Large Project Identity Management

Guy Huntington,

President

Huntington Ventures Ltd.

www.authenticationworld.com

May 9, 2007


Agenda

  • Next 20 minutes I’m going to cover the following:

    • Large scale identity projects

    • Common pitfalls


Who Am I?

  • Guy Huntington

  • Been the lead consultant on numerous large, complicated Fortune 500 identity projects

  • I am currently releasing security awareness training products


Why Am I Here?

  • I was sitting at a lunch beside Joost who asked me what I did

  • After telling him, he asked me if I’d be interested in speaking about my experiences

  • I said I would and now…here I am!


My Identity Experience

  • Boeing single sign on

  • Capital One identity architecture

  • Capital One single sign on

  • Capital One SarBox provisioning

  • Kaiser Permanente WSSO review

  • Potash Corp identity architecture


Boeing

  • 2001

  • 3 million users

  • 1,500 web applications

  • Multiple identity sources

  • 15 different business units each with their own CIO


Boeing

  • Many different methods of authentication

    • AD and Sun directories (uid and password)

    • RACF

    • Proximity badges

    • Digital certs


Boeing

  • RBAC system for airline customers with over 700 roles with complex multi-relationships

  • They ran every kind of computing platform known to mankind

    • AIX, HP-UX, Solaris, Linux and Windows to name a few


Boeing

  • Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc.

  • They also had five separate portal projects each using different portal vendors


Boeing

  • Lots of problems

    • No integrated deployment team

    • No ranking system of authentication strength

    • No one manager in charge of the program

    • No factory model for integrating 1,500 applications
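The "no ranking system of authentication strength" problem above is one an SSO layer has to solve in code: the earlier slide lists directory passwords, RACF, proximity badges and digital certificates all being used side by side, and an application needs to know whether the method a session authenticated with is good enough. The following is an added illustration of such a ranking and step-up check, not code from the talk or from Boeing; the rank order, the method names, the application names and the default-to-strongest rule for unregistered applications are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    """Ordered authentication strength levels (ordering is an assumption for this example)."""
    NONE = 0
    PASSWORD = 1   # AD / Sun directory uid + password
    RACF = 2       # mainframe RACF credential
    BADGE = 3      # proximity badge presented at a trusted workstation
    CERT = 4       # digital certificate / smart card


# Map of the method identifiers an SSO integration would report (hypothetical names).
METHOD_STRENGTH = {
    "ad_password": Strength.PASSWORD,
    "sun_password": Strength.PASSWORD,
    "racf": Strength.RACF,
    "proximity_badge": Strength.BADGE,
    "digital_cert": Strength.CERT,
}

# Per-application minimum strength (hypothetical application registry).
APP_REQUIREMENTS = {
    "intranet_news": Strength.PASSWORD,
    "airline_parts_portal": Strength.BADGE,
    "payroll": Strength.CERT,
}


@dataclass
class Session:
    user: str
    methods: list[str]   # every method this session has authenticated with so far


def session_strength(session: Session) -> Strength:
    """Strength of a session is the strongest method it completed.

    An unrecognised method counts as NONE rather than raising, so a
    misconfigured integration can never accidentally grant access.
    """
    return max(
        (METHOD_STRENGTH.get(m, Strength.NONE) for m in session.methods),
        default=Strength.NONE,
    )


def authorize(session: Session, required: Strength):
    """Return ("allow", None) if the session is strong enough, otherwise
    ("step_up", [methods that would satisfy the requirement])."""
    if session_strength(session) >= required:
        return ("allow", None)
    options = sorted(m for m, s in METHOD_STRENGTH.items() if s >= required)
    return ("step_up", options)


def check_app_access(session: Session, app: str):
    """Look up the application's requirement; an application that was never
    registered fails closed by requiring the strongest level."""
    required = APP_REQUIREMENTS.get(app, Strength.CERT)
    return authorize(session, required)


if __name__ == "__main__":
    s = Session("jdoe", ["racf"])
    print(check_app_access(s, "intranet_news"))          # allow
    print(check_app_access(s, "airline_parts_portal"))   # step up to badge or cert
    print(check_app_access(s, "unregistered_app"))       # fail closed: cert only
```

The two design points worth carrying into a real deployment are the fail-closed defaults: an unknown method contributes nothing to the session's strength, and an unregistered application demands the highest level until someone consciously ranks it.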


Boeing

  • Lots of problems

    • No substantial project documentation

    • No change management process in place for the project


Boeing

  • Lots of problems

    • Not enough test servers

    • Too many promises to quickly deploy without the wherewithal to deliver

    • No transition plan to move away from expensive consultants to Boeing staff

    • Not enough budget


What Did I Do?

  • I took over the project

  • I re-scoped the project and cut down the deliverables for the next 6 months

  • I re-budgeted the project

  • I re-staffed the project

  • I moved the project office

  • I found over 40 additional servers to use as a test environment


What Did I Do?

  • I got the long term Boeing program manager involved

  • I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution


What Did I Do?

  • I put a person in charge of integrating with the Boeing customized proxy servers

  • I staffed up the project with Boeing people to begin a training and transition process


What Did I Do?

  • I put a person in charge of integrating with the Boeing RBAC for commercial airlines

  • I created daily team meetings

  • AND THEN…we worked like hell for six months!


What Did I Do?

  • I implemented a change management process

  • I implemented a SSO governance process

  • I left the project under a successful rollout

  • Today, they have integrated approximately 1,500 applications


What Did I Do?

  • I also laid in place the ground work for one of the first large scale SAML rollouts

  • After I left the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers


Capital One

  • Large credit card company and bank

  • Operate call centers all over the world

  • When I appeared they had no identity architecture


Cap One Identity Architecture

  • No global uid

  • No authoritative sources for contractors, consultants, temps

  • >70,000 identities in the directory nobody knew if they were current or not

  • The directory team was being shredded at the time I showed up


What Did I Do?

  • Got emergency money to support the directory team and re-org’d them

  • Began discussions with HR on accepting contractors and consultants into PeopleSoft

  • Created a global uid

  • Then began internal battles to get the global uid implemented


What Did I Do?

  • Also recommended changes to the directory DIT and schema

  • Created an identity architecture

  • Wrote lots of white papers explaining how an identity management system would benefit them


Cap One SSO

  • It was a disaster when I showed up

  • 2nd effort to deploy it

  • The CIO was giving them ten weeks to deploy or else heads would roll

  • The project was a subset of a portal project


Cap One SSO

  • The project manager and team had no idea of how to deploy SSO

  • I also believed the SSO product wouldn’t work


What Did I Do?

  • I took over the project

  • I fought the team

  • I put the project back into proof of concept mode

  • I then proved over three weeks that the product wouldn’t work

  • This led to lots of discussions!


What Did I Do?

  • I got the vendor to redesign the product

  • I then got the team to rethink their deployment

  • I organized daily meetings

  • I got the project successfully rolled out on time while the portal project delayed


Cap One SarBox

  • I went back to Capital One to look after six mini identity projects

  • On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble


Cap One SarBox

  • Problems

    • 4 staff

    • No product chosen

    • They were reengineering the business processes for 57 financial applications for 30,000 workers!


Cap One SarBox

  • Problems

    • No one was working on the business processes!

    • They had five months to deliver or the auditors would refuse to sign their financials!

    • I believed the Board was going to get very interested in this project


What Did I Do?

  • I ended up taking over the project

  • I replaced the project manager

  • I got over 20 people assigned to the project

  • I started daily team meetings


What Did I Do?

  • I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses

  • I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc.

  • We rolled out successfully!


Federated Identities

  • Just a footnote that I also got a SAML pilot going while the provisioning project was underway


Kaiser Permanente

  • Largest healthcare provider in the US

  • I led a complete review of their existing web single sign on system

  • I found lots of problems


K.P. Problems

  • There were no data guardian processes

  • They had no high availability systems

  • They had a poor disaster recovery process


K.P. Problems

  • They had no monitoring specifications

  • They didn’t have enough staff

  • They didn’t have a single sign on factory model in place to suck up applications and SSO enable them


What Did I Do?

  • Recommended a new target architecture

  • Recommended high availability and hot disaster recovery

  • Recommended monitoring specifications


What Did I Do?

  • Recommended staff reorgs

  • Recommended single sign on factory

  • Recommended data monitoring

  • Recommended change management processes

  • Recommended maintenance budgets


Potash Corporation

  • I was brought in to recommend an identity architecture for them

  • They had three businesses

  • They wanted to move off of NT


My Discovery

  • I found that they were doing some web services with their customers but it wasn’t scalable and I had some security concerns

  • I found there was no authoritative source for contractors and consultants

  • I mapped out on and off-boarding for employees, contractors, consultants and temps


What Did I Do?

  • I gave them an Identity Roadmap

  • I recommended a directory DIT and schema

  • I recommended an authoritative source for contractors

  • I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services


Comments

  • Identity projects are complicated, especially if the project is large and under tight timelines

  • Most enterprises don’t have good authoritative sources for non-employees

    • This is changing but I still find this to be the weak area in most projects
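The missing authoritative source for non-employees is what turns a directory into the ">70,000 identities nobody knew if they were current or not" described in the Capital One slides. The reconciliation below is an added example, not code from the talk or from any of the companies named: it joins directory entries against an HR feed (authoritative for employees) and a separate feed for contractors, consultants and temps, and sorts every account into active, disable, orphan (no authoritative source at all) or conflict (claimed by both sources). The uids, feed formats and status values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryEntry:
    uid: str
    employee_type: str   # "employee", "contractor", "consultant", "temp", or "" when unknown


# Constructed sample directory (hypothetical uids, not real people).
DIRECTORY = [
    DirectoryEntry("e1001", "employee"),
    DirectoryEntry("e1002", "employee"),
    DirectoryEntry("c2001", "contractor"),
    DirectoryEntry("c2002", "consultant"),   # in the directory, but no system vouches for them
    DirectoryEntry("x9001", ""),             # no type at all: typical orphan
    DirectoryEntry("e1003", "employee"),     # appears in both feeds
    DirectoryEntry("c2003", "temp"),
]

# Constructed authoritative feeds: uid -> status as reported by that source.
HR_FEED = {"e1001": "active", "e1002": "terminated", "e1003": "active"}
CONTRACTOR_FEED = {"c2001": "active", "c2003": "ended", "e1003": "active"}


def reconcile(directory, hr_feed, contractor_feed):
    """Classify every directory entry against the authoritative sources.

    active   - an authoritative source says the person is current
    disable  - a source knows the person but reports a non-active status
    orphan   - no source knows the uid: the account has no owner of record
    conflict - more than one source claims the uid; needs a human decision
    """
    result = {"active": [], "disable": [], "orphan": [], "conflict": []}
    for entry in directory:
        in_hr = entry.uid in hr_feed
        in_con = entry.uid in contractor_feed
        if in_hr and in_con:
            # Two systems of record for one uid: do not guess which wins.
            result["conflict"].append(entry.uid)
            continue
        if not in_hr and not in_con:
            result["orphan"].append(entry.uid)
            continue
        status = hr_feed[entry.uid] if in_hr else contractor_feed[entry.uid]
        bucket = "active" if status == "active" else "disable"
        result[bucket].append(entry.uid)
    return result


def summarize(result):
    """Counts per bucket, the figure a cleanup team reports upward."""
    return {bucket: len(uids) for bucket, uids in result.items()}


if __name__ == "__main__":
    outcome = reconcile(DIRECTORY, HR_FEED, CONTRACTOR_FEED)
    for bucket, uids in outcome.items():
        print(f"{bucket:8s} {uids}")
    print(summarize(outcome))
```

The orphan bucket is the direct measure of the "no authoritative source" gap: until contractors and consultants are accepted into a system of record, every such account can only be resolved by hand, and the conflict bucket is where a global uid scheme pays off, because it removes the possibility of the same person being keyed differently in two feeds.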


Comments

  • Most projects are already drinking the Kool-aid before they’ve figured out exactly what’s involved in making the Kool-aid first

    • I have seen provisioning projects go to the Board for review since they were so badly over budget

    • Cost the CIO and Director of Security their jobs


Comments

  • Most identity projects don’t have good disaster recovery and high availability

  • This is always played down when the projects are starting out

  • I tell them that the CEO will get involved if the system goes down


Comments

  • They usually ignore me

  • Several months later I get a call telling me I was right about the CEO calling

  • Then they find money and resources to put in a high availability and instant disaster recovery system


Comments

  • Enterprise identity data governance is usually poor

  • HR usually makes data changes without thinking of the effects throughout the enterprise systems

  • I have personally seen this cause the SSO systems to fail


Comments

  • Enterprises need identity management governance processes for those identity attributes which are deemed “enterprise”


Scope Creep

  • Especially with provisioning projects (and also large scale SSO) scope creep can be deadly

  • The benefits are sold before the project has gotten the infrastructure and business processes in place


Politics

  • Identity projects are full of this!

  • It usually crosses over most departments and business units

  • Choose your initial rollout carefully

  • Requires strong senior management support


Questions

  • I’d like to come back and talk about malware and identities but that’s another topic

  • So, what questions do you have?


Contact Information

  • Guy Huntington

  • www.authenticationworld.com

  • [email protected]

  • Cell: 604-861-6804

  • Office: 604-921-6797
