[Cryptography] best practices considered bad term

Jerry Leichter leichter at lrw.com
Sat Jan 31 19:04:52 EST 2015

On Jan 31, 2015, at 6:27 AM, ianG <iang at iang.org> wrote:
> As a wider philosophical question, is it even appropriate to promote or accept 'best practices' in the security world?  Its presence is almost a complete proof that we're not doing security, we're instead participating in a rain dance or voodoo for purposes of avoiding security.
Yes and no.

The specific term "best practices", as far as I can tell, was used by SAP sales guys - back in SAP's heyday - as a way to get people to turn their business operations inside out to work with the way SAP designed its software.  SAP took the point of view that they wouldn't customize their software - customers had to adapt to their *right* way of doing things.  Their answer to the complaint from a customer who organized things differently was "Oh ... you mean you don't follow industry best practices?"

Whether they invented the term or picked up on something that was already around, I don't know.  It became, and remains, a way for consultants and sales guys of all stripes to try to force people to abandon their "legacy" approaches and move on to whatever the consultant or sales guy is trying to move them to (for an appropriate fee, of course).

So the *term* is poisoned.  But let's ignore the *term* and think about the underlying *concept*.  The fact of the matter is, the vast majority of people and companies who need to secure their systems and data are *not* security developers, are not going to *hire* security developers, and are going to only get themselves in trouble if they try to set off in some new direction.  They need something they can actually deploy that will give them some measure of security.  Much of the stuff - and advice - out there is useless or actually makes things *less* secure.  Some of it is good.  It's extremely difficult for most potential buyers to tell the difference.

A *good* description of "best practices" would actually help things.  It would certainly include such advice as "Keep systems patched", "Don't continue to use Windows XP", "Don't reuse passwords at multiple sites" (yes, you can make exceptions for very-low-value sites; I'm talking about general advice), "Don't leave default passwords on any devices", "Have backups at an offsite location to which your systems have effectively append-only access", "Have a procedure in place to quickly revoke all access to your systems by people who leave their jobs, for whatever reason", and many more.  The fact is, there are many basic security issues for most people or companies that *do* have straightforward, well-understood solutions.  No, these don't solve *all of* *everyone's* problems - but if you don't have them in place, there's not much point in doing more sophisticated stuff.

From this point of view, there absolutely *are* best practices for security - and we should do a better job of defining them.  Yes, they are a "lower bound", and many will go no further.  But what's the alternative?  A "lower bound" of nothing at all?  Or one defined by whatever sales guy last walked through the door?
                                                        -- Jerry