TRANSCRIPT
Identity and Access Management Town Hall
February 10, 2014 Monday 10:00AM-12:00PM 6 Story Street
Agenda
• Team News (Jason)
• Recent Accomplishments (Jane/Magnus)
• Program Plan (Erica/Jason)
• Project Methodology (Ann)
• Upcoming Project Milestones (Ann)
• IAM HUIT Website (Greg)
• Hiring Update (Jason)
• Questions and Answers (All)
Team News
• There is greatness among us!
– Congratulations to Joe Hardin on your well-deserved HUIT Cup win!
• We’ve been busy creating IAM Program awareness!
– First iteration of the IAM Program Plan complete!
– Successful IAM Executive Leadership meeting on 1/28/13
– Program budget and resource requests have been approved.
– CIO Council update for IAM to take place today.
• We created a monthly dashboard for the Executive Committee
• We are creating an IAM Community Plan
– Provides an approach for keeping Harvard schools and departments, as well as other higher education institutions, involved
• We are looking to introduce a Program CRM solution to assist us in tracking our involvement with partners
Recent Accomplishments
• Auth-LDAP release deployed to Production without issue!
– Lessons learned to be gathered to assist with future process changes and release planning.
• DM Sailpoint Identity Cubes built (and built, and built…)
– Further performance tuning is in process
• Connections deployed to the Cloud!
• Working test repository created to enable efficient reuse of test data
• Working Puppet setup of our standard architecture for web apps (Apache/Tomcat) used in development.
• On-boarding of additional SPs (e.g., ServiceNow)
Program Plan - Overview
• What is a Program Plan?
– High-level, governing document for all facets of IAM Program:
• Program Goals
• Team Structure
• Governance Structure
• Planning Approach
• Implementation Roadmap
• Communication/Partner Engagement
– Capture User Benefits
• End users
• Application Owners
• People Administrators
– Date-driven, not scope-driven, deliverables
Program Plan (cont.)
• Four IAM Program Tenets will:
– Simplify the User Experience
• Eliminate perceived complexities surrounding user identities.
– Enable Research and Collaboration
• Enable students and faculty to share information and work across School boundaries leveraging authentication standards and federation.
– Protect University Resources
• Protect sensitive information and data.
• Meet audit and regulatory requirements.
– Facilitate Technology Innovation
• Enable HUIT-wide strategic initiatives (SIS, UC)
• Cloud
Program Plan - Implementation Approach
The IAM Program will be implemented in accordance with the four strategic objectives, and work will be managed as a portfolio of eleven projects:
Program Plan - Deliverable Roadmap
• Review of the IAM Program Deliverables Roadmap (Hand-out)
• Review of the IAM Release Benefit Roadmap (Hand-out)
• Review of the One Way Federation One Pager (Hand-out)
Project Management Methodology
• Implementing expanded PM Approach
– Keep everything that works well
– Add structure where needed
Project Management Methodology Cont.
– Formalize additional phases of the releases
• Planning & Analysis Phase
• Development Phase
• Release/Go-Live
• Support/Maintenance
– Adjust JIRA structure to mirror Program Plan to allow for reporting
• Releases: Epics
• Deployments: Versions
– Release Documents on Confluence
• Project Charter
• Go-Live Playbook
• Release Plan
Project Management Methodology Cont.
– Project Management Plan draft due on 2/14/14
– Pilot Release to “kick off” on 2/28/14
Release Milestones
(Timeline figure; milestone dates as labelled in the chart, listed in the order they appear.)
• 5/1: Read-Only Connectors & Cube Aggregation in Prod
• 6/30: Claims; SPAC Tool; AD Provisioning
• 4/1: Prod Release
• 6/15: Extended Base Attribs in Prod
• 10/31: Attribs & SAML Profiles Provided to Harvard
• 6/15: Gap Analysis, Backlog Written
• 12/1: All Changes Complete
• 3/31: HU LDAP DNS Flip
• 4/1: View for UUID in Prod
• 6/30: Backlog for UUID Web Svc.
• 4/15: Launch for Internal Use
• 6/30: Wide Roll-Out
• 5/31: Plan for Adding other OWF Partners
• 9/30: Onboarding Wave 1
• 1/31: Onboarding Wave 2
• 7/1: Sized Backlog
• 3/31: Implement Reference Model: Dev
• 6/30: Implement Reference Model: Prod
• 3/31: Replacement in Prod (in Cloud)
• 3/31: Replacement in Prod (in Cloud)
• 6/30: Align with Reference Model
• 4/15: Complete Planning Phase
• 6/1: Test Dev Version
• 9/30: Deploy to Prod
• 2/28: Define 4 KPIs
• 2/13: V1 Website Live
• 3/15: Communication Specialist Hired
HUIT Website - IAM
• New IAM External Website to “go-live” on 2/13/14.
– http://projects.iq.harvard.edu/iam
• Call for content!
– Ideas and submissions for content entries
– IAM topics to be spotlighted
– Plans for group videos
– Photo submission
Hiring Update
• Interim Community Manager Position filled
– Welcome, Steve King!
• Senior Cloud Engineer selected
– Conditional Offer extended to candidate with expected start date on 2/18/14.
• Wave 1 Positions are Open!
– Software Engineer
– Senior Database Developer
– Lead Software Engineer ($1,000 referral bonus eligible)
– Community Program Manager
– Directory Architect
– Quality Assurance Engineer
– Solutions Architect
– Communications and Reporting Specialist
Questions and Answers?
Supporting Materials
Appendix A: IAM Accomplishments to Date
Simplify the User Experience
• Selected and purchased a new identity creation toolset that will lead to improved onboarding experience for all users.
• Implemented a new Central Authentication Service for faster, flexible deployment of applications across the University.
• Implemented One-Way Federation with the Harvard Medical School to prove the concept that users can select the credentials they would like to use to access services.
• Implemented Provisioning improvements to set the foundation for the expansion of cloud services, support Active Directory consolidation, and email migrations.
• Integrated a new ID Card Application into IAM that enables the University to handle large-scale replacement of expired cards.
Enable Research and Collaboration
• Joined InCommon Federation and enabled authorized Harvard users to access protected resources at HathiTrust.
• Enabled access to a planning tool that Harvard researchers can use to assist with compliance of funding requirements specific to grants (e.g., NSF, NIH, Gordon and Betty Moore Foundation).
Protect University Resources
• Proposed a new Password Policy to the HUIT Security Organization to standardize password strength and expiration requirements for the University.
• Drafted a Cloud Security Architecture with the HUIT Security Organization to provide Level 4 security assurance for application deployments within Amazon Web Services.
• Refreshed the AUTH LDAP software and infrastructure to current, supported versions.
Facilitate Technology Innovation
• Created a conceptual architecture for IAM Services to be deployed within Amazon's offsite hosting facilities.
Appendix B - IAM Business Need
(Table: Stakeholder / Experience Today / Imagine If... / Program Benefit)
Faculty and Staff
Experience Today:
• Faculty and staff use different user names and credentials to access applications and data both internal and external to the University.
• Manual, paper-based process for sponsoring and managing user accounts.
• Faculty and staff have no access or are forced to register for accounts to access external sites.
Imagine If...:
• Faculty and staff could access information and perform research across schools and with other institutions without having to use several sets of credentials.
• Faculty and staff could manage their own accounts and sponsor others through a centralized web application.
Program Benefit:
• Simplify Account Management
• Increase Self-Service
• Expand Access to Resources
Students
Experience Today:
• Students use different user names and credentials to access applications that cross school boundaries.
• The identity of a student is not consistent throughout the identity lifecycle from acceptance to alumni, resulting in interrupted access to services and resources.
Imagine If...:
• Students could choose to use their home school credentials to log in to applications across the University.
• Students could keep using the same set of credentials after they graduate.
Program Benefit:
• Allow Choice of Credentials
• Ensure Continuity of Identity
Technical Staff
Experience Today:
• Reliance on manual user management poses a security risk.
• Application teams have difficulty integrating identity and access management into their solutions, creating long implementation timelines and higher costs.
Imagine If...:
• Automated provisioning reduces the burden on IT staff and increases the security posture of the University.
• Application teams can easily integrate Harvard users with internal and external applications.
Program Benefit:
• Simplify Application Set-up and Administration
External Users
Experience Today:
• External users, such as researchers from other higher education institutions, must obtain a Harvard credential and password to access resources.
Imagine If...:
• External users can access Harvard applications using credentials native to their home institution.
Program Benefit:
• Reduce Manual Process for Guest Membership
Appendix C - IAM Vision
The Vision for Identity and Access Management (IAM)
Provide secure access to applications that is easy for the user, application owner, and IT administrative staff with solutions that require fewer login credentials, enable collaboration across Harvard and beyond, and improve security and auditing.
Strategic Objectives
1. Simplify the User Experience
“Simplify and improve user access to applications and information inside and outside of the University.”
2. Enable Research and Collaboration
“Simplify the ability for faculty, staff, and students to perform research and collaboration within the University and with colleagues from other institutions.”
3. Protect University Resources
“Improve the security stature of the University with a standard approach.”
4. Facilitate Technology Innovation
“Establish a strong foundation for IAM to enable user access regardless of new and/or disruptive technologies.”
Guiding Principles
● Harvard Community needs will drive the technology supporting the Identity and Access Management Program
● Tactical project planning will remain aligned with the Program strategic objectives
● Solution design should allow for other Schools to use the foundational to communicate with the IAM system in a consistent, federated fashion
● Communication and socialization of the program are critical to its success
Key Performance Indicators
• The number of help desk requests that relate to account management per month.
• The number of registered production applications that use the IAM system per month.
• The number of user logins and access requests through the IAM system per month.
• The number of production systems that the IAM system provisions to per month.