Identity in the Bechtel Cloud
Why and how one of the most successful Engineering & Construction companies rebuilt their digital world…

Christian Reilly – Manager of Global Systems Engineering
Brian D Ward – Manager of Integration Services

Bechtel On OpenID and OAuth from Cloud Identity Summit


DESCRIPTION

Christian Reilly, Manager of Global Systems Engineering, and Brian Ward, Manager of Integration Services, make a good case for how to use OpenID and OAuth in an extended enterprise environment. Bechtel is a $30B business with 44,000 employees. See slide 13 for a description of Identity 2.0 and BYOI (Bring Your Own Identity) provided by Janrain Engage: www.janrain.com


Page 1: Bechtel On OpenID and OAuth from Cloud Identity Summit


Page 2: Bechtel On OpenID and OAuth from Cloud Identity Summit
Page 3: Bechtel On OpenID and OAuth from Cloud Identity Summit

Information Evolution & Business Change
Introducing the Project Services Network

Page 4: Bechtel On OpenID and OAuth from Cloud Identity Summit
Page 5: Bechtel On OpenID and OAuth from Cloud Identity Summit

Our business model is evolving to be more complex and distributed.

Our two main challenges are related to:

- Geography: our projects are executed in many distributed locations
- People: our resource model includes permanent and temporary employees, as well as vendors, customers, partners, and competitors

GRAY ZONE

Page 6: Bechtel On OpenID and OAuth from Cloud Identity Summit

Current Position

Page 7: Bechtel On OpenID and OAuth from Cloud Identity Summit

Square pegs and round holes…. How much pain would you like?

Page 8: Bechtel On OpenID and OAuth from Cloud Identity Summit

- Active Directory – separate internal and external forests
- Integrated Authentication, Kerberos Constrained Delegation, Reverse Proxy
- Complex trust models & ICC's
- Application mix from Bechtel, Client, Partner, Competitor
- Wide variety of application architectures

Page 9: Bechtel On OpenID and OAuth from Cloud Identity Summit

(Diagram of the current AD-centric model; labels: Printers, File Shares, Mail, Internet Access, AD, Desktop, Other apps (long tail), Core Apps: TimeCard, SAP, Intranet, SaaS, SaaS Bridge)

Page 10: Bechtel On OpenID and OAuth from Cloud Identity Summit

- High degree of operational complexity
- Poor visibility into which people are accessing what resource
- Inflexible model slows down deployment of services and applications to projects
- Difficult to accommodate new user communities (which change daily)
- Not readily adaptable to SaaS offerings

Page 11: Bechtel On OpenID and OAuth from Cloud Identity Summit

Why is it so easy in The Cloud? And yet so hard in the Enterprise?

Page 12: Bechtel On OpenID and OAuth from Cloud Identity Summit

Realizations
- "Castle and Moat" approach to security is dead
- Our Windows-centric approach has significant technical and operational constraints
- Authentication/Authorization are the key problems to solve

Resolutions
- We need a completely new approach
- Make all applications/services SaaS
- Make Bechtel a SaaS Provider (wow)
- Replace, not augment, the current model

Page 13: Bechtel On OpenID and OAuth from Cloud Identity Summit

Identity "2.0"
- A new identity model – identities for life
- BYOI with OpenID (Janrain), Federation
- Anyone can have an account
- Self Registration based on relationships

Authorization
- Integrated into SAP
- Attribute store – single source of truth, replacement for groups
- Coarse grained authz performed by Ping
- Fine grained done in apps for now, centrally later

Page 14: Bechtel On OpenID and OAuth from Cloud Identity Summit

Integration
- SAML / OpenToken integration for all deployed applications
- Citrix integration with credential translation for legacy application support
- Two-legged OAuth STS for web services

Services
- New application stacks (SaaS-style)
- File / Print / Internet Access authentication replacement
- New desktop model – BYOD
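The "two-legged OAuth STS for web services" item refers to OAuth 1.0a signed service-to-service requests with no user token (RFC 5849). The following is an added example, not the Bechtel team's code: it builds the RFC 5849 signature base string, signs it with HMAC-SHA1 using only the consumer secret, and shows the checks a receiving web service should make (known consumer, fresh timestamp, unseen nonce, constant-time signature comparison). Consumer names, secrets, URLs and body parameters are constructed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit
# Constructed consumer registry: in the deck this would sit behind the STS.
CONSUMERS = {"timecard-svc": "constructed-consumer-secret"}
REPLAY_WINDOW = 300            # seconds of clock skew the service tolerates
_seen_nonces = {}              # (consumer_key, nonce) -> timestamp; in-memory for the demo
def _enc(s):
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6."""
    return quote(str(s), safe="-._~")
def base_string(method, url, params):
    """RFC 5849 section 3.4.1 signature base string; params must exclude oauth_signature."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = [(_enc(k), _enc(v)) for k, v in params]
    pairs += [(_enc(k), _enc(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])

def sign(method, url, params, consumer_secret):
    """HMAC-SHA1 over the base string; two-legged, so the token-secret half of the key is empty."""
    key = (_enc(consumer_secret) + "&").encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def make_request(method, url, body, consumer_key, consumer_secret, now=None):
    """Client side: build the oauth_* protocol parameters for a form-encoded request."""
    ts = int(time.time() if now is None else now)
    oauth = [("oauth_consumer_key", consumer_key), ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", str(ts)), ("oauth_nonce", secrets.token_hex(8)), ("oauth_version", "1.0")]
    oauth.append(("oauth_signature", sign(method, url, oauth + list(body), consumer_secret)))
    return dict(oauth)

def verify(method, url, body, oauth, now=None):
    """Service side: known consumer, fresh timestamp, unseen nonce, then constant-time signature check."""
    now = time.time() if now is None else now
    secret = CONSUMERS.get(oauth.get("oauth_consumer_key"))
    if secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts, nonce, sig = int(oauth["oauth_timestamp"]), oauth["oauth_nonce"], oauth["oauth_signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW or (oauth["oauth_consumer_key"], nonce) in _seen_nonces:
        return False               # stale clock or replayed nonce
    params = [(k, v) for k, v in oauth.items() if k != "oauth_signature"] + list(body)
    if not hmac.compare_digest(sign(method, url, params, secret).encode(), str(sig).encode()):
        return False
    _seen_nonces[(oauth["oauth_consumer_key"], nonce)] = ts   # record only after a valid signature
    return True
```

A production service would keep the nonce table in shared storage with expiry tied to REPLAY_WINDOW, and would log each rejection reason so the "single point of entry & logging" goal of the deck is met.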

Page 15: Bechtel On OpenID and OAuth from Cloud Identity Summit

(Diagram of the target model; labels: Browser, Other apps (long tail), Core Apps: TimeCard, SAP, Intranet, Identity Array, Printers, File Shares, Mail, Internet Access, SaaS)

Page 16: Bechtel On OpenID and OAuth from Cloud Identity Summit

Simplicity
- Built for the "Internet" not for the "Enterprise"
- No "internal" vs. "external" architectural constraints
- Moving away from managing every user account

Agility
- Modular framework of security, UI and services
- Applications decoupled from infrastructure
- No vendor lock-in via open standards/open source
- Able to accommodate SaaS and new identity pools natively (with added hope for Geneva)

Page 17: Bechtel On OpenID and OAuth from Cloud Identity Summit

Affordability
- Lower overall operational cost
- "B3" approach allows greater flexibility in cost management
- New vendors embrace new commercial models

Security
- Standards based security
- Single point of entry & logging
- Secured by policy not by topology (secure the data and not the device)
- Easily allow any user access to any data in a controlled life cycle

Page 18: Bechtel On OpenID and OAuth from Cloud Identity Summit

Why can’t we just buy this…hint, hint ? Unraveling years of LAN / WAN based legacy is, well, damn hard.

Page 19: Bechtel On OpenID and OAuth from Cloud Identity Summit

Facts
- SaaS integration quickly becoming a commodity
- Federation and/or OpenID fills in the moat
- SaaS moves you out of the castle in the "Metro"

Key Questions
- What does the enterprise have left?
- How long is the tail for traditional enterprises?

Challenges
- Authorization is THE game to win
- Push provisioning is, at best, an interim solution
- A central model with standards-based interfaces is desperately needed

Page 20: Bechtel On OpenID and OAuth from Cloud Identity Summit

Questions & Answers Or if you’re too shy, grab one of us later….