Is visible security desirable?
Sep 4th, 2008 by Jesper Kråkhede
I attended a very interesting workshop today that you will most probably hear more about a few months from now. Afterwards I had a discussion with a few colleagues regarding security and the visible effects of security. We discussed the use of visible deterrents in IT security. When deploying physical security, the deterrent is sometimes the major part of the protection, but is that actually needed or desirable when looking at technical solutions?
From an attacker's point of view, he/she is more or less already invisible thanks to the possibility of using anonymiser services like Tor or any available HTTP proxy service. This means that the only ones actually affected by deterrents are ordinary employees. The obvious conclusion for the common worker is that security is cumbersome and in the way of work.
This is where invisible security comes in. Using an open approach to security, meaning that information should be accessible if you are allowed to access it, also means that the security should be invisible. The secure way of working must be the easy way of working.
This of course sounds very obvious, but just take a look at the standard system today. Logging on often means clicking yes on several screens, entering a password and waiting for the system to load. What if the logon process was actually context sensitive, so that while you are starting your computer, entering the first commands on the screen and starting your mail client, it identifies your setting, checks logs from the doors where you entered the room and recognizes your face from the webcam you use for speaking to colleagues? There you have a much safer authentication that is integrated with your current tools and tasks. Invisible security at its best.
I am most certain that this is the future we are looking at: contextual and invisible security!