
451 AppSense Webinar - Why blame the user?


At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever.

451 analyst Adrian Sanabria speaks on this bold new approach to application control in our latest webinar.


1. Learn from the past: valuing User Experience, IT workload & business/IT relations.
2. Take off the training wheels: it’s possible to trust users to make the right choices, but still have options if they don’t.
3. Drop unreasonable goals: more restrictions ≠ more security.

Published in: Technology


  1. Why blame the user?
  2. Confusing the victim and the problem: “Users will click anything!” “Users are careless!” “Users are the weak link!”
  3. PEBKAC
  4. If you already know what can and will go wrong... what’s the next logical step?
  5. Kneejerk response: punish them. “Take away their access” “Remove their rights” “Lock them down”
  6. Kneejerk response: results
     • Removing admin rights: death by exception; support fatigue
     • App whitelisting: death by exception; support fatigue
     • NAC: implementation complexity; incompatibility
  7. Learning from posterity
  8. App whitelisting, 2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.”
  9. App whitelisting: what went wrong?
     • Static lists
     • Manual maintenance
     • Death by exception
     • Users = snowflakes
     App whitelisting exception creep: do your profiles end up looking like this?
     • Basic CC user
     • Basic CC user + MS Office
     • Basic CC user + MS Office + Skype
     • Basic CC user + MS Office + Skype – No Lync
     • Basic CC user + MS Office + Skype, Grande, No Whip, Half Caff…
  10. Network Access Control: NAC
  11. Network Access Control: what went wrong?
     • Too much complexity
     • Too many standards
     • Integration/implementation nightmares
     • Confused everyone
  12. Meanwhile…
  13. Phoenix impressions
  14. Phoenix impressions: whitelisting is back. “There are no bad ideas in security, just bad implementations.” “A pessimist sees the difficulty in every opportunity. An optimist sees the opportunity in every difficulty.”
  15. Understand your users. Find empathy. Let the healing begin.
  16. Respect the pain threshold
  17. First do no harm: the security UI/UX impact scale
     • Best: be invisible – completely transparent to the user
     • Better: visible, but zero impact to the user
     • Okay: minor changes to the user’s workflow are necessary
     • Failure: emails arrive with subjects like “I can’t do my job”
  18. What’s better than best?
  19. Adrian’s rules for user-facing security
     1. Don’t break the workflow
     2. Don’t mess with the browser
     3. Security must move with the user
     4. Give the user more choices, not less
     5. Simplify workflow; reduce complexity
     6. Minimize static dependencies
     7. Educate, empower and involve users
  20. Beyond not disrupting the business
     • Security ROI: more than just the cost of doing business?
     • Deputizing users
     • Trusting the user
  21. What does it mean to trust the user?
  22. What does “trust” mean in this context? First, we need to adopt a term from the startup industry: MVP, Minimum Viable Product. (Drawing and concept by Henrik Kniberg)
  23. MVS security example…
     • Security? Huh?
     • Native VPN client
     • Native VPN client, native firewall, Windows Defender
     • Native VPN client, native firewall, Windows Defender, Windows BitLocker, UAC
     • A usable version of Vista
  24. Users need a Minimum Safe Environment. So “trust” in this context is the minimum safe environment necessary for the average user to be able to do their job safely. We need to make it difficult for them to make critical security mistakes without making it difficult for them to do their job.
  25. Don’t confuse “trust” with the other extreme
     • Giving choices doesn’t mean no control
     • What does it mean to trust users?
     • Allowing users to install applications doesn’t mean giving local admin
     • Users may enjoy freedom, but will still expect protection
  26. Lessons learned
     • When you layer security/defense, compromise is easier
     • Good security doesn’t mean going to extremes
     • Lock controls down too tight and users will go around
     • Shadow business users for a few days: learn their jobs, understand needs and constraints, appreciate the impact of trying to use a heavily restricted system
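Slides 23 and 24 describe the Minimum Safe Environment as the native VPN client, native firewall, Windows Defender, BitLocker and UAC. The following is an added example, not part of the webinar or any AppSense product: a PowerShell check that reports whether a Windows 10/11 endpoint still meets that baseline, so the controls the user is trusted to keep can be verified rather than assumed. The function name and the seven-day signature-age threshold are my own assumptions; run it from an elevated session.

```powershell
# Added example: verify the "minimum safe environment" components from slides 23-24.
# Function name and the 7-day signature threshold are assumptions, not from the deck.
function Test-MinimumSafeEnvironment {
    [CmdletBinding()]
    param()

    $checks = [ordered]@{}

    # Native firewall: every profile (Domain/Private/Public) must be enabled.
    $fw = Get-NetFirewallProfile
    $checks['Firewall'] = @($fw | Where-Object { -not $_.Enabled }).Count -eq 0

    # Windows Defender: engine and real-time protection on, signatures not stale.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $checks['Defender'] = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
                              ($mp.AntivirusSignatureAge -le 7)   # assumed threshold
    } catch { $checks['Defender'] = $false }

    # BitLocker: protection must be On for the system drive (needs the BitLocker module).
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $checks['BitLocker'] = ($bl.ProtectionStatus -eq 'On')
    } catch { $checks['BitLocker'] = $false }

    # UAC: EnableLUA = 1 keeps standard users from elevating silently.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks['UAC'] = ($uac.EnableLUA -eq 1)

    # Native VPN client: at least one machine-wide VPN profile is provisioned.
    try {
        $vpn = Get-VpnConnection -AllUserConnection -ErrorAction Stop
        $checks['VPN'] = @($vpn).Count -gt 0
    } catch { $checks['VPN'] = $false }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Checks   = $checks
        Failed   = $failed
        Baseline = ($failed.Count -eq 0)   # $true only when every component is in place
    }
}

$result = Test-MinimumSafeEnvironment
$result.Checks
if (-not $result.Baseline) {
    Write-Warning "Below minimum safe environment: $($result.Failed -join ', ')"
}
```

A failed check is a signal to repair the baseline control, not to take rights away from the user: the deck's point is that the environment, not the person, carries the safety margin.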