Minimum Viable Security
Articles About Minimum Viable Security (Posted March 11, 2014)
At Gemini Security Solutions, we believe that all organizations need to reach a minimum level of security that is viable for their organization. This post serves as a collection of articles that describe the meaningful components of minimum viable security (MVS).
- The post that started it all: Minimum Viable Security.
- A cautionary tale about Small Businesses Under Attack that describes what happens when organizations don’t take minimum viable security seriously.
- The article Are You Prepared for a Security Breach? describes why incident response is a necessary part of MVS.
- Even startups need to take MVS into account, so they Don’t Startup On The Wrong Foot. There’s also more information about How Smart Startups Invest In Security.
- Rogue hotspots and firewalls make an appearance in Are Your Doors Really Closed?
- The danger of overdoing it with security – the opposite of MVS – is the point of Don’t Overdose On Security.
Minimum Viable Security (Posted January 6, 2014)
What is the bare minimum amount of work that can be done and still be considered to make a system more secure? What items must all individuals, all organizations, and all systems address in order to improve security? I often tell people that security is not one-size-fits-all, but what is the one-size-fits-most equivalent? What is the 20% of a minimum viable security implementation that will address 80% of vulnerabilities?
In 2006, NIST released special publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition, a series of recommendations on how individuals could secure their home computers. Weighing in at 175 pages, it was not for the faint of heart. If you stick with it until Appendix A, you’ll find this interesting quote:
Appendix A contains step-by-step instructions for implementing the most essential recommendations for securing Windows XP Home Edition computers.
After eight full chapters of detailed recommendations, a list of six simple steps is provided in the Appendix, which can further be reduced to these bullets:
- Turn on firewall
- Enable automatic updates
- Install anti-malware software (with automatic updates)
- Create non-administrative user account(s)
For me, this represents the core of a concept I’ve been referring to as minimum viable security.
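As an added illustration (not part of the original post), the following PowerShell audit maps the four bullets above onto read-only checks a current Windows host can run; the cmdlets, registry paths and the seven-day signature-age threshold are assumptions for Windows 10/Server 2016 and later with the built-in NetSecurity, Defender and LocalAccounts modules, not the XP-era tooling the post discusses.

```powershell
# Added example, not from the original post: read-only audit of the four MVS baseline items.
# Assumes Windows 10/Server 2016 or later; some checks need an elevated prompt.

function Test-MinimumViableSecurity {
    $findings = [ordered]@{}

    # 1. Firewall: every profile (Domain, Private, Public) should be enabled.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    $findings['Firewall'] = if ($off) { "OFF for: $($off.Name -join ', ')" } else { 'OK' }

    # 2. Automatic updates: AUOptions 4 = download and install automatically.
    #    The policy key (if present) overrides the default key, so it is read first.
    $auKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au = $null
    foreach ($k in $auKeys) {
        $v = (Get-ItemProperty -Path $k -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
        if ($null -ne $v) { $au = $v; break }
    }
    $findings['AutoUpdates'] = if ($au -eq 4) { 'OK' } else { "AUOptions=$au (expected 4)" }

    # 3. Anti-malware with current signatures. This reads Microsoft Defender only;
    #    a third-party product would need its own check. 7 days is an assumed threshold.
    $mp = Get-MpComputerStatus
    $findings['AntiMalware'] = if ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7) {
        'OK'
    } else {
        "RealTime=$($mp.RealTimeProtectionEnabled), SignatureAgeDays=$($mp.AntivirusSignatureAge)"
    }

    # 4. Non-administrative daily-use account: list local users in Administrators and
    #    flag whether the account running this audit is one of them.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.ObjectClass -eq 'User' }
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $findings['CurrentUserIsAdmin'] = if ($admins.Name -contains $me) { "YES ($me)" } else { 'No' }
    $findings['LocalAdminUsers']    = ($admins.Name -join ', ')

    [pscustomobject]$findings
}

Test-MinimumViableSecurity | Format-List
```

Each line of the output that is not `OK` (or `No` for the admin check) is one of the four baseline items still open on that host.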
Minimum viable security borrows from the concept of minimum viable product (MVP). At its core, the MVP concept means investing only the minimum effort needed to prove the viability of an idea. Take for example Uber, the smartphone app / transportation network startup. At first, Uber offered one application (on iPhone), and one transportation option (the black car). That was the minimum viable product to get their service off the ground. Now, the Uber app is available on iPhone, Android, and anything with a mobile web browser, and offers up to three transportation options – uberX ride sharing, black car, and black SUV. Uber didn’t need universal smartphone compatibility and three different transport options to launch… but they did need one app, and one transport. Otherwise, Uber would have just been a neat idea that was impossible to implement, like the Amazon Prime Air drones.
I think the above bulleted list might actually be close to true minimum viable security. There are a few items that I think need to be added, since not all systems are Windows XP Home Edition, and we’ve learned a bit in the last seven-plus years. So, add your suggestions in the comments over on the Security Musings blog and let’s see what else makes the cut.
Firewalls, patching, anti-malware, limited privileges… What else should be considered minimum viable security?
In my next article, I’m going to discuss the value of minimum viable security, and how the very concept of minimum viable security freaks out security professionals – including some of my coworkers.