Last week, while teaching the CCSK (cloud security) class, the discussion reached a point I often find myself in these days. We were discussing the risk of cloud computing, and one of the students listed “less control” as a security risk.
To be honest, this weaves itself through not only the Guidance but most risk analyses I have seen. And it’s not limited to cloud discussions. One of the places I hear it most often is in reference to mobile computing – especially iOS devices.
For example, while hosting an event at RSA earlier this year we had a security pro with over 10 years experience state that they don’t let iPads/iPhones in, but they still use Windows XP. When I asked why they allow a patently out of date and insecure OS, while blocking one of the most secure devices on the market, his response was “we know Windows XP and can control it”.
Which, to me, is like saying you are satisfied to pick exactly which window the burglar will come and leave through.
More knowledge or control doesn’t necessarily translate into better security. In fact, uncertainty can be a powerful motivator to implement security controls you otherwise neglect due to a misplaced sense of certainty.
We all know you are far less likely to crash in a plane than to die in a car accident. Or that your children are far more at risk of drowning or (again) car accidents than of being abducted by a stranger. But we feel in control when driving a car, so we feel safer even though that’s flat-out wrong.
You can’t control everything. Not your own systems or employees, no matter where they are located. Design for uncertainty, and you can better adapt to new opportunities or threats, at (I suspect, but can’t prove) the same costs. Not that you shouldn’t maintain some degree of control, but don’t assume control means security.
Reader interactions
3 Replies to “More Control Doesn’t Equal More Secure”
Hey Cindy,
Neither. I’m talking about people who think that “more” control over something means greater security. E.g. “we know and lock down Windows XP, thus it’s less of a security risk than an iPad.”
It’s more about psychology, not which controls you actually use.
Rich—are you talking here about about implementing controls just for the sake of feeling more secure, vs implementing the right controls to help you become more secure (even if they are less) and mitigate risk?
A recurring theme in security, and a few different ways to look at the topic. A dozen years ago I remember people talking about how the better we got a detecting specific threats, the more fragile security technologies became – i.e. missing new or general attacks because of the focused on known threats. Schneier used to talk about a case where there were security bars on the windows, but the attacker chain-sawed his way through the wall. I have written a couple times about ‘embracing insecurity’ for this reason, and one of the topics in the [security speed bump](http://securosis.com/blog/security-speed-bumps) post a couple years ago. More knowledge does not always translate into better security and less control does not mean less security. In this context, you may lose control to Amazon/Rackspace/GoGrid, but maybe they do a better job than you. You are fearful of threats against hyper-visors and mobile platforms, but they are more secure than what many rely upon today.
-Adrian