Talk on Identity Federation: Lessons from the Trenches presented at the EEMA conference, London, June 9th 2010. Zach Sachen and I share our experiences on implementing a full fledged ID Federation solution.
Handwritten Text Recognition for manuscripts and early printed texts
Identity Federation for the Enterprise: Lessons Learned
1. Identity Federation: Lessons From the Trenches Nalneesh Gaur Principal and Chief Security Architect Nalneesh.Gaur@diamondconsultants.com Mobile – 214 649 1261 Zach Sachen Principal Zachary.Sachen@diamondconsultants.com Mobile – 541 782 8463 Jun 9th | 13:45 – 14:15
2. Our Journey What problem did we solve? How did we do it? What did we learn? What did we do?
14. Federated ID Solution Components How did we do it? While additional Components are conceivable, these four components are fundamental to every ID Federation solution
15. Architecture How did we do it? Architecture is influenced by: Communities Trust Relationships Entitlements
16. Process and Policy How did we do it? Policy, Standards and Guidelines Process & Technology Administration Self Service Reporting Management Enforcement Architecture Review Policy Legal Provisioning & Entitlement
17. Applications How did we do it? Classification Framework Many factors determine effort to federate an application, we have found two major factors: 1) native federationsupport 2) level of customization IV III Non- Native(e.g. local authn.) High Effort Medium Effort Federation Support I II Native (e.g. SAML) Low/Medium Effort Low Effort COTS Custom Level of Customization 1 – There are technologies which can deliver “virtual federation” in a relatively easy manner – e.g. Citrix and Microsoft product combinations
18. User Experience How did we do it? Setting the Vision Setting Expectations Self-service Training Solution Support
25. How to position Identity Federation as a catalyst for strong authentication?
26. Should business leverage ID Federation as the spring board to get on the social media bandwagon?
Hinweis der Redaktion
Nalneesh opens w/ self intro, then Zach self intros and covers next slide
ZachOur client recently rolled out <we are in the process of doing this for one app/technology - e.g. for an alliance team site; just didn’t want to over state> an Identity Federation(IdF) solution across their enterprise. While, the (IdF)vision of outsourced Identity Management is real, success requires vision, perseverance, and disciplined execution. The major steps to realize success include an understanding across four areas: Users, Business Architecture (policy and process), Infrastructure, and Applications. <include descriptions of each below - see prior decks for the descriptions>Developing an Architecture that align with the Corporate business and Information Security goalsPlanning the role out by carefully selecting and sequencing the applications that lend themselves to federation both inside and outside the enterpriseLaunching a pilot that tests both the technology and process implications of the solutionIn this talk we will share our experiences regarding building momentum, designing, and realizing Federated Identity. We will use our experience at large organizations (e.g. federal government agency and large pharmaceutical company) as a backdrop. We expect the audience to be able to apply these insights in their own environments.*** Important to let the audience know that the this talk is not about various protocols and technology standards such as SAML, WS-Federation, Microsoft’s roadmap. We however did leverage experts in our journey and the knowledge is incredibly useful ***
Nalneeshtalk about success measures when talking about benefits/promiseImproved ComplianceSafe Harbor, PII, HIPAA, etc.Improved Securitymultiple options from identity providers – e.g. OTP with Blackberry/cell,securID, etc.Improved Collaboration / User Experienceseamless access and authorization in the cloudmore up front, pays dividends in long runBetter User Experiencefaster, less clicks, self-serviceeSignaturesEconomies of ScaleMetcalf’s network law – the more that join the more valuable it will bevolume discounts with providerssupport modelCost Savingsde/provisioning, resets, troubleshootingreused credentials
NalneeshDescribe the three scenarios and tie it to pain points and promise
NalneeshProvide overview of the the four components and why the components were important to our constituents
NalneeshDiscuss architecture layers
NalneeshProvide OverviewYou will notice alignment with the Delivery/Operations diagram Nalneesh coveredPolicies, Standards and Guidelines drive the processes and technologies.For policies, be prepared to deal with how policies get defined – contracts, policies, the second key factor here is about rationalizing conflicting policiesProcess and technologis focus on how identities are provisioned and entitled, how policies are enforced on those identities and the operational aspects of those identitiesWe list 6 process and technology areas that must be dealt with in the IDF solutionWe introduce the top down view late in the presentation to emphasize that the top down view could lead you to believe that one must always start with policies. The reality however is different as we cover in the implementation challenges as described on the next slide.
ZachAgain, FIDisn’t a silver bullet, and although you will have the ability to federate, you still need to federate your applications in a strategic way, and one big part of that is understanding the effort involved with each applicationAdditional Application Considerations:Policy/Regulation: data sensitivity: CFR 11, HIPAA, PIIUser characteristics:numberlocation languagesusage frequencyroles
ZachNotesWho do I call now? (provisioning, authn, authz)the identity provider’s processes and policiessetting expectations training providedself-servicesupport mechanisms and integration of support (IdP, SP, PM, et. al.)security approach – certificates, tokens, etc. vs. zero footprintnumber of touch points as a measure/metric of success
ZachSponsorshipexecutive levelMarketing/Educationpithy elevator statementsexecution teams ready?Great Expectationsa pilot is a no loss dealagree on bufferingExecutionsomeone has to be Mr. Incrediblehiccups, resourcesID Federation is expensive, but lets share with you what we would do differently, we should be prepared to share anecdotes here.As we know, flexibility lends itself to complexity, and without the right experts you won’t realize the benefits, and will have an even more uphill battleAssessment Phasebuild momentum / start the conversation - why this? why now? benefits?consider the audience and messaging – executives to “day to day”educate and involve others to create initialvision – think big, start smallPlanning Phaseuse pilots to build/maintain momentumconsider partner (IdP, SP, et. al.) needs and availabilitydon’t repeat mistakes - leverage your networkset realistic expectations - align with culture; scope, schedule, budget, returnsconsider alignment with existing initiativesExecution Phaseconduct pre-execution phase readiness test – budgets and people in place?communicate frequently – is it real?provide perspective – failure isn’t always a “bad thing”have a plan B – what if...ID Federation benefits can be measured both from a user and business perspectiveUnderstand the investment philosophy and approach up frontUse experiments / pilots to learn and mitigate riskDo your homework – understand your industry and vendorsSignup champions and market ID Federation as a business enablerPersevere to succeed!
ZachLeave the audience with some thought provoking questions and open up the call for questions
