Balancing Security and Usability

There seems to be a constant struggle between keeping your company's data safe and maximizing the productivity and satisfaction of your employees. There are enough security systems out there to find one that will lock your data down very securely; the problem is that you don't want to make it so secure that even your own employees can't access the data. On the flip side, if employees are not challenged when they access data, would-be bad guys will not be challenged either. So the trick is to find a security product that lets the officers of the company sleep well at night, but also permits the employees to be as productive as possible during the day.

What is security? Security is a mechanism put in place to allow only the appropriate people access to what is being requested. You have a key to the front door of your house which you use to enter your home if the door is locked. No one else can get into your home through the front door without the key. Passwords are used the same way for computers, applications, web sites and files. Just as your key can get into the wrong hands and subject your home to an unwanted invasion, passwords can be guessed or learned by cyber criminals and give them access to your online valuables. So to further secure your home, you can add additional locks with different keys. An intruder would now have to acquire more than one key to break into your home easily. For computers, we have two-factor authentication, which means that in addition to something you know (a password), you will also be required to have possession of a device such as a key fob or cell phone. Additional restraints can be put on access by also requiring something that physically identifies you as you, such as a fingerprint or retina scan. You can see how increased security can make it more difficult for the right people to access what is being protected, which brings us to usability.

What is usability? Usability defines how easy or difficult it is to use something. Ideally, the easiest way to get into your home is to just twist the knob and walk right in. This would be considered very usable and would in fact completely tip the scale to the usability side and leave nothing on the security side. Having to open five locks with five different keys would be much more secure, but very time consuming and possibly frustrating if you can't remember which key fits which lock.

So by now you might be getting an image in your head of an old-fashioned balance scale that dips back and forth, depending on how secure or usable a system is.

One method for having a secure and usable system is to require two-factor authentication, but automate the second factor. For instance, a browser add-on would have a mechanism for creating a security token that only it and the requested server know how to process. After the user enters their password when signing in to the site, the browser sends the security token on the user's behalf. The user is happy because they only need to provide a password, and the security officer is also happy because two factors are needed to access the site.

Single Sign-On (SSO) can also be employed to balance the security and usability scale. A user logs into an authentication server and is issued a security token. The other sites that the user then accesses do not prompt for additional logins, because the security token is automatically delivered to their servers and those servers know how to process the token to authenticate the user.
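The SSO flow just described, as an added illustration that is not part of the original post: an authentication server mints a signed, time-limited token once the user has logged in, and a relying site accepts that token instead of prompting for another login, but only if the signature checks out and the token has not expired. The shared secret, the claim names and the token layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Shared verification secret (constructed for this example). A real deployment
# would use a properly generated key, or a public-key signature, per relying site.
SSO_SECRET = b"example-shared-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, now: int, ttl: int = 300) -> str:
    """Authentication server: after the user has logged in once, mint a
    token carrying the user name and an expiry, signed with HMAC-SHA256."""
    claims = {"sub": user, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: int):
    """Relying site: accept the token without a second login prompt, but only
    if the signature is valid and the token is unexpired. Returns the user
    name on success and None on any failure (tampered, malformed, expired)."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature bytes cannot be guessed by timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if now >= int(claims["exp"]):
            return None  # token has expired; the user must log in again
        return str(claims["sub"])
    except (ValueError, TypeError, KeyError):
        return None
```

A site that checks only the signature but not `exp` would keep honouring a stolen token indefinitely, which is why both checks belong in `verify_token`.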

Some environments are not well suited to balancing security and usability and have to require very strong authentication before granting access. You've watched the scenes in the movies where three different people have to be in the same room with their physical keys and passwords in order to launch an end-of-the-world nuclear attack. On the other hand, you wouldn't put any security on a public park where people can exercise and relax.

The balance point (or lack thereof) between security and usability is not going to be the same for everyone.  The goal is to understand what is being protected and how secure it has to remain.  Then the appropriate security mechanisms can be put in place.

Here are additional resources on this topic:

http://reports.informationweek.com/abstract/18/8643/Mobility-Wireless/informed-cio-striking-a-security-usability-balance.html

http://www.gfi.com/blog/security-usability-finding-balance/

http://www.schneier.com/blog/archives/2009/02/balancing_secur.html