Security sucks. No doubt about it. It's a cost factor, a resource drain, and does not provide any immediate benefit. It creates hurdles, inconveniences and complications. The same goes for driving licences, speed limits, insurance and any other kind of regulation. Security sucks like the nuclear power plant in view, the wind turbines or motorways within hearing distance or any kind of vaccination. However, while we all agree (don't we?) that the existence of driving licences, speed limits, motorways, insurance, nuclear power plants, wind turbines, vaccinations and even "security" is justified, we feel that, ideally, it should not directly affect or impact us. NIMBY ─ "not in my backyard".
From the zillions of discussions we've had since the deployment of the new outer perimeter firewall, the new mail quarantining appliance and, with it, the roll-out of new antispoofing measures and the recent activation of two-factor authentication, it's clear that NIMBYs also exist in our community. Blocking malicious top-level domains? Yes, but don't block the webpage of my personal yoga trainer. Protecting against impersonation? Sure, but don't touch my private emails sent to my professional @cern.ch email address. Two-factor authentication? Great idea, but please don't start with my department. And we have many more examples, with some even suggesting that we are intentionally inhibiting CERN's functioning, hate certain users (communities) and do not deserve to get any promotions this year.
If, however, we want to protect CERN and to have a decent level of security, we cannot avoid deploying a certain set of computer security measures: defence-in-depth, network segregation, firewalls, intrusion prevention, SPAM and malware filtering, endpoint protection, strong passwords and two-factor authentication, secure software development mechanisms, business continuity and disaster recovery planning. And they all come with inconveniences. They reduce flexibility and spontaneity. They create choke points (e.g. firewalls, mail filters, software scanners) with security controls to distinguish good from bad. Like fuses, water filtration, traffic lights, cashiers or border control. And it would be hilarious and/or unfair to argue that "some animals are more equal than others" and to provide them with exemptions, derogations or any other kind of exceptions. No NIMBYs.
The same goes for CERN computer security. Security paradigms and deployment mean following a simple priority list: high-risk areas first, critical functions first, internet-facing services first, professional business first. Everything else is secondary and must follow the rules for the "firsts". Ideally with no exceptions as they might lead to security bypasses or introduce weaknesses or vulnerabilities. A dedicated cybersecurity audit confirmed our strategy and requested that we enforce it more thoroughly (more about this in a future Bulletin article). So, bear with us, if your login takes a little longer, while some of your colleagues can still "enjoy" one-factor authentication. Bear with us, if your personal emails got quarantined as they are violating industrial standards and are released only later. Bear with us, if your software compiles with (too) many error messages and requires fixing before you can use it. Sorry, NIMBYs.
Security sucks. Indeed. But the alternative sucks even more. Reinstalling your laptop. Exposing all your emails. Losing all your documents. Sabotaging your system, service or experiment. Ransomwaring the Organization. Stopping CERN from working. For a looooong time. Hence: RIP NIMBYs.
