Visual Design vs. Interaction Design

I do not know what makes a good interaction designer, and I still have issues about using the term interaction designer. However, I'll make a few relatively educated guesses:

  • You need experience. This is a no-brainer. You just cannot learn this stuff in school (trust me, I tried). The challenges you face when you actually create and support a product are different, for lack of a better term, from what you expect your problems to be, and that is why you'll try to design things better the next time round.
  • You need to work on your target medium. This is me saying, in a fancy way, that you need to be able to build your designs.
  • Visual designers need their frameworks such as CSS, HTML5, typography, symmetry, balance, etc., but there are many ways to slice and dice time between interaction and visual design in a project; these are not alternatives at the same level. I don't want to stereotype developers, but most developers think that the only design they need is visual design, not interaction design, since the discipline of interaction design is less known in the developer community.
  • In many ways, interaction design is interface design (but not graphical interface design). It is about the story that is made up of moments of dialog between different interfacing moments, made complex through intelligent connections and relationships.
  • Interface design was and is the practice of designing the way someone interacts with a product, traditionally on a screen-by-screen basis.
  • Interaction design grew out of interface design, as those who practiced it realized that in order to design a very useful product, you must begin by designing how people will interact with it as a whole.
  • Interface design is about where buttons appear on a page, and what those buttons look like. IxD is whether or not that page needs to exist at all.

Posted in Graphic Design, Mobile UI Design, UX Design, Visual design, Web Design

It's 4AM!! Where is your data in the cloud? Who is using it? What is happening to it?

It should be of little surprise to any of us that many companies, small or large, have already started adopting cloud-based services to run their business. Many companies have been considering cloud services as a means to reduce their IT CAPEX and OPEX and stay competitive. Unfortunately, while cloud-based services and XaaS, where X is one of Security, Software, Infrastructure, Computing or Platform, may bring the promise of a lower cost of technology adoption and ease of deployment, they bring with them some major concerns and side effects:

  • XaaS services use SSL or other secure protocols, which in turn blind the existing IT monitoring and security tools that your IT department has invested in.
  • There's much ambiguity around how to protect the confidentiality of your company's data being stored and used via these cloud services.
  • Who should be responsible for ensuring the much-needed confidentiality of a company's data and intellectual property? Just think about the data being stored and used in Salesforce.com or netdocuments.com, or services like Dropbox and Box.net. See emerging companies like CipherCloud that are trying to help solve this challenge around Salesforce.
  • How about the integrity of such systems and data being accessed and modified through cloud services by your mobile users? Who is responsible for ensuring the security posture of the systems connecting to these cloud services?
  • How can your IT department provide the necessary assurances around the integrity of the systems and users accessing its data through these cloud services? Most companies have, at best, adopted a NAC (Network Admission Control) strategy that allows them to check user identity and system security posture ONLY when users connect to the corporate environment via VPN tunnels or approved remote access. It's much more challenging to do that when a remote worker connects to XaaS / cloud services outside your IT department's control from a personal tablet, smartphone, Internet TV, kiosk or home system.

We need to be able to monitor these services and our data as they travel through co-lo facilities, public clouds, and mobile networks. Perhaps it's time cloud service providers, co-lo facilities, and mobile operators thought about providing MaaS: Monitoring as a Service.

Think about it: what if your IT department had the option to purchase accompanying Monitoring as a Service to monitor and protect the cloud services they are investing in?

What if they had the ability to securely and privately (i.e. your XaaS provider should not see your data) monitor and protect these services and your data?

What if they could give your existing security and monitoring tools access and visibility into these cloud tunnels at either end?

What if they could build an extension of your monitoring and security tools that your Security and Network Operations Centers could access and leverage in the cloud to monitor and protect your cloud services?

I am sure we're going to see cloud service providers, co-lo facilities and mobile operators start offering MaaS to us in the near future.

I would expect a good MaaS to offer at least the following:

  • The ability to use existing tools or other cloud-based monitoring tools and services to monitor and protect my XaaS and the data traversing it.
  • Enable my NOC/SOC to tell me who is accessing my services at all times (confidentiality).
  • Enable me to know who is handling my data and how my data is being modified (integrity).
  • Allow me to measure and improve my users' experience when interacting with these services (QoS, QoE, service assurance and availability).
  • Measure the performance of the cloud-based networks, applications and services we rely on to run our business competitively (SLA adherence, improved efficiency).

I’d be happy to hear your thoughts and suggestions ;)

Posted in Cloud Security, Monitoring, Network Security, Privacy

A Few Tips for Mobile UI Design

In my opinion, good websites and mobile apps have quite a few similarities. Both need to connect with the user or visitor instantly. If they fail, the next best alternative is just a couple of clicks away. Most users will not waste their time trying to figure out how to use your app or reading a complicated manual. They will simply move on.

At first glance everybody will have the same three questions on their mind:

  1. Where am I?
  2. What can I do here?
  3. What can I do further?

Try to answer these questions instantly. If you can convince your user that this is the right app for them in the first couple of seconds, they will surely dive deeper.

  • Consider the font size for people with poorer eyesight.
  • Think about the scaling and sizing of images for different screen sizes and orientations.
  • Analyse colours and their visibility in different lighting conditions and for people with color blindness.
  • Avoid UI bling so the user understands quickly what they are looking at. For example, keep icons simple rather than adding lots of confusing shading.
  • Think about hot spots and content on the UI.
  • Don’t have too many UI designers on the same app. Everyone likes to make their mark on the app and you can end up going around in circles.
  • Don’t over analyse at the start. The end user actually knows best so plan to obtain feedback and iterate. If you really must pre-analyse, have typical end users assess mockups.

Finally think about branding/skinning/white labeling. It’s far easier to incorporate this from the start rather than add later.

Posted in Mobile UI Design, UX Design, Visual design

Visual Design Tips

Whether visual aids show what something looks like, show how to do something, clarify relationships, or show how something is organized, they should all be created using the following general design principles:

Layout
Layout continuity from frame to frame conveys a sense of completeness in any presentation. Headings, subheadings, and logos should show up in the same spot on each frame. Margins, typefaces, type sizes, and colors should be consistent, with graphics located in the same general position on each frame. The use of lines, boxes, borders, and open space also should be consistent throughout a presentation.

Format
The type of format used in a visual aid must be well suited to the point that the trainer is trying to illustrate. Typical choices for computer-generated graphics include text slides, bar charts, tables, area or line graphs, pie charts, organization charts, and diagrams.

The format of the visual aids will convey a certain mood and tone, which the presenter should consider when deciding on the use of color, typeface, clip art, or other aspects of graphic design and style.

Text slides
These highlight key points or reinforce what the presenter is saying. Text slides should be short and to the point, including only key words and phrases for visual reinforcement. Each frame should contain only one idea, and bullet points should express a single thought in each line.

Text must be no smaller than 14 point to be legible. Sans-serif typefaces such as Helvetica are most readable; serif faces (e.g., Times Roman), italics, and script tend to be too busy for use in presentations.

Tables
These show exact data values. Tables should contain only necessary information, and large numbers should be rounded off to increase comprehension.

Pie charts
Use these to show data as a percentage of a whole. The chart should be divided into a maximum of five sections; small sections can be combined into a section labeled “other.”

Bar charts
These show the relationship between parts or variables, often over a period of time. No more than three or four bars (or series of bars) should appear on a single frame.

Area graphs
Use large areas of color to show the relationship between different sets of data, such as changes in volume or time.

Line graphs
These illustrate changes over a period of time or emphasize overall trends. A maximum of four or five lines can be used on each chart.

Organization charts
Illustrate structure or work flow using these charts. But keep them simple, and be concise with labeling.

Diagrams
Use these to show structures, relationships, or concepts that cannot be expressed with a statistical chart (e.g., maps).

Posted in UX Design, Visual design

Exploring color psychology

The way different colors influence our mood and state of mind and body is really exciting. Most of us do not realize how it works, and only a few probably pay attention. Though the influence of colors may be somewhat overestimated, we can obviously feel it in some situations (imagine yourself in a dark red room or in a sky-blue room). Today we'll be speaking about color perception and color psychology in website design, the way different brands use colors and what their message is.

Colors are divided into two basic groups: colors in the red area of the spectrum, known as warm colors (red, orange and yellow), and colors in the blue area, known as cool colors (blue, purple and green). Warm colors evoke emotions ranging from feelings of warmth, comfort and coziness (the fire burning on a rainy cold evening) to anger and aggression. Cool colors are as a rule described as calm and tranquil but can also be associated with sadness (having the blues) or indifference.

In ancient times people believed that colors could cure different diseases. This science was called chromotherapy, and some of its basics were as follows:

  • Red increases blood circulation and thus stimulates the body and mind
  • Yellow stimulates the nerves and purifies the body
  • Orange increases your energy
  • Blue treats pain
  • Indigo alleviates skin problems

Though the majority of psychologists are sceptical of color therapy, big brands don't seem to agree. They create huge marketing campaigns based on the way we perceive colors to make people buy. Below is a table of colors and the emotions and feelings they are widely associated with. Let's try to analyze the websites of some world-known companies and see how they implement color techniques.

Color: Emotions

Black: Symbol of menace or evil, popular as an indicator of power. Associated with death and mourning, unhappiness, sexuality, formality, and sophistication.
White: Purity or innocence. Cold, bland, and sterile.
Red: Evokes strong emotions; associated with love, warmth, and comfort. Still considered an intense and angry color that creates feelings of excitement, intensity, and sexuality.
Blue: A favorite color for many people and the color most preferred by men. Gives feelings of calmness or serenity. Described as peaceful, tranquil, secure, and orderly.
Green: Symbolizes nature and the natural world. Represents tranquility, good luck, health, and jealousy. Symbol of fertility; has a calming effect and relieves stress.
Yellow: Cheery and warm, but can also create feelings of frustration and anger. Most fatiguing to the eye (that's why you'll rarely see a bright yellow website or a room painted yellow, with the exception of playrooms for kids), yet the most attention-getting color (so a great color for important details or calls to action; remember the yellow stop/caution color).
Purple: Royalty and wealth, wisdom and spirituality, sex and relationships, exotic and special.
Brown (all of us love wooden backgrounds): Natural color that evokes a sense of strength and reliability, warmth, comfort, and security.
Orange (banner color of the counter-culture): Blatant and vulgar color; makes you feel excitement, enthusiasm, and warmth. As a combination of red and yellow it's often used to draw attention.
Pink: Associated with love, romance, youth, and freshness, and may have a calming effect. The effect of pink depends on the type of pink (strong, light, deep, etc.).

Posted in Visual design

There is no “trying” in data protection

There is no trying when it comes to protecting your customer’s data: Heartland tries to rally industry in wake of data breach (Network World)

The CEO of Heartland Payment Systems (Robert Carr) is calling for the card payment industry to share security information and consider end-to-end encryption.

Mr. Carr is a strong advocate of "end-to-end encryption — which protects data at rest as well as data in motion — as an improved and safer standard of payments security." However, his justification for not having it implemented properly before this breach is that this technology does not "wholly exist on any payments platform today."

Mr. Carr, with all due respect, I disagree.

Just because most existing door locks sold today are vulnerable to “bump key” techniques, does not justify anyone leaving their doors unlocked and turning off their alarms. That’s especially true in a high-crime neighborhood.

PCI-DSS compliance does not have to mean that a particular company has the right level of security maturity to support their business model. “Heartland was, at the time of the breach, and currently is, PCI compliant,” as reported by The Tech Herald.

It has become evident that there is no such thing as “just enough security” by just getting the check marks on a PCI-DSS report. Data protection is a dynamic problem that requires a dynamic security, risk and compliance mitigation strategy. As business models change, so should security infrastructure, processes and risk management strategies.

There are plenty of technologies available today that can provide a holistic data protection solution. McAfee Data Protection Suite and McAfee’s overall strategy are examples of this. Solutions like McAfee Data Loss Prevention (DLP) and end-to-end encryption are great technologies that can help mitigate risk.

Other emerging technologies to evaluate could be CipherOptics' tunnelless encryption and APANI's EpiForce.

However, technology alone is not sufficient. The security architecture model, processes, strategy and, more importantly, trusted security advisors need to be re-evaluated to ensure that they properly empower an organization to securely support its business model and expected growth.

-Tony

Posted in System Security

It’s time to revamp your Defense-in-Depth strategy.

Up until now, if you asked any security professional or consultant to provide you a best-practice strategy for securing your enterprise, they would most likely recommend that you follow the Defense-in-Depth (DiD) strategy: that is, use multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented. Although this has proven to be a sound strategy for the most part, as a security practitioner, I would have a tough time making that recommendation to customers that are adopting a Cloud Computing model.

The problem:

As we move our resources, storage, services, and application into the cloud we are drastically changing our enterprise model. I would argue that we are turning the defense-in-depth model inside-out. We are putting more and more on the edge of our network, if not directly into the cloud.

So let's think about this for a second:

  • How much of our existing investment in DiD strategies (firewalls, IDS, IPS, vulnerability management, NAC, anti-virus, anti-malware, etc.) can we leverage as we move our IT infrastructure further into the cloud?
  • How can we ensure the confidentiality of our High Business Impact (HBI) data as we adopt more cloud computing services?
  • Is a SAS70 Type I or II certification sufficient evidence for us to trust the confidentiality of our HBI data in the hands of our trusted Cloud vendor of choice?
  • Who will be monitoring and protecting the confidentiality of such data as clients with questionable security postures interact with the Cloud service / application?
  • The SaaS (Software-as-a-Service) provider? The cloud vendor? I was under the impression that they are not supposed to see into our confidential data streams. So if not them, then who?
  • Who is responsible for ensuring the integrity of that data when users connect from a Starbucks or an Internet kiosk without going through our corporate LAN? As far as I know, very few companies (if any) are enforcing Network Admission Control (NAC) on systems when they are not connecting to their corporate LAN/VPNs.
  • What if their system is infected with the latest worm or malware, or even worse, a rootkit? What if they suddenly get infected with a day-zero worm before connecting to the SaaS vendor hosting the corporate secure document repository?
  • Does that mean IT departments need to re-engineer their entire security architecture and operational models?
  • What is the cost of doing that? Can that cost be justified by the perceived value you could expect from your Cloud Computing investment?

The need:

IT security organizations need to be smart about this, and start thinking about how to revamp, enhance and adapt their existing security models and risk management strategies to keep up with the Cloud Computing "revolution", and they need to do so quickly. I see these clouds moving really fast towards us.

As the IT infrastructure moves into the cloud, there is a lot less that we can control. Many of us are using GPRS cards, hotspots, free Wi-Fi and home broadband to do our daily work away from the corporate LAN. There's very little companies can do about the risk associated with Cloud Computing unless they start expanding their existing technology controls to be effective both inside and outside the corporate walls.

They need solutions to control any system (managed, unmanaged, trusted or un-trusted) and access points (internal, external, secured or unsecured) that can be used to connect to the Cloud service hosting corporate high business impact data.

My thought:

For those of us who have already begun to leverage Cloud services and infrastructure, the only thing we can still hope to control is the data itself.

What is being done?

On the vendor side:

Many solution vendors, especially DLP vendors like McAfee, have been thinking about this and are offering new complementary solutions like robust endpoint DLP agents to ensure that DLP policies are enforced even when users are offline. They also provide the ability to tag the data and enforce policies and controls based on the content itself. There is also a lot of talk about SaaS DLP and other complementary technologies. I believe utilizing these would be a great step in the right direction.
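As an added illustration of content-based tagging and offline policy enforcement (example code written for this page, not code from McAfee or any product named here), the following Python sketch tags a document as HBI when it contains a Luhn-valid payment card number, redacts the number, and applies a hypothetical destination policy that an endpoint agent could evaluate without contacting a server. The sample documents, the HBI/LBI tags and the policy table are constructed assumptions for this example.

```python
import re

# Constructed sample documents (not real data): one holds a standard test card
# number, one holds a 16-digit value that fails the Luhn check, one is clean.
SAMPLE_DOCS = {
    "invoice.txt": "Customer paid with card 4111 1111 1111 1111 on 2024-01-05.",
    "orders.csv": "id,ref\n1,4111111111111112\n",
    "notes.txt": "Meeting moved to 3pm; bring the Q3 deck.",
}

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to weed out random digit runs (dates, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the digit-only form of every Luhn-valid card number in text."""
    return [
        _digits(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if 13 <= len(_digits(m.group())) <= 19 and luhn_ok(_digits(m.group()))
    ]


def classify(text: str) -> str:
    """Content-based tag: HBI (High Business Impact) if any PAN is present."""
    return "HBI" if find_pans(text) else "LBI"


def redact(text: str) -> str:
    """Mask every validated PAN except its last four digits, keeping separators."""
    def mask(m):
        raw = m.group()
        d = _digits(raw)
        if not (13 <= len(d) <= 19 and luhn_ok(d)):
            return raw          # not a card number, leave untouched
        to_hide = len(d) - 4
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                out.append("*" if seen < to_hide else ch)
                seen += 1
            else:
                out.append(ch)
        return "".join(out)
    return PAN_CANDIDATE.sub(mask, text)


# Hypothetical policy: the decision depends only on the tag and the destination,
# so an endpoint agent can enforce it while offline.
POLICY = {
    ("HBI", "corporate_lan"): "allow_and_log",
    ("HBI", "cloud_saas"): "block",
    ("HBI", "removable_media"): "block",
}


def decide(text: str, destination: str) -> str:
    """Policy outcome for sending this content to the given destination."""
    tag = classify(text)
    if tag == "LBI":
        return "allow"
    return POLICY.get((tag, destination), "block")   # default deny for HBI


if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        print(name, classify(body), decide(body, "cloud_saas"))
    print(redact(SAMPLE_DOCS["invoice.txt"]))
```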

On the customer side:

Some organizations have already realized that they can leverage and reuse some of the current investments they have made as part of their DiD strategy. For instance, when users are on the corporate LAN, IT organizations should be able to leverage existing technologies like NAC (although few companies have rolled out internal NAC), HIPS, DLP, application firewalls, anti-malware, anti-spyware, and antivirus, and some more advanced proxies that can handle Web 2.0 applications and end-to-end HTTPS/SSL connections. These technologies, in conjunction with the right policies and processes, can help monitor and protect the integrity and confidentiality of sensitive data as users interact with the cloud from inside the corporate environment.

What is next?

In the meantime, coming up with a real solution would require a collective mind shift by all of us (security practitioners, consultants, advisors, vendors, customers) away from system security (i.e. Defense in Depth) towards data security, proper data classification and Defense-at-the-Edge. Since data is really the only thing Cloud Computing users own and have control over (I know I am reaching here), perhaps that is where they should plan to invest the scarce security dollars available these days.

Conclusion:

The focus should be on classifying and securing the data itself as well as enhancing security at the edge. Unfortunately that is a lot easier said than done.

Challenges:

  • Today's data is very dynamic and polymorphic; the same sensitive content can exist in many forms in the enterprise: DOC, XLS, PDF, ZIP, JPG, XML, WMV, MP3, SQL, encrypted, or protected by some kind of DRM (Data Rights Management) …
  • Your sensitive and high-impact business data can also be in many locations, i.e. SharePoint, secure vaults, client laptops, desktops, PDAs, servers, hosted repositories in the Cloud, partner websites, etc. No wonder e-Discovery is such an expensive and daunting effort these days.
  • How do you define the edge of your network? Where are the boundaries? Is it limited to your Internet gateways? I doubt it. Think about it:

a. We all use some sort of smartphone, iPhone or Blackberry every day for connecting to our corporate and personal email, favorite social network circle, browsing, and checking on our brokerage account.

b. Most of us use GPRS cards at Starbucks coffee houses (well, I go to Peet's myself).

c. We rely on home broadband to connect to our corporate email using Outlook Web Access (OWA).

d. Some are even brave enough to tap into our neighbors' Wi-Fi or jump on a free Wi-Fi while taking our kids to the park.

You get the picture…

Solution:

It's time for security practitioners and consultants to collectively review and reassess the Defense-in-Depth strategies used today, and consider devising a complementary and more scalable, feasible and effective Defense-at-the-Edge (DATE) strategy for tomorrow.

As I said before, we should strive to get a better handle on classifying and securing our High Business Impact data at the time of conception and figure out a way to closely monitor and protect it throughout its lifecycle. To top it all, we have to do this in probably one of the toughest economies we have seen in a few decades.

Nobody said Security was easy.

Some people joke that security is just a cost center. I'd encourage them to wait until they are hit by a lawsuit where the judge orders them to perform an exhaustive e-Discovery within a 30-60 day time span. Let's then come back and compare the cost associated with the e-Discovery (where a good chunk of the data is dispersed across the globe, partially thanks to Cloud Computing) versus the cost of proactively classifying and securing the data itself and closely monitoring and protecting the edge.

What are your thoughts?

Posted in Network Security