To Market, To Market: Human Centered Security and LotusLive Mary Ellen Zurko, LotusLive Security, IBM mzurko@us.ibm.com Technology Transfer of Usable Security as a Quality Security and Usability together in a product Business and market requirement Development process and culture Continuing challenges 2 Putting Usability and Security Together Got Usability? How? Who? Organization in Lotus with dedicated user experience (UX) professionals UX lead for all of LotusLive Got Security? How? Who? Initially, security architect working across all of the development team 3 Business Need Pain Point or Return On Investment? Market data on security as an inhibitor to cloud uptake Some of the security concerns were around user error and security and company confidential information 4 Organizational Boundary as Core Concept User experience should support and emphasize what is entirely within the organization and what is outside of it or shared across the boundary Security policy and actions should support and emphasize restrictions and awareness of activity across the boundaries Enable sharing to the cloud defined organization Restrictions on display of email name outside of the organization 5 Enterprise Scale and Usable Security Technical controls and compliance reporting for human processes Transparency and control for administrators and organizations Market categories drive or define a number of aspects of purchasing decisions Data Leak Prevention aligns with attention to organizational boundaries 6 Process and Culture Align and leverage “What is usable security?” Principles to guide early user experience and development Process integration points 7 Overarching Principles Enable UX designers to think about usable security in early functional design Transparency Security state obvious and available to all involved Control Owners control objects and administrators control organization’s members No surprises Know what could happen in the future Addresses confusion and mistakes 8 Process Hooks Agile development Tasks tagged as security related Security themed iterations Security reviews of substantial components and tasks UX design tasks and reviews Security participation in UX reviews UX design of security related functionality 9 Culture impact User experience, security, and developer stake holders able to identify usable security issues New team members surprised at the requirements for usability and security to work together Cross pollination of usable security into other projects by user experience folks 10 Challenges Burden on user experience to drive early security proposals towards more usable alternatives with the same security model Opacity of indirection through groups 11 Thank you for your time Look forward to more success stories in the future Drive towards useful set of best practices Questions, Answers, Comments? 12