
Zero Overhead Security

Perhaps the biggest challenge in Information Security today is usability. However good the cryptography is, it does no good unless the user is prepared to actually use it.


Everyone agrees that usability is good, but very few people agree on what usability is. And no, the answer is not 'get a Mac'. I do have a MacBook Air, and I like the hardware, but I don't see a tremendous difference in usability between OS X and Vista. And neither system allows me to send secure email with the same ease of use as insecure email.


Usability testing is a great way to determine user acceptance. It delivers an impressive return on investment for vendors because the laboratory testing conditions almost precisely match the conditions in the salesroom and, to a lesser extent, the kind of testing a reviewer performs. But laboratory tests are not very effective at determining how users will behave six months later, after using a system every single day.


Folk tell me that if you take 60 confused users, split them into three groups of 20 and show each group a different security interface, they are all still confused. Well, what did they expect?


And so for the past few months I have been thinking about ways to avoid the need for such testing by raising the bar for security designers. We don't need to rely on security usability testing if we can add security to a system without affecting the user experience at all.


SSL is the most successful security protocol today, precisely because it is so easy to use. Visiting a secure site takes no more user effort than visiting an insecure site.


At first I was thinking of calling this approach 'zero impact'. But that does not capture the full set of requirements, as there are situations in which we want a security system to change the user's behavior. 'Zero impact' implies that the user will never notice anything. This is one of the chief drawbacks of SSL today: the user may not notice anything at all. Hence the move to Extended Validation certificates and the 'green bar' experience.


So instead I am thinking that 'Zero Overhead' is a better description of what I think we need to achieve:

  • Configuration of the security system should be entirely automatic.
  • A security control is 'zero overhead' with respect to a particular task if and only if the number and complexity of the user interactions required to perform the task under the security control are no greater than they were without the security control.
  • The user should be provided with all the necessary and available information required to make a decision that has security consequences.

In other words, security should work in the application 'out of the box'. It should not be necessary for the user to register for a client certificate, much less renew it every year. Nor should the user be tasked with configuring webs of trust or choosing their roots of trust. If a protocol requires these features, they MUST be performed transparently, without user intervention.


I believe that the last criterion is also essential, but I have not quite decided whether it is a separate criterion or a subordinate one. Too often the user is not given the information they need to do a job securely, and 'usability' is given as the excuse. Should this be part of the 'zero overhead' criterion, or is 'inform the user' a separate criterion?
