At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever.
451 Analyst, Adrian Sanabria speaks on this bold new approach to application control in our latest webinar.
1. Learn from the past: valuing User Experience, IT workload & business/IT relations.
2. Take off the training wheels: it’s possible to trust users to make the right choices, but still have options if they don’t.
3. Drop unreasonable goals: more restrictions ≠ more security.
Blaming the user won’t get you anywhere. Sure, you can train them, but they’ll still be a weak point. Instead of blaming them, how about designing for them or even helping them?
Anyone know this acronym? Want to drop it in the comments for the others?
Have you ever used it in trouble ticket notes?
We’ve all poked fun at users because we needed to blow off some steam and frustration. Seriously though, you still have a problem to deal with, and blaming the user won’t get you any closer to solving it.
Blaming the user is missing the issue. It isn’t users’ fault the tools provided to them are vulnerable and fragile. The user isn’t expected to be a security expert. We can’t fix this problem by training the user. Not entirely. The moment you get done training one batch of employees, some of them have left and you have new ones. I believe training the user can help, but security awareness is just one imperfect layer of defense. You need more layers.
Of course, the kneejerk response is to lock down users and take away access.
None of this has really been very effective over the years. People are still looking for a solution.
Nope – helpdesk email and phones are blowing up – no one can get their job done.
It all added up to an unmanageable mess. But it isn’t gone, what happened to it?
Most of the original app control vendors found a niche in locking down environments that don’t change often: PCs in healthcare and retail, especially. This software has also been successfully used as an alternative to running anti-virus, which is handy when you have a system not connected to the Internet, and the auditor expects it to be up-to-date on AV signatures.
A few others, like AppSense continued looking for a way to make app control work for the broader user base outside the niches.
Look at the dates here! NAC was dead, and people
We’re driving users nuts.
Users are punished, and must suffer through our attempts to make the company “safer” by removing the “threat” they present. Who really suffered through all these failed security trends? How do we fix this?
NAC and App Control are back, with better implementation, manageability and user experiences.
Whitelisting is back! Find a reference to someone/something to be back.
Mobile was able to design for these issues – that’s why there really isn’t a demand for mobile anti-malware – these platforms aren’t set up where you can make an easy mistake with a malicious executable.
Understand your users. Understand their workflows. Understand their jobs. How much of a delay starts to cause a problem? Know where the security/productivity balance tips.
Aim for Zero (best). Users have a pretty low pain threshold for anything that makes their jobs harder.
There’s actually a level above “Best” called “Unicorn”. That’s where security not only avoids impacting the user, it actually helps them while making them secure. Security products that create non-security ROI deserve the title of unicorns.
To avoid confusing these unicorns with startups that have >$1bn valuations, is there a better term we could use?
Use the previous slide, but have a unicorn breaking out the top!
#3 – in other words, if the security solution only works on the corporate network and 40% of your employee computing assets leave the corporate office every day… you’ve got a problem.
#4 – SaaS apps; mobile or laptop; configurations; mac or pc, etc
Where does this slide go?
Talk about ROI potential & examples
Deputizing users – if you see something, say something; users as sensors. New application control tools create a partnership through enough granular control to empower both sides. Make the user a sensor. Make users your first line of defense. Why wouldn’t you want your users working for you?
Trust and partner with users: incorporate user responses into decisions; users can be part of the security workflow – users as threat sensors, etc. Self-service opportunities.
So how do we apply this to security?
Unfortunately, security is nearly always deemed unnecessary for an MVP, and often still doesn’t exist in mature, polished products. That’s why a considerable chunk of the security industry exists – to address these gaps.
Short of completely reckless behavior, users should be able to do their jobs without worrying about losing data or getting hacked.
In other words, we need visibility into what they’re doing and we need to make it difficult for them to mess up without making it difficult to do their job.
Giving choices doesn’t mean you don’t monitor or have the ability to control. Allowing users to install applications doesn’t mean giving local admin. Sure, users will enjoy the freedom, but they will still expect protection… and they’ll blame you!
MC Escher sketch represents chaos and order
Really go into the trust but verify and what it means to trust users, but also keep an eye on them
Put yourself in their shoes. Have YOU tried to do their job with whatever crazy security restrictions you put in place???
451 AppSense Webinar - Why blame the user?
Why blame the user?
Confusing the victim and the problem
2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.”
What went wrong?
• Static lists
• Manual maintenance
• Death by exception
• Users = snowflakes
App whitelisting exception creep: do your profiles end up looking like this?
• Basic CC user
• Basic CC user + MS Office
• Basic CC user + MS Office + Skype
• Basic CC user + MS Office + Skype –
• Basic CC user + MS Office + Skype,
Grande, No Whip, Half Caff…
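The two lists above describe hash-list application control failing through static lists, manual maintenance and per-user exceptions. The Python simulation below is an added example, not code from the webinar, 451 Research or AppSense: it runs one constructed stream of process launches through a static per-user hash allowlist (the 2011-era model) and through a rule-based allowlist keyed on code signer and install location, then counts the helpdesk tickets and the distinct profiles each produces. It also models the later slide’s point that a user can install a signed application into their own profile without local admin. Every user name, path, publisher name and hash is a constructed placeholder.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ExecEvent:
    """One process launch as an app-control agent would see it (constructed)."""
    user: str
    path: str
    sha256: str            # placeholder label, not a real digest
    signer: Optional[str]  # code-signing publisher name, None if unsigned


@dataclass
class StaticProfile:
    allowed_hashes: set = field(default_factory=set)
    tickets: int = 0       # manual exceptions raised for this user


class StaticHashPolicy:
    """2011-style default deny: a hand-maintained hash list per user profile."""

    def __init__(self, baseline_hashes, helpdesk_trusted_signers):
        self.baseline = set(baseline_hashes)
        self.helpdesk_trusted = set(helpdesk_trusted_signers)
        self.profiles = {}

    def decide(self, ev):
        prof = self.profiles.setdefault(ev.user, StaticProfile(set(self.baseline)))
        if ev.sha256 in prof.allowed_hashes:
            return "allow"
        # Anything new is blocked and becomes a helpdesk ticket. The helpdesk
        # approves signed software by adding its hash to THIS user's profile
        # only, which is how profiles drift into snowflakes.
        prof.tickets += 1
        if ev.signer in self.helpdesk_trusted:
            prof.allowed_hashes.add(ev.sha256)
        return "block"


class RuleBasedPolicy:
    """Allow by where the binary lives and who signed it, not by hash."""

    def __init__(self, trusted_signers, managed_prefixes, user_install_template):
        self.trusted = set(trusted_signers)
        self.managed = tuple(managed_prefixes)
        self.user_install_template = user_install_template
        self.tickets = 0   # a block here is the intended outcome, not an exception

    def decide(self, ev):
        # IT-deployed software in admin-only locations: standard users cannot
        # write there, so the path itself is an integrity signal.
        if ev.path.startswith(self.managed):
            return "allow"
        # A trusted publisher installed into the user's own profile: no local
        # admin was needed, and a routine update keeps the same signer.
        user_dir = self.user_install_template.format(user=ev.user)
        if ev.signer in self.trusted and ev.path.startswith(user_dir):
            return "allow"
        return "block"   # unsigned, or run from Downloads/temp


# Constructed names and locations (hypothetical publishers, Windows-style paths).
TRUSTED = {"Example Office Publisher", "Example Chat Publisher"}
MANAGED = (r"C:\Program Files", r"C:\Windows")
USER_INSTALL = r"C:\Users\{user}\AppData\Local\Programs"
OFFICE = r"C:\Program Files\OfficeSuite\office.exe"
CHAT = r"C:\Users\{user}\AppData\Local\Programs\Chat\chat.exe"
DOWNLOAD = r"C:\Users\{user}\Downloads\free_tool.exe"


def build_events():
    """Constructed launch stream: day-one binaries, a staggered auto-update
    that changes every hash, then one unsigned download run by a single user."""
    events = []
    for u in ("alice", "bob", "carol"):
        events.append(ExecEvent(u, OFFICE, "h-office-v1", "Example Office Publisher"))
        events.append(ExecEvent(u, CHAT.format(user=u), "h-chat-v1", "Example Chat Publisher"))
    # Updates land on different machines at different times, so each user runs
    # a different mix of updated binaries.
    events.append(ExecEvent("alice", OFFICE, "h-office-v2", "Example Office Publisher"))
    events.append(ExecEvent("alice", CHAT.format(user="alice"), "h-chat-v2", "Example Chat Publisher"))
    events.append(ExecEvent("bob", OFFICE, "h-office-v2", "Example Office Publisher"))
    events.append(ExecEvent("carol", CHAT.format(user="carol"), "h-chat-v2", "Example Chat Publisher"))
    # One user double-clicks an unsigned download: both policies should block it.
    events.append(ExecEvent("bob", DOWNLOAD.format(user="bob"), "h-unknown", None))
    return events


def run_simulation():
    static = StaticHashPolicy(baseline_hashes={"h-office-v1", "h-chat-v1"},
                              helpdesk_trusted_signers=TRUSTED)
    rules = RuleBasedPolicy(TRUSTED, MANAGED, USER_INSTALL)
    outcome = {"static": Counter(), "rules": Counter()}
    for ev in build_events():
        outcome["static"][static.decide(ev)] += 1
        outcome["rules"][rules.decide(ev)] += 1
    return {
        "static": dict(outcome["static"]),
        "rules": dict(outcome["rules"]),
        "static_tickets": sum(p.tickets for p in static.profiles.values()),
        "rules_tickets": rules.tickets,
        "distinct_static_profiles": len({frozenset(p.allowed_hashes)
                                         for p in static.profiles.values()}),
    }


if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(f"{key}: {value}")
```

The same eleven launches cost the static policy five tickets and leave three users with three different profiles after a single update cycle, while the rule-based policy needs no maintenance and still blocks the unsigned download. The design choice to notice is that the rule-based policy never needed to grant local admin: the user-installed chat client lives under the user’s own profile, and its trustworthiness comes from the signer rather than from where the installer asked to write.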
Phoenix impressions: whitelisting is back
“There are no bad ideas in security, just bad implementations”
“A pessimist sees the difficulty in every opportunity. An optimist sees the opportunity in every difficulty.”
Understand your users
Let the healing begin
First do no harm: the security UI/UX impact scale
• Be invisible – completely transparent to the user
• Visible, but zero impact to the user
• Minor changes to user’s workflow are necessary
• Emails arrive with subjects like “I can’t do my job”
Adrian’s rules for user-facing security
1. Don’t break the workflow
2. Don’t mess with the browser
3. Security must move with the user
4. Give the user more choices, not less
5. Simplify workflow; reduce complexity
6. Minimize static dependencies
7. Educate, empower and involve users
Beyond not disrupting the business
• Security ROI: more than just the cost of doing business?
• Deputizing users
• Trusting the user
What does “trust” mean in this context?
First, we need to adopt a term from the startup industry: MVP
Minimum Viable Product
Drawing and concept by Henrik Kniberg http://blog.crisp.se/2016/01/25/henrikkniberg/making-sense-of-mvp
MVS security example…
• Native VPN client
• Native VPN client, native firewall,
• Native VPN client, native firewall, Windows Defender, Windows
• A usable version of Vista
Users need a Minimum Safe Environment
So “Trust” in this context is the minimum safe environment necessary for the average user to be able to do their job safely.
We need to make it difficult for them to make critical security mistakes without making it difficult for them to do their job.
Don’t confuse “Trust” with the other extreme
• Giving choices doesn’t mean no
• What does it mean to trust users
• Allowing users to install applications doesn’t mean giving local admin
• Users may enjoy freedom, but will still expect protection
• When you layer security/defense, compromise is easier
• Good security doesn’t mean going
• Lock controls down too tight and users will go around
• Shadow business users for a few
• learn their jobs
• understand needs and constraints
• appreciate the impact of trying to use a heavily restricted system