Security of the workstations in your organization is paramount. However, you don’t want to sacrifice employee productivity for security, especially for users who require elevated privileges, such as developers. By embracing user-focused security, companies can empower users to take charge of their own workstation security, and increase company-wide compliance and productivity at the same time.
In this article, we’ll explore the pros and cons of user-focused security, giving you the vital information you need to decide whether it is the right approach for your business.
What is user-focused security?
Contrary to some beliefs, user-focused security is not about protecting user accounts by safeguarding passwords and cloud accounts.
Instead, user-focused security—or perhaps more aptly, user-driven security—is the practice of distributing security efforts across the workforce by empowering end-users to take responsibility for securing their respective assets. The goal is to make the user environment more flexible while ensuring the security configurations remain compliant.
What are the benefits of user-driven security?
While the notion of relinquishing control over your workstations may seem risky, there are several advantages to employing user-based security measures:
User-driven security gives employees the power to get their work done, and at the same time, supports a culture where the company trusts them to be responsible for securing their endpoints. (Tweet this!)
For example, software developers occasionally need to turn off the firewall on their Macs when they are running tests for a new app. If the company grants them local admin privileges, developers can switch off the firewall, do their testing, and then reset it when testing is complete.
User-driven security can reduce the time to resolution, as the organization’s security posture doesn’t rely solely on security technicians or IT administrators. Instead, your company has more employees taking action to improve security, which ultimately improves compliance to desired security standards across the organization.
For example, traditionally, if security teams detected a disabled firewall on a machine, a ticket would need to be opened, and a technician would need to be assigned to remedy the issue. (Or, worse, it would go undetected for a long time.) With Uptycs User Driven Security, if the firewall is off, a notification can be sent to the employee through Slack prompting them to take action immediately.
A user-focused security strategy gives users greater flexibility to be more productive, as they no longer have to wait around for a technician or administrator to conduct simple tasks.
For example, if you need to encrypt all company laptops, the initial encryption process could slow down everyone’s workstations for an entire workday. While that might be acceptable to some of your workforce, it may not suit someone giving a presentation to the board that day, or a developer with an important milestone to hit. Showing people how to encrypt their laptops enables them to perform the updates at a more convenient time, employee by employee.
How To Succeed With User-focused Security: 4 Critical Factors
If tight control is essential, a user-driven approach may not be suitable. For example, it wouldn’t be wise for bank managers to give administrative privileges to all their tellers. The bank must be confident all machines are securely configured when dealing with the personal banking information of their customers; also, there is no benefit for a standard system such as this to be configured by end-users, as their productivity is enabled by the standard system.
However, while this approach won't necessarily work for 100% of your workforce, a modified approach to user-driven security is applicable to virtually 100% of companies today. Tech companies may roll out user-focused security to everyone, whereas a bank, government entity, college, or insurance company may only apply it to a select group of individuals.
Here are four factors to keep in mind if you want to succeed with user-driven security:
1. Strive for balance.
Traditionally, security teams tried to lock everything down, but that invariably leads to people finding workarounds to get things done. If a company blocks Dropbox and Google Drive, users may end up saving sensitive data to their USB drives and transferring company information to their personal laptops. If that is also blocked, they’ll use their personal webmail accounts to send it out. There’s always one more thing to block.
The most effective security strategies do more than just minimize risk. They also strive to discourage people from creating side channels by implementing user-driven security measures that strike a balance between productivity and security. With the right balance, you empower employees with more flexibility, and ensure the company meets its goals from a cybersecurity point of view.
2. Automate compliance checks.
For all its benefits, user-driven security is prone to human error. If a company doesn’t monitor activity and stay alert to gaps in its security posture, it could be exploited. For example, when an employee needs to disable the firewall, what happens if they forget to reset it after doing their work?
You can avoid many of the pitfalls associated with human error by using a software solution to automate periodic checks of your security settings. Doing this makes it easy for your security team to monitor the status of your workstations, so they can quickly identify any endpoints that are currently vulnerable. One such example of an automated compliance check is Netflix’s Stethoscope app, as it sends recommendations to users and also provides feedback after a user makes a change.
3. Provide clear instructions.
For user-driven security to work, companies must provide their team with a defined list of preferred security settings that clearly defines the company’s expectations for compliance on all user workstations. You can distribute these instructions and track compliance at a global level. If you don't explain to a user how to fix a problem, it’s unreasonable to expect that they’ll figure it out on their own. Frustrated users are also more likely to ignore future security messages. If you find that compliance levels are low, consider how you can improve the instructions.
For example, many students now use their laptops at school, leaving the network open to malware threats. While the school can't remove admin privileges on the students' laptops, they can employ user-driven methods to advise students on how to configure their security settings.
4. Leverage audit history.
It’s beneficial to employ a security platform that makes it easy to oversee the security status on all workstations, and to assess historical compliance from specific users.
Your team should have a dashboard that shows where controls such as local firewalls are operational—and where they are disabled. Going further, the team needs the ability to identify users who have a history of ignoring reminders or leaving workstations open to exploitation. By auditing settings over time, you can pinpoint problematic end-users, and reassess their admin privileges.
Implement user-driven security the right way with Uptycs.
Uptycs is an osquery-powered security analytics platform that offers an innovative user-driven security solution, allowing organizations to meet their compliance and security goals without sacrificing productivity. Uptycs’ User Driven Security offering is a customizable solution that offers the following benefits:
- Tracking of your desired settings (aka policies) and alerts whenever settings deviate from your ideal configuration. Alerts are initiated with users through Slack, with step-by-step instructions on how to remediate the issue.
- Recording of all your company security data in a global database, so you can track compliance levels across all workstations.
- Greater insights about historical compliance issues at any machine that is currently disconnected.
- Increased trust between security teams and end users. Trust end users with the permissions they need to be productive while communicating to them clearly how to improve the security of their systems. A good relationship will lead to accelerated future security improvements, and motivate end users to report more potential incidents.
Curious about what might go into your policy/settings in a user-driven security environment? Here’s a short video discussing configuration best practices for macOS which would be ideal to implement and enforce with a user-driven model:
To learn more about osquery and security best practices for macOS, check out this hands-on webinar.