In many publications about computer security, the term best practice appears prominently and repeatedly. It's a way a developer, analyst, or other expert can succinctly say, "This is what I recommend to keep yourself out of trouble or what's generally recommended in the industry." More often than not, the best practice is simply the most secure option — which is to say the most restrictive.
The problem with best practices is that they usually presume a single course of action is best for everyone. As this chapter shows, that isn't the case. What's best for an individual user at home, an executive traveling with a laptop, and a system administrator managing a rack full of Xserves in a corporate data center may be very different. And what I consider a fair balance between security and convenience may seem too weak or too burdensome to someone else.
That's not to say you should disregard best practices. Far from it. You should certainly know what experts recommend, what companies consider safe behavior, and what the consequences of ignoring that advice may be. But blindly following best practices doesn't ensure security, and the choices you face are too complex to be distilled into tidy proclamations. You're far better off understanding your range of options and the pros and cons of each and then making your own decisions.
Granted, you may not always have a choice. If you're required (by your employer, a client, or industry rules) to ...