Trusting Untrusted Computers (Part 4)

By Guest Author Taher Elgamal

In my most recent post I introduced the idea that while the information security industry must build products that enable end users to trust networked systems, business needs often conflict with end user needs. This post considers business versus consumer information security products in more detail through the discussion of the installation of security systems. I would like to share views on two different sectors of the information security industry. Startups and small companies in this industry often confuse these two areas, which can result in their missing the mark. Much of the issue here is the difference between the buyer and the user of a particular security system. Also, as we have mentioned before, the privacy concerns of the consumer are almost always in conflict with the enterprise’s need for security. It is relatively rare that the same product or technology can be practically useful for both enterprise and consumer needs; however, there have been a few exceptions.

In an enterprise environment, the buyer is usually a network operations or a system administrator who has support from a dedicated security professional. Security officers and directors usually make recommendations for the security products to be used; these are often point solutions that address a current pain point in the security space. The installation and administration of the products are done by IT personnel who are normally knowledgeable in managing such security products. The enterprise end user is therefore usually isolated from the potential complexity of some of these products. Most enterprise products need (and come with) central enterprise management systems that manage user accounts and any configurations that are needed by the enterprise. System administrators and security professionals are able to configure the advanced features of these products so that the end user can get the benefit from the products. An enterprise product can solve 80 to 90% of a security problem if the effort of administering the product is removed from the end user and assigned completely to the administrator.

When building a security product that targets the general consumer, these assumptions are usually not valid. It is a lot more efficient and beneficial to build consumer products with ease of use as the most important issue in mind. It is always helpful to remember that a product that solves 50% of the problem but easy to use by the end user is more helpful than a sophisticated product that solves 90% of the problem — we should always avoid attempting to solve 100% of any problem since that is never actually possible in any case.

Examples will be discussed in future posts.

This segment is part 4 in the series : Trusting Untrusted Computers
1 2 3 4