Security vs Usability - Wireless Access at RSA 2006: An Anti-Pattern
How many times have you had a security solution / process forced upon you that for whatever reason is unworkable - forcing you you to work around it?
The classic example is of course where tough password policies are implemented that make it impossible for people to remember passwords without writing them down. The last place you would expect this mistake to be made is at a conference organized by RSA - but for the second year in a row this is exactly the challenge that many attendees experienced whilst trying to access the secure wireless network.
I spent over an hour trying to connect to the wireless network. I even followed the 6 page instruction document that you can obtain after tracking down their help desk. I spent a further 15 minutes with a help desk guy who was also unable to help... until it worked for a brief 5 minute period. Naturally minutes after I left the help desk the connection stopped working again.
Prior to my presentation today I asked how many people had laptops - the answer was about 1/2 of the room. I asked how many people had successfully connected to the network and I would guess only about 20% of that group had managed to connect. I asked how many people had connected without any problems - and only 1 person put his hand up! Not great odds...
Now don't get me wrong - I understand the importance for RSA to be perceived as being security conscious - but it appears that little consideration was given for simplicity or usability. I wonder if any usability testing was actually performed?
The really funny thing is that I was talking with a Chief Security Architect from a Fortune 50 company and mentioned the problems I was having and he said he had the same problems and suggested that I wonder down the hall to the foyer of the Hilton hotel - where there is free public wireless Internet available.
Perfect! The wireless network at the Hilton worked like a charm - but for myself and obviously many other attendees to be productive we have had to completely bypass the security system that RSA set up and go and use an alternate completely insecure solution...
I think this scenario is worth formalizing as an anti-pattern. I wonder what we should call it? Respond with ideas... Also feel free to respond with other of these Dogbert like scenarios if any spring to mind...
Comments
- Anonymous
February 16, 2006
Great presentation on Wednesday, I especially enjoyed the MITM graphic and witnessing the herd assault on your free books. But it was a great talk, very practical, clear, and concise.
Your comments go to the heart of what your Boss and most of the keynoters have been hammering away at, i.e. usability and simplicity of security. My company, being a security services vendor, struggles with this on a daily basis at many levels. Adoption (er, profits) is hindered by complexity, at least as long as the risk threshold of any alternatives is sufficently low, a la "trust".
So I totally agree with an anti-pattern formalization. I'll have to think about a name after I go listen to Mr. Squyers. - Anonymous
February 17, 2006
Chosing a custom security level in Internet Explorer is another good example. If I want to enable allow a site to download applets etc I could either spend 10 minutes looking through the 11 page list of options in the security menu or I could just say I trust the site... when perhaps I don't want to give it full trust options. - Anonymous
March 06, 2006
I think the only way to solve this is to provide free wireless access in cities and eventually, everywhere.
Profit should be for content, not access, imho. Uncle Sam would have to pay for the access. - Anonymous
March 06, 2006
RSA Conference 2006 - Summary
 
Sorry for the late post, but I flew straight from RSA in San Jose...