Optimize security architectures by optimizing the UX
Feb 14, 2022
Earlier this year, the Federal Aviation Administration (FAA) awarded a flying car an airworthiness certificate. Retail juggernaut Walmart staked trademark claims in the metaverse. Companies are using AI-based simulations to boost the emotional intelligence of the workforce. Suggested smart replies are completing the thoughts for billions of people across email and messaging platforms every day. Common to all of this technological innovation is that success or failure hinges on human perception, which can be controlled by user experience (UX) design.
Perception, they say, is reality—and that applies to cybersecurity as well. As security continues to evolve as a field, it’s essential for security managers to understand and incorporate the user experience at a deep level to obtain the best results. With cybercriminals leveraging the same new technologies that are changing business and society, such as AI, cryptocurrency and IoT, to achieve their goals, security designs that fully account for human factors will be the only way to secure such transformations and steer clear of devastating events on the path to human-machine symbiosis.
User noncompliance alone can defeat security, however sophisticated it may be. Why? Partly, it’s because when users find security solutions or processes unacceptably cumbersome, they often don’t follow best practices. Therefore, replacing friction caused by the conscious application of a security component tied to a user journey for a product, system, or service with an automated and hidden equivalent is ideal. At second best is minimizing the friction. Nobody complains about fastening their seatbelt when they get into an automobile, but requiring a brake pad inspection before each drive would not go over well.
Obvious historical instances of noncompliance include password reuse across multiple services, far too simple or easily guessed passwords, or exposed (literally) passwords such as on a post-it note hanging from a user’s monitor. All these situations reflect the reality that users tend to prioritize personal convenience over security — and when they do, the organization becomes more vulnerable.
We see a similar situation with multi-factor authentication (MFA). It's a great way to improve the odds that only the right people will get logical access to services and data. But what if users dislike the inconvenience of authenticating multiple times on different platforms? They may disable MFA altogether to simplify matters, potentially defeating the theoretical benefits to the company.
Fortunately, we can now address such issues by applying zero trust architecture (ZTA) and related technologies. Today, for instance, it’s possible to use digital certificates to authenticate identity and strong encryption to protect transactions end to end.
Zero trust architecture isn’t just better security — it’s also better UX because it requires no new learning and minimal user behavior changes. ZTA removes passwords as a potential failure point. It’s a great example of succeeding by considering the human perspective.
New worlds. New user requirements. New security strategies.
Going forward, as new computational platforms and service classes emerge, the same situation will remain: security professionals must find ways to balance security with UX.
Already, we can see several examples of how that balance applies, or soon will. Three that come to mind:
• The growing expectation among workers that all data, apps, and services should be available from any device, anywhere, at any time. This expectation, initiated with the advent of the smartphone, dramatically accelerated with the COVID-19 pandemic as the global workforce instantly became both mobile and remote on a mass scale. And although the pandemic itself will retreat in time, the pandemic-inspired working culture will remain.
Many organizations have responded with more reliance on virtual private networks (VPNs), exposing themselves to IT tickets and mounting complaints about poor user experience. VPNs work well in legacy architectures, where network transactions are presumed safe behind a company firewall. But VPN technology is not fast or secure enough for today’s seamless, remote way of working. It doesn’t support ZTA principles like least-privileged access. Worse yet, VPN gateways are discoverable on the internet, making them easy for attackers to find and target using freely available tools.
End users will increasingly challenge organizations that fumble the balance between security and convenient UX, expecting universal access to company resources from wherever they happen to be and from whichever device and network they happen to be using.
• Device evolution. Smartphones are no longer cutting-edge; we are rapidly moving to more sophisticated wearable devices that support augmented reality/virtual reality (AR/VR), adding a new logical layer of information and services to real-world experiences. Several tech giants are in the race for a viable mass-market AR/VR headset, such as Apple, which anticipates launching one in 2023.
How can that layer be secured against the array of formidable threats it will inevitably confront? Organizations like Facebook (now known as Meta, “a social technology company”) will have to invent new ways to secure metaverse services and data as new cybercrimes evolve. If protecting online user privacy and safety wasn't already challenging enough, metaverse companies face a new set of complex issues, questions, and regulatory considerations. Compromised services and data that in the past would merely have been deemed deceptive, manipulative, or misleading could soon actually become lethal. The UX and security involved will both require careful thought.
• Web3. One of the key selling points of a decentralized Web is the premise that the potential for abuse declines with more broadly distributed power and information. However, on the flip side of that coin, the automated management of services and data will surpass human oversight and control. Whether you are bullish or bearish on the next phase of the web defined by metaverses, crypto, blockchain, and NFTs, today’s hype means investment, and that means some winners will have to emerge with sustainable value propositions.
In a Web3 internet (whether it arrives next year or in a decade), users must, more than ever, trust that the security performs as expected and that there is no means of defeating it, yet we know that future developments will challenge that assumption. Hackers, malware, and criminal organizations are all rapidly becoming more powerful, and in some cases are even operating under the aegis of state sponsorship. As if that weren’t enough to worry about, future quantum computing platforms, expected within a decade, will almost certainly be powerful enough to break the encryption schemes upon which Web3 relies for key architectures such as blockchains. Establishing and maintaining trust will be an essential aspect of UX for security managers to consider if Web3 fulfills its potential.
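To make concrete the contrast the post draws between perimeter trust (a VPN that treats anything inside the network as safe) and a zero trust architecture that evaluates identity, device posture and least privilege on every request, here is a small Python model. It is an added example, not code from the original post or from any vendor's product. The user names, resource names, policy table and the `device_compliant` posture flag are all constructed for illustration; the `subject` string stands in for an identity that a real deployment would establish from a client certificate, which this example does not implement.

```python
"""Added example: perimeter (VPN-style) decision vs. zero-trust policy decision.
Everything below is constructed for illustration; none of it is from the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str             # identity assumed to come from a client certificate (not implemented here)
    device_compliant: bool   # assumed posture signal: patched, encrypted, managed device
    on_corporate_network: bool
    resource: str
    action: str              # "read" or "write"


# Constructed least-privilege policy: per resource, which subject may perform which actions.
POLICY = {
    "payroll-db": {"alice": {"read", "write"}, "bob": {"read"}},
    "wiki":       {"alice": {"read", "write"}, "bob": {"read", "write"}},
}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the corporate network (e.g. via VPN) is the only check.
    Identity, device state and the specific action requested play no role."""
    return req.on_corporate_network


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero-trust model: every request is checked against identity, device posture
    and the least-privilege policy. Network location is deliberately not an input."""
    if not req.subject:
        return False, "no authenticated identity"
    if not req.device_compliant:
        return False, "device not compliant"
    allowed = POLICY.get(req.resource, {}).get(req.subject, set())
    if req.action not in allowed:
        return False, f"{req.subject} not permitted to {req.action} {req.resource}"
    return True, "allowed"


def compare(requests: list[Request]) -> list[tuple[bool, bool, str]]:
    """Return (perimeter_allowed, zero_trust_allowed, reason) for each request."""
    results = []
    for req in requests:
        zt_ok, reason = zero_trust_decision(req)
        results.append((perimeter_decision(req), zt_ok, reason))
    return results


# Constructed sample requests covering the cases the post describes.
SAMPLE_REQUESTS = [
    # bob on the VPN tries to write payroll data: perimeter says yes, least privilege says no
    Request("bob", True, True, "payroll-db", "write"),
    # alice reads payroll from a coffee shop on a compliant laptop: perimeter blocks, zero trust allows
    Request("alice", True, False, "payroll-db", "read"),
    # alice on the corporate network from an unmanaged, unpatched device
    Request("alice", False, True, "payroll-db", "read"),
    # unauthenticated client that merely reached the internal network
    Request("", True, True, "wiki", "read"),
]

if __name__ == "__main__":
    for req, (perim, zt, why) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(f"{req.subject or '<anon>':>6} {req.action:>5} {req.resource:<10} "
              f"perimeter={perim!s:<5} zero_trust={zt!s:<5} ({why})")
```

The point the table of results makes is the one the post makes in prose: the perimeter model gets two of the four cases wrong in the permissive direction (it lets a read-only user write, and lets an unauthenticated client in) and one wrong in the restrictive direction (it blocks a legitimate remote user), while the zero-trust check gives the remote user access without a VPN and denies the other three with a specific reason that can be surfaced to the user instead of a generic failure.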
The examples above demonstrate that good security invariably and increasingly requires a good user experience. Security designers and managers must consider what happens inside the technology and the user’s mind. Best results will emerge from balancing the two perspectives so that each supports and enables the requirements of the other.