HTML: no Java, no Javascript, no other code or embedded objects. Every page visit by default is minimized to the bare essentials of HTML. If you need code for a menu or a fancy feature, you can decide to enable it just for a session or permanently. Even though the user can override the protection, the vast majority of sites are visited in a “less is more” posture. As a result, the incidence of spyware, viruses and other nasties is shockingly low in our environment.

I’d really like to see the minimization posture adopted by more software and possibly more business processes, too. Rather than worrying about how to secure information, don’t collect it unless absolutely necessary. As a user, whenever and wherever you can, avoid giving out information or give out “identity placebos.”  Less is more.

Source: Network World