Security Should be Simple For the End-User?

3/9/2021

person using phone with lock icon on it in front of laptop

"I wish it were easier to turn on security," grunted my wife through gritted teeth as she tried to configure some security feature in yet another app on her laptop. We can probably all sympathize: if you want to add security to an application, you have to do work upfront and every time you use it.

Generally, ease of use and strong security fall at different ends of a continuum. That means that we have to trade simplicity for lack of security. A trivial example is a password: a single-character password is surely easier than a complex random 14 character password with upper and lower case letters, and so forth. Of course, the former is not really at all secure, but it is easy to use.

Ease of Use and Security scale line graphic

Fortunately, some vendors have begun to recognize this. Phones can now be unlocked by fingerprint or via facial recognition, for example. That's simple, and it is far better than nothing. Few folks balk at the enrollment effort for facial recognition on their phone, but many found the issues with trying to access the device while wearing a mask to be a separate challenge.

But faces and phones are a consumer mass-market segment of the much broader overall cybersecurity space. If securing data in the cloud were just as easy, we would not be hearing about exposed cloud data so often. In that particular case, security had to be turned off for the vulnerability to exist. That is becoming more common, but existing belt-and-braces support tools may not be.

And small and medium business (SMB) software (the type of tool my wife was configuring) often lacks the enterprise configuration tools of, say, a large cloud provider. That's reasonable as the users would not know how to use the complex tools. But, in those cases security must be the default.

Another comment my wife made was that she did not want to need to know how things work inside an application in order to secure things. We sometimes think that a user who wants to work in a secure environment knows the details about what that means in good detail. Not all do, of course, especially outside the enterprise space. Most such users have little or no knowledge of access control mechanisms, default file permissions, or encryption techniques, even if their systems use them behind the scenes.

Most SMB users will seldom need to reduce a device or application's overall security or even specific security settings. Therefore, the settings should be reasonably strong and the users should b warned if they try to weaken settings. Most are more likely to accidentally change a meaningful setting than to change it intentionally. In that case, the security warning would be a failsafe or backstop.

The basic idea is to protect user/administrators not only from evildoers but from themselves as well. A major benefit is simpler administration and that is a benefit to small business software owners.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.