In line with a recent Security Art Work post, it is quite easy to come to the conclusion that corporate security makes no sense without user awareness and policy fostering.
Corporate security policies, where they exist, are often a pipe dream: almost all employees are aware of them, only a few know some of them in detail, and only a handful bother to apply them properly.
However, these policies are the key for companies to protect important assets, even more so since the adoption of trends like BYOD (Bring Your Own Device) or COPE (Company Owned, Personally Enabled), where company data flows across mobile devices and personal and professional use get mixed.
If we could wish for a system to foster our corporate security policies, our wish list would look like this:
- A system that builds awareness of corporate security policies, rather than relying on employees reading the policy document. Additionally, it would be really good if it could provide “learn as you go” mechanisms, with recommendations on how to proceed in each situation.
- Make it multi-device and multi-platform (across operating systems), so that it can be used on a wide range of smartphones and tablets, as well as on our laptops.
- A framework that performs a risk analysis of each situation, in order to choose the best action from a security point of view, taking into account both risks and opportunities.
- A user-centric platform that operates without unnecessary interruptions. Ideally, we would barely notice its existence, only receiving recommendations in those situations where there is a high risk to specific company assets.
That said, as users of the system, we would still miss something very important:
- What about our privacy?
- What kind of interactions would this system monitor?
- Is our personal information safe?
Therefore, the final wish is that it would only collect the necessary data to ensure policy compliance, without storing personal information.
Let’s take an example to make it clearer: if the security policy states that a blacklisted application must not be installed, the system should monitor only whether that specific application is installed on the device, discarding information about the other installed applications.
As for the information that the CSO (Chief of Security Operations) would receive, personal data would be encrypted. Only the action that jeopardizes company information should be recorded, not who came close to violating a corporate policy.
Hence, the goal is not a system that polices users and threatens punishment, but one that automates that control through recommendations. These recommendations are meant to reflect the evolution of corporate culture (security awareness), so that knowledge of corporate policies is acquired gradually and progressively. In my opinion, this is much more bearable than reading an extensive document, with one more advantage: documented policies are sometimes hard to relate to our daily tasks.
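The blacklisted-application example above, as an added illustration that is not MUSES project code: the agent sees the full inventory of installed applications, but the event sent to the CSO console carries only the matching application, a keyed pseudonym instead of the device identity, and a recommendation. Package names, the device identifier and the pseudonymisation key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data (hypothetical package names, not real IoCs).
BLACKLIST = {"com.example.filesharer", "com.example.sidelogger"}
DEVICE_INVENTORY = [  # everything the agent can see on the device
    "com.example.mail", "com.example.filesharer", "com.example.notes",
]
DEVICE_ID = "device-42"                     # assumed raw identifier
PSEUDONYM_KEY = b"server-side secret"       # assumed: held by the backend, not by the CSO console


def pseudonymise(device_id: str, key: bytes) -> str:
    """Keyed hash: the CSO sees a stable token, not the device or user identity.

    Without the key the token cannot be reversed or brute-forced from a list of IDs.
    """
    return hmac.new(key, device_id.encode(), hashlib.sha256).hexdigest()[:16]


def compliance_events(inventory, blacklist, device_id, key, policy_id="no-blacklisted-apps"):
    """Emit one event per blacklisted app that is present; report nothing else.

    Applications that are not blacklisted are never copied into the output,
    so the report is minimal by construction rather than filtered afterwards.
    """
    events = []
    for app in inventory:
        if app in blacklist:
            events.append({
                "policy": policy_id,
                "violation": app,
                "device": pseudonymise(device_id, key),
                "recommendation": f"Uninstall {app} before accessing company data.",
            })
    return events


def report_json(inventory, blacklist, device_id, key) -> str:
    """Serialise the minimal events exactly as they would leave the device."""
    return json.dumps(compliance_events(inventory, blacklist, device_id, key))


if __name__ == "__main__":
    print(report_json(DEVICE_INVENTORY, BLACKLIST, DEVICE_ID, PSEUDONYM_KEY))
```

The JSON produced contains neither the raw device identifier nor any non-blacklisted application name, which is the property a data-minimising policy check has to guarantee.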
All these wishes, as well as others that will emerge along the way, are the ones we target in the MUSES project, whose motto is “Corporate security with the user at heart”, coordinated by S2 Grupo, with the participation of partners from several European countries (Sweden, Germany, Austria, Switzerland, Belgium, Italy and Spain).
Sharing the project to build an open-source community is one of our main goals, so everybody is welcome to join this open-source experience by taking part in our GitHub project.
Starting with this post, we will report on the project’s development. Meanwhile, please do not forget to follow the project on Twitter (@MUSESproject) and Facebook (MUSES Project).
Success is a journey, not a destination. We will keep you informed along the way.