Credentials Too Isolated

Sophos is a large cybersecurity organization with a suite of several security products. The Central Management Console existed as a hub and single access point, but the platform still relied on a fragmented approach where each product required separate credential configuration and individual management.

Credentials play a critical role in allowing products to interact with the user's infrastructure and third-party systems. They include username/password pairs, API keys, tokens, permissions, and other sensitive configuration data that must be handled securely.

Users frequently recreated the same credentials across multiple products. This redundancy increased operational burden and introduced security concerns because there was no centralized oversight of where credentials were used.

User Burden and Security Risks

User feedback confirmed that the existing approach created frustration and redundancy when managing integrations and automation tasks. Security experts also raised concerns about the risks associated with credentials being scattered across multiple products without a unified management model.

• Lack of high level overview: Credential audits and monitoring were left to each product and if supported would need individual review.
• More opportunities for error: By adding credentials separately there was a higher risk for misconfiguration and more steps involved in remediation.
• Consistency and Standards: Different products used different methods and would have an increased learning curve and potential for confusion.

A platform-level solution was needed to consolidate credential management while maintaining the strict security standards required for enterprise environments.

A Headstart from an Acquired Product

The coming changes were finally sparked by the acquisition of the DevSecOps workflow automation tool, Factory, which revealed a significant opportunity to leverage its credential manager for the rest of the Sophos offerings. Factory's version highlighted the benefits of a unified system, but it also underscored the inefficiencies of the existing system in the Central Management Console.

Since I was already familiar with Factory as its Security Operations UX Designer, my task was to design a Global Credential Manager that would start with this approach but extend to cover the rest of Sophos' user's needs. It would not only consolidate the management of credentials across all Sophos products but also enhance security and streamline user operations with new features. This system needed to be intuitive, secure, and capable of integrating seamlessly with the existing product ecosystem. This would also be a mutually beneficial first step that would align with a future project of integrating all of Factory's capabilities into the Central Management Console.

From Concept...

Gathering Insights

The project kicked off with in-depth consultations with security experts to align the design with the best security practices. I also gathered the feedback taken from Factory's implementation to dive deep into the users’ pain points and gather actionable insights. Shortcomings identified there would include:

• No Granular Permissions: A need to control what actions a credential can take.
• No Individualized Product Access: A need to control where actions can take place.
• No Bulk Management: A need for visibility of usage metrics, mass suspension and expiration options.

Visualizing Features

During these initial meetings I took inventory of objects and access paths, particularly what data and connections users would be interfacing with. By creating quick visuals on the fly while in discussions, stakeholders were able to understand how this might come together and have an easier time contributing requirements. After these sessions, wireframes and flows were presented to and agreed upon by the PM, security team, and engineers. Notable features here included:

• Branching Configuration: New product configurations would need to choose to add a new credential or select an existing one. I prioritized the adding of a new credential since it was the more common case and always relevant to new users.
• Three-Step Credential Creation Wizard: If adding a new credential users would proceed to a wizard that would guide them through the process in logical thematic steps rather than overwhelm them with the complexity of all fields at once.
• Global Management Table: A sortable and filterable table that would show statues, metadata, and controls for credentials. This was an important aspect of the credential overview that presented information that was previously buried in each product or in some cases not available at all.
• Bulk Actions: Provided the ability to control many credentials at once, whether it was enabling, suspending, or deleting. This required context considerations when selecting multiple types of credentials. This gave users a large speed boost when making changes.

...To Reality

Engineering Collaboration

Throughout the design phase and development phases, I maintained a close collaboration with the engineering team. Some sprints required daily calls with international teams. This partnership ensured that the design specifications were not only technically feasible but also aligned with Sophos’ stringent security requirements. Gaps and edge cases were addressed quickly and requirements were clarified as needed.

Navigating Challenges and Prioritizing Features

One of the significant challenges faced during the project was the need to adhere to strict timeline restrictions, which necessitated a strategic approach to feature development. To address immediate user needs within a timely rollout, we decided to focus on creating a minimum viable product (MVP) that included only the most critical features. This approach allowed us to launch a functional system that could be enhanced in later phases. The prioritization of features was carefully managed in collaboration with project managers and security experts. Together, we identified and implemented urgent security features that were essential for the first phase of the final implementation, ensuring that the most impactful elements were ready at launch while planning for future enhancements. Some aspects of user workflow optimization were designed but implemented in a more limited way that required fewer new components.

Efficiency and Security Increased

The deployment of the Global Credential Manager marked a significant improvement in how credentials were managed at Sophos. Users now had access to a streamlined process that saved time by offering the ability to reuse credentials but also the power to oversee and manage them from a single location without drilling down into each product to maintain them. The unified approach also bolstered security, incorporating advanced features like granular access controls and comprehensive usage logs and metrics.

Strategic Impact

Beyond the immediate benefits, the Global Credential Manager facilitated integration steps that would be required for the full transition of the Factory product into Central, setting a precedent for future acquisitions. The project received positive feedback from stakeholders including those outside of the team who would need the changes made here to move forward with their own projects' reusability and access to credentials for automation processes.

Future Directions

After the success of this project's first phase, plans are underway to further enhance the Global Credential Manager based on user feedback and more thorough security expectations. The timeline limitations on this project meant that not all ideas were fully engineered in the initial pass. Prioritization and compromises had to be made for creating the most effective version of this tool with room to expand capabilities that were left in the evaluation and design stage.