Meditation #3 Five Theses on IT Security

The point of IT security is not to keep everything locked up. The reason we often think about security that way may be our day-to-day concepts of security, for example maximum-security prisons where particularly dangerous criminals are kept. Keeping them locked up may be a comforting idea. However, we would probably squirm at the thought of maximum-security supermarkets, where only prescreened customers could get in for a limited time. A high level of security is good, but obviously it doesn't work for all aspects of our society. Security needs to be flexible. We need a clearer understanding of what security is. Here are five theses on security that describe that.

Thesis 1: “Security Is the Ability to Mitigate the Negative Impact of a System Breach”

The consequence is that understanding what these impacts could be is the first step, not finding out what security tools can do and how many different types of mitigation you can pile onto the solution. Understanding potential negative impacts comes before thinking about how to mitigate them. If a system has no, or only small, potential negative impacts, then consequently no or little mitigation is necessary in order for the system to be secure.

Thesis 2: “Mitigation Always Has a Cost” 

Security never comes for free. It may come at a low cost, and the cost may be decreasing for certain types of mitigation over time, but it is never free. What's more, many security costs are hidden.

There are three primary types of mitigation costs: economic cost, utility cost and time cost. The economic cost is the capital and operational cost associated with mitigation. This includes salaries for security personnel, licenses and training. Usually, these costs are well understood and acknowledged and will be on budgets.

Utility costs arise when a solution's utility is reduced by a mitigation effort. This is the case when a user is restricted from accessing certain types of information because of their role. A developer may want to use production data because it is easier, or may want to perform certain system functions that he or she would otherwise need someone else to do. Full utility is only achieved with full admin rights; reducing those privileges as part of a security effort reduces utility.

Time costs arise when a mitigation effort increases the time spent to achieve an objective. Two-factor authentication and CAPTCHAs are well-known examples of time costs, but approval flows for gaining access and authorizations in a system are further examples.

Only the first type is typically considered when thinking about security costs, but the other two may exceed the economic costs. This means that security carries large unknown costs that need to be managed.

Thesis 3: “You Can Never Achieve 100% Mitigation with Higher Than 0% Utility” 

The only 100% secure solution is to unplug the server, which of course renders it useless. It only becomes useful when you plug it in, but then it has a theoretical vulnerability. If the discussion is centered only on how to achieve 100% protection, any use is futile. The consequence of this is that the discussion needs to turn to the degree of protection. Nothing is easier than dreaming up a scenario that would render current or planned mitigation futile, but how likely is that? We need to conceptualize breaches as happening with a certain probability under a proposed set of mitigations.

Thesis 4: "Marginal Risk Reduction of Mitigation Efforts Approaches Zero"

The addition of each new mitigation effort needs to be held up against the additional reduction in the probability of a system breach, or risk. The additional reduction of risk provided by a mitigation effort is the marginal risk reduction. When the marginal risk reduction approaches zero, additional mitigation should be carefully considered. Let us look at an example: if a service has no authentication, the risk of a breach is maximal. Providing basic authentication is a common mitigation effort that will reduce risk significantly. Adding a second factor may provide a non-trivial reduction in risk, but smaller than the first mitigation. Adding a third factor offers only a low marginal reduction in risk. Adding a fourth clearly approaches zero marginal reduction in risk. For some cases, like nuclear attack, it may be warranted; for watching funny dog videos, maybe not.

Thesis 5: “The Job at Hand Is Not Just to Secure but to Balance Security and Utility” 

Given that mitigation always has a cost, and that the marginal risk reduction of additional mitigation efforts approaches zero, we need to reconsider the purpose of security. The purpose of security should therefore be reconceptualized from optimal protection to achieving the optimal balance between risk reduction, cost and utility. Finding that balance starts by understanding the nature and severity of the negative impacts of a system breach. While the costs of mitigation continue to drop due to technological advances, the full spectrum of costs should be considered. Preventing access to nuclear launch naturally needs top-level security, but a blog about pink teddy bears does not. For every component we have in the cloud we need to make this analysis in order to achieve the right balance: not living with too high a risk, and not spending unnecessarily to reduce an already low risk. At the same time we need to keep our eyes on how mitigation efforts impact the utility of the system, so as not to reduce its usefulness unnecessarily.
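To make Theses 2, 4 and 5 concrete, here is an added worked example in Python (it is not part of the original post). It models a breach as happening with some probability, lets each mitigation stop a fraction of the attempts that get past the earlier ones, and prices each mitigation with the three cost types from Thesis 2. The marginal risk reduction of the second, third and fourth authentication factors can then be read off directly, and a simple greedy selection stops adding factors once the next one no longer pays for itself. All effectiveness and cost figures are constructed for illustration and are assumptions, not data from the post.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Mitigation:
    """One mitigation effort with the three cost types from Thesis 2.

    effectiveness: fraction of the breach attempts that get past the earlier
    mitigations which this one stops (assumed, constructed figure).
    economic / utility / time: annual cost in the same money units as the
    impact of a breach, so they can be added together (assumed figures).
    """
    name: str
    effectiveness: float
    economic: float
    utility: float
    time: float

    @property
    def cost(self) -> float:
        return self.economic + self.utility + self.time


def breach_probability(base: float, mitigations: Iterable[Mitigation]) -> float:
    """Residual annual breach probability (Thesis 3: never 0 while plugged in).

    Assumes mitigations act independently, each stopping its fraction of what
    the previous ones let through.
    """
    p = base
    for m in mitigations:
        p *= 1.0 - m.effectiveness
    return p


def marginal_risk_reduction(base: float, impact: float,
                            applied: List[Mitigation], candidate: Mitigation) -> float:
    """Thesis 4: expected loss avoided by adding `candidate` on top of `applied`."""
    before = breach_probability(base, applied) * impact
    after = breach_probability(base, applied + [candidate]) * impact
    return before - after


def marginal_reduction_table(base: float, impact: float,
                             mitigations: List[Mitigation]) -> List[float]:
    """Marginal risk reduction of each mitigation, added in the given order."""
    table, applied = [], []
    for m in mitigations:
        table.append(marginal_risk_reduction(base, impact, applied, m))
        applied.append(m)
    return table


def choose_mitigations(base: float, impact: float,
                       candidates: List[Mitigation]) -> List[Mitigation]:
    """Thesis 5: greedily add the mitigation with the best net benefit
    (marginal risk reduction minus its full cost) and stop as soon as the
    best remaining one no longer pays for itself."""
    applied: List[Mitigation] = []
    remaining = list(candidates)
    while remaining:
        best = max(remaining,
                   key=lambda m: marginal_risk_reduction(base, impact, applied, m) - m.cost)
        if marginal_risk_reduction(base, impact, applied, best) <= best.cost:
            break
        applied.append(best)
        remaining.remove(best)
    return applied


# Constructed authentication factors, mirroring the example in Thesis 4.
# Each further factor stops a smaller share of what remains and costs more in
# utility and time (hypothetical numbers).
AUTH_FACTORS = [
    Mitigation("password",      effectiveness=0.9, economic=2, utility=0, time=0),
    Mitigation("second factor", effectiveness=0.8, economic=2, utility=1, time=2),
    Mitigation("third factor",  effectiveness=0.5, economic=4, utility=4, time=4),
    Mitigation("fourth factor", effectiveness=0.3, economic=2, utility=4, time=4),
]

if __name__ == "__main__":
    base = 1.0  # no authentication at all: breach is (assumed) certain
    for label, impact in [("teddy bear blog", 1_000), ("nuclear launch", 1_000_000)]:
        print(f"--- {label}: impact {impact} ---")
        for m, mrr in zip(AUTH_FACTORS, marginal_reduction_table(base, impact, AUTH_FACTORS)):
            print(f"{m.name:14s} marginal risk reduction {mrr:12.1f}  cost {m.cost:5.1f}")
        chosen = choose_mitigations(base, impact, AUTH_FACTORS)
        print("chosen:", [m.name for m in chosen],
              f"residual p={breach_probability(base, chosen):.3f}")
```

Run as a script, the marginal risk reduction for the blog drops from 900 to 80 to 10 to 3 money units across the four factors, so only the first two are worth their cost; for the high-impact system the same factors are each worth adding. The independence assumption is the simplest possible model; real mitigations overlap, which makes the marginal reduction of later ones fall even faster.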

Is the Apple Watch a Telegraph?

The coming of the Apple Watch is the buzz of the moment. Apple is the champion of making things simpler, but have they gone too far with the Apple Watch and made it too simple?

One click bonanza

The received wisdom in new product development is that you should take out steps and continually simplify the product. This is what Amazon did with One-Click and this is what Apple did with [insert your favorite Apple product here]. The reason is that it increases usability.

But sometimes the simplification reaches a point where it doesn't improve usability any more. Any product has some measure of complexity. Complexity is conventionally conceived as the number of possible states the system can have. So, roughly, a measure of complexity is the number of variables a user can choose between and the number of states they can assume.

Some products are the antithesis of Amazon's One-Click. Microsoft's Office suite has heaps of functions that are never used. Other products like SAP have a lot of different screens with a lot of functions, which make them difficult to use. But the reason these functions are there is often that users actually need them, so for those users they are necessary. If you take away that functionality you will make the user interface simpler, but the complexity of the task you wish to do remains; only now, because of the too-simple interface, it is even more complex than it was before. This is what we could call residual complexity, that is, the complexity of a task that is not supported by the tool.

Let me give you an example of high residual complexity. We bought a dishwasher called something-with-one-touch (perhaps inspired by Amazon?) where indeed there was only one button. On the face of it, good thinking: simplify to the core of the problem. What do I want to do with a dishwasher? Make it wash my dishes. That works very well, under normal circumstances. That is, until I discovered, after it had been installed, that it just didn't work. Not much you can do with one button then. I called the store and they had me push some sequences on the button to do diagnostics. Suddenly I found that the dishwasher was stuck in Turkish, a language I am not intimately familiar with. What to do when you have only one button?

Finally it was back to the original language, an operator came on site to fix it, and it worked. Now we were happy, until the dishwasher had finished its washing cycle. For some reason, the product manager or whoever was in charge thought it would be nice if the dishwasher played "Ode an die Freude" from Beethoven's 9th symphony. I love that piece and especially the ode, but not when it is played as a 15-second melody sequence on a clunky 8-bit sound generator and repeated three times. Now I wanted to turn it off, but what to do with only one button?

One click communication

To illustrate it further, let's take the simplification to its extreme. Take a keyboard on a computer. It has about 50-60 keys. They can be on or off. That leaves us with a product with 100-120 different possible states (not counting combinations, since a keyboard records only one stroke at a time). If you would like to simplify this maximally, you could introduce a One-Click concept where the keyboard had only one key that could be on or off. We just reduced the complexity of the user interface by a factor of 100, or more popularly, we made it 100 times simpler.

That, however, was done centuries ago (literally). It's called a telegraph. The telegraph clearly illustrates the problem of residual complexity: in order to carry out the necessary task with a telegraph (communication) when there is only one button, the complexity shifts from the user interface to the task. You need to learn Morse code in order to use it!

That means that when there is an inherent task complexity, you cannot simplify the user interface beyond a certain point if the goal is to increase usability.

Residual complexity and the Apple Watch

Now let's return to the Apple Watch. Compared to a watch, the Apple Watch is not simpler. Quite the contrary. On the other hand, compared to a smartphone it is simpler, and many, including Apple, compare it to exactly that. You can do many of the same things on the Apple Watch as you can on the iPhone.

For example, you can read and reply to messages, but only in a limited way: there is no keyboard. So, if you want to reply, you have to choose a preconfigured reply or dictate one.

You can read an email there, but if it is longer than a short message you will have to scroll incessantly. You can also listen to music, but what if you want to search for a song? You can look at your calendar, but what if the entry is more than 15 characters or you want to move an appointment?

All of these are examples of residual complexity. Could it be that Apple just made it too simple? Could it be that Apple just built a new telegraph for your iPhone?


Photo by Clif1066 @flickr under CC license

Review of Bitium

Bitium is an app for provisioning and deprovisioning access to cloud applications for the employees in a company. You can add the applications that your company uses and log into them.

Add employees to your organization and assign them the apps that you have in your company. They will be invited, and you can decide whether they should choose a password themselves or Bitium should do it for them. If Bitium does it for them, it is easy to deprovision access once they leave the company, since they don't know the password that Bitium uses to log them in. Bitium solves two central challenges in using SaaS for enterprises:

  1. Overview: a central portal or starting point for the employees' work.
  2. Authorization: controlling who has access, to make sure new employees are up and running quickly and, more importantly, former employees lose their access just as quickly. You can use most authorization methods like SAML, LDAP, OAuth, 2FA and so forth.

On top of this it even has some instant messaging features.

How can you use it?
You can use it in onboarding, making sure that all systems are ready when a new employee starts.

Identity and access management is a central process that Bitium can be used for, but in general it is meant to be the portal towards the web of SaaS applications a company uses. So use it as a start page for your company.

Strong points
Easy-to-use connection to the different apps that exist. No nonsense: you click add, supply the logon credentials and you're up and running.

A directory of more than 1000 SaaS apps is daunting and guarantees you will be able to move all, or at least the vast majority, of your app access to one place.

Clear and clean user interface makes it easy to get started. There is absolutely nothing more or less than there should be for a cloud portal.

Weak points
Some app connections do not work well. Maybe the connection fails or you can't initialize the app for some reason, but it is probably not only Bitium's fault, and they do write that it is in beta. Nevertheless, as a user you expect and hope that everything works.

Access management is out of your physical control. Since Bitium is a SaaS company, you have effectively trusted it with all your company's passwords and user data. That is, however, a tradeoff. If you want to control it, you can set up different methods of authorization against your own user base, but the information about which users use which apps will still be stored with Bitium.

Suggestions for the future

  • It is an opportunity to recommend other apps that similar users use. We hope that they won't develop into a marketplace where the user interface is cluttered with ads, though.
  • Develop an integration framework, so you could also manage integration between applications.
  • It could also be an idea to integrate the application itself with HR systems, since authorization is a key element of onboarding and off-boarding employees.
  • Develop a strong enterprise mobility offering. Bitium could provide companies with their own app store and administer employees’ access to apps centrally.

Price
There is a free plan that gives you basic functionality. Then there are plans for $199, $599 and $999 per month, which offer more functionality, such as IP whitelisting and SAML and LDAP authorization, which makes it attractive for larger corporations with that infrastructure in place.

Notable facts

  • Integration to more than 1000 apps
  • Created as a spinoff from a previous online game company
  • The vision of Bitium is to become the SaaS operating system of the future

Recommendation
Anyone looking for a single method to access cloud applications could find good use for Bitium. Probably small and medium-sized companies with a lot of SaaS products will be the early adopters, but there really isn't any reason why larger enterprises shouldn't use Bitium as well.