Large Project Identity Management - PowerPoint PPT Presentation
Presentation Transcript
Large Project Identity Management

Guy Huntington, President
Huntington Ventures Ltd.

May 9, 2007
Agenda
  • Next 20 minutes I’m going to cover the following:
    • Large scale identity projects
    • Common pitfalls
Who Am I?
  • Guy Huntington
  • Been the lead consultant on numerous large, complicated Fortune 500 identity projects
  • I am currently releasing security awareness training products
Why Am I Here?
  • I was sitting at a lunch beside Joost who asked me what I did
  • After telling him, he asked me if I’d be interested in speaking about my experiences
  • I said I would and now…here I am!
My Identity Experience
  • Boeing single sign on
  • Capital One identity architecture
  • Capital One single sign on
  • Capital One SarBox provisioning
  • Kaiser Permanente WSSO review
  • Potash Corp identity architecture
  • 2001
  • 3 million users
  • 1,500 web applications
  • Multiple identity sources
  • 15 different business units each with their own CIO
  • Many different methods of authentication
    • AD and Sun directories (uid and password)
    • RACF
    • Proximity badges
    • Digital certs
  • RBAC system for airline customers with over 700 roles with complex multi-relationships
  • They ran every kind of computing platform known to mankind
    • AIX, HP-UX, Solaris, Linux and Windows to name a few
  • Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc.
  • They also had five separate portal projects each using different portal vendors
  • Lots of problems
    • No integrated deployment team
    • No ranking system of authentication strength
    • No one manager in charge of the program
    • No factory model for integrating 1,500 applications
    • No substantial project documentation
    • No change management process in place for the project
    • Not enough test servers
    • Too many promises to quickly deploy without the wherewithal to deliver
    • No transition plan to move away from expensive consultants to Boeing staff
    • Not enough budget
What Did I Do?
  • I took over the project
  • I re-scoped the project and cut down the deliverables for the next 6 months
  • I re-budgeted the project
  • I re-staffed the project
  • I moved the project office
  • I found over 40 additional servers to use as a test environment
What Did I Do?
  • I got the long term Boeing program manager involved
  • I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution
What Did I Do?
  • I put a person in charge of integrating with the Boeing customized proxy servers
  • I staffed up the project with Boeing people to begin a training and transition process
What Did I Do?
  • I put a person in charge of integrating with the Boeing RBAC for commercial airlines
  • I created daily team meetings
  • AND THEN…we worked like hell for six months!
What Did I Do?
  • I implemented a change management process
  • I implemented a SSO governance process
  • I left the project under a successful rollout
  • Today, they have integrated approximately 1,500 applications
What Did I Do?
  • I also laid in place the ground work for one of the first large scale SAML rollouts
  • After I left the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers
Capital One
  • Large, credit card company and bank
  • Operate call centers all over the world
  • When I appeared they had no identity architecture
Cap One Identity Architecture
  • No global uid
  • No authoritative sources for contractors, consultants, temps
  • >70,000 identities in the directory, and nobody knew whether they were current or not
  • The directory team was being shredded at the time I showed up
What Did I Do?
  • Got emergency money to support the directory team and re-org’d them
  • Began discussions with HR on accepting contractors and consultants into PeopleSoft
  • Created a global uid
  • Then began internal battles to get the global uid implemented
What Did I Do?
  • Also recommended changes to the directory DIT and schema
  • Created an identity architecture
  • Wrote lots of white papers explaining how an identity management system would benefit them
Cap One SSO
  • It was a disaster when I showed up
  • 2nd effort to deploy it
  • The CIO was giving them ten weeks to deploy or else heads would roll
  • The project was a subset of a portal project
Cap One SSO
  • The project manager and team had no idea of how to deploy SSO
  • I also believed the SSO product wouldn’t work
What Did I Do?
  • I took over the project
  • I fought the team
  • I put the project back into proof of concept mode
  • I then proved over three weeks that the product wouldn’t work
  • This led to lots of discussions!
What Did I Do?
  • I got the vendor to redesign the product
  • I then got the team to rethink their deployment
  • I organized daily meetings
  • I got the project successfully rolled out on time while the portal project was delayed
Cap One SarBox
  • I went back to Capital One to look after six mini identity projects
  • On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble
Cap One SarBox
  • Problems
    • 4 staff
    • No product chosen
    • They were reengineering the business processes for 57 financial applications for 30,000 workers!
Cap One SarBox
  • Problems
    • No one was working on the business processes!
    • They had five months to deliver or the auditors were refusing to sign their financials!
    • I believed the Board was going to get very interested in this project
What Did I Do?
  • I ended up taking over the project
  • I replaced the project manager
  • I got over 20 people assigned to the project
  • I started daily team meetings
What Did I Do?
  • I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses
  • I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc.
  • We rolled out successfully!
Federated Identities
  • Just a footnote that I also got a SAML pilot going while the provisioning project was underway
Kaiser Permanente
  • Largest healthcare provider in the US
  • I led a complete review of their existing web single sign on system
  • I found lots of problems
K.P. Problems
  • There were no data guardian processes
  • They had no high availability systems
  • They had a poor disaster recovery process
K.P. Problems
  • They had no monitoring specifications
  • They didn’t have enough staff
  • They didn’t have a single sign on factory model in place to suck up applications and SSO enable them
What Did I Do?
  • Recommended a new target architecture
  • Recommended high availability and hot disaster recovery
  • Recommended monitoring specifications
What Did I Do?
  • Recommended staff reorgs
  • Recommended single sign on factory
  • Recommended data monitoring
  • Recommended change management processes
  • Recommended maintenance budgets
Potash Corporation
  • I was brought in to recommend an identity architecture for them
  • They had three businesses
  • They wanted to move off of NT
My Discovery
  • I found that they were doing some web services with their customers but it wasn’t scalable and I had some security concerns
  • I found there was no authoritative source for contractors and consultants
  • I mapped out on and off-boarding for employees, contractors, consultants and temps
What Did I Do?
  • I gave them an Identity Roadmap
  • I recommended a directory DIT and schema
  • I recommended an authoritative source for contractors
  • I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services
  • Identity projects are complicated, especially if the project is large and under tight timelines
  • Most enterprises don’t have good authoritative sources for non-employees
    • This is changing but I still find this to be the weak area in most projects
  • Most projects are already drinking the Kool-aid before they’ve figured out exactly what’s involved in making the Kool-aid first
    • I have seen provisioning projects go to the Board for review since they were so badly over budget
    • Cost the CIO and Director of Security their jobs
  • Most identity projects don’t have good disaster recovery and high availability
  • This is always played down when the projects are starting out
  • I tell them that the CEO will get involved if the system goes down
  • They usually ignore me
  • Several months later I get a call telling me I was right about the CEO calling
  • Then they find money and resources to put in a high availability and instant disaster recovery system
  • Enterprise identity data governance is usually poor
  • HR usually makes data changes without thinking of the effects throughout the enterprise systems
  • I have personally seen this cause the SSO systems to fail
  • Enterprises need identity management governance processes for those identity attributes which are deemed “enterprise”
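Several of the pitfalls above (identities in the directory nobody can vouch for, no authoritative source for non-employees, HR changing an enterprise attribute and breaking SSO downstream) are caught by the same control: periodically reconciling the directory against the authoritative sources and flagging every entry that is orphaned, stale or drifted. The script below is an added example written for this page, not code from the presentation or from any of the companies named; the HR feed, contractor registry, directory dump, field names, status values and the list of enterprise-governed attributes are all constructed assumptions.

```python
"""Reconcile a directory dump against authoritative identity sources.

Added example, not part of the presentation. Every feed, field name and
status value below is constructed for illustration.
"""
from dataclasses import dataclass

# Attributes deemed "enterprise": a change at the authoritative source must
# be propagated deliberately, so any divergence from the directory is flagged.
ENTERPRISE_ATTRIBUTES = ("global_uid", "status", "business_unit")

# Constructed sample feeds (assumed shapes, not any real system's export).
HR_FEED = {  # authoritative for employees
    "E1001": {"global_uid": "g00001", "status": "active", "business_unit": "cards"},
    "E1002": {"global_uid": "g00002", "status": "terminated", "business_unit": "bank"},
    "E1003": {"global_uid": "g00003", "status": "active", "business_unit": "bank"},
}
CONTRACTOR_FEED = {  # authoritative for contractors, consultants and temps
    "C2001": {"global_uid": "g20001", "status": "active", "business_unit": "cards"},
}
DIRECTORY = [  # what the LDAP directory currently holds
    {"uid": "jsmith", "source_id": "E1001", "global_uid": "g00001", "status": "active", "business_unit": "cards"},
    {"uid": "ajones", "source_id": "E1002", "global_uid": "g00002", "status": "active", "business_unit": "bank"},
    {"uid": "bwong", "source_id": "E1003", "global_uid": "g00003", "status": "active", "business_unit": "cards"},
    {"uid": "tcon", "source_id": "C2001", "global_uid": "g20001", "status": "active", "business_unit": "cards"},
    {"uid": "legacy7", "source_id": None, "global_uid": None, "status": "active", "business_unit": "unknown"},
]


@dataclass
class Finding:
    uid: str
    kind: str  # orphan | stale | drift | duplicate_global_uid
    detail: str = ""


def reconcile(directory, sources):
    """Classify each directory entry against the authoritative sources.

    sources maps a source name to {source_id: attributes}. Returns
    (summary, findings): counts per outcome plus one Finding per problem.
    """
    authoritative = {}
    for name, feed in sources.items():
        for source_id, attrs in feed.items():
            authoritative[source_id] = (name, attrs)

    summary = {"current": 0, "orphan": 0, "stale": 0, "drift": 0}
    findings = []
    owner_of_global_uid = {}

    for entry in directory:
        uid = entry["uid"]
        guid = entry.get("global_uid")
        if guid:
            # The global uid is only useful if it is actually unique.
            if guid in owner_of_global_uid:
                findings.append(Finding(uid, "duplicate_global_uid",
                                        f"also held by {owner_of_global_uid[guid]}"))
            owner_of_global_uid.setdefault(guid, uid)

        record = authoritative.get(entry.get("source_id"))
        if record is None:
            # Nobody can vouch for this account: the unknown-status case.
            summary["orphan"] += 1
            findings.append(Finding(uid, "orphan", "no authoritative source"))
            continue
        source_name, attrs = record

        if attrs["status"] != "active":
            if entry.get("status") == "active":
                # Source says gone but SSO still accepts the account.
                summary["stale"] += 1
                findings.append(Finding(uid, "stale",
                                        f"{source_name} status={attrs['status']}"))
            else:
                summary["current"] += 1  # already disabled, as it should be
            continue

        drifted = [a for a in ENTERPRISE_ATTRIBUTES if entry.get(a) != attrs.get(a)]
        if drifted:
            summary["drift"] += 1
            findings.append(Finding(uid, "drift", ", ".join(drifted)))
        else:
            summary["current"] += 1

    return summary, findings


if __name__ == "__main__":
    summary, findings = reconcile(DIRECTORY, {"hr": HR_FEED, "contractors": CONTRACTOR_FEED})
    print(summary)
    for f in findings:
        print(f"{f.uid:<8} {f.kind:<22} {f.detail}")
```

Run as-is it prints the summary and one line per finding. In practice the feeds would come from systems like PeopleSoft and the directory itself; the "orphan" bucket is the queue a data cleanup team works through, "stale" entries are accounts SSO is still honouring after the source says the person is gone, and "drift" findings are the signal that an enterprise attribute changed at the source without going through a governance process.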
Scope Creep
  • Especially with provisioning projects (and also large scale SSO), scope creep can be deadly
  • The benefits are sold before the project has gotten the infrastructure and business processes in place
  • Identity projects are full of this!
  • It usually crosses over most departments and business units
  • Choose your initial rollout carefully
  • Requires strong senior management support
  • I’d like to come back and talk about malware and identities but that’s another topic
  • So, what questions do you have?
Contact Information
  • Guy Huntington
  • Cell: 604-861-6804
  • Office: 604-921-6797