Usability is pervasive. Not just in high tech, but in daily tasks ranging from taking out the garbage to doing the dishes. Wheeled garbage cans and dishwashers provide big improvements in efficiency by being more usable and user-friendly than their predecessors. However, sometimes usability can compromise quality. For example, a frozen waffle from a box is never as good as a homemade waffle. But who has time to make the batter and heat the waffle iron (never mind the cleanup)? So, we bring out the toaster and make a quick breakfast that’s more convenient, even though we can make a tastier, healthier waffle from scratch.
As with waffles, so goes our experience in information security. We are forever striking a balance between usability and security, and usability almost always wins. The web application that took 18 months and $1M to get from design to deployment will be launched whether it’s filled with security vulnerabilities or not. And if our fancy VPN solution is hindering adoption among users, then we’re going to have to make access easier, regardless of security concerns. Usability typically trumps security, but it doesn’t have to.
As the world has become increasingly digital, users are demanding seamless, frictionless access to applications and data, regardless of location or device type. Users have become accustomed to accessing data this way in their personal lives, and now also demand it when accessing corporate resources. Nowhere is this more evident than in the trend we call BYOD (bring your own device). Users want to use whatever device they’d like—corporate laptop, personal smartphone, or tablet—and have the same user experience across all platforms. Not only that, they’d like that experience to be uniform whether they’re on the corporate LAN, in their homes, or on a business trip overseas. Further complicating matters, those application and data resources may live in our data centers, in the cloud with a SaaS provider, or just about anywhere else.
Gone are the days when we can impose extra “hoops of fire” like VPN tunnels. Users are already complaining that they have too many passwords, and they’re tired of having to sign in to each resource. The traditional methods for remote access are becoming obsolete, and that trend can be traced back to growing awareness of the User Experience (UX). UX is often mentioned in the context of a User Interface (UI), but only recently has UX become a topic of conversation in security circles.
These growing UX demands require a new approach to security—one that can’t be driven by data center perimeters or even the concept of remote access. We must consider that any location is valid for both users and resources, and we must work to preserve a uniform user experience regardless. So, in place of data centers, let us consider identity, and in place of remote access, let us consider access management.
We have the ability to assert identity for remote employees and customers accessing apps from the Internet. We can enable functionality such as single sign-on (SSO) without requiring a VPN client—or anything other than a web browser. These tools also enable us to determine a user’s location and their level of privilege. They enable us to federate that user’s identity to other data centers and services via protocols like SAML, OAuth, and OpenID. Leveraging these tools requires extra planning and integration work, but it achieves the effect of improving usability. Efficiency and productivity are often improved right along with usability.
So, the next time we’re rolling out a new web application, we must spend the time to consider identity as the perimeter, rather than the data center. From there, it’s all about access management, because no location is truly remote any longer. Like that homemade waffle, integrating applications with more seamless access management may get messy and take some more work, but if we plan ahead, the benefits are significant, and usability improves without compromising security. Just like freezing a big batch of those homemade waffles on Sunday.
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on InformationSecurityBuzz.com, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.