Cyberoam UTM White Paper
A Security Solution is as Good as it’s Configured
How a Well-Designed UI Gets it There
www.cyberoam.com
Executive Summary
Three elements have evolved together for security solutions to reach the current stage – features, interfaces and security administrators. On the one hand, security features moved from rudimentary firewalls to application firewalls that demanded high granularity and expanded in breadth with the emergence of Unified Threat Management solutions. On the other hand, the interface itself evolved from CLI-based black screens to software GUIs, to Web GUIs, to today's Web 2.0 technology, delivering higher levels of security by minimizing security errors. Driven by these two elements, security administrators have begun to expect greater depth and breadth of security in features, while demanding ease-of-use and interfaces that involve shorter learning curves, fewer security errors and less downtime.
www.cyberoam.com I [email protected] Elitecore Product
Contents
• Is your Security Solution Putting you at Risk?
• What should Security Software GUIs Deliver?
• Security Software Risks – Caution to Administrators
• 5 Questions Security Administrators Pose
• 15-Point Security Software Checklist
• What is Cyberoam
Is your Security Solution Putting you at Risk?
A security solution is as good as it is configured. That is a truth that has been ignored far too long. Although a well-designed user interface solves this problem, security software, with its focus on features and granularity, has always lagged behind web portals in adopting usability and new interface technologies. In the process, it has ignored the fact that security GUIs in particular should not increase security risk and downtime.
When basic firewalls first emerged in the late 1980s, they walked in with a Command Line Interface - CLI - making administrators enter hundreds of lines of code from configuration to policy setting to checking logs and taking corrective action.
Soon, these firewalls began offering the Software GUIs that applications and operating systems were already providing. Administrators were quick to move to this easier interface.
During the late 90s, the Internet was expanding at a furious pace; the dot com boom and bust were around the corner; firewalls and other security solutions followed web portals and moved to Web GUIs. This was the true beginning of usability.
Soon, application firewalls emerged with increasing granularity. At the same time, Unified Threat Management solutions began delivering multiple security solutions over a single interface. While solutions became more complex, the technical capability and inclination of administrators moved towards ease-of-use and intuitive UIs. But with the average UI coming with some 40 flaws*, interfaces had some catching up to do.
The emergence of Web 2.0 during the mid-2000s finally introduced the ability to deliver the intuitive interface that security solutions needed. Although the solutions are still to incorporate this technology, Web 2.0 enables them to ease administrator tasks and minimize security errors and downtime while enhancing administrator productivity. A note of caution here - security administrators should be wary of solutions which, carried away by the Web 2.0 flexibility, add more fizz than functionality.
What should Security Software GUIs Deliver?
First and foremost, as with all interfaces, a good security software GUI lets the administrator feel in control. This is borne out in our survey where 55% of administrators would like to have simple navigation, the single largest demand from them. Another 34% asked for clarity in messages, buttons and menus. These 2 factors were leading to long configuration times, longer learning curves and, in quite a few cases, security errors and downtime. Given these facts, the key elements of good security software GUIs are to:
• Minimize errors - by predicting what the administrator is likely to do
• Enhance productivity - through consistency and intuitive ability
• Reduce training need and the learning curve
The end result would be satisfied administrators. At Microsoft several years ago, Word for Windows' print merge feature was generating a lot of lengthy (average = 45 minutes) support calls. As a result of usability testing and other techniques, the user interface for the feature was adjusted. In the next release, support calls 'dropped dramatically'*.
Similarly, security software GUIs that are administrator-friendly reduce the need to use Help and Search buttons as well as tech support calls. Further, they minimize security errors, simplify policy creation and editing, speed up response time, reduce downtime and can make the difference between keeping all the systems up and leaving a gap in security. Plus, they lead to higher satisfaction levels for administrators and their team - in a 1992 Gartner Group study, usability methods raised user satisfaction ratings for a system by 40%*.
Security Software Risks - Caution to Administrators
Security software, more than any other software product, carries inherent security risks which can be controlled through usability. Ranging from complex navigation, slow response times, hard-to-see alerts and complexity in configuring and applying policies to expired subscriptions, the list is endless. The idea is to reduce the frequency and severity of errors and enable administrators to recover from errors easily and quickly.
Here is a representative list of risks that administrators must look out for with security solutions:
Complex Navigation: Effective navigation makes up 80% of usability. Administrators require precise instructions for the start and end points, and clarity in the navigation steps. Since most security software has optional features based on subscription, navigation should be clear for administrators who hold the entire bundle as well as those that operate with limited features. Multiple back and forths among screens lead to confusing GUIs that can cause long security policy creation cycles, leading to administrator frustration.
Slow Response Times: When administrators have to search for reports, take a long time to drill down to the origin of the threat, and longer still to change policies to minimize its spread, it has serious security implications for the entire network.
Dashboard Alerts: Zero-day threats, feature malfunction (say IPS, Anti-virus or Anti-spam), invalid access attempts to the solution, the solution itself being under attack, or any number of such happenings, must be displayed as a difficult-to-miss alert on the GUI.
Applying Policies: Creating a policy, say to control access to applications, can involve controlling a long list of signatures running into the thousands. Cumbersome GUIs with long scrolling windows or multiple scrolls between the outer window and an inner window can easily disorient administrators, making them miss some applications or add some that are best left accessible. Typically, at the end of a policy configuration, administrators must know how to apply a policy, say scan or block, and must understand whether they've achieved what they set out to achieve; the GUI should also help them grasp the implication of the order of rows, where a policy in a higher row overrides those in the rows below.
Renewals and Updates: Renewals and updates can go unnoticed when the subscription details remain hidden or are unclear, as they do in many software GUIs. Placing them on the dashboard with no ambiguity in the message helps to make sure that the organization's security cover is up-to-date.
To sum up, usability is a matter of not just productivity and ease-of-use but, more importantly, of higher levels of security in the case of security software. Web 2.0 techniques used judiciously with the principles of usability can achieve this goal.
5 Questions Security Administrators Pose
Security administrators typically pose the following 5 key questions and concerns. Given similar feature sets, they need to use these questions during their evaluation phase to select a more intuitive GUI:
1. What does this mean? Security administrators need to understand the meaning and context of a term before applying a policy. They cannot employ a method of trial and error. When disallowing certain site categories to users, they need to look for a definition of the category itself, e.g. productive, harmful, unproductive, bandwidth consuming, and a sample set of sites within the category itself, without having to change screens. They need to look for best practices recommended by the vendor as a security expert, although they might customize this to meet their requirements.
2. Did I go wrong? Administrators are human. They make mistakes. They need to look for fool-proof solutions that make them double-check when an error can lead to expensive and time-consuming mistakes. This can take the form of confirmatory questions and disallowing certain changes. Similarly, they need to look for a solution that gives a confirmation at each successful stage, easing the pressure of going wrong.
3. Why didn't you warn me? Certain policies and settings require a solution restart, bringing to a halt downloads, uploads, communications and system back-ups in progress. Administrators must look for solutions that provide a warning prior to such policy creation, so that they can choose the time to apply the change and hence allow the solution to restart.
4. Where am I? Navigating a new GUI is like walking in a new city without the familiar landmarks. Hence, they need to look for solutions with certain familiar elements to reduce the learning curve unless they are looking for a radically new solution.
5. Where can I find it? Administrators and their team mates find it easier to make fair guesses and figure things out for themselves than to read lengthy user guides when making a first-time deployment and policy creation. Hence, they need to look for GUIs that minimize the guesswork, which comes from clarity in titles and placement.
15-Point Security Software Checklist
When business representatives did a cost-benefit analysis for a new system, they estimated that a well-designed GUI front end had an Internal Rate of Return of 32%. This was realized through a 35% reduction in training, a 30% reduction in supervisory time, and improved productivity, among other things*. Looking at it from the security administrator point-of-view, the 32% rate of return on the vendor-side indicates a saving in training time to security administrators and fewer deployment and support calls that they are forced to make, not to speak of the security errors that are eliminated.
To generate such benefits to administrators, we have compiled the following 15-point checklist, including navigation, design and text elements, that administrators must consider when evaluating security solutions:
1. Are the start and end points clear?
2. Are multiple paths and intermediate steps between the start and end points clear as with a GPS?
3. Do administrators know at which point they are on the GUI?
4. Does policy creation involve multiple back and forths between screens, features or between CLI and GUI?
5. Can a policy be undone mid-way if the administrator decides that it does not meet the corporate security policy?
6. Are error, renewal and update messages prominent in display on the dashboard?
7. Is critical information readily available?
8. Does the page fit the window size horizontally with key elements?
9. Are page scrolls kept to a minimum?
10. Is the layout and design uncluttered?
11. Are the policy and category definitions clear to the administrator?
12. Are the tabs and messages clear and consistent?
13. Does each single word or title have a unique meaning?
14. Are the save-submit buttons clear in meaning and layout?
15. Are warnings clear in their implication?
Checklist for Evaluating Security Solutions
• Navigation
• Layout & Design
• Meaning and Readability
What is Cyberoam
Cyberoam Identity-based Unified Threat Management is at the forefront in incorporating principles of usability and Web 2.0 technology to provide a security software GUI that is easy to use for security administrators. It also minimizes security errors and enhances administrative productivity. Available from Version X in 2010, it took a full architectural revamp and a complete change in its GUI to deliver this intuitive interface to administrators.
The aim was clear - given the increasingly ubiquitous nature of UTMs in organizations, to deliver a GUI which administrators can deploy and configure rapidly and by themselves.
For sales enquiries, please contact us at [email protected]
Cyberoam Security Portfolio
• Unified Threat Management (UTM)
• SSL VPN
• Cyberoam iView: Intelligent Logging & Reporting
• Cyberoam Central Console (CCC)
• Cyberoam Endpoint Data Protection: Data Protection & Encryption, Device Management, Application Control, Asset Management
Cyberoam UTM Features
• Application Firewall
• VPN (SSL VPN & IPSec)
• IPS (Intrusion Prevention System)
• Anti-Virus and Anti-Spyware
• Anti-Spam
• Content & Application Filtering
• Bandwidth Management
• Multiple Link Management
Toll Free Numbers
USA : +1-877-777-0368 | India : 1-800-301-00013
APAC/MEA : +1-877-777-0368 | Europe : +44-808-120-3958
Copyright © 1999-2010 Elitecore Technologies Ltd. All Rights Reserved. Cyberoam & Cyberoam logo are registered trademarks of Elitecore Technologies Ltd. ®/TM: Registered trade marks of Elitecore Technologies or of the owners of the Respective Products/Technologies.
Although Elitecore attempted to provide accurate information, Elitecore assumes no responsibility for accuracy or completeness of information neither is this a legally binding representation. Elitecore has the right to change, modify, transfer or otherwise revise the publication without notice.
*http://www.amanda.com/resources/ROI/AMA_ROIWhitePaper_28Feb02.pdf