I attended the Usenix Enigma conference this week in Oakland, which brought together some of the brightest minds in security across academia, government, and business. After watching a few of the videos from last year’s conference, I wanted to be there in person this time around. Everything about the conference was top-notch, with a diverse and thoughtful community really coming together for the greater good.
A major theme echoed across the conference, from the sessions to the hallways – usability. The most advanced security measures are rendered useless if they are not clearly understood, which the industry is now humble enough to admit. That humility may be partially attributed to the continued lack of adoption and general understanding of security technologies outside of the industry. Parisa Tabriz from Google said during a fireside chat, “As security professionals we spend too much time on crypto and not enough on making security usable.”
For those of us who build security products, education through good documentation is paramount to adoption, and that education continues long after adoption. While speaking on this topic, Lorrie Cranor from Carnegie Mellon said, “If you’re doing a disclosure to users, make sure they notice, comprehend, and act.” Notifying users is critical to their understanding of what’s happening and what’s at stake; however, too often “alert fatigue” kicks in, where the default is to just blindly accept. Similarly, Anthony Vance from BYU said, “Security should be brain compatible, and work with the brain, not against it.” He then went on to say that a good time to show security messages is during wait times. During her session, Franziska Roesner said, “To build effective security, we need to understand our users.” That may sound obvious, but she went on to speak about different groups needing entirely different tools.
Now I’m a strong proponent of the “Jobs to be Done” principles of product development, where the focus is delivering an experience that makes the end user better at his or her job. The challenge with incorporating security measures into products is providing a safe environment that checks all the boxes, while delivering a streamlined workflow that doesn’t get in the way of progress. In today’s world, the user should at least be aware of the security implications of using a product, but rarely needs to know the implementation details – relevant examples being WhatsApp implementing the Signal protocol and Keybase.io building on top of PGP. There will most certainly always be people who don’t believe in abstraction layers such as these; however, a product owner who is considering the end users must certainly keep an open mind.
At ScaleFT, we give a lot of thought to usability as we continue to further our Dynamic Access Management platform. Authentication and authorization tools with complicated workflows only anger and frustrate users, enough that they attempt workarounds or give up entirely, which is counterproductive to the primary goal of granting access to someone who belongs. Making a trust attestation in a dynamic manner is no easy task, though. Alex Stamos from Facebook said, “What’s the biggest problem in security? It’s password reuse and nothing else is close.” This has as much to do with the way end users misuse passwords as it does with the static nature of passwords themselves.
When Google embarked on their security transformation through the BeyondCorp initiative, they gave a lot of thought to usability for their employees. It may have been an attack that sparked the effort initially, but Google used that as an opportunity to reimagine what it means to operate at global scale, where employees work from all locations and devices. Through the lens of “Jobs to be Done”, Google hit the nail on the head. By making trust decisions for a resource in real time based on the user and the connecting device, they were able to remove the obstacle of the VPN and enable secure remote work. The VPN is a common pain point across numerous organizations, which is why we’re seeing more and more companies migrate towards a perimeterless architecture of their own, as Google did with BeyondCorp.
I am fortunate to have been able to attend the conference, and to have mingled with so many from the community who I admire. The overall vibe I witnessed throughout the week was a strong desire to educate the world about security practices, and to do so in a way that makes sense for everyone. As a software company delivering modern security solutions for the enterprise, we feel the same way, and will continue to promote the benefits of the BeyondCorp ‘Zero Trust’ architecture.