Large Project Identity Management
Guy Huntington, President
Huntington Ventures Ltd.
www.authenticationworld.com
May 9, 2007
Agenda
• Next 20 minutes I’m going to cover the following:
– Large scale identity projects
– Common pitfalls
Who Am I?
• Guy Huntington
• Been the lead consultant on numerous large, complicated Fortune 500 identity projects
• I am currently releasing security awareness training products
Why Am I Here?
• I was sitting at a lunch beside Joost who asked me what I did
• After telling him, he asked me if I’d be interested in speaking about my experiences
• I said I would and now…here I am!
My Identity Experience
• Boeing single sign on
• Capital One identity architecture
• Capital One single sign on
• Capital One SarBox provisioning
• Kaiser Permanente WSSO review
• Potash Corp identity architecture
Boeing
• 2001
• 3 million users
• 1,500 web applications
• Multiple identity sources
• 15 different business units each with their own CIO
Boeing
• Many different methods of authentication
– AD and Sun directories (uid and password)
– RACF
– Proximity badges
– Digital certs
Boeing
• RBAC system for airline customers with over 700 roles with complex multi-relationships
• They ran every kind of computing platform known to mankind
– AIX, HP-UX, Solaris, Linux and Windows to name a few
Boeing
• Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc.
• They also had five separate portal projects each using different portal vendors
Boeing
• Lots of problems
– No integrated deployment team
– No ranking system of authentication strength
– No one manager in charge of the program
– No factory model for integrating 1,500 applications
Boeing
• Lots of problems
– No substantial project documentation
– No change management process in place for the project
Boeing
• Lots of problems
– Not enough test servers
– Too many promises to quickly deploy without the wherewithal to deliver
– No transition plan to move away from expensive consultants to Boeing staff
– Not enough budget
What Did I Do?
• I took over the project
• I re-scoped the project and cut down the deliverables for the next 6 months
• I re-budgeted the project
• I re-staffed the project
• I moved the project office
• I found over 40 additional servers to use as a test environment
What Did I Do?
• I got the long term Boeing program manager involved
• I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution
What Did I Do?
• I put a person in charge of integrating with the Boeing customized proxy servers
• I staffed up the project with Boeing people to begin a training and transition process
What Did I Do?
• I put a person in charge of integrating with the Boeing RBAC for commercial airlines
• I created daily team meetings
• AND THEN…we worked like hell for six months!
What Did I Do?
• I implemented a change management process
• I implemented a SSO governance process
• I left the project under a successful rollout
• Today, they have integrated approximately 1,500 applications
What Did I Do?
• I also laid in place the ground work for one of the first large scale SAML rollouts
• After I left the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers
Capital One
• Large credit card company and bank
• Operate call centers all over the world
• When I appeared they had no identity architecture
Cap One Identity Architecture
• No global uid
• No authoritative sources for contractors, consultants, temps
• >70,000 identities in the directory; nobody knew if they were current or not
• The directory team was being shredded at the time I showed up
What Did I Do?
• Got emergency money to support the directory team and re-org’d them
• Began discussions with HR on accepting contractors and consultants into PeopleSoft
• Created a global uid
• Then began internal battles to get the global uid implemented
What Did I Do?
• Also recommended changes to the directory DIT and schema
• Created an identity architecture
• Wrote lots of white papers explaining how an identity management system would benefit them
Cap One SSO
• It was a disaster when I showed up
• 2nd effort to deploy it
• The CIO was giving them ten weeks to deploy or else heads would roll
• The project was a subset of a portal project
Cap One SSO
• The project manager and team had no idea of how to deploy SSO
• I also believed the SSO product wouldn’t work
What Did I Do?
• I took over the project
• I fought the team
• I put the project back into proof of concept mode
• I then proved over three weeks that the product wouldn’t work
• This led to lots of discussions!
What Did I Do?
• I got the vendor to redesign the product
• I then got the team to rethink their deployment
• I organized daily meetings
• I got the project successfully rolled out on time while the portal project delayed
Cap One SarBox
• I went back to Capital One to look after six mini identity projects
• On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble
Cap One SarBox
• Problems
– 4 staff
– No product chosen
– They were reengineering the business processes for 57 financial applications for 30,000 workers!
Cap One SarBox
• Problems
– No one was working on the business processes!
– They had five months to deliver or the auditors were refusing to sign their financials!
– I believed the Board was going to get very interested in this project
What Did I Do?
• I ended up taking over the project
• I replaced the project manager
• I got over 20 people assigned to the project
• I started daily team meetings
What Did I Do?
• I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses
• I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc.
• We rolled out successfully!
Federated Identities
• Just a footnote that I also got a SAML pilot going while the provisioning project was underway
Kaiser Permanente
• Largest healthcare provider in the US
• I led a complete review of their existing web single sign on system
• I found lots of problems
K.P. Problems
• There were no data guardian processes
• They had no high availability systems
• They had a poor disaster recovery process
K.P. Problems
• They had no monitoring specifications
• They didn’t have enough staff
• They didn’t have a single sign on factory model in place to suck up applications and SSO enable them
What Did I Do?
• Recommended a new target architecture
• Recommended high availability and hot disaster recovery
• Recommended monitoring specifications
What Did I Do?
• Recommended staff reorgs
• Recommended single sign on factory
• Recommended data monitoring
• Recommended change management processes
• Recommended maintenance budgets
Potash Corporation
• I was brought in to recommend an identity architecture for them
• They had three businesses
• They wanted to move off of NT
My Discovery
• I found that they were doing some web services with their customers but it wasn’t scalable and I had some security concerns
• I found there was no authoritative source for contractors and consultants
• I mapped out on and off-boarding for employees, contractors, consultants and temps
What Did I Do?
• I gave them an Identity Roadmap
• I recommended a directory DIT and schema
• I recommended an authoritative source for contractors
• I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services
Comments
• Identity projects are complicated, especially if the project is large and under tight timelines
• Most enterprises don’t have good authoritative sources for non-employees
– This is changing but I still find this to be the weak area in most projects
Comments
• Most projects are already drinking the Kool-aid before they’ve figured out exactly what’s involved in making the Kool-aid first
– I have seen provisioning projects go to the Board for review since they were so badly over budget
– Cost the CIO and Director of Security their jobs
Comments
• Most identity projects don’t have good disaster recovery and high availability
• This is always played down when the projects are starting out
• I tell them that the CEO will get involved if the system goes down
Comments
• They usually ignore me
• Several months later I get a call telling me I was right about the CEO calling
• Then they find money and resources to put in a high availability and instant disaster recovery system
Comments
• Enterprise identity data governance is usually poor
• HR usually makes data changes without thinking of the effects throughout the enterprise systems
• I have personally seen this cause the SSO systems to fail
Comments
• Enterprises need identity management governance processes for those identity attributes which are deemed “enterprise”
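Two of the failure modes in these slides, directory identities with no authoritative source (the >70,000 unknown statuses and the missing contractor sources) and HR changing attributes that downstream SSO depends on, can both be caught with a small reconciliation and change-review check. The following is an added Python example written for this page; it is not the presenter's code or any product's. The attribute names, the choice of `global_uid`, `status` and `mail` as the "enterprise" attributes, and every sample record are constructed assumptions for illustration.

```python
"""Reconcile a directory export against authoritative identity sources and
review source-system changes to "enterprise" attributes.

All data below is constructed sample data; attribute names and the set of
enterprise-governed attributes are assumptions for illustration."""
from dataclasses import dataclass

# Attributes designated "enterprise": SSO and provisioning key on them, so a
# source system (HR, contractor registry) must not change them without a
# governance step. Assumed set for this example.
ENTERPRISE_ATTRS = {"global_uid", "status", "mail"}
# The global uid is the join key across every system; it must never change.
IMMUTABLE_ATTRS = {"global_uid"}


@dataclass
class Finding:
    global_uid: str
    issue: str
    detail: str = ""


def reconcile(directory, sources):
    """Compare directory entries with the authoritative sources.

    directory: {global_uid: {attr: value}} as exported from the directory.
    sources:   {source_name: {global_uid: {attr: value}}}, one dict per
               authoritative source (HR for employees, a registry for
               contractors and consultants).
    Returns one Finding per problem found.
    """
    findings = []
    for uid, entry in directory.items():
        owners = [name for name, recs in sources.items() if uid in recs]
        if not owners:
            # Nobody vouches for this account: the "unknown status" case.
            findings.append(Finding(uid, "no_authoritative_source",
                                    f"type={entry.get('type')}"))
            continue
        if len(owners) > 1:
            findings.append(Finding(uid, "multiple_sources", ",".join(sorted(owners))))
        # Status is owned by the source; the directory must agree with it.
        src = sources[owners[0]][uid]
        if src.get("status") != entry.get("status"):
            findings.append(Finding(uid, "status_mismatch",
                                    f"directory={entry.get('status')} source={src.get('status')}"))
    # Identities the source knows but the directory lacks are also a gap.
    for name, recs in sources.items():
        for uid in recs:
            if uid not in directory:
                findings.append(Finding(uid, "missing_from_directory", name))
    return findings


def review_change(before, after):
    """Classify one proposed record change coming from a source system.

    ("reject", attrs)         an immutable attribute would change
    ("needs_approval", attrs) an enterprise attribute changes; route it
                              through the governance process first
    ("ok", attrs)             only locally owned attributes change
    """
    changed = {k for k in set(before) | set(after) if before.get(k) != after.get(k)}
    immutable_hits = changed & IMMUTABLE_ATTRS
    if immutable_hits:
        return ("reject", sorted(immutable_hits))
    enterprise_hits = changed & ENTERPRISE_ATTRS
    if enterprise_hits:
        return ("needs_approval", sorted(enterprise_hits))
    return ("ok", sorted(changed))


# Constructed sample: a directory export plus two authoritative sources.
DIRECTORY = {
    "u1001": {"type": "employee",   "status": "active", "mail": "a.lee@example.com"},
    "u1002": {"type": "employee",   "status": "active", "mail": "b.ng@example.com"},
    "u2001": {"type": "contractor", "status": "active", "mail": "c.diaz@example.com"},
    "u2002": {"type": "contractor", "status": "active", "mail": "d.ito@example.com"},
    "u9001": {"type": None,         "status": "active", "mail": "e.unknown@example.com"},
}
SOURCES = {
    "hr": {
        "u1001": {"status": "active"},
        "u1002": {"status": "terminated"},  # left the company; directory still active
        "u1003": {"status": "active"},      # hired but never provisioned
    },
    "contractor_registry": {
        "u2001": {"status": "active"},
        # u2002 has no record here: a contractor with no authoritative source
    },
}


def run_sample():
    """Reconcile the sample data and return {issue: [global_uids]}."""
    summary = {}
    for f in reconcile(DIRECTORY, SOURCES):
        summary.setdefault(f.issue, []).append(f.global_uid)
    return summary


if __name__ == "__main__":
    for issue, uids in run_sample().items():
        print(f"{issue}: {', '.join(uids)}")
```

On the sample data the reconciliation reports one terminated employee still active in the directory, two accounts nobody vouches for, and one new hire the directory has never seen; `review_change` lets a department change through, holds an e-mail change for approval, and rejects any attempt to alter the global uid.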
Scope Creep
• Especially with provisioning projects (and also large scale SSO) scope creep can be deadly
• The benefits are sold before the project has gotten the infrastructure and business processes in place
Politics
• Identity projects are full of this!
• It usually crosses over most departments and business units
• Choose your initial rollout carefully
• Requires strong senior management support
Questions
• I’d like to come back and talk about malware and identities but that’s another topic
• So, what questions do you have?
Contact Information
• Guy Huntington
• www.authenticationworld.com
• Cell: 604-861-6804
• Office: 604-921-6797