NetSec Letter #11, 8 August 2001
Internet Security and Usability: Who's Winning?

Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/

I write this while on a short vacation, so forgive the contemplative mood. This month I want to take a brief look at security and usability on the Internet. Specifically, I want to answer the question: are we better or worse off, security-wise, than we were a few years ago?

As I write and you read that last sentence, you should immediately get the sense of the problem with what we are about to discuss. We are not even sure where to put the stake in the ground. I fought the urge to write "are we better off than a decade ago." In 1990, few of us had anything to do with the Internet. If we did, the threats were almost nonexistent. (Almost, but not entirely -- recall the "Morris Worm.") Further, in Internet-time a decade is ... well, I do not know what it is, but it is much longer than 10 calendar years, or so I am told.

Usability vs. Security?

Why pit usability and security against each other anyway? It was ever thus. The tension started in the Garden of Eden. In Genesis 2:16-17, after creating all things, God gives the first command: "You are free to eat from any tree in the garden; but you must not eat from the tree of the knowledge of good and evil, for when you eat of it you will surely die."* Shortly thereafter is the first security breach. Which -- no surprise to us security folks -- happens to be "social engineering." From Genesis 3:1-7:

[The serpent] said to the woman, "Did God really say, 'You must not eat from any tree in the garden'?"

The woman said to the serpent, "We may eat fruit from the trees in the garden, but God did say, 'You must not eat fruit from the tree that is in the middle of the garden, and you must not touch it, or you will die.' "

"You will not surely die," the serpent said to the woman.

You know the rest of the story. We have the first "acceptable use policy," followed immediately by the first instance of a user desiring more. And we in the security field still have jobs because of these events.

Security and usability are always at opposite ends of a "seesaw" (teeter-totter). An axiom states, "Security and usability are inversely proportional." A corollary of this is "There is no such thing as complete security in a usable system."

Certainly, to most of you reading this, the tension I describe is real. On the security side are you and your staff, if you are fortunate enough to have a staff. On the other side, it seems, is everyone else. All of your internal users are asking you for new and easier ways to get at the new and scarier services on the Internet. Not to mention the "external" users -- clients, customers, business partners, suppliers, independent sales people, etc., who want even more. Moreover, there are the vendors and site developers, coming up with the new, the exciting, the insecure.

So, is the seesaw the correct picture? It is a good picture, but it is not adequate. It leaves out the source of the real tension: the threats. Over a decade ago, in 1990, there were fewer threats, and the associated risks were less. Why? There were fewer targets, fewer avenues of attack, and fewer attackers. (You had to work hard to be a bad guy back then.)

On the firewall-wizards mailing list at the end of 1999, we saw a thread discussing different types of firewall technology. Shaun Moran wrote the following:

"I welcome the day when you can put your trust into a firewall to do it all (and some products are getting there) but in my experience that day is still pretty far away."

To which I replied, in part:

"It is 'far away' in the past. [The first commercial firewalls] all 'did it all' when they first shipped. What has changed is the definition of 'it.' 'It' has changed as the Internet -- and so its use -- has grown. As long as new 'gotta have this' services are invented for the Internet, the most particular firewalls will always lag behind, at least some."

I do not have to explain the relationship between threats and security. We work in this realm. We also understand that there must be a balance. Back to the seesaw. Too much security and we are very secure, but stuck on the ground, going nowhere. Too little security and we are flailing in the air, a three-year-old sitting on the opposite side of the seesaw from an adult.

Equilibrium on a seesaw is good. Well, equilibrium with a few small pushes. It works. Security and usability. Security with usability.

Winning

We must first agree on how we define "winning." Winning, in this sense, is raising the "use level" while maintaining (or increasing) our security posture. Surely, the Forces of Darkness are increasing in numbers and attacks, but the Forces of Light are keeping up. And all of this is happening in an Internet world with increasing targets (enterprises and users) and increasing avenues of attack (services). This is not just keeping the status quo. Remember that we are increasing the things we do on the Internet. It means that while more people are using the Internet, and while more services are being used (I remember when "standard Internet services" meant e-mail, FTP, and maybe TELNET) and more bad guys are out there with better tools, the risks are still acceptable.

Increased usability with increased -- or comparatively static -- security. This is winning.

Pointers

Avolio, "Security Axioms," 1999, http://www.avolio.com/papers/axioms.html.

Firewall-wizards mailing list: To subscribe, visit http://www.nfr.net/forum/firewall-wizards.html.

*Bible quotes from the New International Version of the Bible, published by Zondervan.