8 Simple Design Principles For Creating Effective Security Systems
Businesses rely on security systems and policies to protect their data and business operations from threats. Over the years, the number and complexities of these security systems have grown significantly. On one hand, the threat landscape is constantly evolving, with new types of cyber threats emerging regularly, requiring security systems to cover more bases and become more robust. On the other hand, the adoption of new technologies, such as cloud computing, IoT (Internet of Things), and AI (Artificial Intelligence), introduces new security challenges to the security infrastructure. So security systems will keep growing in number and complexity.
In this blog post, I share with you eight principles for designing and implementing security mechanisms. They are the classic principles set out by Saltzer and Schroeder in 1975, and they draw heavily on the concepts of simplicity and restriction, which makes them easy to understand, maintain, and apply consistently.
8 Cyber Security Design Principles
1. Principle Of Least Privilege
The Principle of Least Privilege (PoLP), also known as the principle of minimal privilege, is one of the fundamental concepts in computer security and access control. This principle prescribes that users or systems be granted the minimum level of access or permissions necessary to perform their tasks or functions.
By restricting users, processes, or systems to only the resources and permissions required for their legitimate purpose, PoLP aims to limit potential damage or unauthorized access. This, in turn, helps mitigate the risks associated with accidental or intentional misuse of privileges.
Some of the key aspects of PoLP include:
Giving users and systems the minimum level of access or permissions required to perform their specific roles or functions.
Limiting access to the specific resources or data necessary for the completion of tasks.
Providing access only when needed and for the duration required, reducing the window of opportunity for potential misuse.
Adopting a default-deny approach, where access is denied by default, and only explicitly granted permissions are allowed.
Dividing responsibilities among users and systems to avoid concentration of power, reducing the risk of abuse.
Incorporating the Principle of Least Privilege in the design of systems and policies enhances overall security by minimizing the attack surface and limiting the potential impact of security incidents.
For example, if a user asks an administrator for root access to a database server, the administrator should deny the request unless the user's job actually requires that level of access. If the access is necessary, it should be granted for a bounded period and removed as soon as it is no longer needed.
I have discussed the implementation of PoLP in an earlier blog post that you can access here: What Is Principle Of Least Privilege And How To Implement It
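The following is an added example, not code from the original post, showing the two habits the list above insists on: a default-deny policy store in which nothing is allowed unless an explicit grant matches, and just-in-time grants that carry an expiry so elevated rights disappear on their own. The `AccessPolicy` class, the principals and the resource names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Grant:
    """One explicit permission. expires_at=None means a standing grant."""
    principal: str
    action: str
    resource: str
    expires_at: Optional[datetime] = None


class AccessPolicy:
    """Default-deny policy store (hypothetical helper written for this post).
    An access is allowed only if a matching, unexpired grant exists."""

    def __init__(self) -> None:
        self.grants: Set[Grant] = set()

    def grant(self, principal: str, action: str, resource: str,
              ttl: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> Grant:
        """Add a grant; a ttl makes it a just-in-time grant that expires."""
        now = now or datetime.now(timezone.utc)
        g = Grant(principal, action, resource, None if ttl is None else now + ttl)
        self.grants.add(g)
        return g

    def revoke(self, g: Grant) -> None:
        self.grants.discard(g)

    def is_allowed(self, principal: str, action: str, resource: str,
                   now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        for g in self.grants:
            if (g.principal, g.action, g.resource) != (principal, action, resource):
                continue
            if g.expires_at is not None and now >= g.expires_at:
                continue  # expired just-in-time grant no longer counts
            return True
        return False  # default deny: no matching grant, no access


def least_privilege_demo() -> Dict[str, bool]:
    """Constructed scenario: a service account with read-only access and a DBA
    who is elevated to admin for 30 minutes. Times are fixed so the run is repeatable."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    policy.grant("app-svc", "read", "db:orders")                       # standing, narrow
    policy.grant("dba-bob", "admin", "db-server",
                 ttl=timedelta(minutes=30), now=t0)                    # just-in-time
    return {
        "svc_read": policy.is_allowed("app-svc", "read", "db:orders", now=t0),
        "svc_write": policy.is_allowed("app-svc", "write", "db:orders", now=t0),
        "svc_admin": policy.is_allowed("app-svc", "admin", "db-server", now=t0),
        "bob_during": policy.is_allowed("dba-bob", "admin", "db-server",
                                        now=t0 + timedelta(minutes=10)),
        "bob_after": policy.is_allowed("dba-bob", "admin", "db-server",
                                       now=t0 + timedelta(minutes=31)),
        "unknown_user": policy.is_allowed("mallory", "read", "db:orders", now=t0),
    }


if __name__ == "__main__":
    for name, allowed in least_privilege_demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point to notice is that revocation of the DBA's elevated rights needs no action from anyone: the expiry is part of the grant, so forgetting to clean up cannot leave the rights in place.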
2. Principle Of Fail-Safe Defaults
The Principle of Fail-Safe Defaults states that access decisions should be based on permission rather than exclusion: the default state of a system is to deny, and a mechanism that hits an error or an unexpected condition should fail closed (deny) rather than open (allow). The goal is to make the default state of a system inherently safe or, at the very least, the less harmful of the available outcomes. It is sometimes confused with the Principle of Least Surprise (or Least Astonishment), which is a usability principle about matching user expectations; the two are related but not the same.
Some of the key aspects of the Principle of Fail-Safe Defaults include:
Configuring systems in a way that the default settings and behaviors are inherently safe so that the users do not have to take specific actions to secure the system from common risks.
Configuring default settings that minimize the likelihood of unintended consequences or actions that could lead to errors or security vulnerabilities.
Aligning the default behavior with user expectations (the related Principle of Least Surprise) so that users are not caught out by what the system does on their behalf.
Giving users a straightforward way to undo or mitigate any unintended consequences of the actions initiated by default settings.
Avoiding default configurations that might pose a risk to security, privacy, or the integrity of the system.
Using the Principle of Fail-Safe Defaults, you can create systems that are more user-friendly, less error-prone, and inherently safe. More importantly, you can minimize the chances of accidental or unintended negative consequences.
An example of the use of the Principle of Fail-Safe Defaults is found in your web browser. When a site's TLS certificate fails validation (it is expired, issued for a different hostname, or signed by an issuer the browser does not trust), the browser does not load the page; it shows a full-page warning and requires you to click through explicitly before proceeding. The failed check defaults to "deny", and the burden of overriding it falls on the user rather than the other way round. Note the contrast with plain http:// sites, which browsers still load by default while marking them "Not secure".
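The following is an added example, not code from the original post, and it shows the failure-mode half of the principle. Both functions ask a policy service for a decision; the difference is what they do when that service cannot answer. `query_policy_service` is a constructed stand-in for a network call that can time out, and the user names are hypothetical.

```python
class AuthzUnavailable(Exception):
    """The (hypothetical) remote policy decision point could not answer."""


# Constructed stand-in for a call to a remote authorization service.
# In real code this would be a network call that can time out or error out.
def query_policy_service(user: str, action: str, *, backend_up: bool = True) -> bool:
    if not backend_up:
        raise AuthzUnavailable("policy service timed out")
    allowed = {("alice", "read"), ("alice", "write")}   # constructed policy
    return (user, action) in allowed


def check_fail_open(user: str, action: str, *, backend_up: bool = True) -> bool:
    """Anti-pattern: an error on the decision path is treated as permission.
    Anyone who can make the policy service unavailable (a DoS, a firewall
    rule, a bad deploy) gets through without ever being authorized."""
    try:
        return query_policy_service(user, action, backend_up=backend_up)
    except AuthzUnavailable:
        return True   # "don't break the app": this is the bug


def check_fail_closed(user: str, action: str, *, backend_up: bool = True) -> bool:
    """Fail-safe default: if no positive decision can be obtained, deny.
    The outage becomes an availability problem, not a security breach."""
    try:
        return query_policy_service(user, action, backend_up=backend_up)
    except AuthzUnavailable:
        return False


if __name__ == "__main__":
    for fn in (check_fail_open, check_fail_closed):
        print(fn.__name__, "mallory/delete with backend down ->",
              fn("mallory", "delete", backend_up=False))
```

When the backend is healthy both functions behave identically, which is exactly why the fail-open version survives testing; the difference only shows under failure, so the error path is the one that deserves a test.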
3. Principle Of Economy Of Mechanism
The Principle Of Economy Of Mechanism recommends that the design and implementation of security mechanisms be kept as simple as possible. Simplicity in design and implementation ensures that there are fewer possibilities for errors. Simple, less complex designs have fewer components so the checking and testing processes as well as operation are less complex.
In any system, the interfaces between components are suspect areas that are most error-prone. A simple system has few components, which means few interfaces, leading to a lower likelihood of errors. Simple security systems are also easier to understand both by the administrators and end-users, which ensures that there are fewer challenges in efficient implementation and operation.
The key benefits of the Principle Of Economy Of Mechanism include:
Simple systems typically have a smaller attack surface, meaning fewer opportunities for attackers to find and exploit vulnerabilities.
Simple systems are easier to understand so it is more likely that potential security issues are identified and addressed through analysis and review.
Simple systems make it easy to test and verify the correctness of the system and its data.
Simple systems have fewer failure points, which contributes to better reliability.
Simple systems are easier to maintain and update.
Simple systems are less likely to lead to errors or misconfigurations that could compromise security.
Simple systems are typically more cost-effective in terms of development, maintenance, and operation than complex ones.
A good example of this design principle is the time-based one-time password (TOTP) used by authenticator apps in Two-Factor Authentication (2FA). The mechanism itself is small and fully specified (RFC 6238: an HMAC over a shared secret and the current time step, truncated to a few digits), so it can be implemented, reviewed, and tested with little room for error, and the app can present it through a simple interface for linking accounts and reading codes. It is user-friendly precisely because the mechanism underneath is simple.
Although simplicity in design has many benefits, it is important to ensure that you do not compromise essential features or necessary security measures for the sake of simplicity. The goal is to avoid unnecessary complexities that do not contribute to the core functionality of the system, where complexity can introduce unintended security risks.
4. Principle Of Separation Of Privilege
The Principle of Separation of Privilege holds that a protection mechanism which requires two independent conditions to be satisfied (two keys) is more robust than one that opens for the holder of a single key. More broadly, it means splitting up tasks and assigning rights to different parts of a system so that the compromise of one part, or of one credential, is not enough to cause harm on its own.
The separation of privilege can be applied at the user level, allowing different users to run different parts of the system, each with access to only the areas they need to perform their tasks. This kind of separation can also be applied to applications, system sub-components, and processes. This principle can even be used to isolate parts of the organization into separate security domains so that even if one part of the organization is breached, the others remain secure.
Separation of privilege can be applied in several ways. Multi-factor authentication is the most familiar: a stolen password alone does not log the attacker in. Dual control (the two-person rule) applies the same idea to sensitive operations such as rotating a signing key or approving a production deployment, which then require sign-off from two distinct people. Keeping administrative rights in a separate account from the one used for email and browsing, rather than doing everyday work as a Domain Administrator or Local Administrator, is another common application: the privileged account is exposed to far fewer phishing and drive-by risks, and an attacker who compromises the everyday account still has to obtain a second credential.
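The following is an added example, not code from the original post, showing the dual-control form of the principle: a sensitive operation cannot proceed until two distinct principals, neither of whom is the requester, have approved it. The `DualControlRequest` class, the operation name and the user names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class DualControlRequest:
    """A sensitive operation (hypothetical: rotating a signing key) that needs
    approval from `required` distinct principals other than the requester."""
    operation: str
    requester: str
    required: int = 2
    approvers: Set[str] = field(default_factory=set)

    def approve(self, principal: str) -> bool:
        """Record an approval. Returns False if the approval was rejected."""
        if principal == self.requester:
            return False            # four-eyes: you cannot approve your own request
        self.approvers.add(principal)   # a set: the same account cannot count twice
        return True

    def is_authorized(self) -> bool:
        return len(self.approvers) >= self.required


def dual_control_demo() -> Dict[str, bool]:
    """Constructed walk-through: the requester tries to self-approve, one
    approver tries to count twice, and only a second distinct approver unlocks it."""
    req = DualControlRequest("rotate-signing-key", requester="alice")
    out: Dict[str, bool] = {}
    out["self_approve_accepted"] = req.approve("alice")
    out["authorized_after_self"] = req.is_authorized()
    req.approve("bob")
    out["authorized_one_approver"] = req.is_authorized()
    req.approve("bob")                                   # replay from the same account
    out["authorized_bob_twice"] = req.is_authorized()
    req.approve("carol")
    out["authorized_two_approvers"] = req.is_authorized()
    return out


if __name__ == "__main__":
    for step, value in dual_control_demo().items():
        print(f"{step}: {value}")
```

The guarantee is only as strong as the distinctness of the principals: if one person can log in as both "bob" and "carol", or if the requester can create approver accounts, the two keys collapse into one, which is why this pattern is paired with separate, individually owned accounts.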
5. Principle Of Complete Mediation
The principle of complete mediation requires that every access to every object be checked for authority. To understand why this needs stating, take an example: whenever a user attempts to read a file on a server, the system "mediates the action" by checking whether the user is allowed to read the file. If the user is allowed, the system provides the resources necessary to complete the action.
If the user tries to read the file a second time, the system must check again whether the user still has the necessary permission. Many systems instead cache the result of the first check and approve subsequent requests on the strength of it. Unix-like systems, for instance, check file permissions when a file is opened, not on each read, so a process that already holds an open descriptor keeps reading after the owner revokes its permission. Any such cache has to be treated with care: a revocation that does not reach the cache is a security lapse.
The goal of the principle of complete mediation is to prevent such instances from occurring. So it emphasizes the need for every access request to be checked against an access control mechanism. Additionally, it requires systems to not grant access to any resource without consistently validating every access attempt.
Enforcing the principle of complete mediation mitigates security vulnerabilities arising out of incomplete or inconsistent access control checks. This principle is the foundation of the Zero Trust Security Model and plays a critical role in maintaining a robust security posture against unauthorized access, privilege escalation attempts, and insider threats.
A common example of the Principle of Complete Mediation is the use of access control lists (ACLs) in file systems. When a user attempts to access a file, the system checks the user's permissions for that file against the ACL. If the user has the necessary permissions, the access is granted; otherwise, it is denied. Mediation is complete only if this check sits on the path of every access, including accesses made through an already open handle, a symbolic link, or an alternative interface such as an API or a backup tool.
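The following is an added example, not code from the original post, that makes the caching problem concrete and shows one way to keep a cache without losing complete mediation. Three mediators are run against the same constructed in-memory ACL: one that checks the live policy on every access, one that caches the first decision forever (the anti-pattern), and one that tags each cached decision with the policy generation it was computed under so that any policy change invalidates it. The `PolicyStore` class, the user and the file path are hypothetical.

```python
from typing import Dict, Set, Tuple


class PolicyStore:
    """Constructed in-memory ACL: (user, resource) -> allowed actions.
    `generation` is bumped on every change so a cache can tell it is stale."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], Set[str]] = {}
        self.generation = 0

    def allow(self, user: str, resource: str, action: str) -> None:
        self.rules.setdefault((user, resource), set()).add(action)
        self.generation += 1

    def revoke(self, user: str, resource: str, action: str) -> None:
        self.rules.get((user, resource), set()).discard(action)
        self.generation += 1

    def decide(self, user: str, action: str, resource: str) -> bool:
        return action in self.rules.get((user, resource), set())


class CompleteMediator:
    """Consults the live policy on every access: complete mediation."""

    def __init__(self, policy: PolicyStore) -> None:
        self.policy = policy

    def access(self, user: str, action: str, resource: str) -> bool:
        return self.policy.decide(user, action, resource)


class StaleCacheMediator(CompleteMediator):
    """Anti-pattern: remembers the first decision forever, so a revocation
    never reaches a user whose 'allow' is already cached."""

    def __init__(self, policy: PolicyStore) -> None:
        super().__init__(policy)
        self.cache: Dict[Tuple[str, str, str], bool] = {}

    def access(self, user: str, action: str, resource: str) -> bool:
        key = (user, action, resource)
        if key not in self.cache:
            self.cache[key] = self.policy.decide(user, action, resource)
        return self.cache[key]


class VersionedCacheMediator(CompleteMediator):
    """If a cache is unavoidable, tie each entry to the policy generation it
    was computed under and recompute whenever the policy has changed."""

    def __init__(self, policy: PolicyStore) -> None:
        super().__init__(policy)
        self.cache: Dict[Tuple[str, str, str], Tuple[int, bool]] = {}

    def access(self, user: str, action: str, resource: str) -> bool:
        key = (user, action, resource)
        hit = self.cache.get(key)
        if hit is None or hit[0] != self.policy.generation:
            hit = (self.policy.generation, self.policy.decide(user, action, resource))
            self.cache[key] = hit
        return hit[1]


def mediation_demo() -> Dict[str, Tuple[bool, bool]]:
    """For each mediator: (decision before revoke, decision after revoke)."""
    out: Dict[str, Tuple[bool, bool]] = {}
    for cls in (CompleteMediator, StaleCacheMediator, VersionedCacheMediator):
        policy = PolicyStore()
        policy.allow("alice", "/srv/payroll.csv", "read")   # constructed ACL entry
        m = cls(policy)
        before = m.access("alice", "read", "/srv/payroll.csv")
        policy.revoke("alice", "/srv/payroll.csv", "read")
        after = m.access("alice", "read", "/srv/payroll.csv")
        out[cls.__name__] = (before, after)
    return out


if __name__ == "__main__":
    for name, (before, after) in mediation_demo().items():
        print(f"{name}: before revoke={before}, after revoke={after}")
```

The versioned cache still consults the policy store on every access, but only for a cheap generation counter rather than a full decision; that is the trade-off complete mediation permits, as opposed to skipping the check altogether.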
6. Principle Of Open Design
The principle of open design suggests that secrecy does not add security. In other words, the security of a system should not depend on keeping its internal workings or algorithms secret. Instead, the system should be secure even if everything about its design is known to the public. The cryptographic form of this idea is Kerckhoffs's principle: a cryptosystem should remain secure even when everything about it except the key is public. Secrecy of the design adds little if anything to the security of a system. On the contrary, it gives a false sense of strength that is all too often lacking in the design and implementation of the system.
A security system should not rely on the ignorance of the user because an informed user can defeat that security mechanism. Additionally, designers of a security system must not depend on the secrecy of the details of their design to ensure security. Adversaries can uncover such secrets through reverse engineering, analysis, or non-technical means such as dumpster diving.
Open design inspires greater trust among users since the system is open to public scrutiny. This facilitates peer review and input from security experts and the wider community, resulting in improvements and hardening of the system.
However, it should be noted that open design does not mean you should disclose specific security details, configurations, or private encryption keys. The openness pertains to the fundamental design principles and mechanisms, which must be able to withstand public scrutiny and not rely on secrecy for security.
Open-source software projects are common examples of the use of the principle of open design. As the source code is freely available, anyone can inspect, review, and modify the software to identify and fix vulnerabilities, helping make the system more secure.
7. Principle Of Least Common Mechanism
The Principle of Least Common Mechanism suggests minimizing the shared components between different security domains. Reducing the commonality between components helps decrease the potential impact of security breaches by limiting the scope of compromise in the event of a breach.
So, if one part of the system is compromised, the impact is contained within that specific part. The compromise of one domain does not automatically lead to the compromise of other, unrelated security domains. Applying this principle also shrinks the overall attack surface of the system, making it more challenging for attackers to exploit shared components to compromise multiple security domains.
The principle of least common mechanism works in tandem with other principles such as the Principle of Least Privilege and the Principle of Fail-Safe Defaults to build a more robust and secure system by limiting the potential consequences of security incidents and enhancing the system's overall resilience.
The application of this principle is commonly seen in virtualized environments, where separate virtual machines (VMs) are used for different applications or services. Each VM operates independently, reducing the risk of a compromise spreading from one VM to another. The hypervisor and the physical CPU, memory, and caches remain a shared mechanism, however, which is why hypervisor escapes and cross-VM side-channel attacks are treated as serious issues: they are exactly the common mechanism this principle tells you to minimize.
8. Principle Of Psychological Acceptability
The principle of psychological acceptability suggests that security measures should not make the legitimate actions of users more difficult or cumbersome than necessary. In other words, security mechanisms should be designed such that users find them acceptable, user-friendly, and compatible with their expectations and behaviors.
This is arguably the most important design principle since it recognizes the importance of considering the human factor in security design. Security measures need to be effective in mitigating risks while garnering user compliance. So, it is crucial to strike a balance between security and usability. If security measures are too complex or intrusive, users are less likely to comply leading to potential security vulnerabilities.
Users are also sensitive to their productivity. If security measures unjustifiably hinder their legitimate actions, they will find a way to bypass or disable them. So, you need to ensure that security measures have minimal impact on user productivity. It also helps to communicate the purpose and necessity of security measures with the users so that they understand the expectations and buy into the process. Regular training programs that educate users about security practices also help users understand their role in maintaining security without creating unnecessary confusion or frustration.
In summary, the principle of psychological acceptability recognizes that though security mechanisms may add some extra burden, that burden must be both minimal and reasonable. By incorporating this principle in their policies and practices, organizations can foster a security-conscious culture that encourages user compliance, enhancing the overall effectiveness of their security measures.
An example of this principle is the use of app-based authenticators in 2FA systems that ensure time-based codes are readily available to the user. This means users do not have to wait for SMS-based codes, which are often slow to arrive, or use biometrics, which some users may find intrusive. So, the system adds a layer of security without unduly hindering the user.
Conclusion
Those designing these security systems and policies need to take great care to strike the right balance between robust security and user convenience. Although it may seem counterintuitive, implementing overly strict security measures can lead to security breaches due to user resistance or circumvention of security controls. After all, humans are often considered the weakest link in security. Social engineering, insider threats, and human errors can and often do compromise even the most sophisticated security systems. Therefore, designing systems that account for human behavior is crucial, especially in a business environment.