These days, clever design and innovative solutions can deliver solid security without unreasonably impacting the user experience.

“Security is a pain; it just gets in the way.”

“Every time you security guys want to install something, it makes it harder for me to do my job.”

“I understand that we want to be secure, but this is getting ridiculous…”

If you have worked in Information/Cyber Security for any length of time, you have heard these complaints. (Perhaps you have even made them yourself … I have.)

One objection that security professionals face every day is that you can’t have both: that security and convenience sit on opposite ends of a mutually exclusive continuum.

I reject that objection: security and convenience are not mutually exclusive. Yes, this used to be true, or at least mostly true, and it still definitely can be, but things are changing in the security industry. These days, clever design and innovative solutions can deliver solid security without unreasonably impacting the user experience.

The word “unreasonable” is really the key to all this. People understand the need for security – they really do! People are fine with doing a few simple, common-sense things to help stay secure as long as the demands don’t go too far. Most people lock their house and car, especially in the city; but most people also complain that the security at the airport goes overboard. It is when security becomes obtrusive that issues arise. This is an issue of how people feel about something; it is the end user—not security—that defines this particular type of success. (More on this point in a future blog.)

This situation evolved in a completely understandable way. One of the central models of Information Security is called the InfoSec Triad: Confidentiality, Integrity and Availability. We as professionals are supposed to design all solutions with an appropriate balance of these three central tenets. But it is easy for security practitioners and product designers to spend all our time thinking about the confidentiality side—preventing unauthorized people from accessing information—and not as much time thinking about the availability side—allowing authorized people the appropriate access. Yes, it is true that unless we have strong control over confidentiality (usually via access control), we cannot ensure availability only to the right people, and this leads to the attitude that confidentiality is more important than availability; but this is not how solutions should be designed.

These three core tenets are all equally important, and we practitioners need to be developing solutions with this in mind and awarding contracts to companies that understand and actively support this concept. Otherwise, we end up with solutions that people complain about because they are too demanding of them in the name of good security.

The consumerization of IT has helped. One example: people once had no choice but to rely on their internal IT group to provide network storage. Today, there is a large and growing number of cloud vendors that will give consumers huge amounts of easily accessed and shared storage at no monetary cost. People, frustrated with the options (or lack thereof) available from their IT shop, or with the chargeback structure, or with a host of other things, can now go online to solve their own issue, completely bypassing IT (and therefore many kinds of security that the organization might have in place) – and they are doing so in droves. If you think this is not happening in your organization, think again.

This trend of simple, self-service IT has led people to have the same expectations for security. People expect security to be built in and to be reasonable; to not impact them more than it absolutely has to. And, where it does have to impact them, to have a clear reason behind it.

Security is going through a very exciting period right now. More and more vendors understand these points and are bringing new designs to the table:

- Solutions that bring a strong security benefit with minimal impact to the end user or customer—sometimes to the point that the end user is completely unaware that a security feature is functioning to protect them.
- Solutions that bring benefits not only to the security team but to other units inside an organization as well—often going so far as to reduce the budget other groups need to spend to maintain their core business function.
- Solutions that reduce the complexity of security, thereby reducing the number of systems required, the number of points of failure, the cost and the total amount of support required.
- Solutions that make security more transparent to the end user, or that provide explicit and clear information to the end user at the moment that person is making a security decision—a greatly desirable capability I have been talking about for years.

This blog will focus on topics like these. What can we do, what solutions are out there, what does not yet exist that should, what should we be demanding from the industry and from vendors? Things that can help us build simpler, more effective, more cost-effective and more convenient security.

Next time: VMs designed for sensitive research and business needs. Building a gold image that already includes the security features required for HIPAA/PCI/NIST/FISMA/name your regulation, allowing researchers and business people to spin up new compliant servers in moments.