Taking security out of the hands of users

Bruce Schneier found this study of the nature of the insider threat as reported by The Register. Two of the points jump out at me:

  • Two thirds (62 per cent) of those quizzed admitted they have a very limited knowledge of IT Security.
  • More than half (51 per cent) of those polled had no idea how to update the anti-virus protection on their company PC.

Take the second item first: half of those polled have no idea how to update their anti-virus protection. My question is, why should they? Given that a security system is only as good as its weakest link, and that time and time again users are that weakest link, it seems to me that functions like this have to be taken out of end-users’ hands. Signature updates can be scheduled and pushed centrally, with failures reported to IT rather than to the user. Making end-users the security administrators of their own IT assets is a recipe for disaster. Security and identity management solutions, in order to be effective, have to be invisible from the end-user perspective. Like my Mac… they should just work. Despite what a lot of companies think, the majority of users out there are not computer savvy. They treat computers as a necessary tool, not unlike how people treat cars: they get you from point A to point B, and you don’t have to know how they work to drive them. Computers get my draft budget up to finance so my group gets money next year; I don’t want to know how the virus scanner peeks through my inbox looking for bad things. It is irresponsible to put the administration of security and identity management products on the end-user community. Yes, I know that the IT department is understaffed and overworked. Vendors know this too. IT departments have to hold their vendors more accountable: demand solutions that are easier to install and maintain, and seek out products that do not put the administrative onus on the end-user.

The other bullet point is troubling. I don’t have access to the raw data from this study, but I’d love to know how that point was derived: 62% admitted they have a very limited knowledge of IT Security. My first question is: limited knowledge of IT Security administration, or of best practices? Companies need to train their users in safe computing, in how to avoid phishing and other social attacks, not in how to update their anti-virus protection. Knowing which icon to click to start a VPN session does not make the computing world safer for anyone. Teaching people what the little lock in Firefox means and to look for it (with the caveat that the lock only says the connection is encrypted, not that the site on the other end is who it claims to be), teaching them not to disclose their passwords for a candy bar, teaching them that not all websites are full of happy, loving downloads: these things help make users safer. They help make corporate computing environments safer too. (They help make home computing safer as well.) We have trained users over the years to disgorge their username and password into any fields labeled username and password. We haven’t given our end-users a more transparent way to be more secure. We haven’t truly embraced the education and self-assessment side of security and identity management; we need to.

Take security administration and related decisions out of users’ hands. Foster a security-aware culture in the enterprise. Educate users; don’t inundate them with products that throw yet another icon into the system tray. Make their lives simpler, educate them, give them fewer security (administrative) choices, and we will start to find our IT environments safer and more secure.

Identity as an unpatched device

So I am sitting here at the Internet Identity Workshop and so far I’ve been impressed with the quality of the presenters. (I’ll have more on that later.)

I was chatting with Dale Olds from Novell and the following thoughts came up. With the rise of the empowered user, as Doc Searls speaks of, we may be facing a major downside. These concepts of user-centric identity are great… if the user actively manages their identity. What happens when this empowered user isn’t actively managing his or her identity? It seems to me that an inactive empowered user’s identity is equivalent to an unpatched Windows machine. If I am not actively managing my identity, it becomes a great target for not-nice people to do not-nice things.

If we elevate identity to the same status as a domain or a device, then we elevate the responsibility of the identity owners. I, as an identity owner, have to maintain that identity: update privacy choices, demographic and geographic information, and so on. I would say that maybe, just maybe, 5% of the overall web population actively maintain their identities. My grandparents, for example, are not part of that 5%. So of the nearly 1 billion web users out there, there are literally hundreds of millions of identities which will not be actively maintained. An unmaintained identity is a prime target for not-nice people, just as an unpatched machine is.

Will unmaintained identities become weedy vacant lots in the city of the web, which nefarious types can use to their own ends? I think so.

Which means:

  • the default settings for empowered users matter. Whatever an identity is left with when nobody touches it is what the hundreds of millions of unmaintained identities will run with. But who creates these defaults? Communities? Governments? Insurance companies?
  • the tooling for maintaining my identity must be usable by my grandparents. We must not expose the underlying data model to the end user. We have to present identity and identity-related preferences in a way that the most basic users can understand.
  • there needs to be a way to remain un-empowered. A majority of users will not want to actively manage their identity. These people will not manage their identities, and those identities, left unmanaged, will be perfect targets for fraud and other identity crimes.
  • we as an industry have a lot more work to do.
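To make the first two points concrete, here is a small added illustration (my own example, not code from the post, from Novell, or from any identity product) of a disclosure policy built around safe defaults and a user-facing model that hides the underlying data. The attribute names, the three audience levels and the three "simple modes" are all assumptions for the example; the identity with a never-changed policy stands in for the grandparent who will never open a preferences page.

```python
"""Added example: safe-by-default identity disclosure with a simplified
preference layer. Attribute names, audience levels and mode names are
assumptions made for this illustration, not any product's data model."""
from dataclasses import dataclass, field
from enum import IntEnum


class Audience(IntEnum):
    """Who may read an attribute. Lower value = more restrictive."""
    PRIVATE = 0   # the owner only
    CONTACTS = 1  # people the owner explicitly added
    PUBLIC = 2    # anyone


# Hypothetical underlying data model: attribute -> audience.
# An identity whose owner never touches anything runs with exactly this,
# so "unmaintained" means "least disclosure", not "wide open".
SAFE_DEFAULTS = {
    "display_name": Audience.CONTACTS,
    "email": Audience.PRIVATE,
    "phone": Audience.PRIVATE,
    "home_city": Audience.PRIVATE,
    "birth_date": Audience.PRIVATE,
}

# The only three choices a basic user ever sees. Each one maps onto the whole
# data model, so the user never has to reason about individual attributes.
SIMPLE_MODES = {
    "private": {k: Audience.PRIVATE for k in SAFE_DEFAULTS},
    "friends": {k: Audience.CONTACTS for k in SAFE_DEFAULTS},
    "public": {
        **{k: Audience.PUBLIC for k in SAFE_DEFAULTS},
        # Even "public" never publishes the fields most useful for identity theft.
        "phone": Audience.PRIVATE,
        "birth_date": Audience.PRIVATE,
    },
}


@dataclass
class Identity:
    owner: str
    attributes: dict                         # attribute -> value
    contacts: set = field(default_factory=set)
    # Disclosure policy starts from SAFE_DEFAULTS, never from "everything open".
    policy: dict = field(default_factory=lambda: dict(SAFE_DEFAULTS))

    def choose_mode(self, mode: str) -> None:
        """The single preference control offered to a basic user."""
        if mode not in SIMPLE_MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.policy = dict(SIMPLE_MODES[mode])

    def visible_to(self, requester: str) -> dict:
        """Return the attributes `requester` may read under the current policy."""
        if requester == self.owner:
            level = Audience.PRIVATE
        elif requester in self.contacts:
            level = Audience.CONTACTS
        else:
            level = Audience.PUBLIC
        # An attribute missing from the policy is treated as PRIVATE: default deny.
        return {k: v for k, v in self.attributes.items()
                if self.policy.get(k, Audience.PRIVATE) >= level}


def demo():
    """Constructed sample: an owner who has never changed a preference."""
    grandma = Identity(
        "grandma",
        {"display_name": "Grandma", "email": "g@example.invalid",
         "phone": "555-0100", "home_city": "Springfield",
         "birth_date": "1931-05-04"},
        contacts={"grandson"},
    )
    stranger_view = grandma.visible_to("stranger")   # nothing leaks by default
    contact_view = grandma.visible_to("grandson")    # only the display name
    grandma.choose_mode("public")                    # the one choice she might make
    public_view = grandma.visible_to("stranger")     # still no phone or birth date
    return stranger_view, contact_view, public_view


if __name__ == "__main__":
    for view in demo():
        print(view)
```

The two design choices worth noticing are that the default policy is the most restrictive one rather than a convenience setting, and that an attribute the policy does not know about is hidden rather than shown, so adding a new field to the data model can never silently widen what an untouched identity discloses.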
