Security vs Usability – Paper I Wrote

Here’s an 8-page paper I wrote for a systems administration class. The assigned topic was “security vs usability.”

Abstract

In the field of information technology, usability and security are often seen as opposites where an increase in one comes at the expense of the other. Systems administrators must learn to strike a balance between the two. Where other people are concerned, too-stringent security policies can drive them to circumvent or ignore the policies, while lax policies can create organizational vulnerabilities. Newer technologies such as password managers and two factor authentication can increase security while remaining user friendly. Configuration managers, patch management systems, and automation frameworks assist a systems administrator with keeping servers and personal computers updated and secure, and newer mobile device managers do the same for portable, personal devices such as smartphones and tablets. Assisted by these technologies, the systems administrator can set policies and deploy systems that are safe enough to protect organizational assets while still setting up systems that are convenient and efficient for end users.

Keywords: Information technology, systems administration, security, usability, cybersecurity, passwords, antivirus, server, computer

Balancing Security and Usability Trade-offs in Systems Administration

To the average user, cybersecurity may currently mean that they add a number to their child’s or pet’s name to make a more secure password, that they write it down but do not keep it somewhere obvious, or just that they hope no one “hacks” their iCloud photos. To the cybersecurity expert, security means long, random passwords stored in secure places, two (or more) factor authentication, securely encrypted web traffic and reliable backups. Sandwiched awkwardly in between the two is the systems administrator, who may oversee security policies for their organization and knows that harder password requirements can result in users reusing passwords or writing them down and storing them in obvious places, yet also knows just how easy it can be to crack hashes of weaker passwords.

Security, of course, entails much more than just passwords, and this paper will explore many aspects of security as they relate to usability. However, authentication is one major problem that involves balancing security and usability. Figure 1 illustrates how many users simply see security measures as obstacles in their day to day tasks and don’t often think about the larger picture and what security measures need to accomplish. Figure 2 gives a more realistic look at how security and usability can be opposites and how a balance can often be found in the middle. Systems administrators, and IT departments generally, must strive to find the balance that allows them to be secure enough to protect critical assets, while still being usable enough that others in the organization are able to do their jobs efficiently.

Security Theory

At a conceptual level, security has always involved staying ahead of criminals or hackers. It is constantly evolving, and constantly involves creating both new technologies and new policies. Security is based on trust. Systems administrators must be able to trust that their systems adequately verify users and must create different levels of users with different access to each system. Because of the nature of security, it always takes time and effort. The more a process relies on built-in assumptions or automation, the easier it is for someone to gain illegitimate access to it. Therefore, it seems authentication is always going to require some sort of manual process. Security is always going to need the attention of information technology professionals. For many people, security policies will always seem to be in the way, taking valuable work time away from actually accessing the data or running the process they want.

Because of this, security seems to be at odds with usability. The more secure something is, the more steps it requires to access. Ultra-secure facilities, such as defense contractors, may require many steps of physical and digital security before employees can access anything. Other organizations have to find a balance of requiring enough security precautions to protect themselves, while still allowing people to perform their normal functions and not be totally stopped by the security protocols.

Authentication

As previously mentioned, setting password policies is one of the biggest trade-offs between usability and security. Cybersecurity experts push for longer passwords, citing how easy it is to crack shorter ones. Back in 2012, for instance, researchers demonstrated it was possible to crack every possible 8 character password with $8000 in computer equipment in just 6 hours (Goodin, 2012), and similar hardware has only become cheaper and faster in subsequent years. However, most IT professionals will cite countless examples of typical users writing passwords down on sticky notes, saving them in plain text, or reusing passwords when forced to follow specific password policies. As a good compromise, the National Institute of Standards and Technology recommends that passwords be at least 8 characters in length, but that developers not force any specific pattern or use of certain characters (NIST, 2017), and that they allow much longer passwords and the use of all special characters. Passwords have been around since the early stages of computing. In many ways, they work the same now as they did then, but some technologies are trying to change that.
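To make the trade-off above concrete, the following added example (not part of the original paper) compares a hypothetical composition-rule policy with the length-only approach the paper attributes to NIST, and scales the paper's 6-hour figure for 8 random characters to longer passwords. The function names, the sample passwords and the 64-character ceiling are assumptions made for illustration.

```python
PRINTABLE_ASCII = 95      # character set size used in the paper
HOURS_FOR_8_CHARS = 6     # paper's 2012 figure for every 8-character password


def guesses_per_second():
    """Guess rate implied by the paper's figure (derived, not measured)."""
    return PRINTABLE_ASCII ** 8 / (HOURS_FOR_8_CHARS * 3600)


def exhaustive_hours(length):
    """Hours to try every random printable-ASCII password of this length
    at the implied rate. Only meaningful for randomly chosen characters."""
    return PRINTABLE_ASCII ** length / guesses_per_second() / 3600


def legacy_policy(password):
    """Hypothetical composition policy: 8+ chars with upper, lower, digit, symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def length_only_policy(password, min_len=8, max_len=64):
    """Policy as the paper summarises NIST: minimum length, no forced pattern,
    long passwords and every character allowed. max_len is an assumed ceiling."""
    return min_len <= len(password) <= max_len


# Constructed sample passwords, not real credentials.
SAMPLES = ["Fluffy2018!", "correct horse battery staple", "abc123"]


def compare(passwords=SAMPLES):
    """Return (password, legacy verdict, length-only verdict) per sample."""
    return [(p, legacy_policy(p), length_only_policy(p)) for p in passwords]


if __name__ == "__main__":
    for pw, legacy_ok, length_ok in compare():
        print(f"{pw!r:32} legacy={legacy_ok!s:5} length-only={length_ok}")
    for n in (8, 10, 12):
        print(f"{n} random chars: {exhaustive_hours(n):,.0f} hours to exhaust")
```

The composition policy accepts a pet name with a year and a symbol but rejects the much longer passphrase, while each extra random character multiplies the exhaustive-search time by 95.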

Several prominent solutions aim to make passwords more secure but also more usable. Prominent among these are password managers, which store passwords and allow the end user to forget them. This enables easy use of long, randomly generated passwords and unique passwords for each site. The major drawback is that this creates one central point of attack that could allow a hacker complete access to a person’s digital identity. Password managers are generally designed to be as user friendly as possible and represent a good solution for using secure passwords. However, the more technology-averse user may still see them as an additional and unnecessary technology to be learned. Password managers are a relatively new technology that stems from the increasing number of digital accounts people maintain and the increasing awareness of the weakness of reusing passwords across different services.

Two-factor authentication involves using something else for authentication, often a code sent to the user’s phone, in addition to a password. This takes the pressure off passwords as the sole point of failure in account security. Other methods of two-factor authentication include dedicated code generators and biometrics. On the one hand, two-factor authentication is inherently going to be twice as slow (and often slower) compared to only using one method, which makes it less usable and convenient. However, most popular two-factor authentication systems are not difficult for the average person to learn to use, and reduce the risk of more lenient password policies, which make them drastically more secure than strict, lengthy password policies alone.

Much is also being done in the field of biometrics to improve digital authentication experiences. Many phones and some laptops now ship with fingerprint readers, and some devices have facial recognition technology available. These technologies currently represent the ultimate in usability, taking almost no noticeable time or effort to use. However, they may not be the most secure. Apple claims that their Face ID facial recognition technology has about a 1 in 1,000,000 chance of authenticating the wrong user, while their Touch ID fingerprint readers have a 1 in 50,000 chance of doing so (Vrijenhoek, 2017). When compared with the 1 in 10,000 odds of guessing a four-digit passcode correctly, those odds sound pretty good, and may be best for unlocking a phone compared to short PINs or other alternatives. However, just a four-character password using any combination of all 95 printable ASCII characters has 81 million possible values, and longer passwords may be better for protecting mobile payments or other more sensitive transactions. The availability of biometric authentication to the average consumer has drastically increased in recent years.

Updates

Updates are typically not popular among end users. From slow-running Windows updates halting work midday to fast changing web apps updating and losing functionality, many users find updates annoying and many organizations have policies to reduce or delay updates in order to minimize risk. Ironically, not updating frequently carries risks of leaving vulnerabilities unpatched, while updating frequently risks breaking systems and affecting the availability of a service. Systems administrators must be able to find a balance between the two.

When it comes to software updates, especially for endpoint software, faster and more frequent updates are generally preferred so that exposed vulnerabilities get patched. Most medium to large organizations have a patch management system in place. Microsoft System Center Configuration Manager can manage Windows updates as well as deploy and manage other software and keep it updated. System Center Configuration Manager is available for managing both user workstations and datacenter servers.

For Linux servers, a number of systems exist for managing updates and pushing out new software. Puppet, Ansible, Chef, SaltStack and Fabric are all major software platforms for Linux deployment management. From the systems administrator’s perspective, a management service like these is vital: it keeps systems running secure software, does so efficiently, and remains easy for the systems administrator to use.

Software (including operating systems) generally needs some sort of review process before being deployed. For instance, one Windows 10 update released in October 2018 resulted in files disappearing for a number of users (Dunn, 2018). The professional and enterprise versions of Windows 10 include an option to delay feature updates for 6 months past their release to home users (Gordon, 2018). Many organizations have implemented this to allow time for bugs to be fixed before they deploy the feature updates, while still getting security updates for Windows.

Mobile Device Management

A large and more recent challenge to systems administrators is managing mobile devices. Depending on an organization’s policies, users may bring in personal devices and connect them to the network. They may also put corporate data, especially emails and contacts, onto an otherwise unsecured and unmanaged device. To combat this, many device management systems are adding features to manage mobile devices. Other mobile device management systems are offered as stand-alone technologies for managing personal devices only. These mobile device management systems are a new branch of configuration managers, which have been around for longer. Mobile device management can be tricky since mobile operating systems (Android, iOS) are different from the desktop and server operating systems typically found in organizations (Windows, Linux) and are built with different security models and permission structures.

Some organizations choose to separate these devices as much as possible. They may create separate wireless networks designed for these devices that have no access to other internal resources and may try to limit or ban organizational data from these devices. In more extreme cases, they may force users to maintain one device for corporate use and another for personal use. Other organizations may try a hybrid approach, allowing employees to access corporate email on a personal device so long as the device has an anti-virus app enabled and meets certain security requirements, such as a minimum passcode length or having a fingerprint reader. Here again a balance of usability must be found. Forcing the user to have especially long passcodes on their phones, for instance, could drive them to find ways to circumvent the policy.

Security Monitoring

From endpoint anti-virus systems to complex intrusion detection systems, it is vital that an organization have systems in place to detect and remediate security threats. In choosing these systems, security and reliability must be the foremost concern.

For endpoint antivirus software, many viable options exist for personal computers and mobile devices. The various and specific needs of an organization as well as their budget may determine the best option. Security should win out here (how reliable is the anti-virus?); however, usability is still a factor. An antivirus that slows down a computer noticeably or that has overzealous user notifications will slow users’ workflows while providing little benefit over a better alternative. Additionally, intrusion detection systems and other security monitoring services should be provisioned for the security of the company. These systems are not at all new in the information technology world, though more modern security software provides increasingly fast updates and options for automated monitoring.

Availability

Another security challenge the systems administrator faces is keeping data available. Many end users may not give much thought to backups, but to IT professionals who have worked with large storage arrays, the risk of data loss is ever present. Here the systems administrator must decide largely for themselves what the trade-offs of different backup systems are and also how to implement file recovery and make it available to the users. Creating a user-facing file recovery system is a necessity in most larger organizations and will involve trade-offs between usability and security.

Implementing file restore systems that are easy for the end user to access is a great way to make restoring files highly usable and avoid the systems administrator having to do each restore manually, which could be a monumental task in a large organization. Windows Backup’s Previous Version feature (Muir), for instance, is a very user-friendly way to allow file restores. However, it has certain security risks, like giving a user the ability to roll an entire network share back to a much older version, which could cause major problems if the files are shared with a large group of people. Other commercial software, like Crashplan for Business, allows users to access and restore their own files backed up from their individual machines, with minimal security risk, other than users maintaining their own accounts and passwords.

On the systems administrator’s side, backups must be checked occasionally to ensure validity. Increasing automation saves the systems administrator time and allows for frequent backups, but these increases in usability mean the systems administrator is less likely to notice a failed backup or other errors in the backup system, resulting in increased risk to data availability.

Conclusion

Balancing security and usability is a delicate act for systems administrators, both in the systems they choose to set up for themselves, and in the systems they deploy to non-IT users. In setting up servers and networks, systems administrators may find it worth taking the time to set up complex and secure systems. However, when setting policies for other users, systems administrators need to find the balance that makes the systems usable (otherwise, why have them at all?) and avoids driving end users to do things like writing down passwords, sharing credentials, or otherwise circumventing protocols.

Fortunately, many technologies have been or are being developed to make securing systems easier. Password managers and two-factor authentication give normal users drastically increased security over the traditional memorized password while remaining easy enough that most people can use them. Patch and configuration managers allow systems administrators to deploy updates and security policies to all systems within an organization. Increasing automation in backups and security monitoring presents much easier to use systems to the IT professional, while minimizing increased security risk. With the right tools, the systems administrator can create systems that are both easier to use and more secure than they have been in the past.

References

Adams, S. (n.d.). Dilbert comic strip on 2007-11-16 | dilbert by scott adams. Retrieved December 2, 2018, from http://dilbert.com/strip/2007-11-16

Dunn, J. (2018, October 9). Microsoft hits the brakes on latest Windows 10 update – what to do. Retrieved December 2, 2018, from https://nakedsecurity.sophos.com/2018/10/09/microsoft-hits-the-brakes-on-latest-windows-10-update-what-to-do/

Goodin, D. (2012, October 12). 25-GPU cluster cracks every standard Windows password in <6 hours. Retrieved December 1, 2018, from https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

Gordon, B. W. (2018, July 6). How to delay major Windows 10 updates. Retrieved December 2, 2018, from https://www.pcmag.com/article/362284/how-to-delay-major-windows-10-updates

Infotech solutions & services inc. | security-vs-usability1. (n.d.). Retrieved December 2, 2018, from https://infotechil.com/security-usability/security-vs-usability1/

Leonhard, W. (n.d.). How to restore previous versions of a file in Windows 7. Retrieved December 2, 2018, from https://www.dummies.com/computers/operating-systems/windows-7/how-to-restore-previous-versions-of-a-file-in-windows-7/

NIST Special Publication 800-63B. (n.d.). Retrieved December 1, 2018, from /sp800-63b.html

Vrijenhoek, J. (2017, December 20). Apple security: Touch ID vs. Face ID. Retrieved December 1, 2018, from https://www.intego.com/mac-security-blog/apple-security-touch-id-vs-face-id/

 

 

Figures

Figure 1. Many users perceive security as an obstacle to getting their work done. Some managers may be prone to seeing security measures as a waste of budget or time.

Figure 2. Security and usability involve trade-offs, and improving one often comes at the cost of the other.
