Security should be transparent, but ready when needed

Wednesday, June 12, 2013

Security should be totally transparent for users; this was one of the key messages we discussed last week during the press conference we held with several journalists when launching Eleven Paths. Nowadays users are overwhelmed with technical terms that are hard to understand (VPN, firewall, antivirus, patches, phishing, malware, ransomware, etc.); this frustrates them and, as a result, they tend to ignore any security measures. Security vendors often seem to build products and services only for security specialists or geeks.

Of course we need security products and services for security specialists or geeks, and they will take advantage of those products, but we also need implicit security in any technology, without forcing a user to become a specialist. Criminals know perfectly well that it is easier to target ordinary users (who use online banking, store sensitive information, connect to social networks, etc.) than an enterprise with tons of security specialists.

During the press conference we visually explained this concept with 'The Big Bang Theory' characters: nowadays security is designed for people like Leonard, Sheldon, Howard or Raj, specialists or geeks. But we also want to create products for people like Penny.

I always mention the same example that I learnt from Hugh Thompson's keynote during RSA Conference 2012; he perfectly explains the role of security using an analogy with the asymmetric/uneven bars in artistic gymnastics. There is always a person (known as the spotter) who helps the gymnast jump to the bars, and then the spotter appears or disappears depending on the difficulty of the movement; the spotter is always ready to protect the gymnast when needed:
  • The spotter is continuously adapting to the gymnast's movements
  • The spotter knows the gymnast perfectly and detects when there could be any risk
  • The spotter appears and disappears depending on the gymnast's needs

Security should be like the spotter: transparent, but protecting the user when needed.
