Today I will share my experience working with two different organizations on security. One organization is an international development organization based in Africa. The other organization is a startup incubator here in the US. What is the common thread here? Choosing your apps (applications). More accurately, managing how users choose their apps. And how app choice influences security capabilities. Hence, you choose your security when you (or your users) choose their apps.
File Transfer, Anyone?
I am working on an information risk assessment for our African customer. We asked business units to share what tools they use to process different kinds of information. One business unit responded that they use WeTransfer to share some files with partners.
WeTransfer is a file-sharing service based in Europe. It offers free and paid plans. I recalled my time working for YouSendIt, another file-sharing startup that was eventually acquired. We also offered free and paid plans. You could choose your security with one of the paid plans.
My Computer, My Apps
Our startup customer is at that stage where engineering is the key activity. The startup is hiring really bright (the superlative is justified here) people to build potentially game-changing services. Some of these engineers are using their own computers, with their own chosen apps. Mostly, this was due to people being hired before we had set up a process to supply company-standard computers. A few engineers liked the way they had built their machines and wanted to continue using them.
Hardware has not been the concern here. Each of these engineers has become accustomed to using specific apps for design, project management, collaboration, and the like. In some cases, these apps are free to the user. “Choose your security?” “I am building stuff! Ask me about security later.”
User Choice and Unintended Consequences
Companies have offered free and paid subscription plans for a long time. Doing this is called a “freemium” strategy. Marketers and sales folks argue about whether “freemium” is about upselling customers or acquiring customers. I do not really care.
Here is what does matter to me.
- The “free” version of the app is designed to get the user up and running as quickly as possible. As in minutes. And with no IT support or involvement. Anything that might slow the user down, security controls included, is left out of the product. With the free version of the app, there is no “choose your security” option.
- Companies see security features as a value-add they can put into paid versions of their products. Organizations care about security. Users… not so much. And organizations are willing to pay for what they want. Hence, security features are bundled into paid subscriptions, along with the tenant management and administrative features (an admin console, audit logs, the ability to offboard a user) that make no sense when one person uses the app alone. If you are willing to pay, you can choose your security.
What does this mean for you? It means that users, through their choice of apps to use, may have painted the organization into a corner when it comes to security. Did you choose your security? Or did users choose it for you?
Choose Your Security by Choosing the Apps
There is a way out of this challenge. Here are some tactics.
- Offer (or insist on) an upgrade to the paid version of the app. Box, Dropbox, Google Drive, Asana, OneDrive… All these apps have “business” or “enterprise” versions that offer the security and administrative controls the free tiers leave out. Tell users they can continue using the apps they have come to love. They just need to move to the paid plan, under a tenant the organization administers. An engineer paying for a personal plan is still outside your control. Make it easy for them to say “yes.”
- Set up telemetry to tell you what apps are in use. Since nobody came and asked, “can I use this app?” you do not have insight into what apps people are using. Sign-in logs from your identity provider’s conditional access, together with firewall and proxy logs, can tell you who is using what and how often. Once you know what apps are in use, you can craft a plan to migrate some apps to a paid plan and eliminate other apps altogether.
- Create conditional access policies to manage use of selected apps. Start with a step-up re-authentication. Then send a warning message. Once you are past the “warning” stage, block the app. The point is, you get to choose your security here.
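The discovery and policy tactics above, turned into a small worked example. This is added here and is not code from the original post or from any vendor’s product: it parses constructed proxy-style log lines (timestamp, user, destination host), maps hosts to app names with an assumed domain list, builds a per-app inventory of distinct users and hit counts, and applies a made-up policy tier per app to produce one of the escalation outcomes (allow, reauth, warn, block). The log format, the domain-to-app table and the policy tiers are all assumptions for illustration.

```python
"""App discovery plus policy decisions from log telemetry.

Added example, not from the original post. Every log line, domain
mapping and policy tier below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample log lines: "<timestamp> <user> CONNECT <dest_host>".
SAMPLE_LOG = """\
2024-03-01T09:12:01Z alice CONNECT wetransfer.com
2024-03-01T09:15:44Z bob CONNECT app.asana.com
2024-03-01T09:20:10Z alice CONNECT dropbox.com
2024-03-01T10:02:33Z carol CONNECT wetransfer.com
2024-03-01T10:05:12Z dave CONNECT drive.google.com
2024-03-01T11:41:09Z bob CONNECT wetransfer.com
2024-03-01T12:00:00Z alice CONNECT wetransfer.com
2024-03-01T12:30:00Z erin CONNECT paste.example
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+CONNECT\s+(\S+)$")

# Assumed domain-to-app mapping; suffix match so subdomains are counted.
APP_DOMAINS = {
    "wetransfer.com": "WeTransfer",
    "dropbox.com": "Dropbox",
    "asana.com": "Asana",
    "drive.google.com": "Google Drive",
}

# Assumed policy tiers, per app:
#   "managed": the org administers a paid tenant -> allow
#   "migrate": a paid tier exists but users are still on free accounts
#              -> force re-authentication through the org identity provider
#   anything else / unknown app -> warn, or block once enforcement is on
POLICY = {
    "Dropbox": "managed",
    "Google Drive": "managed",
    "Asana": "migrate",
    "WeTransfer": "migrate",
}


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    hits: int = 0


def parse_log(text):
    """Parse log lines into (timestamp, user, host) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def identify_app(host):
    """Map a destination host to a known app, or 'unknown:<host>'."""
    host = host.lower().rstrip(".")
    for domain, app in APP_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return app
    return "unknown:" + host


def build_inventory(records):
    """Aggregate distinct users and hit counts per app."""
    inventory = defaultdict(AppUsage)
    for _ts, user, host in records:
        usage = inventory[identify_app(host)]
        usage.users.add(user)
        usage.hits += 1
    return dict(inventory)


def decide(app, enforce_blocking=False):
    """Return the conditional-access outcome for an app under POLICY."""
    tier = POLICY.get(app, "unsanctioned")
    if tier == "managed":
        return "allow"
    if tier == "migrate":
        return "reauth"
    return "block" if enforce_blocking else "warn"


def report(text, enforce_blocking=False):
    """Inventory rows sorted by user count, then hits, with a decision each."""
    inventory = build_inventory(parse_log(text))
    rows = [
        {"app": app, "users": len(u.users), "hits": u.hits,
         "decision": decide(app, enforce_blocking)}
        for app, u in inventory.items()
    ]
    rows.sort(key=lambda r: (-r["users"], -r["hits"], r["app"]))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(f"{row['app']:<22} users={row['users']} hits={row['hits']} -> {row['decision']}")
```

The sort puts the apps with the widest footprint first, which is the order in which a migration plan should tackle them; the `enforce_blocking` flag is the switch from the warning stage to the blocking stage for apps that have no acceptable paid tier.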
Users want to do the right thing. They also gravitate to the apps they already know. Help them help you choose your security. Educate them. Provide secure tools to replace the apps that are insecure. Automate app discovery and policy decisions. Be confident that it is you who has the power to choose your security.