Trust Center Part 2: Trust Bar – Eliminating Unnecessary Trust Decisions

Today we have the second guest post from Sam Radakovitz, Excel Program Manager. Sam is writing about the Trust Center, a new feature for Office 2007.

Prior to Office 2007, the Office security model had solid success in helping combat things like macro viruses, but that came at a price for legitimate macros and for customers who didn’t care about macros at all.

To even open a document you first had to “get past” a prompt something like the following:


As mentioned, the customer needs to “answer” this question before moving on to do any work. Let’s explore this for a moment from the point of view of the principles outlined in the previous blog post. It’s certainly secure by default: the code is not enabled, and indeed the only option at first glance seems to be “Disable Macros”. It is, however, asking the user a question, and it provides some reasonable details – the file name, the fact that the macro is signed by Microsoft, etc. And after parsing the text we can figure out that by trusting the publisher we can enable the macros (and, by extension, the solution flexibility of not being prompted again for macros from this publisher kicks in).

However, the prompt fails on the principle of keeping the customer productive. In short, the user is sitting in Word with no context about the file, which might give a clue to the important question of “do I really need to enable the macros to do what I set out to do?” Worse, the user cannot progress until they make a decision, and they must make this decision every time the file is opened. Many customers, faced with this question repeatedly, set their macro security settings to Medium or even Low, exposing themselves to greater risk just to avoid the prompt.

Let’s compare this to the Office 2007 experience. Looking at the screenshot below, the document is opened immediately, and the user is looking at the workbook. We can read the text of the document and work with it. Instead of the prompt, near the top of the document there’s a notification – the ‘Trust Bar’ – indicating that macros have been disabled and allowing the customer to re-enable them if that’s desirable.


The customer no longer has a message to answer; they are sitting in the document ready to work. They can read the text and interact with the document, and the Trust Bar notification is there, allowing them to revisit the secure default decision if they need to run the code.

The biggest change is in productivity – the customer’s expectations are met, the document opens and they can continue with their work.  Office quietly enforces a reasonable default security setting and the user has the flexibility to revisit that decision later, when as part of their more normal flow of work they may notice a document or solution isn’t working as expected. In many common cases they may never need to interact with the security issue, getting the planned work done without having to make a decision in order to just get the document open.

This experience applies to other common security situations too, including ActiveX controls, application add-ins and extensions etc. where dealing with the security notification is clearly not part of the primary task. Where data integrity requires that the user address a security issue we will still use a modal dialog to ensure the user gets the outcome they want from Office, but in the most common cases Office 12 will just stay out of the way.

The next screen shot below shows what you will see when clicking on “Enable Content” in the Trust Bar. Again the path to the relevant file is there, as is the signature evidence, but note that there’s a little more detail about the signature in the notification as well as some discrete options to just enable the macros or always trust the publisher and have the code run without being blocked in future.


One further issue that has caused confusion for Office customers in the past is that, in an attempt to bolt on security after a feature or behavior has proven to include some security threat or risk, engineers have tended to overload an existing security model. A good example is again the VBA Macros case, where in the past Office has ‘overloaded’ the VBA macro security model to cover items like Com+ Add-ins, Application add-ins (extensions), even things like updating document data. This, combined with the notion that some “installed” extensions and templates are automatically trusted, has made “why” some documents or solutions prompt and others don’t difficult for customers to grasp.

In Office 2007 we have broken down the security models to have very discrete behavior; there are separate settings for VBA Macros, ActiveX controls, Application extensions (like Com+ Add-ins etc.) and Trusted Locations for solution documents. The goal here is that if the user has to make a decision, it’s more transparent what that decision is about.

This clarity, combined with being able to review and examine all security decisions associated with the document together in the Trust Bar, allows the user to make a more informed and holistic decision about the trustworthiness of the document, rather than be bullied into it one prompt at a time.

Finally, it’s worth noting that while Office 2007 will greatly reduce the number of security prompts, it would be unrealistic to expect that all prompts will be removed.  For technical and indeed usability reasons Office may still ask for a security decision, but this will most likely be in the context of using some feature or extension rather than simply opening a document.