Security works well when it is part of a consistent, unified, seamless experience. This occurs when security is embedded within the product or service in hand. This allows users to simply go about their business without being distracted by the invasion of security into their activities.
A good example of this embedded security approach is HTTPS, the protocol for secure web communication. HTTPS means that traffic between the browser and the web server is encrypted using Transport Layer Security (TLS), or its now-deprecated predecessor, Secure Sockets Layer (SSL). The browser verifies the server's certificate and establishes the encrypted channel before any application data is sent, without the user having to do anything. Users are not exposed to the fact that the website's identity has been verified, or that their communications and data transfers are protected against the prying eyes of third parties. It simply works, without intruding upon the user experience.
Despite the existence of such embedded approaches, security often is not a seamless experience. That is because, in the past, security has been an afterthought. It is viewed as something to be layered on top of existing IT deployments, rather than being integral to them: for example, endpoint protection that needs to be installed on devices, or authentication that needs to be integrated with applications after the fact.
Part of the problem has also been the traditional perception of security, which has been seen as something of an insurance policy that kicks into action when things go wrong. As a result, buyers may take the view that, when everything is running smoothly, they are not gaining value from their investments in security.
This mentality has, in the past, encouraged security vendors to make their products more visible to users, rather than staying out of their way. Typically, this has come in the form of (for example) alerts demonstrating scans launched, logs retained or malware blocked. However, this has a negative impact on user experience, serving as a distraction rather than a comfort. In fact, this may even lead users to switch off or remove those security products, prioritizing a smoother user experience over security.
IDC contends that a new mindset is required, and that this is increasingly present amongst both users and providers. Specifically, security should be viewed as an enabler rather than a cost. For example, while digital transformation is pursued for gains in user experience and convenience, the other side of the coin is increased exposure to risk as corporate data moves beyond the corporate perimeter. A traditional reaction might be to block digital transformation in order to reduce risk. The more positive view is to position security as an enabler, allowing users to benefit from enhanced productivity and collaboration in a secure fashion. In other words, there need not be a binary choice between usability and security; solutions should deliver both as standard.
There are always exceptions: there are cases where security should be very visible and even onerous to the user. High-security environments and applications need to convey their seriousness, and overt security reassures authorized users while deterring casual wrongdoers. But the number of such cases is, and should remain, small.
It is perhaps no surprise that some of the most ardent adopters of embedded security principles are the 'born in the cloud' providers. Box.com and Salesforce.com are good examples here. Both provide data encryption as standard within their propositions, although it is worth noting that, in both cases, further stand-alone security is available for those who require greater functionality. As with HTTPS, this encryption was designed as an integral element of the service they provide, and therefore does not interrupt the user experience. It is also shaping the behavior of competitors, with the likes of Dropbox and Workday adding enhanced built-in security to their products.
Despite their prominent role in driving embedded security, CSPs are not alone. For example, SAP, one of the world's software giants, is putting identity at the heart of its proposition. SAP was an early integrator of Fujitsu's PalmSecure biometric technology to support its concept of field-level security. That is to say, administrators can designate which fields within an ERP implementation are sensitive (e.g. those used to transfer funds between accounts), and those fields will only be presented to, or changeable by, the user if they re-authenticate with their biometric. This is part of how SAP aims to offer solutions that are compliant with the EU's upcoming General Data Protection Regulation (GDPR) for the security and privacy of data. Not because it is compulsory for them to do so, but because they think it is beneficial for their customers.
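The field-level pattern described above, step-up re-authentication before a sensitive field is shown or changed, can be expressed as a small policy check. The following is an added example written for this page; it is not SAP's or Fujitsu's code, the field names, the 300-second freshness window and the sample transfer record are all assumptions, and the biometric verification itself is out of scope (the session simply records when a strong re-authentication last succeeded).

```python
"""Field-level step-up authentication (constructed example, not SAP/Fujitsu code).

An administrator marks certain fields as sensitive. A session may read or
change those fields only if it holds a *fresh* strong authentication event
(e.g. a biometric re-authentication). The check is enforced on update as
well as on view, so hiding a field in the UI is never the only control.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Any

# Assumed policy value: how long a biometric re-authentication stays valid.
STEP_UP_MAX_AGE_SECONDS = 300


class StepUpRequired(PermissionError):
    """Raised when a sensitive field is touched without fresh strong auth."""


@dataclass
class Session:
    user: str
    now: float                          # caller-supplied clock keeps the example deterministic
    step_up_at: Optional[float] = None  # time of last successful strong re-authentication

    def has_fresh_step_up(self) -> bool:
        """True if a strong re-authentication happened within the allowed window."""
        if self.step_up_at is None:
            return False
        age = self.now - self.step_up_at
        return 0 <= age <= STEP_UP_MAX_AGE_SECONDS

    def record_step_up(self) -> None:
        """Call only after the (out-of-scope) biometric check has succeeded."""
        self.step_up_at = self.now


@dataclass
class FieldPolicy:
    sensitive: Set[str]  # fields the administrator designated as requiring step-up

    def view(self, record: Dict[str, Any], session: Session) -> Dict[str, Any]:
        """Return a copy of the record with sensitive fields redacted unless step-up is fresh."""
        if session.has_fresh_step_up():
            return dict(record)
        return {
            name: ("<redacted>" if name in self.sensitive else value)
            for name, value in record.items()
        }

    def update(self, record: Dict[str, Any], session: Session,
               name: str, value: Any) -> Dict[str, Any]:
        """Return an updated copy; refuse to change a sensitive field without fresh step-up."""
        if name not in record:
            raise KeyError(f"unknown field {name!r}")
        if name in self.sensitive and not session.has_fresh_step_up():
            raise StepUpRequired(f"field {name!r} requires recent strong authentication")
        updated = dict(record)
        updated[name] = value
        return updated


# Constructed sample: a funds-transfer record where amount and beneficiary are sensitive.
TRANSFER_POLICY = FieldPolicy(sensitive={"amount", "beneficiary_iban"})
SAMPLE_TRANSFER = {
    "reference": "INV-2016-0042",
    "amount": 12500.00,
    "beneficiary_iban": "DE00 0000 0000 0000 0000 00",
    "memo": "Q2 supplier payment",
}


def demo() -> Dict[str, Any]:
    """Walk through the three states a practitioner cares about."""
    base_time = 1_000_000.0
    session = Session(user="alice", now=base_time)

    redacted = TRANSFER_POLICY.view(SAMPLE_TRANSFER, session)  # no step-up yet
    try:
        TRANSFER_POLICY.update(SAMPLE_TRANSFER, session, "amount", 1.0)
        blocked = False
    except StepUpRequired:
        blocked = True

    session.record_step_up()  # biometric succeeded "now"
    full = TRANSFER_POLICY.view(SAMPLE_TRANSFER, session)
    changed = TRANSFER_POLICY.update(SAMPLE_TRANSFER, session, "amount", 1.0)

    expired = Session(user="alice", now=base_time + 600, step_up_at=base_time)
    stale = TRANSFER_POLICY.view(SAMPLE_TRANSFER, expired)  # window has lapsed

    return {"redacted": redacted, "blocked": blocked, "full": full,
            "changed": changed, "stale": stale}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of enforcing the check in `update` as well as `view` is that a client which ignores the redacted presentation (a scripted API call, a tampered UI) still cannot write the field. Non-sensitive fields such as `memo` remain readable and editable throughout, which is what keeps the control out of the user's way for ordinary work.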
It is clear that embedded security is already having an influence on the marketplace, and IDC expects that this trend will only intensify. In a perfect world, ubiquitous adoption of the embedded security principle might even result in the end of the security products market as we know it. However, there is no such thing as perfect security, and security vendors are specialists who will remain relevant regardless of the degree of success that embedded security achieves. Nonetheless, the point remains: if all IT were secure by design, adding security layers on top would become the exception rather than the rule. This movement will be driven by customer demand. There is no legal requirement for vendors to offer security built into their technologies, but user expectations are key.
This can be seen in the race to embrace end-to-end encryption in messaging apps following WhatsApp's high-profile announcement in April 2016. This is despite the fact that Apple's iMessage already offered end-to-end encryption as standard, and Telegram offered it as an opt-in 'secret chat' mode. Nonetheless, the announcement chimed with users' evolving perceptions of the need for privacy and security, and subsequently the likes of Facebook Messenger and Viber have been driven to offer end-to-end encryption, at least as an option for users.
There may be no legal requirement for security to be embedded within IT, other than the need to remain relevant to buyers. Those that fail to adapt may well find themselves on the bonfire of history. The key question providers must ask themselves is not whether they have to offer embedded security, but whether they should embrace the opportunity to meet customer expectations.
If you want to learn more about European Security matters, please contact Dominic Trott.