Identity & Access Management Project Tom Board February 2006
Presentation Overview
• Needs analysis
• Selection process
• Implementation plan
• Post-implementation plan

Needs Analysis
• First signs of need: LDAP implementation
• External signs:
  • Compliance legislation
  • Market maturity and competition
  • Expansion of technical requirements
• Buy versus build?
• Recommendation to OVP

Selection Process
• Translate needs assessment to RFP
• Issue RFP in August 2004 to 18 vendors
• List vetted with consulting firms
• 12 vendors submitted 9 responses
• Three-phase process:
  • Assess ability to execute at our scale
  • Face-to-face presentations, Q&A
  • For two finalists: proof-of-concept, license terms, consulting pricing, references
Progress
• Aug 2004 – RFP issued
• Nov 2004 – First cut from 9 to 6
• Feb 2005 – Second cut to 2 finalists
• Mar 2005 – Proofs of concept
• Apr 2005 – Pricing models
• Aug 2005 – Negotiations begin
• Dec 2005 – Contract signed
Vendor
• Sun Microsystems
• Java Enterprise Suite pricing
• Fully-functional Web Access Management
• Market-leading identity management (Waveset)
• Closest match to unique SNAP functions, plus flexibility
• Four-year contract term

Implementation Plan
• Deploy Web SSO
• Replace SNAP
• Leverage IdM capabilities
• Leverage WAM capabilities

1. Deploy Web SSO
• Three demonstration systems
  • SNAP
  • Web e-mail (?)
  • TBD
• Would like a mix of Apache, IIS, and other Web servers
• Timeline: 8-10 weeks after hardware ready

2. Replace SNAP
• Replicate SNAP functions in a more easily maintained software environment
• Minimize visible changes for end users
• Certify NetID rules and lifecycle with the community
• Parallel operation and gradual migration
• Timeline: 12 months after hardware ready
  • December 2006 or June 2007

3. Leverage IdM Capabilities
• Use IdM workflows to grant access to services
• Grant access based upon roles
• Workflows and business rules can be based upon what permissions have already been granted to a NetID
• Provision user profiles within Oracle/PS applications
4. Leverage WAM Capabilities
• Web SSO improves security but aggregates risk: one NetID credential now opens every SSO-protected application, so we will need two-factor authentication
• Utilize coarse-grained access control (at the URL or application level, not within the application)
• WAM opens the way to federated authentication with other schools and with businesses
Timeline
* This timeline is for illustrative purposes only and should not be used in planning – please consult with an experienced professional. The views expressed are those of the author and not those of NUIT. No warranty expressed or implied. YMMV. All bets are off.

Post-Implementation Plan
• Two-factor authentication pilot with HRIS (Spring 2006)
• In Spring 2007, use IdM workflow for
  • access approval
  • user profile creation applications
• Coarse-grained access control based upon provisioned access (Spring 2007)
• Modify IdM behaviors based upon provisioned access (Spring 2007)
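The three ideas the IdM and WAM slides rely on (role-based grants, business rules that depend on what a NetID already holds, and a coarse-grained web check that consults provisioned access and demands a second factor for high-risk applications) fit in one small model. The code below is an added illustration, not Sun/Waveset code or anything from the NUIT project; the role names, entitlement names, URL prefixes and the prerequisite rule are constructed for the example.

```python
"""Toy IdM reconciliation plus WAM-style coarse-grained authorization.

Added example with constructed data: roles, entitlements, URL prefixes and the
prerequisite rule are hypothetical and only illustrate the slides' plan.
"""
from dataclasses import dataclass
from typing import Optional

# Role -> entitlements a NetID holding that role should be provisioned with.
ROLE_ENTITLEMENTS = {
    "staff": {"webmail", "portal"},
    "hr_staff": {"hris"},
    "hr_manager": {"hris", "hris_approver"},
}

# Business rule based on already-granted permissions: the key may only be
# granted once the NetID already holds the value (constructed rule).
PREREQUISITE = {"hris_approver": "hris"}


def desired_entitlements(roles):
    """Union of the entitlements implied by a NetID's roles."""
    wanted = set()
    for role in roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted


def reconcile(current, roles):
    """Return (grant, revoke) that moves `current` toward what `roles` imply.

    Prerequisite-gated entitlements are deferred until the prerequisite is
    actually held, so a new hr_manager receives 'hris' on one pass and
    'hris_approver' on the next. Anything no longer implied by a role is
    revoked, which is the lifecycle half of role-based provisioning.
    """
    wanted = desired_entitlements(roles)
    grant = set()
    for ent in wanted - current:
        prereq = PREREQUISITE.get(ent)
        if prereq is None or prereq in current:
            grant.add(ent)
    revoke = current - wanted
    return grant, revoke


@dataclass(frozen=True)
class Policy:
    prefix: str                      # URL prefix this policy protects
    entitlement: Optional[str]       # None means any authenticated NetID
    two_factor: bool = False         # require a second factor at this agent


# Coarse-grained policies keyed by URL prefix; longest matching prefix wins.
POLICIES = [
    Policy("/", None),
    Policy("/portal/", "portal"),
    Policy("/webmail/", "webmail"),
    Policy("/hris/", "hris", two_factor=True),
    Policy("/hris/approve/", "hris_approver", two_factor=True),
]


def authorize(path, netid, entitlements, factors):
    """WAM agent decision for one request.

    Returns 'login' (no session), 'deny' (missing provisioned entitlement),
    'step_up' (entitled but only `factors` authentication factors so far) or
    'allow'. Checking entitlement before factor count avoids prompting for a
    second factor on a request that would be denied anyway.
    """
    if netid is None:
        return "login"
    matches = [p for p in POLICIES if path.startswith(p.prefix)]
    if not matches:
        return "deny"
    policy = max(matches, key=lambda p: len(p.prefix))
    if policy.entitlement is not None and policy.entitlement not in entitlements:
        return "deny"
    if policy.two_factor and factors < 2:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    held = set()
    roles = {"staff", "hr_manager"}
    for _ in range(2):                      # two reconciliation passes
        grant, revoke = reconcile(held, roles)
        held = (held | grant) - revoke
        print("held after pass:", sorted(held))
    print(authorize("/hris/approve/42", "jdoe", held, 1))   # step_up
    print(authorize("/hris/approve/42", "jdoe", held, 2))   # allow
    grant, revoke = reconcile(held, {"staff"})              # lost hr_manager
    print("revoke:", sorted(revoke))
```

Two passes are needed before the approver entitlement appears because the prerequisite rule looks at what is held, not at what is about to be granted; that is the behaviour the slides describe when they say workflows can depend on permissions already granted to a NetID. Revoking everything a lost role implied is what keeps the aggregated-risk argument honest: the SSO credential only opens what the current roles justify.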