Computer security is like walking in the rain

This morning I was out walking in the rain trying to come up with a good idea for a blog post. I've been thinking a lot about computer security lately. As I was walking I realised that walking in the rain was a good analogy to use when thinking about computer security. I have to deal with a very wet climate. I enjoy spending time outdoors. Sometimes I have things I have to get done that require me to be outdoors. This means I have to come up with a way to deal with rain. I actually have several strategies for dealing with rain depending on what I'm doing, how hard it's raining, and how long I'll be exposed to the rain.

The simplest strategy is to just try to stay out of the rain. This is OK for very short durations in the rain. If I'm quick I stay relatively dry while going from my door to the car, or from the car to a store. In computer terms this would be like running Windows with minimal security enhancements, nothing but what's built in. It's very easy and convenient. Most of the time I won't get too wet. Occasionally I'll get caught in a downpour and get soaked to the skin requiring a full change of clothes. Most of the time I don't use this strategy nor would I recommend it for others as they will inevitably get wet at some point.

The next strategy is to wear a coat. This gives some added protection but when I do get caught in that downpour I may have to change my pants or at the very least my shoes and socks afterwards. If it rains hard enough or I'm outside long enough the coat will eventually soak through. Over time the coat wears out and becomes less effective at keeping the rain out. I have to buy a new coat. There are many different types of coats, some of which give much better protection from the rain than others. There are windbreakers, rain coats, and overcoats. Choosing which coat to use takes experience with the weather and knowing how hard it's likely to rain. This would be like Windows with an antivirus/malware program installed.

This morning while walking it was raining pretty hard. I took an umbrella and wore a rain coat. I was out in the rain for quite a while. I still got a little bit damp but that was mostly because I was too hot while walking up the hills. The problems were mostly internal caused by the protection I was using. Some of the dampness was caused because the umbrella didn't protect against splashes from the rain drops on the sidewalk and for a small period of time it was raining hard enough that some of the drops made it through the umbrella (a Microsoft golf umbrella by the way) in the form of a fine mist. This is like Windows with a hardware firewall (umbrella), antivirus software(coat), and anti-malware software (the coat is a specialised rain coat). All that protection may get in the way and cause it's own problems but in the end it does a pretty good job of protecting me from the rain. If someone was going out in the rain this is what I would recommend, with a warning that it may not be the ultimate in protection. They may get a little damp at times. Some of the dampness may be caused by the protection itself (perspiration).

Last winter I volunteered to work at one of the 2010 Olympic venues (Whistler Olympic Park) for a ski jumping event. One of the perks was a very high tech Halti all weather jacket. This jacket is made of some super high tech material that allows you to work very hard and not get soaked from your own perspiration. At the same time it is completely waterproof even if you are out in the rain for hours on end. I was shovelling snow at the top of the big ski jump in major sleet (mixed rain and snow) for hours. I had a Tilley hat, the Halti coat, similar high tech rain pants, microfibre clothing underneath, rubber boots, and some high tech thinsulate gloves. This would be like running Windows in a virtual machine on a very fast computer that was behind a locked down server class OS that enforced network policies and an enterprise class firewall. I was able to work for several hours in extremely adverse conditions without getting wet at all. I was able to get the work done with no problems caused by either my environment or the gear I was using to protect me from the environment.

What does all this say about computer security? Security is about mitigating risk. You have to assess the risk and come up with a plan to mitigate the risk that is appropriate to your budget and environment. No matter what you do, you will never get the risk down to zero. With enough resources you can get close. The closer you get to zero risk the higher the cost. For most of us the cost/benefit falls somewhere in the middle which means we may have to deal with occasionally getting a little bit damp.