Ask the Expert

Security and usability in SELinux

Do you think usability is a big problem with SELinux? Is it worth it for an organization to trade usability for security?

    Requires Free Membership to View

Personally, I think SELinux can have a steep learning curve and it requires a careful implementation, including extensive testing of your applications with your proposed policies. If this process is followed, then I think the impact of potential SElinux usability issues is lessened.

As to the broader question of usability versus security? I always say security people are only in business if the business they support can do business. If security makes an application unusable and the business is then hampered in their ability to do business, then this can be as bad as if the application is unavailable due to an attack or compromise. Usability versus security should always be a risk-based balance/trade-off.

Implement the best possible set of security controls, for the optimal cost, to mitigate the most risk. If, for reasons of usability (or cost), you are unable to implement a control then articulate the risk, preferably in business terms like dollars, to of not implementing that control. If they accept that risk (and only they can), then document that acceptance and report it to the appropriate parts of your organization, like risk and audit groups/committees. Ultimately, your salary gets paid by the business making money. If you:

  • Appropriately articulate any risk involved in doing business
  • Present appropriate and cost-effective controls to mitigate those risks
  • Document any risks that have not been mitigated, either by choice or some fundamental inability to mitigate
  • Regularly re-evaluate risks and controls.

then you have done your best to secure your organisation in the most appropriate way.

This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: