[Log In] []

Exploring the science and magic of Identity and Access Management
Saturday, October 24, 2020

Security: Complexity and Simplicity

Information Security
Author: Mark Dixon
Monday, May 18, 2015
4:48 pm


It is quite well documented that Bruce Schneier stated that “Complexity is the worst enemy of security.

As a consumer, I think this complexity is great. There are more choices, more options, more things I can do. As a security professional, I think it’s terrifying. Complexity is the worst enemy of security.  (Crypto-Gram newsletter, March 15, 2000)

Leonardo da Vinci is widely credited with the the statement, “Simplicity is the ultimate sophistication,” although there is some doubt whether he actually said those words.

Both statements have strong implications for information security today.

In the March, 2000 newsletter, Bruce Schneier suggested five reasons why security challenges rise as complexity increases:

  1. Security bugs.  All software has bugs. As complexity rises, the number of bugs goes up.
  2. Modularity of complex systems.  Complex systems are necessarily modular; security often fails where modules interact.
  3. Increased testing requirements. The number of errors and difficulty of evaluation grown rapidly as complexity increases.
  4. Complex systems are difficult to understand. Understanding becomes more difficult as the number of components and system options increase.
  5. Security analysis is more difficult. Everything is more complicated – the specification, the design, the implementation, the use, etc.

In his February 2015 article, “Is Complexity the Downfall of IT Security,”  Jeff Clarke suggested some other reasons:

  1. More people involved. As a security solution becomes more complex, you’ll need more people to implement and maintain it. 
  2. More countermeasures. Firewalls, intrusion-detection systems, malware detectors and on and on. How do all these elements work together to protect a network without impairing its performance? 
  3. More attacks. Even if you secure your system against every known avenue of attack, tomorrow some enterprising hacker will find a new exploit. 
  4. More automation. Removing people from the loop can solve some problems, but like a redundancy-management system in the context of reliability, doing so adds another layer of complexity.

And of, course, we need to consider the enormous scale of this complexity.  Cisco has predicted that 50 billion devices will be connected to the Internet by 2020.  Every interconnection in that huge web of devices represents an attack surface.

How in the world can we cope? Perhaps we need to apply Leonardo’s simplicity principle.

I think Bruce Schneier’s advice provides a framework for simplification:

  1. Resilience. If nonlinear, tightly coupled complex systems are more dangerous and insecure, then the solution is to move toward more linear and loosely coupled systems. This might mean simplifying procedures or reducing dependencies or adding ways for a subsystem to fail gracefully without taking the rest of the system down with it.  A good example of a loosely coupled system is the air traffic control system. It’s very complex, but individual failures don’t cause catastrophic failures elsewhere. Even when a malicious insider deliberately took out an air traffic control tower in Chicago, all the planes landed safely. Yes, there were traffic disruptions, but they were isolated in both time and space.
  2. Prevention, Detection and Response. Security is a combination of prevention, detection, and response. All three are required, and none of them are perfect. As long as we recognize that — and build our systems with that in mind — we’ll be OK.This is no different from security in any other realm. A motivated, funded, and skilled burglar will always be able to get into your house. A motivated, funded, and skilled murderer will always be able to kill you. These are realities that we’ve lived with for thousands of years, and they’re not going to change soon. What is changing in IT security is response. We’re all going to have to get better about IT incident response because there will always be successful intrusions.

But a final thought from Bruce is very appropriate. “In security, the devil is in the details, and those details matter a lot.”

Comments Off on Security: Complexity and Simplicity . Permalink . Trackback URL

Simplicity, Complexity and Identity Management

Author: Mark Dixon
Thursday, March 10, 2011
8:47 pm

I have been concerned for some time that Information Technology systems in general and Identity Management systems in general have become so complex that it takes rocket scientists to understand them, implement them, and take care of them.  Because of the relative scarcity of rocket scientists, many companies become overwhelmed by the complexity of the their IAM systems and either don’t implement them correctly or reap the benefit that could be realized.

Today I stumbled across an intriguing article, Simplicity: A New Model, by Jurgen Appelo, that explored the issues of simplicity and complexity. I liked the definition of simplicity Jurgen used:

Simplicity usually relates to the burden which a thing puts on someone trying to explain or understand it. Something which is easy to understand or explain is simple, in contrast to something complicated. (Wikipedia)

But he went further, explaining simplicity and complexity with the aid of a visual model:


I encourage you to read Jurgen’s article to understand the significance of each visual image.

This made me this made think, “Is there a way to map IAM systems onto a model like this?”

I don’t know the answer, but it is an issue worth exploring.  I’ll let you know if I come up with some brilliant ideas.

Comments Off on Simplicity, Complexity and Identity Management . Permalink . Trackback URL
WordPress Tags: , , ,
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.