Securing Systems

Designing a secops workflow

Puppet is a platform that helps system administrators manage and automate system configuration.  It is often used to enforce policy compliance, when that can be defined as system configuration settings.

What if Puppet could do more in the security space? What if, as system vulnerabilities arise, Puppet could provide a path from awareness to security patching that would also enable two teams in different parts of an organization - Operations and Security - to communicate automatically, creating a real secOps workflow?

My team and I set out to understand how users manage system vulnerabilities outside of Puppet, and how we might extend Puppet's tools to help these users simplify their vulnerability awareness-to-remediation workflows. 

Discovery

I interviewed system administrators charged with maintaining security on the base configurations of systems in enterprise IT organizations. 

I learned from these users that vulnerability remediation is an ongoing process, and a balancing act of weighing security against performance. I discovered two primary workflows that would benefit from improvement: one, to enable better communication between developers and sysadmins, the other, to automate communication between Security and Operations.

Whiteboard analysis of user interviews

Map of the user experience

The aspirational experience

Since our Product Manager's research indicated that focusing on a secOps workflow made the best sense for our business, we chose the second problem to solve.

Process

I organized a 4-day workshop in Belfast, where most of our team was based, and presented my research; I had our principal engineer observe as many user interviews as he could attend, so he could more quickly and directly connect with the pain and frustration of the current experience. For the rest of team, I used quotes and stories, as well as the experience map above. 

We discussed the user stories I'd gathered from users, and those our PM had gathered from customers. We looked at vulnerability scanning tools - could we integrate reporting from any of these into our management tools, and, if so, which ones? Were there other solutions we could explore, beyond integrations? 

By the end of the workshop, we had a prioritized, rough-sized set of user stories, a plan for our our first several iterations, and, most importantly, a shared understanding of the user problems we were setting out to solve.

User story repository and prioritization tool

While our Product Manager began reaching out to vulnerability scanning services, looking for the right partnerships, I worked with our lead engineers on task flows and the interface. 

We decided to prototype an integration, using data available via a public API from our most likely partner, Tenable. My research indicated that this partner's products were widely used by Puppet Enterprise customers, and we knew from our PM, that it was a market leader.

I created wireframes to show the page IAs, and how existing UI patterns in our tooling would be used in the interface.

Outcome

We released a beta in late 2017 to a select group of large-infrastructure customers, who planned to begin testing sometime in early 2018.