Complexity is the enemy of security. Simple systems are inherently more secure than complex solutions. We see this idea validated again and again in security.
Unfortunately, our IT systems are getting more and more complex as we depend on technology to fuel business growth and innovation. But do we really need to expose ourselves to ever-increasing complexity? Surely, in security, less is more.
In my daily life, I try to minimize the amount of unnecessary exposure to risk. Most security professionals do that. I avoid giving out personal details unless absolutely necessary. When asked for ID to enter a building, I give out my British driver’s license, not my New York licence. I started doing this after a few instances where I handed over my N.Y. ID only to have it scanned into a database without my permission. Once dipped into the scanner, my ID number and a whole host of other information were in a database of unknown security. Both British and N.Y. ID establish identity, but only the N.Y. ID number is used by U.S. banks as a unique individual identifier. Also, I doubt the British ID can be scanned in the same scanners.
I sometimes get asked for a Social Security number by someone who clearly has no valid reason to ask. The most ridiculous example of this was a neighbourhood dry cleaner that used the SSN as a convenient “customer number” in its database. In cases like those, I provide a fake SSN (my phone number, minus one digit) — easy to remember, useless if compromised. Less information about me floating around equals more security for my identity.
I’d really like to see the minimization posture adopted by more software and possibly more business processes, too. Rather than worrying about how to secure information, don’t collect it unless absolutely necessary. As a user, whenever and wherever you can, avoid giving out information or give out “identity placebos.” Less is more.