ESS-403

Lessons Learned fromLessons Learned from IAM Deployments Across the Globethe Globe Kevin P. Murphy CA, Inc. 04/24/09 | Session ID: ESS-40304/24/09 | Session ID: ESS 403 Session Classification: Intermediate Agenda Study Overview Lessons LearnedLessons Learned S f l P j t P filSuccessful Project Profiles Pitfalls and Practical Application 2 Study OverviewStudy Overview Why is this study important? • IAM projects are extremely complex • IAM space is reaching maturity (finally!) – Analyze and document proven best practices • Organizations are revisiting initial IAM initiatives – Apply best practices • Compare real-world to analysts’ papers – For the most part – analysts are getting it right – Results helped prioritize lessons learned 4 Study Method • IAM – very broad space. What did we study?y – Web Access Management – Server Access Management Id i M ( i ll i i i )– Identity Management (especially user provisioning) • Questionnaires completed by CA Services architects and project managersServices architects and project managers • Interviews – project teams, support, sales • Study limitation – vendor point-of-viewStudy limitation vendor point of view 5 Study Scope • Final sample size – 35 projects, numerous interviews – Worldwide sample pool – User provisioning focus E l d d ff i– Excluded staff augmentation – (5 very blunt support managers!) • Verticals: Finance governmentVerticals: Finance, government, health care • Typical managed users: 10,000 – 20,000 – Range from 100 people – 20 million 6 Lessons LearnedLessons Learned IAM Program Initiation Governance VisionGovernance Vision Metrics Biz Requirements 8 Metrics q POC and Vendor Selection Don’t change i th iddlin the middle of POC Use cases POC lab Success/fail defined and fixed ready upon vendor arrival criteria defined 9 Project Scope • Phased implementations • Align goals with available personnel skillsets Focus• Impact of other projects • Allow for “overhead” – Focus allocate sufficient time for required activities – Testing – Remediation – Go-live 10 Project Size and Scope • About 70% were approx. 6 month projects6 month projects • All but 1 (one) Identity Mgmt project had U seMgmt project had customization • Average staffing: ers Average staffing: – Customer – 3 full time, 5 part time Months – Vendor or SI - 2- 4 full time 11 Risk Levels Affected Users Risk Solution Type Server Web Identity Risk Server Protection Web Access Mgmt Identity Mgmt 12 Your Project Team Composition • Education and training for team membersteam members • Dedicated resources Balanced Team• Balance between business and technical resources G t QA b d l Need the Balanced Team – Get QA resources on-board early • Plan for team turnover best project manager – 1/3 of projects reported difficulty • Strong project manager p j g from your organization 13 Requirements • Define the “To-Be” Vision – Develop associated maturity model • Define your identity data model P t t i li Sign-Off• Prototyping aligns capabilities and expectations • Your staff should be very involved Sign Off • Your staff should be very involved • Document all types of requirements Functional non functional UI constraints– Functional, non-functional, UI, constraints • Obtain sign-off 14 Development, Testing, Remediation • Select capable product version • Data cleanup – often overlooked • Customization takes time – Follow SDLC; source code control • Automate Testingg – You will run your test suite many times! 15 Testing • Comprehensive Successful Test Plan DeploymentTest Plan Deployment • Types of testing performed by project teams 100% f d f ti l– 100% performed functional – 50% performed performance 16 Deployment and Maintenance • Staff formally educated on IAM technologies • Go-live responsibilities – generally mix of vendor and customer staff • Don’t underestimate maintenance requirements – Cost of staying current with vendor roadmap O– Outside projects will drive changes to IAM • Configure monitoring of solution 17 SuccessfulSuccessful Project Profiles Project #1 – Initial IM Effort Establish Program B li d t i d t d d t il d– Baselined metrics, documented detailed use cases, dedicated resources, identified “decision maker” Define ScopeDefine Scope – Data cleanup, feed from authoritative sources, provisioning of basic user information to 1-3 endpoints, basic reporting O ti l i lt l i i ff t– Optional – simultaneous role engineering effort Realistic Project Plan – Prototyping, ample time for remediation work Detailed Test Plan 19 Project #2 – Build Capabilities Builds on Established Program O f l b i i l t ti d b lt– One successful, basic implementation under belt Scope A 0 100 l id ifi d– Approx. 50-100 roles identified – Deployment of additional OOTB and custom connectors – Workflow approvalsWorkflow approvals – Mixture of manual and automated provisioning Primarily led by organization staffPrimarily led by organization staff – Use partners to guide customization efforts 20 PracticalPractical Application of L L dLessons Learned Avoiding Pitfalls 1. Simultaneous deployment with new ERP 2. Problems in test / QA not planned for 3. 100% OOTB expectations3. 100% OOTB expectations 4. Initial rollout scope - entire organization 5 Ski f d t t ti5. Skip performance and user acceptance testing 6. No dedicated internal resources assigned 22 Applying in Your Organization • Establish a vision • Use the checklist included in conference memory stickmemory stick – Perform regular “health checks” • If you don’t have a governance model, create one!create one! 23