Trust Center Part 1: Principles

Guest writer: Sam Radakovitz.  Over the next several posts, Sam Radakovitz, one of the members of the Excel Program Management team, is going to explain a new feature in Office 2007 called the “Trust Center”.  While Sam will be discussing the Trust Center in the context of Excel, it is a feature that has been implemented across Office (Word, Access, PowerPoint, etc.), so you can apply much of what Sam has written about there as well.  Enjoy.

Security means different things to different people, and even that meaning will vary depending on the circumstances.  For the next few posts, I’d like to spend some time explaining the work we’ve done in Office 2007 to enhance and improve the experience with security.  Let’s start with a quick look at the features we built and why.

To help you understand this post as well as future posts, let me give a quick introduction to all the new pieces.  I’ll go into greater detail on each of these in future posts.

Message bar – you can think of this as the replacement for the ‘macro security’ prompt you get when opening a document.  It is a modeless bar that sits under the ribbon and informs you that some of the functionality in the document has been blocked.

Trust Center – a central location for all the security settings.  This is accessible from the Trust Center button on the message bar or from Excel Options on the file menu.

Trusted locations – in 2007 you can define a set of locations where you can place documents that are considered trusted.  Any document opened from a trusted location is considered “safe”, so things like macros will run and external data connections will work without your having to answer more security questions.

Data Connections – we integrated all types of external data connections into the new security model.

So why did we so radically change the user experience for security?  How did we come up with these features?  Well, we based our work on a series of principles that we adapted from what we learned about our users.

For Office 2007 we went through a process we (and maybe others) call “threat modeling”, where we sit down and go through all of our features to understand the security risks associated with each. Threat modeling is composed of three high-level steps: understanding the adversary’s view, characterizing the security of the system, and determining threats.  This helps us understand the risks in our features and lets us account for them in the design phase, which gives us the opportunity to make many features secure without an overt security model, or, where a security model is needed, to make it much less intrusive.

Additionally, we saw an opportunity to dramatically simplify and improve the consistency of the trust decisions that we ask customers to make across the Office System. This led to a comprehensive rethinking of the Office Security Model in Office 2007. The overall changes were guided by a few basic principles:

  • Secure by default
  • Avoid asking questions
  • Staying productive
  • Flexibility

Secure by default. The primary principle of the security model remains unchanged: keep the customer safe from attack.

The drive behind this principle is that security is paramount. This is often a difficult choice for a team when they realize that a useful feature also has significant abuse possibilities. Rather than having the feature ‘just work’, they have to consider how to disable or change the default behavior of the feature to protect the customer first, with the functionality second.

Some of the work we did that reflects this principle:

  • Message Bar – the document you are opening opens securely, with no security decision to answer first.
  • Trusted locations – by designating a trusted location you can lower security settings for the documents you trust while still being secure by default on documents from other places.
  • Threat modeling – each feature has been reviewed for security issues when designed, allowing us to work security into the design of the feature instead of adding it on later.

Avoid asking the customer questions they may not be equipped to answer; that is what keeps them secure.

In many situations, given the complexity of the threat, the technology involved, and the poor timing of the question, customers could struggle to make an appropriate decision. This leads to customers suffering from “message fatigue”, where they simply ignore the prompt and click whatever button makes it go away. The result is that not only is our security model now worthless and the customer at risk, but they are being interrupted and frustrated as well!

The goal of this principle is twofold. First, to reduce the number and frequency of questions where possible and find another way to protect the customer; and second, if you must ask a question, to provide the customer with all the details possible to help them make a good decision. That second point also encompasses trying to ask the question in a context that is more intuitive to the customer.

Some of the work we did that reflects this principle:

  • Message bar – with the ‘macro’ prompting suppressed on open, you can open the document and start to work with it without needing to make a security decision beforehand.  This also leads to fewer prompts overall, so when you do get a security prompt it is more meaningful.
  • Security Prompts – because we show fewer prompts, when we do display a security prompt it is more meaningful.  We also make the security prompts more distinguishable from a standard prompt and try to include more relevant information in the prompt when possible to help you make the security decision.

Keep the customer productive; don’t require an answer from the customer before they can get work done.

This principle flows from the previous one of reducing the number of questions you ask the customer as part of your security model. We want to make sure that the customer is interrupted only when such an interruption is really necessary for the customer to keep working securely.

A key driver behind this principle is the unfortunate tendency of feature owners, having accepted the need for a security model for their feature, to gravitate to a ‘get the risk accepted and the feature back working normally’ approach to integrating security into the feature. Thus they will interrupt the customer at the first opportunity, resulting in a potential flurry of prompts that get in the way of getting your work done. The goal of this principle is to push the team to instead look holistically at the customer’s task and goals and verify that their feature is the most common goal and worth resolving the risk immediately.

Some of the work we did that reflects this principle:

  • Message bar – no prompting on load means you can load into the document and start using it securely.
  • Threat modeling – each feature has been reviewed for security issues when designed, and catching these issues early allows us to account for them in the design instead of adding ‘prompting’ security later on.

Provide more flexibility for “solutions” which are commonly used.

The final principle addresses the fact that in most cases the security model will need to be customized. While we spend a lot of time analyzing the threats and engineering a flexible and smart security model, there will be cases where legitimate content that the customer needs to use will be blocked by default and trigger questions for the customer. To meet the previous three principles, it’s therefore important to have a flexible set of options for the valid exceptions.

Some of the work we did that reflects this principle:

  • Trusted locations – being able to distinguish between safe documents and unsafe documents is a huge factor in keeping your default security settings secure rather than lowering them to accommodate your everyday work.
  • Trust Center – granular security options that are explicitly labeled allow for a lot of flexibility in what gets blocked and how it gets blocked.

The security features of Office 2007 are most visible by their invisibility – customers are provided with a secure environment by default and are allowed to get on with their work with a minimum of disruption.  In the upcoming posts, I’ll dive deeper into the new features, including:

  • Trust Center – one stop shop for your security options.
  • Trusted Locations – places to store documents you deem safe.
  • Message Bar – replacement for the macro security dialog.
  • Data Connections – how it fits into the new security model.