One of the longest-running discussions in the history of computing is that good security necessarily has a negative impact on usability. I am here to show that this is simply not true. Usability and security are not two sides of a coin; they go together and can in fact complement each other. Good usability can improve security, but it often needs more thought and better tools.
Any IT system, whether internally facing or integrated with external web services, has many layers at which human-computer interaction happens. Creating a good user experience (UX) means making those interaction points usable. At the same time, security has to be a central factor in how they are configured and set up. This is especially true in a landscape of heightened threats and a large attack surface created by web exposure. Achieving good UX within a secure environment results in sound data governance and increased productivity.
United Security Providers know the security/usability conundrum well, and we have designed version 5 of our USP SES to offer a holistic approach to reconciling security with usability. The new version covers all the requirements needed to create usable yet secure use cases across your enterprise web applications.
We can illustrate our argument by using examples where good security actually creates good user experience and vice versa.
Authentication
The humble password has caused more security issues than probably any other area across the extended enterprise. And yet it persists. Password weaknesses are, let's face it, behind many of the hacks we have seen in recent years; hacks that often begin with a spear-phishing campaign that results in administrators' usernames and passwords being stolen. Passwords for the wider user base of a system are even harder to keep under control. So how do we square the circle of password insecurity versus usability?
Let's look at the use of a password policy to enforce password strength. The obvious step would be to make passwords longer and more complex, for example a mix of capital letters, lower-case letters and numbers. This would make brute-force attacks much more difficult to perform. However, the benefit of password complexity is offset by a number of forces:
A Ponemon Institute study found that up to 70% of people (depending on location) forgot a password if it was long and/or complex. This puts a lot of strain on online recovery and help-desk calls, for a security benefit in a single area of concern.
In another study, by Janrain, respondents were asked whether, having forgotten a password, they would recover it or leave the site; 90% stated they would just leave the site.
People write down or share passwords: in a study at Berkeley University, at least 40% of respondents wrote passwords down at least sometimes, or often.
And increasing password strength does not prevent:
- Phishing attacks
- Key logging and screen scraping
- Attacks on your database
Today, there are many tools available that give you a great UX while maintaining security. The USP Secure Entry Server® lets you increase productivity whilst ensuring security. It leverages Windows account Single Sign-On (SSO) and can be extended to inter-organization SSO through federation. Second-factor and even risk-based authentication give enhanced login security and can be combined with SSO to achieve the right mix of usability and security. But again, adding a second factor potentially compromises usability, so choosing the right second-factor method for the right environment and user type is essential to getting the security/usability balance right. USP SES lets you choose from a number of second-factor options, including RSA SecurID, SafeNet, X.509 certificates, mTAN and, newly, Google Authenticator, so you can be sure you have the right tools for the right user type.
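Google Authenticator implements time-based one-time passwords (TOTP, RFC 6238). The verifier below is an added example, not code from USP SES or from this post; it uses the RFC 4226 test key rather than a real credential, and the `skew_steps` and `last_used` parameters are this example's own names. It shows the usability/security trade-off concretely: a wider clock-skew window tolerates drifting phone clocks but enlarges the set of codes accepted at any moment, and tracking the last accepted counter stops a phished code from being replayed inside that window.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 test key "12345678901234567890" in base32; a demo value, not a real credential.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int, last_used: int = -1,
                skew_steps: int = 1, step: int = 30, digits: int = 6):
    """Return the accepted time-step counter, or None if the code is rejected.

    skew_steps: how many steps either side of 'now' to accept. Each extra step helps
    users whose phone clock drifts, but also widens the window in which a guessed or
    phished code is valid (with one step of skew, three codes are valid at once).
    last_used: the highest counter already accepted for this user; a code whose
    counter is not newer is refused, so a code that was already consumed cannot be
    replayed within the skew window.
    """
    base = int(at_time) // step
    accepted = None
    for delta in range(-skew_steps, skew_steps + 1):
        counter = base + delta
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            accepted = counter
    if accepted is None or accepted <= last_used:
        return None
    return accepted
```

A server would persist the returned counter as the user's new `last_used` value; widening `skew_steps` beyond one or two is where usability gains start to cost real security.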
Business Applications and Web Portals
One of the areas that requires real and urgent attention in terms of security is enterprise applications with touch points out into the Cloud. The Cloud has massively improved usability by allowing access from anywhere. Well-designed, modern Cloud-based interfaces have also given us a great UX. But the Cloud has also created many security implications by expanding our attack surface up, away and beyond the clouds.
When internet-based data communication comes into play, security becomes more complicated. This can result in a more stringent, locked-down interface with complicated access control. Again, Single Sign-On, or its cousin federation, can come to the rescue, allowing seamless authentication between Cloud applications.
Similarly, SSO can ensure that the usability improvements afforded by Bring Your Own Device (BYOD) technology do not also open up security holes in your organization.
Preventing web attacks via web-facing portals doesn't need to create a poor UX either. Background monitoring and analysis of threats mean you can retain a highly usable interface whilst securing the backend. Web Application Firewalls ensure that common web attacks such as XSS, SQL injection and CSRF are handled without compromising the user interface of any web-based application.
The Web Application Firewall (WAF) offered by USP SES is designed so that administrators can more easily spot security issues and prevent breaches from becoming security events. With our state-of-the-art administration console, easy-to-read monitoring and real-time analytics, web threats can be spotted and contained.
The Compliance Conundrum
Data protection laws and regulations can be onerous, and our reaction to them is often to lock everything down to within an inch of its life. But as mentioned previously, making things seemingly more secure can have usability consequences. If something is so complex to use because it has been made extremely secure, then it won't be used; it may even drive some clever employees to circumvent the security in order to use it. This results in poor practices that take you outside the compliance requirements.
Sometimes this issue can be resolved through user awareness and an understanding of how the security measures operate. But often it is the security measures themselves that diminish productivity and create working practices that are themselves insecure. Getting the balance right prevents accidental compliance mistakes, which is why USP SES places so much emphasis on the seamless and usable design of its administration console and the solutions that can be realized with it. Encouraging administrators to administer security properly reduces mistakes and encourages good practice.
Security + Usability = Good Design
USP SES encompasses a state-of-the-art Web Application Firewall, Single Sign-On, federation and all aspects of these, including authorization and authentication options. By taking a holistic approach to security, whilst providing usable systems both for the administrators applying the security settings and for the people using them, you can ensure a best-of-breed approach to your enterprise security infrastructure.
This balance is achievable, but the right mindset and the right tools need to be used in equal measure to achieve it. Our highly complex, extended enterprise has to reduce the complexity of its underlying design. We can do this with a USP SES approach. Pulling all the parts of a robust security strategy together means improving the usability of authentication through SSO or federation while improving its security with a second factor. Add the monitoring and threat analysis offered by the WAF component, and you have a rich, holistic approach that lets your organization have security and usability working in harmony.
The bottom line is that if your security seriously impacts usability, then chances are it has not been done correctly, and at worst it can actually make the system you're securing less secure: something no one can afford. And as we have succeeded in bringing security and usability together in the new USP Secure Entry Server®, we are sure that our product will convince you too.