On a recent podcast episode of the Security Table, the gang and I discussed the LastPass breach and the impact of security products as utilities. We spent time unpacking the concept of a security utility.
A security utility is like a municipal utility, say, your water service. You have expectations of your water service. You expect that water is available on the line as long as you regularly pay your bill. When you lift the faucet or turn on the washing machine, you expect water to come out. A security utility is much the same — a security service that you rely upon to enhance your security stance and one that you expect to always work. You can also think of it as a product or service that, if it fails, results in the breakdown of your approach to securing your digital footprints.
This discussion caused me to think deeper about the expectations of a security utility. It came down to three primary categories:
- Secure by default and in every situation.
  - When purchasing a security utility, expect that its creators have thought about security from every angle and in every situation. In the example of a password manager, expect that passwords will be securely stored in the cloud so that only the owner can access them, secured in such a way that even the provider cannot access the passwords.
- Simple to install/administer.
  - A security utility should be simple. Of course, simple is always more secure than complex, but in this case, with a security utility, end-users don’t want to spend time “figuring the service out.” This leads to the final category.
- Always works without any thought.
  - A security utility should always work. Consumers don’t want to think about how a security product or service will work; they expect it will always work. That is the beauty of the solution — you don’t have to think about it; it is always there, always protecting you.
All of this to say, I had a personal experience where utility, and to some degree security utility, came into play. I built my home Wifi network using Ubiquiti gear a few years ago. I had a Wireless Controller, six access points distributed around the property, and a PoE switch that fed the access points. What I also had was a significant amount of complexity. I added a 48-port PoE switch to work in additional wired connections, which broke the setup. The network was down a few times over a month, and I spent hours troubleshooting a phantom problem where devices would appear and disappear. When they disappeared, they stopped functioning but would reappear minutes later as if nothing had happened.
I decided to adopt a utility approach, and I ripped out all this complex gear and replaced it with a mesh Wifi solution. Instead of multiple layers of network and security devices, my Wifi is now the gateway to my home network. I now have a solution that is secure by default, simple to work with, and always works, with no troubleshooting by me.
As folks who build products embrace the idea of a security utility, anything you build should strive to become one: easy to use by those who gain value from it, with minimum effort required to make it all work.