Security vs functionality: an unnecessary battle that we see far too often. IT and ops teams that don’t think security is an integral part of infrastructure or solution design are normally the first ones that end up in trouble down the line. It’s only a matter of time until someone screams “we’ve been hacked!” and people quickly revert to finger-pointing, blaming everyone but their own decision process.
Secure-by-design is not a buzz phrase. It’s also not a security authority’s power trip to make your life difficult – whether that refers to someone designing, implementing or running a system.
In my opinion, cybersecurity is a strategic priority that needs to drive designs, and all of the elements that take shape, structure and form under a design. Designing becomes a marvel of logic: an architect’s dream, where the design is protected at its foundations and becomes a safe harbour of human ingenuity and creativity for years to come.
Functionality should have security embedded in its design
Cybersecurity is not something you can or should overlook in order to provide ease of use. However, security vs functionality needn’t be a battle. Functionality should have security embedded in its design, not the other way around. Why?
Because universally, opinion does not imply knowledge.
If security stands in the way of “doing things”, this needs to be proven by the claiming party. At the very least, the claiming party needs to be willing to work with security untangled from personal beliefs or prior experience from insecure environments.
There is only one method to prove whether security actually stands in the way of functionality, or whether the problem is user training and adoption (which in 99% of cases it is). That is scientific logic.
Specifically for IT, that translates into:
1. Understand the problem
2. Break down the problem into its components
3. Try to replicate the hypothesis in a lab, or on the system itself, targeted at specific resources
4. Analyse the result
5. Reach a conclusion
Why should we go into all this trouble?
Because we are not in the 90s. We need to adapt to the worst-case scenario: ransomware, privilege escalation and breaches. This is the world we find ourselves in. The worst-case scenario is the habitual truth for many organisations out there, whether they have confirmed it already or are yet to confirm it and are still trying to control the damage. Some are not even aware of a compromise and have no means of knowing, which makes it an almost Orwellian dystopia.
Commonly, the inability to know whether you are compromised can be identified in most businesses by asking a single question: “If someone elevated themselves to a Domain or Global Admin, would you be able to identify this as it happens?” Most organisations would not.
Others that claim they can don’t have an automated mechanism to control this process of elevation, and thus rely on the human element as a mitigating factor against an attack, not taking into account that humans are slow compared to a Python script.
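As an added example of the automated mechanism the question above calls for (not code from the original post): a small Python detector that runs over constructed Windows Security events and flags any addition to a privileged group that was not made by the approved elevation account. The watched group list, the approved account name `svc-pam-broker` and the sample events are assumptions.

```python
"""Flag elevation into tier-0 AD groups from Windows Security event records."""
from dataclasses import dataclass

# Windows Security event IDs for "a member was added to a security-enabled group"
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Tier-0 groups to watch (assumption: the organisation keeps this list explicit)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Accounts allowed to change membership, e.g. a PAM/JIT broker (assumed account name)
APPROVED_ACTORS = {"svc-pam-broker"}


@dataclass(frozen=True)
class Alert:
    actor: str      # SubjectUserName: who performed the change
    member: str     # MemberName: the account that was added
    group: str      # TargetUserName: the group that received the member
    event_id: int


def detect_elevation(events):
    """Return an Alert for each privileged-group addition by a non-approved actor."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue  # not a group-membership change
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue  # routine group, no elevation
        actor = ev.get("SubjectUserName", "")
        if actor in APPROVED_ACTORS:
            continue  # change came through the controlled elevation path
        alerts.append(Alert(actor, ev.get("MemberName", ""), group, ev["EventID"]))
    return alerts


# Constructed sample events (not real logs), shaped like the fields of 4728/4756.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=backup-svc,OU=Service,DC=corp,DC=example"},
    {"EventID": 4756, "SubjectUserName": "svc-pam-broker", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=kay,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for a in detect_elevation(SAMPLE_EVENTS):
        print(f"ALERT: {a.actor} added {a.member} to {a.group} (event {a.event_id})")
```

In production the same logic would sit behind a SIEM query or an event-forwarding subscription so the alert fires as the event is written, not when someone reviews the log.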
Security vs functionality: overcoming the challenges
848 has an expert modern workplace and security practice made up of specialists in functional design. Our team integrates security at every layer of your solution without sacrificing functionality.
Kay is a senior solutions architect specialising in cybersecurity, information protection and governance, identity and access management, and zero-trust architecture. He has a long list of accreditations and over 15 years of experience in designing, securing and scaling cloud-first solutions. In his free time, he uses his knowledge to share information that supports stronger security practices.