Technology analysis: How easy are infosec products to use?

• Article 32 of 33
• SC Magazine, February 2013
• View the original article online

Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages

Then there is the problem of 'feature creep'. Secunia's Stengaard says that when he arrived at the company, it was so focused on what new features it could add with every release that it had neglected ease of use in its private user product. "We were feature-focused with lots of graphs. Yet something like finding the scan button proved difficult," he explains. In the next version of the software, Stengaard started with a near blank slate for the interface that included only the important features and would automate processes as much as possible. He brought in a new design team to work on the interface, led by someone with experience of both consumer and security software.

However, Stonesoft's Hämäläinen argues that even with the best will in the world, "the domain is so difficult - we do deep-packet inspection, VPN, anti-spam... if you want to set up a VPN, you have to know about cryptography and protocols, so we can't make it too simple". All the same, Stonesoft continues to try to reduce the complexity of processes, to make products easy to set up and to ensure that they contain a good set of defaults - so removing the headache for most users.

Overcoming complexity, particularly in a heterogenous environment where there might be devices from various vendors, is an area where FireMon has carved a niche for itself, offering a management console for multiple firewalls. "We focus on configuration management," says Brazil. "More often than not, configurations are incorrect, with 40 per cent of firewalls completely useless. Two-thirds of configured firewall policy has no business purpose. And that's purely down to complexity."

With perhaps several hundred firewalls, each with between 300 and 500 rules, the path to misconfiguration is well-trodden. While interface improvements, such as Check Point's graphical editor, have helped with the management of individual firewalls, dealing with them en masse has become a serious ease-of-use problem that the vendors are not focused on addressing, Brazil says.

What's more, there is now more than one kind of professional accessing security technology, something that vendors are only slowly waking up to. "In the past, security products used to be sold to security experts, and it was that combination that was then sold to the non-expert," says Tim Keanini, chief research officer at nCircle. "As security permeates throughout an organisation, you're asking, 'To whom is this usable?' The same tool that is absolutely usable to the security professional is completely unusable to the auditor."

Thus nCircle has created different interfaces for different types of users. "Over the past five years, we have restructured the product so it's completely different for different personas, because you don't want to make it easy to use for someone at the expense of others," says Keanini.

Usability vs efficacy
To a certain extent, vendors have perhaps failed to prioritise the interface because doing so goes against the way security technology is procured, argues Dave Taylor, vice president of corporate strategy at WatchGuard. "If Cisco has sold to company A, and all I can say is that my product is 250 times easier to use, there's a challenge to get funding. I have to push the security efficacy," he explains.

Equally, it is hard for a CSO to pitch a new product to the board when the only thing that differentiates it from existing technology is that it is easier to use and less likely to lead to misconfiguration.

Furthermore, adds FireMon's Brazil: "Customers expect good management tools, but they're not willing to pay much more for the tools than for the underlying technology."

Despite all this, ease of use is likely to become of greater importance in the near future. "Ease of use in management will continue to emerge as a key differentiator in the industry," predicts WatchGuard's Taylor. "It's going to become a battleground with TCO-type analyses."

Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages