Reading the ZDNet piece “Killing Security Through Obscurity to Defeat Competitors”, I couldn’t help thinking that the missing piece was user friendly IAM. When you want to make security less obscure, what you’re really doing is making the rules obvious and easy to follow. You’re making it possible for any user to do their own security work while also keeping the system very tight. And what kind of work do users do? They pick passwords. They forget and reset passwords. They hook up accounts (e.g. Facebook accounts) so they don’t have to worry about passwords. What users do is manage identity and access. Think about it. Does the user care what strength the encryption is? Well, if you’re reading this then maybe *you* do. But you also know most don’t. You know users care about getting in and getting the things they think they should have. They also want to be sure there isn’t a bunch of stuff in their way – like overbearing security routines.
How does this translate into things you can do? First, you need to know where the line in the sand is. The way I would draw it is putting all the IAM stuff on the easy for users to do side, and all the rest on the invisible but helpful side. What does invisible but helpful mean? That’s stuff like the encryption or assertions or other techy bits needed to make your security work. The user should never see that stuff. The cardinal sin here is failing to update certificates and giving the user that big, ugly, scary red screen in their browser warning them that the site certificate is fishy. The stuff you put in their view is the way to do all the account, password, and even access to content stuff that they do want. When they come to a part of the site that they do not have access to, don’t just say “access denied” with the usual frame. Tell them they don’t have access. Tell them the kind of people or roles that do have access. Give them a path to get access – or tell them why someone in their role does not have a path to get access. When you make the reasons and means to change things obscure, then you’re just creating work for IT when the users come knocking to get all those explanations you could have just put right there on the page.