Security is Usability — Examining Cybersecurity Erosion

It's often said that humans are the weakest link in security and social engineering is easier than hacking. This is true — but there's another facet that isn’t discussed enough: when the security design causes friction, the system will deteriorate and lead to gaps over time due to user action (or inaction).

Great security solutions rarely fail on technical merits, but rather on human ones. However, it is possible to avoid this with security design which focuses on usability. The two — security and usability — do not need to be opposing forces.

• We’ll cover several aspects of this topic:
• Security is usability to avoid cybersecurity erosion
• Why do we care about cybersecurity erosion?
• What are some design choices to mitigate cybersecurity erosion?
• Actionable takeaways

Security is usability

This is a key pillar of Pomerium’s security philosophy: you’re only as secure as your least compliant user.
The concept flows naturally into why some solutions suffer from what we call “Cybersecurity Erosion”: the solution’s architecture is technically sound but the design causes user friction and frustration, which in turn results in users looking for ways to overcome, go around, or even ignore the solution itself.

This is tangentially related to the concept of “Sustainable Security” covered by Sam Ainsworth. It’s a pervasive trend: even when correctly implemented, many security solutions degrade over time due to human factors. The designers simply didn’t take into account how the human element would erode the security solution over time in pursuit of “efficiency.”

As for why coin a new term, it’s because Sam Ainsworth’s coverage focuses specifically on a system’s technical aspects while this piece will focus on the system’s usability when it comes to user experience. In the end, security is usability.

If the security system gets in the way of productivity and workflow, even the most technically sound solution will erode as the human element seeks to navigate around the system or even take it down, piece by piece.

Here’s a few all-too-common examples:

• Decision-fatigue: When users are bombarded with frequent alerts and notifications, they become desensitized. Many users tend to end up muting alerts and other notification screens, which directly weakens the system.

• Password-fatigue: Without Single Sign-On (SSO), users juggling many passwords may resort to reusing them, compromising security. Password managers solve the interim problem but cause decision-fatigue when frequent prompts lower user acuity.

• Inconsistent best-practices: A good example is network segmentation. When DevOps teams become too inundated with resource requirements and start cutting corners on network segmentation by not segmenting correctly or even adding new applications to existing network segments instead of creating isolated networks. The best practice isn’t followed, resulting in cybersecurity erosion.

• Misapplied Access Control: In a rush, developers may incorrectly implement OpenID Connect (OIDC), creating vulnerabilities.

• Client-based access: From usability to performance and reliability problems or even being considered unnecessarily invasive, client-based solutions add friction in the form of human design issues.

Why is cybersecurity erosion bad?

Let’s jump right to why it’s a concept worth discussing alongside “security is usability”. It’s impossible to ignore cybersecurity erosion as it has familiar costs and consequences:

• Management overhead — Architecture requiring constant upkeep due to overhead will face de-prioritization or languish as resources are re-allotted or cost-cutting measures come into place.

• Security friction — Security is often seen as a productivity inhibitor, but it doesn’t have to be designed that way. When users find security measures to be in the way of their workflow, they inevitably look for alternative pathways in search of a more efficient user experience. As a result, security teams begin viewing internal users as a problem to be managed, and the organization suffers internal conflict.

Neither symptom should be new. However, attributing these symptoms to a root cause of architectural design is new. When viewed in this manner, the following questions become relevant:

• Why are we choosing between security and cost-reduction? If the security system is designed to minimize overhead and resource-drain, all discussions around efficiency in the future only need to ask if the organization is still maintaining the highest security posture with the minimal upkeep costs.

• Is there security architecture that doesn’t inhibit workflow? Minimizing user frustration should be a new key objective when evaluating the existing security infrastructure. The architecture should keenly focus on smoothing out the user’s experience to avoid cybersecurity erosion. Otherwise, the safest security solution in the world will only be dismantled over time.

Tangibly, this means forward thinking organizations must evaluate solutions based on how well they’ll last, which often involves asking how it affects internal productivity and workflow. The fundamental architecture should actively avoid:

• Frustrating the user. Any amount of workflow friction will lead to users trying to overcome the access control measures over time. The water of rivers will erode even the most durable stone, so the best answer is to design for the user’s workflow of least resistance.

• Being difficult to implement. Access control isn’t implemented just once, but continuously over time as the organization grows and expands. When new environments or applications are created, the security should be easy and straightforward to implement to minimize mishaps. The system should not be overly prescriptive with implementation or you risk the practitioners being forced to architect around it.

• Being difficult to maintain. No system can avoid needing maintenance, but it can be architected to either minimize the maintenance or enable a straightforward maintenance cycle. You never want your system to fail because the practitioners were overwhelmed by maintenance overload.

Tackling cybersecurity erosion with usability-first

Let’s share some of our successful learnings when designing for usability to mitigate cybersecurity erosion.

• Clientless access
• Speed and latency
• Simple configuration

If you’re only as secure as your least compliant user, then we need to design accordingly. Thoughtful consideration for how users interface and interact with the system will pay long-term dividends for sustainable security.

Clientless access
Ask any user how they want to use the internet; does “logging into a client” make it into their preferred user flow? No — they usually say some form of “open the browser, type in a URL, hit enter.”

You need to minimize the amount of obstacles between users getting what they want, or they’ll look for ways around it. This is why we made clientless access a key Pomerium feature from the outset instead of as an after thought. For end users, this core feature translates to improved productivity and reduced costs for their business through:

• Reduced user friction: No client, no additional hoops to jump through. Additionally, removing the need to memorize an additional set of credentials for logging into a client reduces user burden.
• Minimal management burden: Removing the need to install and update a client across all user devices lightens a burden for IT management. If there’s nothing to misconfigure or forget, then there’s nothing that can be eroded.

Security is usability. There is no better way to design around cybersecurity erosion than to remove all semblances of the obstacle itself. With clientless access, most users don’t even know they’re going through Pomerium’s access control measures when accessing resources! As a nice bonus, this results in more productive employees when time is not lost dealing with clunky clients. This simple principle embodies the concept of security without friction, meaning the security team’s mandates are aligned with the company’s core desires for increasing productivity.

Speed and latency
This is specifically about your access control solution: Is the connection fast and does it minimize latency?

Let's face it, slow connections and lagging applications are productivity killers. Every second wasted waiting for a page to load or an action to register is a second stolen from your workday. Across a large organization, these delays can add up to significant lost hours.

That's why Pomerium prioritizes speed through a design enabling edge deployments. This minimizes latency and ensures a smooth, responsive experience. We've seen real-world results: helping Fortune 100 organizations slash latency from a sluggish 1.5 seconds down to a snappy 20 milliseconds.

Simple configuration
In today's fast-paced development environment with continuous integration and deployment (CI/CD), security solutions can become bottlenecks. Developers are constantly adding features and updating applications, and security needs to keep pace.

Gone are the days of one-time cybersecurity infrastructure deployments. As companies evolve, they find themselves constantly integrating their security solution with new acquisitions, expansions, and even mergers. This integration process can be a vulnerability minefield as traditional security implementations often require significant infrastructure changes, leading to misconfigurations and security gaps.

Traditional security solutions often require complex configurations that can introduce room for errors. This is especially true when deploying at scale in a CI/CD world. Even a seemingly small error rate, like 0.1%, can leave hundreds or even thousands of applications vulnerable. This cybersecurity erosion becomes a major liability over time, and we once again find the root cause to be: usability.

So what did Pomerium do differently to address this? We worked backwards from what we believe first principles are for what adding security should look like:

• Error-Proof: Minimize the potential for human error during implementation, preventing disastrous security breaches.
• Seamless Integration: Integrate seamlessly with existing infrastructure without forcing disruptive changes.
• Effortless Testing: Simplify testing for potential misconfigurations and ensure a smooth security posture.

This was a difficult problem to solve. How can we offer a solution that allows companies to simply "add" security without disrupting their operations? We saw that many providers required extensive reconfiguration of existing infrastructure to fit their model. This created unnecessary complexity and discouraged adoption. Additionally, their implementation processes were often cumbersome and time-consuming.

In the end, our architectural model enables the following:

• Deployed at edge: A key feature of Pomerium is being able to be deployed however you want it onto any existing infrastructure with minimal changes. The fewer parts that need to be moved, the better.
• Programmatic deployments: We provide an API and SDK for developers so access control is being added the same way they would ship code. This achieves our goal of minimizing the potential for human error and misconfigurations.
• Unified access controls: Because Pomerium is already greenlit by the security team, the only necessary tests are whether Pomerium was correctly added in front of each application. These application-centric deployments should have no security gap because they are shipped with the company’s pre-defined access controls.

This architectural decision ensures the solution serves the organization, not the other way around.

Actionable takeaways for any organization

• Evaluate your cybersecurity system for sustainable usability or potential erosion.
• Explore replacements which prioritize usability in its design to minimize erosion.

As your organization grows and evolves, it's crucial to ensure your cybersecurity doesn't become brittle and prone to gaps. Here's what you can do:

1. Conduct a Cybersecurity Sustainable Usability Audit: Take a close look at your current security system. Is it designed to adapt to changes and integrations, or does it require frequent updates and adjustments? Identify points where misconfigurations or gaps could occur during deployment or modification.
2. Explore Erosion-Resistant Solutions: Research options that prioritize a secure-by-design approach — for humans. The point of this write-up is to emphasize the importance of minimizing human deviation factors in your organization’s security system. This means looking for solutions designed to be secure without interfering with users or adding to the IT team’s burdens.

Liked what you read about Pomerium?
Pomerium’s design results in sustainable and usable security without cybersecurity erosion.

DevOps teams only need to configure Pomerium once through Zero then give API access to development teams. Developers can then add Pomerium’s access control and deploy to production with full confidence that the company’s security policies are being enforced. Finally, users can now access applications using the browser just like they would with any other website while Pomerium continuously verifies each action against identity and context.

Beautiful, isn’t it? We invite you to try out Pomerium today!