Slow or inconsistent devices are the bane of a user’s existence. It’s understandable, as these types of experiences inhibit the user’s ability to be productive. But a compromised user poses greater risks to the organization than a non-productive one, right? That’s the paradoxical battle security teams find themselves in as they attempt to keep pace with today’s changing threat landscape.
In a post-Spectre/Meltdown world, a sort of adversarial relationship has developed between the security team and the end user support team. Organizations struggle to make decisions about vulnerabilities and patching because of the impact those decisions will inevitably have on performance. It’s a challenge set to get even more interesting with the end of life of Windows 7, and the move to “evergreen IT” and always updated software with Windows 10.
Even the White House is challenged with end users tweeting from an unsecured phone, a choice that is ostensibly insecure but far easier to manage than the highly secured devices issued by the Secret Service. Tal Klein, CMO at Lakeside Software, said this is the situation that many companies are facing today: a battle to paradoxically provide both usable and secure end user computing environments.
They Will Circumvent Security
While security teams are armed with an arsenal of endpoint security solutions, any solution that doesn’t take into consideration the user experience as a primary measure of success is doomed to fail. “Most technically savvy users will circumvent security controls,” Klein said. “We’ve seen a significant rise in endpoints that are on the corporate network tethered to hotspots.”
“According to our SysTrack Community data, the average enterprise endpoint in organizations greater than 5,000 employees has over seven security agents on it. The most commonly deployed endpoint security agents are antivirus and firewall, followed by DLP, VPN, encryption, whitelisting, e-Discovery collectors, remediation tools, forensic tools, SIEM sensors and so on.”
Users will log in under a local admin to avoid having to deal with all the obstacles that company policy is forcing them to have on their desktop. Instead of joining as an employee, they are joining as a guest, which Klein said represents a greater threat to the overall security posture than the security tools that are put in place to reduce the attack surface.
Giving Equal Priority
A lax security policy will likely provide insufficient protection; however, one that overreaches often results in increased support issues and under-resourced endpoints that could grind end user productivity to a standstill, according to Klein.
“Although end user computing and information security teams both co-exist in the IT organization, the cyberattack landscape has created a divide between them,” he said.
To avoid compromising productivity in the name of security, make a decision based on an awareness not only of the individual impact but also the cumulative impact. Without having a fundamental understanding of the impact on end user experience, implementing new security solutions will inevitably exacerbate this already challenging issue.
“Unfortunately in many cases, security tools’ protective benefits come at the cost of system performance. It’s a catch-22 in many ways: The IT staff is trying to optimize for security and productivity, but reduced security and deteriorated productivity are both unacceptable outcomes,” Klein said.
Both security and performance should be given equal priority, which means as end user computing leaders define “acceptable user experience,” information security leaders need to define their organization’s “acceptable risk.”
How to Optimize Both Security and Performance
Communicating expectations to business users is the first step in getting them on board with security objectives. What does this look like in practice? Let’s say the organization has implemented a new data loss prevention (DLP) tool.
First, when deploying a tool, it’s critical that the organization understands how it will interface with other IT-deployed software. Measuring only the tool’s own impact on productivity, with no visibility into the sum of the impact on the desktop user’s workflow when other software is active, can also hinder usability.
Then, let business users know, “We now have a new DLP, and here is what you should expect in terms of how it will impact your user experience. These are the benefits to you and to the business of having it on.”
“By inviting users to be part of the conversation and explaining the performance impact, they understand the benefit of the tool, and they will be less likely to try and bypass it,” said Klein.
The way most security teams think of users is analogous to wardens and prisoners. “I think the ideal shift would be more towards cops and citizens. The super ideal would be like crossing guard and pedestrian, but IT can’t be that hands-off,” Klein said.