IAM Methods 2.0 presentation, Michael Nielsen, Deloitte

DESCRIPTION
Deloitte gave their view on an approach for successful identity and access management governance projects together with IBM Security Systems and CrossIdeas, an IBM company.

TRANSCRIPT
Approaching an Identity & Access Governance Project IAM Methods 2.0
November 6th, 2014
Copyright © 2014 Deloitte Development LLC. All rights reserved.
The hidden agenda
1. Change in Deloitte:
   a) Consulting
   b) Global player
2. Global IBM – Deloitte Partnership
3. IAM is one of three Strategic business areas
Why I am here
• Michael Nielsen, Partner in Deloitte Denmark, ERS AI
• Danish Defense, Arthur Andersen, PwC, IBM, MNSecurity and Deloitte ERS
• 30 years of experience with IT
• Focus on Role based Security in SAP and Mainframes, IAM and GRC
• Swedish assignments over the years: Nobel Biocare, Volvo, Tetra Pak, Ericsson and Electrolux
• IAM: TIM/TAM, Control SA, Omada, FIM, Dell One …
Michael Nielsen, Partner | ERS AI, Deloitte
Weidekampsgade 6, 2300 Copenhagen S, Denmark
Postal address: P.O. Box 1600, 0900 Copenhagen C, Denmark
Mobile: +45 24 44 15 31 | Fax: +45 36 10 20 40
[email protected] | www.deloitte.dk
© 2014 Deloitte AB
My Swedish colleagues
Deloitte ERS Sweden
Marcus Sörlander, Partner, Enterprise Risk Services, +46 752 46 20 00, [email protected]
Albin Finne, Senior Manager, Enterprise Risk Services, +46 752 46 20 00, [email protected]
Some cases from the Swedish IAM team
• Deloitte provides the client with advice on the overall project strategy and providing subject matter expertise for the best use of IAM technologies in terms of functionality, scalability and systems integration.
• The project is a joint collaboration between Sweden and UK.
• New functionality is currently being designed and developed, including audit and attestation processes for critical access governance processes.
• Deloitte provided project manager, identity management architect and delivery of the implementation platform with a team of IAM specialists from Sweden, Norway and UK.
• Deloitte has been drafting the longer term vision, determining the roadmap, launching several implementation projects and relationship-management with the different departments/agencies.
• The solution delivered by Deloitte included consultation and implementation of a comprehensive access management for both students and staff.
• In addition to access management, SSO and federation was setup to provide authentication and authorization services for all user populations across the University.
• The project was delivered by Norwegian, Swedish and UK resources.
What is IAM
"Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons"
Provisioning conceptual architecture
[Architecture diagram; only its labels survive extraction. Sources: System of Record (HR System - PeopleSoft), Resource SOR, Reference Systems, Identity Store. Enterprise Access Management Services: Access Certification, Access Request, Provisioning, Role Management, Policy Enforcement, Workflow, Auditing and Reporting, Administration. Managed Resources: Business Applications, Database, LOB. Actors: End Users (Employee and Non-Employee), Certifying Managers and Auditors, Manager Requesting and Attesting Access.]
Component labels: Periodic Review, Review History, Dashboards, Activity Monitoring, Self-Service, Delegated Administration, Reconciliation, Connectors, Standard Interface, Customized Interface, Approval Workflows, Process Modeling, Enforce Policy, Role Discovery, Role Creation, Role Certification, Role Assignment, Lifecycle Mgmt, Password, Entitlements, Manual Provisioning, Notification, Workflow-Business Process, Roles, Certification, On-boarding
What is IAM Methods 2.0?
Deloitte IAM Methods is:
Deloitte’s proven method for consistently delivering value on Identity and Access Management strategy, implementation and operation engagements across all industries
A scalable approach that can be applied to projects of different sizes
A set of step-by-step, repeatable tasks with enabling tools, templates, and samples for executing a consistent, high-quality project aligned with standards
A consistent approach that is understood by all professionals on IAM projects
An easy-to-navigate repository for templates and artifacts as it relates to the overall project timeline and structure
General approach no. 1. Waterfall characteristics and assumptions
1. Getting it right the first time
• Assumes that requirements, design, solution build, test, and deployment phases can run sequentially, resulting in a successful “single pass” implementation
2. Freezing requirements
• Assumes that requirements can be gathered and frozen early in the projects
– Stakeholders validate requirements in User Acceptance Testing, long after interviews and workshops
3. No integration surprises
• Assumes that IAM solution can be built, integrated with managed resources; data migrated with minimal issues
• Assumes implementation schedule and costs can be accurately estimated “up front”
• Waterfall Lifecycle addresses highest risks late in project, impacting overall project success:
– Requirements issues
– Data quality issues
– Design issues such as integration and performance
• Schedule delays result in lower client satisfaction and lower project rate per hour
[Chart: Risk Level vs. Time across the phases Business Modeling, Requirements, Analysis & Design, Solution Build, Test, Deployment; curve labelled “Apparent Progress”; annotation: Highest risks addressed late in project, when cost of changes are highest]
General approach no. 1. Stakeholder satisfaction?
With a single-pass implementation, communication errors and misunderstanding may not become apparent until very late in the project life cycle.
[Cartoon panels: As proposed by project sponsor; As captured in requirements; As designed; As produced by the developers; As implemented; What stakeholders wanted]
General approach no. 2. Iterative projects to reduce risk
Iterative projects focus on driving down key risks early in the project lifecycle. Business, Technical, and Project risks are addressed as early as possible, rather than postponing risk resolution.
[Chart: Risk vs. Time, comparing the Waterfall and Iterative curves; the gap between them is labelled “Risk Reduction”]
Structure of IAM Methods 2.0. Showing the path from overall to detailed tools.
Our method structure aligns with industry standards, addresses how the work gets done and uses standard language to drive consistency

Phase Structure (Phase / Definition)

Strategy and Roadmap – Define
• Planning — Confirm scope and coverage of IAM goals and vision
• Current state analysis — Gain an understanding of the current state, including business challenges, business processes, and existing infrastructure
• Target state analysis — Identify required IAM services for the short, medium, and long term. Discuss business process and technology options to deliver on these IAM needs
• Gap analysis — Perform gap analysis of IAM environment from current state to target state.
• Strategy and roadmap — Create an IAM strategy with timelines, priority, and costs considered.
• Cost analysis — Determine budget requirements and cost analysis for the IAM program

Implementation – Delivery
• Planning and analysis — Collect and validate IAM requirements and document desired end states
• Design — Workshop and document the solution architecture and design, including functional and non-functional components and hardware and software requirements. Define and document test plan
• Build — Establish solution code base. Develop code and perform configuration according to design specifications
• Test — Perform system integration testing to verify functional correctness, performance testing to verify non-functional expectations, and support customer User Acceptance Testing
• Deploy — Assess production readiness, prepare for production deployment, and develop rollback strategy. Deploy solution to production and validate deployment
• Transition — Conduct knowledge transfer sessions to Operations and Support team

Security Application Management Services – Maintain
• Planning — Confirm scope, discovery, and high level transition plan
• Service enablement — Gain an understanding of the Client’s current IAM processes in terms of business process, platforms, and key stakeholders through knowledge transfer and shadowing
• Service delivery — Deliver the development, support, and platform administration services by leveraging the processes established during the service enablement phase
• Handover — Conduct knowledge transfer sessions and oversee managed transition support

Across all phases: Project Management - Governance - Organization Change
IAM: Strategy and roadmap. Showing the path from overall to detailed tools.
Phases: Planning; Current state analysis; Target state analysis; Gap analysis; Strategy and roadmap; Cost analysis
Across all phases: Organizational change management; Project management and governance
Tasks/Activities
• Create project plan for program of work
• Review overall strategy scope and confirm business goals
• Identify and confirm IAM vision
• Identify key stakeholders and schedule meetings
• Agree on final look and scope of key Artifacts
• Obtain documents describing the existing IAM processes
• Conduct stakeholder interviews/focus groups to discuss current IAM challenges
• Perform current state assessment of IAM environment
• Understand business, regulatory, and technology drivers
• Understand information security policies, procedures and map them to IAM system
• Assess maturity of current IAM service areas and IAM governance structure
• Identify business drivers for IAM and prioritize
• Identify IAM services to be provided
• Identify business and governance processes to be provided by IAM
• Define targeted IAM Maturity level
• Conduct IAM workshops, with a focus on business, regulatory, and technology streams
• Define program monitoring, measurement, and reporting
• Define initial set of target state IAM reference architecture options
• Perform gap analysis between current state and target state environments
• Update target state reference architecture options based on findings of gap analysis
• Finalize target state architecture options
• Define IAM services and prioritization order
• Define IAM roadmap for implementation
• Develop IAM program monitoring
• Define vendor selection process
• Select IAM vendor and technology
• Assist with generating or evaluating RFP
• Assist in Proof of concept (POC)
• Prepare executive briefing presentation
• Complete executive briefing on strategy and roadmap
• Define/Confirm organizational budget requirements for IAM Program
• Identify initial and recurring technology costs associated with the IAM program
• Identify people costs associated with IAM program
• Develop multi-year cost analysis for IAM program
Tools and accelerators
• Requirements management tools
• IAM current state analysis template
• IAM Workshop Approach Template
• IAM target state analysis template
• IAM gap analysis template
• IAM Maturity model
• Vendor selection toolkits
• IAM Cost Analysis Templates
Artifacts and Deliverables
• Work Plan
• IAM vision statement
• Project Status Report
• Current State Assessment report
• IAM objectives, goals, and services list
• IAM business and governance process lists
• Target state architecture options
• IAM Roles and Responsibilities Matrix
• Gap analysis report
• Maturity Models and Metrics Capabilities/Dashboards
• Vendor selection checklist
• IAM strategy and roadmap
• Executive briefing presentation
• IAM Program Cost Model
Mainly Deloitte activities
Planning. Showing the path from overall to detailed tools.
Phases: Planning; Current state analysis; Target state analysis; Gap analysis; Strategy and roadmap; Cost analysis
Method and approach
Objectives
• Understand business goals, stakeholders' priorities, and perspectives
• Understand the IAM needs for each IAM Service area
• Lead stakeholders to a common understanding of IAM vision.
• Establish and maintain agreement with stakeholders on IAM goals.
Tasks/Activities
• Create project plan for program of work
• Review overall strategy scope and confirm business goals
• Identify and confirm IAM vision
• Identify key stakeholders and schedule meetings
• Agree on final look and scope of key artifacts
• Obtain documents describing the existing IAM processes
Key considerations
• IAM vision statement is clearly defined and captures an agreement on the high-level purpose, business scope, and project boundaries.
• Roles and responsibilities are clearly defined and project expectations are set with stakeholders
• Utilize templates, tools, methods and accelerators to gain efficiencies and quality
Project roles
• Business Process Owners
• Project Sponsor
• Project Manager
• IAM Specialist
Exit criteria
• Approved Project Plan
• Approved Scope statement
• Workshops and Interviews Calendar
Tools/Accelerators
• Requirements management tools
Artifacts/Deliverables
• Work Plan
• IAM Vision Statement
Requirements management tools. Showing the path from overall to detailed tools.
Method and approach
Switch to IAM Method – Detail documentation
- 1. Planning & Analysis
- Requirements management tools
- Sam_IAMSolutionRequirementsSpecification_Client_A_C.docx
IAM: Implementation
Phases: Planning and analysis; Design; Build; Test; Deploy; Transition
Across all phases: Organizational change management; Project management and governance
Tasks/Activities
• Define project management plan
• Develop governance plan
• Prepare project plan
• Develop communication plan
• Review current documentation to identify requirements
• Conduct workshops to identify and validate business requirements
• Identify IAM business modeling for process and organization
• Develop and define use cases
• Conduct Proof of Concept (POC)
• Conduct workshops to discuss solution architecture and design approach
• Develop solution architecture
• Develop solution design
• Prepare test strategy
• Prepare training strategy
• Prepare test plan
• Prepare test scripts and data
• Establish IAM solution build repository
• Build development environment
• Build IAM solution
• Prepare solution build document
• Execute unit testing
• Perform solution QA
• Build Pre-production environments
• Migrate IAM solution to pre-production environments
• Perform System Testing
• Conduct training
• System Integration Testing
• Prepare Training materials
• Performance Testing
• User Acceptance Testing
• Production readiness review
• Prepare deployment plan
• Perform production deployment
• Go-live activities
• Production verification testing
• IAM system go-live
• Prepare operational documentation
• Update project documentation to reflect as-built status
• Prepare and conduct handover sessions with client team
• Handover of IAM solution repository
• Document lessons learned
• Conduct project closure tasks
Tools and accelerators
• Project Contacts list
• Project status report
• Requirements traceability matrix
• IAM Test scripts template
• IAM Configuration tracker
• IAM Master code register
• Test Case Tracker
• Production cutover plan
• Go-live communication plan
• Post Implementation Review
Artifacts
• Project Management Plan
• Work Plan
• Project governance
• Communication plan
• Solution Requirements Specification
• Solution architecture
• Solution design specification
• Training strategy
• Test Strategy
• Solution code, customizations, and configurations
• Solution build document
• Test Plan
• Test scripts and test data
• Training materials
• Test summary report
• Updated project documentation
• Deployment plan
• Live solution
• IAM operations manual
• Post Go-Live System Evaluation Plan
• IAM Solution operations transition
• Transition of IAM solution repository
• Project closure
Deloitte and partner activities
Security Application Management Services
Phases: Planning; Service enablement; Service delivery; Handover
Across all phases: Organizational change management; Project management and governance
Tasks/Activities
• Mobilize onsite and integrate with the current project teams
• Establish Governance
– Review GBTs
– Define Operations Management structure
– Define the operations scope, including the responsibilities of the business and IT
• Review Operations
– Define SLAs
– Review quality and risk plans
– Review inflight and planned projects and plans
• Begin Discovery planning
– Delivery Model
– Roles and Responsibilities
– Knowledge transfer plan
– Operations Infrastructure
• Establish onsite/offshore infrastructure
– Test communications, connectivity, and access options
• Understand the current IAM security application management service processes
• Begin onsite shadowing of maintenance support activities
• Finalize maintenance roles, activities, and performance metrics
• Integrate onsite and offshore teams
– Establish and test onsite/offshore integrated maintenance processes
– Transition to onsite/offsite team
• Begin transferring application maintenance tasks
• Perform Service Delivery
– Deliver enhancements
– Provide incident, problem, change, configuration, and release management services
– Perform service management for platform and product deployments
• Begin performance measurement of service delivery
• Analyze performance metrics for quality, efficiency, schedule, and turnaround time
• Analyze business process efficiencies
• Compare and contrast project metrics with historical metrics
• Develop project performance summary report
• Prepare and conduct handover sessions with client team
• QRM/QAR checkpoint
• Handover of IAM solution repository
• Document lessons learned
• Conduct project closure tasks
Tools and accelerators
• Project contacts list
• Project status report
• IAM Playbook
• Application Integration Guide
• IAM Dashboard and Metrics
• IAM lessons learned
Artifacts
• Scope Validated
• Organization Structure
• Discovery Plan
• High Level Transition Plan
• Roles and Responsibilities Matrix
• Escalation Plans and Procedures
• Current-State Performance Snapshot
• Service Delivery Infrastructure Established
• Onshore/Offshore Team Established
• Knowledge Transfer Complete
• Transition Status Reporting
• Service Delivery Model
• Service Delivery Operations Launched
• Optimized Organization Structure
• Updated IAM solution documents
• Enhancement cookbooks
• Periodic status report and metrics
• IAM Solution operations transition
• Transition of IAM solution repository
• Project closure report
Deloitte and partner activities
Who you gonna call?
Marcus Sörlander, Partner, Enterprise Risk Services, +46 752 46 20 00, [email protected]
Albin Finne, Senior Manager, Enterprise Risk Services, +46 752 46 20 00, [email protected]
Michael Nielsen, Partner, Enterprise Risk Services, +45 2444 1531, [email protected]