Enhanced Security through Transparency

At first glance one may think that security and transparency contradict each other. I am however of the opinion that is not necessarily true. We may sometimes forget that we put security controls in place for one reason and one reason alone: to fend against access to information by unauthorized entities. These controls should not be there to delay or block authorized users from achieving their goal: accomplishing the task they have been asked to complete. Yet we all have to admit that most controls we put in place do affect user experience in a negative way. It is my belief that as security professionals we should increase our efforts in making security measures as transparent as possible to trusted parties, as it will eventually result in our goal: enhancing the protection of corporate data.   

Why is transparency key?

Back in 2004 the Jericho Forum introduced the notion of de-perimeterisation: breaking down the boundary between the corporate network and the Internet. These days the corporate perimeter has dissolved even further with BYOD and similar acronyms causing boundaries between personal and corporate data to disappear. Next stop will be the boundaries between digital identities: federation between personal and corporate identities, taking trust and identity validation to a whole new level.

Through this consumerisation of IT, our business partners have or will become more demanding on ease of use and thus enhanced transparency of security controls in place.

Path of least resistance

If we put measures in place that displease or delay authorized users, they will try and eventually find an alternative path of lesser resistance. Cloud services and other advances in IT technology have given end-users an unimaginable amount of power. Whether or not these “free” IT resources are detrimental to the security of the information, the result is the same: our expensive security controls have failed to achieve their goal.

Best-of-breed

Instead of trying to lock down each and every alternative route and plugging each nook and cranny, we have to work with our IT colleagues and ensure our solutions are the best and easiest to use of all. With that our customers will have less of a need to use alternatives in the first place.

Transparency is achievable

By naming Apple iOS as an example of good yet transparent security, you may unequivocally disagree. But I would argue that they have done a pretty good job in several areas like:

  • Different levels of hardware-based data encryption virtually unnoticeable to the user. Sandboxing of applications and data prevents unauthorized access from rogue apps, yet allows certain information to flow between applications where required and/or approved.

Although I was sceptical myself at first, it has been pretty smooth sailing for a platform used by millions around the globe.

How to achieve transparency

Transparency requires a change in strategy: instead of bolting it on, security must be made part of the initial design. Only then can you achieve true transparency. In projects security should not just be seen as a set of requirements, it needs to become a deliverable. Yes, this will result in more cost, require more time and resources, but I am convinced that in the end it will result in a better end-product.

But to be fair it can’t be achieved in all cases. The security industry may not developed the right technical means or the risk might just be too great. But there are many areas where we can implement more transparent controls that increase security yet ensure a more user-friendly experience.