Sunday, July 6, 2014

Why making a software system 100% secure is impossible

It seems that one cannot look at the news these days without seeing another story about a company in trouble because of a data breach. In some cases, C-level executives at Fortune 500 firms lose their jobs as a result. But there's something that gets lost in these stories: IT security is like car safety in that one should always try to improve, but the inherent risks mean that complete safety is impossible. In other words, it is impossible to create a system that is 100% secure from malicious attacks.

Why 100% safety is impossible

If you truly wanted to make your data as secure as possible, you'd back it up on a hard disk, disconnect it from any computer, put it in a safe, then bury the safe in an unknown location. Only then could you rest assured that the information was safe from hackers or rogue employees. Unfortunately, in order to derive benefit from the information, people need to be able to access it. Therefore, compromises need to be made. Someone must be able to use that information, or else it might as well not exist at all. But anytime you give any access to a component of the IT system, you create the possibility of one of these scenarios coming to fruition:
  1. A hacker steals the credentials of a trusted user and accesses the system
  2. A hacker "listens" to the conversation between your employee's computer and the data
  3. A hacker exploits a previously-unknown vulnerability in software you're using to access private data
  4. A rogue employee sells his/her credentials and/or private data to malicious users
So there is a constant balance IT has to strike when securing a system: what can we do to maximize the usefulness of the information while minimizing the downside of that information getting into the wrong hands?

This is not unlike the balance an automobile manufacturer has to strike in order to make a car safe, affordable, and desirable at the same time. If the manufacturer focused only on safety, its cars would have so much steel that they would get horrible gas mileage, offer little visibility (to minimize the glass in the vehicle), and be unable to go out on roads where semi trucks might be barreling at the car head-on at 90 MPH. A car that can't go out on a road isn't very useful, is it? As a result, car manufacturers must find ways to make cars safer knowing that they aren't ever 100% safe.

Why IT can't catch everything

The average business user at this point is probably saying, "Why can't you lock down each component of the system, only letting in people that you trust?" First, up to 60% of security breaches come from rogue employees. Companies have to be able to trust someone to set up and maintain these systems, but when that person betrays that trust, bad things happen.

Second, computers are incredibly complex things, and the consequences of actions cannot be understood by even the best IT people. For example, in the Target breach I linked to earlier, hackers used a vulnerability in a third-party system to get onto the Target network, then exploited a well-known method for stealing information from databases to get at customer information. While both issues should have been addressed, each is understandable on its own. The third-party vendor thought its credentials were secure, and the database administrator thought that the database was protected behind the network. It was the combination of errors that allowed hackers to steal customer information.

Third, even systems built to help secure your network can have vulnerabilities. As a recent example, OpenSSL is relied upon by millions of people (directly or indirectly) to help keep information safe and secure. But programmers found a vulnerability in the system, and have since found several other issues. Any IT professional depending on OpenSSL to help secure their system found themselves scrambling to patch problems when the Heartbleed problems became public knowledge. But if the security systems themselves are causing a security concern, how is an IT professional expected to make a system 100% secure?

With all that can go wrong, sometimes it's amazing that more breaches don't happen.

So should we just accept that breaches will happen?

No. Companies should not merely accept that breaches will happen and shirk their responsibilities to their customers to protect information appropriately. Companies can and should take reasonable precautions to ensure that information is protected. Using Target as an example again, its programmers should have known to protect its internal databases from the method the hackers used just out of habit, regardless of any mistakes the third party made. Target should have known that its information would be desired by all sorts of malicious users and should have taken appropriate steps.

Why security is also a business problem, not just an IT problem

When talking with business users with limited knowledge of IT about security, IT professionals I've talked to generally get responses ranging from "use your best judgment" to "that's your problem, not mine". But determining the appropriate balance between the costs and benefits of mitigating security risks is a business problem, not an IT one. One can always spend more time and money hunting down and eliminating security vulnerabilities, but how much time and effort is worth the cost when 60% of breaches come from employees? There is no right answer here, especially since the appropriate balance will vary greatly from industry to industry. A hospital protecting patients' medical information should be much more diligent about protecting information than a hobby-related blog that stores first names and emails. Whatever the balance, an agreement should be reached between the business and IT leaders. Everyone on the executive committee should have a full understanding of what the risks to the business are and a general consensus as to what they should be, regardless of whether the source is technology-based or not.

So then who is to blame when a breach occurs?

That discussion is too large to be included in this blog post, so it will have to wait for another time.
Edit: I wrote a post about this in August. http://scottnorberg.blogspot.com/2014/08/who-is-to-blame-when-security-breach.html

Summary

The idea that an IT system should be 100% safe from hackers and other malicious users is a fantasy. Systems are too large and complex, and threats too varied, to expect 100% security for any system. This doesn't mean that companies shouldn't try to stop attackers, however. The amount of effort appropriate to stop these attacks will vary greatly depending on the industry, company, and data being protected, so business leaders and IT professionals need to be in constant communication as to what effort is appropriate to keep company (and customer) information safe.

1 comment:

  1. Wow, I can say that this is another great article, as expected of this blog. Bookmarked this site.
    Security Systems
