To Market, To Market: Human Centered Security and LotusLive

advertisement
To Market, To Market:
Human Centered Security and LotusLive
Mary Ellen Zurko, LotusLive Security, IBM
mzurko@us.ibm.com
Technology Transfer of Usable Security as a
Quality
Security and Usability together in a product
Business and market requirement
Development process and culture
Continuing challenges
2
Putting Usability and Security Together
Got Usability?
 How? Who?
 Organization in Lotus with dedicated user experience (UX)
professionals
 UX lead for all of LotusLive
Got Security?
 How? Who?
 Initially, security architect working across all of the development
team
3
Business Need
Pain Point or Return On Investment?
Market data on security as an inhibitor to cloud
uptake
 Some of the security concerns were around user error and
security and company confidential information
4
Organizational Boundary as Core Concept
User experience should support and emphasize
what is entirely within the organization and what is
outside of it or shared across the boundary
Security policy and actions should support and
emphasize restrictions and awareness of activity
across the boundaries
 Enable sharing to the cloud defined organization
 Restrictions on display of email name outside of the organization
5
Enterprise Scale and Usable Security
Technical controls and compliance reporting for
human processes
 Transparency and control for administrators and organizations
Market categories drive or define a number of
aspects of purchasing decisions
 Data Leak Prevention aligns with attention to organizational
boundaries
6
Process and Culture
Align and leverage
“What is usable security?”
Principles to guide early user experience and
development
Process integration points
7
Overarching Principles
Enable UX designers to think about usable security
in early functional design
Transparency
 Security state obvious and available to all involved
Control
 Owners control objects and administrators control organization’s
members
No surprises
 Know what could happen in the future
 Addresses confusion and mistakes
8
Process Hooks
Agile development
 Tasks tagged as security related
 Security themed iterations
 Security reviews of substantial components and tasks
UX design tasks and reviews
 Security participation in UX reviews
 UX design of security related functionality
9
Culture impact
User experience, security, and developer stake
holders able to identify usable security issues
New team members surprised at the requirements
for usability and security to work together
Cross pollination of usable security into other
projects by user experience folks
10
Challenges
Burden on user experience to drive early security
proposals towards more usable alternatives with the
same security model
Opacity of indirection through groups
11
Thank you for your time
Look forward to more success stories in the future
Drive towards useful set of best practices
Questions, Answers, Comments?
12
Download