Compliance, The Ultimate Convenience…

by Jaclyn Sanchez, CTA & CUGC Women In Tech Mentor

A positive user experience and a successful information security program are not at odds; building both at once is a good team-building exercise. Keep the user experience simple by following the three T's of Technology: Teamwork, Training and Testing.

Teamwork – A good working relationship between your end users and your technology operations team is key to success. Building that relationship with end users helps in every aspect of what you are trying to accomplish. Knowing your teammates' roles and their daily processes lets you identify where the real risks are and gives you insight into the user experience.

Training – Training reduces risk, and the cybersecurity education program should be integrated into every training you run. Whether it is an annual refresher, onboarding or a monthly lunch and learn, information security needs a seat, a slide deck and a course at those sessions. The human factor remains one of the biggest risks to an organization, and frequent, consistent training of staff is one of the most effective ways to reduce it.

Testing – Familiarity with the application and the product before launch is essential for success. A well-structured testing program that includes sample users from every department and role, combined with a deep understanding of the product, sets everyone up for victory. A diverse group of end users will surface potential impacts across all departments. Understanding the new technology, how it interacts with existing applications, and the details of how one change can affect another will help you identify barriers to the end user's workflow and experience before they reach production.

The three T's in the real world – an example from my experience: The three T's helped us identify a security policy that had negatively impacted the user experience. After we deployed an enhanced security workflow, the health operations team raised concerns about the inconvenience of complying with the new steps. The IT team's mantra of "Compliance Over Convenience" was not understood by the operations team. We needed to fix that.

Because of the quick transition to a remote workforce, we needed to roll out a process for users to access the environment securely offsite. We put our newly migrated O365 tenant and our Citrix environment behind Okta for secure remote access. The users quickly adjusted and accepted the changes, since we all shared the feeling that we had no choice but to adjust. The change was made, and we were able to keep working. As the remote workforce became a more permanent arrangement, it was time to review and optimize the user experience. Things slowed down enough for conversations, ticket reviews and brainstorming sessions. We found that inside the Citrix desktop, when users opened the desktop Office applications, each app prompted them to authenticate and sometimes to re-activate their Office account. Some users were authenticating 4-8 times per session.

After some research, we implemented Okta Agentless Desktop Single Sign-on (DSSO) and O365 silent activation, scoped only to the Citrix desktop, to improve the user experience. Agentless DSSO lets Okta accept the Kerberos ticket from the user's already-authenticated domain session instead of prompting again, so the user still passes through Okta to reach the Citrix desktop; the repeated per-app prompts inside that desktop are what went away, not the authentication itself. Because this was technology we already owned and had deployed, educating myself on its advanced features and on how the pieces could work together was essential. This has been a big win for the team. Keeping the security controls in place while improving the user experience was vital! So yes, compliance can trump convenience, but when it comes to your best defense against risk, it is ideal to find a solution that delivers both. By applying the three T's, we were able to show the operations team that compliance is the convenient path.

References

Putting your Citrix Cloud behind Okta
https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/okta-identity.html

Okta Agentless Desktop Single Sign-on (DSSO)
https://help.okta.com/en/prod/Content/Topics/Directory/Configuring_Agentless_SSO.htm

Okta Office 365 silent activation
https://help.okta.com/en/prod/Content/Topics/Apps/Apps_O365_Silent_Activation_Before_2019_09.htm

If you have any questions about location/network-based MFA, delegated authentication, or anything else I touched on in this post, please do not hesitate to DM me. 😊
