(User Experience, Visual Design, Design Research, Design Lead)
Vulnerability Advisor (VA) is a security capability of the IBM Bluemix cloud platform. VA provides developers and system administrators with comprehensive monitoring and reports for Docker containers. A container is a standard way to package an app and all its dependencies so that the app can be moved between environments and run without changes. I designed the VA experience as lead product designer. The solution I designed was a unique effort to execute. Due to the important nature of VA’s data, I collaborated with multiple teams to ensure that our users were aware of their container health in the context of their workflow.
The Problem
Developers and system administrators need to know when their containers and container images are vulnerable to avoid infecting their cloud environment. An image is a container blueprint: the template used to create a running container. Due to the high-risk nature of vulnerabilities, developers need instruction on how to remediate these issues and make their images safe. Additionally, system administrators need control over which images are deployed in their organization’s cloud to protect their entire cloud ecosystem.
The Solution: Vulnerability Advisor
In 2015, the IBM Bluemix research team launched the Vulnerability Advisor capability in IBM Containers to discover vulnerabilities and compliance policy problems in images and running containers hosted on Bluemix. Vulnerability Advisor provides developers a view into their image and container health and gives guidance on how images should be improved to meet best practices and upgrade to known industry fixes.
My Role
In December 2015 I took over the project as the lead designer and worked with the offering manager and engineering team to update the entire experience.
Research
I began the project by interviewing developers and system administrators from startups to national banks. I focused on individuals who were already using the IBM Container service. Through a number of interviews, I began to understand their workflow and identified their pain-points. I also asked users to review the existing VA experience for feedback on what was vital and what was needed.
Early Feedback
The participants all confirmed the desire to understand which images had infected packages and how to remediate them.
Usability testing of the existing VA experience revealed:
• The desire to see the image vulnerability status before selecting images
• The need for a deeper explanation of vulnerability status names
• Uncertainty about how to view images across their organization
• Confusion about what policies are and why they can only manage three
• Confusion about how to navigate to the VA Manager
• The desire to create VA policies
Hills & User Stories
After learning the pain-points of our users, I worked with my lead engineer and offering manager via a set of virtual design thinking workshops to create a set of Hills (mission statements) and user stories that addressed the top concerns of our users.
Hill 1
A developer can view compliance level details of all of her containers and virtual machines without disrupting her natural workflow.
Hill 2
A system administrator can be made aware of vulnerabilities in images (container/vm) and deployed elements (containers/VMs) at any time.
Hill 3
A system administrator can set policies and view reports of all images, containers and virtual machines without deviating from his natural workflow.
To-Be Journey
These stories were then prioritized and top priority stories were placed into a to-be journey map and reviewed with users to validate the new experience.
Aligning the Team
To make sure our entire team was on the same page about the experience, I hosted a sketching session where the engineers had a chance to review and ask questions about the proposed experience. This allowed them to determine the technical foundation and story point values.
I used a lean approach to get faster feedback from users and to constantly align the team. With an emphasis on rapid sketching, prototyping, user feedback and design mockups, the design process garnered designs that directly address user concerns and a sense of ownership by the team.
The Approach
Start at the beginning
When developers and system administrators are starting the life of a container, they start in the catalog. Whether they pushed the image that moment, weeks ago or would like to use an IBM-created one, they will browse their options in this location. Knowing which images are healthy at the top-level view was ideal to save time and allow for the ability to filter by status.
Continuous access in context
As the container was configured and monitored, access to the VA report and policy manager was key to include at each major interaction. If there was ever a problem with the individual image or container, the report would contain the information needed to remediate. The main touch points for the report included the image configuration and container monitoring pages. The policy manager is the area where system administrators can see all of their images and containers across their organization and update their organization's policy settings.
Close the loop
To stay true to the relationship between images and containers, the report for images includes information about which running containers are using that image. This is important because if a vulnerability is flagged within an image, it will also exist in the running container. Having the list available allows for an easy review of the containers' status and access to the container management area.
A home for monitoring: Vulnerability Advisor Hub
The VA overview page is a key area for system administrators who spend a lot of their time managing the safety of the environment. Once an organization gets large, it will have hundreds of images and containers. To maximize their time and prioritize the threats, the overview page surfaced the images with the largest number of vulnerabilities and a roll-up of how the images have been categorized by status.
The Experience
The following designs, beginning at the “Create a Container” area, illustrate how a developer (Maureen) can be kept aware of her vulnerability status throughout her container creation and maintenance workflow.