In the end, user acceptance is the real test
- By William Jackson
- Sep 10, 2008
Maintaining security in increasingly complex networking environments requires working with users, not against them, said David O'Berry, director of information technology systems at South Carolina's Department of Probation, Parole and Pardon Services.
"We have to remember that our front-facing stuff matters more than anything," he said.
At the least, a new solution should not add to the user's burden. At best, it should make life easier, which is what single sign-on does. The key is doing the social engineering first.
"Make sure you know what your business needs are upfront" so that the products you buy meet those needs, O'Berry said. "Make sure you're not buying a horse when you need a cow." Get management's buy-in for the program and bring everybody to the table to explain the need for the change and its benefits, he said.
No matter how well conceived, change brings some discomfort, and that should be anticipated. When the probation department adopted a single sign-on product from Imprivata, it also wanted to implement strong authentication that used fingerprint readers so security would not be compromised by removing passwords from the log-in equation. That was not a technical problem, but fingerprint authentication was an additional step that would not be popular with many users.
So the department implemented single sign-on first to give the users a taste of the benefits and added fingerprint authentication later.
"Once it's properly implemented, it sells itself," O'Berry said. "But they have to be rewarded."
William Jackson is a senior writer of GCN and the author of the CyberEye blog.