Complexity is the worst enemy of security

Last updated: 21 March 2014

The phrase ‘less is more’ rings true in many sectors of life, work and society, but few expect it to be used in relation to security. For many, security fits the ‘more the merrier’ platitude – at least that’s what many of my IT security colleagues would promote. Look deeper, however, and there are theories, like those supported by security expert Bruce Schneier over the past decade, that suggest differently.

Schneier is confident in his belief that “complexity is the worst enemy of security” and a recent study of the impact of complexity in network security environments, based on the number of vendors, devices and rules in that environment, provides further evidence in his favor.

Back in 1999, Bruce stated “The only way to evaluate the security of a system is to analyze it”. In a blog post entitled ‘A Plea for Simplicity’ he wrote:

“We’ve seen security bugs in almost everything: operating systems, applications programs, network hardware and software, and security products themselves. This is a direct result of the complexity of these systems. The more complex a system is–the more options it has, the more functionality it has, the more interfaces it has, the more interactions it has–the harder it is to analyze. Everything is more complicated: the specification, the design, the implementation, the use. And everything is relevant to security analysis.”

More recently, an AlgoSec survey examining the dangers of complexity in network security environments revealed that more than half (55%) of the survey respondents (127 IT security professionals worldwide) from mid-sized and enterprise organizations stated that complex policies ultimately led to a security breach, system outage or both.

Multiple security policies require knowledge of multiple strands of protection. The Great Wall of China wouldn’t be nearly so imposing if it were lined with doors, reinforced or otherwise. As AlgoSec CEO Yuval Baron writes in Wired, “the result is that we’ve increased the level of complexity within the environment to the point where we have actually created risk because of human errors”. Layers of digital security are all very well until they require human interaction.
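One concrete way the rule count turns into risk is ordering mistakes in a first-match rule base: a later rule that an earlier one already covers can never fire, so an administrator who believes it grants or blocks access is wrong. The following is an added example, not code from the article or from AlgoSec; the rule set and the tuple format are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed, ordered first-match rule set (not from the article):
# (name, action, src_cidr, dst_cidr, port_lo, port_hi)
RULES = [
    ("allow-web",  "allow", "0.0.0.0/0",      "10.0.1.0/24",  443, 443),
    ("deny-mgmt",  "deny",  "0.0.0.0/0",      "10.0.1.0/24",  22,  22),
    ("allow-ops",  "allow", "192.168.5.0/24", "10.0.1.10/32", 22,  22),   # never fires
    ("allow-web2", "allow", "10.0.0.0/8",     "10.0.1.0/24",  443, 443), # dead weight
    ("deny-all",   "deny",  "0.0.0.0/0",      "0.0.0.0/0",    0,   65535),
]


def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner[2]).subnet_of(ip_network(outer[2]))
            and ip_network(inner[3]).subnet_of(ip_network(outer[3]))
            and outer[4] <= inner[4] and inner[5] <= outer[5])


def audit(rules):
    """Return (shadowed, redundant) rule names.

    A rule is shadowed when an earlier rule with the opposite action already
    matches everything it would (the operator's intent is silently lost), and
    redundant when an earlier rule with the same action does (pure complexity).
    """
    shadowed, redundant = [], []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                (redundant if earlier[1] == rule[1] else shadowed).append(rule[0])
                break
    return shadowed, redundant


if __name__ == "__main__":
    dead, dup = audit(RULES)
    print("shadowed (intent lost):", dead)   # ['allow-ops']
    print("redundant (can be removed):", dup) # ['allow-web2']
```

Here the operations team's SSH exception (`allow-ops`) is silently blocked by the broader `deny-mgmt` above it, which is exactly the kind of human-error risk the survey describes growing with rule count.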

At an office level, I’ll bet you most people, when prompted to use multiple passwords, either alternate between two (one a version of the other) or write a list of their passwords and leave it near their desk. More complex, or just more complicated?

For many, this is why multi-factor authentication works so well. By combining something you have (token, smart card, mobile app), something you are (fingerprint) and something you know (PIN or password), you not only provide more layers of security, but alternative layers of security – adding security and convenience.

Do you feel digitally secure at work? Let us know below.