UAC: the hero of silent security?

There has been a lot of comment since Microsoft stated at RSA that it set out to make User Access Control (UAC) ‘annoying’. There seems to be a general consensus that they achieved their goal.

UAC is an interesting approach. At its very heart, it uses the metaphor of asking a user to make a decision to allow an application to run. On the face of it, you would think there is nothing wrong in that: or would you? We have seen a veritable avalanche of attacks that are all predicated on getting a user to ‘click’ on something. So, people view UAC as irritating and not effective given today’s threat landscape.

Users I talk to, on the whole, tell me one of two things in relation to how they want to interact with security programs: “can you keep that security stuff out of my face” and/or “you are the expert - you solve it for me”. Now, if you line up UAC against these criteria, you can see how it scores well in the ‘annoy’ category.

If I were to take a slightly contrary view, what UAC has helped bring focus to is the latent desire from users for smarter and more silent security products. In going after this request from users (and at Symantec, this is very much the philosophy and direction we are following with the Norton products), we can also help the ongoing battle to reduce the attack surface. So, perversely, the current and new generation of smart, silent security products have much to thank UAC for.
