The Lockdown

Thycotic’s Cyber Security Blog

Usable Security and the Next Iteration of Privilege Manager


Written by Nicole Sundin

March 24th, 2020

We focus on usable security. Here’s what that means for the next iteration of Privilege Manager

It’s no secret that Thycotic is the usable security leader in the Privileged Access Management space. In the past year our UX team has been working on the entire product line to modernize and simplify the products’ experience. One of the biggest projects our team has been working on is the redesign of Privilege Manager. We are excited to release this redesign in iterations throughout the year, but before we start to roll out those releases, I wanted to give you a glimpse into our process.

The Privilege Manager Use Case

First, let’s talk about the Privilege Manager Use Case and why UX is so important. Here’s the use case: you want to limit how Local Admin accounts on endpoints can be used to access other computers, domain resources, and critical servers, which remains possible unless a least privilege security model is implemented. Local Admin accounts exist everywhere because it’s easier to give standard domain user accounts more rights than they actually need. This results in human accounts with privileged access.

The issue is rarely addressed on employee computers, leaving companies vulnerable to privileged account escalation and pass-the-hash attacks on thousands of unmanaged endpoints. Managing these endpoints is critical for the security posture of your organization. However, any mistakes managing your endpoints can lead to catastrophic shutdowns for your organization.

This is why UX becomes so important to the product: it needs to be simple to get these endpoints under management to shrink your organization’s attack surface and improve your security posture.

Privilege Manager Screenshot

The Privilege Manager Redesign Process

User Testing: Customer Interviews

User testing is the backbone of the UX program at Thycotic. We start all new projects, whether a full-scale redesign or new feature design, with user testing. We conducted 15 interviews with existing customers so they could tell us how they currently use Privilege Manager, how it’s utilized in their IT workflow, and what day-to-day problems have occurred.

Participatory Design: Deep Dive with Product Experts

We used a participatory design methodology while redesigning Privilege Manager. Participatory design is an approach to design strategy that brings subject matter expertise into the heart of the design process. These subject matter experts enable the design team to leverage their expertise as another data point during the design process. For Privilege Manager, this meant bringing in our lead architects and developers to provide subject matter expertise about how the product was originally designed and how they see it implemented in real life customer environments.

Wireframing and Prototyping: Taking in the Feedback

Wireframing and prototyping are a staple of any software design process. In this process, the designer takes all the data from user testing and participatory design and starts experimenting with different interactions and Thycotic design system UI patterns. This process also allows us to share our designs with both stakeholders and users for review and comment. Often the design team will go through more than 5 iterations before we land on an ideal state.

Privilege Manager Release

User Testing: Guided Testing

After the wireframes and prototypes were finalized, we started another round of user testing. We used a think-aloud methodology to guide the users through tasks using multiple design prototypes. Think-aloud protocols involve participants thinking aloud as they are performing a set of specified tasks. Participants are asked to say whatever comes into their mind as they complete the task. This might include what they are looking at, thinking, doing, and feeling. This gives observers insight into the participant’s cognitive processes by making thought processes as explicit as possible during task performance. This gave the team a lot of data to incorporate into the next iteration of the designs, which was eventually given to the engineering team for development.

Implementation: Engineering in Action

Thycotic has a very talented group of engineers who partner with the UX team to implement the designs into the actual product. This is where the project really comes to life!

As I’ve seen the new Privilege Manager UI come together through our comprehensive process, I’m confident that we’ve achieved our goal to deliver a cyber security solution that’s usable and effective in helping our customers protect their privileged accounts, implement a least privilege approach, and shrink their attack surface. We’re excited to release iterations of the redesign of Privilege Manager throughout the next year. If you have any questions or are interested in a sneak peek of the designs, feel free to email ux@thycotic.com.
