To Market, To Market: Human Centered Security and LotusLive

Slides: 13
Provided by: Mez
Learn more at: http://cups.cs.cmu.edu

Transcript and Presenter's Notes


1
To Market, To Market: Human Centered Security
and LotusLive
  • Mary Ellen Zurko, LotusLive Security, IBM
  • mzurko_at_us.ibm.com

2
Technology Transfer of Usable Security as a
Quality
  • Security and Usability together in a product
  • Business and market requirement
  • Development process and culture
  • Continuing challenges

3
Putting Usability and Security Together
  • Got Usability?
  • How? Who?
  • Organization in Lotus with dedicated user
    experience (UX) professionals
  • UX lead for all of LotusLive
  • Got Security?
  • How? Who?
  • Initially, security architect working across all
    of the development team

4
Business Need
  • Pain Point or Return On Investment?
  • Market data on security as an inhibitor to cloud
    uptake
  • Some of the security concerns were around user
    error and security and company confidential
    information

5
Organizational Boundary as Core Concept
  • User experience should support and emphasize what
    is entirely within the organization and what is
    outside of it or shared across the boundary
  • Security policy and actions should support and
    emphasize restrictions and awareness of activity
    across the boundaries
  • Enable sharing to the cloud defined organization
  • Restrictions on display of email name outside of
    the organization

6
Enterprise Scale and Usable Security
  • Technical controls and compliance reporting for
    human processes
  • Transparency and control for administrators and
    organizations
  • Market categories drive or define a number of
    aspects of purchasing decisions
  • Data Leak Prevention aligns with attention to
    organizational boundaries

7
Process and Culture
  • Align and leverage
  • What is usable security?
  • Principles to guide early user experience and
    development
  • Process integration points

8
Overarching Principles
  • Enable UX designers to think about usable
    security in early functional design
  • Transparency
  • Security state obvious and available to all
    involved
  • Control
  • Owners control objects and administrators control
    organization members
  • No surprises
  • Know what could happen in the future
  • Addresses confusion and mistakes

9
Process Hooks
  • Agile development
  • Tasks tagged as security related
  • Security themed iterations
  • Security reviews of substantial components and
    tasks
  • UX design tasks and reviews
  • Security participation in UX reviews
  • UX design of security related functionality

10
Culture impact
  • User experience, security, and developer
    stakeholders able to identify usable security issues
  • New team members surprised at the requirements
    for usability and security to work together
  • Cross pollination of usable security into other
    projects by user experience folks

11
Challenges
  • Burden on user experience to drive early security
    proposals towards more usable alternatives with
    the same security model
  • Opacity of indirection through groups

12
Thank you for your time
  • Look forward to more success stories in the
    future
  • Drive towards useful set of best practices
  • Questions, Answers, Comments?