Keep Security Simple

How do you keep security simple? One way is to break security down to discrete objectives:

1. Keep services running and info away from attackers. // Deny access by default
2. Allow the right users access to the right info. // least priviledge
3. Defend every layer as if it were the last layer of defense. // defense indepth
4. Keep a record of attempts to access info. // audit logs
5. Compartmentalise and isolate resources as much as possible.
6. Don't make the same mistakes that everyone else makes.
7. Don't let the aforementioned objectives cost too much.

Adopted from the book Assessing Network Security by Ben Smith, David LeBlanc, Kevin Lam.