webinar: eliminating negative impact on user experience from security solutions

STRICTLY CONFIDENTIAL | © 2015 SECUDE AG

Eliminating Negative Impact on User Experience from Security Solutions - Webinar

Upload: ul-transaction-security

Posted on 20-Jan-2017

TRANSCRIPT

Eliminating Negative Impact on User Experience from Security Solutions - Webinar

SECUDE has many customers using SAP, and each and every one we have spoken to has confirmed to us that they do NOT know when, what, who or how often data is extracted from their SAP systems!

Clearly, not knowing what data is leaving SAP, who is accessing it and where it is going is a serious security vulnerability. Our Halocore solution can deal with that issue and more. It is best described with the 5 simple words highlighted here, which will be the basic sequence we use in understanding the Halocore solution.


About SECUDE

- Established in 1996, spin-off from Fraunhofer & SAP
- Developer of a Secure Login (SAP Single Sign-On) technology, sold to SAP in 2011
- SAP partner and Value Added Reseller (VAR)
- Trusted by a large number of Fortune 500 and DAX companies
- 4 global locations: Switzerland, Germany, USA, India
- New focus extends to data-centric security and classification with Halocore solutions

SECUDE is an innovative global provider of IT data protection solutions for SAP customers. Our user-friendly solutions protect the integrity of data, prevent intellectual property theft and data breaches, while enforcing regulatory compliance.

First, a bit of history about SECUDE...


What is User Experience?

User eXperience (UX) is the process of enhancing customer satisfaction and loyalty by improving the usability, ease of use and interaction between the user and the product.

OR

User eXperience (UX) is the understanding of what people do and how we can make it better.

It took our industry a number of years to fully understand how important user experience (UX) is to everything that we build. At its heart, UX design is about effectively addressing the needs and circumstances of your users, to produce an interface that is comfortable and even joyful to use. Your users' needs are always changing, as people continually evolve their expectations and technologies.


The Design of Everyday Things

Little Things That Make a Difference

In the vast majority of cases, splash screens do little more than needlessly annoy users. Rather than make us sit and stare at a logo for five seconds every time we open an app, why not -- I don't know -- just let us into the app?

Little Things That Make a Difference

There's rarely a reason for a "Loading" dialog to hijack our screen and force us to stare at a spinning wheel. How about a Gmail-style progress bar that doesn't take over the entire experience instead?

Results of Little Things, Big Difference - Uber

UX Research is About Changing Assumptions

Shopping Experiences Are Measured By UX


Wearables Are Changing UX


- How the Customer explained it
- How the Project Leader understood it
- How the Analyst designed it
- How the Programmer wrote it
- How the Business Consultant described it
- How the project was documented
- What Operations installed
- What the customer was billed
- How it was supported

What the Customer really needed

UX Fails - Bad Design

UX Fails - Confusing Users

UX Fails - Registration

UX Fails - Bad Website Design

3 of 12 reasons why software fails are directly related to problems with UX

- IEEE Report "Why Software Fails?"

Does This Sound Familiar?

This software is very complex!

I liked the old app better

Why do I have to click so many times to do something?

Why can't I copy/paste all the data from my Excel sheet?

Why can I not download this file?

Why do I get an error message?

Why is this taking so long?

Humans & Security

Are usability and security competing goals?

- Humans are the weakest link in the security chain
- Security systems are social as well as technical
- Security mechanisms require extra work. Humans find shortcuts and workarounds
- Users will find ways to evade security demands that are considered unreasonable or burdensome

Tradeoffs between security, privacy, and convenience are sometimes inevitable: ActiveX controls, cookies. "Putting up walls just keeps people from getting their work done, from creating value in the organization. And, it creates discord between value creators and information protectors."


Security vs User Experience

For user experience designers the question is: How do you design the security experience to fit the needs of the digital identity? Behind the identity there is a person with the same basic needs as stated in Maslow's hierarchy of needs, security being among the most critical.

For security professionals the question is: How do you enable your customers' business in an environment where speed and comfort override the traditional understanding of the security environment, where user experience overrides security?

Be enablers. Provide non-intrusive tracking and monitoring capabilities. Present users with understandable options that allow them to perform their tasks with a minimum of inconvenience.


Layered Approach to Security

- Network: Data Loss Prevention (DLP), Firewalls, Virtual Private Network (VPN)
- Storage: Full Disk Encryption (FDE), Database Encryption
- File: Pretty Good Privacy (PGP), Information Rights Management (IRM)

Network Layer

Common problems with VPNs:

- Connection attempt is rejected when it should be accepted
- Connection attempt is accepted when it should be rejected
- Unable to reach locations beyond the VPN server
- Disconnected from a VPN session

More than three-quarters (77%) of Americans are less than satisfied with the current capabilities offered by their IT organization. Source: Petino Study

Network Layer

Common issues with DLP:

- DLP is far away from where data is created (applications)
- DLP lacks contextual awareness
- DLP can't make sense of content sent as CAD diagrams, graphics, pictures or non-text-based media
- DLP doesn't understand the user and her intentions
- Negative impact on user experience

So secure that it is unusable?

Storage Layer

Mobile technology impact on productivity: Thinking about the next 24 months, how critical a role will the following mobile technologies play in business productivity at your company? Source: Information Week Mobile Device Management and Security Survey

Storage Layer

Standardizing on a mobile device platform: Has your organization standardized on a mobile device platform? Source: Information Week Mobile Device Management and Security Survey

Storage Layer

Level of data sensitivity allowed for storage on mobile devices: What is the maximum data sensitivity level that is permitted to be stored on any type of mobile device? Source: Information Week Mobile Device Management and Security Survey

Storage Layer

Mobile devices and data policies: Does your organization currently have written policies or procedures pertaining specifically to mobile devices or the handling of mobile data? Source: Information Week Mobile Device Management and Security Survey

Data Layer

File encryption (PGP)
- Key/password management issues
- Protection is gone once the file is unlocked/decrypted

Rights Management (DRM, IRM, RMS)

Capabilities of IRM
- Protection = encryption + policy
- Control who can open, edit, print, copy/paste
- Expiration date

Established IRM solutions
- Adobe
- Microsoft

3 Ways to Accomplish Security While Heightening User Experience

1. Create different user types. "Those that do not need access to the sensitive information can't retrieve it."
2. Channel application flows. "Make it easy to get access to sensitive information only if needed. And make sensitive information harder to access otherwise."
3. Help users understand the potential consequences of their actions. "Give them steps they must acknowledge to access sensitive information or execute risky operations. Along with building in automatic flows that may be invisible to users, develop agile processes that enhance the sense of ownership."

How Many Clicks Do You Need?

SAP Security
- Roles and Authorizations
- Segregation of Duties (SoD)
- Infotypes
- Single Sign-On (SSO)
- Password Hashes
- Secure Network Communications (SNC)

Enterprise Security
- Firewalls
- VPNs
- Classification
- Data Loss Prevention (DLP)
- Cloud security and MDM
- Risk and vulnerability management

SAP Data is the Heart of the Enterprise

As an SAP customer you run most of your business on SAP, thus you have a tremendous amount of sensitive, mission-critical data in SAP. Your security team has spent a lot of time ensuring that what is in SAP can only be accessed by the people who have the roles and authorizations to access it.

Strong roles and authorizations have been developed to ensure that.

SAP IS YOUR MISSION CRITICAL DATA STORE

From PII to HR to Financial to Product Plan, your Crown Jewels reside in the SAP data stores.

Every Day Data is Extracted from SAP

Unfortunately, every day a multitude of data is extracted from SAP by your users who need it to do their job, most of it likely spreadsheets but many other data types as well. It is then sent to many places like Dropbox, a PC hard drive, a mobile device, and may be shared with employees, partners and possibly even a competitor. Or worse, it may get out loose on the Internet!

Today: Traditional Security Solutions Are Not Connected to SAP

Catch it if you can... You have many DLP solutions to try to protect your data outside of SAP. Most GUESS what the data may be, look for credit-card number patterns, to decide to alert, block or so on, or even ask for user input.

EDC today, if used, only comes into play when a user opens a document after it has been downloaded from SAP, and mostly depends on the user to do it.

So why not classify data at creation? When data is extracted out of SAP, all of the rich SAP metadata is available: what system, what table, what roles and authorizations, even where the user is at the time, and much more.


Cohesive UX with Securing Data

That is EXACTLY what Halocore does. At the point of extraction/download, using an algorithm called Attribute Derivation, Halocore intelligently classifies the data right then, when most is known about it: app, system, Tx, table, even what device it is going to. Right at that time it can Audit, Block, even Protect. By automatically and intelligently applying Classification Meta-Data Tags, your downstream solutions become far more accurate and effective and produce far fewer false positives.

Extend Existing Classification Frameworks to Data Leaving SAP


This UI is completely optional. Classification and tagging can be done without any user involvement, or it can involve the user in confirming or even changing the classification. Many allow user involvement to create awareness of document sensitivity. All actions are logged. What you see is entirely configurable.


Block Sensitive Data Downloads Directly from SAP


An Atlanta beverage company does not want password hashes to EVER be downloaded, so they blocked any downloads of Tx SE16 Table USR02. Locked, and any access attempts logged.
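To make the two mechanisms described above concrete, the attribute-derivation classification at the point of extraction and the SE16/USR02 block rule, here is an added Python example. It is constructed for this page and is not Halocore code or a Halocore configuration: the event fields, the Internal/Confidential/Restricted labels, the sensitivity table, the rules and the sample users are all assumptions; PA0002, BSEG and MARA are real SAP table names used only as sample values.

```python
"""Constructed download-policy example; not Halocore code. Labels, rules and
the sensitivity table are assumptions made for this illustration."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class DownloadEvent:
    """What SAP knows at the moment of extraction (sample values are constructed)."""
    user: str
    roles: frozenset          # SAP roles held by the user
    system: str               # SAP system ID, e.g. "PRD"
    transaction: str          # transaction code, e.g. "SE16"
    table: str                # table being extracted, e.g. "USR02"
    target: str               # where the file goes: "pc", "mobile" or "share"
    rows: int


@dataclass(frozen=True)
class Decision:
    action: str               # "allow", "protect" (apply IRM) or "block"
    classification: str       # label stamped on the extracted file as metadata
    reason: str               # name of the rule that decided


# Assumed sensitivity per SAP table (USR02 is the table named in the deck).
TABLE_SENSITIVITY: Dict[str, str] = {
    "USR02": "Restricted",     # user master, includes password hashes
    "PA0002": "Confidential",  # HR personal-data infotype
    "BSEG": "Confidential",    # accounting document line items
}
RAW_TABLE_BROWSERS = ("SE16", "SE16N")

# A rule looks at the event plus the derived classification and returns an
# action, or "" when it does not apply. Rules are evaluated in list order.
Rule = Callable[[DownloadEvent, str], str]


def rule_block_password_hashes(e: DownloadEvent, _cls: str) -> str:
    # The deck's example: USR02 through SE16 never leaves, whoever asks.
    return "block" if e.transaction == "SE16" and e.table == "USR02" else ""


def rule_protect_sensitive(_e: DownloadEvent, cls: str) -> str:
    # Confidential and Restricted data is wrapped in rights management on the way out.
    return "protect" if cls in ("Confidential", "Restricted") else ""


def rule_protect_mobile(e: DownloadEvent, cls: str) -> str:
    # Internal data may sit on a PC unwrapped but is protected when headed to a mobile device.
    return "protect" if e.target == "mobile" and cls == "Internal" else ""


RULES: List[Rule] = [rule_block_password_hashes, rule_protect_sensitive, rule_protect_mobile]


def derive_classification(e: DownloadEvent) -> str:
    """Attribute derivation: the label follows from table and transaction, not from
    guessing at the content after the fact. Raw table browsers dump whole rows and
    bypass the application's field-level checks, so an Internal table pulled through
    them is bumped one level."""
    cls = TABLE_SENSITIVITY.get(e.table, "Internal")
    if cls == "Internal" and e.transaction in RAW_TABLE_BROWSERS:
        cls = "Confidential"
    return cls


def evaluate(e: DownloadEvent, rules: List[Rule] = RULES) -> Decision:
    """First matching rule wins; an event no rule claims is allowed but still labelled."""
    cls = derive_classification(e)
    for rule in rules:
        action = rule(e, cls)
        if action:
            return Decision(action, cls, rule.__name__)
    return Decision("allow", cls, "default_allow")


def audit_record(e: DownloadEvent, d: Decision, when: Optional[datetime] = None) -> dict:
    """Every attempt is recorded, blocked ones included, so the log shows who tried what."""
    when = when or datetime.now(timezone.utc)
    rec = asdict(e)
    rec["roles"] = sorted(e.roles)
    rec.update(timestamp=when.isoformat(), **asdict(d))
    return rec


if __name__ == "__main__":
    # Constructed sample events.
    sample = [
        DownloadEvent("jdoe", frozenset({"Z_BASIS_ADMIN"}), "PRD", "SE16", "USR02", "pc", 5000),
        DownloadEvent("asmith", frozenset({"Z_HR_PARTNER"}), "PRD", "PA20", "PA0002", "pc", 40),
        DownloadEvent("bwong", frozenset({"Z_MM_BUYER"}), "PRD", "ME23N", "MARA", "mobile", 12),
    ]
    for ev in sample:
        print(audit_record(ev, evaluate(ev)))
```

Running the file prints one audit record per sample event. The point of the rule ordering is that a block is decided before any protection rule runs, and that every attempt, blocked or not, produces a record, which is what makes the audit reporting described later possible.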


Extend Roles and Authorizations Configured in SAP for Continuous Protection

MS RMS is template based; in this example we use a Finance template which allows open only, and others only have read-only, print-only access. Once a user attempts to download, Halocore pops up and asks the user to confirm the template again. Assuming the user confirms (Save), in the next step Excel comes up as normal, but as you can see by the yellow bar Excel confirms that this spreadshe

Clicking will bring up the second example; will try to have this changed into two distinct slides.

As you can see, users have View and Print only; they cannot Copy, Edit or Save it elsewhere. So if this was sent to someone outside of the finance department, they would not even be able to open it.


Audit All Activity


- Helps to track sensitive data distribution in the company and identify possible weak spots
- Does not require a Microsoft RMS infrastructure
- Each and every download is tracked
- The log can be displayed with an easy-to-use report transaction, in an ALV grid
- Data can be extracted and analyzed with more powerful tools, such as Business Objects
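The "identify possible weak spots" point above can be turned into a small report over the per-download log. The following is an added Python example over a constructed CSV export; it is not a Halocore report transaction, and the column layout, the thresholds and the sample users are assumptions made here.

```python
"""Constructed audit-log analysis example; not a Halocore report. The CSV layout
below is an assumption about how a per-download log might be exported."""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample export: one line per download attempt, blocked ones included.
SAMPLE_LOG = """\
timestamp,user,system,transaction,table,classification,action,target,rows
2015-06-01T08:12:03Z,jdoe,PRD,SE16,USR02,Restricted,block,pc,0
2015-06-01T08:15:40Z,jdoe,PRD,SE16,USR02,Restricted,block,pc,0
2015-06-01T09:02:11Z,asmith,PRD,PA20,PA0002,Confidential,protect,pc,120
2015-06-01T09:30:27Z,bwong,PRD,ME23N,MARA,Internal,allow,pc,15
2015-06-01T10:41:55Z,cdavis,PRD,SE16,BSEG,Confidential,protect,mobile,250000
2015-06-01T11:05:09Z,cdavis,PRD,SE16,BSEG,Confidential,protect,share,250000
2015-06-02T07:55:31Z,asmith,QAS,PA20,PA0002,Confidential,protect,pc,30
"""

Record = Dict[str, object]
Finding = Tuple[str, str, object]   # (kind, user, detail)


def parse_log(text: str) -> List[Record]:
    """Read the export; rows is the only numeric column."""
    records: List[Record] = []
    for row in csv.DictReader(io.StringIO(text)):
        rec: Record = dict(row)
        rec["rows"] = int(row["rows"])
        records.append(rec)
    return records


def rows_by_user_and_class(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Where sensitive data is going: rows extracted per user per classification."""
    totals: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if r["action"] != "block":            # blocked attempts moved no data
            totals[r["user"]][r["classification"]] += r["rows"]
    return {user: dict(c) for user, c in totals.items()}


def weak_spots(records: List[Record], repeat_block_threshold: int = 2,
               bulk_rows: int = 100_000,
               offsite_targets: Tuple[str, ...] = ("mobile", "share")) -> List[Finding]:
    """Three patterns worth a second look, with thresholds chosen for the example:
    repeated blocked attempts by one user, bulk extracts, and Confidential or
    Restricted data heading to a mobile device or a share."""
    findings: List[Finding] = []
    blocks = Counter(r["user"] for r in records if r["action"] == "block")
    for user, n in sorted(blocks.items()):
        if n >= repeat_block_threshold:
            findings.append(("repeated_block", user, n))
    for r in records:
        if r["rows"] >= bulk_rows:
            findings.append(("bulk_extract", r["user"], r["table"]))
        if r["target"] in offsite_targets and r["classification"] in ("Confidential", "Restricted"):
            findings.append(("sensitive_offsite", r["user"], r["target"]))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, per_class in rows_by_user_and_class(recs).items():
        print(user, per_class)
    for finding in weak_spots(recs):
        print(*finding)
```

The thresholds are deliberately simple; in practice they would be tuned per table and per role, and the per-user row totals would be the input for the kind of deeper analysis in Business Objects that the slide mentions.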


Demo

Aparna Jue
Technical Product Manager

Office: +1 (404) 977-0940

[email protected] | www.secude.com


Copyright SECUDE AG 2015. All rights reserved.

All product and service names mentioned are the trademarks of their respective companies. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express written permission of SECUDE AG. The information contained herein may be changed without prior notice.

Microsoft, Windows, and Active Directory are the brand names or registered trademarks of Microsoft Corporation in the United States.
