Sunday, November 25, 2012

Security and Convenience - The Balance Matters

In our world, where information is the ultimate strategic resource, security is important. Very important. But security usually stands in the way of productivity and convenience.

Take something like strong passwords and the need to change them regularly. We could significantly increase the system security if we mandated very long, strong passwords with 256 characters and if we mandated them to be changed every day. The data would be very safe with these passwords. Of course remembering such passwords would be highly inconvenient, if not impossible, and changing them daily would be annoying. Want even higher security? How about 1024 character long passwords that have to be changed every hour?

Practical security today has to reach a compromise; a balance between security and convenience. We have to keep pushing the barriers on security without annoying users so much that they either give up or develop behavior that actually compromises the security altogether. In my password example above, people would lose productive time every day and they would likely have no choice but to write the password down every morning on a piece of paper kept right next to their monitor. All of those passwords lying around would severely compromise the security of the system which would achieve exactly the opposite from the intended result. If you are interested in learning more about password related challenges, I recommend reading the recent Wired article titled Kill the Password: Why a String of Characters Can’t Protect Us Anymore.

Clearly, there is a constant tradeoff that we have to make between security and convenience. However, not every organization is the same in terms of how strong their security needs to be  and how much inconvenience they can impose on their employees. I often meet customers who are on very different points of the spectrum, from very casual to utterly paranoid.

Of course nobody will admit that they have a casual attitude towards security. However, consider the differences between retail, manufacturing, and, yes, many technology companies which often get by with relatively simple security (I know, there are always exceptions) versus organizations such as military installations, intelligence agencies, and nuclear facilities. These operate on a completely different security level and have no choice but to impose a lot of inconvenience on their employees.

Think about all of the employees working at Internet startups in Silicon Valley and about how much security hassle you could put them through - not much! James Bond, on the other hand, never tires of opening the cafeteria doors using his palm and voice print. Apparently, high security standards come with some jobs (or companies).

What’s important is that one size doesn’t fit all when it comes to security. Different organizations face different security problems and their solutions have to be adjustable. For example, a two-factor authentication may be appropriate in some environments while a biometrics based authentication is a good fit in others.  Getting the balance right between security and convenience is important - the balance matters!

No comments:

Post a Comment