Skip to main content

Lessons Learned

Purpose

This page captures key insights derived from the design, operation and evolution of Scheol Security Lab.

The objective is to:

  • document practical lessons from real decisions and constraints
  • improve future design and governance choices
  • support a more mature and realistic security approach

Key Lessons

1. Security issues are often structural, not technical

Early design decisions (e.g. service co-location, direct administrative access) created more risk than individual technical weaknesses.

Addressing these issues required architectural changes, not only hardening.

→ Security must be considered at the architecture level first, not only at the configuration level.

2. Visibility is as important as protection

Initial focus was placed on hardening and exposure reduction.

However, lack of centralized logging made it difficult to:

  • detect abnormal behaviour
  • understand incidents
  • validate control effectiveness

→ Without visibility, security controls cannot be properly assessed.

3. Administrative access is a critical attack surface

Administrative paths were initially treated as a convenience rather than a security boundary.

This created risks related to:

  • uncontrolled access paths
  • lack of traceability
  • exposure of privileged credentials

→ Administrative access must be treated as a high-risk architectural component.

4. Perfect security is not achievable - explicit trade-offs are required

Several design choices (e.g. VPS co-location, snapshot-based backups) were accepted temporarily due to constraints.

These decisions are:

  • documented
  • linked to risks
  • tracked as security debt

→ Security maturity depends on making trade-offs explicit, not avoiding them.

5. Documentation is part of the security system

At early stages, documentation lagged behind implementation.

This created:

  • lack of traceability
  • inconsistent understanding of the environment
  • difficulty in reviewing decisions

→ Documentation is not a by-product - it is a core security control.

6. Consistency matters more than complexity

Introducing tools or mechanisms without a consistent model reduced clarity.

Progress required:

  • simplifying structure
  • aligning documentation
  • enforcing consistent logic (risk → control → validation)

→ A simple, consistent system is more effective than a complex, fragmented one.

Current Maturity

At the current stage, lessons learned are considered emerging but meaningful.

Established

  • identification of key structural and governance issues
  • linkage between lessons and real design decisions
  • alignment with documented risks and improvements

In Progress

  • systematic capture of lessons during evolution
  • better integration with improvement workflow
  • stronger linkage with audit and evidence

Planned / Next Phase

  • formalisation of lessons after major changes or incidents
  • reuse of lessons in design and risk modeling
  • integration into continuous improvement cycle

This page reflects a shift from ad-hoc learning to a more structured and reusable knowledge base.