Securing Credentials to Bring Users Ease, Power, and Oversight.

API keys, tokens and passwords are cumbersome to configure over and over again. Redundancy is frustrating and introduces security risks. Users needed a central place to manage credentials across their suite of cyber security products.

Company
Sophos
Product
Central Management Console
Task
Design a Global Credential Manager
Role
Security Operations UX

Credentials Too Isolated

Sophos is a large cyber security organization with a suite of several security products. The Central Management Console existed as a hub and single access point but the suite was still grappling with a fragmented system where each product required separate credential configuration and individual management.

Credentials play a critical role in allowing products to interact with the user's estates and other third-party product connections. They consist of username/password pairs, API keys, tokens, access permissions, and other related configurations that must be managed securely.

Previous individual approach vs one with reusability and oversight functionality.

User Burden and Security Risks

Users had given feedback that they were frustrated with the redundancy and complexity of managing separate credentials for each product, and security experts were concerned about the potential risks associated with this disjointed approach:

  • Lack of high level overview: Credential audits and monitoring were left to each product and if supported would need individual review.
  • More opportunities for error: By adding credentials separately there was a higher risk for misconfiguration and more steps involved in remediation.
  • Consistency and Standards: Different products used different methods and would have an increased learning curve and potential for confusion.

A Headstart from an Acquired Product

The coming changes were finally sparked by the acquisition of the DevSecOps workflow automation tool, Factory, which revealed a significant opportunity to leverage its credential manager for the rest of the Sophos offerings. Factory's version highlighted the benefits of a unified system, but it also underscored the inefficiencies of the existing system in the Central Management Console.

Since I was already familiar with Factory as its Security Operations UX Designer, my task was to design a Global Credential Manager that would start with this approach but extend to cover the rest of Sophos' user's needs. It would not only consolidate the management of credentials across all Sophos products but also enhance security and streamline user operations with new features. This system needed to be intuitive, secure, and capable of integrating seamlessly with the existing product ecosystem. This would also be a mutually beneficial first step that would align with a future project of integrating all of Factory's capabilities into the Central Management Console.

Factory's credential features offered a baseline for the Global Credential Manager.

From Concept...

Gathering Insights

The project kicked off with in-depth consultations with security experts to align the design with the best security practices. I also gathered the feedback taken from Factory's implementation to dive deep into the users’ pain points and gather actionable insights. Shortcomings identified there would include:

  • No Granular Permissions: A need to control what actions a credential can take.
  • No Individualized Product Access: A need to control where actions can take place.
  • No Bulk Management: A need for visibility of usage metrics, mass suspension and expiration options.

Visualizing Features

During these initial meetings I took inventory of objects and access paths, particularly what data and connections users would be interfacing with. By creating quick visuals on the fly while in discussions, stakeholders were able to understand how this might come together and have an easier time contributing requirements. After these sessions, wireframes and flows were presented to and agreed upon by the PM, security team, and engineers. I then moved to high-fidelity prototypes which could be rapidly built using Sophos' design system and Figma component library. Getting to this point quickly was important as mockups that look closer to the final output were easier for all members of the team to digest. The design process at this point continued to be flexible and iterative, involving multiple rounds of workflow examination to refine the interface and functionality. Notable features here included:

  • Branching Configuration: New product configurations would need to choose to add a new credential or select an existing one. I prioritized the adding of a new credential since it was the more common case and always relevant to new users.
  • Three-Step Credential Creation Wizard: If adding a new credential users would proceed to a wizard that would guide them through the process in logical thematic steps rather than overwhelm them with the complexity of all fields at once.
  • Global Management Table: A sortable and filterable table that would show statues, metadata, and controls for credentials. This was an important aspect of the credential overview that presented information that was previously buried in each product or in some cases not available at all.
  • Bulk Actions: Provided the ability to control many credentials at once, whether it was enabling, suspending, or deleting. This required context considerations when selecting multiple types of credentials. This gave users a large speed boost when making changes.
Initial inventory of object data and locations before wireframing.
Mapping user flows and each page's access point.
Concepts of variations for differing configuration entry points.

...To Reality

Engineering Collaboration

Throughout the design phase and development phases, I maintained a close collaboration with the engineering team. Some sprints required daily calls with international teams. This partnership ensured that the design specifications were not only technically feasible but also aligned with Sophos’ stringent security requirements. Gaps and edge cases in the mockups were addressed quickly and requirements were clarified as needed.

Navigating Challenges and Prioritizing Features

One of the significant challenges faced during the project was the need to adhere to strict timeline restrictions, which necessitated a strategic approach to feature development. To address immediate user needs within a timely rollout, we decided to focus on creating a minimum viable product (MVP) that included only the most critical features. This approach allowed us to launch a functional system that could be enhanced in later phases. The prioritization of features was carefully managed in collaboration with project managers and security experts. Together, we identified and implemented urgent security features that were essential for the first phase of the final implementation, ensuring that the most impactful elements were ready at launch while planning for future enhancements. Some aspects of user workflow optimization were designed but implemented in a more limited way that required fewer new components.

Efficiency and Security Increased

The deployment of the Global Credential Manager marked a significant improvement in how credentials were managed at Sophos. Users now had access to a streamlined process that saved time by offering the ability to reuse credentials but also the power to oversee and manage them from a single location without drilling down into each product to maintain them. The unified approach also bolstered security, incorporating advanced features like granular access controls and comprehensive usage logs and metrics.

Strategic Impact

Beyond the immediate benefits, the Global Credential Manager facilitated integration steps that would be required for the full transition of the Factory product into Central, setting a precedent for future acquisitions. The project received positive feedback from stakeholders including those outside of the team who would need the changes made here to move forward with their own projects' reusability and access to credentials for automation processes.

Future Directions

After the success of this project's first phase, plans are underway to further enhance the Global Credential Manager based on user feedback and more thorough security expectations. The timeline limitations on this project meant that not all ideas were fully engineered in the initial pass. Prioritization and compromises had to be made for creating the most effective version of this tool with room to expand capabilities that were left in the evaluation and design stage.