Lessons Learned fromLessons Learned from
IAM Deployments Across
the Globethe Globe
Kevin P. Murphy
CA, Inc.
04/24/09 | Session ID: ESS-40304/24/09 | Session ID: ESS 403
Session Classification: Intermediate
Agenda
Study Overview
Lessons LearnedLessons Learned
S f l P j t P filSuccessful Project Profiles
Pitfalls and Practical Application
2
Study OverviewStudy Overview
Why is this study important?
• IAM projects are extremely complex
• IAM space is reaching maturity (finally!)
– Analyze and document proven best practices
• Organizations are revisiting initial IAM initiatives
– Apply best practices
• Compare real-world to analysts’ papers
– For the most part – analysts are getting it right
– Results helped prioritize lessons learned
4
Study Method
• IAM – very broad space. What did we
study?y
– Web Access Management
– Server Access Management
Id i M ( i ll i i i )– Identity Management (especially user provisioning)
• Questionnaires completed by CA
Services architects and project managersServices architects and project managers
• Interviews – project teams, support, sales
• Study limitation – vendor point-of-viewStudy limitation vendor point of view
5
Study Scope
• Final sample size – 35 projects,
numerous interviews
– Worldwide sample pool
– User provisioning focus
E l d d ff i– Excluded staff augmentation
– (5 very blunt support managers!)
• Verticals: Finance governmentVerticals: Finance, government,
health care
• Typical managed users: 10,000 –
20,000
– Range from 100 people – 20 million
6
Lessons LearnedLessons Learned
IAM Program Initiation
Governance VisionGovernance Vision
Metrics Biz Requirements
8
Metrics q
POC and Vendor Selection
Don’t change
i th iddlin the middle
of POC
Use cases POC lab Success/fail
defined
and fixed
ready upon
vendor arrival
criteria
defined
9
Project Scope
• Phased implementations
• Align goals with available
personnel skillsets
Focus• Impact of other projects
• Allow for “overhead” –
Focus
allocate sufficient time for required activities
– Testing
– Remediation
– Go-live
10
Project Size and Scope
• About 70% were approx.
6 month projects6 month projects
• All but 1 (one) Identity
Mgmt project had
U
seMgmt project had
customization
• Average staffing:
ers
Average staffing:
– Customer – 3 full time, 5 part
time Months
– Vendor or SI - 2- 4 full time
11
Risk Levels
Affected Users
Risk
Solution Type
Server Web Identity
Risk
Server
Protection
Web
Access
Mgmt
Identity
Mgmt
12
Your Project Team Composition
• Education and training for
team membersteam members
• Dedicated resources
Balanced Team• Balance between business and
technical resources
G t QA b d l Need the
Balanced Team
– Get QA resources on-board early
• Plan for team turnover best
project manager
– 1/3 of projects reported difficulty
• Strong project manager
p j g
from your
organization
13
Requirements
• Define the “To-Be” Vision
– Develop associated maturity model
• Define your identity
data model
P t t i li Sign-Off• Prototyping aligns
capabilities and expectations
• Your staff should be very involved
Sign Off
• Your staff should be very involved
• Document all types of requirements
Functional non functional UI constraints– Functional, non-functional, UI, constraints
• Obtain sign-off
14
Development, Testing, Remediation
• Select capable product version
• Data cleanup – often overlooked
• Customization takes time
– Follow SDLC; source code control
• Automate Testingg
– You will run your test suite many times!
15
Testing
• Comprehensive Successful
Test Plan DeploymentTest Plan Deployment
• Types of testing performed by project teams
100% f d f ti l– 100% performed functional
– 50% performed performance
16
Deployment and Maintenance
• Staff formally educated on IAM technologies
• Go-live responsibilities – generally mix of vendor
and customer staff
• Don’t underestimate maintenance requirements
– Cost of staying current with vendor roadmap
O– Outside projects will drive changes to IAM
• Configure monitoring of solution
17
SuccessfulSuccessful
Project Profiles
Project #1 – Initial IM Effort
Establish Program
B li d t i d t d d t il d– Baselined metrics, documented detailed use cases,
dedicated resources, identified “decision maker”
Define ScopeDefine Scope
– Data cleanup, feed from authoritative sources, provisioning
of basic user information to 1-3 endpoints, basic reporting
O ti l i lt l i i ff t– Optional – simultaneous role engineering effort
Realistic Project Plan
– Prototyping, ample time for remediation work
Detailed Test Plan
19
Project #2 – Build Capabilities
Builds on Established Program
O f l b i i l t ti d b lt– One successful, basic implementation under belt
Scope
A 0 100 l id ifi d– Approx. 50-100 roles identified
– Deployment of additional OOTB and custom connectors
– Workflow approvalsWorkflow approvals
– Mixture of manual and automated provisioning
Primarily led by organization staffPrimarily led by organization staff
– Use partners to guide customization efforts
20
PracticalPractical
Application of
L L dLessons Learned
Avoiding Pitfalls
1. Simultaneous deployment with new ERP
2. Problems in test / QA not planned for
3. 100% OOTB expectations3. 100% OOTB expectations
4. Initial rollout scope - entire organization
5 Ski f d t t ti5. Skip performance and user acceptance testing
6. No dedicated internal resources assigned
22
Applying in Your Organization
• Establish a vision
• Use the checklist
included in conference
memory stickmemory stick
– Perform regular “health
checks”
• If you don’t have a
governance model,
create one!create one!
23