-Common pitfalls in IAM-projects -What to considered up front (IdM readiness check) -A methodological approach

1. Common pitfalls in IAM-projects
Kim Westerlund, Nixu
10.12.2009 Turku
Aug-13-10 © Nixu 2009

2. Agenda 9:00-10:30
1. Considerations for IAM-project planning
2. How to map IAM product capabilities with real
life use cases
Aug-13-10 © Nixu 2009
Sorry, some recycled slides are in Finnish

3. Kim Westerlund Verkot & Tietoturva –konferenssissa 2006:
(Ajatuksia lainattu Mark Dixonilta)

4. It’s a journey…
1. Kick off the learning process
2. Get and keep sponsorship
3. Get value consensus early
4. Manage ambitions
5. Partition, sequence, conquer
6. Understand current processes
7. Offer design choices
8. Plan processes and governance
9. Deploy with clean data

5. To be considered up front (identity
management readiness check)
 Are these normal project initialization questions
for you?
 What do you want to achieve with the IdM-program,
and why?
 What processes should your IdM-program touch?
 Do you have defined owners for systems that are
involved?
 Do we really have time for such a demanding project?
 Do we understand how the resulting IdM-service will
affect our data architecture?
 Do we have the money (license fees could be less
that 30% of the total investment)?
Aug-13-10 © Nixu 2009

6. Look for REAL (business) drivers
that reflects your situation
These could
be headlines,
not the content
itself!!!
Aug-13-10 © Nixu 2009 … you will need them later

7. Example Business capability flows
Operating drivers Business capabilities Functional impact
Complete, unique, Less incremental
Faster time to
current, stable cost
benefit on mergers
accessible identity
data Earlier operational
Business process efficiency
Automated user response to market
provisioning changes Retained assets
and trust
Shared Secure business
processes Points of
authentication
administration
services
eliminated
Cost efficiencies
Delegated user freeing staff and Fewer, faster, less
management cash skilled help desk
incidents
User self-
Internet age
registration Better reputation
services

8. Select a methodological approach…
…like ”JHS165: Tietojärjestelmien vaatimusten määrittely osana
järjestelmän hankintaa”

9. An agile approach
1. Write user stories
http://en.wikipedia.org/wiki/User_story
2. Define use cases of strategic functionalities
http://en.wikipedia.org/wiki/Use_case
3. Illustrate the functionality with wire frame
models
4. Define 3 months phases with useful deliverables
that show real value to your organization
… you will need them later

10. Identity and Access Management as a real
business solution

11. A holistic approach to identity management
services is an elephant
Employees Students Partners
• Policy • Policy • Policy
Manageme
Solution
Access
• Technology • Technology • Technology
nt
• Processes • Processes • Processes
• Services • Services • Services
• Interfaces • Interfaces • Interfaces
• Policy • Policy • Policy
Manageme
Solution
• Technology • Technology • Technology
Identity
• Processes • Processes • Processes
nt
• Services • Services • Services
• Interfaces • Interfaces • Interfaces
• Policy • Policy • Policy
User Data
Solution
• Technology • Technology • Technology
Stores
• Services • Services • Services
SSO SSO SSO

12. Slicing the elephant into pieces (example1):
Focus on student on boarding and termination processes with
automation to some select applications.
Aug-13-10 © Nixu 2009

13. Slicing the elephant into pieces (example2):
Enable a better user experience and a architectural building
block for renewable application with WebSSO.
Aug-13-10 © Nixu 2009

14. Use a proven methodological approach
– start with a pre-study project
Pre-study
03/13/09 © Nixu 2009

15. Define (feasibility study)
• Key planning factors of current
state
• Architecture guiding principles
• Building-block architecture
• Technology recommendations
• Business value
communications
• High level roadmap
• Key stakeholders

16. Sequencing the work – what first
 Early business value
 High benefit to cost
 High benefit to risk
 Greatest testimonial impact
 Friendly or captive client
 Critical mass necessity
Operational Security
efficiency
Cost Risks
Aug-13-10 © Nixu 2009

17. Inspect what is the cost of doing
nothing…
 Hidden costs due to redundant work
 Cost due to delays in getting access
 Checks, fixes and reporting costs
 System implementation projects re-
inventing the wheel
 Technology itself doesn’t generate benefits
 Technology is involved in implementing
new processes

18. Optimal IAM Project Methodology
• Focussed on;
• People and Processes,
• Business Benefits,
• Requirements and use cases,
• Risk Management
• Producticed approach

19. The waterfall model
The proposed project
Requir
Imple Verific Mainte
ement Design
ment ation nance
s
http://en.wikipedia.org/wiki/
Big_Design_Up_Front
The waterfall model is argued by many to be a bad idea in practice.
This is mainly because of their belief that it is impossible for any non-trivial project to
get one phase of a software product's lifecycle perfected, before moving on to the next
Aug-13-10 © Nixu 2009 phases and learning from them.

20. … and what’s sometimes
forgotten
Roadma Role Support
p Commun
mining & model ication
Current develop- modellin Process
state ment g alignmen Change
Roadma
study t New manage
Data p
Overall processe ment executio
clensing
architec- s n
ture impleme
Aug-13-10 © Nixu 2009
ntation

21. Problems with public procurement
 You should know in advance what you want
 Customer responsibilities are usually not defined
in the call for bids
– Vendors estimate (misjudges) these differently –
proposals aren’t comparable
 The Desing phase could and should change the
desired state  minimize desing upfront by defining only
functional requirements and only some non-functional reqs.
 Fixed fee IAM-projects seldom work for the best
and may lead to a lose-lose result
Aug-13-10 © Nixu 2009

22. It’s a journey; remember to…
1. Kick off the learning process
2. Get and keep sponsorship
3. Get value consensus early
4. Manage ambitions
5. Partition, sequence, conquer
6. Understand current processes
7. Offer design choices
8. Plan processes and governance
9. Deploy with clean data

23. How to map IAM product capabilities with
real life use cases
Aug-13-10 © Nixu 2009

24. It’s too hard to pick the right IAM-products
by mapping features to your needs
Product solutions per area
Identity Management Web Access Federated Single Sign-
management On
 Oracle Identity Manager
 IBM Tivoli Identity Manager  Sun Access Manager  Almost every access
 Sun Identity Manager  Oracle Access Manager management vendor
 CA Identity Manager  EMC/RSA Access Manger  PingIdentity
 BMC User Administration and  CA Siteminder access  Symlabs
Provisioning manager  OSS: OpenSAML, SourceID,
 SAP NetWeaver Identity  Novell Access Manager SimpleSAML
Management  BMC Access Management
 Novell Identity manager  IBM Tivoli Access Manager
 Omada Identity Manager  Entrust GetAccess
 Microsoft Forefron Identity  Ubisecure Ubilogin
Manager  Fujitsu mPollux
 Propentus Permission  OSS: OpenSSO, JOSSO,
Manager Pubcookie, WebAuth, JASIG
 OSS: Velo, Ganymede CAS

25. Selecting the right products
 DO NOT MAKE THE SELECTION BEFORE YOU KNOW
WHAT YOU WANT
 Do not think about the suite if it’s not about the product
price
 Choose it based on real use cases, not product features
 Define minimal tailored functionality that you want be
supported by the vendor.
– Most of your desires are “can do, but it will cost you big bucks”
– Try simplifying processes – it’s anyway cheaper
– Requires open discussion with the vendor –
“neuvottelumenettely” read JHS167
http://www.jhs-suositukset.fi/suomi/jhs167
IT DOESN’T COMP
 Consider also post-implementation processes
Aug-13-10 © Nixu 2009

26. kim.westerlund@nixu.com
040 5123 125

27. Thank you, kiitos, tack
Nixu Oy
P.O. Box 39 (Keilaranta 15)
FI-02150 Espoo
Finland
Tel +358 9 478 1011
Aug-13-10 © Nixu 2009

28. Nixu IdM feasibility study deliverables (fi or en)
Deliverable Purpose
Work plan Project plan for pre-study phase
Work shop presentations Executive summary and supporting graphics
Identity management Helps to understand the Identity and Access Management concept and “speak the same
glossary language”.
Business overview with Describes the business as-is and to-be situation. The business environment with partner
business flows and customer network material flows between the unit and other parties. Explains the roles
description of parties in the process. Volumes of flows are attached. Business requirements are linked
to the business flows
Requirements Understand and document the key requirements to be covered
• Business requirements (e.g. KPIs, critical functionalty)
• Process & organisation requirements (usability, language, resource reqeuirements)
• Performance requirements (speed, volumes)
• System requirements (integration)
• Technical requirements (infrastructure and environments)
• Data requirements
• General project requirements e.g. schedule, resources, other
Main requirements are recorded and prioritized on the issue site latest when project is
approved.
Solution architecture/ Description of in scope modules and components, remaining and replaced systems and
Solution Match required integration
Initial fit/gap list and open issues that need to be clarified
Business case Business case calculating espected costs/benefits from the project
Management material Summarizes findings of feasibility study. Answers the questions: ”why should the project be
implemented?” ”What should be implemented?” How and when and on what terms is it
possible? ” What are the risks and constraints?”. Decision to start project can be made.
© Nixu 2009