Designing A Solution For Enterprise-Wide Deployment

Why Some Security Products Thrive and Others Collect Dust

Some security products see rapid adoption across an enterprise, while others sit unused despite their potential value. There are non-technical factors—such as leadership buy-in and user enthusiasm—but technical barriers often determine whether a product succeeds or fails at scale.

This post focuses on the technical qualities that influence enterprise-wide adoption and why certain security tools struggle while others flourish.

3 Requirements For Full-Scale Deployment

Beyond meeting functional requirements, any enterprise security product must excel in three core areas:

  1. Secure

  2. Fast

  3. Easy

Security is non-negotiable. A solution that compromises confidentiality, integrity, or availability will undermine compliance and introduce unnecessary business risk. But security alone isn’t enough—performance and ease of deployment are equally important.

Falling Short of All 3 Tenets: An Example

Security is an obvious requirement for any enterprise product. A lack of security could mean a lack of compliance, which can have serious business consequences. What it means to be secure depends on the system in question, but, generally speaking, you should look to protect the confidentiality, integrity, and availability of the system.

In today’s world, users are accustomed to lightning-fast operations. Whether they are watching a high-definition video on a plane, making an online purchase from a mobile phone, or modifying a shared document online, users demand speed. How fast your solution needs to operate depends on the nature of that solution, but a good rule of thumb is that it shouldn’t be noticeably slower for an end-user than the alternative (i.e., having no solution in place). For a more accurate analysis, consider calculating the cost of delay for your particular situation.

When deploying a product enterprise-wide, it needs to be as easy as possible. Easy has three components to it: ease of deployment, ease of use, and ease of management and maintenance.

Sometimes, ease of deployment can be overlooked if the product provides a lot of value and is very easy to use and manage. But, in general, one should look for products that are easy in all three respects. Without ease of use, your end-users are going to require lots of training and submit lots of help desk tickets, increasing the total cost of ownership of the system. The same is true if a product isn’t easy to manage: it can create technical debt and make the product expensive to use, reducing the potential for a return on investment.

Falling Short of All Three Tenets: The MFA Example

Multi-factor authentication (MFA) is widely recognized as one of the most effective security controls available. Still, adoption across enterprises is inconsistent.

Why?

MFA checks the “secure” box and introduces only a minor impact on performance. The real issue is ease of deployment and ongoing management.

For example:

  • Adding MFA to SSH often requires reconfiguring servers and clients.

  • Integrating MFA into internal applications typically demands development work.

  • Physical tokens add training and administrative overhead.

Only recently—thanks to better SDKs, APIs, and simpler deployment options—has MFA become easier to roll out across large environments, which directly contributed to broader adoption.

This illustrates a key truth: if a product isn’t easy to deploy or maintain, it will struggle to achieve enterprise-wide adoption no matter how secure it is.


Designing For Enterprise-Wide Deployment

The principles of Secure, Fast, & Easy are in Garantir’s DNA and these pillars guide everything we build. The most obvious example of this is in how we designed and built GaraTrust.

Many enterprises lack central access and control over the keys that control the organization’s most critical systems: SSH, code signing, TLS, and more. GaraTrust solves this problem by enabling enterprises to secure and store all cryptographic keys in an HSM, without impeding performance or disrupting existing processes.

Secure

GaraTrust was designed to enable enterprises to store all cryptographic keys in a centrally-managed HSM. As the keys are never exported to clients, the keys remain secured from compromise. Furthermore, since access to the keys is proxied, GaraTrust is able to enforce stricter security controls such as MFA, device authentication, approval workflows, IP address whitelisting, notifications, and more, on a per-user or per-key basis. Additionally, each key’s use can be easily audited from a central location.

Fast

With the keys locked away in a centrally-managed HSM, performance is a primary concern. The biggest performance degradation factors are network bandwidth consumption and HSM connection operations. To reduce the impact of network bandwidth, GaraTrust is designed with a client-side hashing architecture. Additionally, GaraTrust caches the HSM connections (and other connections, such as to the database) server-side, so that the performance impact of establishing connections is kept to a minimum. The result is that signing (and other cryptographic operations) is extremely fast, so fast that it is comparable to signing with locally-stored keys.
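
The client-side hashing idea described above, as an added Go example that is not Garantir's code and does not reflect GaraTrust's actual protocol or API: the client hashes the artifact locally and sends only the 32-byte digest to a service that holds the key. The `signingService` type, its in-memory P-256 key (standing in for an HSM-held key), and the choice of SHA-256 with ECDSA are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// signingService is a hypothetical stand-in for the server side: the private
// key stays here (an HSM in production) and only digests cross the wire.
type signingService struct{ key *ecdsa.PrivateKey }

func newSigningService() *signingService {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &signingService{key: k}
}

// SignDigest signs a client-supplied SHA-256 digest. The service never sees
// the artifact, so it must at least reject input that is not a 32-byte digest.
func (s *signingService) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("digest must be exactly 32 bytes (SHA-256)")
	}
	return ecdsa.SignASN1(rand.Reader, s.key, digest)
}

// clientSign hashes locally and returns the signature plus the bytes sent.
func clientSign(s *signingService, artifact []byte) ([]byte, int, error) {
	d := sha256.Sum256(artifact)
	sig, err := s.SignDigest(d[:])
	return sig, len(d), err
}

// verify is the relying party's check: hash the full artifact, then verify.
func verify(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	svc := newSigningService()
	artifact := make([]byte, 8<<20) // constructed 8 MiB stand-in for a build artifact
	sig, sent, err := clientSign(svc, artifact)
	fmt.Println(len(artifact), sent, err, verify(&svc.key.PublicKey, artifact, sig))
}
```

Because the service only ever receives a digest, server-side approval and audit controls can describe what was signed only if the client also supplies metadata about the artifact.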

Easy

In order to support deployments across a large number of use cases on any platform, GaraTrust comes with all the cryptographic service providers needed for every major platform, plus some of the more esoteric ones for good measure. Additionally, GaraTrust supports single sign-on (SSO) with common identity platforms.

The result: customers can support a wide range of use cases (code signing, SSH, TLS, S/MIME, document signing, file encryption, etc.) on practically any platform (Windows, macOS, Linux, Java, Android, etc.) using the same tools they use today. By allowing customers to use the same tools and supporting things like SSO, training is kept to a minimum and existing processes require minimal modifications, if any at all.


Learn More About GaraTrust

If you’d like to understand how GaraTrust can secure your cryptographic keys while keeping your workflows fast and user-friendly, the Garantir team would be happy to help.

Get in touch with the Garantir team to schedule a demo.
