At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever.
451 analyst Adrian Sanabria speaks on this bold new approach to application control in our latest webinar.
KEY TOPICS
1. Learn from the past: valuing User Experience, IT workload & business/IT relations.
2. Take off the training wheels: it’s possible to trust users to make the right choices, but still have options if they don’t.
3. Drop unreasonable goals: more restrictions ≠ more security.
6. Kneejerk response: results
Removing admin rights
• Death by Exception
• Support Fatigue
App Whitelisting
• Death by Exception
• Support Fatigue
NAC
• Implementation complexity
• Incompatibility
8. App Whitelisting
2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.”
9. App Whitelisting
What went wrong?
• Static lists
• Manual maintenance
• Death by exception
• Users = snowflakes
App whitelisting exception creep: do your profiles end up looking like this?
• Basic CC user
• Basic CC user + MS Office
• Basic CC user + MS Office + Skype
• Basic CC user + MS Office + Skype – No Lync
• Basic CC user + MS Office + Skype, Grande, No Whip, Half Caff…
14. Phoenix impressions: whitelisting is back
“There are no bad ideas in security, just bad implementations”
“A pessimist sees the difficulty in every opportunity. An optimist sees the
opportunity in every difficulty.”
17. First do no harm: the security UI/UX impact scale
Best
• Be invisible – completely transparent to the user
Better
• Visible, but zero impact to the user
Okay
• Minor changes to user’s workflow are necessary
Failure
• Emails arrive with subjects like “I can’t do my job”
19. Adrian’s rules for user-facing security
1. Don’t break the workflow
2. Don’t mess with the browser
3. Security must move with the user
4. Give the user more choices, not less
5. Simplify workflow; reduce complexity
6. Minimize static dependencies
7. Educate, empower and involve users
20. Beyond not disrupting the business
• Security ROI: more than just the cost of doing business?
• Deputizing users
• Trusting the user
22. What does “trust” mean in this context?
First, we need to adopt a term from the startup industry: MVP
Minimum Viable Product
Drawing and concept by Henrik Kniberg http://blog.crisp.se/2016/01/25/henrikkniberg/making-sense-of-mvp
23. MVS security example…
• Security? Huh?
• Native VPN client
• Native VPN client, native firewall, Windows Defender
• Native VPN client, native firewall, Windows Defender, Windows BitLocker, UAC
• A usable version of Vista
24. Users need a Minimum Safe Environment
So “Trust” in this context is the minimum safe environment necessary for the average user to be able to do their job safely.
We need to make it difficult for them to make critical security mistakes without making it difficult for them to do their job.
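As an added example (not from the webinar, the slides, or 451 Research), the following PowerShell script checks a Windows 10/11 endpoint against the components the previous slides list as the minimum safe environment: a native VPN profile, the native firewall, Windows Defender, BitLocker and UAC, plus whether the day-to-day account sits in the local Administrators group. The cmdlets are the Defender, NetSecurity, BitLocker, VpnClient and LocalAccounts modules that ship with Windows; the seven-day signature threshold, the "every check must pass" rule and the function name are assumptions made for this example.

```powershell
# Added example, not from the webinar: check an endpoint against the
# "Minimum Safe Environment" components listed on the slides.
# Assumes the Windows 10/11 in-box modules (Defender, NetSecurity, BitLocker,
# VpnClient, LocalAccounts); run elevated so BitLocker and group membership
# can be read.

function Test-MinimumSafeEnvironment {
    param(
        # Account whose admin membership is checked; defaults to the logged-on user.
        # Get-LocalGroupMember reports names as DOMAIN\user, so the format must match.
        [string]$UserName = "$env:USERDOMAIN\$env:USERNAME",
        # Maximum age of Defender signatures (assumed threshold, not from the slides)
        [int]$MaxSignatureAgeDays = 7
    )

    $checks = [ordered]@{}

    # Native VPN client: at least one VPN profile exists for the user or the machine
    $vpn = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
           @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $checks['Native VPN profile configured'] = ($vpn.Count -gt 0)

    # Native firewall: Domain, Private and Public profiles must all be enabled
    $disabled = Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' }
    $checks['Firewall enabled on all profiles'] = (-not $disabled)

    # Windows Defender: real-time protection on and signatures reasonably fresh
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $checks['Defender real-time protection on'] = [bool]($mp -and $mp.RealTimeProtectionEnabled)
    $cutoff = (Get-Date).AddDays(-$MaxSignatureAgeDays)
    $checks["Defender signatures newer than $MaxSignatureAgeDays days"] = [bool]($mp -and $mp.AntivirusSignatureLastUpdated -gt $cutoff)

    # BitLocker: the OS volume must have protection turned on (not merely encrypted)
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $checks['BitLocker protection on OS volume'] = [bool]($os -and $os.ProtectionStatus -eq 'On')

    # UAC: EnableLUA=1 means admins run with a filtered token until they elevate
    $lua = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -ErrorAction SilentlyContinue
    $checks['UAC enabled (EnableLUA=1)'] = ($lua.EnableLUA -eq 1)

    # "Allowing users to install applications doesn't mean giving local admin":
    # the day-to-day account should not be a member of local Administrators
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($admins | Where-Object { $_.Name -eq $UserName })
    $checks["$UserName is not a local Administrator"] = (-not $isAdmin)

    # Assumed rule for this example: the environment is "safe" only if every check passes
    $passed = -not ($checks.Values -contains $false)
    [pscustomobject]@{
        Computer                    = $env:COMPUTERNAME
        User                        = $UserName
        Checks                      = $checks
        MeetsMinimumSafeEnvironment = $passed
    }
}

# Usage: print each check, then the overall verdict
$result = Test-MinimumSafeEnvironment
foreach ($name in $result.Checks.Keys) {
    $state = if ($result.Checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-5} {1}' -f $state, $name
}
"Meets minimum safe environment: $($result.MeetsMinimumSafeEnvironment)"
```

The checks deliberately test the state of each control rather than whether the product is installed: a Defender with week-old signatures or a BitLocker volume with protection suspended is the kind of "critical security mistake" the slide says should be hard for a user to make. A management-tool policy that enforces these settings is the real fix; this script is only the verification side of "trust but verify".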
25. Don’t confuse “Trust” with the other extreme
• Giving choices doesn’t mean no control
• What does it mean to trust users?
• Allowing users to install applications doesn’t mean giving local admin
• Users may enjoy freedom, but will still expect protection
26. Lessons Learned
• When you layer security/defense, it is easier to compromise on any single control
• Good security doesn’t mean going to extremes
• Lock controls down too tight and users will go around them
• Shadow business users for a few days
• learn their jobs
• understand their needs and constraints
• appreciate the impact of trying to use a heavily restricted system
Editor's Notes
Blaming the user won’t get you anywhere.
Sure, you can train them, but they’ll still be a weak point.
Instead of blaming them, how about designing for them or even helping them?
Anyone know this acronym? Want to drop it in the comments for the others?
Have you ever used it in trouble ticket notes?
We’ve all poked fun at users because we needed to blow off some steam and frustration. Seriously though, you still have a problem to deal with, and blaming the user won’t get you any closer to solving it.
Blaming the user is missing the issue
It isn’t users’ fault the tools provided to them are vulnerable and fragile.
The user isn’t expected to be a security expert.
We can’t fix this problem by training the user.
Not entirely. The moment you get done training one batch of employees, some of them have left and you have new ones.
I believe training the user can help, but security awareness is just one imperfect layer of defense. You need more layers.
Of course, the kneejerk response is to lock down users and take away access.
None of this has really been very effective over the years. People are still looking for a solution.
Okay, everyone’s locked down. We’re secure, right?
Nope – helpdesk email and phones are blowing up – no one can get their job done.
It all added up to an unmanageable mess. But it isn’t gone, what happened to it?
Most of the original app control vendors found a niche in locking down environments that don’t change often: PCs in healthcare and retail, especially. This software has also been successfully used as an alternative to running anti-virus, which is handy when you have a system not connected to the Internet, and the auditor expects it to be up-to-date on AV signatures.
A few others, like AppSense, continued looking for a way to make app control work for the broader user base outside the niches.
Look at the dates here! NAC was dead, and people
We’re driving users nuts.
Users are punished, and must suffer through our attempts to make the company “safer” by removing the “threat” they present.
Who really suffered through all these failed security trends?
How do we fix this?
NAC and App Control are back, with better implementation, manageability and user experiences.
Whitelisting is back! Find a reference to someone/something to be back.
Mobile platforms were able to design for these issues; that’s why there really isn’t much demand for mobile anti-malware: they aren’t set up so that running a malicious executable is an easy mistake to make.
Understand your users.
Understand their workflows.
Understand their jobs.
How much of a delay starts to cause a problem?
Know where the security/productivity balance tips.
Aim for Zero (best).
Users have a pretty low pain threshold for anything that makes their jobs harder.
There’s actually a level above “Best” called “Unicorn”. That’s where security not only avoids impacting the user, it actually helps them while making them secure. Security products that create non-security ROI deserve the title of unicorns.
To avoid confusing these unicorns with startups that have >$1bn valuations, is there a better term we could use?
Use the previous slide, but have a unicorn breaking out the top!
Rule #3 (security must move with the user): in other words, if the security solution only works on the corporate network and 40% of your employee computing assets leave the corporate office every day… you’ve got a problem.
Rule #4 (give the user more choices, not less): SaaS apps; mobile or laptop; configurations; Mac or PC, etc.
Where does this slide go?
Talk about ROI potential & examples
Deputizing users – if you see something say something; users as sensors
New application control tools create a partnership through enough granular control to empower both sides.
Make the user a sensor
Make users your first line of defense
Why wouldn’t you want your users working for you?
Trust and partner with users
incorporate user responses into decisions
users can be part of the security workflow – users as threat sensors, etc.
Self-service opportunities
So how do we apply this to security?
Unfortunately, security is nearly always deemed unnecessary for an MVP, and often still doesn’t exist in mature, polished products. That’s why a considerable chunk of the security industry exists – to address these gaps.
Short of completely reckless behavior, users should be able to do their jobs without worrying about losing data or getting hacked.
In other words, we need visibility into what they’re doing and we need to make it difficult for them to mess up without making it difficult to do their job.
Giving choices doesn’t mean you don’t monitor or have ability to control
Allowing users to install applications doesn’t mean giving local admin
Sure, users will enjoy the freedom, but will still expect protection… and they’ll blame you!
M. C. Escher sketch represents chaos and order.
Really go into “trust but verify”: what it means to trust users while still keeping an eye on them.
Put yourself in their shoes. Have YOU tried to do their job with whatever crazy security restrictions you put in place?