Usability vs. Security: How USP Secure Entry Server® (SES) Gives You Both
by United Security Providers
Extremely secure
SUMMARY
1. Introduction
2. Authentication
3. Business Applications and Web Portals
4. The Compliance Conundrum
5. Security + Usability = Good Design
Cybersecurity
1. INTRODUCTION
Usability and security are not opposite sides of a coin. They are of equal importance and in fact complement each other: good usability can improve security, but it often needs more thought and better tools.
Any IT system, whether internally facing or integrated with external web services, has many layers where human-computer interactions happen.
The creation of a good user experience (UX) means that we need to make those interaction points usable. At the same time, we also need to make sure that security is an important factor in their configuration and setup.
Achieving good UX within a secure environment is a goal that results in excellent data governance and increased productivity.
United Security Providers know the security/usability conundrum well, and we have designed version 5 of our USP Secure Entry Server® to offer a holistic approach to reconciling security with usability.
The new version encompasses all the requirements needed to create usable, yet secure use cases across your enterprise web applications.
We can illustrate our argument by using examples where good security actually creates good user experience and vice versa.
2. AUTHENTICATION
The humble password has probably caused more security issues than any other area across the extended enterprise.
Password insecurity is, let's face it, behind many of the hacks we have seen in recent years: hacks that often begin with a spear phishing campaign and end with administrators' usernames and passwords being stolen.
Passwords for the wider user base of a system are even more difficult to keep control of.
How do we square the circle of password insecurity versus usability?
The obvious step would be to make passwords longer and more complex, for example by requiring a mix of upper-case letters, lower-case letters, digits and symbols. This would make brute force attacks much more difficult to perform.
However, password complexity is offset by a number of forces:
• 70% of people (depending on location) forgot a password if it was long and / or complex (Ponemon Institute study).
• 90% of respondents stated they would just leave a site if they had forgotten a password rather than recover it (Janrain study).
• 40% of respondents at least sometimes, or often, wrote passwords down (Berkeley University study).
Increasing your password strength doesn’t prevent:
• Phishing attacks
• Key logging and screen scraping
• Attacks on your database
There are many tools available that can give you a great UX and maintain security.
The USP Secure Entry Server® (SES) offers you the ability to increase your productivity whilst ensuring security. It leverages Windows account single sign-on (SSO) and can be extended to inter-organization SSO through federation.
Second-factor and even risk-based authentication can give enhanced login security, and can be used in combination with SSO to give the perfect mix of usability and security.
Adding a second factor potentially compromises usability, so choosing the right second-factor method for the right environment and user type is essential to getting the security/usability balance right.
USP SES allows you to choose from a number of different second-factor options, including RSA SecurID, SafeNet, X.509 certificates, mTAN and, newly, Google Authenticator, so you can ensure you have the right tools for each user type.
3. BUSINESS APPLICATIONS AND WEB PORTALS
One of the areas that requires real and urgent attention in terms of security is enterprise applications that have touch points out into the Cloud.
Well designed, modern Cloud based interfaces have given us a great UX. But the Cloud has also opened up many security implications by expanding our attack surface beyond the corporate perimeter.
Once internet based data communications come into play, security becomes more complicated. This can result in a more stringent, "locked down" interface with complicated access control. Again single sign-on, or its cousin federation, can come to the rescue, allowing seamless authentication between Cloud applications.
SSO can ensure that the usability improvements afforded through Bring Your Own Device (BYOD) do not also open up potential security holes in your organization.
Preventing web attacks via web facing portals, doesn’t need to create a poor UX either. The use of background monitoring and analysis of threats can mean you can retain a highly usable interface, whilst securing the backend.
Web Application Firewalls are a way to ensure that common web attacks like XSS, SQL Injection and CSRF are handled without having to compromise the user interface of any web-based application.
The Web Application Firewall (WAF) offered by USP SES is designed to make sure that administrators can more easily spot security issues and stop an attempted breach from becoming a security incident. With its state of the art administration console, easy-view monitoring and real time analytics, web threats can be spotted and contained.
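To make the inspection a WAF performs in front of a portal concrete, here is an added Python example; it is not USP SES's own engine or rule set. It decodes the query string and body before matching a few XSS and SQL injection signatures, so that a payload percent-encoded twice is still caught, and applies an Origin/Referer check to state-changing requests as a CSRF defence. The portal hostname, the signatures, the function names and the sample requests are all constructed for the example.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote_plus, urlsplit

# Assumed origin of the protected portal (constructed for the example).
SITE_ORIGIN = "https://portal.example.com"

# Illustrative signatures only. A production rule set is far larger and normalises
# input more thoroughly (charset, HTML entities, comments) than this example does.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "sqli": re.compile(
        r"['\"]\s*(?:or|and)\s*['\"]?\w*['\"]?\s*=|union\s+select|--\s|;\s*drop\s", re.I),
}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def normalise(value: str) -> str:
    """Percent-decode until the value stops changing, so %2527 ends up as a quote."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def same_origin(header_value: str) -> bool:
    """True if an Origin/Referer value points at the portal itself (scheme and host)."""
    if not header_value:
        return False
    got, want = urlsplit(header_value), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def inspect(request: Dict) -> Tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for one parsed request."""
    query = urlsplit(request["path"]).query
    for raw in (query, request.get("body", "")):
        decoded = normalise(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                return "block", f"{name} signature after decoding: {decoded!r}"
    if request["method"] in STATE_CHANGING:
        headers = request.get("headers", {})
        if not same_origin(headers.get("Origin") or headers.get("Referer", "")):
            return "block", "csrf: state-changing request without a trusted Origin/Referer"
    return "allow", ""


# Constructed sample traffic, not captured from any real system.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/search?q=laptop", "headers": {}},
    {"method": "GET", "path": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "headers": {}},
    {"method": "GET", "path": "/item?id=1%27%20OR%20%271%27%3D%271", "headers": {}},
    # Double-encoded copy of the previous payload; caught only because we decode repeatedly.
    {"method": "GET", "path": "/item?id=1%2527%2520OR%2520%25271%2527%253D%25271", "headers": {}},
    {"method": "POST", "path": "/transfer", "body": "amount=100&to=acct9",
     "headers": {"Origin": "https://portal.example.com"}},
    {"method": "POST", "path": "/transfer", "body": "amount=100&to=acct9",
     "headers": {"Referer": "https://portal.example.com.evil.net/lure"}},
    {"method": "POST", "path": "/transfer", "body": "amount=100&to=acct9", "headers": {}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, reason = inspect(req)
        print(f"{verdict:5} {req['method']} {req['path']}  {reason}")
```

The origin check compares scheme and host rather than using a string prefix, which is why the lure page on `portal.example.com.evil.net` is rejected; a prefix test would have let it through.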
4. THE COMPLIANCE CONUNDRUM
Data protection laws and regulations can be onerous, and our reaction to them is often to lock everything down to within an inch of its life.
If something is so complex to use because it has been made extremely secure, then it won't be used; it may even drive some clever employees to circumvent the security in order to use it.
This is a situation that can result in poor practices which take you outside of the compliance requirements.
Sometimes this issue can be resolved through user awareness and understanding of how the security measures operate.
But often it is the security measures themselves that diminish productivity and create working practices that are themselves insecure.
Getting the balance right will prevent accidental compliance mistakes, which is why USP SES places so much emphasis on the seamless and usable design of its administration console and the solutions that can be realized with it.
Encouraging administrators to administer security properly reduces mistakes and encourages good practice.
5. Security + Usability = Good Design
USP SES encompasses a state of the art Web Application Firewall, Single Sign On, federation and all aspects of these, including authorization and authentication options.
Using a holistic approach to security, whilst encouraging usable systems for administrators applying the security settings and those using them, you can ensure that you have a best of breed approach to your enterprise security infrastructure.
This balance is achievable, but the right mind-set and the right tools need to be used in equal measure to achieve it. The highly complex extended enterprise demands that we reduce the complexity of the underlying design.
Pulling all of the parts of a robust security strategy together, we need to improve the usability of authentication through SSO or federation while improving its security with a second factor.
Then, with the additional monitoring and threat analysis offered in the WAF component, you have a rich and holistic approach that allows your organization to have security and usability working in harmony.
The bottom line is that if your security seriously impacts usability, then chances are it has not been done correctly, and at worst it can actually make the system you are securing less secure: something no one can afford.
https://www.united-security-providers.ch/