Honest Security: One Year Later

Jason Meller
December 8th, 2021

On December 8th, 2020, we published our guide. Now, exactly one year later, I thought it would be nice to reflect on everything we’ve learned since publishing the guide, how other organizations have reacted to it, and finally, our vision for the future.

As part of this one-year commemoration, I sat down with the fine folks who host the MacAdmins Podcast. This time, it wasn’t just me; Harlie Hardage, a Senior Security Specialist at 1Password, joined me after leading the Kolide roll-out in their organization last year. On the podcast, she discusses 1Password’s approach to building a robust internal security culture in a rapidly growing team and the tools they’ve looked into that have been compatible (and incompatible) with that approach.

1Password is one of the many companies that joined us last year and a terrific example of an organization growing rapidly while trying to maintain a culture that celebrates user-empowered security.

The show really turned out great, and I learned a few things by listening to Harlie talk about her experiences. Give it a listen!

What Is Honest Security?

If you missed it last year, Honest Security is one part guide and another part manifesto that defines a user-first approach to security and IT compliance. It’s not just Kolide’s north star but also an aspirational roadmap. It’s our positive contribution to counterbalance the worrying upward trend of human-hostile cyber security, device management, and workplace surveillance philosophies that we’ve seen reach a fever pitch as organizations adapt to the long-term term prospects of remote work.

While the entire document is a great read, we distilled down the philosophy to five simple tenets that, a year later, we still stand behind.

An information graphic that lists the 5 tenets of honest security. They are: 1. The values your organization stands behind should be well-represented in your security program. 2.A positive working relationship between the end-user and the security team is incredibly valuable and worth fostering. 3. This relationship is built on a foundation of trust that is demonstrated through informed consent and transparency. 4. The security team should anticipate and expect that end-users use their company owned devices for personal activities and design their detection capabilities with this in mind. 5. End-users are capable of making rational and informed decisions about security risks when educated and honestly motivated.

What Have We Learned in a Year?

My hope for Honest Security was to identify a population that yearned for a more humanistic approach to IT device management and cyber security. I wasn’t prepared for the sheer avalanche of positive reactions from companies and leaders that we admire. Publishing Honest Security fundamentally changed the trajectory of our business at Kolide, and the outsized response was evidence of a community of IT professionals who longed for tools and philosophies that do not alienate their team from the users that they earnestly wish to support.

Thanks to this influx of growth, we’ve had an opportunity to evolve our understanding of Honest Security as we’ve enabled its adoption at hundreds of new organizations.

While we plan to update our Honest Security guide in 2022, we wanted to share here on the anniversary some of the key insights we learned from putting Honest Security into practice.

The Importance of Radical Transparency

In the Honest Security guide, we discuss how important it is to collect ground truth with honesty and transparency. To us, transparency means end-users can independently understand how their underlying system works without needing to ask a human being or being a technology expert.

In the guide, we use Kolide’s Privacy Center as an example of what an ideal experience might look like. Since then, we’ve completely overhauled it based on the feedback we’ve received directly from end-users from hundreds of customers. Here’s a quick video that explains this overhaul.

Some additional improvements included:

  1. Allowing our customers to create content in the Privacy Center to augment what Kolide provides directly

  2. Creating a new frictionless secure sign-in system, so users do not have to negotiate with a confusing sign-in screen to access the Privacy Center

  3. Creating some of the most detailed and end-user accessible documentation about every piece of information Kolide may collect on a device (even devices you may not have enrolled yet)

A screenshot from the Kolide Privacy Center showing the 1Password Check description and the data collected

An example of the detail we provide for a single check Kolide runs on the device. This information is accessible to all end-users before they enroll a device.

The Importance of Balancing Data Collection Drawbacks With Benefits

We learned that when our customers achieve transparency, they need the tools to address the inevitable questions and concerns that can come up. For example, Kolide collects data about a device’s browser extensions by default. Perhaps after learning this, end-users may not feel comfortable sharing that information, and upon reflection, the IT team may also agree that the benefits provided by data collection do not outweigh the privacy concerns. To ensure Kolide collects the exact amount of data to empower each organization’s specific objectives, we had to build an experience that allows you to turn off certain types of data collection in Kolide and clearly explains the tradeoffs of doing so.

A screenshot of Kolide showing a modal dialog which explains the effects of disabling the chrome extension property collection in the product

Each piece of data Kolide collects from a device is mapped to the benefits it provides, allowing admins to make informed decisions about which data is prudent to collect.

While the screen above is simple to read and understand, it requires us to extensively map every piece of information Kolide is capable of collecting with the precise benefits it affords. This process ensures that each piece of information we collect in the platform going forward is part of a robust discussion which acknowledges the tradeoffs between privacy and security and ultimately puts the final decision in the hands of our customers.

What Informed Consent Looks Like Post-Install

In the Honest Security guide, we talk about informed consent through the eyes of our Slack-based onboarding process. This is a process where end-users actually install Kolide’s endpoint agent after they have an opportunity to understand what Kolide does and what data it collects.

However, when we designed our Lost Mode feature, we leveled up our understanding of what a continuous informed consent process looks like and built it in as a process we will use for all extremely sensitive device actions. In my Building Honest Software talk at RubyConf this year, I break down the anatomy of what proper informed consent looks like in software that practices honesty as a core tenet.

See Slides 28, 29, and 30

This UX breakthrough has let us continue to deliver high-value features without compromising our commitments to transparency and privacy. We plan to leverage this overall workflow for more features that require sensitive data and share our improvements to this consent-based process.

What Is Next For Honest Security & Kolide

There is one section of the Honest Security guide that Kolide still has yet to reach. It’s called Generating Predictable Consequences. In this section, we acknowledge and discuss the realities of relying on fallible human beings to ensure the ongoing security compliance of their devices. We ultimately recommend creating proportionate and predictable consequences to devices not meeting a minimum standard.

This concept of gating access based on a device’s security state is not new. Zero-Trust and Beyond Corp are similar methodologies that enable this exact use case. That said, the existing tools lack two things: an emphasis on user education and a much more nuanced and progressive approach to eventually arriving at effective consequences (like access revocation). Many of these solutions work silently in the background, removing end-users from critical resources with little to no warning, and without any paths to self-resolve the problem without opening a support ticket.

Some of our most technical customers have stunned us with their homegrown efforts to build this nuanced approach on our existing API. One has even open-sourced their efforts. As soon as these efforts rolled out, Kolide instantly became an essential piece of their endpoint visibility and access control story.

With that said, we believe this shouldn’t be something each one of our customers has to build themselves. If there is a singular focus for our product in 2022, it’s releasing a thoughtful and nuanced way to approach this final piece of the Honest Security Guide that doesn’t require programming knowledge or a specific stack of SSO or VPN providers.

A mock-up of a zero-trust Kolide feature that demonstrates blocking access to Github because the end-user has several unencrypted SSH keys. The screen directs the user to fix the issues before they can proceed to Github

An example of what we envision as a proportionate consequence for not securing your SSH keys.

As with everything we do with Honest Security, we expect to tread new ground and learn a lot about how to implement truly predictable and proportion consequences. Once we collect these thoughts, expect a robust and comprehensive update to our Honest Security guide.

Thank you everyone for such an incredible year and for your support of our Honest Security mission. We can’t wait to see how this community and movement evolve in 2022.

Additional Reading/Listening

Share this story:

More articles you
might enjoy:

Introducing 1Password® Extended Access Management With Kolide
Jason Meller
1Password Acquires Kolide
Jason Meller
How Commonlit Balances Student Security and Employee Privacy
Watch a Demo
Watch a Demo