Blogger: Eric Maiwald
I was catching up on my reading when I came across a short piece in the IEEE Spectrum magazine by Robert Lucky. In the article, Mr. Lucky describes problems that are so complex that they cannot be fully solved – he calls these problems “wicked problems.” While reading the article I kept coming back to the old joke about security engineering – cheaper, faster, or secure…choose any two.
In this article, Mr. Lucky talks about really hard problems that often have no elegant solution only different sub-optimal options. “Entanglement” is a word he uses to describe how these problems (and their solutions) influence other things outside of our normal boundaries. He notes that to approach such a problem, we often draw boxes around the parts of the problem we control. That sounds a lot like how some organizations approach IT problems – this is a security problem or a network problem or a development problem.
But the problems we deal with are not really that cut and dry. Should I use virtualization in my data center? If you only look at power and space consumption in the data center, the answer is an obvious yes. But what about other concerns like security? Did the virtual environments just circumvent all of the network security controls? What about service oriented architectures? Good idea? Sure but what does the use of services mean for the development process and for the implementation of controls? What about WAN optimization? Should I use it? Perhaps but there are tradeoffs in its use (for example, don’t try to optimize an encrypted stream of data because it won’t compress!). I could go on but I think you get the idea and where I’m headed with this.
I’m sure you heard the joke in security – cheaper, faster, or secure…choose any two. While we laugh at this (and mostly at the security guy who dares to intrude into the faster getting cheaper), the joke illustrates the tradeoffs involved in all large system engineering or architecture projects. Unfortunately, unlike mathematics where we can easily find the local maximum and therefore the optimal solution to a problem, engineering is a messy process that requires less than optimal solutions to these very hard problems.
So where am I going with this? In order to deal with these hard problems, security needs to work with other IT disciplines. We need to identify the tradeoffs to be made and then choose the most appropriate solution based on the requirements from the business. In the end, many of the tradeoffs cannot be solved by IT alone so the business will have to be involved and will need to understand the impact of the decisions.