The New Iron Triangle: Security, Privacy, and Convenience

By: Brian Cardarella

If you have not heard of The Iron Triangle here is the basic idea: in a software project you generally have three constraints: time, money, and quality. If you need the project done more quickly but maintain quality you will need to increase the budget. If you want to increase quality you will need to either increase the time or increase the budget. It basically means that no contraint can be changed without there effecting any of the others. The total area of the triangle remains the same, the lengths of the sides change to maintain this and reflect the priority of each.

This concept is not just for software projects, it is just where I hear it the most. Let me introduce you to a new iron triangle: security, privacy, and convenience.

Imagine the a government agency is providing a service. One criticism that government software always gets is how inconvenient it is. There are different levels of authentication that people must go through to active accounts and the data that one agency has is sometimes not in sync with what another agency has. Imagine how simple signing up would be with less security. I could have everything linked to an email account. Of course this is rediculous and not going to happen but it is one constraint we could give up. Another more realistic constraint is privacy. It is very understandable that people are concerned about their privacy especially when it comes to government. But consider how much easier and more cost-effective it would be to build out government systems if a single-sign-on solution existed. Instead of a social security number everybody gets their government issues account that is accessible by every agency. This would be far more effecient and convenient. Odds are neither the security or privacy constraints will be relaxed for government run software so expect it to continue to be inconveient.

A more secure system will have to give up on conveience but can go either way on privacy. Two-factor authentication is far less conveinet but far more secure. More and more systems are implementing 2-factor authentication, but it is annoying for me to give my cell phone number. One could argue either way about privacy. Is a system less secure with your personal information breing stored or is it more secure because you can personally identify your account later?

I’d like to get some feedback on this. If you agree with this idea or not let your voice be heard!