Simplified Security: Avoiding the ‘Expense in Depth’ Phenomenon
What exactly does it take for people to start taking security seriously?
- A mass revelation that the U.S. government was spying on citizens for decades
- Further revelations that certain major corporate entities were assisting with such efforts
- What appears to have been a steady string of high-profile data breaches
Part of the challenge is ensuring that security is accessible and simple enough to use - two of the major barriers to adopting security measures are usability and deployability. If security = lots of time, money and effort to get it implemented + difficult to use, then no one will use it, and as a result, no one will be secure.
It’s the same old story, but it still rings true. In a way, it’s driving the commodification of security products in an effort to reach a larger market: organizations of all sizes that need an affordable and simple solution to the new threats introduced by mobile and cloud.
But that introduces a new paradigm of industry profiteering turned security strategy - the idea of Defense in Depth. It can be an effective approach to security, but only if product value and effectiveness are weighed against cost and usability.
Global research and advisory firm Forrester Research writes about this phenomenon on its Tech Management/Security & Risk Professional blog, dubbing it Expense in Depth: the multilayered approach to ensuring minimal return on investment. More often than not, we get diminishing returns on each additional investment because the solutions we choose aren’t providing the security we need.
But some are striving to simplify security and make it work for everyone - one example is Google’s new End-to-End Chrome browser extension, which provides end-to-end encryption: data that leaves your browser stays encrypted in transit across every server and network it traverses until your recipient decrypts the message locally, and vice versa.
As Google’s Online Security blog states, the reasoning behind the extension was to make this specific kind of encryption easier to use, since existing tools require more technical knowledge and manual effort - “...we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.” - Stephan Somogyi, Product Manager, Security and Privacy.
Currently in alpha, the extension’s code was made available to the public with an open call for security testing, to ensure the extension is secure enough to protect “at-risk groups that may not be technically sophisticated - journalists, human-rights workers, et al,” as Google stated in the extension FAQ, along with a request that developers not take the code, build it, and submit it prematurely to the Chrome Web Store.
By introducing security in a way that uses something already familiar to most users (a browser extension - easy to set up and start using quickly), Google is headed in the right direction in packaging and delivering security in a more palatable way. Security shouldn’t be difficult and cumbersome for your users, nor require a lot of resources to set up.
Similarly, here at Duo, we’ve built an authentication solution that’s easy to use and implement by design, in an effort to make two-factor painless - by integrating the approval step of authentication with something most users already use on a daily basis (their smartphones), we’ve made security intuitive and fast for even the most non-technical user. Find out more in our Product Tour.