Large Project Identity Management
Guy Huntington, President
Huntington Ventures Ltd.
www.authenticationworld.com
May 9, 2007
Agenda
• Next 20 minutes I’m going to cover the following:
– Large scale identity projects
– Common pitfalls
Who Am I?
• Guy Huntington
• Been the lead consultant on numerous large, complicated Fortune 500 identity projects
• I am currently releasing security awareness training products
Why Am I Here?
• I was sitting at a lunch beside Joost who asked me what I did
• After telling him, he asked me if I’d be interested in speaking about my experiences
• I said I would and now…here I am!
My Identity Experience
• Boeing single sign on
• Capital One identity architecture
• Capital One single sign on
• Capital One SarBox provisioning
• Kaiser Permanente WSSO review
• Potash Corp identity architecture
Boeing
• 2001
• 3 million users
• 1,500 web applications
• Multiple identity sources
• 15 different business units each with their own CIO
Boeing
• Many different methods of authentication
– AD and Sun directories (uid and password)
– RACF
– Proximity badges
– Digital certs
Boeing
• RBAC system for airline customers with over 700 roles with complex multi-relationships
• They ran every kind of computing platform known to mankind
– AIX, HP-UX, Solaris, Linux and Windows to name a few
Boeing
• Lots and lots of home-grown applications, proxy servers, etc. in addition to commercial apps like PeopleSoft, etc.
• They also had five separate portal projects each using different portal vendors
Boeing
• Lots of problems
– No integrated deployment team
– No ranking system of authentication strength
– No one manager in charge of the program
– No factory model for integrating 1,500 applications
Boeing
• Lots of problems
– No substantial project documentation
– No change management process in place for the project
Boeing
• Lots of problems
– Not enough test servers
– Too many promises to quickly deploy without the wherewithal to deliver
– No transition plan to move away from expensive consultants to Boeing staff
– Not enough budget
What Did I Do?
• I took over the project
• I re-scoped the project and cut down the deliverables for the next 6 months
• I re-budgeted the project
• I re-staffed the project
• I moved the project office
• I found over 40 additional servers to use as a test environment
What Did I Do?
• I got the long term Boeing program manager involved
• I started up mini-teams to focus on specific areas including things like documentation, change management, SSO factory model, testing, authentication strength, problem resolution
What Did I Do?
• I put a person in charge of integrating with the Boeing customized proxy servers
• I staffed up the project with Boeing people to begin a training and transition process
What Did I Do?
• I put a person in charge of integrating with the Boeing RBAC for commercial airlines
• I created daily team meetings
• AND THEN…we worked like hell for six months!
What Did I Do?
• I implemented a change management process
• I implemented a SSO governance process
• I left the project under a successful rollout
• Today, they have integrated approximately 1,500 applications
What Did I Do?
• I also laid in place the groundwork for one of the first large scale SAML rollouts
• After I left the team successfully deployed it with Southwest Airlines and then rolled it out to all commercial airline customers
Capital One
• Large credit card company and bank
• Operate call centers all over the world
• When I appeared they had no identity architecture
Cap One Identity Architecture
• No global uid
• No authoritative sources for contractors, consultants, temps
• >70,000 identities in the directory and nobody knew if they were current or not
• The directory team was being shredded at the time I showed up
What Did I Do?
• Got emergency money to support the directory team and re-org’d them
• Began discussions with HR on accepting contractors and consultants into PeopleSoft
• Created a global uid
• Then began internal battles to get the global uid implemented
What Did I Do?
• Also recommended changes to the directory DIT and schema
• Created an identity architecture
• Wrote lots of white papers explaining how an identity management system would benefit them
Cap One SSO
• It was a disaster when I showed up
• 2nd effort to deploy it
• The CIO was giving them ten weeks to deploy or else heads would roll
• The project was a subset of a portal project
Cap One SSO
• The project manager and team had no idea of how to deploy SSO
• I also believed the SSO product wouldn’t work
What Did I Do?
• I took over the project
• I fought the team
• I put the project back into proof of concept mode
• I then proved over three weeks that the product wouldn’t work
• This led to lots of discussions!
What Did I Do?
• I got the vendor to redesign the product
• I then got the team to rethink their deployment
• I organized daily meetings
• I got the project successfully rolled out on time while the portal project delayed
Cap One SarBox
• I went back to Capital One to look after six mini identity projects
• On my second day there I wrote a memo to the senior management telling them that their SarBox project was in deep trouble
Cap One SarBox
• Problems
– 4 staff
– No product chosen
– They were reengineering the business processes for 57 financial applications for 30,000 workers!
Cap One SarBox
• Problems
– No one was working on the business processes!
– They had five months to deliver or the auditors were refusing to sign their financials!
– I believed the Board was going to get very interested in this project
What Did I Do?
• I ended up taking over the project
• I replaced the project manager
• I got over 20 people assigned to the project
• I started daily team meetings
What Did I Do?
• I then got a data cleanup team in place to take care of the >70,000 unknown identity statuses
• I then raced ahead of the team and talked to the business customers, got infrastructure in place, got disaster plans and high availability in place, etc.
• We rolled out successfully!
Federated Identities
• Just a footnote that I also got a SAML pilot going while the provisioning project was underway
Kaiser Permanente
• Largest healthcare provider in the US
• I led a complete review of their existing web single sign on system
• I found lots of problems
K.P. Problems
• There were no data guardian processes
• They had no high availability systems
• They had a poor disaster recovery process
K.P. Problems
• They had no monitoring specifications
• They didn’t have enough staff
• They didn’t have a single sign on factory model in place to suck up applications and SSO enable them
What Did I Do?
• Recommended a new target architecture
• Recommended high availability and hot disaster recovery
• Recommended monitoring specifications
What Did I Do?
• Recommended staff reorgs
• Recommended single sign on factory
• Recommended data monitoring
• Recommended change management processes
• Recommended maintenance budgets
Potash Corporation
• I was brought in to recommend an identity architecture for them
• They had three businesses
• They wanted to move off of NT
My Discovery
• I found that they were doing some web services with their customers but it wasn’t scalable and I had some security concerns
• I found there was no authoritative source for contractors and consultants
• I mapped out on and off-boarding for employees, contractors, consultants and temps
What Did I Do?
• I gave them an Identity Roadmap
• I recommended a directory DIT and schema
• I recommended an authoritative source for contractors
• I recommended a three year plan for implementing SSO, Provisioning, Federated Identities and web services
Comments
• Identity projects are complicated, especially if the project is large and under tight timelines
• Most enterprises don’t have good authoritative sources for non-employees
– This is changing but I still find this to be the weak area in most projects
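The two recurring data problems in these slides are a directory full of identities whose status nobody can vouch for (the >70,000 at Capital One) and identity types, such as contractors and temps, that have no authoritative source at all. The following is an added example, not code from the talk or from any of the companies named: a small reconciliation pass that checks each directory entry against the system that is supposed to own it and reports what a cleanup team would have to work through. The record layouts, field names (`employeeType`, `sourceId`, `accountEnabled`, `global_uid`) and the sample data are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data. Layouts and field names are assumptions, not any
# real HR or directory schema.
HR_RECORDS: Dict[str, dict] = {            # authoritative for employees
    "E1001": {"status": "active", "global_uid": "guid-0001"},
    "E1002": {"status": "terminated", "global_uid": "guid-0002"},
    "E1003": {"status": "active", "global_uid": "guid-0003"},
}
CONTRACTOR_RECORDS: Dict[str, dict] = {    # authoritative for contractors
    "C2001": {"status": "active", "global_uid": "guid-0101"},
}
# Which system owns each identity type. "temp" is deliberately absent,
# mirroring the gap the talk describes for non-employees.
AUTHORITATIVE_SOURCES: Dict[str, Dict[str, dict]] = {
    "employee": HR_RECORDS,
    "contractor": CONTRACTOR_RECORDS,
}
# Constructed directory export: one clean entry plus one of each defect.
DIRECTORY_ENTRIES: List[dict] = [
    {"uid": "guid-0001", "employeeType": "employee", "sourceId": "E1001", "accountEnabled": True},
    {"uid": "guid-0002", "employeeType": "employee", "sourceId": "E1002", "accountEnabled": True},
    {"uid": "guid-9003", "employeeType": "employee", "sourceId": "E1003", "accountEnabled": True},
    {"uid": "guid-0101", "employeeType": "contractor", "sourceId": "C2001", "accountEnabled": True},
    {"uid": "guid-0199", "employeeType": "contractor", "sourceId": None, "accountEnabled": True},
    {"uid": "guid-0300", "employeeType": "temp", "sourceId": "T3001", "accountEnabled": True},
]


@dataclass(frozen=True)
class Finding:
    uid: str      # the directory's global uid for the entry
    issue: str    # one of: no_authoritative_source, orphan, uid_mismatch, stale_enabled
    detail: str


def reconcile(directory: List[dict], sources: Dict[str, Dict[str, dict]]) -> List[Finding]:
    """Check every directory entry against the system that owns its identity type.

    An entry is clean only when its type has an owner, the owner has a matching
    record, the owner agrees on the global uid, and an enabled account is
    backed by an active record. Anything else becomes a Finding for the
    cleanup team (or for the people who have to create the missing source).
    """
    findings: List[Finding] = []
    for entry in directory:
        uid = entry["uid"]
        source = sources.get(entry["employeeType"])
        if source is None:
            findings.append(Finding(uid, "no_authoritative_source",
                                    f"no system owns type {entry['employeeType']!r}"))
            continue
        record = source.get(entry.get("sourceId") or "")
        if record is None:
            findings.append(Finding(uid, "orphan", "no matching record in authoritative source"))
        elif record["global_uid"] != uid:
            findings.append(Finding(uid, "uid_mismatch",
                                    f"source carries {record['global_uid']}"))
        elif record["status"] != "active" and entry["accountEnabled"]:
            findings.append(Finding(uid, "stale_enabled",
                                    f"account enabled but source status is {record['status']}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type; this is the number a project status report wants."""
    return dict(Counter(f.issue for f in findings))


if __name__ == "__main__":
    found = reconcile(DIRECTORY_ENTRIES, AUTHORITATIVE_SOURCES)
    for f in found:
        print(f"{f.uid}: {f.issue} ({f.detail})")
    print(summarize(found))
```

The `no_authoritative_source` bucket is the one that no amount of directory cleanup can close: it can only be resolved by giving that identity type an owning system, which is what the HR/PeopleSoft discussions for contractors and consultants were about.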
Comments
• Most projects are already drinking the Kool-aid before they’ve figured out exactly what’s involved in making the Kool-aid first
– I have seen provisioning projects go to the Board for review since they were so badly over budget
– Cost the CIO and Director of Security their jobs
Comments
• Most identity projects don’t have good disaster recovery and high availability
• This is always played down when the projects are starting out
• I tell them that the CEO will get involved if the system goes down
Comments
• They usually ignore me
• Several months later I get a call telling me I was right about the CEO calling
• Then they find money and resources to put in a high availability and instant disaster recovery system
Comments
• Enterprise identity data governance is usually poor
• HR usually makes data changes without thinking of the effects throughout the enterprise systems
• I have personally seen this cause the SSO systems to fail
Comments
• Enterprises need identity management governance processes for those identity attributes which are deemed “enterprise”
Scope Creep
• Especially with provisioning projects (and also large scale SSO) scope creep can be deadly
• The benefits are sold before the project has gotten the infrastructure and business processes in place
Politics
• Identity projects are full of this!
• It usually crosses over most departments and business units
• Choose your initial rollout carefully
• Requires strong senior management support
Questions
• I’d like to come back and talk about malware and identities but that’s another topic
• So, what questions do you have?
Contact Information
• Guy Huntington
• www.authenticationworld.com
• Cell: 604-861-6804
• Office: 604-921-6797