Let’s Disguise Security as a Better End-User Experience

I wrote this post for information security professionals, including: CISOs, IT Security, and Security Ops.

Over the past couple years, I have been constantly speaking with leaders in security. In fact, I founded a cloud security company called Airpost, which was acquired by Box (NYSE: BOX) in 2015. The issues I saw in security have only been exacerbated over the last couple years. One of these growing issues is: how security is negatively impacting the end-user, your employees.

I’m sure “end-user experience” is NOT something you think of when you hear “information security”. Why is that? Well, because security initially didn’t need to worry about the end-user’s experience. It was voodoo magic that ran in the background and nobody really understood it. But then some people started to understand it and take malicious advantage of that — so security had to evolve. As security evolved, it started to impact the end-user. Employees, who never had to think about security, now have to use VPNs and 2-factor authentication. These employees are trained on complicated corporate security policies, which they are expected to memorize and implement during their daily tasks (yeah, right). Security technology has advanced so far that now one of the biggest threats to data leakage is the employee (recently, a Snapchat employee leaked PII through a simple phishing attack).

Why does this still happen? We have the technology to prevent these types of attacks, yet these leaks occur frequently. Here’s a simple example of how the Snapchat leak could have been prevented: if the Snapchat employee had stored his/her data in a secure cloud storage account, then shared a link to the file (rather than the actual file itself) with the sharing setting of “only people in this company can access the file”, the file wouldn’t have been accessible by this outsider. Simple. (By the way, you can do all of this on Box.)

Employees, the people who have access to your sensitive information, are one of your biggest vulnerabilities. You know this. The problem is these people are bombarded with security training, security protocols, and security technology — all of which are (or at least seem) complicated, hard to remember, and most importantly, unproductive to their actual job!

Think about that. Security is becoming a separate job people have to do, but they don’t get paid for it and they don’t see the value since it’s largely preventative. Security is hard for people to understand and it’s hard for people to perform daily.

Now, what if…security was easy? What if…security helped people get their job done? What if…we could disguise security as a better end-user experience? Guess what, we can — we just have to want to.

I understand there are many different types of security. I’m talking about the security that end-users interface with daily. A great example of this is Data Classification. Think about your Classification policy. How many levels do you have? They probably include: Public, Internal, and Confidential. Some of you may have a really complicated matrix. Now, think about the policies that employees are trained to follow for each Classification level. Can you even remember all the policies without looking at that complicated Data Classification policy document?

Try this: ask 3 employees in your company if they know your Classification levels, then ask them to classify 5 random documents. Do you think they can do it? And even if they can, do they feel like they just wasted their time because they should have been working? The reality is, Data Classification is a method to identify document sensitivity and prevent data leakage, but it rarely impacts your employees’ daily work, so most people completely ignore it.

Data Classification is a great example because it is an area where we can disguise security as a better end-user experience.

I’ll explain how…

Data Classification is determined by the type of information in the document, like PHI, PII, or IP. These types of information are usually found in specific types of documents. For example, for healthcare companies, PHI can be found in files like Blood Tests. Let’s assume that PHI is considered Confidential. So, Blood Tests contain PHI, which is Confidential. Here’s how we can disguise security as a better end-user experience using today’s technology:

1- Store your documents in a secure content manager that has robust APIs, so you can integrate with other solutions (I recommend using Box).

2- Integrate with a content scanning product using APIs. Scan the content of your documents while leveraging simple Natural Language Processing (NLP) and Machine Learning to identify, in this case, Blood Tests.

  • There are many tools to do this, including DLP, CASB, and other startup products. I can recommend some if you’re interested.
  • Important: you’re NOT scanning for specific information/keywords; rather, you’re looking to identify document types, like Blood Tests.
  • By leveraging machine learning, you can lower false positives and expand the scope of information identification by looking at broader heuristics rather than just specific keywords or regular expressions.

3- When a Blood Test has been detected, use the APIs to automatically apply “Blood Test” and “Confidential” to the file metadata.

4- Many DLP and CASB products integrate with Box, and you could leverage the new Box Metadata API integration to do this.

  • I’m not trying to plug Box, it’s just the only product that can do this right.

5- Optionally, you can ask the user to confirm, “Is this a Blood Test?”, which is much easier than asking “Is this file Confidential?”.

6- Build automatic policies that are triggered from Data Classification. For example, if a file is Confidential, the public link should be disabled (Snapchat wishes they had this).
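As an added example (not code from this post, and not Box’s API), here is a minimal end-to-end version of steps 2 through 6 in Python: a tiny naive Bayes document-type model trained on a constructed corpus stands in for the NLP/ML scanner, and an in-memory file record stands in for the content manager’s file object and metadata API.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training corpus standing in for the NLP/ML document-type model (step 2).
TRAINING = [
    ("blood_test", "patient hemoglobin hematocrit platelets wbc rbc reference range mg/dl"),
    ("blood_test", "lab report specimen cholesterol glucose hdl ldl result flag high low"),
    ("memo", "team meeting agenda notes quarterly goals follow up action items"),
    ("memo", "reminder office policy update please review thanks"),
]
# Document type -> classification level: Blood Tests contain PHI, which is Confidential.
CLASSIFICATION_OF_TYPE = {"blood_test": "Confidential", "memo": "Internal"}
# Classification level -> sharing policy; Confidential files may not carry a public link (step 6).
POLICY = {"Confidential": {"public_link": False}, "Internal": {"public_link": True}}

def tokens(text):
    return re.findall(r"[a-z0-9/]+", text.lower())

def train(corpus):
    """Multinomial naive Bayes (add-one smoothing) over whole-document word profiles, not single keywords."""
    counts, docs = defaultdict(Counter), Counter()
    for label, text in corpus:
        docs[label] += 1
        counts[label].update(tokens(text))
    vocab = {t for c in counts.values() for t in c}
    return counts, docs, vocab

def predict_type(model, text):
    """Return the document type with the highest log-probability for this text."""
    counts, docs, vocab = model
    best, best_lp = None, -math.inf
    for label in docs:
        total = sum(counts[label].values())
        lp = math.log(docs[label] / sum(docs.values()))
        for t in tokens(text):
            lp += math.log((counts[label][t] + 1) / (total + len(vocab)))
        if lp > best_lp:
            best, best_lp = label, lp
    return best

def classify_and_enforce(model, file_record):
    """Steps 3 and 6 on a constructed in-memory file record: tag type and level, then apply the sharing policy."""
    doc_type = predict_type(model, file_record["content"])
    level = CLASSIFICATION_OF_TYPE[doc_type]
    file_record["metadata"] = {"document_type": doc_type, "classification": level}
    if not POLICY[level]["public_link"]:
        file_record["shared_link"] = None  # disable the public link on Confidential files
    return file_record
```

The user never sees a classification prompt: the file simply gains a “document_type” tag they can search on, while the public link on the Confidential file is removed behind the scenes.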

In this example, the end-user was not impacted at all, and data security was enhanced by removing the dependency on manual processes. The document was scanned, marked, and policies were applied automatically. In addition, the identification of content type (i.e. Blood Test) actually added value to the end-user by enabling better search and organization of their content! By combining various technologies, we can disguise security as a better end-user experience. The end-user sees this as helping them manage their content by identifying document types, while at the same time, security is being enhanced through automated policies.

The purpose of this example is to illustrate how we can re-think existing processes and combine them with modern technology to enhance both security and the user experience.

MY ASK TO YOU:

1- Think of ONE security policy/process in your company that has negatively impacted your employees.

  • Tip: think about something that the company has been doing for a long time, and nobody has ever thought to change it.

2- How can you use technology available today to enhance both the effectiveness and the user-experience of that policy/process?

3- Tell me about it! Message me or comment below.

PS. Even if you’re not a security professional, tell us about a security process that has negatively impacted you at work.

PPS. You can find me on LinkedIn: https://www.linkedin.com/in/navidnathoo