The bring-your-own-device (BYOD) trend has resulted in a shift in where responsibility for security rests, according to RSA Conference. For more than a decade, the conference has played host to extremely complex and powerful security solutions that must be driven into an organization from the top down. But this year, that balance of power moved back down toward the bottom, because enterprises now have to deal with the security of their employees’ personal devices.
To that end, numerous companies have been offering solutions that lock down end-user phones, or that wrap sensitive apps and data in a security layer that can be monitored and managed. But as the needs of enterprises in this space have gotten more complex, new companies have cropped up to deal with the problem.
Bluebox Security, for example, came out of stealth mode at RSA Conference to show off its enterprise mobile device security solution for the iPhone. The company spent the last two years reverse-engineering iOS in order to offer a true security product that goes beyond the MDM specifications Apple itself created to deal with the problem.
At its core, Bluebox secures the enterprise data that’s stored on a phone, rather than wrapping existing applications. But while the software makes things easier for administrators, it was a top priority of the project to not make the end user feel put upon by the complexity of the security solution.
Caleb Sima, CEO of Bluebox, said that user interfaces are becoming increasingly important to security developers, who traditionally have not worried very much about UI design.
“It’s not just on mobile, [it’s] the security industry as a whole: We’re moving into a world where not only does the enterprise not own the device, they don’t own the service,” he said. “It is a user-focused world, user-centric. Security no longer has the ability to be the bouncer and say ‘You can’t do that.’ They need to be a bodyguard, that allows you to do things, but watches your back while you do it. We need to start looking at employees no longer as being nefarious, but as being people we work with and monitor, versus stopping and controlling. That goes beyond mobile, that goes to the security industry as a whole.”
Call it the security UI revolution. Thanks to bring-your-own-device, security tools now must be easily usable by novice users inside the enterprise. They must be unobtrusive and not stop end users from doing things they would normally do with their phones. Why treat users with kid gloves? Because if the end user simply bypasses or turns off the security tool because it’s getting in their way, all the efforts of a security team are suddenly thwarted.
Ryan Kalember, chief product officer at WatchDox, agreed. His company offers a secure document storage system, similar to SharePoint, but with integrated encryption and extra security features. It is for this reason, he said, that Hollywood uses WatchDox to store its soon-to-be-made scripts.
Kalember said that mitigating user rejection of security tools can be accomplished through better user interfaces, and also by staying away from categorizing a piece of software as a security tool when describing it to users. He said WatchDox specifically uses the same type of interface as Dropbox, simply because it’s easy and it’s what users expect.
“We advise people to roll out WatchDox as a productivity tool, not a security tool,” said Kalember. “They bump up against security only when they do something they’re not supposed to do. The process of sharing is ‘right-click and share.’ There’s no reason not to emulate this UI. You don’t want to force the end user to make too many decisions, and you want to empower them to share anything they want. Whether they use the Web or use a mobile device, who cares? The data should be accessible to people the same way regardless of how it travels from point A to point B.”
Indeed, the RSA Conference show floor was crawling with software that touted security capabilities, coupled with standard interfaces similar to those of more popular commercial applications like Box, Google Docs, or even Amazon Web Services. It seems that security is becoming a friendlier topic for developers and users alike.