January 3, 2024
January 22, 2024

Frictionless Fortress: Radical Simplicity to Solve the Cybersecurity Configuration Nightmare

Humans make mistakes. That is a fact of life. 

What are some best practices to create a sound configuration system for a security device?

  • Minimal steps to initial operation to prevent shortcuts
  • Logical and straightforward configuration model
  • Simple configuration iterations to avoid errors
  • Self-verifying steps to catch mistakes
  • Automation wherever possible 

Statistics show that as few as 3% or as many as 67% of breaches were due to misconfigurations. The 2023 Veracode State of Software Security reported misconfiguration errors in 70% or more of applications that introduced a new security vulnerability last year. Hackers accessed hundreds of millions of data records in 2022 alone because of misconfigurations. The National Security Agency admits government data leaked to the public due to misconfigurations.

Have you ever heard of a concept called Radical Simplicity? Radical Simplicity means having as few components and moving parts as possible and reusing technology for different purposes instead of having a new moving part for each purpose. Last week, I discussed authentication and reusing Apple Pay techniques for user validation. That was an excellent example of reuse that enhances simplicity. 

Security products, frankly, kind of suck when it comes to configuration because they simply lack simplicity. The more they do and the older they are, the more broken they become. When an IT security vendor attempts to turn their legacy IT product into an OT product, complexity skyrockets. This is the essence of the IT versus OT security problem: IT products are not fit for purpose in OT, as shown by the sheer number of hacks due to misconfigurations.

So, OT security needs products created (or at least wholly remodeled) with OT security problems in mind. How do you get to Radical Simplicity? How should those products be configured?

  1. Support automated or API import of users/devices for policy creation - Some OT networks have thousands of devices, and you want to capture all of them for proper microsegmentation without the potential for typing errors.
  2. Policy creation should be simple - This user group can access this device or group of devices with this protocol/application. 
  3. Product Installation must be simple and fast to MVP - If your product has five components and requires significant network changes, you have already failed.
  4. Accessing the system should be easy - If users have to remember complex passwords, write down challenges/responses, or carry around unnatural tokens, users will either not use the system or seek workarounds.
  5. Passwords or account details should never be in an email - This is pretty obvious, but users believe email outreach is part of the system operation, which leads to hacking.
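Rules 1 and 2 above, together with the earlier "self-verifying steps" practice, can be sketched as follows. This is an added example, not BlastShield code or its API; the CSV column names, group names and protocol allow-list are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory export; column names are assumptions.
INVENTORY_CSV = """name,ip,group
plc-01,10.20.0.11,plcs
plc-02,10.20.0.12,plcs
hmi-01,10.20.1.5,hmis
"""
ALLOWED_PROTOCOLS = {"modbus", "https", "ssh"}  # assumed site allow-list

@dataclass(frozen=True)
class Policy:  # "this user group can access this device group with this protocol"
    user_group: str
    device_group: str
    protocol: str

def import_devices(text):
    """Parse the inventory into {group: {name: ip}}, rejecting bad rows outright."""
    groups, seen = {}, set()
    for line, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name, group = (row.get("name") or "").strip(), (row.get("group") or "").strip()
        try:
            ip = ipaddress.ip_address((row.get("ip") or "").strip())
        except ValueError:
            raise ValueError(f"line {line}: invalid IP address") from None
        if not name or not group:
            raise ValueError(f"line {line}: missing name or group")
        if name in seen or ip in seen:
            raise ValueError(f"line {line}: duplicate device name or IP")
        seen |= {name, ip}
        groups.setdefault(group, {})[name] = ip
    return groups

def verify_policies(policies, user_groups, device_groups):
    """Self-verifying step: list every rule that references something unknown."""
    errors = []
    for p in policies:
        checks = ((p.user_group in user_groups, "user group", p.user_group),
                  (p.device_group in device_groups, "device group", p.device_group),
                  (p.protocol in ALLOWED_PROTOCOLS, "protocol", p.protocol))
        errors += [f"unknown {kind}: {value}" for ok, kind, value in checks if not ok]
    return errors

def is_allowed(policies, member_of, device_group, protocol):
    """Default deny: access requires an explicit matching rule."""
    return any(p.user_group in member_of and p.device_group == device_group
               and p.protocol == protocol for p in policies)
```

A mistyped group name such as `plsc` is reported by `verify_policies` before the rule set is applied, rather than silently creating a rule that matches nothing.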

These are just a few rules a security system needs to follow for configuration simplicity. As you might expect, the BlastShield solution was designed to meet the concept of Radical Simplicity, and we pride ourselves on the user experience. If you want a demo of a security system users rave about using, contact BlastWave for a demo!
