IAMS at IRD - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
IAMS at IRD
  • Identity Management of Internal Users at IRD
  • GOVIS May 2005

2
Agenda
  • History & Background
  • Key Infrastructure
  • IAMS Basics
  • IAMS Drivers & Vision
  • IAMS at IRD today
  • Policy Manager
  • Realities & Lessons

3
ETA & IAMS History
  • ETA History
    • ETA project Dec 2002
    • Key infrastructure acquisition May 2003 through
      Feb 2004
    • ETA Group set up late July 2004
  • ETA Vision is to establish a technology
    environment which strives to:
    • be responsive to the business
    • maximise the use of information technology
      components
    • ensure informed and consistent technology
      decision making
  • TOGAF
  • IAMS identified as a key infrastructure component

4
More History - Architecture Principles
  • Business Continuity
  • Grow Capability
  • Component Re-use
  • Re-use vs Acquire vs Build
  • Technical Standardisation
  • Architecture Compliance
  • SOE Compliance
  • Open Standards
  • Linkage to Business
  • Reference Architecture

5
ETA Core Objective: Re-Use
6
Key Infrastructure
  • RSA and THOR selected in February 2004
    • Combined RFP for EAI and IMS issued November 2003
    • Proof-of-Concept (December 2003 to February 2004)
  • Acquisition May 2003 through Feb 2004
    • RFI May 2003
    • RFP (inc. PoC) Nov 2003 through Feb 2004
    • Acquire / deploy April 2004 onwards
  • Enterprise Identity Store
    • Directory vs Database: Directory picked in July
      2004
    • Novell's eDirectory August 2005 (re-use)
  • Policy Manager
    • Need identified November 2004

7
Identity & Access Management System
  • Centralised management of:
    • Identity (persona, before the event)
      • Who are they: personal attributes
      • What can they do: entitlements
    • Access (run time)
      • Authentication: are they who they claim to be
      • Authorisation: may they do what they ask for
    • Accessed (after the event)
      • Logging
      • Audit

8
Internal Drivers for IAMS
  • Increasing deployment of packages
    • SAP, Call Recording, Workforce Mgmt, Case Mgmt
  • Increase in the number of user accounts
    • Typically 4 accounts: LAN, FIRST, Timesheet,
      Payroll
  • Where are the business rules?
    • Increasing re-usable Business Objects (BOBs)
    • Consistent enforcement of business rules
    • Re-use of existing rules: another ETA
      Architecture Goal
    • Give rapid effect to new rules
  • New Technology
    • Telecommunications Review Project: new network
    • Increasing numbers of remote and mobile users
    • PDAs
    • Wireless networks
  • OLACS: legacy IAMS for the green screen environment

9
IAMS Vision
  • Single Account
    • Reduced Logon: few usercodes & passwords
    • Single Logon: the same usercode & password
      everywhere
    • Single Sign-on: log on once (mainly for web)
  • One central system determines what a user may do
  • Devolved management, e.g. to users and team leaders
    • Reset password
    • Apply for and/or grant additional access
  • All applications will either
    • Access IAMS for authentication & authorisation,
      by
      • Interfacing with IAMS at runtime, or
      • Accessing the data repository where IAMS stores
        its information
    • Have their user management module managed by IAMS
  • Users will be provisioned from IAMS
  • Only valid, authorised transactions get to
    applications
  • Centralised Auditing

10
Internal IAMS Today
  • OLACS
    • Still controls access to the main tax system
  • Numerous silo applications with their own user
    repositories
  • Novell/eDirectory
    • Enterprise Identity repository
    • Directory over Database, July 2004
  • RSA/ClearTrust
    • Runtime authentication, and
    • Simple runtime authorisation
  • THOR/Xellerate
    • Provisioning tool
  • Policy Manager
    • IRD-specific runtime authorisation
    • Detail design complete, partially deployed
  • Logging Vault via EAI Service

11
IAMS Support
  • Various user administration groups
  • IAMS Competency Centre formed in July 2004
    • Detailed design
    • Implement and deploy IAMS capability
    • PSS support
  • ETA group formed late July 2004
    • High level design

12
Policy Manager
  • Responsible for IRD-specific rules that do not
    fit well within an off-the-shelf access control
    product like RSA/ClearTrust
  • Separates application logic from access rules
    • Decoupling allows rules and logic to change
      without impacting each other
    • Decouples IRD-specific rules from RSA/ClearTrust
  • Supports JAAS interface
  • Decoupled enterprise architecture
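
The following is an added example, not code from the IRD presentation or from its Policy Manager (which the slide says exposes a JAAS interface, i.e. Java). It shows in Python the decoupling the slide describes: the application calls a policy decision point and never embeds the rule, the rules are a separate table that can change without touching the application, and every decision is written to an audit list, which is the "Accessed (after the event)" layer of slide 7 and the "only valid, authorised transactions get to applications" point of slide 9. The subjects, the `case` resource, the entitlement names and the `same_team_only` rule are constructed for illustration and are not IRD's actual rules.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    """Authenticated identity as the runtime layer would hand it over (constructed)."""
    usercode: str
    entitlements: FrozenSet[str]
    team: str


@dataclass(frozen=True)
class Request:
    """What the application wants to do on behalf of the subject."""
    action: str
    resource_type: str
    resource_owner_team: Optional[str] = None  # hypothetical resource attribute


Rule = Callable[[Subject, Request], bool]


class PolicyManager:
    """Deny-by-default policy decision point. Rules are data, not application code."""

    def __init__(self) -> None:
        self._rules: Dict[Tuple[str, str], List[Rule]] = {}
        self.audit: List[dict] = []  # stand-in for the logging vault

    def add_rule(self, resource_type: str, action: str, rule: Rule) -> None:
        self._rules.setdefault((resource_type, action), []).append(rule)

    def is_permitted(self, subject: Subject, request: Request) -> bool:
        rules = self._rules.get((request.resource_type, request.action), [])
        # Every applicable rule must pass; an action with no rule at all is denied.
        allowed = bool(rules) and all(rule(subject, request) for rule in rules)
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": subject.usercode,
            "action": request.action,
            "resource": request.resource_type,
            "decision": "permit" if allowed else "deny",
        })
        return allowed


# --- Enterprise-specific rules (hypothetical), kept apart from application code ---

def requires_entitlement(name: str) -> Rule:
    return lambda s, r: name in s.entitlements


def same_team_only(s: Subject, r: Request) -> bool:
    return r.resource_owner_team == s.team


def build_policy() -> PolicyManager:
    pm = PolicyManager()
    pm.add_rule("case", "view", requires_entitlement("case.read"))
    pm.add_rule("case", "update", requires_entitlement("case.write"))
    pm.add_rule("case", "update", same_team_only)  # added without touching the app
    return pm


# --- Application side: an enforcement point that only asks the PDP ---

def update_case(pm: PolicyManager, subject: Subject, owner_team: str) -> str:
    req = Request("update", "case", resource_owner_team=owner_team)
    if not pm.is_permitted(subject, req):
        return "rejected"  # the transaction never reaches application logic
    return "updated"


if __name__ == "__main__":
    pm = build_policy()
    alice = Subject("alice01", frozenset({"case.read", "case.write"}), "north")
    bob = Subject("bob02", frozenset({"case.read"}), "south")
    print(update_case(pm, alice, "north"))  # updated
    print(update_case(pm, alice, "south"))  # rejected: another team's case
    print(update_case(pm, bob, "south"))    # rejected: no case.write entitlement
    print(pm.audit[-1]["decision"])         # deny
```

The design point is that `update_case` contains no knowledge of entitlements or teams; adding `same_team_only` changed behaviour without an application change, and an action with no registered rule is denied rather than silently allowed. In a real deployment the audit list would be the logging vault fed via the EAI service, and the Subject would come from the runtime authentication layer.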

13
Policy Manager
14
Realities
  • Provisioning (Xellerate) is the current focus
    • Purchasing packages with their own repositories
  • No ClearTrust for access control
    • No significant in-house development
    • OLACS replacement will see ClearTrust deployed
  • Data cleansing required in existing applications
    • As their user repositories come under IAMS
      provisioning
  • Reconciling differing identity management
    policies, and establishing an Enterprise policy
    • Usercode formats
    • Password policies
    • Management processes
      • E.g. suspend versus deleting accounts
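
As an added example, not the presentation's own code or data, the reconciliation step above in Python: a silo application's user export is normalised onto a canonical usercode format, matched against the enterprise identity store, and each account is classified as ok, orphan (no enterprise owner), suspend or delete. The store contents, the export lines, the usercode convention (optional domain prefix, letter followed by 2 to 15 alphanumerics) and the suspend-versus-delete policy (identities on leave are suspended, leavers deleted) are all constructed assumptions, not IRD's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed enterprise identity store: the usercode is the canonical key.
ENTERPRISE: Dict[str, dict] = {
    "jsmith": {"status": "active",    "name": "J Smith"},
    "akumar": {"status": "suspended", "name": "A Kumar"},  # on leave, not a leaver
    "bwong":  {"status": "left",      "name": "B Wong"},   # departed employee
}

# Constructed silo application export with its own usercode convention:
# domain-prefixed, mixed case, sometimes padded with spaces.
SILO_EXPORT: List[str] = [
    "IRD\\JSMITH , active",
    "IRD\\AKUMAR, active",
    "ird\\bwong  , active",
    "IRD\\TEMP01, active",   # no matching enterprise identity
]

# Assumed enterprise usercode format: optional DOMAIN\ prefix, then a letter
# followed by 2 to 15 letters or digits.
_USERCODE = re.compile(r"^(?:[A-Za-z]+\\)?([A-Za-z][A-Za-z0-9]{2,15})$")


def normalise_usercode(raw: str) -> Optional[str]:
    """Map a silo usercode onto the enterprise format: strip the domain prefix
    and surrounding whitespace, lower-case. None if it cannot be mapped."""
    m = _USERCODE.match(raw.strip())
    return m.group(1).lower() if m else None


@dataclass
class Finding:
    silo_usercode: str
    enterprise_usercode: Optional[str]
    action: str  # "ok" | "orphan" | "suspend" | "delete" | "unparseable"


def reconcile(store: Dict[str, dict], export: List[str]) -> List[Finding]:
    """Compare each silo account with the enterprise store and decide what
    provisioning should do to it under the (constructed) enterprise policy."""
    findings: List[Finding] = []
    for line in export:
        raw, _, silo_status = line.partition(",")
        code = normalise_usercode(raw)
        if code is None:
            findings.append(Finding(raw.strip(), None, "unparseable"))
            continue
        ent = store.get(code)
        if ent is None:
            action = "orphan"    # silo account with no enterprise owner: investigate
        elif ent["status"] == "left":
            action = "delete"    # leaver: remove the silo account, not merely suspend
        elif ent["status"] == "suspended" and silo_status.strip() == "active":
            action = "suspend"   # enterprise state wins over the silo's own state
        else:
            action = "ok"
        findings.append(Finding(raw.strip(), code, action))
    return findings


if __name__ == "__main__":
    for f in reconcile(ENTERPRISE, SILO_EXPORT):
        print(f"{f.silo_usercode:14} -> {f.enterprise_usercode!s:8} {f.action}")
```

The orphan case is the one data cleansing has to resolve by hand: it may be a contractor account missing from the identity store, a test account, or a usercode that does not follow the convention closely enough to match. Running the same reconciliation against every silo repository before it is placed under IAMS provisioning is what makes the enterprise policy enforceable.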

15
Lessons Learnt
  • Dedicated Effort
  • Communication and Consultation
  • Readiness versus Capability Gap
  • The "A" is Authentication and Authorisation
  • Internal vs External IAMS have different drivers

16
Questions