Cybersecurity by Design is the closest thing EPAM has to a philosophy of security. “To stay ahead of an ever-evolving battle against cyber attacks, security must be architected into every facet of your business—building resilience from the ground up and putting trust at the center of the modern, digital enterprise,” it says on the EPAM.com website. “You need security as pervasive as your cloud, security that matches the pace of agile development, security designed into your enterprise systems.”
In other words, what Sam Rehman, our Chief Information Security Officer and SVP, and his team do is normalize and universalize the practice of security; they encourage defensive thinking and teach that security is everyone’s responsibility within our organization for our clients. As the executive producer of the EPAM Continuum Podcast Network, I’ve often heard Rehman talk about this idea. It’s time to take a closer look.
Consider the phrase “by design” in the context of cybersecurity: What does it mean? On the one hand, it demonstrates our zero-trust commitment to being intentional and thorough about security throughout the software development process. “To design something, you have to first pull yourself out of the domain—look at it from one side (need) to the other side (practice/tactics/what’s possible),” says Rehman. “Immediately, it forces the thinker to put security as a foundation, not an afterthought.” The phrase also carries a sense that design—experience design, digital design—is a critical element here. Understanding how users think and feel, do and don’t act, is essential to creating and maintaining a necessary level of security.
There are two questions to ask: (1) What’s the current relationship between design and cybersecurity by design? and (2) What should it be?
Customers and businesses generally operate under the assumption that faster and smoother is always better. Friction, in this narrative, is never not the enemy. Many see the job of designers to locate and eliminate friction’s grip. As the CEO of Box once wrote: “If you’re making the customer do any extra amount of work, no matter what industry you call home, you’re now a target for disruption.”
But friction is not an absolute villain. In the world of security, it can be an ally—or even a hero. The security perspective recognizes that our digital lives aren’t just composed of friendly users (customers and employees) and their software. Security professionals know that there are bad actors, lots of them, who seek to steal data and cause mayhem at every scale... and that they’re becoming more dangerous in the era of generative AI.
Friction is not an absolute villain. In the world of security, it can be an ally—or even a hero.
“The trick is how to create friction for attackers, but not for users,” says Rehman. “Most designs fall short—clump the two together. ‘If I make it hard to log in, then it will be hard for the attacker too, right?’ Right, but not right. Right if the attacker takes the same path—a huge assumption. But the side effect is: Good users will now want to circumvent the controls! This is in the data, which shows that most users will try to ‘cheat’ for ease of use, and hence create a much bigger problem.” Users get acclimated to disrespecting the systems, he says. This allows attackers to manipulate them into doing things that are obviously not kosher. It’s a function, Rehman says, of how “rigid and unreasonable the system is.” It’s a very complex balance.
One thing is certain: Systems must be designed to make things as difficult as possible for the bad guys. Hackers, it turns out, are users, too. Making their lives a challenge is a central part of the contemporary security game. This is the opposite of the remove-the-friction ethos. Cybersecurity could be described as a shadow form of experience design.
Let’s call this the hacker experience or, ahem, HX. In a 2020 Silo Busting podcast, Rehman says, when it comes to dealing with bad actors, it’s a matter of raising security “up to a degree that the hacker would actually have to work really hard” to get into a system. Maximize friction for these malicious users. We’re talking about the opposite of design’s favorite buzzword, empathy. We’re talking about entropy.
Entropic design is the right approach for hackers. “LOE + Risk vs Yield is always the equation,” he says, summing things up for us non-security professionals. LOE is “the level of effort needed by the attacker to achieve an objective.” Risk is “the risk of getting caught, and how hard it is to evade capture.” Yield is “the value of the hacker’s objective. Could be an asset. Could be an actual monetized transaction. Could be bragging rights.”
Rehman says that “from a cryptography perspective, entropy is always our friend.” In a podcast with Anshu Sharma, CEO of Skyflow, Rehman notes: “Cybersecurity shines in entropy,” adding that it creates a lot of “small, time-based, sensitive information.” This, he says, allows us to confuse the hackers, “making sure that whatever you present and had to expose had a limited time to live. That reduces your blast radius substantially.”
As far as consumers go, they will, yes, want as easy an experience as possible. But, as it says in this 2019 blog post, too much of this can have an adverse effect: “Removing every obstacle from the customer experience makes businesses into snowplow parents and doesn’t necessarily allow a customer to feel like he or she has achieved something meaningful. Which isn’t, we recognize, good for anyone.”
It’s also worth noting that, in recent years, thanks to a pandemic, myriad hacking stories in the news, and hours and hours of requisite cyber training, consumers have started getting smarter about security. In 2020, TechRepublic wrote: “Two-factor authentication is necessary no matter how inconvenient users think it is.” Today, 2FA has become a more mainstream experience, one that feels, to many users, not like an annoyance but as a reassurance. After the pandemic, many people have learned that there is value in going slightly slower.
But not too slow. That would be bad UX. Speaking of which: One of the major, regular, annoying speed bumps in our digital life is, as we all know, passwords. We all hate them. Rehman says, in a conversation with Mandeep Khera, CMO of SecureAuth, on Silo Busting, that people make passwords too easy. Then they’re told to make them more complex and difficult... and they write them down, even though they’re told not to. Say no to reusing passwords, and they do anyway. “You really almost can't blame the user, right?” says Rehman.
Hackers, it turns out, are users, too.
“Ultimately when we design these security protocols we have to think about human behavior and motivations as much as software architecture,” says Alison Kotin, a Director of Innovation Consulting at EPAM Continuum and a frequent podcast host. “A significant percentage of hacks begin with employees or users sharing their credentials with bad actors unwittingly through phishing scams or other kinds of social engineering. Part of cybersecurity’s job today is to help people be savvier about what and how they share, which is as much (if not more?) about social expectations and relationships than it is about onscreen touchpoints.”
Which is why organizations and security people are hot on the idea of a passwordless experience.
Passwordless, of course, is a complex challenge and difficult to execute. One path to an effective passwordless system, says Khera, is behavioral monitoring or behavioral analytics. Knowing about a user, and that user’s behavior, is key to ditching passwords. “We know who Sam is, where he's logging in from every day. What's his behavior?” What types of applications does he go into?” With this approach, he says, if Sam goes to the Bahamas and starts accessing his apps, it’s time to create some friction.
Khera’s idea that friction can be applied in cases that warrant it—in which suspicious behavior appears—makes sense. Of course, in order for this to work, a user needs to allow for a considerable amount of surveillance. As Kotin says: “Conversations with users tell us that people tend to assume their behaviors are already being tracked by the entities they do business with.”
The question is: Can a fingerprint on a smartphone solve the problem? Many organizations and security providers are pushing for the idea of a biometric-based, passwordless experience.
“Relying on the biometric on the phone,” says Shaked Vax, Co-Founder and Chief Product Officer of Anonybit, on our podcast. “That creates a bit of a false sense of security.”
He notes that a biometric on the phone is really not validated against who it belongs to. A fraudster could obtain a user’s credentials and go through an account-recovery- or new-device-enrollment process, connecting my own attacker biometric to your account, “and then it's game over,” Vax says.
We need to design for how these touchpoints fit into people’s broader lives to help our users build habits that will keep them safe online.
Rehman says, “You truly want to identify and bind that to the end user.”
Which brings us to Rehman's summation, in an article titled “A Passwordless Future”: “As brands transition to passwordless, biometric models, they must remember the user experience. Passwordless authentication processes should be convenient and natural.”
The thing to remember is, “convenient and natural” mean different things to different people.
“It’s a question of experience design—not just what’s happening on the screen, but the behaviors and relationships that surround those interactions,” says Kotin. “We need to design for how these touchpoints fit into people’s broader lives to help our users build habits that will keep them safe online.” And she’s absolutely correct. Listening deeply to what people want and designing against that is essential.
As Rehman writes: “When selecting a solution (in addition to finding one with multi-factor authentication and a decentralized network for data storage), choose a vendor that offers multiple modalities that cater to different populations.”
Creating layered security experiences that really take users’ differing needs into consideration? I’d call that Cybersecurity by Design.
About the Author
Ken GordonChief Communications SpecialistKen makes EPAM Continuum’s work visible to the necessary people. He creates superlative content, works with colleagues to do the same, and employs social networks to share it widely.
A card-carrying humanist, Ken co-founded QuickMuse, the improvisational writing website, and JEDLAB, the Jewish education community. He has written for TheAtlantic.com, the New York Times, and many other pubs.
Ken has an English degree from the University of Massachusetts at Amherst and an MA in English from the State University of New York at Albany. He framed both diplomas long ago, but can’t seem to find them now—a fact he considers all-too-human.
More from Ken Gordon
