Keeping it Simple to Keep it Secure

The New York Times recently ran an interesting profile of Peter Neumann, one of the preeminent computer scientists in the world. The story, “Killing the Computer to Save it,” details Neumann’s ideas for how to solve the inherent security vulnerabilities in computer systems that have been repeated again and again for the past 50+ years. Neumann’s thesis, essentially, is that simplicity is the key to security — advice that’s been mostly lost on the computer industry since its inception. John Markoff of the New York Times writes:

“’[Neumann’s] biggest contribution is to stress the ‘systems’ nature of the security and reliability problems,” said Steven M. Bellovin, chief technology officer of the Federal Trade Commission. “That is, trouble occurs not because of one failure, but because of the way many different pieces interact.” ... Dr. Bellovin said that it was Dr. Neumann who originally gave him the insight that “complex systems break in complex ways” — that the increasing complexity of modern hardware and software has made it virtually impossible to identify the flaws and vulnerabilities in computer systems and ensure that they are secure and trustworthy.”

Neumann is concerned with the security of computer systems as a whole, but his simplicity thesis holds true in identity management, too. One reason on-premise identity management has always failed is because it breeds complexity — complexity to your internal network, IT staff and certainly maintenance.

Maintaining the connections to multiple iterations of on-premises applications, which are riddled with their own vulnerabilities, is difficult enough. Adding secure connections from an on-premises SSO and IDM solution to cloud applications only compounds the complexity.

At Okta, we believe we have solved that complexity problem by closely integrating with on-premise directories and using the cloud to virtualize the SSO and IDM. IT administrators use a much simpler platform from a management, activation and integration perspective. Unlike on-premises software suite that must be built for multiple operating systems and varying on-premises network architectures, the cloud platform is abstracted and really just needs SSL communication protocols.

Security really can be a byproduct of keeping everything as simple as possible. The higher the complexity, the higher the risk of failure — whether from network issues, security vulnerabilities or (which seems to be the most common) misconfiguration faults.