EXPERT RESPONSE
Personally, I think SELinux can have a steep learning curve and it
requires a careful implementation, including extensive testing of your
applications with your proposed policies. If this process is followed,
then I think the impact of potential SElinux usability issues is lessened.
As to the broader question of usability versus security? I always say
security people are only in business if the business they support can do
business. If security makes an application unusable and the business is
then hampered in their ability to do business, then this can be as bad
as if the application is unavailable due to an attack or compromise.
Usability versus security should always be a risk-based
balance/trade-off.
Implement the best possible set of security
controls, for the optimal cost, to mitigate the most risk. If, for
reasons of usability (or cost), you are unable to implement a control
then articulate the risk, preferably in business terms like dollars, to
of not implementing that control. If they accept that risk
(and only they can), then document that acceptance and report it to the
appropriate parts of your organization, like risk and audit groups/committees. Ultimately, your salary gets paid by the business making
money. If you:
- Appropriately articulate any risk involved in doing business
- Present appropriate and cost-effective controls to mitigate those
risks
- Document any risks that have not been mitigated, either by choice or
some fundamental inability to mitigate
- Regularly re-evaluate risks and controls.
then you have done your best to secure your organisation in the most appropriate way.
|
