RSAC 2018 - Year of the User: Designing Effective Security UX & Software Security Maturity
The RSA Conference in San Francisco is one of those seismic events in information security that you can count on every year. Vendors plan launches; practitioners plan evasion tactics for the expo floor; analysts plan meetings; and journalists brace themselves for … well, nobody’s sure, but there’s always something.
What’s going to be in the word cloud this year? We were hearing (and leading) more discussions around the BeyondCorp security model last February, and there will doubtless be greater attention on it this April, as organizations try to solve the problem of the “crunchy outside and soft, gooey inside.”
In a similar vein, we expect to see a renewed spotlight on identity, whether or not you consider it to be the “new perimeter.” In an environment where the only difference between work and home rests on which login name you type into a third-party SaaS application, you can’t escape the topic.
After years of password dumps, account takeovers and PII breaches, one thing is certain: the password has become Public Enemy Number One. With the benefit of 20/20 hindsight, it was probably not a good idea to rely on human memory as the main authentication factor, but it was cheap and freely available at the time.
As companies start to explore the concept of “passwordless” authentication, we’ll see whether we can eliminate “something you know” from the roster, or whether we end up squeezing the balloon and dealing with a different topology without raising the actual security level. In the meantime, the password manager is an interface that shields users from the malignant growth of password strings by generating new, unique passphrases, and we will probably see increased complexity along with the effort to make it more transparent.
As the consumerization of IT grows, it may soon be time to declare the Year of the User. Customers who are used to slick, entertaining UX designs are less willing to put up with enterprise-grade, get-the-job-done interfaces.
At some point, they will push back on being blamed as the weakest link, and will demand better security in applications without having to be “educated” until their ears bleed just to be able to get their work done. The RSAC talk by Duo’s own Advocacy Manager, Zoe Lindsey, addresses this topic: ‘The System... is People!’: Designing Effective Security UX. If you want a sneak peek, take a look at her webinar.
The flip side of making software more usable for people is making it more secure so they don’t have to worry about it. Many programs tend to focus on the OWASP Top Ten because it’s well-defined and finite — but potential flaws are infinite; you need a maturity program that takes into account your whole production stack, including frameworks, platforms, languages and libraries. Mark Stanislav and Kelby Ludwig are going to lay down some Duo truth tracks in their talk, Realizing Software Security Maturity: The Growing Pains & Gains. And because dog food can be pretty tasty if you do it right, Chris Czub will be talking about how Duo does its own corporate security: Corpsec: What Happened to Corpses A and B?
Just when you think this is all too much, remember that we can face it together. Sharing information, even on a one-to-one basis, helps the security industry as a whole. Join us at our booth (#1427) to hear about our latest features and pick up some swag. We look forward to hearing what you have to say about this year’s state of security.