Consumer Grade UX Design That Respects Highly Secured Enterprise Software Requirements

One common problem in user-centric software design is that security requirements are often in direct conflict with your UX design goals. For UX design, one of the fundamental tenets is “know thy user”, and not all user demographics are equal in terms of their technical sophistication and needs.

If you are designing your software systems and UX to target B2C and B2B clients, a commercial product-led growth model, which demands extreme simplicity and usability, is necessary. On the other end of the spectrum, high-security clients running on-prem software with IT management controls enabled must also be accommodated. In between these two groups, you must meet the security needs of small and medium enterprises, large high-security commercial enterprises, and very high-security FedRAMP environments. Your UX design teams and software development teams will have very complex challenges in front of them when considering the various needs of these groups.

Fundamentally, we must combine the progressive disclosure of UX and the progressive degree of security with as little compromise as possible. To do that, we must solve product development operation problems as well as engineering, architecture, and UX design problems. The entire organization needs to prioritize a design-conscious mentality as well as a security-conscious mindset.

Deep security engineering knowledge and know-how is often highly concentrated among a small group of engineers in a product development organization of any size. In addition, developers with both a cross-disciplinary understanding of security needs and knowledge of engaging, simplified UX design can be scarce. For the development of product features with complex security elements, the trio of engineer, UX designer, and product manager must be well coordinated to maintain a strong understanding of the user aspects of the security requirements. In addition, it is prudent to have early engagement with your software security architects to develop a shared understanding of the security implications of any planned updates.

Here at Bluescape (https://www.bluescape.com/), one recent example of this process was encountered while redesigning workspace-sharing capabilities. Our business needs require us to ensure that workspace sharing can handle standard data share patterns, nuanced enterprise sharing, social sharing, and highly restrictive sharing/access control use cases for our on-premises customers. The UX model along with data and user security needed to consider the following items:

  1. Role-Based Access Control (RBAC): A well-established pattern that is common in most SaaS software. However, in enterprise use cases this can be highly nuanced.
  2. Social sharing, which involves anonymous user access, data lifetime, and other considerations
  3. Time-based access controls
  4. For highly security-sensitive enterprises, granular IT admin controls of data, enterprise resources, users, and auditability
  5. For federal customers, establishing externally configured and controlled additional access and user roles

As we designed our UX model, we had to ensure that average users were not overwhelmed with the complexities required by the advanced and highly security-sensitive needs of enterprises or federal customers. By building and encouraging a well-connected team of developers and UX designers, we at Bluescape have been able to make major UX improvements for all users without overwhelming our less security-minded clients with complex systems and methods of sharing access to collaborative material. We understand that sharing is of paramount importance to all users, and we strive to maintain methods of sharing that are both secure and simple. This ensures that a single solution can benefit a variety of user groups, from the most security-conscious organization to the typical consumer.
Rupen, thanks for sharing!

It's amazing to see how Bluescape has been able to successfully design consumer-grade UX with high enterprise security. It's a testament to the team's hard work and dedication. I'm curious to know more about the specific strategies and technologies used to achieve this. #ux #security #enterprisearchitecture #enterprisesecurity #remotework #hybridwork