If it isn't simple, it isn't secure. Almost a security truism, yet we still build layer more and more complexity into our applications and servers and wonder why they have security problems.\nInstead of adding application security tools to try to figure out if a system is secure, why not simplify the application and platform until it is self-apparent that it is secure?\nIn part 1 of this series, I introduced the notion of building the Internet of Security Things (or Internet of Secure Things) based on the notion of building secure systems from simple components connected by dedicated, secure network segments (greynets).\nPassword protection problems again\nThis past week, the flood of security breaches has continued with a breach at Scottrade and yet another password exploit on the Outlook mailserver. The first proposed "security thing," called an "Oracle," that I posed last week could have protected those passwords by isolating the access control portion of the mail application.\nEt tu, football?\nIf you've watched television this past couple of weeks, it has been hard to avoid the ads for fantasy football wagering. A particularly interesting security problem is emerging in the hot daily fantasy sports businesses FanDuel and DraftKings .\nThe problem is similar to stock brokerages or hedge funds "trading ahead" in the recent high frequency trading incidents.\u00a0Insiders at the wagering firms can see player picks before anyone else and they are using this information to make bets at the other sites.\nEscrows and blind systems\nWhy does this happen? There is no reason for anyone at the sports wagering company to have access to this information prior to its public disclosure for everyone to resolve all of the wagers. One option would be to have the system work in a peer-to-peer fashion, but a simpler escrow or blind system where no one has access to the system's internal state is also effective.\nAnd this can work in other, more familiar applications.\nThe Sony Pictures Entertainment email breach in November 2014 disclosed personal information on employees and tons of email.\u00a0It appears the hackers used an IT administrator's account to break into the companies networks and applications.\nIt is a "convenience" that IT staff has acccess to the contents of databases and email servers, but there is really no reason for them to do so. Edward Snowden's disclosures were\u00a0also do to a traditional, but vulnerable IT architecture where IT staff are trusted.\nThis is not necessary.\nAnd, as these incidents have shown, certainly not desirable.\nAccording to a report by Intel, 43 percent of data breaches are carried out by insiders either intentionally or not. I'm sure that many more breaches are due to hackers masquerading as legitimate users.\nPhishing and spear-phishing turn outsiders into privileged insiders.\nBut do insiders really need all the access they have?\nIn many cases, users need to operate on data, but not "see" the data's contents.\nMail administrators shouldn't really need to be able to read my mail to administer my account on a server.\nBusinesses may need to have use of my personal information, but it could be protected by an "escrow" entity who holds it in trust and has a vested interest in the protection of my data.\nThis isn't some new-fangled fantasy. Direct marketing mail lists are owned and controlled by one company with access leased to companies who can use and query the list list without direct access to it.\nAvoiding the security services trap\nOne of the common architecture approaches for security is to create separate "security services." These dedicated pieces of security functionality, such as access control and encryption, have, in some cases, had the effect, of making security weaker by making it easier to strip off. An attacker wins if they can get through or around the security service.\nA "secure things" architecture integrates security functionality into many of the architecture's components. These components provide building block business functionality in a secure fashion that is appropriate to themselves. Much as with traditional good architecture, these components are "loosely coupled and high coherent".\nStill more secure things to come\nAn escrow or blind system along with oracles are powerful tools for composing secure business systems from basic components. They are just a start with more to come in the next part of this series. I'd love to hear your thoughts on implementing security through simplicity.