
Large Project Identity Management


Presentation Transcript


  1. Large Project Identity Management Guy Huntington, President Huntington Ventures Ltd. www.authenticationworld.com May 9, 2007

  2. Agenda • Next 20 minutes I’m going to cover the following: • Large scale identity projects • Common pitfalls

  3. Who Am I? • Guy Huntington • Been the lead consultant on numerous large, complicated Fortune 500 identity projects • I am currently releasing security awareness training products

  4. Why Am I Here? • I was sitting at a lunch beside Joost who asked me what I did • After telling him, he asked me if I’d be interested in speaking about my experiences • I said I would and now…here I am!

  5. My Identity Experience • Boeing single sign on • Capital One identity architecture • Capital One single sign on • Capital One SarBox provisioning • Kaiser Permanente WSSO review • Potash Corp identity architecture

  6. Boeing • 2001 • 3 million users • 1,500 web applications • Multiple identity sources • 15 different business units each with their own CIO

  7. Boeing • Many different methods of authentication • AD and Sun directories (uid and password) • RACF • Proximity badges • Digital certs

  8. Boeing • RBAC system for airline customers with over 700 roles with complex multi-relationships • They ran every kind of computing platform known to mankind • AIX, HP-UX, Solaris, Linux and Windows to name a few

  9. Boeing • Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc. • They also had five separate portal projects each using different portal vendors

  10. Boeing • Lots of problems • No integrated deployment team • No ranking system of authentication strength • No one manager in charge of the program • No factory model for integrating 1,500 applications

  11. Boeing • Lots of problems • No substantial project documentation • No change management process in place for the project

  12. Boeing • Lots of problems • Not enough test servers • Too many promises to quickly deploy without the wherewithal to deliver • No transition plan to move away from expensive consultants to Boeing staff • Not enough budget

  13. What Did I Do? • I took over the project • I re-scoped the project and cut down the deliverables for the next 6 months • I re-budgeted the project • I re-staffed the project • I moved the project office • I found over 40 additional servers to use as a test environment

  14. What Did I Do? • I got the long term Boeing program manager involved • I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution

  15. What Did I Do? • I put a person in charge of integrating with the Boeing customized proxy servers • I staffed up the project with Boeing people to begin a training and transition process

  16. What Did I Do? • I put a person in charge of integrating with the Boeing RBAC for commercial airlines • I created daily team meetings • AND THEN…we worked like hell for six months!

  17. What Did I Do? • I implemented a change management process • I implemented a SSO governance process • I left the project under a successful rollout • Today, they have integrated approximately 1,500 applications

  18. What Did I Do? • I also laid in place the ground work for one of the first large scale SAML rollouts • After I left the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers

  19. Capital One • Large credit card company and bank • Operate call centers all over the world • When I appeared they had no identity architecture

  20. Cap One Identity Architecture • No global uid • No authoritative sources for contractors, consultants, temps • >70,000 identities in the directory nobody knew if they were current or not • The directory team was being shredded at the time I showed up

  21. What Did I Do? • Got emergency money to support the directory team and re-org’d them • Began discussions with HR on accepting contractors and consultants into PeopleSoft • Created a global uid • Then began internal battles to get the global uid implemented

  22. What Did I Do? • Also recommended changes to the directory DIT and schema • Created an identity architecture • Wrote lots of white papers explaining how an identity management system would benefit them

  23. Cap One SSO • It was a disaster when I showed up • 2nd effort to deploy it • The CIO was giving them ten weeks to deploy or else heads would roll • The project was a subset of a portal project

  24. Cap One SSO • The project manager and team had no idea of how to deploy SSO • I also believed the SSO product wouldn’t work

  25. What Did I Do? • I took over the project • I fought the team • I put the project back into proof of concept mode • I then proved over three weeks that the product wouldn’t work • This led to lots of discussions!

  26. What Did I Do? • I got the vendor to redesign the product • I then got the team to rethink their deployment • I organized daily meetings • I got the project successfully rolled out on time while the portal project delayed

  27. Cap One SarBox • I went back to Capital One to look after six mini identity projects • On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble

  28. Cap One SarBox • Problems • 4 staff • No product chosen • They were reengineering the business processes for 57 financial applications for 30,000 workers!

  29. Cap One SarBox • Problems • No one was working on the business processes! • They had five months to deliver or the auditors were refusing to sign their financials! • I believed the Board was going to get very interested in this project

  30. What Did I Do? • I ended up taking over the project • I replaced the project manager • I got over 20 people assigned to the project • I started daily team meetings

  31. What Did I Do? • I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses • I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc. • We rolled out successfully!

  32. Federated Identities • Just a footnote that I also got a SAML pilot going while the provisioning project was underway

  33. Kaiser Permanente • Largest healthcare provider in the US • I led a complete review of their existing web single sign on system • I found lots of problems

  34. K.P. Problems • There were no data guardian processes • They had no high availability systems • They had a poor disaster recovery process

  35. K.P. Problems • They had no monitoring specifications • They didn’t have enough staff • They didn’t have a single sign on factory model in place to suck up applications and SSO enable them

  36. What Did I Do? • Recommended a new target architecture • Recommended high availability and hot disaster recovery • Recommended monitoring specifications

  37. What Did I Do? • Recommended staff reorgs • Recommended single sign on factory • Recommended data monitoring • Recommended change management processes • Recommended maintenance budgets

  38. Potash Corporation • I was brought in to recommend an identity architecture for them • They had three businesses • They wanted to move off of NT

  39. My Discovery • I found that they were doing some web services with their customers but it wasn’t scalable and I had some security concerns • I found there was no authoritative source for contractors and consultants • I mapped out on and off-boarding for employees, contractors, consultants and temps

  40. What Did I Do? • I gave them an Identity Roadmap • I recommended a directory DIT and schema • I recommended an authoritative source for contractors • I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services

  41. Comments • Identity projects are complicated, especially if the project is large and under tight timelines • Most enterprises don’t have good authoritative sources for non-employees • This is changing but I still find this to be the weak area in most projects

  42. Comments • Most projects are already drinking the Kool-aid before they’ve figured out exactly what’s involved in making the Kool-aid first • I have seen provisioning projects go to the Board for review since they were so badly over budget • Cost the CIO and Director of Security their jobs

  43. Comments • Most identity projects don’t have good disaster recovery and high availability • This is always played down when the projects are starting out • I tell them that the CEO will get involved if the system goes down

  44. Comments • They usually ignore me • Several months later I get a call telling me I was right about the CEO calling • Then they find money and resources to put in a high availability and instant disaster recovery system

  45. Comments • Enterprise identity data governance is usually poor • HR usually makes data changes without thinking of the effects throughout the enterprise systems • I have personally seen this cause the SSO systems to fail

  46. Comments • Enterprises need identity management governance processes for those identity attributes which are deemed “enterprise”
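Slides 20, 31 and 45 describe the same failure from three angles: directory entries that no authoritative source can vouch for, and HR edits that silently break SSO. As an added example, not part of the presentation, the Python below buckets directory entries by whether an authoritative source (HR for employees, a contractor registry for non-employees) still vouches for them, and isolates changes to governed "enterprise" attributes for review before they propagate. The sources, entries and attribute set are constructed assumptions.

```python
# Added illustration, not from the presentation: reconcile a directory export
# against authoritative sources and gate HR changes to "enterprise" attributes.
# All data below is constructed sample data.

# Authoritative sources: global uid -> lifecycle status.
HR_EMPLOYEES = {"e1001": "active", "e1002": "active", "e1003": "terminated"}
CONTRACTOR_REGISTRY = {"c2001": "active", "c2002": "ended"}
SOURCES = {"hr": HR_EMPLOYEES, "contractors": CONTRACTOR_REGISTRY}

# Directory entries as an LDAP export might yield them (constructed).
DIRECTORY = [
    {"dn": "uid=asmith,ou=people", "globalUid": "e1001"},
    {"dn": "uid=bjones,ou=people", "globalUid": "e1003"},
    {"dn": "uid=cdoe,ou=people", "globalUid": "c2002"},
    {"dn": "uid=svc-portal,ou=people", "globalUid": None},
    {"dn": "uid=xlee,ou=people", "globalUid": "e9999"},
]

# Hypothetical set of attributes deemed "enterprise" and under governance.
ENTERPRISE_ATTRS = {"globalUid", "mail", "employeeStatus"}

def classify(entry, sources):
    """Return (verdict, reason) where verdict is current, stale or unknown."""
    gid = entry.get("globalUid")
    if not gid:
        return "unknown", "no global uid, so no authoritative source can vouch for it"
    for name, table in sources.items():
        status = table.get(gid)
        if status == "active":
            return "current", f"active in {name}"
        if status is not None:
            return "stale", f"{status} in {name}; account should be de-provisioned"
    return "unknown", "global uid not present in any authoritative source"

def reconcile(directory, sources):
    """Bucket entries so a cleanup team can work the stale and unknown lists."""
    report = {"current": [], "stale": [], "unknown": []}
    for entry in directory:
        verdict, reason = classify(entry, sources)
        report[verdict].append((entry["dn"], reason))
    return report

def governed_changes(old_record, new_record):
    """Return only the enterprise-attribute changes in an HR record update;
    these need review before they propagate to the directory and SSO."""
    return {a: (old_record.get(a), new_record.get(a))
            for a in sorted(ENTERPRISE_ATTRS) if old_record.get(a) != new_record.get(a)}
```

The "unknown" bucket is the one the slides call identities of unknown status; the "stale" bucket is where a terminated employee or ended contractor still holds a live directory entry.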

  47. Scope Creep • Especially with provisioning projects (and also large scale SSO) scope creep can be deadly • The benefits are sold before the project has gotten the infrastructure and business processes in place

  48. Politics • Identity projects are full of this! • It usually crosses over most departments and business units • Choose your initial rollout carefully • Requires strong senior management support

  49. Questions • I’d like to come back and talk about malware and identities but that’s another topic • So, what questions do you have?

  50. Contact Information • Guy Huntington • www.authenticationworld.com • Guy.huntington@authenticationworld.com • Cell: 604-861-6804 • Office: 604-921-6797
