One of the longest-running debates in the history of information technology is whether security necessarily has a negative impact on usability. I set out to show that this is simply not true. Usability and security are not two sides of the same coin. They are of equal importance and can complement each other. Strong usability can increase security, but this requires a more thoughtful approach and better tools.
Every IT system – whether internal or external with web service integration – has different layers of human-computer interaction. To create a good user experience (UX), we need to make these interaction points usable. At the same time, we need to ensure that security is an important factor in their configuration and setup. This is especially true in a landscape that is facing more threats and has a large attack surface due to strong web integration. A good UX is a goal that leads to excellent data governance and increased productivity.
At United Security Providers, we are well aware of the security/ease-of-use trade-off. Accordingly, we have developed version 5 of our USP Secure Entry Server® to provide a holistic approach that balances security and usability. The new version covers all conditions for creating usable yet secure use cases across all enterprise web applications.
Authentication
The humble password has probably caused more security problems than any other area in the wider corporate environment, and the problem persists. Many attacks in recent years have been linked to password weaknesses. Intrusions often start with a spear-phishing campaign that steals usernames and passwords from administrators, and keeping control of passwords across a wider user base is harder still. So how do we resolve the apparent contradiction between password security and usability?
Let’s take a look at password policies and password strength. One obvious step is to make passwords longer and more complex, for example by requiring a mix of lower- and upper-case letters, digits and symbols. This makes brute-force attacks harder. However, the benefit of password complexity is offset by several factors:
A study by the Ponemon Institute shows that up to 70% of people (depending on location) forget a password if it is too long or complex. This one problem area alone causes a high volume of online password recoveries and helpdesk calls.
A study by Janrain asked whether users recover a forgotten password or simply leave the site: 90% of respondents said they leave. Passwords are also written down and shared. A study by the University of California, Berkeley found that at least 40% of respondents sometimes or even often write down their passwords.
Increasing password strength also does nothing against:
- phishing attacks,
- keylogging (keystroke logging) and screen scraping,
- and attacks on your password database.
There are many tools available today that provide a very good UX while maintaining security. The USP Secure Entry Server® allows you to increase productivity without sacrificing security. It supports single sign-on (SSO) with Windows user accounts and can be extended with federation for cross-organizational SSO. Two-factor authentication, or even risk-based authentication, can improve login security and, in conjunction with SSO, provide the right blend of usability and security. But once again, it must be emphasized that adding a second factor potentially limits usability. It is therefore crucial to choose the right two-factor method for each environment or user type in order to strike the balance between security and usability. With the USP Secure Entry Server®, you can choose from a range of two-factor options, including RSA SecurID, SafeNet, X.509 certificates, mTAN and, most recently, Google Authenticator. So you can find the right tool for each type of user.
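As an added illustration of the two-factor trade-off described above (example code, not part of the original article and not USP product code): a server-side check of time-based one-time passwords of the kind Google Authenticator produces (RFC 6238), assuming a 30-second step, 6-digit codes and a ±1-step acceptance window. The secret is the RFC 4226/6238 test value, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32).
# Used only so the output can be checked against the published vectors.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


class TotpVerifier:
    """Server-side verification with a clock-skew window and one-time use per step.

    window=1 accepts the previous, current and next time step, which absorbs
    a little clock drift and slow typing (usability). Every accepted step is
    remembered so the same code cannot be replayed (security). A larger window
    widens the usability margin at the cost of more codes being valid at once.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.step = step
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_used_step:
                continue  # already used, or older than a used step: reject replays
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False
```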
Business applications and web portals
One of the areas that urgently requires real attention in terms of security is enterprise applications with touchpoints to the cloud. The cloud has massively improved the user experience by providing access from anywhere, and well-built, modern cloud-based interfaces have given us a great UX. However, the cloud also has a major impact on security, because it has increased the attack surface – “beyond the clouds”, so to speak.
When internet-based data communication comes into play, security becomes more complicated. This can lead to stricter and “locked down” interfaces with complicated access controls. Again, single sign-on or its cousin, federation, can come to the rescue to enable seamless authentication between cloud applications.
Similarly, SSO can ensure that the user-friendliness gained through BYOD (Bring Your Own Device) does not also open up security gaps in your organization. Preventing attacks on portals that are open to the web doesn’t have to lead to a poor UX either: background monitoring and analysis let you keep a highly usable interface while securing the backend. Web application firewalls can deal with common web attacks such as XSS, SQL injection and CSRF without restricting the user interface of web-based applications.
The Web Application Firewall (WAF) offered by United Security Providers is designed to make it easier for administrators to detect security problems and prevent security breaches from becoming security events. With our state-of-the-art management console interface, easy-to-use monitoring and real-time analytics, web threats can be detected and controlled.
The compliance dilemma
Privacy laws and regulations can be onerous, and we often respond by locking everything down, sometimes to the point of almost choking it off completely. Making things seemingly more secure can, as mentioned earlier, have an impact on usability. If it becomes extremely complex to use because extreme security was also sought, then it will not be used. It may even tempt users to bypass security in order to use it. Such a situation can lead to bad practices and cause you to be out of compliance.
Sometimes the problem can be solved by making users aware of the security measures and helping them understand how they work. But often it is the security measures themselves that limit productivity and push people into ways of working that are not secure. The right balance avoids inadvertent compliance errors. That’s why USP SES places so much emphasis on the seamless and usable design of the management console and the solutions that can be implemented with it. By making it easy for administrators to apply security correctly, errors are reduced and good practice is encouraged.
Security + user-friendliness = good design
USP SES includes a state-of-the-art web application firewall, single sign-on and federation in all their aspects, including authorization and authentication options. To apply a best-of-breed approach to your company’s security infrastructure, you can rely on a holistic security concept that also promotes usable systems for the administrators and users who work with these security settings.
This balance is feasible. But to achieve it, the right mindset and the right tools must be considered in equal measure. The highly complex extended enterprise must reduce the complexity of its underlying design, and the USP SES approach makes this possible. If we bring all the pieces of a robust security strategy together, we can improve the usability of authentication via SSO or federation while also increasing security with two-factor authentication. If you then add the additional features of the WAF components, such as monitoring and threat analysis, you get the holistic approach that gives your organization a harmonious balance between security and usability.
If, in the end, your security seriously weakens the user experience, then it is likely that the wrong approach has been taken. And in the worst case scenario for you, the opposite will happen: the system you wanted to secure will become less secure – something that nobody can afford today. And because we have succeeded in combining security and user-friendliness with the new USP Secure Entry Server®, we are sure that our product will also convince you.