Making Security Usable at HubSpot

Security and usability have been at odds with each other since the dawn of time. We usually associate trusted software with clunky interfaces, not an intuitive user experience. This disparity has inspired many people to find clever (and not so clever) ways to work around common security measures. Some of the biggest information security breaches in the last year have been attributed, in large part, to this. We've been working hard to improve both security and usability internally at HubSpot. While we haven't found a perfect balance between the two, understanding their co-dependencies has helped us make our system safer and more user friendly.

 

Usability is critical to security

Security and usability are both important: if a system isn't user friendly, people won't use it. If a system isn't secure, anyone might use it. One of the best examples of this issue is passwords. The most secure passwords are long, complex, randomly generated, and almost impossible for the average user to remember. The human brain excels at pattern matching. Patterns are much easier to remember, but passwords that follow a pattern are also much easier to guess.

Requiring regular password changes usually leads to partial password reuse (e.g. password1→password2). Enforcing complex passwords that do not match patterns tends to cause other bad behaviors: passwords on sticky notes, excessive password resets, password reuse across systems, and even bypassing authentication entirely. The ultimate goal is to make accounts very difficult to compromise, but strict password policies can have the opposite effect.

Given two paths, people tend to choose the easiest:

  • Why deal with sudo prompts when you can go in as root?
  • Why test with real SSL when you can disable it entirely?
  • Why use the two-factor enabled VPN when you can install your own remoting software?
  • Why bother with the office web filter when you can use a public proxy?
  • Why struggle to set up office Wi-Fi security when you can plug in an open access point of your own?

With all of these examples, it's clear that this is a real problem. People like to be efficient and productive, and anything annoying or repetitive in their workflow is going to cause friction. Friction causes frustration, so people will naturally try to avoid it. If you upset your own users while attempting to secure your system, you now have two types of adversaries instead of just one.

So how can we increase security without sacrificing usability? I recently spoke at Facebook's Security @ Scale conference about some of the things we've done to improve usability around authentication, authorization, and accounting, and I've shared some of those key learnings below. 

 

 

Authentication

Strong passwords are necessary to secure most systems, but they make the user experience difficult. Since reducing security isn't an option here, we need ways of increasing usability:

  • Set reasonable session timeouts to help reduce the repetition of having to type a password over and over.
  • Provide secure password management software to cut down on password reuse across systems and speed up the login process.
  • Give users more control over their own account and reduce work for support staff by providing a self-service portal for password resets and other common account operations.
  • Use secure secret management software such as HashiCorp Vault, Square Keywhiz, or Lyft Confidant to simplify access, and automate rotation and auditing of secrets.

 

Authorization

You need rigid security roles for nuclear launch controls, but not everything requires that level of security:

  • Design your permission systems with change in mind. People change roles, roles change scope, systems change as well.
  • Plan for exceptions to the rules and make exceptions a supported workflow. Sometimes it really is better to encourage asking for forgiveness instead of asking for permission.
  • Support role-based access beyond strict organizational hierarchies.

 

Accounting

Traditional audits are ineffective in a fast-paced company.

  • Small, timely, contextual audits are much more useful than long infrequent ones.
  • Audits must be timely. We’ve found daily or weekly to be a good cadence. If you can't remember what you had for breakfast that day, you probably won't remember why you connected to a random server that day.
  • Context is really important in understanding the implications of a given action. Involve the owners and maintainers of the system being audited.
  • Watch for trends and points of friction. If users are frequently making exceptions to rules, what are their reasons? Are they just being lazy? Are they up to no good? Or is it part of their job requirements? If it's the latter, it probably shouldn't be an exception anymore. Adjust your permissions to match the needs of your users.
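
The sketch below is an added example, not HubSpot's tooling. It shows one way to turn the points above into a daily audit: group each day's access exceptions by the team that owns the system, and flag user/system pairs whose exceptions recur often enough that they should become a standing permission. The event fields, the ownership map and the three-day threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of access-exception events: (day, user, system, stated reason).
EVENTS = [
    (date(2024, 3, 4), "alice", "billing-db", "debug failed invoice job"),
    (date(2024, 3, 5), "alice", "billing-db", "debug failed invoice job"),
    (date(2024, 3, 6), "alice", "billing-db", "re-run invoice export"),
    (date(2024, 3, 6), "bob", "edge-proxy", "rotate expired certificate"),
    (date(2024, 3, 7), "alice", "billing-db", "re-run invoice export"),
    (date(2024, 3, 7), "carol", "billing-db", "customer refund lookup"),
    (date(2024, 3, 7), "bob", "scratch-vm", "no reason given"),
]

# Hypothetical ownership map: which team reviews exceptions for which system.
OWNERS = {"billing-db": "payments-team", "edge-proxy": "infra-team"}


def daily_digest(events, day, owners=OWNERS):
    """Group one day's exceptions by owning team so the people with context review them."""
    digest = defaultdict(list)
    for d, user, system, reason in events:
        if d == day:
            # Systems with no recorded owner are surfaced, not silently dropped.
            digest[owners.get(system, "unowned")].append((user, system, reason))
    return dict(digest)


def recurring_exceptions(events, start, end, min_days=3):
    """Return (user, system) pairs that needed an exception on at least
    min_days distinct days in [start, end]: candidates for a standing permission."""
    days_seen = defaultdict(set)
    for d, user, system, _reason in events:
        if start <= d <= end:
            days_seen[(user, system)].add(d)
    return sorted(pair for pair, days in days_seen.items() if len(days) >= min_days)


if __name__ == "__main__":
    for team, items in daily_digest(EVENTS, date(2024, 3, 7)).items():
        print(f"To {team}:")
        for user, system, reason in items:
            print(f"  {user} used an exception on {system}: {reason}")
    print("Review as standing permissions:",
          recurring_exceptions(EVENTS, date(2024, 3, 4), date(2024, 3, 8)))
```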


We've created a ton of automation to fit our needs around authentication, authorization, and accounting. Just like the rest of our product, we regularly evaluate how well things are working, gather feedback from users, and make changes where appropriate. If you work in development, I challenge you to look for points of friction in your security and find a way to make it better. Solving for both security and usability is a hard problem. We haven't found the perfect balance yet, but we're certainly working on it.

Written by Kenneth Breeman

Kenneth is a Technical Lead at HubSpot.
