Cybersecurity Controls – Good, Cheap, Fast: Pick Two

June 22, 2023 at 3:15 PM

Nearly twenty years ago, I was working for the public transportation department in the town where I went to school. It was there that I was introduced to the new Marketing Director, who was among the first MBAs I had met. He laid something on me that was novel to me at the time, but I am sure was common knowledge among MBAs and in many other fields. Good, cheap, fast: pick two. Every project manager understands this intuitively, and just a few years later, even as a rookie system administrator, I also quickly came to understand it first-hand.

Take something as basic as a hard drive (and I will replace “good” with “big”). Anyone who has ever bought a hard drive knows this: it can be big, fast, and cheap, but only two of those at once. A modern high-end SMB server will likely have six tiers of storage, descending in speed while growing in size, with each component optimized for its exact purpose. These tradeoffs are ubiquitous in that field, with implications for storage, processing, networking, and practically everything else that we can measure.

We know what this looks like:

[Diagram: Good, Cheap, Fast]

But this is all about operations as a whole. This concept applies very broadly all the way from a single server rack to building a new skyscraper. There is another diagram I have seen inside my head for a very long time, much more narrowly focused on IT security and compliance:

[Diagram: Security, Convenience]

There is no overlap between security and convenience. Security and compliance are difficult and expensive. The primary reason for this is that the bad guys are waging an asymmetrical war against the good guys.

Let us look at an example. About ten years ago, a major home improvement retailer in the United States had a significant cybersecurity incident. Attackers were able to breach the systems of an HVAC contractor. This breach allowed them to move laterally into the retailer’s payment processing systems. The exact mechanics have been well studied and are interesting but are outside of today’s scope. The specific takeaway was, “be careful with domain trust relationships.” That has always been sound advice, but I think a much broader and much more useful lesson is available. In this incident, in every incident I recall before, and in every incident I recall since, someone somewhere chose convenience over security.

That convenience may take many forms, although I will argue that nearly every form it can take is simply a version of cost. Perhaps for some incidents, a better firewall would have prevented the breach, but that better firewall costs more money. Perhaps for another incident, a software coding flaw was to blame. Hiring a more conscientious and security-focused developer might have prevented this breach, but that developer likely commands a higher salary (think Heartbleed). Or perhaps there is nothing wrong with the equipment or code and the breach was caused by simple misconfiguration on the part of an administrator, like every time an online storage bucket containing personally identifiable information or credit card details is discovered to be publicly available with no authentication. A more experienced or better-trained administrator might have prevented this, but experience and training also cost more money.

At least one breach I remember was due to incomplete implementation of multi-factor authentication (MFA) for Office 365. The CEO had the IT department enforce MFA for every employee of the company, with one exception: himself. He felt he was too important to be required to jump through one extra hoop to get to his email. When one Office 365 account was compromised, it was his, and because of his position, the fallout was significant.

This is what I mean when I refer to asymmetrical warfare. It is cheap and easy for your adversary to probe your publicly visible services for weaknesses, whether those weaknesses are publicly known or not. However, it is difficult and expensive to protect against attacks that may only be theoretical, because you are effectively attempting to prove a negative. This requires orders of magnitude more effort from the defending party.

There are rare occasions where a security control can let you bend the rules and push across the boundaries. One control that has gained popularity recently and seems to check the good, cheap, and fast boxes is the introduction of passwordless sign-in. The control is good because it strengthens security via the addition of another authentication factor in place of a password (think biometrics or something the user owns, such as a TOTP token). The control has become relatively cheap to implement as it has become a more standard offering across Microsoft, Google, Apple, etc. And the control is fast in that it often speeds up logins by removing the need for users to recall or reset passwords frequently, and rolling out the control is not a lengthy process for most. While this security control appears to check all three boxes, it is a rare exception to the rule.

At Compass IT Compliance, we are here to assist you not just with recommendations on your specific technical posture, but also on your cultural and cognitive posture regarding security and compliance. We are here to help you avoid embarrassing fines, press releases, and one-year LifeLock subscriptions by not being the one who chose convenience.
