When I first learned about the fundamental truths of networking from RFC 1925, I thought it was a fun little April Fools' joke and quickly forgot about them. I was reminded recently of their existence and realized there are some insightful lessons to be learned from them after all. And since the RFC states that security protocols are also subject to these fundamental truths, I'm going to try to correlate them to information security.
Truth #1: It has to work.
Whatever information security tools you are implementing, be it a technology product, a policy or anything in between, it has to work. But what does “work” mean? Let’s say that it “works” if it successfully reduces the risks an organization is attempting to address. If it just creates a false sense of security, by using security by obscurity or creating a security theater, it doesn’t “work”.
Truth #2: No matter how hard you push and no matter what the priority, you can’t increase the speed of light.
2a (corollary). No matter how hard you try, you can’t make a baby in much less than 9 months. Trying to speed this up *might* make it slower, but it won’t make it happen any quicker.
Certain security controls and solutions can only be successfully implemented at a certain pace. For example, establishing strict controls faster than the organization's culture can assimilate them will almost certainly result in frustration and pushback from the users. Or take for instance the implementation of a Data Loss Prevention (DLP) solution when the organization has no visibility into what its most important information assets are or where they reside: for it to be successful, you need to go through those steps first, or the solution might not provide the expected results and will end up costing more than it should.
Truth #3: With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead.
I'll admit it: I've provided thrust to a number of pigs over the years and I can attest that they really can fly. But implementing security controls or initiatives with raw "muscle", forcing solutions to work regardless of whether the product is up to the task, whether the culture is ready for the change, or whether it really addresses the root cause of the problem, will often have unexpected results. For example, it can push users to build creative workarounds to your controls, defeating their purpose.
Truth #4: Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network.
Just because you understand the security risks of a particular course of action, or have experienced the advantages of a particular security solution, doesn't mean everyone in the organization is as clear on the risks or on the need for a particular control. Security awareness and training can go a long way in helping advance your security posture. On the flip side, if you haven't experienced the day-to-day activities and workflows of others and how they are impacted by a particular security measure, you probably won't understand the reasons for their resistance.
Truth #5: It is always possible to agglutinate multiple separate problems into a single complex interdependent solution. In most cases this is a bad idea.
Complex solutions to security problems tend to be very difficult to maintain in the long run, and they usually increase the probability of unexpected consequences (such as user workarounds) and frustration for everyone involved. Always keep the KISS principle in mind when designing security controls.
Truth #6: It is easier to move a problem around (for example, by moving the problem to a different part of the overall network architecture) than it is to solve it.
6a (corollary). It is always possible to add another level of indirection.
Just because you can apply a technology solution doesn't mean you're solving what could essentially be a cultural or security awareness problem. It's just as easy to mistake the effects of a situation for its root cause.
Truth #7: It is always something.
7a (corollary). Good, Fast, Cheap: Pick any two (you can't have all three).
This rule applies to pretty much every IT project there is. It's a good idea to always keep it in mind when setting expectations for security implementation projects. A fast, cheap implementation will usually either lack features you need or perform below the level you wanted.
Truth #8: It is more complicated than you think.
No matter how straightforward the implementation of a new security technology, policy or control might look, the best laid plans can be led astray by technical, cultural or political factors. Upper management buy-in, awareness training, and thorough planning and testing can mitigate most, if not all, potential hurdles.
Truth #9: For all resources, whatever it is, you need more.
9a (corollary). Every networking problem always takes longer to solve than it seems like it should.
Truly solving or minimizing security risks can be a complex task and can take longer or be more expensive than you might have initially envisioned. However, try to stay the course and implement sustainable solutions for the long term, as they will provide the highest payback.
Truth #10: One size never fits all.
This is why the planning and design phases of many security projects are so important. An organization’s culture, the risks it faces and even its internal politics will shape the priorities of a security organization or how their projects are implemented.
Truth #11: Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.
11a (corollary). See rule 6a.
Security vendors will always include "innovative" technologies in their new products, just as attackers will always be more "creative" in their methods. Most of the time, however, both sides are just using the same old ideas, packaged or executed as new or different. Be wary of blindly drinking vendor Kool-Aid or buying into the hype of new attacks. If you keep a cool head, you'll be able to tell the difference between old ideas and truly new concepts that you should pay attention to.
Truth #12: In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away.
In information security, perfection has been reached when security controls are implemented in such a transparent and unobtrusive way that the organization can carry out its operations securely while minimizing its risks.