"Security is a pain; it just gets in the way."
"Every time you security guys want to install something, it makes it harder for me to do my job."
"I understand that we want to be secure, but this is getting ridiculous..."

If you have worked in Information/Cyber Security for any length of time, you have heard these complaints. (Perhaps you have even made them yourself … I have.)

One objection that security professionals face every day is that you can't have both: that security and convenience sit at opposite ends of a single continuum, so that any gain in one must come at the expense of the other.

I reject that objection: security and convenience are not mutually exclusive. Yes, this used to be true, or at least mostly true, and it still can be, but things are changing in the security industry. These days, clever design and innovative solutions can deliver solid security without unreasonably impacting the user experience.

The word "unreasonable" is really the key to all this. People understand the need for security; they really do. People are fine with doing a few simple, common-sense things to help stay secure as long as the demands don't go too far. Most people lock their house and car, especially in the city; but most people also complain that airport security is overboard. It is when security becomes obtrusive that issues arise. This is an issue of how people feel about something; it is the end user, not security, that defines this particular type of success. (More on this point in a future blog.)

This situation evolved in a completely understandable way. One of the central models of Information Security is called the InfoSec Triad: Confidentiality, Integrity and Availability. We as professionals are supposed to design all solutions with an appropriate balance of these three central tenets.

But it is easy for security practitioners and product designers to spend all our time thinking about the confidentiality side (preventing unauthorized people from accessing information) and not as much time thinking about the availability side (allowing authorized people the appropriate access). Yes, it is true that unless we have strong control over confidentiality (usually via access control), we cannot ensure that availability is limited to the right people, and this leads to the attitude that confidentiality is more important than availability. But this is not how solutions should be designed.

These three core tenets are all equally important, and we practitioners need to be developing solutions with this in mind and awarding contracts to companies that understand and actively support this concept. Otherwise, we end up with solutions that people complain about because they are too demanding of them in the name of good security.

The consumerization of IT has helped. One example: people once had no choice but to rely on their internal IT group to provide network storage. Today, there is a large and growing number of cloud vendors that will give consumers huge amounts of easily accessed and shared storage at no monetary cost. People, frustrated with the options (or lack thereof) available from their IT shop, or with the charge-back structure, or with a host of other things, can now go online to solve their own issue, completely bypassing IT (and therefore many kinds of security that the organization might have in place), and they are doing so in droves. If you think this is not happening in your organization, think again.

This trend of simple, self-service IT has led people to have those same expectations for security. People expect security to be built in and to be reasonable; to not impact them more than it absolutely has to. And, where it does have to impact them, to have a clear reason behind it.

Security is going through a very exciting period right now. More and more vendors understand these points and are bringing new designs to the table:

- Solutions that bring a strong security benefit with minimal impact to the end user or customer, sometimes to the point that the end user is completely unaware that a security feature is working to protect them.
- Solutions that bring benefits not only to the security team but to other units inside an organization as well, often going so far as to reduce the budget other groups need to spend to maintain their core business function.
- Solutions that reduce the complexity of security, thereby reducing the number of systems required, the number of points of failure, the cost and the total amount of support required.
- Solutions that make security more transparent to the end user, or that provide explicit and clear information to the end user at the moment that person is making a security decision, a greatly desirable capability I have been talking about for years.

This blog will focus on topics like this: what can we do, what solutions are out there, what does not yet exist that should, and what should we be demanding from the industry and from vendors? Things that can help us build simpler, more effective, more cost-effective and more convenient security.

Next time: VMs designed for sensitive research and business needs. Building a gold image that already includes the security features required for HIPAA/PCI/NIST/FISMA/name your regulation, allowing researchers and business people to spin up new compliant servers in moments.