Privileged Session Proxy Portal. Case Study

Dynamic internal enterprise tool that supports 40K+ users with privileged sessions

Description

It is a dynamic internal tool that supports 40K+ users with privileged sessions and passwords. This page describes the goals of our UX engagement with the Privileged Session Proxy (PSP) team and allows us to plan the scope and detailed progress of the project.

Vision

Managing privileged access is critical due to the extensive financial and reputational harm from unauthorized access to business systems and information. Proper control of privileged access is at the top of the Firm’s internal and external auditors’ findings list, and is an essential component of compliance mandates.

Whenever possible, privileged access should be eliminated through the principles of least privilege and automation. Resources such as Automation as a Service (AAAS) or session-based solutions should be adopted to replace the need to use privileged access to perform activities.

A key goal of the PSP Portal is to significantly enhance the firm’s security posture by improving the way privileged access is managed. It will enforce a least-privileged approach to the most sensitive data and critical business application infrastructure. This will be accomplished by minimizing the use of passwords, mandating multi-factor authentication and eliminating local passwords.

PSP portal will allow for the following:

  • Provide a simple interface where users can select accounts they have access to
  • Maintain current control logic / Ticket Exit / Compliance Review process etc.
  • Zero (additional) on-boarding time. Existing accounts will be available through PSP.

Project Goals

  • Decrease the amount of time users spend establishing a new session from 10 min to 10 sec
  • Make the PSP UI more intuitive to reduce the number of PSP support requests
  • Reduce the number of “break glass” events
  • Eliminate human knowledge of credentials for privileged access (replace returning a password with provisioning of a session).
  • Simplify and better secure the user experience for privileged access to mitigate the risk of sharing/storage of these credentials electronically/physically.
  • Seamlessly adopt 40K+ users with 100+ different use cases to improve their productivity along with higher adoption of security standards across the firm
  • Provide a friendly, intuitive end user experience

UX Roadmap (Q4 2020)

Research

Understand the infrastructure

Stakeholder Management

User Journeys

This is an example of one very common use case. In total we had over 100 different use cases.

Personas

This is an example of a persona I’ve created for this project. We had about 20+ personas created for each user type. We contribute our personas to a persona catalog as a knowledge base for all UXers across the firm.

Quantitative research

It’s important to understand how many users use the platform daily and how our UI/UX changes affect the user’s behavior. In this case, I worry about “break glass” events the most. I want to see “0” in this field.

User job stories:

  • “When I need to modify the development or UAT environments configuration, I have to pull the proper password to log in / get a session to log in and make the change.”
  • “When I need to research production issues, I have to pull the proper password to log in / get a session to log in.”
  • “When I need to analyze the issue for an existing alacrity ticket, I have to open up multiple PSP sessions for DB analysis so that I can first pinpoint the issue.”
  • “When I need to implement a change or investigate any issue, I want to log in to the database using PSP so I can implement the change or troubleshoot.”

User’s top blockers

  • It would be better for new joinees if we had cross-vault search so that we don’t care about which vault it is in
  • Hardest part is usually finding a ticket. Honestly, not everything is ticket based.
  • Sessions are OK; however, I prefer the comfort of my own desktop, though, for the sessions that are virtualized.
  • Being unable to map our local drives (to execute our scripts) in the PSP sessions is one of the top limitations.
  • We use multiple sessions (toad/sqlplus/Unix) to troubleshoot performance issues.
  • OEM login needs our support account password & PSP does not support this functionality
  • As compared to the native logins, we find PSP session extremely slow, and usually it involves multiple re-tries to get a stable DB connection open via the remote IDE session. This is a major pain point for our team while using PSP.
  • Very slow UI on the PSP session, especially the IDE session on the remote box—the IDE (i.e. Toad) is almost unusable or very jittery at times. SQL*Plus is not an option for us as we need some form of visual IDE for the kind of research we need to do. Typically, we don’t log in to fire some DMLs and log out; our activities involve running complicated SQLs to understand the issue.
  • Lack of custom settings persistence in the RDP DB PSP session. Each login creates a new session and the default UI (i.e. Toad that opens up) provides quite little workspace to work in. Each time, we need to fix the session to have a large work area depending on our preference.
  • No data export option. This is another major pain point. The UI is slow and the data cannot be exported out to our ad hoc end users. We are circumventing this issue by using the clipboard as of now.
  • Toad for Sybase is another slow IDE available that we find to execute the Sybase analysis. We would prefer lighter IDE alternatives for Sybase.

Problem statement summary

  • No Data “Export” capabilities in RDP session
  • Not all accounts are supported at the moment
  • Lack of UI customization for RDP PSP session
  • Slow UI within RDP Session
  • PSP Platform UI is not user friendly and performance is very low
  • No capability to execute scripts from local drives
  • Toggling between Multiple Sessions is confusing
  • Stability of DB connection
  • Ticket finding process

Notification System Implementation

Humanizing Error Messages

Session Web Terminal Proposal

Interactive Prototype