
Security Think Tank: Practical steps to increasing security without reducing usability

How can organisations maintain usability and keep support costs low without compromising on security?

Security is vital for customer-facing organisations, whether they are banks, online retailers, social media sites or other application or service providers. But this has to be balanced with the drive for greater usability, from app interfaces that deliver a nice, slick user experience to simple and effective application programming interfaces (APIs) for partner developers. This means making access to information, experiences and functionality easier, rather than harder.

The challenge jointly facing security teams, UX (user experience) designers and marketing teams is how to bridge these often conflicting requirements. Security architects and CISOs at the forefront of addressing these challenges are investigating the adoption of techniques such as multi-factor authentication based on user behaviour, context, location and device history.

The wider use of advanced monitoring technologies allows ease of use, but also spots fraud or unauthorised access more quickly and builds trust into how systems operate – rather than layering security barriers on top of the core functionality. For example, storing data in encrypted form at the back end protects it from attack or theft, while decrypting it close to the end-point display still meets the need to process, search and operate on it.

So, what might this look like in practice? It means having the ability to understand the ways that users interact with systems through the websites and app interfaces that form the front door to the business. Some of these techniques are already starting to be used. For example, authentication can be required for activities that involve accessing data or account details, but not for browsing items or adding things to a basket.

Similarly, transfers of funds between a user’s accounts or past payees may be allowed, but setting up new payments or connecting a new device or browser will force the need for secondary authentication.

There are more evolved examples where the pattern of use or activity is “learned” and forms part of the security authentication and decision-making process. Factors taken into account could include the wireless networks a user connects from, frequent locations visited or stores used regularly for purchases and payments.
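As an added illustration (not code from the article or the IISP), the following Python sketches a step-up policy that encodes the rules above: low-risk actions need no login, account actions need a session, new payees or new devices always need a second factor, and an unfamiliar context (device, network, location) learned from the user's history raises the bar. All action names, fields and the risk threshold are assumptions.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical policy engine; action names are assumptions.
LOW_RISK_ACTIONS = {"browse", "add_to_basket"}          # no login needed
SESSION_ACTIONS = {"view_account", "transfer_own_accounts", "pay_known_payee"}
STEP_UP_ACTIONS = {"add_payee", "register_device"}      # always a second factor


@dataclass
class UserHistory:
    """Context the system has 'learned' from past successful authentications."""
    known_devices: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)
    known_locations: set = field(default_factory=set)


@dataclass
class Request:
    action: str
    authenticated: bool   # does the caller hold a logged-in session?
    device_id: str
    network: str
    location: str


def context_risk(req: Request, history: UserHistory) -> int:
    """Score 0..3: one point for each context factor not seen before."""
    return sum([
        req.device_id not in history.known_devices,
        req.network not in history.known_networks,
        req.location not in history.known_locations,
    ])


def decide(req: Request, history: UserHistory, risk_threshold: int = 2) -> str:
    """Return 'allow', 'login' (needs a session) or 'step_up' (needs a second factor)."""
    if req.action in LOW_RISK_ACTIONS:
        return "allow"
    if not req.authenticated:
        return "login"
    if req.action in STEP_UP_ACTIONS:
        return "step_up"
    if req.action in SESSION_ACTIONS:
        # Familiar context: the session is enough. Unfamiliar context: step up.
        return "step_up" if context_risk(req, history) >= risk_threshold else "allow"
    return "step_up"  # unknown action: fail closed


def record_success(req: Request, history: UserHistory) -> None:
    """After a successful step-up, learn the context so it is familiar next time."""
    history.known_devices.add(req.device_id)
    history.known_networks.add(req.network)
    history.known_locations.add(req.location)
```

The threshold is the tuning knob between usability and friction: lowering it challenges more sessions, raising it trusts partial familiarity.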


We are also seeing a rise in the use of behavioural, machine learning and automation technology in back-end security processes – not necessarily to improve the usability and attractiveness of solutions for security teams, but rather to automate manual processes and gather data around alerts, incidents and breaches. This moves us to a point where some analysis and decision making can be undertaken by the security systems themselves.

This does not mean fewer security professionals will be required, but it does mean they can work more efficiently and focus on understanding what has actually happened, rather than manually having to gather data from different sources for corroboration of evidence.

In some respects, these techniques are pioneering and novel – but security teams don’t have the ability to say “no” to the business in the modern world.

The result is that innovation is pushing the boundaries of what security technologies and businesses need to deliver beyond asking users for passwords and looking for formulaic network-based attacks.

You cannot slow down or impede legitimate users too much, because this will act as a deterrent. Likewise, if your operations function gets better at spotting attacks – for example, as a result of investments in detection systems – you cannot then fail to deal with that heightened volume of alerts, or allow response times for investigation, disinfection or remediation to slip.

Amanda Finch is general manager of the Institute of Information Security Professionals (IISP).
