Why this guide?#
We need stronger and better cybersecurity. But also simpler cyber security.
Our society depends on software. However, software is vulnerable for security breaches. Security breaches are a disaster. A security breach can have an impact on your safety, your health or can destroy your company or life in many subtle ways. Without digital security privacy is impossible.
Security is a hard problem to solve:
It is intangible
It is complex. It involves humans and advantaged technology.
Goals and measurements depend on the specific context.
Every serious business system needs a minimal security baseline like:
Secure login.
Implement minimal confidentiality, integrity and availability requirements (‘CIA’ aspects).
Comply to national and international rules and regulations .
Secure logging.
Backup and restore.
Policies and procedures that are simple and effective.
Why reinvent the wheel every time? Why take the risk to make new mistakes? Why not use battle tested and worldwide used proven cyber solutions and FOSS security building blocks?
Note
The truth is: 100% security is impossible!
Security is always risk based. The weakest link for a solid security defense are humans.
This Playbook is created to simplifying cyber security. There are too many problems for too long with cyber security. This has caused many breaches and severe consequences for many humans and organisations.
Good cyber security is seen as a major cost factor for companies. Most software and hardware companies can and should do a better job to minimize security breaches. But even if you want to do security better you are confronted with many obstacles:
Clear and directly implementable legal requirements to deliver products that meet basic security needs and regulations are often missing.
The number of resources that have the knowledge and experience that can assist when doing a project using a security-by-design is scarce.
Creating online business products and special software and hardware products, is complex. Most engineers and architects are not trained on using and applying security principles in all project phases.
Simplify Security is both a philosophy and methodology.
We need simpler solutions.
we need to use solutions that are transparent and we can trust.
We need to stop reinventing the wheel.
We should make use of proven open solutions.
We should improve existing solutions instead of creating new solutions that will fail again in future.
The Simplify Security methodology consist of some principles and guidelines that help to reach your goal effectively, thus saving time and money. The methodology is all about avoiding the need to reinvent the wheel time and again.
The key principles to practice the ‘Simplify Security’ methodology are:
Openness is key.
Use and reuse common security practices.
Use security by design as an approach to involve all stakeholders.
use of proven open security solutions. This applies for security principles, frameworks, thread models, and of course FOSS security tools.
The core of simplifying security is to minimise security vulnerabilities for an information system from the start.
Open simple security solutions are:
solutions that are easily to understand
solutions that can be studied
solutions that can be improved
Using and reusing proven cyber security solutions is against the nature of professionals. A good cyber security professional is stubborn and thinks he or she knows better.
Everyone should avoid unique expensive cyber security solutions that promise to solve your digital security challenges. Most tools and solutions overpromise and under deliver. At best you lose valuable time and money. But more often your information security defense is reduced and you are more vulnerable to attacks and loss of information.
Simple security solutions does not mean these are easy solutions. Simple is often harder to create than something complex.
Note
Creating something simple requires extensive time and design work. Simple security solutions are not created overnight.
The greatest risks for security are humans. Humans are bad at keeping secrets secret.
So eliminate and minimise the human factor whenever possible.
Options to minimise human security risks:
Give only access on a need to know basis to information.
Eliminate complicated IT management tasks by automation. Humans do make errors. And often random errors. Scripts and software used for automation do not make random errors. If an error is found in a configuration script you can fix it. The same error will never occur again.
Avoid technical solutions when there is a simple solution possible without technology involved. There are a lot of drawbacks on automation and using embedded software in devices. If e.g. availability and confidentiality of notes is very important, old school pen and paper often beats IT solutions for note taking and brainstorming.
Goal#
The key goal for this playbook and the simplify security project is to create a security guide that has benefits for:
Security professionals
Companies and
Consumers and societies worldwide.
We believe reuse of open and proven security solutions saves time and resources and makes our digital world a nicer place.
We will show that simple cyber solutions to mitigate nowadays cyber risks are possible.
We provide recipes for solutions on common security challenges. Most security challenges are context dependent. But most specific challenges can and should be solved by using the same solutions that have proven to work. Your recipes for a simple security solution is more than welcome in this guide. Please contribute.
Scope#
This Simplify Security Guide is created to provide simple answers to common security problems. Problems that every organization, large or small, faces in the digital age. Cyber security has many aspects. Both technical and non-technical. In this edition we focus on common security challenges that most organisations in various domains face.