Identify and Eliminate Unnecessary Security Layers
Julie Q. asked: "How can I identify and eliminate unnecessary security layers on a current program to adopt a Security Brutalist approach?"
To identify and eliminate unnecessary security layers in line with Security Brutalism, follow a systematic process focused on simplicity, transparency, and resilience. Here’s how to approach this:
1. Assess and Map Your Current Security Stack
- Inventory all controls and tools: List every security measure, tool, and process in place.
- Map controls to risks: For each, identify the specific threat or risk it addresses and whether it is essential for protecting critical assets.
2. Evaluate for Redundancy and Complexity
- Spot overlapping controls: Identify where multiple tools or processes serve the same purpose (for example, two endpoint protection tools), and before retiring one, confirm that the control you keep covers every risk the other one addressed.
- Challenge abstraction: Flag controls that are "black boxes" or whose function is unclear to your team. If a control can’t be explained or audited, it’s a candidate for removal.
3. Apply the Brutalist Filter: Is It Essential?
- Ask: Does this control directly reduce risk? If not, consider eliminating it.
- Enforce the “if it’s not essential, remove it” rule: Strip away features, tools, or processes that don’t provide clear, measurable value or that obscure security posture.
- Favor open, auditable solutions: Replace proprietary or opaque solutions with open-source or fully auditable alternatives.
4. Simplify and Harden What Remains
- Standardize on core, robust controls: Prioritize strong authentication, least privilege, secure configuration, and robust patching—these are proven fundamentals.
- Automate where possible: Use automation for routine tasks (patching, logging, access reviews, etc.) to reduce human error and management overhead.
5. Expose Security Mechanisms
- Make controls and status transparent: Use dashboards and logs that provide clear, real-time visibility into security posture and events.
- Ensure auditability: Every control should leave a clear, reviewable trail.
6. Continuously Reassess and Adapt
- Regularly review for new redundancies: As your environment changes, repeat the process to keep your security stack lean and direct.
Checklist: Identifying and Eliminating Unnecessary Layers
| Step | Brutalist Action |
|---|---|
| Inventory controls | List all tools, processes, and policies |
| Map to risks | Link each to a specific, current threat |
| Identify redundancy | Remove overlaps and unneeded duplication |
| Test for clarity | Eliminate controls that are not explainable/auditable |
| Only the essential | Keep only what directly reduces risk |
| Transparency | Expose mechanisms and status to the security team |
| Auditability | Ensure clear logs and forensic trails |
| Continuous improvement | Regularly repeat the process |
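The inventory, risk-mapping and redundancy steps above can be applied mechanically once the stack is written down. The script below is an added example, not part of the original answer: it runs a constructed control inventory through the brutalist filter, flagging controls that map to no risk, controls nobody can explain or audit, and overlapping controls whose risk coverage is fully subsumed by another control (a duplicate is never flagged if removing it would leave a risk uncovered). The `Control` fields and the inventory entries are assumptions made for illustration.

```python
"""Brutalist review of a control inventory (added example; constructed data)."""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    purpose: str               # what the control is for, e.g. "endpoint protection"
    risks: tuple = ()          # specific threats it addresses; empty = mapped to nothing
    explainable: bool = True   # the team can explain how it works
    auditable: bool = True     # it leaves a reviewable trail and can be inspected
    open_source: bool = False  # tie-breaker: favour open, auditable solutions


def brutalist_review(controls):
    """Return {control_name: reason} for every control that is a removal candidate."""
    candidates = {}
    # Steps 2-3: no mapped risk -> does not directly reduce risk; black box -> not auditable
    for c in controls:
        if not c.risks:
            candidates[c.name] = "maps to no specific risk"
        elif not (c.explainable and c.auditable):
            candidates[c.name] = "black box: not explainable or auditable"
    # Step 2: group the survivors by purpose and look for overlap
    by_purpose = {}
    for c in controls:
        if c.name not in candidates:
            by_purpose.setdefault(c.purpose, []).append(c)
    for purpose, group in by_purpose.items():
        if len(group) < 2:
            continue
        # Keep the control with the widest coverage; prefer open/auditable on ties
        keep = max(group, key=lambda c: (len(c.risks), c.open_source, c.auditable))
        for c in group:
            # Only a control whose risks are all covered by `keep` is a true duplicate
            if c is not keep and set(c.risks) <= set(keep.risks):
                candidates[c.name] = f"duplicates {keep.name} for '{purpose}'"
    return candidates


# Constructed sample inventory (not a real environment)
INVENTORY = [
    Control("EDR-A", "endpoint protection", ("malware", "lateral movement")),
    Control("EDR-B", "endpoint protection", ("malware",), open_source=True),
    Control("legacy-filter", "web filtering"),
    Control("vendor-ai-box", "anomaly detection", ("insider threat",), explainable=False),
    Control("mfa", "authentication", ("credential theft",)),
]

if __name__ == "__main__":
    for name, reason in brutalist_review(INVENTORY).items():
        print(f"removal candidate: {name}: {reason}")
```

Controls that survive the review are the ones to standardize on and harden in step 4; re-running the script after each environment change is the "continuously reassess" step in executable form.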
Summary
Adopting a brutalist approach means stripping security down to its most effective, transparent, and resilient elements. Remove anything that isn’t essential, auditable, or easily understood. This not only reduces complexity and cost but also strengthens your overall security posture.