And all in the name of security

Over the years (which, in truth, means far more years than I am prepared to admit to) I have seen a trend in limiting access to functionality and settings on the company computer.  Many reasons have been given including

  • to protect the settings;
  • to stop users breaking it; and
  • to maintain consistency.

And recently the main reasons given are often to do with security: protecting our assets, or preventing malicious attacks.  And the more that the devices are locked down, the less that some people can self-resolve; the more that devices are secured, the more exceptions that have to be made for developers and certain types of individual.  The more secured we are the more we pay in security, software, and resolver groups.

But if you are a target then you have to have the security – you can’t just open the doors and let everyone in.  The inside must be protected from marauders, whether they want to steal your secrets (as in the IT example) or blow up your cities (a more traditional security consideration).

So, in the name of security we accept constraints to our daily lives: we undergo searches when we board aircraft, we accept CCTV beyond even Orwellian imagination, and we are tracked by numerous databases in every aspect of our daily life.  Some of these are more intrusive than others, some are easier to forget, but all are sold as making our lives more secure and to help us sleep at night. And we probably do sleep more soundly in our cocoon of protection.

If I protect my house with high security locks and a burglar alarm does that mean that I won’t be burgled? As far as opportunists go, yes it probably does.  But I can’t guarantee security against a determined thief who will find the weak points.

And that’s essentially my point – we have a lot of protection against a known (or perceived) threat, and that’s all to the good.  But what if the opposition isn’t necessarily all about harm or destruction? What if their aim is to add complexity, cost, and obstruction? If this is the case, have they already won?

There is no wholly right or wrong answer; countermeasures are implemented against a perceived threat landscape.  But on this occasion I just want to pose a counter-argument to promote a bit of thought.