Application Security for Dummies: The Only Way Forward
To date, tech companies have cloaked security in wizard’s robes. In a world where end users and customers are king, this mystical security approach has become one of the biggest risks to collective security. There is a good reason why some of the most egregious recent breaches have come from misconfigurations of security settings for S3 buckets or Microsoft Azure tokens. The proper processes for using and locking down those systems were hard to understand, poorly documented, and difficult even for engineers, developers and data scientists.
To improve application security, we must make security so stupid that anyone can do it. That applies up and down the stack, from the most complicated security tooling like firewalls, EDRs and SIEMs, to user-facing business applications. The reality is that all of these systems are now juicy targets for attackers and potential vectors for all sorts of bad acts — from ransomware drops and malware infections to high-value social engineering attacks to activate six and seven-figure business email compromise and deepfake trickery. On every application and for every user, the user experience should rival that of buttery-smooth Apple applications.
This will not happen overnight, or probably even in a decade. That said, by adopting the highest standard for UX and solving for the lowest common denominator — non-technical users. Application companies can radically improve security. Ironically, achieving a “security for dummies” simplicity would eliminate many of the worst breaches by reducing manual error and make life easier for the security operators who often deal with such an ugly UX that their CLI is their ultimate single-pane-of-glass.
Mac, not McAfee: Four Design Principles for User-Friendly Security
So, security should be so clear and easy that even aggressively non-technical people can understand and manage it. How to make this happen? You can’t wave a magic wand. It will take time and effort. But here are four design principles to guide these efforts.
Think like a Mac, not like McAfee: Let’s face it. The general standard for security UX is not great. Most security panels in applications are confusing. Often, security is scattered across several different product menus. No wonder engineers struggle to consistently and quickly configure security settings on their applications, never mind normal users. This is a mindset problem. The best software applications are designed from the outside in, looking at the users’ jobs to be done and attempting to create clean pathways to navigate those jobs. Rather than attach security configurations and controls as an afterthought to applications, we need to start designing security functionality as a first-class citizen in the UX. That means elevating security UX to the highest priority, on par with the core functionality of any application. In the designing process of an app, the product team should identify required security features and design for them as if they are part of the signup and onboarding flow. Channel Steve Jobs for jobs to be done, not some wonky security software or an impenetrable settings panel that is impossible to grok.
User test security features frequently, early and on normal users: Many SaaS application companies skimp on user testing security features. This is due to the prevalent “security last” mindset, where security features are viewed as vitamins, not painkillers. Flip the mindset and prioritize testing security features on par with any other feature you launch. Security is no longer a vitamin when ransomware risk is forcing SEC disclosures at publicly traded companies, disrupting hospital operations and shutting down government agencies for extended periods. Equally important,, normal, non-technical users may not be involved in early user tests or ongoing feedback. Their early observations and feedback can help shape security features toward more consumer-grade UX.
Bring the knowledge to the users where and when they need it. A feature is only as useful in a shift-left security world if people know how to use it. Tooltips, in-app tutorials, and other in-workflow suggestions are critical. Some of this is done in security features in SaaS applications but for the most part, in-app security education is sporadic and incomplete. You may also want to re-onboard for new security features, as needed. Overall, if users understand the terms of art like “impossible travel” or “suspicious log-in attempt” or “MFA step-up” and what that means, they will themselves have a better idea of the risks they face and how to improve their security hygiene. An educated user is a more secure user.
Design and follow a panel of metrics on security usability. You have plenty of metrics for product usability and monitoring user behaviors for UX bottlenecks. Take these same capabilities and point them toward security features. This may include watching clickstreams on anonymized user sessions or user panels but can be modeled on lead funnels with actions completed, similar to a shopping cart checkout. These can be fairly standard metrics because good security behavior is most likely similar across many SaaS applications. With specific vertical domains, such as health care and financial services, or in more complicated architectures like multi-layered multi-tenancy or nested privilege structures and authorization inheritance trees, you might want to create more bespoke metrics. Regardless, you must measure because this is important to test whether you are getting the job done and making security accessible even for dummies. These metrics can be an excellent mechanism for measuring an organization’s SaaS security posture down to the individual level.
Conclusion: Dumbing Down Security Means Better Security
There is no reason why security should be so hard and painful in SaaS apps. Today, it is becoming critical to make security easier because the attacks are more frequent, severe and varied. The only way to address these risks is to empower users to be their CISOs and configure and deploy their security features in their SaaS apps. Empowering users this way is impossible unless we radically improve UX and ease of use and stop treating security features as second-class citizens. A “security for dummies” approach to this problem will make everyone much smarter, secure and better prepared to deal with the realities of maintaining a strong security posture in increasingly complex and critical SaaS applications that have come to dominate our software world.
