4 design principles for designing enterprise security solutions
Key design principles to consider for crafting effective and efficient security products.
Security management products (like the one that we are building at Juniper Networks) are essential cogs in the infrastructure story behind data centers, cloud networks and enterprise networks. A whole crew of security professionals toils behind the scenes 24/7, making sure everything is working fine, all the data is safe and the world is up, running and productive. Sound like altruistic super heroes? — sure they are.
Having learnt about the domain, key players and ecosystem while working on redefining the security experience for Juniper Networks' cloud SDSN platform, I wanted to share some key design considerations that would be useful for a product designer to keep in mind while designing the side-kick.
Let us get started by doing what we should be doing as problem solvers — build empathy by peeking into the world of security professionals which will help us to frame the right problems.
The super heroes
A security professional can be a Chief Security Officer, a security architect, SecOps (security operations) or a firewall operator. While they have different specific responsibilities and needs, the tasks below are common to all of them, and they rely on their side-kick — the security management tool — to accomplish them:
- Define and maintain the security posture, access control rights and countermeasures to secure the entire network from threats, attacks, damage and vulnerabilities.
- Manage and maintain policies regularly to address the ever changing organizational needs.
- Constantly monitor and respond to any untoward security incidents.
- Stay up-to-the-minute on the cybersecurity landscape — attacks and threat models to keep the security posture up-to-date.
Along with the above defined and articulated tasks, we also need to be cognizant of the unarticulated conditions:
- A lot is at stake and a small mistake might lead to disastrous outcomes for the individuals, the organization and its customers.
- The environment is very dynamic: on one end the entities to be secured are constantly changing and moving, while on the other end new methods of attack keep emerging.
- When under attack, the clock is ticking and every second expended is exponentially expensive.
Enabling them to complete their tasks is not enough. We also need to empower them to accomplish their goals by addressing the conditions and the unarticulated needs. Listed below are some of the key design considerations that will help designers help their heroes:
1. Speed, Complexity and Automation
For a security professional, time is the most essential and critical resource, and it can decide how secure or vulnerable the enterprise is. The design should strive to:
- Provide a simplified, streamlined and intuitive interface. This may require you to challenge and break existing technology focused paradigms and bring in more human centricity to the workflows.
- In times of crisis, allow the user to quickly narrow down to the problem and perform remedial actions. The design should focus on a clear and easy way to organize information and on fast mechanisms to search and act.
- Reduce cognitive load on the user. There are a million things going on in the user's head and every second is crucial, so any reduction in cognitive load helps them decide faster. This can be achieved by abstracting the complexity, having cleaner designs focusing on actions, smart data visualizations, and relevant contextual recommendations.
- Identify opportunities to automate wherever possible.
As established above, security is a very high-stakes endeavor, and it is imperative for users to trust the product/system and eventually be successful in accomplishing their security goals. For us as designers, trust is crucial for the adoption and usage of the product itself; without it, all the features might be left unexplored. Below are some strategies for building trust:
- Make the user feel in total control, which means providing all the necessary data and information but letting them make the decisions. Also display the impact a decision would have and how to retract it if needed.
- Help the user avoid misconfigurations by proactively flagging inconsistencies, conflicts and any potential blind spots. This could be achieved by building intelligence behind the scenes to enhance the security posture.
For example, a newly created firewall rule may conflict with other rules in a way that renders the new rule useless or, worse, negates the security posture. Analyze such blind spots and flag them up front, proactively.
- Provide smart default configurations / recommendations along with any help needed to understand them and why and how these add value.
Leverage your company’s tech and domain expertise to add value to your customer.
Another challenging job for a security professional is to keep track of all the dynamically changing elements that need to be secured. There are two big buckets of such dynamic objects.
- Internal end-points: These are the various end-points in the enterprise network that are potential gateways for getting into the network: employee IDs, devices, personal devices, connected things, applications, websites and physical networks, to name a few. Adding to this complexity, the users and devices are mobile and constantly changing.
- External threats: The types of attacks and threat models are evolving and getting more sophisticated by the day, and new methods are popping up all the time.
The security professional has to keep track of both these moving parts and ensure the security posture holds strong.
When designing for such scenarios, we as designers should:
- Wear the holistic systems-thinking hat to identify possible integrations with different internal and external sources for getting the end-points and intelligence into the system.
- Make it possible for the user to define policies at higher levels of abstraction, using constructs that dynamically take care of the changing internal end-points.
- Enable integration with threat intelligence platforms, both internal and external, to keep the guard high.
- Synthesize and correlate the information from these different sources so that users can understand the situation and take remedial actions in an instant.
Detecting something before an attack happens is the best outcome, and while we work on getting that sophistication built into the product, any early warning and even the slightest anomaly detection goes a long way. Monitoring the network and keeping a vigilant eye is key for security professionals to be successful in their mission.
Bubbling up any anomalies and alerts is surely useful but for these to be effective, we should also provide an option to mute the noise that is not relevant or is an expected exception.
- Provide varying levels of visibility and ability to drill down to the specific event level (IP address or user or any specific device).
- Leverage data visualizations to display data more meaningfully and from different points of view so that users do not miss anything important.
- In the spirit of providing total control, enable users to define their own thresholds, severities and watch lists that are significant for their environment and areas of interest.
- Displaying events across the system can be overwhelming and may include false positives, so providing options to mute noise and to filter by areas of interest is essential.
- Build intelligence and automation. This helps users distinguish between false positives and real threats, reducing the Mean Time to Detect (MTTD) and the Mean Time to Respond (MTTR) to an attack.
These are the most important considerations for empowering our super heroes that come to my mind now. There could surely be more, so please do comment with your views.
Our super heroes work very hard and make systems secure for us. I believe as designers it is our responsibility to enable and empower them by making their tools easier, faster and efficient.
Thank you for taking the time out to read, hope it was worth your time.