Closing the gap between Security and Usability

I want to kick off my personal blog with the struggle that intrigues me the most in modern day end-user computing. The matter of security versus usability. This matter is as old as time itself (well, modern time that is), but becomes more and more of an issue in present-day IT. The essence of IT in my opinion is enabling people to work anytime, anywhere on any device. Tell me, what is more beautiful than empowering hundreds of employees to do their jobs on a daily basis? We (The IT Crowd) create direct value for the organization!

Unfortunately there is always this area of tension in IT-projects with security on one hand and the usability on the other. Users want to roam freely and security wants everything and everyone behind closed doors. I came across this struggle multiple times in various IT-projects. It doesn’t matter which project (mobile device management, the introduction of new devices, user collaboration software, etc.) because the struggle is always there more or less.

We want to create a secure working environment that fulfills the needs and expectations of the user community. In other words: How can we close the gap between security and usability?

 

Security

The traditional way of thinking from a security point of view is to secure everything that even comes close to the workspace. In the old days security was about building a high, firm wall around your IT infrastructure. This would keep intruders out and all the data safely inside and under your control. But times are changing, we’re streaming our music, we create alternate realities, we trade digital currency and cars are flying (why the hell aren’t cars flying yet?). Nowadays the old castle, high wall and moat, approach is more like a playmobile castle than an mythical building from Game of Thrones. If you stand in front of the castle it looks solid and impenetrable, but the back of the castle is completely open.

“Work is no longer a place” is a popular phrase these days. But it’s spot on when describing the new way of working. Securing only IT infrastructure is not the way to go anymore. To secure the new way of working we have to look beyond these boundaries. We have to secure our applications and data instead of only the physical hardware and datacenters.
Applications can be delivered from other sources than our own datacenter. More and more application run in the cloud and are managed by a vendor. These applications are called SaaS (Software as a Service) applications. Companies normally haven multiple SaaS applications from multiple resources integrated in the workspace.
Employees can often choose their own devices instead of using company owned devices. This concept is called BYOD (Bring Your Own Device) and is used by many companies. People work with company applications and data on private owned devices.
Using SaaS and BYOD result in a proliferation of data and storage locations. Employees use personal cloud storage, personal e-mail and unsecured USB-sticks to process company data. Yes, they do. And you can’t do anything about that, it’s 2018.

Today’s security is tight because the risks are high and modern IT is driven by fear. The worst nightmare for companies is a data breach with the loss of vital data. Nowadays it’s more attractive for criminals to gain digital access to your company than unauthorized physical access to the building. Data is money. Besides that, a data breach could be the end of the company. You could spend years building a company and working on relationships with customers. That trust (and your business) could vanish within one day after the national newspapers published the article about the data breach.
Also with the recently active GDPR regulations in Europe you risk ridiculously high fines if you don’t have a tight shut security policy.

Data, applications and devices are no longer within the walls of the company or in the datacenter. This new concept of work demands a new type of security perimeter. A software defined parameter that is flexible to adapt to the ever changing world we live in.
With a software defined perimeter a company can manage security on many levels. Each level with different settings and different dependencies. It is with this new complexity that every action regarding security affects the user environment.

 

Usability

On the other end of the spectrum we have the user community. Or representatives for the user community in a project group. Their first priority is to work efficiently and they don’t want to worry about anything other than their work.

We live busy lives, or we like to pretend we do. Slowly our working life and private life merge into one. We take the kids to the day care, participate in the spinning class at the local gym, do some grocery shopping, clean the house and work eight hours. All that in one day. People are used to make their own planning throughout the day. They work when they want to work.

The development of consumer electronics and technical innovations raise the bar on expectations from the user’s perspective. Products like Google Home, Apple Pay and augmented reality have clouded the standard for business IT in the eyes of the user. A user wants to use technology exactly in the same way at work as they do at home. With the good internet connections which people experience on mobile devices they expect always-on connectivity in the palm of their hand. New consumer technology is really pushing the boundaries of what users expect in work scenarios. They often mistake consumer technology for a business standard.

 

Create value, not confusion

We discussed both security and usability and treat them like they are contrary aspects, but of course they are not. The one simply cannot exist without the other. They eventually serve the same purpose: enabling people to work anytime, anywhere on any device. Now back to our context of working in an IT related project. Within an IT project a common goal has been set. That common goal should be the factor that brings all the different sides together.

If security builds an extremely secured workplace with everything shut tight it is an unworkable situation for end users. No more freedom of devices, no more Saas applications and eventually no healthy balance in work and private life.
If the workspace is completely open and users can do whatever they want there is no control on data, the data is scattered everywhere and the risk that users turn to unsafe data resources is high (shadow IT). An ideal workspace is the best of both worlds.

Unfortunately there are no golden rules to make the perfect workspace and keep security and the user community satisfied. Every company is different and the security strongly depends on the branch in which the organization is active and the sensibility of the processed data. Nevertheless there are some points that could be taken into consideration to take away the tension.

  • Create a clear vision on IT
    The organization should have a clear vision on IT and its employees should be aware of it. The company is more efficient when the data is classified in different categories and everyone knows how to handle sensitive data. When employees are aware of the policy regarding BYOD and SaaS applications they know that they can aspect from future developments within the organization.
  • Be sure to have security in order on infrastructure level
    The base should be secured. All IT components in place (internet- and non-internet facing) and connections should be secured. Security should not be an problem in a (relative) short term IT project when you can fall back on a strong base security. When running an IT project the current infrastructure should not cause any barriers or surprises.
  • Use a software defined parameter
    Apply security on data and application level. Don’t try to control all devices and do not try to rely on the traditional security method of the datacenter castle with the high walls and moat. Design security policies from a data point of view instead of a datacenter point of view. Use the software defined parameter to adapt to changes and stay secure in the hectic always changing environment that is IT.
  • Create a mutual understanding towards each other
    Explain and accept the struggle that both sides endure. The risk of a data breach is high and consequences are enormous. The user expectation is outrageous due to the technical development of consumer electronics. You cannot do anything about that, deal with it.
  • Take the users seriously
    Information is all around us. ‘To Google’ is a verb. People can store everything anywhere. When users have the feeling that they’re not heard they will find other ways to work as they please. This will cause Shadow IT.
    When decisions are made that have a negative influence on usability, explain the user community why this decision had to be taken. Create acceptance among the user community by telling them which consideration had to be made and why this specific choice was made.
    When a security risk cannot be covered because it makes an application or service unworkable then you mustn’t be afraid to leave some responsibility at the users. Communication is key with the user community.

In the end an IT project is not a working for your departments own gain but a collaborating process towards a common cause. If everyone looks at the bigger picture security and usability enforce each other in a better workspace.

One thought on “Closing the gap between Security and Usability

  1. Great article. This is always an issue.
    My problem is that IT can deliver a secure workplace. But users do not always accept it. This is than also not backed by the business leaving our policies open to discussions. And if not careful will lead to an less secure workplace.

    We try to listen to our users. And give them other, more secure, options to do their job.
    But find ourselves overruled by the business because working securely is not a way of thinking. It is just working. And not thinking about the consequences of their actions.

    This is always a “fun” battle.

Leave a Reply

Your email address will not be published. Required fields are marked *