Less is more

Security

21.04.2022
David Mantock, CISO

One of the most fundamental principles of cyber security is to reduce the attack surface.

Picture an old castle and the arrow slits in its towers. They were designed so that the archers had quite a broad view out, while anyone outside found it very difficult to get a clear view of the archers, so the opportunity to shoot at them was greatly reduced. In our world of bits and bytes we are trying, in one form or another, to do the same. We have no castle in the cloud and no flying archers, so how do we reduce the attack surface in this digital age?

Here we come back to our five pillars of security, and we remember that number two is least privilege (human-2-machine and machine-2-machine). The trick is to give only as much access as is needed to do a job and no more. Say you go on holiday: you could ask your neighbours to collect your mail while you are away. No sense in tipping off robbers with an overstuffed mailbox. But here's the thing: how much access do you want to give your neighbours? I think we can all agree that if they need to collect the mail, they need a key to the mailbox. It might also be convenient for them to have a key to the house, so they could deposit the mail inside for when you return. What could be simpler? And at the same time, what could be more dangerous? Now the neighbours have access to your whole house. If we follow least privilege, we will not grant this kind of exposure. Of course, your neighbours are trustworthy, so no wild parties in your absence, and they are not going to list your home on Airbnb while you are away. Or are they? Even if we assume the neighbours are trustworthy, we still have to worry about Hanlon's razor [1].
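The mailbox example can be turned into something you can run against a real grant. The script below is an added illustration, not part of the original post: it uses a constructed catalogue of "mailbox" and "house" actions (the names are assumptions for this example, not any real provider's permission set), resolves a grant that may contain wildcards into the concrete actions it allows, and reports the excess, that is, what the key opens beyond what the job needs. A second function derives the least-privilege grant from what the holder was actually observed doing, which is how you tighten a grant that was handed out with a wildcard "for convenience".

```python
import fnmatch

# Constructed catalogue of actions two hypothetical services expose, one per
# "key" in the mailbox analogy. The names are assumptions for this example,
# not any real cloud provider's permission set.
CATALOGUE = {
    "mailbox:Open", "mailbox:Remove", "mailbox:Inspect",
    "house:Enter", "house:Sleep", "house:ListOnAirbnb", "house:ThrowParty",
}

# What the neighbour actually has to do while you are away.
NEIGHBOUR_JOB = {"mailbox:Open", "mailbox:Remove"}


def expand(grant, catalogue=CATALOGUE):
    """Resolve a grant (a list of action names, possibly containing '*'
    wildcards) into the concrete set of catalogue actions it allows."""
    allowed = set()
    for pattern in grant:
        allowed |= {action for action in catalogue
                    if fnmatch.fnmatchcase(action, pattern)}
    return allowed


def audit(grant, needed, catalogue=CATALOGUE):
    """Compare a grant with the actions a job needs.

    'missing' lists needs the grant does not cover (the job would fail);
    'excess' lists what the grant allows beyond the job, i.e. the avoidable
    attack surface that a careless or compromised holder could use."""
    allowed = expand(grant, catalogue)
    needed = set(needed)
    return {
        "missing": sorted(needed - allowed),
        "excess": sorted(allowed - needed),
    }


def tighten(grant, observed, catalogue=CATALOGUE):
    """Derive a least-privilege grant from what a holder was actually observed
    doing: exactly those actions, spelled out, no wildcards. Observed actions
    outside the current grant are reported rather than silently added, since
    they mean the job description is wrong, not the grant."""
    allowed = expand(grant, catalogue)
    observed = set(observed)
    unexplained = sorted(observed - allowed)
    if unexplained:
        raise ValueError(f"observed actions outside the grant: {unexplained}")
    return sorted(observed)


if __name__ == "__main__":
    house_key = ["mailbox:*", "house:*"]              # convenient, dangerous
    mailbox_key = ["mailbox:Open", "mailbox:Remove"]  # the mailbox only
    print("house key  :", audit(house_key, NEIGHBOUR_JOB))
    print("mailbox key:", audit(mailbox_key, NEIGHBOUR_JOB))
    print("tightened  :", tighten(house_key, observed={"mailbox:Open", "mailbox:Remove"}))
```

The house key passes the audit with no missing actions but five excess ones, which is exactly the exposure the post warns about; the mailbox key has neither. The same check applies unchanged to a service account or role: list what the job calls, expand what the policy grants, and treat the difference as attack surface to remove.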

Less is more

Ultimately this is why we only give the key to the mailbox. We want to protect the more valuable asset, considering not only trustworthiness but also human fallibility.

Employees are of course just as trustworthy as our neighbours, and they are certainly not stupid. So we are happy to give them access, but with caution and forethought. A wise man once said: "Moderation is the secret of survival" [2]. In this context, reduced access equals reduced risk, and reduced risk equals more security. Indeed, less is more.

[1] Hanlon's razor: "never attribute to malice that which is adequately explained by stupidity."

[2] Manly Hall
