Strong security doesn’t have to compromise the user experience
For many enterprises, security has often come at the expense of usability. The more important an area of work is, the more stringent the protection it is subject to, which has typically meant more friction for the people doing that work. But it doesn’t need to be this way.
Safeguards must still be easily usable by everyone involved in your business, and visibility into the data security protections you employ should vary with each person’s role. Your security practitioners need the highest level of visibility, internal employees need appropriate access, and your customers need the lowest level of visibility so that their experience with your product or service stays frictionless.
Enterprises, especially after the COVID-19 pandemic, continue to invest millions of dollars into creating digital experiences and optimizing user journeys. But as businesses’ online footprints expand, so do their attack surfaces. User interfaces need to be protected. But far too often, enterprises place the onus of proving a user’s identity onto their customers. The resulting friction undermines the strategy and effort that went into creating that smooth digital customer experience in the first place. Frustrated users bounce from the page, leave your business to go to a competitor, and damage your bottom line.
Secure the user, with usability in mind
Security for end users can and should be invisible, defending against account takeovers, credential stuffing, and other forms of online fraud and abuse. As attackers have evolved, captcha challenges, such as checking boxes or entering words, have become easier for bad actors or malicious software to work around and more difficult for humans to complete. But new technologies have emerged to help. A frictionless bot management solution can stop fraudsters without impacting real customers. Instead of requiring your customers to check boxes or click objects to prove they are human, bot management relies on behavioral detection. This technology learns what legitimate behavior on your website looks like, such as request timing and navigation patterns, and then stops automated software from engaging in abusive activities. Your bot management solution can also provide visibility into activity on your web pages and into the changes you can make to prevent attacks.
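To make the behavioral-detection idea concrete, here is an added example (not code from the original post and not the logic of any particular bot management product). It parses a few constructed access-log lines, derives per-client behavioral features such as request rate, timing regularity, and failed-login density, and scores each client; the signal weights and the decision threshold are illustrative assumptions.

```python
"""Behavioral bot scoring over constructed web-access log lines (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - - [ts] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TOOL_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "scrapy")  # assumed list

# Constructed sample traffic (not real logs): a credential-stuffing script,
# a normal shopper, and a human who mistypes a password twice.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 321 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:31 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "https://shop.example/" "Mozilla/5.0 (X11; Linux) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:55:48 +0000] "GET /products HTTP/1.1" 200 8192 "https://shop.example/" "Mozilla/5.0 (X11; Linux) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /login HTTP/1.1" 200 512 "https://shop.example/products" "Mozilla/5.0 (X11; Linux) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:56:22 +0000] "GET /account HTTP/1.1" 200 4096 "https://shop.example/login" "Mozilla/5.0 (X11; Linux) Firefox/118.0"
192.0.2.9 - - [10/Oct/2023:14:00:01 +0000] "POST /login HTTP/1.1" 401 321 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.9 - - [10/Oct/2023:14:00:09 +0000] "POST /login HTTP/1.1" 401 321 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.9 - - [10/Oct/2023:14:00:25 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.9 - - [10/Oct/2023:14:00:27 +0000] "GET /account HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def client_features(records):
    """Group requests by client IP and derive behavioral features per client."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    feats = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        n = len(recs)
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        logins = [r for r in recs if r["method"] == "POST" and r["path"] == "/login"]
        failed = sum(1 for r in logins if r["status"] in (401, 403))
        feats[ip] = {
            "requests": n,
            "rate": n / span,                                   # requests per second
            "gap_stdev": statistics.pstdev(gaps) if len(gaps) >= 2 else None,
            "failed_logins": failed,
            "login_attempts": len(logins),
            "distinct_path_ratio": len({r["path"] for r in recs}) / n,
            "tool_ua": any(m in recs[0]["ua"].lower() for m in TOOL_UA_MARKERS),
            "no_referer": all(r["referer"] == "-" for r in recs),
        }
    return feats


def score_client(f):
    """Weighted signals; no single weak signal is enough to flag a client."""
    score, reasons = 0, []
    if f["rate"] > 0.5:
        score += 2; reasons.append("high request rate")
    if f["gap_stdev"] is not None and f["requests"] >= 4 and f["gap_stdev"] < 0.25:
        score += 2; reasons.append("machine-regular timing")
    if f["failed_logins"] >= 3 and f["failed_logins"] / f["login_attempts"] >= 0.5:
        score += 3; reasons.append("repeated failed logins")
    if f["tool_ua"]:
        score += 1; reasons.append("scripting user agent")
    if f["no_referer"] and f["requests"] >= 4:
        score += 1; reasons.append("never sends a referer")
    if f["distinct_path_ratio"] <= 0.25 and f["requests"] >= 4:
        score += 1; reasons.append("hammers a single endpoint")
    return score, reasons


def classify(log_text, threshold=4):
    """Map each client IP to its score, bot verdict, and the reasons behind it."""
    results = {}
    for ip, f in client_features(parse_log(log_text)).items():
        score, reasons = score_client(f)
        results[ip] = {"score": score, "bot": score >= threshold, "reasons": reasons}
    return results


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(ip, verdict)
```

The threshold is what keeps this frictionless for real users: the shopper who mistypes a password twice and browses without sending a referer accumulates only a single weak signal and is never challenged, while the scripted client trips several independent signals at once. In production the features would be richer (client-side interaction telemetry, TLS and browser fingerprints) and the weights learned rather than hand-set, but the structure, features per client and a scored decision instead of a universal challenge, is the same.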
And though it may be the most visible, your website isn’t the only part of your online attack surface. As more enterprises modernize their security, it’s important to work with a provider that will maintain security practices that are both usable and invisible to you. They will provide regular updates at scale to patch software vulnerabilities or add new functionalities that don’t require the involvement of your internal employees or disrupt your end users.
As your data migrates to the cloud, it should be encrypted in transit across the provider’s network. Once your data reaches the cloud, a responsible cloud provider encrypts it at rest by default, without extra effort from your security team.
We recommend that the products you use in your cloud for data analytics, computation, disaster recovery, or other use cases regularly undergo independent verification of their security, privacy, and compliance controls. Certifications, attestations of compliance, and audit reports should also be checked against global standards. Here, an independent auditor, not internal employees or end users, examines the controls present in cloud data centers, infrastructure, and operations. A good cloud provider will also continuously enforce the policy goals you initially set up.
Related content: Learn how customer HBO Max uses a bot management solution to make its customer experience frictionless
Balancing secure remote access without compromising productivity
Employees need security to be usable, but they should have higher visibility into your enterprise’s security practices. Internal employees should ideally validate their identity before accessing company applications or obtaining permission to share a document with others. These employees usually tolerate more friction, such as reentering login credentials, even when prompted multiple times.
But internal employees who serve your business in roles outside of security are understandably focused on other business priorities. The tools they use should only apply the minimum amount of friction needed in order to secure their work environments so as to not interfere with their productivity. If they face too much friction in their workflow, they’ll take their work outside the corporate environment, creating even greater risks to your organization’s security posture.
At Google Cloud, we’ve made products available to our customers that we use to protect our own internal users and employees with minimal friction. As workforces become increasingly remote and globally distributed, enterprises need technologies that provide secure remote access to business-critical resources. These can include SaaS applications, internal apps, and other resources, both hosted in the cloud and on-premises. Being able to access these applications and resources from virtually any device, anywhere, without a VPN, is one way to remove friction for the user. Leveraging the browser to provide secure access is another way to make the experience simple and seamless for users.
Google believes in a zero trust approach, which we’ve applied across our own organization. We ensure that even if employees or contractors are outside of the corporate network, they can still be secure and productive and have access to the information and resources they need, by verifying their identity and device health on every access. This verification can take place behind the scenes, so users are able to continue their work without disruptions.
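The identity-plus-device-health check described in the two paragraphs above can be expressed as a small policy evaluator. The following is an added example, not code from the original post or from Google’s own access products; the resource tiers, posture requirements, group names, and OS version floors are illustrative assumptions.

```python
"""Context-aware access decision: identity, device posture, and resource tier (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool          # has the user completed MFA in this session?


@dataclass(frozen=True)
class Device:
    managed: bool               # enrolled in the organization's device inventory
    disk_encrypted: bool
    os_version: tuple           # e.g. (14, 2); compared lexicographically
    screen_lock: bool


@dataclass(frozen=True)
class Resource:
    name: str
    tier: str                   # "low", "medium" or "high" (assumed tiering)
    allowed_groups: frozenset


# Assumed posture policy: the more sensitive the tier, the more the device
# and session must prove. Low-tier resources work from any device, no MFA.
TIER_POLICY = {
    "low":    {"managed": False, "mfa": False, "min_os": (0, 0)},
    "medium": {"managed": True,  "mfa": False, "min_os": (13, 0)},
    "high":   {"managed": True,  "mfa": True,  "min_os": (14, 0)},
}


def evaluate(identity, device, resource):
    """Return ("allow" | "deny" | "step_up", reasons).

    Hard failures (wrong group, unhealthy device) are collected and reported
    together so a user can fix all of them at once. "step_up" means the
    request is otherwise acceptable and only an MFA prompt stands in the way,
    so friction is added only where the tier actually demands it.
    """
    policy = TIER_POLICY[resource.tier]
    denials = []
    if not identity.groups & resource.allowed_groups:
        denials.append("user not in an authorized group")
    if policy["managed"] and not device.managed:
        denials.append("device is not enrolled/managed")
    if policy["managed"] and not device.disk_encrypted:
        denials.append("disk encryption not enabled")
    if resource.tier == "high" and not device.screen_lock:
        denials.append("screen lock disabled")
    if device.os_version < policy["min_os"]:
        denials.append(f"OS below minimum {policy['min_os']}")
    if denials:
        return "deny", denials
    if policy["mfa"] and not identity.mfa_verified:
        return "step_up", ["MFA required for this tier"]
    return "allow", []


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"eng"}), mfa_verified=False)
    laptop = Device(managed=True, disk_encrypted=True, os_version=(14, 2), screen_lock=True)
    byod = Device(managed=False, disk_encrypted=False, os_version=(12, 0), screen_lock=False)
    wiki = Resource("wiki", "low", frozenset({"eng", "sales"}))
    source = Resource("source", "high", frozenset({"eng"}))
    print(evaluate(alice, byod, wiki))      # allowed from any device
    print(evaluate(alice, laptop, source))  # healthy device, just needs MFA
    print(evaluate(alice, byod, source))    # denied, with every reason listed
```

Two design points carry the usability argument. Denials are checked before the MFA step-up, so a user on a device that will be refused anyway is never asked for a second factor first. And the decision is made per request from current device posture rather than from network location, which is what lets the same person reach the wiki from a personal phone and the source repository only from an enrolled, encrypted laptop.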
After your employees have validated their credentials and gained the appropriate access, usable and only lightly visible defenses can still protect company resources. For example, most of your employees use email to communicate with others in your company or with customers, to share promotions or respond to inquiries. You can put measures in place that inspect the content of emails before they even reach inboxes. This removes the burden of deciding what is safe versus malicious from your employees and customers, and your employees can be confident they are sharing legitimate information and resources with others.
Tools for your security practitioners can be focused on providing visibility into the security state of your organization, but they need to be usable as well. When your organization is under attack, every second counts. Your security team needs to know exactly what is going on with your infrastructure, network, and applications. To do so, they often use a wide array of security tools. But the data is frequently scattered across different dashboards or has to be exported into yet other tools, slowing and complicating security investigations. Many tools also bombard security practitioners with alerts, false positives, and additional noise.
To add to the complexity, many security tools provide visibility into the security issue but offer no insights into how to solve the challenge or automate a response to a similar problem in the future. Security practitioners struggle with getting visibility not only into security itself, but also into the actions of other internal teams. Many organizations are siloed, and individuals responsible for security don’t always report to a CISO or a single organization. You may have people responsible for the security of different parts of your organization who don’t always give their counterparts visibility into their own projects, security practices, or security hygiene. Piecing together security information from tools and peers then becomes normalized. But security practitioners deserve tools that provide clear visibility into security risks and suggest the best methods to resolve the issue and the appropriate roles to involve.
Keep reading: our security whitepaper details how we utilize ongoing trainings and company-wide events to build an inclusive security culture
Our security philosophy
At Google Cloud, we recommend that your security team has maximum visibility and usability with a centralized security management tool. This tool can help your team get quick insights into the security state of your distributed infrastructure, and recommended actions to reestablish security. This tool can allow your security practitioners to see misconfigurations, vulnerabilities, compliance violations, active or past threats, and even information from integrated third-party tools. This information can help provide a complete assessment of your security state and prevent unwanted behavior.
Enterprises today can balance security and usability along a spectrum. At one end, customers and others that support your business (like cloud providers) experience or provide security measures that are highly usable with low visibility into your security procedures. In the middle of the spectrum, internal employees also get usable products, but with higher visibility into the security. To stay productive and serve their customers, they need to interact with your security to validate their identities or objectives. At the far end of the spectrum, security practitioners need security products that are highly usable, with the highest levels of visibility into the security state of your organization. This will help them better protect against, detect, and respond to adversaries. With each part of the spectrum having the right levels of usability and visibility, your enterprise can ensure its security while providing a frictionless experience for your users.
Watch the 2021 Security Summit on demand to learn how you can solve for the future of cloud security.