Business Case for Identity Management

1
(No Transcript)
2
Building a Business Case for Identity
Management
Mark Ford Jeremy Britton Deloitte.
Security Services
3

• Three Keys are Business Alignment, Executive
  Involvement, Proven Progress
• Get all aspects of your business involved
• Demonstrate ROI to Executives in language they
  understand and believe
• Become (or create) a hero that delivers real
  returns

4
Parts of Organization that are INVOLVED -- WHO
ARE YOU?

• Audit (security control and risk reduction)
• Financial Dept (cost savings / ROI)
• IT Infrastructure (efficiency and centralization)
• Network Manager (consolidation, single
  infrastructure, management)
• Support (ease of administration)
• Platform Owner (Reduced administration and single
  sign-on)
• Help Desk (Reduced calls)
• Application owner for SAP/JDE (Ease of use,
  integration, security)
• Strategy (platform and foundation for centralized
  services)
• Business Unit (Tactical requirements, improved
  security)

5

• What is Stopping YOU from Doing a Successful
  Identity Management Project?
• Lack of technology? Were Surrounded by Great
  Technology!
• Lack of BUDGET, BUY-IN, and PROVEN EXPERIENCE
• This is the same all over the world.
• Well show you how Deloitte helps clients get
  past the wiz-bang technology, and successfully
  implement Identity Management organizations
  throughout the US and around the world.
• Real Case Study
• Business Case
• Implementation Plan
• Using an ROI Tool
• ID Accelerator -- a joint IBM/Deloitte solution

6
Case Study Company XYZ

• Real Case Study

• The Problem
• The Solution
• The Costs Cost Savings
• Business Benefits

7
Our Clients Situation

• Real Case Study

• Company XYZ Corporate looking to implement
  Directory Services across their organization
• intent on developing an enterprise directory,
• providing a process for managing identity data,
  and
• reducing sign-on across the organization.
• Broader solution with strategic context of
  Identity Management
• the identity directory, Web access management,
  authoritative source integration, user account
  provisioning, role base access control, and
  protection across the organization.
• We investigated the following.
• The security infrastructure used by each business
  unit.
• The direction units taking related to Directory
  deployments.
• The current state and future needs related to the
  ID Mgmt components.
• Data to support a business case for pursing ID
  Mgmt, inclusive of a directory component.
• Our goal was document findings and build a case
  for an Id Mgmt strategy project to
• define the solution, determine actual cost, and
  provide an implementation plan.

8

• Real Case Study

Summary of Pain Points

• Currently Company XYZ Corporate is concentrating
  on one aspect of identity management, while
  individual business units are each attempting to
  address different components of identity
  management specific to their needs.

Corporate Focus
User Provisioning
Authoritative Source
Identity Repository
Platform / Applications
PS v8
LDAP v3 Directory
Cust
Data Transformation
Business Events/Triggers
BP
AuthN
AuthZ
Access Management
Protection
Role Based Access Controls (RBAC)
France Brighton Germany
Holland England Spain
iMAAP
9
The Issue

• Real Case Study

• Despite having an enterprise-wide architecture,
  each Line Of Business (LOB) is promoting silo
  security authentication, admin and development
  efforts.
• New applications imply designing new application
  specific security solutions.
• Redundant solutions, technologies and procedures.
• Inconsistent security administration and
  architecture.
• Increased vulnerabilities due to unmanageable and
  disparate user accounts.
• Increased costs (e.g., development, hardware,
  administration).

10

• Real Case Study

Summary of Common Pain Points
XYX.com
Spain
Distribution
France
England
Germany
11

• Real Case Study

Summary of Common Pain Points
XYX.com
Distribution
France
Spain
Germany
England
12
The Solution

• Real Case Study

• Business Requirements
• Solution Architecture
• Implementation Roadmap

13
Business requirements - Key Drivers for Building
Strategy

• Real Case Study

• The Company XYZ ID Mgmt solution should
• Simplify the user process
• Improve user account management
• Streamline the administration and approval
  processes
• Reduce costs
• Increase user productivity
  
• Provide a common solution
• Facilitate integration
• Provide trusted collaboration
• Reduce the exposure of security vulnerabilities

• through
  self registration and delegated admin of user
  accounts.
• 
  through role based access control.
• 
  using
  workflow.
• through centralized
  management of user accounts.
• through
  reduced sign-on and cross platform password
  management and synchronisation.
• for
  Corporate, Business Units, Partners and Customer
  web-based authentication and authorisation.
• of Company XYZ
  business units as well as other business
  partners.
• 
  between business partners.
• 
  through the management
  of identities and corporate assets (applications,
  systems and people).

14
Solution Architecture - Example

• Real Case Study

• An identity centric model such as this one
  provides a common single secure infrastructure to
  be leveraged across Company XYZs business units

Account and Password Management
Web-Based Authentication/ Authorisation
ACCESS MANAGEMENT
USER ACCOUNT PROVISIONING
IDENTITY REPOSITORY
INFORMATION SECURITY ARCHITECTURE
15
Typical Identity Management Roadmap - Its a
phased approach

• Real Case Study

Phase 1 (2 3 Months)
Phase 2 ( 4 6 Months)
Phase 3 ( 6 8 Months)
Phase 4 ( 5 6 Months)

• Identity Management
• Strategy
• As-Is Assessment
• To-Be Architecture
• Implementation Plan

• Establish Common Infrastructure
• Align Unique Identifiers
• Establish Architecture
• User Repository

• Extend Common Infrastructure
• Provisioning Integration
• Decentralised Administration
• Centralised Management

• Directory Alignment
• Tree Design
• Enterprise Alignment
• Schema Extension

• Directory Alignment
• Provisioning Integration
• RBAC Integration

• Web Access Management Base Line
• Pilot integration of 3 5 apps
• Define Strong Authentication
• User Delegated and Self-Service

• Extend Web Access Management
• Enable Web Single-Sign
• Leverage RBAC
• Client and Business Partner Integration

• Provisioning Baseline
• Authoritative Source Integration
• 3 5 Key Systems
• Workflow and Self Service

• Extend Provisioning
• Password Management
• Extend Workflow
• Leverage RBAC

• RBAC Baseline
• Design Enterprise Structure
• Integration with Identity Management

16
The Costs Cost Savings

• Real Case Study

• Security Administration and identity Management
  Costs
• Identity Management Costs Savings

17
Security Administration and Identity Management
Costs - Model

• Real Case Study

JUMP TO LIVE ROI

• Company data and base assumptions used in the
  following costs include

based on industry experience
18
Security Administration and Identity Management
Implementation Costs

• Real Case Study

• Direct costs represent the costs associated with
  managing, administering and development of
  applications and systems

based on industry experience
19
Security Administration and Identity Management
Costs - Model

• Real Case Study

• Productivity costs represent the costs associated
  with users unable to perform work due to a work
  stoppage or unavailable resources. Additional
  costs are associated with incorporating new
  business units, managing non-employees, security
  breaches, and compromise of trade secrets.

based on industry standards Doesnt include
Acquisition Costs
20

• Real Case Study

Identity Management Costs Savings - Model
Amounts in 1,000
21
Benefits

• Real Case Study

22
Benefits

• Real Case Study

• A common single secure infrastructure with
  integration to Company XYZ business units
  provides four major benefits.

• Provides a common security authentication and
  authorisation mechanism
• to enable Access Management for Web Based
  applications
• administer security authentication rights for
  legacy applications
• provide Company XYZ branding and
• enable deployment of strong authentication.
• Provides a common security administration
  mechanism for user account provisioning. Can
  leverage HR Application as an authoritative
  source, provide directory management of user
  data, self-service functionality, delegated
  administration, and password management
• Repository that can be used for
• internal and external user authentication
  purposes,
• a centralized repository of identity information
  of all entities interacting with Company
  XYZ.
• a Meta-directory concept, separate directories
  can be deployed feeding a master directory.
• Single control point for protection and risk
  avoidance of the security infrastructure
  providing policies and procedures, security
  baselines, vulnerability assessments, and
  intrusion detection.

Common Security Infrastructure
ACCESS MANAGEMENT
USER ACCOUNT PROVISIONING
PROTECTION
IDENTITY REPOSITORY
PROTECTION
23

• Real Case Study

Benefits Addressing the Pain Points
Common Security Architecture Component
XYX.com
Distribution
France
Germany
England
Pain Point
Spain
24

• Real Case Study

Benefits Addressing the Pain Points
Common Security Architecture Component
XYX.com
Distribution
France
Germany
England
Pain Point
Spain
25
Next Steps

• Real Case Study

• Identity Management Strategy
• Summary of Key Benefits
• Demonstrating ROI using ID Accelerator

26
Identity Management Strategy

• Real Case Study

• Conduct an Identity Management strategy project
  which will do the following.
• Provide project management and quality assurance
• Assess, review, and evaluate existing vendors or
  custom built applications for Id Mgmt
• Identify and interview stakeholders (business
  units, IT, IS, and application development)
  directly linked to the applications being
  integrated with the Id Mgmt solution
• Assess authentication and authorisation
  capabilities and integration for future web
  applications (data and technology) to determine
  integration of the central repository and
  provisioning mechanism
• Assess the current and future use of Current
  Directory (tree structure, data and identities)
• Assess authoritative source(s) integration (data,
  process, application, and technology)
• Evaluate role-based access control activities and
  integration with other ID Mgmt components
• Assess resource provisioning and
• Prepare enterprise Id Mgmt detailed business
  case, strategy, architecture and plan.

27
Identity Management Strategy

• Real Case Study

• The deliverables to be produced from this
  strategy include
• Project Scope A summary of the project scope
  and activities completed.
• As-Is Assessment An as-is assessment and
  inventory of existing products or plans related
  to the Id Mgmt components described above
• Business Requirements and Case A summary of the
  business goals/requirements that drive the need
  for an ID Mgmt solution. These requirements will
  include business value proposition and critical
  success factors needed to undertake an ID Mgmt
  solution. Additionally, a business case would be
  developed with Company XYZ specific cost
  elements
• Architecture (blueprint) An architecture for
  the enterprise Id Mgmt solution for employees,
  business partners, and customers. The
  architecture will include all the components of
  an Id Mgmt solution and the process, technology,
  and data implications, specific to Company XYZ .
  Additionally, a detailed directory design and
  structure will be included and
• Implementation Plan A high-level implementation
  plan that breaks the components of the solution
  into manageable implementation phases, which will
  deliver the highest benefits with the easiest
  integration. This plan will include timing and
  estimated costs to complete the entire project.
• This proposed project is estimated to be
  completed over a six to eight week time frame.

28
Identity Management Strategy

• Real Case Study

• The deliverables to be produced from this
  strategy include
• Project Scope summary of the project scope and
  activities completed
• As-Is Assessment assessment and inventory of
  existing products or plans
• Business Requirements and Case business
  goals/requirements that drive ID Mgmt
• Architecture (blueprint) architecture for the
  enterprise Id Mgmt including the process,
  technology, and data implications and detailed
  directory design and structure specific to
  Company XYZ and
• Implementation Plan Implementation plan
  breaking down components of the solution into
  manageable implementation phases, deliver the
  highest benefits with the easiest integration..
• This proposed project is estimated to be
  completed over a six to eight week time frame.

29
Business Case ROI for Identity Management Summary

• Real Case Study

• Tangible Benefits
• Reducing help desk calls for password resets.
• Reducing the number of admin staff needed to
  create/ manage accounts.
• Reducing the number of user licences.
• Waiting time for new users to get access to
  accounts.
• Automating process of removing people once they
  leave.
• Single infrastructure to manage and secure.
• Non-Tangible Benefits
• Improved control over secure access to resources.
• Security audit findings reduced.
• User experience improved.
• Centralised administration for audit and control
  mechanisms.
• Single view of users and mappings to resources.
• Number of unused accounts reduced.

End of Case Study
30
ID Accelerator Become (or Create) A Hero
ID Accelerator

• Joint IBM DT solution packaging services and
  technology that combines proven provisioning
  technology and implementation services.
• Designed to protect client investments, deliver a
  rapid ROI, demonstrate ID Management
  capabilities, and prove Results.

• The solution is
• Repeatable
• Fixed Price for Software and Services
• Fixed Scope
• Fixed Timeline

31
(No Transcript)
32
ID Accelerator Scope
ID Accelerator
Bundled set of Provisioning Software and Services

• Manageable entry-cost and rapid ROI
• Fixed cost lt 195K
• Provisioning license
• 1,500 users on ITIM Enterprise Server
• 3 ITIM Services (Managed Resources)
• Operating System (Unix, Novell, 1 Windows Domain)
• Email (Exchange, ccmail, or GroupWise)
• 1 Initial User Data Feed (DSML service)
• Enterprise-level Project Management to ensure
  efficient implementation

• Baseline Provisioning functionality
• User Self Service Password Reset
• Basic Solution Components
• Org chart (up to 50 containers)
• Email notification setup
• System look-and-feel (logos, icons and colors)
• Provisioning Policies (password naming)
• ID Roles (Admin, HelpDesk, Supervisor, User)
• Policies for above to support auto-provisioning
• 2 Workflows (ITIM, OS)
• Access Control Rules (top level only)
• Input Forms customization
• Reports (password change, account activities,
  orphaned/suspended accounts)

Provides a foundation for Enterprise-Wide
Identity Management
33
Summary

• Get all aspects of your business involved
• in this case, broadening the scope makes it
  easier to succeed
• Demonstrate ROI to Executives in language they
  understand and believe
• demonstrate real cost savings, business
  efficiencies, and business unit buy in
• Become (or create) a hero that delivers real
  returns
• Try it on a manageable department or group

34
(No Transcript)