User Experience: Achieving Performance and Security

Slow or inconsistent devices are the bane of a user’s existence. It’s understandable, as these types of experiences inhibit the user’s ability to be productive. But, a compromised user poses greater risks to the organization than a non-productive one, right? That’s the paradoxical battle security teams find themselves in as they attempt to keep pace with today’s changing threat landscape.

In a post-Spectre/Meltdown world, a sort of adversarial relationship has developed between the security team and the end user support team. Organizations struggle to make decisions about vulnerabilities and patching because of the impact those decisions will inevitably have on performance. It’s a challenge set to get even more interesting with the end of life of Windows 7, and the move to “evergreen IT” and always updated software with Windows 10.

Even the White House is challenged with end users tweeting from an unsecured phone, a choice that is ostensibly insecure but far easier to manage than the highly secured devices issued by the Secret Service. Tal Klein, CMO at Lakeside Software, said this is the situation that many companies are facing today: a battle to paradoxically provide both usable and secure end user computing environments.

They Will Circumvent Security

While security teams are armed with an arsenal of endpoint security solutions, any solution that doesn’t take into consideration the user experience as a primary measure of success is doomed to fail. “Most technically savvy users will circumvent security controls,” Klein said. “We’ve seen a significant rise in endpoints that are on the corporate network tethered to hotspots.”

“According to our SysTrack Community data, the average enterprise endpoint in organizations greater than 5,000 employees has over seven security agents on it. The most commonly deployed endpoint security agents are antivirus and firewall, followed by DLP, VPN, encryption, whitelisting, e-Discovery collectors, remediation tools, forensic tools, SIEM sensors and so on.”

Users will log in as a local administrator to avoid dealing with all the obstacles that company policy forces onto their desktop. Instead of joining the network as an employee, they join as a guest, which Klein said represents a greater threat to the overall security posture than the security tools put in place to reduce the attack surface were meant to address.

Giving Equal Priority

A lax security policy will likely provide insufficient protection; however, one that overreaches often results in increased support issues and under-resourced endpoints that could grind end user productivity to a standstill, according to Klein.

“Although end user computing and information security teams both co-exist in the IT organization, the cyberattack landscape has created a divide between them,” he said.

To avoid compromising productivity in the name of security, base each decision on an awareness not only of a tool’s individual impact but also of the cumulative impact of every agent already on the endpoint. Without a fundamental understanding of the impact on end user experience, implementing new security solutions will inevitably exacerbate this already challenging issue.

“Unfortunately in many cases, security tools’ protective benefits come at the cost of system performance. It’s a catch-22 in many ways: The IT staff is trying to optimize for security and productivity, but reduced security and deteriorated productivity are both unacceptable outcomes,” Klein said.

Both security and performance should be given equal priority, which means as end user computing leaders define “acceptable user experience,” information security leaders need to define their organization’s “acceptable risk.”

How to Optimize Both Security and Performance

Communicating expectations to business users is the first step in getting them on board with security objectives. What does this look like in practice? Let’s say the organization has implemented a new data loss prevention (DLP) tool.

First, it’s critical that the team deploying a tool understands how it will interact with the other IT-deployed software already on the endpoint. Measuring only the new tool’s impact on productivity, with no visibility into the cumulative impact on the desktop user’s workflow while the other software is active, can also hinder usability.

Then, let business users know, “We now have a new DLP, and here is what you should expect in terms of how it will impact your user experience. These are the benefits to you and to the business of having it on.”

“By inviting users to be part of the conversation and explaining the performance impact, they understand the benefit of the tool, and they will be less likely to try and bypass it,” said Klein.

The way most security teams think of users is analogous to wardens and prisoners. “I think the ideal shift would be more towards cops and citizens. The super ideal would be like crossing guard and pedestrian, but IT can’t be that hands-off,” Klein said.

Kacy Zurkus

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.