“There’s an app for that!”
Popularized by Apple in 2008, this catchphrase indicates how ubiquitous mobile applications were becoming. From reading the news to starting your car, tracking exercise to finding a new job, we live in an app-driven culture.
Increasingly, enterprises rely on mobile and web applications to get business done. Critical business is now performed exclusively in applications like Salesforce, SAP, Siebel, Netsuite, and PeopleSoft.
As enterprises accelerate their use of applications to share information, they often put that information at risk. Threats are everywhere, including system breaches, phishing attacks, and the work of malicious insiders.
How can an enterprise move forward in our app-driven culture without being overwhelmed by risk?
Improving user experience may be the key to reducing risk and increasing security.
Data, Information, and Applications
I define information as ‘data with context and value.’ Data is just a series of 1’s and 0’s. When you add the context of what that data means, the data can have value.
We build applications to provide context and intelligence, allowing individuals to access information — not data. As the pace of business increases, more access leads to more value creation. Similarly, more applications (and more access) means more potential value.
While more applications and access — from anywhere, on any device — creates value, it also increases risk.
Applications and Risk
A common way to think about security and risk is the “CIA” triad. Confidentiality, Integrity, and Availability are the three main components to consider when thinking about the risks present to information. Some examples of how applications affect each part of the CIA triad:
Confidentiality: Increasing access to information creates value. It also creates risk, by making information more accessible and less confidential.
Integrity: If the application allows changing information, the information’s integrity may also be at risk.
Availability: Applications can also put the availability of information at risk, through denial-of-service or similar attacks.
In addition, there is always the potential of bad user actions. Whether intentional or unintentional, user application behavior may also increase risk.
It is unrealistic, unnecessary, and not generally effective to reduce risk by limiting (or eliminating) access to applications. Putting up walls just keeps people from getting their work done and from creating value in the organization. It also creates discord between value creators and information protectors.
Smart people find a way to get their jobs done. How, then, can we reduce risk while continuing to create value?
Consider the importance of focusing on user experience and information architecture.
At 10Pearls, we place an emphasis on creating an enjoyable user experience by enabling users to navigate to the most important content and functionality in as few clicks or taps as possible. To build the best experience, we create optimized workflows for the most frequently used feature sets, design intuitive navigation paths, and take advantage of interface-specific features.
We do this with both hands-on experience and the use of carefully selected tools. There are tools for performing A/B or split testing to compare designs for effectiveness. Other tools can record user interactions and experiences to create analytics and capture errors. Still other tools capture user feedback while the application is in use.
It is incredibly powerful to understand where people are looking, where they are clicking, and what paths they are taking through an application. With this insight, you can reduce friction and create the best experience. Knowing how people use applications also helps you understand which information should be protected. And when something goes wrong during testing, it is valuable to know where in the application someone was and what they had clicked on to cause the error.
Can we reduce risk by improving user experience?
A key to improved user experience and reducing risk is the use of non-intrusive tracking and monitoring capabilities.
For example, consider an application that shares two types of information: basic and sensitive. Tracking reveals that 85% of application users only access the basic information on a daily basis. The other 15% need daily access to the sensitive information. This can inform our user experience in a few ways:
- We can create different user types. Then, those that do not need access to the sensitive information can’t retrieve it.
- We can change flows through the application to make it easy to get access to sensitive information only if needed. And make sensitive information harder to access otherwise.
- We can help users understand the potential consequences of their actions. Give them steps they must acknowledge to access sensitive information or execute risky operations. We can also record these riskier operations for further review without overloading our systems or administrators.
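The three ideas above (separate user types, a deliberate acknowledgement step in front of sensitive information, and recording only the riskier operations) can be combined in one small access layer. The following is an added illustration, not 10Pearls code or any product's API; the two sensitivity tiers follow the post, while the record names, role names, and the class and function names are constructed for the example.

```python
"""Added illustration (not 10Pearls code): tiered access with an
explicit acknowledgement step and an audit trail that records only
the sensitive and risky operations, so the common low-risk path stays
frictionless and the log stays small enough for a human to review."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# Constructed sample records, one per sensitivity tier named in the post.
RECORDS = {
    "office-hours": {"tier": "basic", "value": "9:00-17:00"},
    "payroll-2024": {"tier": "sensitive", "value": "[payroll figures]"},
}

# Constructed user types. Anything not listed here is denied by default.
ROLE_TIERS = {
    "standard": {"basic"},
    "privileged": {"basic", "sensitive"},
}


class AccessDenied(Exception):
    """The user's type does not include this tier of information."""


class AcknowledgementRequired(Exception):
    """The UI must present the consequences and collect an acknowledgement first."""


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    action: str
    record: str
    outcome: str


@dataclass
class AccessService:
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, user: str, role: str, action: str, record: str, outcome: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action, record, outcome))

    def _check(self, user: str, role: str, record_id: str, action: str, acknowledged: bool) -> str:
        tier = RECORDS[record_id]["tier"]
        if tier not in ROLE_TIERS.get(role, set()):
            # A denied attempt on the sensitive tier is exactly what a reviewer wants to see.
            self._record(user, role, action, record_id, "denied")
            raise AccessDenied(f"{role!r} users cannot {action} {tier} records")
        if tier == "sensitive" and not acknowledged:
            # Extra step on the sensitive path only: the 85% basic path never hits this.
            raise AcknowledgementRequired(f"acknowledge consequences before {action} of {record_id}")
        return tier

    def read(self, user: str, role: str, record_id: str, acknowledged: bool = False) -> str:
        tier = self._check(user, role, record_id, "read", acknowledged)
        if tier == "sensitive":
            # Only sensitive reads are logged; basic reads generate no audit noise.
            self._record(user, role, "read", record_id, "allowed")
        return RECORDS[record_id]["value"]

    def delete(self, user: str, role: str, record_id: str, acknowledged: bool = False) -> bool:
        # Deletion is a risky operation regardless of tier: it always needs an
        # acknowledgement and is always recorded for later review.
        tier = self._check(user, role, record_id, "delete", acknowledged)
        if not acknowledged:
            raise AcknowledgementRequired(f"acknowledge consequences before deleting {record_id}")
        self._record(user, role, "delete", record_id, f"allowed ({tier})")
        return True


if __name__ == "__main__":
    svc = AccessService()
    print(svc.read("alice", "standard", "office-hours"))          # frictionless basic path
    print(svc.read("bob", "privileged", "payroll-2024", acknowledged=True))
    for event in svc.audit_log:
        print(event)
```

The point of the design is where the friction sits: a standard user reading basic information never sees a prompt and never creates a log line, while every sensitive read, every denied attempt on sensitive data, and every deletion produces one audit record and (for allowed operations) one acknowledged prompt.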
By ensuring a smooth experience for the common, good, low-risk paths, we reduce the likelihood of accidentally straying into riskier behavior. And by ensuring the experience informs users of the potential consequences, we help increase awareness.
Tracking and monitoring tools can continue to have value outside of the user experience development as well. They can be leveraged to alert not just in the case of an error, but also in the case of unexpected or unusual behavior. Wouldn’t it be nice to know if someone has been clicking buttons madly for an hour, or if they did something that caused a file to be deleted?
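The two alerts the paragraph asks for, a user "clicking buttons madly" and an action that deleted something, can be expressed as simple rules over the interaction events the monitoring tools already collect. The block below is an added example and not any vendor's tool; the event lines are constructed sample telemetry, and the field layout (ISO timestamp, user, action), the one-minute window and the five-action threshold are assumptions chosen for the illustration.

```python
"""Added example (not 10Pearls or ObserveIT code): two detection rules over
interaction events. One flags a burst of actions by a single user inside a
sliding window; the other flags any action on a configurable risky list
(here: delete). Event format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: "<ISO timestamp> <user> <action>".
# alice fires six clicks in 25 seconds, bob deletes something, carol is normal.
SAMPLE_EVENTS = """
2024-03-01T09:00:00 alice click
2024-03-01T09:00:05 alice click
2024-03-01T09:00:10 alice click
2024-03-01T09:00:15 alice click
2024-03-01T09:00:20 alice click
2024-03-01T09:00:25 alice click
2024-03-01T09:05:00 carol view
2024-03-01T09:12:00 bob delete
2024-03-01T09:30:00 carol view
2024-03-01T09:45:00 carol view
""".strip().splitlines()

Event = Tuple[datetime, str, str]


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed line format; malformed lines are skipped rather than crashing."""
    events = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue
    return events


def detect_anomalies(events: List[Event],
                     burst_threshold: int = 5,
                     window: timedelta = timedelta(minutes=1),
                     risky_actions: Tuple[str, ...] = ("delete",)) -> List[Dict[str, object]]:
    """Return alerts in timestamp order. A burst alert fires once when a user's
    action count inside the sliding window first reaches the threshold, and
    re-arms only after the count drops below it again."""
    alerts: List[Dict[str, object]] = []
    recent: Dict[str, deque] = defaultdict(deque)   # per-user timestamps inside the window
    burst_open: Dict[str, bool] = defaultdict(bool)  # per-user "already alerted" state

    for ts, user, action in sorted(events, key=lambda e: e[0]):
        if action in risky_actions:
            alerts.append({"kind": "risky_action", "user": user, "at": ts, "detail": action})

        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()

        if len(q) >= burst_threshold and not burst_open[user]:
            burst_open[user] = True
            alerts.append({"kind": "burst", "user": user, "at": ts,
                           "detail": f"{len(q)} actions within {int(window.total_seconds())}s"})
        elif len(q) < burst_threshold:
            burst_open[user] = False
    return alerts


def run_sample() -> List[Dict[str, object]]:
    return detect_anomalies(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['at'].isoformat()} {alert['kind']:<12} {alert['user']:<6} {alert['detail']}")
```

Running it on the constructed sample yields exactly two alerts: a burst for alice at her fifth click and a risky-action alert for bob's delete; carol's three spaced-out views produce nothing, which is the intended behaviour for the ordinary path.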
What is your user experience?
Are you using an application that makes you click way too many times to get to the information you need? Do you see information that you know you probably shouldn’t? Is it too easy to export the company’s secret formula using the same application you use to enter your timesheet?
Reducing risk in applications begins with a great user experience. Getting the user experience right means gaining visibility into how people use the system. What are you waiting for?
Join me for a panel discussion on how to operationalize these ideas, as part of a broader conversation about automating visibility into critical applications, on Thursday March 26th. The discussion will occur live at 1pm Eastern (1700 UTC) and is hosted by SANS Institute and ObserveIT. You can register for the panel here: https://www.sans.org/webcasts/live-panel-discussion-risk-data-exposure-application-usage-99427