Balancing Security and Usability in Enterprise App Development
The importance of security can never be understated in today’s age of big-time security breaches, where cyber-criminals strike at will. However, the enterprise app development team needs to make sure that the security does not impede usability, or in other words, security is not self-defeating.
Most apps and solutions tap into the corporate database and handle sensitive data, including personally identifiable information. The implications of a breach can be ruinous and even sound the death-knell of the company. However, at the same time, today’s demanding workforce and highly pampered customers seek intuitive and easy-to-use apps. Customer satisfaction is critical to the survival of the app.
The conventional approach to security is akin to adding more number of locks to the door of a house. While it makes it difficult for thieves to penetrate such a house, it also makes it difficult for the occupants themselves to enter. In the digital world, forced to log in every time, forced to log in first into the device, then log into the software, and then enter a transaction password, being forced to change all these passwords once every two weeks, being said the password is not long enough or was used previously, and more, all strengthen security, but are major irritants and impede usability greatly.
Here are some ways to balance the security-usability conundrum, or ensure security does not end-up self-defeating the very purpose of the app.
Implement Security by Design
The best approach to security is “security by design” or co-opting security during the development process itself.
When security is embedded into the planning, design and implementation phases, developers may code with security in mind, use secure frameworks, and co-opt security testing a part of the app development process.
Adding security layers at a later stage makes the entire process awkward, and hinders usability. Often tweaks have to be affected, and well-written code redone. The analogy is to manufacturing a door with a single tamper-proof deadbolt lock built-in, as opposed to adding multiple locks after the door is installed, to get the same strength.
Collaborate with all Stakeholders
App developers need to collaborate with security experts and business managers, to assess the security risks and determine the best solutions to solve underlying security issues.
If bringing the security and development team together is a challenge, establishing common ground is an even bigger challenge. Developers seek to make things as easy as possible for their customers or users. The security team remains obsessed with the safety of data, often with the attitude if someone has to wait a few extra seconds to access the data, so be it. They remain oblivious to the implications of the harried customer moving on elsewhere rather than wait or put up with a convoluted system. Google usability studies reveal even a tenth of a second delay in an app’s performance adversely affects the user experience.
A collaborative team effort, where every stakeholder is part of the prototype, design, and testing tasks make finding a common ground and workarounds easy. For instance, with a security team in the mix, developers will no longer have to figure how to securely connect to the enterprise every time they build an app. Inputs from the security team would help them build a secure connection, VPN or otherwise, which may even be reused for other apps. In the same way, security could design a secure way for users to log into these apps.
Opt for Hardware-Based Authentication
Developments in hardware technology offer an effective antidote to security vulnerabilities, without having to compromise on usability. A case in point is Apple’s Touch ID fingerprint scanner and compatible Android systems. By deploying such hardware-based security and authentication, users do not have to wrestle with irritating passwords, and developers are spared the cumbersome work in securing data and authenticating users through the application code. It also leads to faster development lifecycle and a much cleaner code.
Limit Availability of Sensitive Data
If data is not there to be stolen, it won’t be stolen.
Businesses would do well to reconsider their business model and limit the availability of data online only to the minimal extent required. Hypersensitive data may be stored in impregnable silos, using military grade authentication, quite contrary to the much-touted logic of eradicating silos to facilitate big data analytics. Only the data required for analytics may be released, on a need-basis.
Developers could also make use of Security Information and Event Management (SIEM). SIEM collects security log events from numerous hosts connected to the enterprise servers, to identify normal patterns. An abnormal usage pattern triggers alerts, and even lockdowns, safeguarding the data. At the same time, normal, routine usage is allowed unobtrusively. The challenge lies in the complexity of configuring the SIEM.
Leverage the Power of Simplicity
Leverage the power of simplicity. Simple apps, with a minimalist design, and lean coding are not just easy on the users but contain lesser vulnerabilities. Such a set-up also minimize the chance of users doing anything to compromise security. A case in point is Amsterdam-based Usabilla putting in the minimal security necessary, and nothing more for its consumer feedback service. The simplifying services and features encouraged users to follow the right path rather than take actions having potential security implications.
Hire Competent Developers
Often skills gaps, poor planning and poor understanding of the business model by the developer aggravates the usability-security conundrum. Hiring competent enterprise app developers, who have considerable experience and exposure to the business, who are able to work closely with business managers, and who are able to deploy the best tools and techniques of the trade, is the key to develop highly intuitive apps, which are highly secure at the same time.