Identity and Access Management in a Highly Distributed and Dynamic Global Enterprise

Description: IBM Tivoli Identity Manager (ITIM) Web Services is a J2EE application that can be co-located on ITIM's WebSphere server to provide access to most of the end-user (self-service) ITIM API through a standard web services interface. It can be used by customers who need to communicate with ITIM from an external application or a custom user interface (UI) application. The package exposes the ITIM end-user API through a web services interface and includes an Eclipse-based reference UI, shipped with source code in the ITIM 5 archive files, to illustrate how developers can use the web services interface to build their own custom UI.

    1. Identity and Access Management in a Highly Distributed and Dynamic Global Enterprise
       Shannon Tompkins, MBA, CISSP, Manager, Global Identity and Access Management, Yum! Brands, Inc.
       Dan Fitzgerald, VP, Sales and Marketing, intiGrow
    2. Who is Yum! Brands, Inc.?
       • World’s largest restaurant company in terms of the number of restaurant systems
       • 37,000 restaurants in 110 countries
       • 1,000,000 associates
       • $11 billion in revenue in 2009
       • Mix of both equity restaurant systems and franchise restaurant systems
       • Primary brands: A&W, KFC, Long John Silver’s, Pizza Hut, Taco Bell
       • Three operating segments: U.S., Yum Restaurants International, China Division
       • Leader in international retail development
       • In 2009 Yum opened more than four restaurants per day internationally
       • On average, China alone opens one new restaurant per day
       IBM Pulse11: Feb. 28, 2011
    3. Who is intiGrow?
       • Premier IBM Business Partner
       • Focused on IAM
       • Operating in the USA and India
       • Providing service in South America and Australia
       • Became part of the Yum! Brands IAM team when IAM expansion took off; has continued to provide services since 2007
    4. Agenda
       • Yum’s IAM Journey
       • Current Global IAM Drivers
       • Meeting the Challenges
       • Successes
       • Lessons Learned
       • Q&A
    5. Yum’s IAM Journey (timeline)
       • Before IAM (2005): Corporate: standard and unique Active Directory UIDs; Restaurants: no individual restaurant identities; Administration: manual administration
       • Early U.S. IAM (2005-2007): Early IAM research: role-based access control research to gain administrative efficiencies; IAM business case developed: Web-based benefits enrollment enabled for equity-based corporate and restaurant employees
       • U.S. > Global IAM (2007-present): Provisioning: now automatically maintain 400k+ accounts (and growing) around the globe for corporate, restaurant, and franchisee identities; Access: controlled Internet access to Web apps; Passwords: SSO, password synch, and self-service functions
    6. Yum’s IAM Journey: Before IAM (2005)
       • All corporate equity employees around the globe received an Active Directory (AD) account and Exchange mailbox
       • Five separate AD domains
       • Global AD account naming convention and naming uniqueness ensured via manual account requests and a centralized ID generator application
       • AD integrations for some enterprise applications
       • No individual restaurant accounts; role-based shared accounts only for in-restaurant point-of-sale and back-of-house applications
       Timeline labels: Corporate: standard and unique Active Directory UIDs; Restaurants: no individual restaurant identities; Administration: manual administration
    7. Yum’s IAM Journey: Early U.S. IAM (2005-2007)
       • IAM was being researched for possible role-based access control (RBAC) benefits when a business case suddenly developed
       • IT told the U.S. business that it would provide Web-based benefits enrollment
       • Suddenly ALL U.S. equity restaurant employees required an optional centralized account
       Timeline labels: Early IAM research: role-based access control research to gain administrative efficiencies; IAM business case developed: Web-based benefits enrollment enabled for equity-based corporate and restaurant employees; Corporate: standard and unique Active Directory UIDs; Restaurants: no individual restaurant identities; Administration: manual administration
    8. Yum’s IAM Journey: U.S. > Global IAM (2007-present)
       • Provide Internet access to key internal Portal and other Web applications via Tivoli WebSEAL and IBM Tivoli Access Manager (ITAM)
       • Migrated from multi-domain AD to ITAM LDAP as the enterprise application directory, which increased the scope and criticality of user provisioning
       • User provisioning and password synchronization to third-party hosted Software as a Service (SaaS) Web applications
       • Provision equity and franchisee restaurant crew employee accounts around the globe for access to key, strategic, global applications
       Timeline labels: Provisioning: now automatically maintain 400k+ accounts (and growing) around the globe for corporate, restaurant, and franchisee identities; Access: controlled Internet access to Web apps; Self Service: SSO, password synch, and self-service functions
    9. How Did IAM Become Global at Yum?
       • Key global Web applications became strategic Yum global initiatives across brands (e.g., learning management, hiring management)
       • For the first time, restaurant crew-level associates around the globe required individual identity credentials to access global and brand-based applications
    10. The Business Challenges
       • Technology to the restaurants
       • Strategic global Web applications
       • Brand-based Web applications
       • Outsource application hosting
       • Provide rapid and accurate access to resources
       • Reduce costs
    11. The Operational Challenges
       • Dynamic staffing environments
       • Thousands of restaurants around the globe
       • Average ~30-40 associates per restaurant
       • High restaurant employee turnover
       • High franchise-to-equity ownership ratios
       • Outsourced application hosting models
    12. How Does IAM Meet the Challenges?
       • Automates the creation, modification, and deletion of widely distributed equity and franchisee account data
       • Enables global access to applications
       • Provides one user account and one password per equity and franchise associate
       • Enables password synch, password self-service, and (new) single sign-on services
    13. How Do We Do It?
       Ha – one of our team whiteboard talks on the “New Hire” process
    14. How Do We Do It? ITIM provisions to managed endpoints by policy (diagram)
       Diagram labels: ITIM; ITIM LDAP; AD; ITAM LDAP; Voice Mail; Email; Collab App; Attribute Data; Market LDAPs; App LDAPs; Learning App; Hiring App
       Legend: internally hosted; externally hosted
    15. How Do We Do It? Provisioning inputs (diagram)
       Diagram labels: Batch Feeds; Custom throttling applications; Performance considerations; Equity HR App Data; Restaurant Inventory App; Franchisee Batch Uploads; SFTP Server; ITIM; UP Web Services; TDIs; Real-Time 24/7/365; Various Apply for Access Apps; BOH Real-Time Processing; International ITIM
       Legend: internally hosted; externally hosted; internal collection
    16. How Do We Do It? Web Services – The Glue That Binds
       • In our early stages of IAM, we provisioned only equity-based user accounts for access to brand-based Portal applications
       • Our HR system was our authoritative source for equity-based corporate and restaurant employee information
       • With the growth of features, function and popularity of our brand-based Portal applications, we suddenly needed a way to grant access to franchisee employees
       • We had no authoritative source for franchisee employee information
       • Java-based Web Services enabled franchisees to submit their data to us through apply-for-access Web applications, batch data feeds, and in-restaurant HR application integrations
    17. How Do We Do It? Web Services – The Glue That Binds
       • Today, with the growth of Web Services correlating directly with the growth of IAM, custom-built Web Services play a crucial role in our global provisioning environment:
         • Creates and tracks a behind-the-scenes “Global Person Number” (GPN) for every individual to follow them indefinitely through rehires and across organizations (separate from their transient logon IDs)
         • Transfers attribute data to attribute data stores
         • Enables password synch and self-service operations
         • Provides over-the-Internet authentication services for third-party hosted Web applications
         • (New) Enables near real-time provisioning services from restaurants to third-party Web Applications
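An illustrative model of the provisioning pipeline these slides describe (the automated add/modify/delete of slide 12, the feed inputs of slide 15, and the stable GPN of slide 17), added here as an example and not Yum! Brands or intiGrow code. The record fields, the name-plus-date-of-birth correlation key and the org-prefixed logon-ID format are assumptions for the example; a full feed is treated as authoritative for its organization, so people missing from it are deprovisioned while their GPN is kept for a later rehire.

```python
from dataclasses import dataclass, field

@dataclass
class Person:
    gpn: int          # stable Global Person Number, never reused or reissued
    logon_id: str     # transient, org-specific logon (replaced on rehire/transfer)
    org: str
    active: bool = True
    attrs: dict = field(default_factory=dict)

class IdentityStore:
    """Correlates feed records to a GPN and derives provisioning actions."""
    def __init__(self):
        self.people = {}   # gpn -> Person
        self.by_key = {}   # correlation key -> gpn
        self.next_gpn = 1000

    def correlate(self, rec):
        # Assumed correlation key: normalized name + date of birth. A real
        # deployment would use whatever the HR and franchisee feeds agree on.
        key = (rec["last"].lower(), rec["first"].lower(), rec["dob"])
        if key not in self.by_key:
            self.by_key[key] = self.next_gpn
            self.next_gpn += 1
        return self.by_key[key]

    def apply_feed(self, org, records):
        """Reconcile one organization's full feed (constructed input) and
        return the (action, gpn, logon_id) tuples a provisioning engine
        would execute against the managed endpoints."""
        actions, seen = [], set()
        for rec in records:
            gpn = self.correlate(rec)
            seen.add(gpn)
            p = self.people.get(gpn)
            logon = f"{org}{rec['emp_id']}"          # assumed logon-ID format
            if p is None or not p.active:            # new hire or rehire
                self.people[gpn] = Person(gpn, logon, org, True, dict(rec))
                actions.append(("add", gpn, logon))
            elif p.org != org:                       # moved across organizations
                p.org, p.logon_id, p.attrs = org, logon, dict(rec)
                actions.append(("transfer", gpn, logon))
            elif p.attrs != rec:                     # attribute change only
                p.attrs = dict(rec)
                actions.append(("modify", gpn, p.logon_id))
        for p in self.people.values():
            if p.org == org and p.active and p.gpn not in seen:
                p.active = False                     # GPN retained for future rehire
                actions.append(("delete", p.gpn, p.logon_id))
        return actions
```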
    18. How Do We Do It?
       Ha – another one of our team whiteboard talks on the Web Services process
    19. How Do We Do It? Password synchronizations (diagram)
       Diagram labels: AD; ITAM; Self-Service App; ITIM; Web Services; International ITIM; Learning App
       Legend: internally hosted; externally hosted; internal collection
    20. How Do We Do It? Password self-service (diagram)
       Diagram labels: Learning App; Hiring App; Links to Web App; Web App with Forgot Password and Challenge Response Questions; Self Service Web App; Self-Service WS; ITIM WS Wrappers; ITIM
       Legend: internally hosted; externally hosted; internal collection
    21. How Do We Do It? Access management
       • All ITIM accounts have corresponding ITAM accounts
       • WebSEAL/ITAM provides access to internal resources via junctions
       • Authentication required
       • Authorization to follow junctions occurs via ITAM policies per membership in designated ITAM LDAP groups
       • Decentralized WebSEAL/ITAM deployment and support strategy
    22. Yum’s IAM Successes
       • IAM has enabled automatic user account provisioning, password synchronization, and password self-care operations for hundreds of thousands of clients around the globe, providing 24/7/365 access to key, strategic, global applications
       • Very high IAM utilization levels
       • Current monthly average metrics:
         • 27,467 user accounts added
         • 75,204 user accounts modified
         • 16,575 user accounts deleted
       • Lean and efficient FTE staffing model to support the IAM environment, with staff augmentation support as needed
    23. Lessons Learned
       • Very low downtime tolerance:
         • Our IAM processes support core global, strategic initiatives 24/7/365
         • Scheduling downtime maintenance windows has become very challenging
         • We overlooked early opportunities to lock in routine maintenance windows. Now we’re reviewing options to increase resiliency even further to lessen our already low downtime occurrences.
       • Provisioning:
         • Automated provisioning is very logical. To succeed, business partners must be involved in workflow designs.
         • Batch provisioning eventually takes too long for the business. Real-time / near real-time provisioning becomes required.
       • Password self-service:
         • Password self-service operations are heavily utilized. Helpdesk calls are substantially reduced.
         • But once it’s in place, password self-service must always work. It quickly builds organizational and operational dependencies.
       • Password synch, SSO, etc.:
         • Regardless of possible assumptions or directions from project leads to the contrary, every new provisioning project to a third-party hosted application will likely and eventually require a single sign-on, password synch, LDAP integration, or similar service.
         • Tolerance within the organization for multiple passwords per logon account is becoming increasingly low.
    24. Closing Comments
    25. Questions