To Market, To Market: Human Centered Security and LotusLive. Mary Ellen Zurko, LotusLive Security, IBM mzurko@us.ibm.com.

Technology Transfer of Usable Security as a Quality
• Security and Usability together in a product
• Business and market requirement
• Development process and culture
• Continuing challenges

Putting Usability and Security Together
• Got Usability?
• How? Who?
• Organization in Lotus with dedicated user experience (UX) professionals
• UX lead for all of LotusLive
• Got Security?
• How? Who?
• Initially, security architect working across all of the development team

Business Need
• Pain Point or Return On Investment?
• Market data on security as an inhibitor to cloud uptake
• Some of the security concerns were around user error and security and company confidential information

Organizational Boundary as Core Concept
• User experience should support and emphasize what is entirely within the organization and what is outside of it or shared across the boundary
• Security policy and actions should support and emphasize restrictions and awareness of activity across the boundaries
• Enable sharing to the cloud defined organization
• Restrictions on display of email name outside of the organization

Enterprise Scale and Usable Security
• Technical controls and compliance reporting for human processes
• Transparency and control for administrators and organizations
• Market categories drive or define a number of aspects of purchasing decisions
• Data Leak Prevention aligns with attention to organizational boundaries

Process and Culture
• Align and leverage
• “What is usable security?”
• Principles to guide early user experience and development
• Process integration points

Overarching Principles
• Enable UX designers to think about usable security in early functional design
• Transparency
• Security state obvious and available to all involved
• Control
• Owners control objects and administrators control organization’s members
• No surprises
• Know what could happen in the future
• Addresses confusion and mistakes

Process Hooks
• Agile development
• Tasks tagged as security related
• Security themed iterations
• Security reviews of substantial components and tasks
• UX design tasks and reviews
• Security participation in UX reviews
• UX design of security related functionality

Culture impact
• User experience, security, and developer stakeholders able to identify usable security issues
• New team members surprised at the requirements for usability and security to work together
• Cross pollination of usable security into other projects by user experience folks

Challenges
• Burden on user experience to drive early security proposals towards more usable alternatives with the same security model
• Opacity of indirection through groups

Thank you for your time
• Look forward to more success stories in the future
• Drive towards useful set of best practices
• Questions, Answers, Comments?