Today we are used to life hacks.
We look at videos and read articles promising simple solutions to complex problems.
Spending time on them is usually worthless.
I am an advocate for implementing simple solutions whenever possible.
Most of the emails in this newsletter propose simple solutions to specific problems.
But there is a reason I do not get into complex problems.
Complexity can only be fought with complexity.
Before getting into the details, let’s differentiate between complex and complicated for those sitting in the back.
Something complicated is something composed of multiple parts. Something that needs a big effort to be understood, but there is a way to systematically approach the subject or problem.
One common example of something complicated is the internal workings of a mechanical watch.
Something complex is something composed of multiple parts too, but the relationship between the different parts is not easy to understand or predict. There is no systematic approach to the subject or the problem.
One common example of something complex is the climate.
Ok. Now that I’m sure we are on the same page, let’s go back to the previous statement.
Complexity can only be fought with complexity.
Why is that?
Because putting a simple solution to a complex issue cannot (by definition) cover all of the possible cases.
It will work sometimes, maybe even often, but it cannot work every time.
Let’s take the climate example.
Take a simple solution to the problem of deciding when to wear a raincoat.
If it is raining, I take a raincoat. A simple solution to a part of the problem.
If it is not raining, but it is windy and cloudy, I take a raincoat too. Just in case.
Otherwise… well, I take my chances.
If you are thinking about using a weather app as a “simple” solution, you are missing the complexity of the weather forecast that goes along with it.
Using a weather app is simple for you, but it applies a decidedly complex solution to the problem.
In security, there are many complex things. One of them is permission management.
Deciding which permissions in which applications a certain employee needs is not easy.
A simple solution is to use a table.
You put the users’ jobs or roles and cross them with the permissions of the applications.
The result may be clear, but it is not simple. At best, it can be complicated.
Let’s do some math. Just a bit. And I will do it; you just have to read.
Say you have 10 applications, each with 10 groups or permission combinations, and 10 roles in your company.
As you can see, this is not something big.
The table will have 1,000 cells.
Most probably, you will not have that many employees in the company.
In identity management, at some point, you will have to move from that table to something more complex.
Maybe some rules to define the permissions.
Maybe some way for users to request permissions and for their managers to accept them.
Maybe some process to periodically validate the permissions. Nudge, nudge, wink wink: compliance.
It is not possible to know beforehand the permissions the users will need.
It is complex.
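To make the jump from the table to "something more complex" concrete, here is an added toy model (not code from this newsletter or from any real identity product): the role-by-permission table is replaced by rules evaluated against user attributes, anything outside the rules goes through a request that only the user's manager can approve and that expires, and a review function lists the grants that need recertification. All application names, roles, rules and users are constructed for the example.

```python
"""Toy identity model: rule-based grants, manager-approved requests with expiry,
and periodic recertification. Added example with constructed data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Permission:
    app: str    # e.g. "git" (constructed names)
    group: str  # permission group inside the app, e.g. "write"


@dataclass
class User:
    name: str
    role: str
    department: str
    manager: Optional[str] = None


def matrix_size(apps: int, groups_per_app: int, roles: int) -> int:
    """Cells in the role x (app, group) table from the text: 10 * 10 * 10 = 1000."""
    return apps * groups_per_app * roles


# Rules replace the table: a predicate on the user plus the permissions it grants.
RULES: list[tuple[str, Callable[[User], bool], set[Permission]]] = [
    ("everyone gets mail", lambda u: True, {Permission("mail", "user")}),
    ("engineering writes code", lambda u: u.department == "engineering",
     {Permission("git", "write"), Permission("ci", "trigger")}),
    ("managers read HR records", lambda u: u.role == "manager",
     {Permission("hr", "read")}),
]


def rule_permissions(user: User) -> set[Permission]:
    """Union of every rule whose predicate matches the user."""
    granted: set[Permission] = set()
    for _name, predicate, perms in RULES:
        if predicate(user):
            granted |= perms
    return granted


@dataclass
class Grant:
    """A permission obtained by request rather than by rule; it expires."""
    user: str
    perm: Permission
    approved_by: str
    granted_on: date
    days_valid: int = 90

    def expires_on(self) -> date:
        return self.granted_on + timedelta(days=self.days_valid)


def request_permission(user: User, perm: Permission, approver: str, today: date) -> Grant:
    """Only the user's manager may approve; self-approval is rejected.
    Permissions already granted by rule need no request."""
    if user.manager is None or approver != user.manager:
        raise PermissionError(f"{approver} cannot approve a request for {user.name}")
    if perm in rule_permissions(user):
        raise ValueError(f"{perm} is already granted by rule")
    return Grant(user.name, perm, approver, today)


def effective_permissions(user: User, grants: list[Grant], today: date) -> set[Permission]:
    """Rules plus the user's unexpired grants."""
    active = {g.perm for g in grants if g.user == user.name and g.expires_on() > today}
    return rule_permissions(user) | active


def due_for_review(grants: list[Grant], today: date, window_days: int = 14) -> list[Grant]:
    """Grants expiring within the window: the periodic validation the text mentions."""
    deadline = today + timedelta(days=window_days)
    return [g for g in grants if today <= g.expires_on() <= deadline]


TODAY = date(2024, 1, 1)  # constructed reference date for the demo


def demo() -> dict:
    """Run the whole flow on constructed users and return the observable results."""
    alice = User("alice", "engineer", "engineering", manager="bob")
    hr_read = Permission("hr", "read")
    try:
        request_permission(alice, hr_read, "alice", TODAY)
        self_approval_rejected = False
    except PermissionError:
        self_approval_rejected = True
    grant = request_permission(alice, hr_read, "bob", TODAY)
    return {
        "table_cells": matrix_size(10, 10, 10),
        "rule_perms": rule_permissions(alice),
        "self_approval_rejected": self_approval_rejected,
        "has_hr_day_1": hr_read in effective_permissions(alice, [grant], TODAY),
        "has_hr_day_90": hr_read in effective_permissions(alice, [grant], TODAY + timedelta(days=90)),
        "review_day_80": len(due_for_review([grant], TODAY + timedelta(days=80))),
        "review_day_1": len(due_for_review([grant], TODAY)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noticing is that nothing in the rules is a per-user entry: adding an employee means setting attributes, not filling a row of a 1,000-cell table, and the cost of the complexity moves into the rules, the approval path and the review cadence.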
Depending on the actual situation of your company, the solution may be simpler or more complex.
If you have begun feeling the complexity of security and you need help dealing with it, I can help you as long as you are willing to make changes.
You won’t change things by letting them continue as they are.
If you want help with security and want things to change, send me an email.
If you enjoyed this content, come to the newsletter. You will enjoy it even more.