The reason the security-usability balance is often difficult to achieve is that the stakeholders have different opinions about what's important. While vendors of IT security solutions try to protect users' interests, the majority of users aren't convinced security measures are necessary, especially if they hamper what they are trying to do.
Until the proponents of security solutions truly understand this, progress will continue to be slow. So argues Adrian Davis, principal research analyst at the Information Security Forum (ISF), an independent, not-for-profit organization based in the UK that provides guidance on all aspects of information security.
Nowhere is the situation more acute than in a mobile context, where busy people need to access content and services with maximum ease and speed, and with minimum fuss.
"Even when it comes to banking or their Facebook accounts, the majority of people don't worry about security," Davis argues. "They're much more interested in pushing the boundaries of what their smartphones can do. Also, many assume that if they're buying something via the app store, over a national mobile network, security will be inherent."
Generations that have grown up with Amazon and online banking are already used to entrusting sensitive information to Internet channels. Transferring these activities to the mobile medium feels comfortable, whatever the warnings about security risks. This puts the onus back onto the service providers and device manufacturers to make security more seamless.
In a work context, users' concerns about risk are even less pronounced, Davis adds. Again, security is seen as a barrier to productivity, particularly if the employee is trying to view critical content remotely. Often, the employee must use a designated laptop and secure VPN connection, with unintuitive passwords and timed-out access. "Everything about these measures goes against the way users want to work," Davis says.
Realizing this, security developers are trying to reduce the number of sign-ons employees have to go through to get into core systems. Advanced identity management and single sign-on solutions mean that users are required to enter only one password for access to everything they need. This is happening increasingly on the Web as complementary sites become better connected.
Context-based access rights
Defining personalized access rights according to who the users are, their role and where they are connecting from is another way to extend greater freedom to them.
"The ability to provide different levels of access for different users is important," says Bob Tarzey, a service director at UK-based IT analyst organization Quocirca. "It makes sense to restrict the activities of call centre agents, for example, so that they only need access to limited applications. But if you're trying to control Internet access for sales people who may be out on the road and working 15 hours a day for the company, that would be unreasonable and counterproductive."
One approach would be flexible, context-sensitive security management, as enabled by advanced data loss prevention (DLP) systems. "So if I'm trying to copy sensitive customer data onto a mobile device, I'm prevented. Whereas if it's a spreadsheet or Word document, I can download it," Tarzey explains.
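The two ideas above, access rights defined by who the user is, their role and where they connect from, and a DLP rule that blocks sensitive customer data from going to a mobile device while letting an ordinary spreadsheet through, can be expressed as a single context-aware policy check. The following is an added illustration written for this page, not code from the article, the ISF, Quocirca or any vendor; the roles, applications, classifications and device types are constructed values, and the policy decisions they encode are assumptions chosen to mirror the examples in the text.

```python
"""Context-based access decision combining role, connection location,
device type and data classification (DLP).  Added example with constructed
policy data; the policy values are assumptions for illustration only."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str            # e.g. "call_centre", "sales", "finance"  (constructed)
    location: str        # network the user connects from: "office", "vpn", "public"
    device: str          # "managed_laptop" or "mobile"
    action: str          # "view", "download", "copy_to_device"
    classification: str  # "public", "internal", "customer_pii"
    app: str             # application being accessed


# Constructed entitlement table: which applications each role may reach at all.
# A call-centre agent gets a deliberately narrow set, as Tarzey describes.
ROLE_APPS = {
    "call_centre": {"crm_ticketing", "knowledge_base"},
    "sales": {"crm", "email", "intranet", "knowledge_base", "expenses"},
    "finance": {"ledger", "email", "intranet"},
}

# Roles that are normally desk-bound are confined to the office network;
# roles that travel (sales) may connect from anywhere.  Constructed assumption.
OFFICE_ONLY_ROLES = {"call_centre"}

# Constructed DLP table: the most sensitive data class that a given
# (device, action) pair may touch.  Copying customer PII onto a mobile device
# exceeds the limit and is refused; an internal spreadsheet does not.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "customer_pii": 2}
MAX_RANK_FOR = {
    ("managed_laptop", "view"): 2,
    ("managed_laptop", "download"): 2,
    ("managed_laptop", "copy_to_device"): 1,
    ("mobile", "view"): 1,
    ("mobile", "download"): 1,
    ("mobile", "copy_to_device"): 1,
}


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason).  Default is deny: anything the tables do not
    explicitly permit is refused, and the reason is returned so the user can
    be told *why* rather than just blocked."""
    if req.role not in ROLE_APPS:
        return False, f"unknown role {req.role!r}"
    if req.app not in ROLE_APPS[req.role]:
        return False, f"role {req.role} is not entitled to {req.app}"
    if req.role in OFFICE_ONLY_ROLES and req.location != "office":
        return False, f"role {req.role} may only connect from the office network"
    if req.classification not in SENSITIVITY_RANK:
        return False, f"unclassified data {req.classification!r} is not released"
    max_rank = MAX_RANK_FOR.get((req.device, req.action))
    if max_rank is None:
        return False, f"action {req.action} is not defined for device {req.device}"
    if SENSITIVITY_RANK[req.classification] > max_rank:
        return False, (f"DLP: {req.classification} may not be {req.action} "
                       f"on a {req.device}")
    return True, "allowed"


if __name__ == "__main__":
    # Tarzey's two cases: customer data to a phone is blocked, a spreadsheet is not.
    for r in (
        Request("alice", "sales", "public", "mobile", "copy_to_device", "customer_pii", "crm"),
        Request("alice", "sales", "public", "mobile", "download", "internal", "intranet"),
        Request("bob", "call_centre", "vpn", "managed_laptop", "view", "internal", "knowledge_base"),
    ):
        print(r.user, r.action, r.classification, "->", decide(r))
```

Two design points are worth noting. The default-deny shape means a gap in the tables fails closed rather than open, so a forgotten device type or action does not quietly become an entitlement. Returning the reason alongside the verdict is the usability half of the bargain the article is about: a user who is told "customer data may not be copied to a phone" can change what they are doing, whereas a silent block teaches them only that security is in the way.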
Ultimately, shielding the user from security mechanisms without compromising sensitive data demands greater complexity under the surface. This, in turn, demands more cooperation between device manufacturers, security software specialists and those running the networks.
This would help support a more integrated, multi-layered approach to security, applied within the network, but also at a device and application/data level.
Frank Stajano, a senior security researcher at Cambridge University, warns that security engineers need to develop a greater understanding of users if they want to achieve a real breakthrough in restoring usability. He concludes: "Those who think they can enforce behavior that is fundamentally contrary to human nature will not only annoy and alienate their users but also fail to achieve their goal."
The contents or opinions in this feature are independent and do not necessarily represent the views of Cisco. They are offered in an effort to encourage continuing conversations on a broad range of innovative technology subjects. We welcome your comments and engagement.
We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.