Scaling the wall

CHALLENGE
To redesign and transform the security management experience into a solution that gives Juniper’s security business a competitive advantage and also sets stage for security in cloud SDSN platform play.

This case study showcases empathy, ability to traverse complex domains and teams, ability to drive innovation, holistic systems thinking and information visualization.

TL;DR Version

Juniper needed a shot in the arm for their declining security business, with that the focus was on improving all the security products across the board. I dove deep to the core of the security domain and focussed on re-designing the policy management experience to make it much simpler and efficient.
Along with a new college graduate, I was able to re-imagine the firewall policy creation and management experience into a much simpler, intuitive and automated experience that improved productivity and instilled confidence in the security administrators.

Outcome

one of the exploratory designs

How it all began

The project started as a self-initiated innovation project, the goal of which was to re-imagine the firewall policy and rule management experience. We chose this because it was at the core of security management and would have the largest impact for the users and also we knew there was scope to improve in this area.
On the other hand, the work SDSN (software defined secure network) cloud platform was gaining momentum for which we needed a simpler and compelling security solution.

The lay of the land

There was some previous research focussing on the tactical problems, instead of jumping right into solving the UI problem, I decided to explore and frame the larger problem at a strategic level and then focus on how to tackle it. 
Dug deeper into the domain and technology, took a look at the competitors, watched a ton of security related videos, read a lot of data sheets, collaborated with PLMs and spoke to customers (personas).
In this process, I discovered that the networking industry was going towards the intent model, which broadly means that the user can express what they need from a network (the intent) and the system would translate that into networks and topologies (connectivity) optimized for that need. The Security PLM org was seriously exploring this area and my timing could not have been better, I joined forces with them and explored of the possibility of creating intent-based security models that could be leveraged across the suite of products that had a security element. Adding the security in the SDSN.
Problem areas
  • Creation and management of security posture
  • Time to react / changing the security posture in case of a possible threat
  • Simplified security management for SDSN platform
possible directions
  • Intent based security policies
  • Dynamic security posture
  • Simplified workflows
Discovery, Research and Competitive analysis

Reframing the problem: Knowing the wall ahead

After the rigorous discovery and analysis phase that included numerous white-boarding sessions, brainstorming sessions, affinity maps and a lot of conversations we were able to see the wall ahead of us, it was big. Some key challenges were:

Tactical shortcomings in the rule creation workflow:

➜ Rule creation wizard too long and convoluted
 Complex multi-tiered object model
➜ Inconsistent grouping and categorization
 Multiple dependencies not clear
 Complex intertwining workflows
 Rule management very troublesome, very hard to know why a rule was created
 Too many rules and a few more…

Current technology that needed a paradigm shift:

➜ The product was engineered to reflect how the devices work
➜ The underlying technology was focussed on enabling the devices and hence were fragmented pieces of functionalities and understood only the construct of devices.
 To enable user intent based policies, the required abstraction layer was missing.
➜ Integrations with external systems and other internal functionalities systems were not present.
➜ An object agnostic identification system was missing – the rules would be translated to IP addresses for every object and any new change had to be explicitly laid out.

Barriers for user adoption:

➜ The intent based constructs in the security domain is a new paradigm. We have to instill enough confidence in the users for them to “trust” the system.
➜ There is no industry standard terminology and patterns that could be adopted
 The solution should provide the options for the advanced user to dig deeper and handle everything manually

Solution explorations

wireframe solution options

The solution trek

Once the problems were framed, the exciting journey to find solutions started. During the discovery phases lots of ideas were being discussed and it was now the right time to crystallize and get implemented. Simplifying the rule creation process, faster search and editing capabilities were definitely the low hanging fruits but I wanted to solve it at a fundamental, conceptual level. The features suggested were implemented in two different products.
To address the challenges identified above the big strategic pieces of the solution were :
1

Simplification of workflows

  • Removing the multi-tier model
    Introducing auto-rule analysis
    Collapsing redundant steps
    Shifting load to the system
    Introducing quick search based model
Image showing integrating all end-points into single rule
2

User centric paradigms

Created a layer of user and business centric concepts that hid the underlying device-centric complexities and dependencies.
  • Automated assignment and deployment of rules to the right device
    User defined and controlled variables for dynamic policies
     Dynamic rules based on end-point metadata and tags. 
Screen showing user defined variables, values and assigned rules
3

Automating - taking the load off the user

 Auto suggestions for the object type and the object

 Dynamic assignment of new or changed objects to policies 

 Auto assignment of policies to the appropriate devices 

 Auto placement of the rule and priority, the user does not have to worry about the right sequence of the rule

 Change in the environment variable updates the appropriate policies automatically.

Screen showing analysis and automated rule placement
4

Building trust in the system

 Real-time rule analysis showing conflicts, anamolies and shadowed rules

 Display the impact of the rule across the network

 Options to review all the changes before deployment

 Ability to review the translated device-centric rules before deployment

 CLI views to see the change in the language the user is familiar with

 Options to retract any change

review configuration before deployment

Wireframes

Outcome: Beyond the wall

These new features were shipped across two products (Contrail service orchestrator and Security director) and we have been hearing positive feedback since then and winning new businesses. These improvements also contributed to the turn-around of security business at Juniper.

Some of the improvements measured:

➜  Improved time to task from 4-5 mins to 45 secs
  Improved click efficiency from 42 clicks to 9
  Reduced cognitive load by reducing number objects, auto assigning and reducing dependencies
  Drastically reduced reaction time from 30 + hours for 6 resources to 3 min for 1 resource
  Pre-created scenarios provide preventive protection which was not possible before
  Drastic reduction in manual errors saving time and effort

More details:

Read more about the personas
Blog on medium ◹
More details with Videos
From leadership
About dynamic security policies
In the Words of a PM leader

Coverage by senior leadership:

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from Youtube
Vimeo
Consent to display content from Vimeo
Google Maps
Consent to display content from Google