Large Project Identity Management

Guy Huntington,
President
Huntington Ventures Ltd.

May 9, 2007

Agenda

  • Next 20 minutes I’m going to cover the following:

    • Large scale identity projects

    • Common pitfalls

Who Am I?

  • Guy Huntington

  • Been the lead consultant on numerous large, complicated Fortune 500 identity projects

  • I am currently releasing security awareness training products

Why Am I Here?

  • I was sitting at a lunch beside Joost who asked me what I did

  • After telling him, he asked me if I’d be interested in speaking about my experiences

  • I said I would and now…here I am!

My Identity Experience

  • Boeing single sign on

  • Capital One identity architecture

  • Capital One single sign on

  • Capital One SarBox provisioning

  • Kaiser Permanente WSSO review

  • Potash Corp identity architecture


  • 2001

  • 3 million users

  • 1,500 web applications

  • Multiple identity sources

  • 15 different business units each with their own CIO


  • Many different methods of authentication

    • AD and Sun directories (uid and password)

    • RACF

    • Proximity badges

    • Digital certs


  • RBAC system for airline customers with over 700 roles with complex multi-relationships

  • They ran every kind of computing platform known to mankind

    • AIX, HP-UX, Solaris, Linux and Windows to name a few


  • Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc.

  • They also had five separate portal projects each using different portal vendors


  • Lots of problems

    • No integrated deployment team

    • No ranking system of authentication strength

    • No one manager in charge of the program

    • No factory model for integrating 1,500 applications


  • Lots of problems

    • No substantial project documentation

    • No change management process in place for the project


  • Lots of problems

    • Not enough test servers

    • Too many promises to quickly deploy without the wherewithal to deliver

    • No transition plan to move away from expensive consultants to Boeing staff

    • Not enough budget
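The Boeing slides list several authentication methods (directory passwords, RACF, proximity badges, digital certificates) and name the lack of a ranking system of authentication strength as one of the problems. As an added example, not code from the presentation or from Boeing, the Python below shows the shape such a ranking takes: each method is assigned a level, each application declares the minimum level it requires, and the access check returns either "allow" or a "step_up" to the level still needed. The method keys follow the slide; the three levels, their ordering, the application names and their minimums are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    """Ordered ranking of authenticator strength; a higher value is stronger.
    The levels and their ordering are assumptions for this example."""
    NONE = 0
    PASSWORD = 1
    BADGE = 2
    CERT = 3


# Authentication methods named on the Boeing slide, each mapped to an assumed level.
METHOD_STRENGTH = {
    "ad_password": Strength.PASSWORD,
    "sun_directory_password": Strength.PASSWORD,
    "racf_password": Strength.PASSWORD,
    "proximity_badge": Strength.BADGE,
    "digital_cert": Strength.CERT,
}

# Minimum strength each application demands (application names are hypothetical).
APP_MINIMUM = {
    "hr_portal": Strength.PASSWORD,
    "airline_rbac": Strength.BADGE,
    "design_vault": Strength.CERT,
}


@dataclass(frozen=True)
class Session:
    user: str
    methods: tuple  # authenticators the user has presented so far, by method name


def session_strength(session):
    """A session is as strong as the strongest ranked authenticator it presented.
    Methods missing from the ranking table contribute nothing (fail closed)."""
    ranked = [METHOD_STRENGTH[m] for m in session.methods if m in METHOD_STRENGTH]
    return max(ranked, default=Strength.NONE)


def access_decision(session, app):
    """Return ('allow', level_held) when the session meets the application's minimum,
    otherwise ('step_up', level_required) so the caller can prompt for a stronger
    authenticator instead of silently granting access."""
    required = APP_MINIMUM[app]
    held = session_strength(session)
    if held >= required:
        return ("allow", held)
    return ("step_up", required)


if __name__ == "__main__":
    for sess, app in [(Session("alice", ("ad_password",)), "design_vault"),
                      (Session("bob", ("racf_password", "proximity_badge")), "airline_rbac"),
                      (Session("carol", ("legacy_token",)), "hr_portal")]:
        print(sess.user, app, access_decision(sess, app))
```

The design point is that an unranked method counts as no authentication at all: with 1,500 applications and several identity sources, anything the table does not know about should fall through to a step-up prompt rather than be treated as "probably fine".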

What Did I Do?

  • I took over the project

  • I re-scoped the project and cut down the deliverables for the next 6 months

  • I re-budgeted the project

  • I re-staffed the project

  • I moved the project office

  • I found over 40 additional servers to use as a test environment

What Did I Do?

  • I got the long term Boeing program manager involved

  • I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution

What Did I Do?

  • I put a person in charge of integrating with the Boeing customized proxy servers

  • I staffed up the project with Boeing people to begin a training and transition process

What Did I Do?

  • I put a person in charge of integrating with the Boeing RBAC for commercial airlines

  • I created daily team meetings

  • AND THEN…we worked like hell for six months!

What Did I Do?

  • I implemented a change management process

  • I implemented a SSO governance process

  • I left the project under a successful rollout

  • Today, they have integrated approximately 1,500 applications

What Did I Do?

  • I also laid in place the ground work for one of the first large scale SAML rollouts

  • After I left the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers

Capital One

  • Large credit card company and bank

  • Operate call centers all over the world

  • When I appeared they had no identity architecture

Cap One Identity Architecture

  • No global uid

  • No authoritative sources for contractors, consultants, temps

  • >70,000 identities in the directory; nobody knew whether they were current or not

  • The directory team was being shredded at the time I showed up

What Did I Do?

  • Got emergency money to support the directory team and re-org’d them

  • Began discussions with HR on accepting contractors and consultants into PeopleSoft

  • Created a global uid

  • Then began internal battles to get the global uid implemented

What Did I Do?

  • Also recommended changes to the directory DIT and schema

  • Created an identity architecture

  • Wrote lots of white papers explaining how an identity management system would benefit them

Cap One SSO

  • It was a disaster when I showed up

  • 2nd effort to deploy it

  • The CIO was giving them ten weeks to deploy or else heads would roll

  • The project was a subset of a portal project

Cap One SSO

  • The project manager and team had no idea of how to deploy SSO

  • I also believed the SSO product wouldn’t work

What Did I Do?

  • I took over the project

  • I fought the team

  • I put the project back into proof of concept mode

  • I then proved over three weeks that the product wouldn’t work

  • This led to lots of discussions!

What Did I Do?

  • I got the vendor to redesign the product

  • I then got the team to rethink their deployment

  • I organized daily meetings

  • I got the project successfully rolled out on time while the portal project was delayed

Cap One SarBox

  • I went back to Capital One to look after six mini identity projects

  • On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble

Cap One SarBox

  • Problems

    • 4 staff

    • No product chosen

    • They were reengineering the business processes for 57 financial applications for 30,000 workers!

Cap One SarBox

  • Problems

    • No one was working on the business processes!

    • They had five months to deliver or the auditors were refusing to sign their financials!

    • I believed the Board was going to get very interested in this project

What Did I Do?

  • I ended up taking over the project

  • I replaced the project manager

  • I got over 20 people assigned to the project

  • I started daily team meetings

What Did I Do?

  • I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses

  • I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc.

  • We rolled out successfully!

Federated Identities

  • Just a footnote that I also got a SAML pilot going while the provisioning project was underway

Kaiser Permanente

  • Largest healthcare provider in the US

  • I led a complete review of their existing web single sign on system

  • I found lots of problems

K.P. Problems

  • There were no data guardian processes

  • They had no high availability systems

  • They had a poor disaster recovery process

K.P. Problems

  • They had no monitoring specifications

  • They didn’t have enough staff

  • They didn’t have a single sign on factory model in place to suck up applications and SSO enable them

What Did I Do?

  • Recommended a new target architecture

  • Recommended high availability and hot disaster recovery

  • Recommended monitoring specifications

What Did I Do?

  • Recommended staff reorgs

  • Recommended single sign on factory

  • Recommended data monitoring

  • Recommended change management processes

  • Recommended maintenance budgets

Potash Corporation

  • I was brought in to recommend an identity architecture for them

  • They had three businesses

  • They wanted to move off of NT

My Discovery

  • I found that they were doing some web services with their customers but it wasn’t scalable and I had some security concerns

  • I found there was no authoritative source for contractors and consultants

  • I mapped out on and off-boarding for employees, contractors, consultants and temps

What Did I Do?

  • I gave them an Identity Roadmap

  • I recommended a directory DIT and schema

  • I recommended an authoritative source for contractors

  • I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services


  • Identity projects are complicated, especially if the project is large and under tight timelines

  • Most enterprises don’t have good authoritative sources for non-employees

    • This is changing but I still find this to be the weak area in most projects


  • Most projects are already drinking the Kool-aid before they’ve figured out exactly what’s involved in making the Kool-aid first

    • I have seen provisioning projects go to the Board for review since they were so badly over budget

    • Cost the CIO and Director of Security their jobs


  • Most identity projects don’t have good disaster recovery and high availability

  • This is always played down when the projects are starting out

  • I tell them that the CEO will get involved if the system goes down


  • They usually ignore me

  • Several months later I get a call telling me I was right about the CEO calling

  • Then they find money and resources to put in a high availability and instant disaster recovery system


  • Enterprise identity data governance is usually poor

  • HR usually makes data changes without thinking of the effects throughout the enterprise systems

  • I have personally seen this cause the SSO systems to fail


  • Enterprises need identity management governance processes for those identity attributes which are deemed “enterprise”
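Two of the recurring themes above are the directory full of identities of unknown status (the >70,000 entries at Capital One, cleaned up only once a global uid and authoritative sources for contractors existed) and HR changing enterprise attributes without anyone checking the downstream effect. The Python below is an added example, not code from the presentation or from any of the companies named; it reconciles a constructed directory export against constructed HR and contractor extracts keyed by global uid, classifies each entry (current, terminated, expired, or orphan), and lists changes HR made to attributes deemed "enterprise". All column names, sample rows, the governed-attribute set and the date format are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample extracts (not from the presentation). Column names are assumptions.
# The directory is keyed by the global uid that the architecture work introduced.
DIRECTORY_EXPORT = """\
uid,mail,employee_type,status
10001,alice@example.com,employee,active
10002,bob@example.com,contractor,active
10003,carol@example.com,employee,active
10004,dave@example.com,contractor,active
10005,erin@example.com,,active
"""

# Authoritative source for employees (the HR system).
HR_EXTRACT = """\
global_uid,name,status
10001,Alice,active
10003,Carol,terminated
"""

# Authoritative source for contractors, with an engagement end date.
CONTRACTOR_EXTRACT = """\
global_uid,name,end_date
10002,Bob,2030-12-31
10004,Dave,2020-06-30
"""

# A later HR extract, used to show governed-attribute change detection.
HR_EXTRACT_NEXT = """\
global_uid,name,status
10001,Alicia,leave
10003,Carol,terminated
"""

# Attributes treated as "enterprise" and therefore under governance (an assumption).
ENTERPRISE_ATTRIBUTES = {"status"}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(directory, hr, contractors, today):
    """Classify every directory entry against the authoritative sources by global uid.
    Dates are ISO strings, so lexical comparison is chronological.
    Findings: 'ok', 'terminated' (HR says gone), 'expired' (contract ended),
    'orphan' (no source claims the uid: the unknown-status case)."""
    hr_by_uid = {r["global_uid"]: r for r in hr}
    con_by_uid = {r["global_uid"]: r for r in contractors}
    findings = {}
    for entry in directory:
        uid = entry["uid"]
        if uid in hr_by_uid:
            findings[uid] = "ok" if hr_by_uid[uid]["status"] == "active" else "terminated"
        elif uid in con_by_uid:
            findings[uid] = "ok" if con_by_uid[uid]["end_date"] >= today else "expired"
        else:
            findings[uid] = "orphan"
    return findings


def summarize(findings):
    """Counts per finding, which is what a cleanup team reports back to management."""
    return dict(Counter(findings.values()))


def governed_changes(before, after, governed=ENTERPRISE_ATTRIBUTES):
    """List (uid, attribute, old, new) for changes HR made to governed attributes.
    Changes to ungoverned attributes (e.g. a display name) are not reported."""
    old = {r["global_uid"]: r for r in before}
    changes = []
    for r in after:
        uid = r["global_uid"]
        if uid not in old:
            continue
        for attr in sorted(governed):
            if old[uid].get(attr) != r.get(attr):
                changes.append((uid, attr, old[uid].get(attr), r.get(attr)))
    return changes


if __name__ == "__main__":
    findings = reconcile(load(DIRECTORY_EXPORT), load(HR_EXTRACT),
                         load(CONTRACTOR_EXTRACT), "2025-01-01")
    print(summarize(findings))
    print(governed_changes(load(HR_EXTRACT), load(HR_EXTRACT_NEXT)))
```

The orphan count is the number the presentation describes as "nobody knew if they were current"; until a source claims a uid there is no one to ask, which is why an authoritative source for contractors and temps has to exist before a cleanup can finish. The governed-change list is the hook for a governance process: a status change on a governed attribute is exactly the kind of HR edit that, fed straight into an SSO system, takes it down.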

Scope Creep

  • Especially with provisioning projects (and also large scale SSO), scope creep can be deadly

  • The benefits are sold before the project has gotten the infrastructure and business processes in place


  • Identity projects are full of this!

  • It usually crosses over most departments and business units

  • Choose your initial rollout carefully

  • Requires strong senior management support


  • I’d like to come back and talk about malware and identities but that’s another topic

  • So, what questions do you have?

Contact Information

  • Guy Huntington


  • [email protected]

  • Cell: 604-861-6804

  • Office: 604-921-6797