Posted on | June 18, 2010 | 1 Comment
I am known to be extremely pedantic when it comes to security. Why? I help to safe guard personally identifiable information. I’ve often said that proper security can almost never be convenient. In some instances, not following proper practices is effectively breaking the law (HIPAA). Yet, some users – in particular non technical managers, can not seem to grasp the fact that I can’t allow them access to certain things on their iPhone from a beach in Tahiti over open WiFi. More often than not, people only consider what they are trying to accomplish, not what any given system sees them as doing.
I’ve come up with a great analogy that some of you might find helpful in explaining why we can’t ‘change the system’ to allow certain things:
It is midnight. Inside of a locked bank is a locked bank vault. The vault contains two things, a giant stack of money and a starving kitten that is crying out for help. Two people are attempting to enter the bank – one of them a bank robber, the other one an animal lover. One wants the cash, the other wants to save the kitten.
There is no security system that is sufficiently complex to identify additional variables that may make threatening patterns seem benign. Additionally, if there were such a system, how would it distinguish between two entities with identical behavior? Sure, we could make our vault smarter in the first example to realize that it contained a starving kitten that someone would want to rescue. Now, which one of the two people trying to break in is the animal lover?
If you need money out of a bank’s vault – just apply for a loan. If you notice a kitten starving overnight, report it so someone with a key and the proper combination that can rectify the problem.
It is so very difficult to explain to non technical people the perils of adjusting the system to permit untrusted feline rescue efforts.