Nothing can ever be truly secure. The best we can muster is the illusion of security - create a veil through which our world looks private and closed off from the idle hands of those who would disrupt it.

I've been working quite a bit on website development lately, and I've been thinking a lot about web security.  The fact of the matter is, if one person can get into a website (through authentication, of course) then there's someone out there with the skills to circumvent any security measures you have and also get in.  It's like the old bank vault argument - if there's a door, then someone will be able to sneak through eventually.

With this in mind, I see two potential forms of website security: window security and brickwall security.

For simplicity's sake, I will not try to explain the coding behind how either method works.  That would bore you, frustrate me, and ultimately destroy the conversation I'd like to have on the topic.  Instead, assume your website is a building.  You have an open lobby to receive customers and display information about the services you offer.  There's also a door in the back through which your existing customers or employees can go for deeper access to your resources.

It's this door that we're talking about.  What kind of a door would you use to protect your deepest, darkest secrets?

Imagine, for the sake of this argument, that both kinds of doors are indestructible.  You can't beat through them or rip them off the hinges.  But, you probably could pick the lock if you knew what you were doing.  So really, what are the benefits and drawbacks of each door?

Window Security

You can lock people out, but you can't keep them entirely away from your things.  While they can't reach in and play with the stapler on your desk, they can stand at the door and ogle your new laptop for hours.  On a web system, window security is remarkably easy to set up.  Check whether or not the person is supposed to be there - if they are, they have access.  If they aren't, then the special features of the site are "hidden."

In reality, this means the web controls are still present, but they can't be used.  Someone with an incredibly high level of tech savvy can right click your website and select "view source" to see all of your private goodies.  Once again, while they can see them, they can't actually interact with anything.

Benefits

  • Very easy to code
  • Lightweight on the server
  • Easy to find 'broken' elements should something go wrong on the administrative side

Drawbacks

  • As my brother would say, you can't walk around naked if you have a glass door - if the hidden parts of your website are unsightly, remember they are still visible to the right people
  • Privileged information seems less protected to some stakeholders

Brickwall Security

Sometimes, you want to restrict people completely from your things.  It's not enough that they can't touch your stapler, you don't want them to even know you have one!  The majority of login-based web systems are built on the concept of brickwall security today.  You can't access any page, file, or folder in the file system without authenticating.  You can't even view the file tree without logging in!  Obviously, brickwall security requires a more refined system of authenticating users.

Unlike window security, where protected information is merely 'hidden' from prying eyes, brickwall security doesn't give it out at all.  Private data stays on the server and is only returned to the web browser when a user is authenticated.  An otherwise uneducated user wouldn't even know they're missing some of the information on your page.
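As an added illustration (not code from the original post), the sketch below renders the same page both ways and then checks what an unauthenticated visitor's "view source" would reveal. The function names, the sample markup and the `/members/export` path are all assumptions made up for the example.

```python
from html.parser import HTMLParser

# Constructed sample markup; the path and wording are hypothetical.
PUBLIC = "<h1>Welcome</h1><p>Services and pricing.</p>"
PRIVATE = ('<form action="/members/export" method="post">'
           "<button>Export customer list</button></form>")
VOID = {"input", "br", "img", "meta", "link", "hr"}  # tags with no end tag


def render_window(authenticated: bool) -> str:
    """Window security: private markup is always sent, CSS hides it."""
    style = "" if authenticated else ' style="display:none"'
    return f"<html><body>{PUBLIC}<div{style}>{PRIVATE}</div></body></html>"


def render_brickwall(authenticated: bool) -> str:
    """Brickwall security: private markup is sent only after the check."""
    private = f"<div>{PRIVATE}</div>" if authenticated else ""
    return f"<html><body>{PUBLIC}{private}</body></html>"


def authorize_post(authenticated: bool) -> int:
    """Either design still has to refuse the action itself on the server."""
    return 200 if authenticated else 403


class HiddenFinder(HTMLParser):
    """Collects form actions nested inside an element hidden from view."""

    def __init__(self):
        super().__init__()
        self.depth = 0       # > 0 while inside a hidden element
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "")
        hidden = "hidden" in a or "display:none" in style
        if (self.depth or hidden) and tag not in VOID:
            self.depth += 1
        if self.depth and tag == "form":
            self.actions.append(a.get("action"))

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            self.depth -= 1


def hidden_actions(html: str) -> list:
    """Form actions an anonymous visitor can read from the page source."""
    finder = HiddenFinder()
    finder.feed(html)
    return finder.actions
```

Running `hidden_actions` over the response served to a logged-out visitor is a quick way to tell which of the two doors a page actually has.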

Benefits

  • More secure
  • Privileged data is protected in its entirety from unprivileged users
  • The unsightly 'hidden' elements of your website are truly hidden; only a select few will even know they exist

Drawbacks

  • A completely authenticated system is a much larger, more intricate piece of code that takes up more room on the server and in your files
  • If something breaks on the administrative end, you might not be able to log in to find it

In the end, the kind of security you choose for your website is heavily dependent on your personal style and needs.  Just like you wouldn't use a twenty pound sledgehammer to drive a nail into a birdhouse, you wouldn't want to build a brickwall security system to protect an online vanity photo album.  Overkill is overkill, no matter the variety.  (On that same note, you wouldn't use a piece of chewing gum to repair Hoover Dam, either.)

So which kind of security do you use on your company's website (or social network)?  Why did you choose that particular variety?  Did you overspend on something more robust than you needed?  Did you build an ineffective system instead?  How can your resources be better allocated in the future?