Security: Complexity and Simplicity
It is quite well documented that Bruce Schneier stated that “Complexity is the worst enemy of security.”
As a consumer, I think this complexity is great. There are more choices, more options, more things I can do. As a security professional, I think it’s terrifying. Complexity is the worst enemy of security. (Crypto-Gram newsletter, March 15, 2000)
Leonardo da Vinci is widely credited with the statement, “Simplicity is the ultimate sophistication,” although there is some doubt whether he actually said those words.
Both statements have strong implications for information security today.
In the March 2000 newsletter, Bruce Schneier suggested five reasons why security challenges rise as complexity increases:
- Security bugs. All software has bugs. As complexity rises, the number of bugs goes up.
- Modularity of complex systems. Complex systems are necessarily modular; security often fails where modules interact.
- Increased testing requirements. The number of errors and difficulty of evaluation grow rapidly as complexity increases.
- Complex systems are difficult to understand. Understanding becomes more difficult as the number of components and system options increase.
- Security analysis is more difficult. Everything is more complicated – the specification, the design, the implementation, the use, etc.
In his February 2015 article, “Is Complexity the Downfall of IT Security,” Jeff Clarke suggested some other reasons:
- More people involved. As a security solution becomes more complex, you’ll need more people to implement and maintain it.
- More countermeasures. Firewalls, intrusion-detection systems, malware detectors and on and on. How do all these elements work together to protect a network without impairing its performance?
- More attacks. Even if you secure your system against every known avenue of attack, tomorrow some enterprising hacker will find a new exploit.
- More automation. Removing people from the loop can solve some problems, but like a redundancy-management system in the context of reliability, doing so adds another layer of complexity.
And, of course, we need to consider the enormous scale of this complexity. Cisco has predicted that 50 billion devices will be connected to the Internet by 2020. Every interconnection in that huge web of devices represents an attack surface.
How in the world can we cope? Perhaps we need to apply Leonardo’s simplicity principle.
I think Bruce Schneier’s advice provides a framework for simplification:
- Resilience. If nonlinear, tightly coupled complex systems are more dangerous and insecure, then the solution is to move toward more linear and loosely coupled systems. This might mean simplifying procedures or reducing dependencies or adding ways for a subsystem to fail gracefully without taking the rest of the system down with it. A good example of a loosely coupled system is the air traffic control system. It’s very complex, but individual failures don’t cause catastrophic failures elsewhere. Even when a malicious insider deliberately took out an air traffic control tower in Chicago, all the planes landed safely. Yes, there were traffic disruptions, but they were isolated in both time and space.
- Prevention, Detection and Response. Security is a combination of prevention, detection, and response. All three are required, and none of them are perfect. As long as we recognize that — and build our systems with that in mind — we’ll be OK. This is no different from security in any other realm. A motivated, funded, and skilled burglar will always be able to get into your house. A motivated, funded, and skilled murderer will always be able to kill you. These are realities that we’ve lived with for thousands of years, and they’re not going to change soon. What is changing in IT security is response. We’re all going to have to get better about IT incident response because there will always be successful intrusions.
But a final thought from Bruce is very appropriate. “In security, the devil is in the details, and those details matter a lot.”