Large Project Identity Management
Guy Huntington, President, Huntington Ventures Ltd.
May 9, 2007


2 Agenda
Next 20 minutes I'm going to cover the following:
–Large scale identity projects
–Common pitfalls

3 Who Am I?
Guy Huntington
Been the lead consultant on numerous large, complicated Fortune 500 identity projects
I am currently releasing security awareness training products

4 Why Am I Here?
I was sitting at a lunch beside Joost who asked me what I did
After telling him, he asked me if I'd be interested in speaking about my experiences
I said I would and now…here I am!

5 My Identity Experience
Boeing single sign on
Capital One identity architecture
Capital One single sign on
Capital One SarBox provisioning
Kaiser Permanente WSSO review
Potash Corp identity architecture

6 Boeing
2001
3 million users
1,500 web applications
Multiple identity sources
15 different business units each with their own CIO

7 Boeing
Many different methods of authentication
–AD and Sun directories (uid and password)
–RACF
–Proximity badges
–Digital certs

8 Boeing
RBAC system for airline customers with over 700 roles with complex multi-relationships
They ran every kind of computing platform known to mankind
–AIX, HP-UX, Solaris, Linux and Windows to name a few

9 Boeing
Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc.
They also had five separate portal projects each using different portal vendors

10 Boeing
Lots of problems
–No integrated deployment team
–No ranking system of authentication strength
–No one manager in charge of the program
–No factory model for integrating 1,500 applications

11 Boeing
Lots of problems
–No substantial project documentation
–No change management process in place for the project

12 Boeing
Lots of problems
–Not enough test servers
–Too many promises to quickly deploy without the wherewithal to deliver
–No transition plan to move away from expensive consultants to Boeing staff
–Not enough budget

13 What Did I Do?
I took over the project
I re-scoped the project and cut down the deliverables for the next 6 months
I re-budgeted the project
I re-staffed the project
I moved the project office
I found over 40 additional servers to use as a test environment

14 What Did I Do?
I got the long term Boeing program manager involved
I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution

15 What Did I Do?
I put a person in charge of integrating with the Boeing customized proxy servers
I staffed up the project with Boeing people to begin a training and transition process

16 What Did I Do?
I put a person in charge of integrating with the Boeing RBAC for commercial airlines
I created daily team meetings
AND THEN…we worked like hell for six months!

17 What Did I Do?
I implemented a change management process
I implemented an SSO governance process
I left the project under a successful rollout
Today, they have integrated approximately 1,500 applications

18 What Did I Do?
I also laid in place the groundwork for one of the first large scale SAML rollouts
After I left, the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers

19 Capital One
Large credit card company and bank
Operate call centers all over the world
When I appeared they had no identity architecture

20 Cap One Identity Architecture
No global uid
No authoritative sources for contractors, consultants, temps
>70,000 identities in the directory nobody knew if they were current or not
The directory team was being shredded at the time I showed up

21 What Did I Do?
Got emergency money to support the directory team and re-org'd them
Began discussions with HR on accepting contractors and consultants into PeopleSoft
Created a global uid
Then began internal battles to get the global uid implemented

22 What Did I Do?
Also recommended changes to the directory DIT and schema
Created an identity architecture
Wrote lots of white papers explaining how an identity management system would benefit them

23 Cap One SSO
It was a disaster when I showed up
2nd effort to deploy it
The CIO was giving them ten weeks to deploy or else heads would roll
The project was a subset of a portal project

24 Cap One SSO
The project manager and team had no idea of how to deploy SSO
I also believed the SSO product wouldn't work

25 What Did I Do?
I took over the project
I fought the team
I put the project back into proof of concept mode
I then proved over three weeks that the product wouldn't work
This led to lots of discussions!

26 What Did I Do?
I got the vendor to redesign the product
I then got the team to rethink their deployment
I organized daily meetings
I got the project successfully rolled out on time while the portal project was delayed

27 Cap One SarBox
I went back to Capital One to look after six mini identity projects
On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble

28 Cap One SarBox
Problems
–4 staff
–No product chosen
–They were reengineering the business processes for 57 financial applications for 30,000 workers!

29 Cap One SarBox
Problems
–No one was working on the business processes!
–They had five months to deliver or the auditors were refusing to sign their financials!
–I believed the Board was going to get very interested in this project

30 What Did I Do?
I ended up taking over the project
I replaced the project manager
I got over 20 people assigned to the project
I started daily team meetings

31 What Did I Do?
I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses
I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc.
We rolled out successfully!

32 Federated Identities
Just a footnote that I also got a SAML pilot going while the provisioning project was underway

33 Kaiser Permanente
Largest healthcare provider in the US
I led a complete review of their existing web single sign on system
I found lots of problems

34 K.P. Problems
There were no data guardian processes
They had no high availability systems
They had a poor disaster recovery process

35 K.P. Problems
They had no monitoring specifications
They didn't have enough staff
They didn't have a single sign on factory model in place to suck up applications and SSO enable them

36 What Did I Do?
Recommended a new target architecture
Recommended high availability and hot disaster recovery
Recommended monitoring specifications

37 What Did I Do?
Recommended staff reorgs
Recommended single sign on factory
Recommended data monitoring
Recommended change management processes
Recommended maintenance budgets

38 Potash Corporation
I was brought in to recommend an identity architecture for them
They had three businesses
They wanted to move off of NT

39 My Discovery
I found that they were doing some web services with their customers but it wasn't scalable and I had some security concerns
I found there was no authoritative source for contractors and consultants
I mapped out on- and off-boarding for employees, contractors, consultants and temps

40 What Did I Do?
I gave them an Identity Roadmap
I recommended a directory DIT and schema
I recommended an authoritative source for contractors
I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services

41 Comments
Identity projects are complicated, especially if the project is large and under tight timelines
Most enterprises don't have good authoritative sources for non-employees
–This is changing but I still find this to be the weak area in most projects

42 Comments
Most projects are already drinking the Kool-aid before they've figured out exactly what's involved in making the Kool-aid first
–I have seen provisioning projects go to the Board for review since they were so badly over budget
–Cost the CIO and Director of Security their jobs

43 Comments
Most identity projects don't have good disaster recovery and high availability
This is always played down when the projects are starting out
I tell them that the CEO will get involved if the system goes down

44 Comments
They usually ignore me
Several months later I get a call telling me I was right about the CEO calling
Then they find money and resources to put in a high availability and instant disaster recovery system

45 Comments
Enterprise identity data governance is usually poor
HR usually makes data changes without thinking of the effects throughout the enterprise systems
I have personally seen this cause the SSO systems to fail

46 Comments
Enterprises need identity management governance processes for those identity attributes which are deemed enterprise

47 Scope Creep
Especially with provisioning projects (and also large scale SSO) scope creep can be deadly
The benefits are sold before the project has gotten the infrastructure and business processes in place

48 Politics
Identity projects are full of this!
It usually crosses over most departments and business units
Choose your initial rollout carefully
Requires strong senior management support

49 Questions
I'd like to come back and talk about malware and identities but that's another topic
So, what questions do you have?

50 Contact Information
Guy Huntington
www.authenticationworld.com
Guy.huntington@authenticationworld.com
Cell: 604-861-6804
Office: 604-921-6797

