
Security Over Configuration?

Many recent software development frameworks use the term "Convention over Configuration".  The main idea is to remove the need for a programmer to spell out every detail of an application; instead, only the unconventional aspects need to be specified.  In theory this removes the coding of aspects of the application that should simply be taken for granted, resulting in faster development, simpler code and easier maintenance.  Anything that doesn't fit the 'convention' needs to be 'configured'.

I wonder whether this approach could be applied to security, not only from a software perspective but in everyday life in general.  Security in software is often seen as an add-on, an extra, something to do at the end or once something has gone wrong.  This shouldn't be the case.  Technically, security should be built in from the ground up; as a process, it should be given the same standing as business continuity or the organization's marketing strategy.  So instead of security being an extra, should it be the default?
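What "security as the convention" looks like in code, as an added example that is not from the original post: the hardened settings are the defaults, only departures from them have to be configured, and a departure that weakens security must carry a justification, is refused outright in production, and is logged so it stays visible.  The `HttpSecurity` fields, the `justification` key and the environment names are illustrative choices for this example, not a real framework's API.

```python
"""Security as the convention: the defaults are the hardened settings, and only
deviations from them have to be configured, justified and surfaced.

Added example; the setting names below are illustrative, not a real framework's.
"""
import logging
import ssl
from dataclasses import dataclass, fields, replace

log = logging.getLogger("secure_defaults")


# The convention: every field defaults to its secure value.
@dataclass(frozen=True)
class HttpSecurity:
    verify_tls: bool = True                                   # verify server certificates
    min_tls_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2  # no TLS 1.0/1.1
    cookie_secure: bool = True                                # cookies only over HTTPS
    cookie_httponly: bool = True                              # cookies hidden from script
    cookie_samesite: str = "Lax"                              # CSRF mitigation by default


SECURE_DEFAULTS = HttpSecurity()


def weaknesses(cfg: HttpSecurity) -> list[str]:
    """Names of settings that have been configured away from the secure convention."""
    weak = []
    if not cfg.verify_tls:
        weak.append("verify_tls")
    if cfg.min_tls_version < ssl.TLSVersion.TLSv1_2:  # TLSVersion is an IntEnum
        weak.append("min_tls_version")
    if not cfg.cookie_secure:
        weak.append("cookie_secure")
    if not cfg.cookie_httponly:
        weak.append("cookie_httponly")
    if cfg.cookie_samesite == "None":  # drops the cross-site request protection
        weak.append("cookie_samesite")
    return weak


def load_security(overrides: dict, environment: str) -> HttpSecurity:
    """Start from the secure convention and apply only the configured deviations.

    A weakening override is refused in production, requires a recorded
    'justification' elsewhere, and is always logged so it does not go unnoticed.
    """
    overrides = dict(overrides)
    justification = overrides.pop("justification", None)
    unknown = set(overrides) - {f.name for f in fields(HttpSecurity)}
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    cfg = replace(SECURE_DEFAULTS, **overrides)
    if cfg.cookie_samesite not in ("Strict", "Lax", "None"):
        raise ValueError(f"bad SameSite value: {cfg.cookie_samesite!r}")
    if cfg.cookie_samesite == "None" and not cfg.cookie_secure:
        # Browsers reject SameSite=None cookies that are not also Secure.
        raise ValueError("SameSite=None requires cookie_secure=True")
    weak = weaknesses(cfg)
    if weak and environment == "production":
        raise ValueError(f"insecure settings not allowed in production: {weak}")
    if weak and not justification:
        raise ValueError(f"weakening {weak} requires a 'justification'")
    for name in weak:
        log.warning("security convention overridden: %s (%s)", name, justification)
    return cfg


def set_cookie_header(name: str, value: str, cfg: HttpSecurity) -> str:
    """Render a Set-Cookie header whose attributes follow the loaded config."""
    parts = [f"{name}={value}"]
    if cfg.cookie_secure:
        parts.append("Secure")
    if cfg.cookie_httponly:
        parts.append("HttpOnly")
    parts.append(f"SameSite={cfg.cookie_samesite}")
    return "; ".join(parts)


def tls_context(cfg: HttpSecurity) -> ssl.SSLContext:
    """Build a client TLS context that follows the loaded config."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = cfg.min_tls_version
    if not cfg.verify_tls:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    prod = load_security({}, "production")  # nothing to configure: the convention is secure
    print(set_cookie_header("session", "abc123", prod))
    dev = load_security({"verify_tls": False,
                         "justification": "self-signed cert on local mock server"},
                        "development")
    print("dev weaknesses:", weaknesses(dev))
```

The point of the shape is that the secure path is the one that needs no configuration at all, while the insecure path costs the developer a justification, a log line and an environment check; that inverts the usual situation where hardening is the extra work.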

From an IT perspective, many view tight security simply as using a strong encryption algorithm or implementing a password complexity policy.  Here I feel we are missing the point.  Security is all about defence in depth: rings or circles of protection, just as a fortified castle or stronghold would have had in years gone by.  Information should be treated in the same way, with protection at every layer, including network security, application security, internal process and infrastructure security, right through to physical protection such as lock and key.

But security across these different branches of an organization is often seen as time consuming, costly and offering no return on investment from the bean counters' point of view.  Ironically, this will probably lead to costly short-term projects that are a reaction to a security breach, or to a policy mandate, brought on by not implementing the appropriate security controls in the first place.

It may take time, but information security will become more mainstream as organizations see the real value of being secure: brand confidence, efficient processes and less fire fighting.  Until then, security will have to be treated as a 'configuration' item by most people.
