How often does the Security team directly influence customer growth and user experience for the business? Unless it’s for a security or privacy product or component, the answer is rarely.
Securing the product tech stack, protecting customer data, and keeping the business ahead of those who might seek to disrupt or do harm are must-dos for any organization, rather than serving as a direct element in the customer journey. On top of those core functions in our Security program, Security at DigitalOcean puts customer experience at the forefront by fighting to keep our compute and network free from the degradation brought on by abusive behavior.
Security’s focus on the customer starts at the very beginning of a customer's journey on DO, as we’re the designers of fraud and abuse detection throughout the journey. We want to share some of what we’ve learned in fighting internet-scale fraud and abuse, while maintaining focus on customer experience.
Monetizing Free Compute
It’s no mystery to any internet-faring human that for all the magical wonder the internet has created, there’s a lot of bad that happens. From the truly heinous and harmful, to grey market activities like click-farming, the malintended will find a way to put an internet-connected computer to use, most often in pursuit of money. As cloud infrastructure has exploded in popularity over the past decade, so has access to free computing: free trials, free tiers, and pay-after-use mean a low barrier to accessing computing power. Great for marketing, but quite the challenge for security.
Solving for fraud and abuse at scale means identifying and counteracting the economics of how computers are monetized for harm. The challenge in that game is counteracting only harm without creating a poor experience for well-intended customers. The problem statement is actually relatively straightforward: reduce harmful impact on the internet, protect the bottom line for the business, and help good customers grow as fast as possible. Simple, right?
Laying Down The (Transparent) Gauntlet
Hyperscale cloud providers have the benefit of a high-spend target market in the realm of massive legacy businesses shifting workloads to the cloud. At DigitalOcean, we’re out there for the individual developers, startup founders, small businesses, and new-to-the-cloud explorers of the world. Hyperscalers have the luxury of employing friction that focuses on capturing big business, where revenue growth is not tied to engaging a founder at an early stage.
The behaviors and expectations of these target markets are quite different, especially during a signup process. Larger businesses are used to some amount of friction; it’s part of how they operate in a regulatory environment. A captcha + email verification + payment verification + mobile phone verification during signup is not a drag on the customer experience. For DigitalOcean, many of our customers are just exploring what it takes to create a viable business, and we want to help them on that journey. Too much friction for some of these customers would certainly create an acquisition drag. Not enough friction, and we’re swimming in abusive behavior that ruins IP and business reputation, also a negative customer impact. It’s a delicate balance.
Like any good security strategy, we look to the onion: there must be layers. Starting at the core and building outwards, there are hundreds of knobs and levers to build that allow calibration for achieving an equilibrium. Hundreds of levers may seem like overkill, but in a world where shifts happen constantly in cybercrime tactics, privacy, payment methods, and monetization methods, stabilization requires constant shifting of weight on the balance.
Friction levers are built in throughout the customer journey, allowing for constant experimentation and optimization. From bot protection at signup, through traffic analysis for bad behaviors like spamming, we acknowledge two challenging truths: (1) we will never stop all the bad guys at the door, and (2) we will always stop some of the good guys. Stated differently, every piece of fraud and abuse tooling will be imperfect in that there is a false negative and false positive percentage. Many of the levers are designed in sequence, ramping up friction in a way that helps minimize potentially negative customer experiences. Without careful sequencing, signals can get lost between components.
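The following is an added illustration, not DigitalOcean's code: a "friction ladder" for a signup flow in which cheap risk signals accumulate into one score that is carried across every lever, so a weak signal from one component is not lost by the next. Friction only escalates as the combined score crosses a threshold, and an evaluator measures the false positive rate (good customers pushed into hard friction) and false negative rate (abusive signups that sail through) on labelled samples. Every signal, weight, threshold, domain name and sample signup here is constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Friction levers ordered from cheapest to most intrusive for a legitimate customer.
LADDER = ["none", "captcha", "email_verify", "payment_verify", "phone_verify", "manual_review"]
# Accumulated-risk thresholds at which each rung engages (assumed values).
THRESHOLDS = [0, 20, 40, 60, 80, 100]

# Constructed list of throwaway-mail domains; a real deployment would feed this from threat intel.
DISPOSABLE_DOMAINS = {"mailinator.test", "tempmail.test"}


@dataclass
class Signup:
    email_domain: str
    asn_reputation: float        # 0.0 (clean) .. 1.0 (heavily abused), from an assumed ASN lookup
    card_is_virtual: bool        # virtual cards are a common fraud tool, so they add (not decide) risk
    fingerprint_signups_1h: int  # signups seen from this device fingerprint in the last hour
    prior_abuse_reports: int     # confirmed abuse history tied to this fingerprint
    is_abusive: bool = False     # ground-truth label, used only by the offline evaluator


# Each signal returns a risk delta; none of them decides friction on its own.
def sig_email(s: Signup) -> int:
    return 25 if s.email_domain in DISPOSABLE_DOMAINS else 0

def sig_asn(s: Signup) -> int:
    return int(40 * s.asn_reputation)

def sig_card(s: Signup) -> int:
    return 15 if s.card_is_virtual else 0

def sig_velocity(s: Signup) -> int:
    # First signup from a fingerprint is normal; each additional one in the hour adds risk, capped.
    return min(45, 15 * max(0, s.fingerprint_signups_1h - 1))

def sig_history(s: Signup) -> int:
    # Confirmed prior abuse alone is enough to reach manual review.
    return 100 if s.prior_abuse_reports > 0 else 0

SIGNALS: List[Callable[[Signup], int]] = [sig_email, sig_asn, sig_card, sig_velocity, sig_history]


def risk_score(s: Signup, tighten: float = 1.0) -> int:
    """Sum all signals; `tighten` is a single global knob to scale friction up or down."""
    return int(tighten * sum(f(s) for f in SIGNALS))


def friction_for(s: Signup, tighten: float = 1.0) -> str:
    """Return the highest rung of the ladder whose threshold the accumulated score reaches."""
    score = risk_score(s, tighten)
    rung = "none"
    for lever, threshold in zip(LADDER, THRESHOLDS):
        if score >= threshold:
            rung = lever
    return rung


def evaluate(signups: List[Signup], hard_from: str = "payment_verify",
             tighten: float = 1.0) -> Tuple[float, float]:
    """Return (false_positive_rate, false_negative_rate).

    A good customer who lands at `hard_from` or above is a false positive;
    an abusive signup that lands below it is a false negative.
    """
    hard_idx = LADDER.index(hard_from)
    good = [s for s in signups if not s.is_abusive]
    bad = [s for s in signups if s.is_abusive]
    fp = sum(LADDER.index(friction_for(s, tighten)) >= hard_idx for s in good)
    fn = sum(LADDER.index(friction_for(s, tighten)) < hard_idx for s in bad)
    return (fp / len(good) if good else 0.0, fn / len(bad) if bad else 0.0)


# Constructed, labelled sample signups for the offline evaluation.
SAMPLE = [
    Signup("gmail.test", 0.05, False, 1, 0, is_abusive=False),      # score 2  -> none
    Signup("startup.test", 0.10, True, 1, 0, is_abusive=False),     # score 19 -> none
    Signup("mailinator.test", 0.50, True, 3, 0, is_abusive=True),   # score 90 -> phone_verify
    Signup("mailinator.test", 0.90, True, 6, 0, is_abusive=True),   # score 121 -> manual_review
    Signup("gmail.test", 0.20, False, 1, 0, is_abusive=True),       # score 8  -> none (missed)
    Signup("startup.test", 0.60, True, 2, 0, is_abusive=False),     # score 54 -> email_verify
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.email_domain:16} score={risk_score(s):3} -> {friction_for(s)}")
    for knob in (1.0, 2.0):
        fp, fn = evaluate(SAMPLE, tighten=knob)
        print(f"tighten={knob}: false positives {fp:.2f}, false negatives {fn:.2f}")
```

Turning the `tighten` knob up catches no more of the low-signal abusive account in the sample but starts pushing the legitimate, higher-risk-looking startup signup into hard friction, which is the trade-off the text describes: every setting has a non-zero false positive and false negative rate, and the ladder's job is to keep most good customers on the cheap rungs while the score keeps accumulating toward the expensive ones.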
Speed Is the Key To Balance
As when riding a bike, the faster you go, the more successful you’ll be at balancing. A fast pace of experimentation and measurement helps avoid major perturbations in the system. Waiting too long can allow attackers to dictate the pace, increasing the risk of an over-rotation that impacts good customers.
The risk / reward calculation in loosening or tightening a given piece of friction is constant. Approaches get stale quickly, and a thesis from even three to six months prior will often prove outdated. Attacker tactics change, global events (like a pandemic) can shift behaviors, and even how banks function changes (the rise of virtual credit cards, a favorite of global fraud, is one example); these shifts in the landscape dictate constant tweaking and tuning. To do this at pace, and at scale, components must be built in a way that allows for rapid tuning and, more importantly, rapid measured experimentation.
The DigitalOcean Security, Product, and Marketing teams continue to build, iterate, and optimize for this problem. It’s not just important for growth and customer trust, but also for the betterment of the global internet community. The problem will always exist, so it’s not a matter of if this is “solved”, it’s a matter of staying a step ahead.