The Case for Building Identity Security into Enterprise UX Design

March 8, 2022 CyberArk Blog Team

People expect nothing short of exceptional from their personal tech experiences. Yet these lofty, consumer-driven standards haven’t really applied to work-issued technology until recently. Now with ample work-from-anywhere time under their belts, workers are demanding more of the enterprise applications they use to do their jobs. And if user-centric Identity and Access Management (IAM) protections aren’t integrated tightly into enterprise software design, overall product security and quality will likely suffer.

The Evaporating Expectation of Constraint Is Why Security UX Needs an Overhaul

We recently spoke with Brandon Traffanstedt, CyberArk senior director, field technology office, and Khizar Sultan, CyberArk senior director, IAM product strategy and solutions, about business end-users’ shift from what Traffanstedt calls “the expectation of constraint” — and what it means for enterprise software design.

“Maybe your work computer was slower than your devices at home. Maybe you had to change your password every month. But we were mostly okay with it — our brains were wired to accept that when we entered the office; we’d sit down and slow down,” he explains.

But then came the pandemic and the remote work scramble. “If end-users couldn’t get their work done in typical fashion, they improvised, which often meant subscribing to new SaaS applications or taking security shortcuts like reusing the same passwords,” explains Sultan.

After all, he notes, people were at home where they felt safe and accustomed to fast, convenient technology experiences — from streaming movies to gaming to shopping online. Soon, this mental disconnect between corporate constraint and uninhibited technology freedom began to evaporate, and workers began to expect more.

Want to Create a Better Security UX? Start with the End-User

Many enterprise software providers are wisely tracking this push for more flexibility, especially as it pertains to security design. At the same time, they’re rearchitecting security mechanisms to surround individual identities, recognizing it’s now the only practical way to protect system components and data from misuse or harm.

These technologists understand that if end-users can’t easily access or use their applications because of constant requests for re-authentication or blocked access to things they legitimately need, they’ll find ways around IAM protocols. Sultan points to downloading rogue applications or providing the second factor for multi-factor authentication (MFA) without question as common “knee-jerk responses” to access fatigue.

It comes down to “anticipating barriers and removing them,” says Traffanstedt. And that means putting yourself in the end-users’ shoes. Take developers, for example. “These modern power users are operationally minded by default and have to move quickly, so they can be very enterprising when it comes to security workarounds,” he says. They won’t accept constraints, such as proving their identity repeatedly to gain access to resources they need to use regularly.

Overcome Three Common UX Concerns Through Intelligent Security Design

That’s where Identity Security comes in, say Traffanstedt and Sultan. Building technologies that secure access at just the right time, regardless of device or location, into application design can help meet these common user experience (UX) expectations:

1. Eliminate Friction from My Day

End-users need easy access to key applications, data and services. What they don’t need is to juggle more passwords. Bringing real-time attribute and behavior-based context into authentication processes such as MFA and single sign-on (SSO) can help eliminate unnecessary “check points” that slow end-users down — while helping their organizations decrease overall reliance on problematic passwords and credentials.

As Sultan explains it, “Artificial intelligence and machine learning enable a more open-world work approach by baselining end-user habits and activity and dynamically adjusting authentication measures based on risk.” For instance, if a worker typically accesses the same resources from the same IP address at roughly the same time each day, authentication requests can be automatically scaled back to the minimum. If a deviation is detected from this “normal” behavior, access can be restricted until a stronger round of authentication happens.
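The baseline-and-deviation decision described above, as an added example that is not CyberArk's code or product logic. It uses fixed rules in place of machine learning, and the level names, thresholds and sample addresses are assumptions.

```python
from dataclasses import dataclass, field

MIN_HISTORY = 5      # assumed: logins needed before the baseline is trusted
HOUR_TOLERANCE = 1   # assumed: "roughly the same time" means within 1 hour

@dataclass
class Baseline:
    """Per-user record of the IPs, resources and login hours seen so far."""
    ips: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    hours: list = field(default_factory=list)

    def learn(self, ip, resource, hour):
        self.ips.add(ip)
        self.resources.add(resource)
        self.hours.append(hour)

def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def decide(baseline, ip, resource, hour):
    """Return (auth_level, reasons) for one access request."""
    if len(baseline.hours) < MIN_HISTORY:
        # Cold start: no trustworthy baseline yet, so relax nothing.
        return "standard_mfa", ["insufficient history"]
    reasons = []
    if ip not in baseline.ips:
        reasons.append("unfamiliar IP address")
    if resource not in baseline.resources:
        reasons.append("unfamiliar resource")
    if min(hour_gap(hour, h) for h in baseline.hours) > HOUR_TOLERANCE:
        reasons.append("unusual time of day")
    if not reasons:
        return "minimal", reasons        # matches baseline: scale prompts back
    return "step_up_required", reasons   # deviation: restrict until stronger auth

def demo():
    # Constructed history: one user, same IP and resource, around 09:00.
    b = Baseline()
    for h in (9, 9, 8, 9, 10, 9):
        b.learn("203.0.113.10", "crm", h)
    return [decide(b, "203.0.113.10", "crm", 9),
            decide(b, "198.51.100.7", "crm", 3),
            decide(Baseline(), "203.0.113.10", "crm", 9)]

if __name__ == "__main__":
    print(demo())
```

Call `learn` only for sessions that have already passed authentication, so that an unverified session cannot add its own IP address or hours to the baseline.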

2. Keep Me in the Loop

While ease of use should be the goal, Traffanstedt is quick to point out that less friction does not equal less information. If an end-user is granted just-in-time privileged access to do a job, for example, they need to be informed that their privileged session activity is being recorded.

“People don’t want to jump through security hoops, but they do need transparency about systems in place and confirmation that they are working,” he says. This confirmation can be as simple as a pop-up that lets the user know, “‘Hey, we automatically took care of authentication for you. Isn’t that cool?’”

Judicious security controls and more transparency also go a long way toward strengthening an organization’s security culture, one in which end-users feel empowered but also understand that vigilance and security are now part of everyone’s job.

3. Show Me Your Support

In such a competitive job market, employees expect more than just fair compensation and meaningful work. They’re also looking for empathy — an employer that prioritizes well-being across multiple dimensions. In fact, 83% of employees say they would leave their organization for a more empathetic employer. And sometimes, it’s the more subtle aspects of workforce empathy that can make a big impact.

A key example: ensuring that technology serves as an enabler, not a barrier, for employees doing their jobs, especially at a time when 78% of remote workers say technology issues related to connecting to corporate systems and resources are their biggest hurdle to doing their jobs effectively.

Corporate leaders who prioritize the improvement of employee experiences can gain a true ROI on empathy as it pertains to product innovation and employee engagement. And security leaders concur: 86% say end-user experience optimization is “important” or “very important.”

Embrace Identity Security to Elevate Experiences

Real-time intelligence and analytics make it possible to infuse user-centric Identity Security policies into enterprise product design. This not only empowers workers to perform at their full potential, but it also shows their employers care enough about their success to protect them from threats that could undermine their hard work.

The ability to simultaneously enhance customers’ security postures, strengthen employer-employee connections and exceed end-user expectations is a powerful competitive differentiator for technology providers. And that, agree Traffanstedt and Sultan, means a world of opportunity for the companies that can rise to the occasion and deliver on a brand promise that connects directly to exceptional, highly secure experiences.
