Approaching an Identity & Access Governance Project IAM Methods 2.0 November 6th, 2014

Upload: ibm-sverige

Post on 17-Jun-2015


DESCRIPTION

Deloitte gave their view on an approach for successful identity and access management governance projects together with IBM Security Systems and CrossIdeas, an IBM company.

TRANSCRIPT

Page 1: IAM Methods 2.0 Presentation Michael Nielsen Deloitte

Approaching an Identity & Access Governance Project IAM Methods 2.0

November 6th, 2014

Page 2

Copyright © 2014 Deloitte Development LLC. All rights reserved.

The hidden agenda

1. Change in Deloitte:
   a) Consulting
   b) Global player

2. Global IBM – Deloitte Partnership

3. IAM is one of three Strategic business areas

Page 3

Why I am here

• Michael Nielsen, Partner in Deloitte Denmark, ERS AI
• Danish Defense, Arthur Andersen, PwC, IBM, MNSecurity and Deloitte ERS
• 30 years of experience with IT
• Focus on Role based Security in SAP and Mainframes, IAM and GRC
• Swedish assignments over the years: Nobel Biocare, Volvo, Tetra Pak, Ericsson and Electrolux
• IAM: TIM/TAM, Control SA, Omada, FIM, Dell One …

Michael Nielsen
Partner | ERS AI
Deloitte
Weidekampsgade 6, 2300 Copenhagen S, Denmark
Postal address: P.O. Box 1600, 0900 Copenhagen C, Denmark
Mobile: +45 24 44 15 31 | Fax: +45 36 10 20 40
[email protected] | www.deloitte.dk

Page 4

Marcus Sörlander
Partner, Enterprise Risk Services
+46 752 46 20 00 | [email protected]

Albin Finne
Senior Manager, Enterprise Risk Services
+46 752 46 20 00 | [email protected]

My Swedish colleagues

Deloitte ERS Sweden

Page 5

Some cases from the Swedish IAM team

• Deloitte provides the client with advice on the overall project strategy and provides subject matter expertise for the best use of IAM technologies in terms of functionality, scalability and systems integration.

• The project is a joint collaboration between Sweden and the UK.

• New functionality is currently being designed and developed, including audit and attestation processes for critical access governance processes.

• Deloitte provided project manager, identity management architect and delivery of the implementation platform with a team of IAM specialists from Sweden, Norway and UK.

• Deloitte has been drafting the longer term vision, determining the roadmap, launching several implementation projects and relationship-management with the different departments/agencies.

• The solution delivered by Deloitte included consultation and implementation of a comprehensive access management for both students and staff.

• In addition to access management, SSO and federation were set up to provide authentication and authorization services for all user populations across the University.

• The project was delivered by Norwegian, Swedish and UK resources.

Page 6

What is IAM

“Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons”

Page 7

Provisioning conceptual architecture

[Diagram: Provisioning conceptual architecture. Sources and targets: System of Record (HR System - PeopleSoft), Reference Systems, Identity Store, Managed Resources (Business Applications, LOB) reached through Connectors, a Standard Interface or a Customized Interface. Enterprise Access Management Services: Access Request, Provisioning (including Manual Provisioning), Access Certification (Periodic Review, Review History, Certifying Managers and Auditors), Auditing and Reporting, Dashboards, Policy Enforcement (Enforce Policy, Approval Workflows, Workflow-Business Process, Process Modeling), Delegated Administration, Self-Service, Reconciliation, Activity Monitoring, Notification, Password Administration, Entitlements, and Role Management (Role Discovery, Role Creation, Role Certification, Role Assignment, Lifecycle Mgmt). Actors: End Users (Employee and Non-Employee) on-boarding, and Managers requesting and attesting access.]

Page 8

What is IAM Methods 2.0?

Deloitte IAM Methods is:

• Deloitte’s proven method for consistently delivering value on Identity and Access Management strategy, implementation and operation engagements across all industries

• A scalable approach that can be applied to projects of different sizes

• A set of step-by-step, repeatable tasks with enabling tools, templates, and samples for executing a consistent, high-quality project aligned with standards

• A consistent approach that is understood by all professionals on IAM projects

• An easy-to-navigate repository for templates and artifacts as it relates to the overall project timeline and structure

Page 9

General approach no. 1. Waterfall characteristics and assumptions

1. Getting it right the first time

• Assumes that requirements, design, solution build, test, and deployment phases can run sequentially, resulting in a successful “single pass” implementation

2. Freezing requirements

• Assumes that requirements can be gathered and frozen early in the project

– Stakeholders validate requirements in User Acceptance Testing, long after interviews and workshops

3. No integration surprises

• Assumes that the IAM solution can be built and integrated with managed resources, and data migrated, with minimal issues

• Assumes implementation schedule and costs can be accurately estimated “up front”

• The Waterfall lifecycle addresses the highest risks late in the project, impacting overall project success:

– Requirements issues

– Data quality issues

– Design issues such as integration and performance

• Schedule delays result in lower client satisfaction and a lower project rate per hour

[Diagram: Waterfall phases (Business Modeling, Requirements, Analysis & Design, Build Solution, Test, Deployment) plotted against time; the “Apparent Progress” curve rises while risk levels stay high. Caption: Highest risks addressed late in project, when the cost of changes is highest.]

Page 10

General approach no. 1. Stakeholder satisfaction?

With a single-pass implementation, communication errors and misunderstanding may not become apparent until very late in the project life cycle.

[Cartoon: the same feature as proposed by the project sponsor, as captured in requirements, as designed, as produced by the developers, as implemented, and what stakeholders wanted.]

Page 11

General approach no. 2. Iterative projects to reduce risk

Iterative projects focus on driving down key risks early in the project lifecycle. Business, Technical, and Project risks are addressed as early as possible, rather than postponing risk resolution.

[Chart: risk plotted against time for Waterfall versus Iterative delivery; the Iterative curve shows risk reduction earlier in the project.]

Page 12

Structure of IAM Methods 2.0
Showing the path from overall to detailed tools.

Our method structure aligns with industry standards, addresses how the work gets done and uses standard language to drive consistency.

Phase Structure

Strategy and Roadmap (Define phase)

• Planning — Confirm scope and coverage of IAM goals and vision
• Current state analysis — Gain an understanding of the current state, including business challenges, business processes, and existing infrastructure
• Target state analysis — Identify required IAM services for the short, medium, and long term. Discuss business process and technology options to deliver on these IAM needs
• Gap analysis — Perform gap analysis of IAM environment from current state to target state
• Strategy and roadmap — Create an IAM strategy with timelines, priority, and costs considered
• Cost analysis — Determine budget requirements and cost analysis for the IAM program

Implementation (Delivery phase)

• Planning and analysis — Collect and validate IAM requirements and document desired end states
• Design — Workshop and document the solution architecture and design, including functional and non-functional components and hardware and software requirements. Define and document test plan
• Build — Establish solution code base. Develop code and perform configuration according to design specifications
• Test — Perform system integration testing to verify functional correctness, performance testing to verify non-functional expectations, and support customer User Acceptance Testing
• Deploy — Assess production readiness, prepare for production deployment, and develop rollback strategy. Deploy solution to production and validate deployment
• Transition — Conduct knowledge transfer sessions to Operations and Support team

Security Application Management Services (Maintain phase)

• Planning — Confirm scope, discovery, and high level transition plan
• Service enablement — Gain an understanding of the Client’s current IAM processes in terms of business process, platforms, and key stakeholders through knowledge transfer and shadowing
• Service delivery — Deliver the development, support, and platform administration services by leveraging the processes established during the service enablement phase
• Handover — Conduct knowledge transfer sessions and oversee managed transition support

Cross-phase streams: Project Management – Governance – Organization Change

Page 13

IAM: Strategy and roadmap
Showing the path from overall to detailed tools.

Phases: Planning; Current state analysis; Target state analysis; Gap analysis; Strategy and roadmap; Cost analysis

Cross-phase streams: Organizational change management; Project management and governance

Tasks/Activities

• Create project plan for program of work

• Review overall strategy scope and confirm business goals

• Identify and confirm IAM vision

• Identify key stakeholders and schedule meetings

• Agree on final look and scope of key Artifacts

• Obtain documents describing the existing IAM processes

• Conduct stakeholder interviews/focus groups to discuss current IAM challenges

• Perform current state assessment of IAM environment

• Understand business, regulatory, and technology drivers

• Understand information security policies, procedures and map them to IAM system

• Assess maturity of current IAM service areas and IAM governance structure

• Identify business drivers for IAM and prioritize

• Identify IAM services to be provided

• Identify business and governance processes to be provided by IAM

• Define targeted IAM Maturity level

• Conduct IAM workshops, with a focus on business, regulatory, and technology streams

• Define program monitoring, measurement, and reporting

• Define initial set of target state IAM reference architecture options

• Perform gap analysis between current state and target state environments

• Update target state reference architecture options based on findings of gap analysis

• Finalize target state architecture options

• Define IAM services and prioritization order

• Define IAM roadmap for implementation

• Develop IAM program monitoring

• Define vendor selection process

• Select IAM vendor and technology

• Assist with generating or evaluating RFP

• Assist in Proof of concept (POC)

• Prepare executive briefing presentation

• Complete executive briefing on strategy and roadmap

• Define/Confirm organizational budget requirements for IAM Program

• Identify initial and recurring technology costs associated with the IAM program

• Identify people costs associated with IAM program

• Develop multi-year cost analysis for IAM program

Tools and accelerators

• Requirements management tools

• IAM current state analysis template

• IAM Workshop Approach Template

• IAM target state analysis template

• IAM gap analysis template

• IAM Maturity model

• Vendor selection toolkits

• IAM Cost Analysis Templates

Artifacts and Deliverables

• Work Plan

• IAM vision statement

• Project Status Report

• Current State Assessment report

• IAM objectives, goals, and services list

• IAM business and governance process lists

• Target state architecture options

• IAM Roles and Responsibilities Matrix

• Gap analysis report

• Maturity Models and Metrics Capabilities/Dashboards

• Vendor selection checklist

• IAM strategy and roadmap

• Executive briefing presentation

• IAM Program Cost Model

Mainly Deloitte activities

Page 14

Planning
Showing the path from overall to detailed tools.

Phases: Planning; Current state analysis; Target state analysis; Gap analysis; Strategy and roadmap; Cost analysis (this slide: Planning)

Method and approach

Objectives

• Understand business goals, stakeholders' priorities, and perspectives
• Understand the IAM needs for each IAM Service area
• Lead stakeholders to a common understanding of IAM vision
• Establish and maintain agreement with stakeholders on IAM goals

Tasks/Activities

• Create project plan for program of work
• Review overall strategy scope and confirm business goals
• Identify and confirm IAM vision
• Identify key stakeholders and schedule meetings
• Agree on final look and scope of key artifacts
• Obtain documents describing the existing IAM processes

Key considerations

• IAM vision statement is clearly defined and captures an agreement on the high-level purpose, business scope, and project boundaries
• Roles and responsibilities are clearly defined and project expectations are set with stakeholders
• Utilize templates, tools, methods and accelerators to gain efficiencies and quality

Project roles

• Business Process Owners
• Project Sponsor
• Project Manager
• IAM Specialist

Exit criteria

• Approved Project Plan
• Approved Scope statement
• Workshops and Interviews Calendar

Tools/Accelerators

• Requirements management tools

Artifacts/Deliverables

• Work Plan
• IAM Vision Statement

Page 15

Requirements management tools
Showing the path from overall to detailed tools.

Method and approach

Switch to IAM Method – Detail documentation

- 1. Planning & Analysis

- Requirements management tools

- Sam_IAMSolutionRequirementsSpecification_Client_A_C.docx

Page 16

IAM: Implementation

Phases: Planning and analysis; Design; Build; Test; Deploy; Transition

Tasks/Activities

• Define project management plan
• Develop governance plan
• Prepare project plan
• Develop communication plan
• Review current documentation to identify requirements
• Conduct workshops to identify and validate business requirements
• Identify IAM business modeling for process and organization
• Develop and define use cases
• Conduct Proof of Concept (POC)
• Conduct workshops to discuss solution architecture and design approach
• Develop solution architecture
• Develop solution design
• Prepare test strategy
• Prepare training strategy
• Prepare test plan
• Prepare test scripts and data
• Establish IAM solution build repository
• Build development environment
• Build IAM solution
• Prepare solution build document
• Execute unit testing
• Perform solution QA
• Build pre-production environments
• Migrate IAM solution to pre-production environments
• Perform System Testing
• Conduct training
• System Integration Testing
• Prepare training materials
• Performance Testing
• User Acceptance Testing
• Production readiness review
• Prepare deployment plan
• Perform production deployment
• Go-live activities
• Production verification testing
• IAM system go-live
• Prepare operational documentation
• Update project documentation to reflect as-built status
• Prepare and conduct handover sessions with client team
• Handover of IAM solution repository
• Document lessons learned
• Conduct project closure tasks

Tools and accelerators

• Project contacts list
• Project status report
• Requirements traceability matrix
• IAM Test scripts template
• IAM Configuration tracker
• IAM Master code register
• Test Case Tracker
• Production cutover plan
• Go-live communication plan
• Post Implementation Review

Artifacts

• Project Management Plan
• Work Plan
• Project governance
• Communication plan
• Solution Requirements Specification
• Solution architecture
• Solution design specification
• Training strategy
• Test Strategy
• Solution code, customizations, and configurations
• Solution build document
• Test Plan
• Test scripts and test data
• Training materials
• Test summary report
• Updated project documentation
• Deployment plan
• Live solution
• IAM operations manual
• Post Go-Live System Evaluation Plan
• IAM Solution operations transition
• Transition of IAM solution repository
• Project closure

Cross-phase streams: Organizational change management; Project management and governance

Deloitte and partner activities

Page 17

Security Application Management Services

Phases: Planning; Service enablement; Service delivery; Handover

Tasks/Activities

• Mobilize onsite and integrate with the current project teams
• Establish Governance
  – Review GBTs
  – Define Operations Management structure
  – Define the operations scope, including the responsibilities of the business and IT
• Review Operations
  – Define SLAs
  – Review quality and risk plans
  – Review inflight and planned projects and plans
• Begin Discovery planning
  – Delivery Model
  – Roles and Responsibilities
  – Knowledge transfer plan
  – Operations Infrastructure
• Establish onsite/offshore infrastructure
  – Test communications, connectivity, and access options
• Understand the current IAM security application management service processes
• Begin onsite shadowing of maintenance support activities
• Finalize maintenance roles, activities, and performance metrics
• Integrate onsite and offshore teams
  – Establish and test onsite/offshore integrated maintenance processes
  – Transition to onsite/offsite team
• Begin transferring application maintenance tasks
• Perform Service Delivery
  – Deliver enhancements
  – Provide incident, problem, change, configuration, and release management services
  – Perform service management for platform and product deployments
• Begin performance measurement of service delivery
• Analyze performance metrics for quality, efficiency, schedule, and turnaround time
• Analyze business process efficiencies
• Compare and contrast project metrics with historical metrics
• Develop project performance summary report
• Prepare and conduct handover sessions with client team
• QRM/QAR checkpoint
• Handover of IAM solution repository
• Document lessons learned
• Conduct project closure tasks

Tools and accelerators

• Project contacts list
• Project status report
• IAM Playbook
• Application Integration Guide
• IAM Dashboard and Metrics
• IAM lessons learned

Artifacts

• Scope Validated
• Organization Structure
• Discovery Plan
• High Level Transition Plan
• Roles and Responsibilities Matrix
• Escalation Plans and Procedures
• Current-State Performance Snapshot
• Service Delivery Infrastructure Established
• Onshore/Offshore Team Established
• Knowledge Transfer Complete
• Transition Status Reporting
• Service Delivery Model
• Service Delivery Operations Launched
• Optimized Organization Structure
• Updated IAM solution documents
• Enhancement cookbooks
• Periodic status report and metrics
• IAM Solution operations transition
• Transition of IAM solution repository
• Project closure report

Cross-phase streams: Organizational change management; Project management and governance

Deloitte and partner activities

Page 18

Who you gonna call?

Marcus Sörlander
Partner, Enterprise Risk Services
+46 752 46 20 00 | [email protected]

Albin Finne
Senior Manager, Enterprise Risk Services
+46 752 46 20 00 | [email protected]

Michael Nielsen
Partner, Enterprise Risk Services
+45 2444 1531 | [email protected]