“Secure” is not a binary, black-and-white thing. Instead, it’s about risk management. Instead of asking whether something is secure, it’s better to ask whether it is “secure enough for such-and-such purpose”. – Quote from Crypto Stack Exchange, August 2013
I seem to be talking a lot about security these days. Not only in my professional life, but in my personal day to day.
I am considering shifting my family from Windows Phone over to Android, despite the personal pains of supporting this ecosystem that worked flawlessly for me for many years. The security conversation in this context is rife with opinion and observation from friends and colleagues. Everything from Android’s inherent security challenges to hackers leveraging Google Play to distribute bad wares. Admittedly, I will lose some sleep knowing my family’s desire to load hundreds of apps.
Getting the Microsoft ecosystem connected onto an Android phone requires passwords and access to applications, and the reasons why will not be understood. Just going through the motions. For example, the password vault we’ve been using in my family worked only on Windows Phone. We need to consider what tool works well in the Android space, ease of transference, and retraining my family members to use this tool. Further, vaults need access and will prompt to ask if they can obtain rights to reach or access areas of the operating system. Another situation rife with chance of malfeasance.
When I researched a deck on security back at Santander, I found the above quote and it immediately returns to mind when I talk security in both spaces today. Many organizations take a harder line to reach the goal of “secure”, damn productivity and usability. Compliance works for larger organizations under audit scrutiny. But many companies do not operate in those industries. Neither do families.
Nevertheless, when I look at technologies, you have to look at the people at the helm. Combined, risks can be pondered and formulated. And only after thoughtful interaction and use cases, discussion with the people using the technologies, and making the arguments pro and con, can you make the right decision for those users. Oftentimes, technologies are secure enough when powered by security-conscious people.
My recent thoughts on the matter.