Good enough security?

Thursday, October 29, 2009

Christopher Hudel


We have had 802.1x -- Cisco switches with Active Directory integration -- in place for over a year now, and it is largely a success: Windows systems automatically obtain machine certificates (machines receive certificates when they join the domain), supplicants exist for our IP phones, and those devices (e.g. printers) that are currently incapable of 802.1x are split off into a tightly controlled VLAN.

There are a few stragglers in this rollout. IT and development staff with three or more desktops need to use a hub because they do not have the port density at their desks, and our switch does not permit multiple nodes on a hub to authenticate individually, so we have to leave the port open for those devices (sometimes we are successful in moving the extra devices into a locked room). We are also adding Apple OS X machines, and they are … finicky when it comes to configuring 802.1x machine authentication, not to mention that there is no auto-enrollment setup to programmatically obtain and install machine certificates into Apple's System keychain. (Resource scalability problem.)

So, it's not perfect, but it's better than 80/20, probably 90/10, maybe even 95/5. Of course, that still leaves the '5 or 10' that will be vulnerable to MAC address stealing, allowing a malicious individual in the right circumstances to gain unauthorized access to the network.
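The gap the post accepts is the exception VLAN and the open hub ports, where a copied MAC address is the whole credential. As an added example that is not part of the original post, the script below audits a (constructed, made-up) MAC address table against a device inventory for that VLAN and flags the two signs of address theft a defender can actually see: a registered printer's MAC appearing on a port it was never registered on, and one MAC learned on two ports at the same time. The inventory, switch names, ports and VLAN number are all assumptions for the demonstration.

```python
"""Spot likely MAC-address theft on the non-802.1x exception VLAN.

Constructed example: the inventory and MAC-table rows below are made up,
not taken from any real switch. Two checks are run over the table:
  1. a registered MAC showing up on a port other than the one it was
     registered on (a stolen address plugged in elsewhere), and
  2. the same MAC learned on two ports at once (original device still
     online while a clone uses its address).
"""
from collections import defaultdict

# Registered exception-VLAN devices: MAC -> (switch, port, device type).
INVENTORY = {
    "00:1b:a9:12:34:56": ("sw-floor2", "Gi1/0/7", "printer"),
    "00:1b:a9:aa:bb:cc": ("sw-floor3", "Gi1/0/12", "printer"),
}
EXCEPTION_VLAN = 200  # assumed VLAN id for devices that cannot do 802.1x

# Rows as they might be scraped from a switch MAC table: (switch, port, vlan, mac).
MAC_TABLE = [
    ("sw-floor2", "Gi1/0/7", 200, "00:1b:a9:12:34:56"),   # printer where it belongs
    ("sw-floor3", "Gi1/0/12", 200, "00:1b:a9:aa:bb:cc"),  # printer where it belongs
    ("sw-floor3", "Gi1/0/19", 200, "00:1b:a9:aa:bb:cc"),  # same MAC on a second port
    ("sw-floor2", "Gi1/0/3", 200, "3c:22:fb:00:11:22"),   # unknown device on exception VLAN
    ("sw-floor2", "Gi1/0/4", 10, "00:0c:29:de:ad:01"),    # 802.1x VLAN, out of scope
]


def audit(mac_table, inventory, exception_vlan):
    """Return a sorted list of (mac, reason) findings for the exception VLAN."""
    findings = []
    ports_by_mac = defaultdict(set)
    for switch, port, vlan, mac in mac_table:
        if vlan != exception_vlan:
            continue  # 802.1x-protected VLANs are covered by certificates, not this check
        ports_by_mac[mac].add((switch, port))
        expected = inventory.get(mac)
        if expected is None:
            findings.append((mac, f"unregistered MAC on exception VLAN at {switch} {port}"))
        elif (switch, port) != expected[:2]:
            findings.append((mac, f"registered {expected[2]} seen on {switch} {port}, "
                                  f"expected {expected[0]} {expected[1]}"))
    # A MAC learned on two ports at once means two devices are claiming one address.
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append((mac, f"learned on {len(ports)} ports at once"))
    return sorted(findings)


if __name__ == "__main__":
    for mac, reason in audit(MAC_TABLE, INVENTORY, EXCEPTION_VLAN):
        print(f"{mac}: {reason}")
```

Feeding the script a periodic dump of the real MAC table turns the accepted residual risk into something that is at least watched rather than silently open.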

Purists will point out these faults and admonish anyone for the remaining gap. It can be argued that nothing is perfect, that the security posture is actively improving, and that the effort to close the gap is larger than the remaining risk and likelihood of exposure. The security is "good enough".

The argument that security can be "good enough" but not absolute is not new; Google reveals many opinions on this topic (Gartner stirred this pot in 2006). My consternation is around how we as security practitioners can quantify and agree on a measurement of "good enough". How do we explain to lay people the value in leaving some holes open so that focus can be paid to open holes in other domains?

Andrew Baker: Christopher, you raise some good points. The key is to track the costs associated with the current level of security deployed, and show how much it costs for additional security in a given area vs. the costs needed for another area.

Only by providing transparency and some form of risk calculation can you help people understand that rather than fight diminishing returns trying to protect your doors more, you could apply a fraction of those costs to make your windows reasonably protected.

Phil Dexter: Hey Christopher,

You said it right that security is actively improving. Just found an event related to data security which will be conducted on Thursday, November 5, 2009 from 11:00AM to 12:00 PM PST. You can register for this event at (, hope it proves beneficial for you.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.