Checks and Balances — Risks vs Mitigations

Lately, you probably heard many people talking about “checks and balances in government” without knowing what exactly they are. I’m no expert in politics so I don’t know what such things are either. However, it got me thinking about two very different approaches regarding the security of intellectual properties (IP).

A Tale of Two Companies

Company A has a policy of banning the use of personal GitHub repository for work. It subscribes to surveillance services to monitor for leaks of IP. However, company IP keeps on being made public through personal repositories, pastebin.com and alike. Security Operations Center (SOC) keeps on having to send take-down notices to take down those leaks.

Company B had decided not to ban such actions, and (hopefully, because I’ve not asked the questions yet) instead instils checks and balances by understanding the risks and do something about it.

Actions and Reactions

Sir Issac Newton said, “for every action, there is an equal and opposite reaction.” It’s true in physics, but just like physical forensics are not the same as computer forensics, it requires active effort to make it true in computing. Therefore, I say, “for every risk, there must be an equal and opposite mitigation.”

How to Play

Well, now it’s time for me to show you a table with Actions, Reactions, Risks, and Mitigations. However, Medium doesn’t do tables, and I don’t want to use a screenshot or call in gist/airtable which will break this post should they go down (you should never build a service that relies on multiple clouds, e.g. AWS API Gateway backed by Azure Databases; you should build a service cluster that uses each cloud provider as one of its members) so I’ll leave you with this: