You may have missed this jewel of an infosec post by Rich Mogull amid the hashtag avalanche of NSA, PRISM, or FISA articles last week. Rich's post, Apple Security Strategy: Make It Inivisible, impressed me as shedding light on singularly important design objectives that all information security efforts ought to consider. The post is both a really insightful article about Apple's security design and philosophy, and a learning opportunity for security designers or practitioners generally.
Among the many insights Rich shares, these three messages in particular could form the basis for secure implementation or deployment:
- "Good user experience doesn't have to come at the expense of leaving users vulnerable to security risks."
Challenge the widely asserted notion that "you can have security or usability but not both" (Yes, there are variants that add other characteristics such as performance). A recent Washington Post article asks why NSA-proof encryption is available but not widely used. The list of reasons are sadly similar to the list one might have composed in the 1990s. One of the principle inhibitors is the fear of losing the password that users create to protect private keys. Rich notes that Apple's FileVault 2 achieves both security (encryption) and usability (recoverability).
- "The more you impede a user’s ability to do something, the more likely that user is to circumvent security measures, so avoid this as you design."
There may be no more obvious assertion in infosec than this, but I can't think of a single operating system I use that doesn't fail in some respect to consider this design essential.
However, I'd broaden this beyond circumventing a security measure to include having to temporarily override the measure when the user has more (trust) information than the device or OS. If I inventory all my device's OSs, I can quickly recall examples where I'm forced leave an application to alter a security setting to deal with an exception condition (Android's "unknown source", for example) and then must remember to return to the more secure setting once I've dealt with the exceptional circumstance. Micro-managing Java in the Browser as Rich describes in this article is a good example of how to mitigate this threat.
- "Tackle a real-world security issue by trying to make that issue simply go away for the average user."
Leveraging cloud services to help the average user manage security features across a myriad of devices (including her own) as Apple has done with iCloud Keychain is promising and infosec ought to think more in this direction.
Read Rich's article for the full effect.