Large Project Identity Management Guy Huntington, President Huntington Ventures Ltd. www.authenticationworld.com May 9,2007




Page 1: Large Project Identity Management

Guy Huntington, President

Huntington Ventures Ltd.
www.authenticationworld.com

May 9, 2007

Page 2: Agenda

• In the next 20 minutes I'm going to cover the following:

– Large scale identity projects

– Common pitfalls

Page 3: Who Am I?

• Guy Huntington

• Been the lead consultant on numerous large, complicated Fortune 500 identity projects

• I am currently releasing security awareness training products

Page 4: Why Am I Here?

• I was sitting at a lunch beside Joost who asked me what I did

• After telling him, he asked me if I’d be interested in speaking about my experiences

• I said I would and now…here I am!

Page 5: My Identity Experience

• Boeing single sign on

• Capital One identity architecture

• Capital One single sign on

• Capital One SarBox provisioning

• Kaiser Permanente WSSO review

• Potash Corp identity architecture

Page 6: Boeing

• 2001

• 3 million users

• 1,500 web applications

• Multiple identity sources

• 15 different business units each with their own CIO

Page 7: Boeing

• Many different methods of authentication

– AD and Sun directories (uid and password)

– RACF

– Proximity badges

– Digital certs

Page 8: Boeing

• RBAC system for airline customers with over 700 roles with complex multi-relationships

• They ran every kind of computing platform known to mankind

– AIX, HP-UX, Solaris, Linux and Windows to name a few

Page 9: Boeing

• Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc.

• They also had five separate portal projects each using different portal vendors

Page 10: Boeing

• Lots of problems

– No integrated deployment team

– No ranking system of authentication strength

– No one manager in charge of the program

– No factory model for integrating 1,500 applications
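The "ranking system of authentication strength" this slide says was missing, shown as an added example that is not from the deck or from Boeing's program. It ranks the authenticators listed on slide 7 (AD and Sun uid/password, RACF, proximity badge, digital cert) and decides whether a session must step up before an application lets it in. The level numbers, the method names, the rule that two factors of different kinds count as multi-factor, and the per-application requirements are all assumptions made for the example.

```python
from enum import IntEnum


class Strength(IntEnum):
    """Assumed ranking, weakest to strongest."""
    NONE = 0
    PASSWORD = 1      # uid/password against AD, Sun directory, or RACF
    BADGE = 2         # proximity badge alone (possession, no secret)
    CERT = 3          # client digital certificate
    MULTI_FACTOR = 4  # two factors of different kinds in one session


# method -> (factor kind, stand-alone strength); names and levels are assumptions
METHODS = {
    "ad_password":  ("knowledge",  Strength.PASSWORD),
    "sun_password": ("knowledge",  Strength.PASSWORD),
    "racf":         ("knowledge",  Strength.PASSWORD),
    "prox_badge":   ("possession", Strength.BADGE),
    "digital_cert": ("possession", Strength.CERT),
}

# minimum level each application demands (hypothetical applications)
APP_POLICY = {
    "cafeteria_menu":       Strength.PASSWORD,
    "engineering_drawings": Strength.CERT,
    "payroll_admin":        Strength.MULTI_FACTOR,
}


def session_strength(methods_used):
    """Strongest single method used, or MULTI_FACTOR when the methods span
    at least two different factor kinds (e.g. badge plus password)."""
    kinds, best = set(), Strength.NONE
    for m in methods_used:
        if m not in METHODS:
            raise ValueError(f"unknown authentication method: {m}")
        kind, level = METHODS[m]
        kinds.add(kind)
        best = max(best, level)
    return Strength.MULTI_FACTOR if len(kinds) >= 2 else best


def access_decision(app, methods_used):
    """("allow", level) if the session meets the app's bar, otherwise
    ("step_up", [methods that, added to the session, would meet it])."""
    required = APP_POLICY[app]
    have = session_strength(methods_used)
    if have >= required:
        return ("allow", have)
    options = sorted(
        m for m in METHODS
        if m not in methods_used
        and session_strength(list(methods_used) + [m]) >= required
    )
    return ("step_up", options)


if __name__ == "__main__":
    for app, used in [("cafeteria_menu", ["ad_password"]),
                      ("engineering_drawings", ["prox_badge"]),
                      ("payroll_admin", ["racf", "prox_badge"])]:
        print(app, used, "->", access_decision(app, used))
```

The step-up list is computed rather than hard-coded, so an SSO front end can offer the user only the authenticators that would actually get them in; a second knowledge factor, for instance, never lifts a password session to multi-factor.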

Page 11: Boeing

• Lots of problems

– No substantial project documentation

– No change management process in place for the project

Page 12: Boeing

• Lots of problems

– Not enough test servers

– Too many promises to quickly deploy without the wherewithal to deliver

– No transition plan to move away from expensive consultants to Boeing staff

– Not enough budget

Page 13: What Did I Do?

• I took over the project

• I re-scoped the project and cut down the deliverables for the next 6 months

• I re-budgeted the project

• I re-staffed the project

• I moved the project office

• I found over 40 additional servers to use as a test environment

Page 14: What Did I Do?

• I got the long term Boeing program manager involved

• I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution

Page 15: What Did I Do?

• I put a person in charge of integrating with the Boeing customized proxy servers

• I staffed up the project with Boeing people to begin a training and transition process

Page 16: What Did I Do?

• I put a person in charge of integrating with the Boeing RBAC for commercial airlines

• I created daily team meetings

• AND THEN…we worked like hell for six months!

Page 17: What Did I Do?

• I implemented a change management process

• I implemented a SSO governance process

• I left the project under a successful rollout

• Today, they have integrated approximately 1,500 applications

Page 18: What Did I Do?

• I also laid in place the groundwork for one of the first large scale SAML rollouts

• After I left the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers

Page 19: Capital One

• Large credit card company and bank

• Operate call centers all over the world

• When I appeared they had no identity architecture

Page 20: Cap One Identity Architecture

• No global uid

• No authoritative sources for contractors, consultants, temps

• >70,000 identities in the directory that nobody knew were current or not

• The directory team was being shredded at the time I showed up

Page 21: What Did I Do?

• Got emergency money to support the directory team and re-org'd them

• Began discussions with HR on accepting contractors and consultants into PeopleSoft

• Created a global uid

• Then began internal battles to get the global uid implemented

Page 22: What Did I Do?

• Also recommended changes to the directory DIT and schema

• Created an identity architecture

• Wrote lots of white papers explaining how an identity management system would benefit them

Page 23: Cap One SSO

• It was a disaster when I showed up

• 2nd effort to deploy it

• The CIO was giving them ten weeks to deploy or else heads would roll

• The project was a subset of a portal project

Page 24: Cap One SSO

• The project manager and team had no idea of how to deploy SSO

• I also believed the SSO product wouldn’t work

Page 25: What Did I Do?

• I took over the project

• I fought the team

• I put the project back into proof of concept mode

• I then proved over three weeks that the product wouldn't work

• This led to lots of discussions!

Page 26: What Did I Do?

• I got the vendor to redesign the product

• I then got the team to rethink their deployment

• I organized daily meetings

• I got the project successfully rolled out on time while the portal project was delayed

Page 27: Cap One SarBox

• I went back to Capital One to look after six mini identity projects

• On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble

Page 28: Cap One SarBox

• Problems

– 4 staff

– No product chosen

– They were reengineering the business processes for 57 financial applications for 30,000 workers!

Page 29: Cap One SarBox

• Problems

– No one was working on the business processes!

– They had five months to deliver or the auditors would refuse to sign their financials!

– I believed the Board was going to get very interested in this project

Page 30: What Did I Do?

• I ended up taking over the project

• I replaced the project manager

• I got over 20 people assigned to the project

• I started daily team meetings

Page 31: What Did I Do?

• I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses

• I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc.

• We rolled out successfully!
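The cleanup this slide describes, together with the gaps the Cap One identity architecture slides list (no global uid, no authoritative source for contractors and consultants, tens of thousands of directory identities of unknown status), as an added example that is not from the deck or from Capital One. It reconciles every directory entry against the authoritative source for its identity type, buckets entries as current, terminated, orphan or unknown, and hands out one opaque global uid per source record so that one person behind two directory accounts is caught. The feeds, the attribute names, the contractor registry (assumed to exist for the example), the "disable rather than delete" choice and the global uid format are all assumptions.

```python
from collections import defaultdict
from datetime import date

TODAY = date(2007, 5, 9)

# Constructed sample feeds; none of this is real Capital One data.
HR_FEED = {  # PeopleSoft extract, authoritative for employees: hr_id -> record
    "100234": {"name": "Ana Perez", "status": "A"},
    "100877": {"name": "Tom Lee", "status": "T"},    # terminated in HR
    "101002": {"name": "Priya Nair", "status": "A"},
}
CONTRACTOR_REGISTRY = {  # assumed authoritative source for contractors and consultants
    "V-5561": {"name": "J. Okafor (Acme Staffing)", "end_date": date(2007, 12, 31)},
    "V-5102": {"name": "R. Stein (Consultco)", "end_date": date(2006, 11, 30)},  # engagement over
}
DIRECTORY = [  # LDAP entries flattened to dicts; sourceId links to the feeds above
    {"uid": "aperez",  "employeeType": "employee",   "sourceId": "100234"},
    {"uid": "aperez2", "employeeType": "employee",   "sourceId": "100234"},  # same person, 2nd account
    {"uid": "tlee",    "employeeType": "employee",   "sourceId": "100877"},
    {"uid": "jokafor", "employeeType": "contractor", "sourceId": "V-5561"},
    {"uid": "rstein",  "employeeType": "consultant", "sourceId": "V-5102"},
    {"uid": "mgarcia", "employeeType": "employee",   "sourceId": "109999"},  # no HR record
    {"uid": "temp42",  "employeeType": "temp",       "sourceId": None},      # temps have no source
]

# which feed is authoritative for each identity type (temps have none yet)
SOURCES = {"employee": "hr", "contractor": "vendor", "consultant": "vendor"}


class GlobalUidAllocator:
    """One opaque, never-reused identifier per (source, sourceId); the global
    uid is assigned here, never derived from name, email or org."""

    def __init__(self):
        self._by_key, self._next = {}, 1

    def get(self, source, source_id):
        key = (source, source_id)
        if key not in self._by_key:
            self._by_key[key] = f"G{self._next:07d}"
            self._next += 1
        return self._by_key[key]


def classify(entry, today=TODAY):
    """(status, source_key): status is current, terminated, orphan or unknown."""
    source, sid = SOURCES.get(entry["employeeType"]), entry.get("sourceId")
    if source is None or not sid:
        return "unknown", None            # no authoritative source to check against
    if source == "hr":
        rec = HR_FEED.get(sid)
        if rec is None:
            return "orphan", None         # directory points at a record HR does not have
        return ("current" if rec["status"] == "A" else "terminated"), ("hr", sid)
    rec = CONTRACTOR_REGISTRY.get(sid)
    if rec is None:
        return "orphan", None
    return ("current" if rec["end_date"] >= today else "terminated"), ("vendor", sid)


def reconcile(directory=DIRECTORY, today=TODAY):
    """Bucket every directory entry, assign global uids, and list accounts to act on."""
    alloc = GlobalUidAllocator()
    report = {"current": [], "terminated": [], "orphan": [], "unknown": []}
    owners = defaultdict(list)            # global uid -> directory uids that map to it
    for entry in directory:
        status, key = classify(entry, today)
        report[status].append(entry["uid"])
        if key:
            owners[alloc.get(*key)].append(entry["uid"])
    report["duplicates"] = [uids for uids in owners.values() if len(uids) > 1]
    # disable, don't delete: the audit trail has to survive the cleanup
    report["disable"] = sorted(report["terminated"] + report["orphan"])
    report["review"] = sorted(report["unknown"])   # needs a source before any decision
    return report


if __name__ == "__main__":
    for bucket, uids in reconcile().items():
        print(f"{bucket:>10}: {uids}")
```

Entries with no authoritative source (the temps here) are deliberately parked for review rather than disabled: the deck's point is that the missing source is the problem, and a cleanup script cannot decide those accounts on its own.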

Page 32: Federated Identities

• Just a footnote that I also got a SAML pilot going while the provisioning project was underway

Page 33: Kaiser Permanente

• Largest healthcare provider in the US

• I led a complete review of their existing web single sign on system

• I found lots of problems

Page 34: K.P. Problems

• There were no data guardian processes

• They had no high availability systems

• They had a poor disaster recovery process

Page 35: K.P. Problems

• They had no monitoring specifications

• They didn’t have enough staff

• They didn’t have a single sign on factory model in place to suck up applications and SSO enable them

Page 36: What Did I Do?

• Recommended a new target architecture

• Recommended high availability and hot disaster recovery

• Recommended monitoring specifications

Page 37: What Did I Do?

• Recommended staff reorgs

• Recommended single sign on factory

• Recommended data monitoring

• Recommended change management processes

• Recommended maintenance budgets

Page 38: Potash Corporation

• I was brought in to recommend an identity architecture for them

• They had three businesses

• They wanted to move off of NT

Page 39: My Discovery

• I found that they were doing some web services with their customers but it wasn't scalable and I had some security concerns

• I found there was no authoritative source for contractors and consultants

• I mapped out on and off-boarding for employees, contractors, consultants and temps

Page 40: What Did I Do?

• I gave them an Identity Roadmap

• I recommended a directory DIT and schema

• I recommended an authoritative source for contractors

• I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services

Page 41: Comments

• Identity projects are complicated, especially if the project is large and under tight timelines

• Most enterprises don't have good authoritative sources for non-employees

– This is changing but I still find this to be the weak area in most projects

Page 42: Comments

• Most projects are already drinking the Kool-aid before they've figured out exactly what's involved in making the Kool-aid first

– I have seen provisioning projects go to the Board for review since they were so badly over budget

– Cost the CIO and Director of Security their jobs

Page 43: Comments

• Most identity projects don't have good disaster recovery and high availability

• This is always played down when the projects are starting out

• I tell them that the CEO will get involved if the system goes down

Page 44: Comments

• They usually ignore me

• Several months later I get a call telling me I was right about the CEO calling

• Then they find money and resources to put in a high availability and instant disaster recovery system

Page 45: Comments

• Enterprise identity data governance is usually poor

• HR usually makes data changes without thinking of the effects throughout the enterprise systems

• I have personally seen this cause the SSO systems to fail

Page 46: Comments

• Enterprises need identity management governance processes for those identity attributes which are deemed "enterprise"
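One way to put the governance these two slides call for in front of the HR feed, as an added example that is not from the deck or from any company named in it. It diffs two nightly HR extracts and sorts each change by the class of the attribute: a change to the identifier the SSO system keys on is blocked outright, enterprise attributes wait for a data guardian's sign-off, HR-owned attributes flow through, and one enterprise attribute changing on a large share of rows at once (a recoded status value, say) is treated as a feed error rather than thousands of real changes, which is the kind of HR-side change the slide says takes SSO down. The attribute classes, the 25% threshold, the field names and the extracts are assumptions.

```python
from collections import Counter

# Governance classes for identity attributes; the classes and names are assumptions.
IMMUTABLE = {"globalUid"}                               # SSO and downstream systems key on it
ENTERPRISE = {"uid", "mail", "status", "employeeType"}  # changes need a data guardian's sign-off
LOCAL = {"deskPhone", "costCenter"}                     # HR-owned, propagates automatically
MASS_CHANGE_RATIO = 0.25   # one enterprise attribute changing on >25% of rows is a feed problem

# Constructed nightly HR extracts keyed by hr_id (not real data).
PREVIOUS_EXTRACT = {
    "100234": {"globalUid": "G0000001", "uid": "aperez", "status": "A", "deskPhone": "5501"},
    "100877": {"globalUid": "G0000002", "uid": "tlee",   "status": "A", "deskPhone": "5502"},
    "101002": {"globalUid": "G0000003", "uid": "pnair",  "status": "A", "deskPhone": "5503"},
    "101555": {"globalUid": "G0000004", "uid": "dkim",   "status": "A", "deskPhone": "5504"},
    "102000": {"globalUid": "G0000005", "uid": "sroy",   "status": "A", "deskPhone": "5505"},
}
CURRENT_EXTRACT = {
    "100234": {"globalUid": "G0000001", "uid": "aperez", "status": "Active", "deskPhone": "5590"},  # phone moved, status recoded
    "100877": {"globalUid": "G0000002", "uid": "tlee2",  "status": "Active", "deskPhone": "5502"},  # uid regenerated
    "101002": {"globalUid": "G0000099", "uid": "pnair",  "status": "A",      "deskPhone": "5503"},  # key changed
    # 101555 dropped from the extract entirely
    "102000": {"globalUid": "G0000005", "uid": "sroy",   "status": "Active", "deskPhone": "5505"},
}

RECORD = "<record>"   # pseudo-attribute for a row appearing or disappearing


def diff_extracts(previous, current):
    """List (hr_id, attr, old, new) for every difference between two extracts."""
    changes = []
    for hr_id, old in previous.items():
        new = current.get(hr_id)
        if new is None:
            changes.append((hr_id, RECORD, "present", "missing"))
            continue
        for attr in sorted(set(old) | set(new)):
            if old.get(attr) != new.get(attr):
                changes.append((hr_id, attr, old.get(attr), new.get(attr)))
    for hr_id in current:
        if hr_id not in previous:
            changes.append((hr_id, RECORD, "missing", "present"))
    return changes


def govern(previous, current, mass_ratio=MASS_CHANGE_RATIO):
    """Sort each change into apply / approve / block; batch_ok is False if anything is blocked."""
    changes = diff_extracts(previous, current)
    verdict = {"apply": [], "approve": [], "block": []}
    per_attr = Counter(c[1] for c in changes if c[1] in ENTERPRISE)
    rows = max(len(previous), 1)
    mass = {a for a, n in per_attr.items() if n / rows > mass_ratio}
    for change in changes:
        _, attr, _, new = change
        if attr in IMMUTABLE:
            verdict["block"].append((*change, "immutable identifier changed"))
        elif attr in mass:
            verdict["block"].append((*change, f"{attr} changed on {per_attr[attr]} of {rows} rows"))
        elif attr == RECORD and new == "missing":
            verdict["approve"].append((*change, "row vanished from feed; never auto-deprovision"))
        elif attr in ENTERPRISE or attr == RECORD:
            verdict["approve"].append((*change, "enterprise attribute; data guardian sign-off"))
        elif attr in LOCAL:
            verdict["apply"].append((*change, "HR-owned attribute"))
        else:
            verdict["approve"].append((*change, "unclassified attribute; review by default"))
    verdict["batch_ok"] = not verdict["block"]
    return verdict


if __name__ == "__main__":
    v = govern(PREVIOUS_EXTRACT, CURRENT_EXTRACT)
    for bucket in ("apply", "approve", "block"):
        for item in v[bucket]:
            print(bucket, item)
    print("batch_ok:", v["batch_ok"])
```

A row that vanishes from the feed is routed to approval rather than applied: a truncated extract would otherwise deprovision everyone it omitted, which is the outage the deck warns about.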

Page 47: Scope Creep

• Especially with provisioning projects (and also large scale SSO) scope creep can be deadly

• The benefits are sold before the project has gotten the infrastructure and business processes in place

Page 48: Politics

• Identity projects are full of this!

• It usually crosses over most departments and business units

• Choose your initial rollout carefully

• Requires strong senior management support

Page 49: Questions

• I'd like to come back and talk about malware and identities but that's another topic

• So, what questions do you have?

Page 50: Contact Information

• Guy Huntington

• www.authenticationworld.com

• [email protected]

• Cell: 604-861-6804

• Office: 604-921-6797