Identity and Access Management in a Highly Distributed and Dynamic Global Enterprise
  • Description: IBM Tivoli Identity Manager (ITIM) Web Services is a J2EE application that can be co-located on ITIM's WebSphere server to expose most of the end-user (self-service) ITIM API through a standard web services interface. It is intended for customers who need to communicate with ITIM from an external application or a custom user interface (UI). A reference application with source code (an Eclipse-based reference UI) is included with the ITIM 5 archive files to illustrate how developers can use the web services API to build their own custom UI.

Presentation Transcript

  • Identity and Access Management in a Highly Distributed and Dynamic Global Enterprise
    Shannon Tompkins, MBA, CISSP
    Manager, Global Identity and Access Management
    Yum! Brands, Inc.
    Dan Fitzgerald
    VP, Sales and Marketing
    intiGrow
  • Who is Yum! Brands, Inc.?
    World’s largest restaurant company in terms of the number of restaurant systems
    37,000 restaurants in 110 countries
    1,000,000 associates
    $11 billion in revenue in 2009
    Mix of both equity restaurant systems and franchise restaurant systems
    Primary brands: A&W, KFC, Long John Silver’s, Pizza Hut, Taco Bell
    Three operating segments: U.S., Yum Restaurants International, China Division
    Leader in international retail development
    In 2009 Yum opened more than four restaurants per day internationally
    On average, China alone opens one new restaurant per day
    IBM Pulse11: Feb. 28, 2011
  • Who is intiGrow?
    Premier IBM Business Partner
    Focused on IAM
    Operating in the USA and India
    Providing service in South America and Australia
    Became part of the Yum! Brands IAM team when the IAM expansion took off, and has continued to provide services since 2007
  • Agenda
    Yum’s IAM Journey
    Current Global IAM Drivers
    Meeting the Challenges
    Successes
    Lessons Learned
    Q&A
  • Yum’s IAM Journey
    Before IAM (2005)
    • Corporate: Standard and unique Active Directory UIDs
    • Restaurants: No individual restaurant identities
    • Administration: Manual administration
    Early U.S. IAM (2005 – 2007)
    • Early IAM Research: Role based access control research to gain administrative efficiencies
    • IAM Business Case Developed: Web-based benefits enrollment enabled for equity-based corporate and restaurant employees
    U.S. > Global IAM (2007 – Present)
    • Provisioning: Now automatically maintain 400k+ accounts (and growing) around the globe for corporate, restaurant, and franchisee identities
    • Access: Controlled Internet access to Web apps
    • Passwords: SSO, password synch, and self-service functions
  • Yum’s IAM Journey: Before IAM (2005)
    • All corporate equity employees around the globe received an Active Directory (AD) account and Exchange mailbox
    • Five separate AD domains
    • Global AD account naming convention and naming uniqueness ensured via manual account requests and a centralized ID generator application
    • AD integrations for some enterprise applications
    • No individual restaurant accounts; role-based shared accounts only for in-restaurant point of sale and back of house applications
  • Yum’s IAM Journey: Early U.S. IAM (2005 – 2007)
    • IAM was being researched for possible role based access control (RBAC) benefits when a business case suddenly developed
    • IT told the U.S. business that it would provide Web-based benefits enrollment
    • Suddenly ALL U.S. equity restaurant employees required an optional centralized account
  • Yum’s IAM Journey: U.S. > Global IAM (2007 – Present)
    • Provide Internet access to key internal Portal and other Web applications via Tivoli WebSEAL and IBM Tivoli Access Manager (ITAM)
    • Migrated from multi-domain AD to ITAM LDAP as the enterprise application directory, which increased the scope and criticality of user provisioning
    • User provisioning and password synchronization to third-party hosted Software as a Service (SaaS) Web applications
    • Provision equity and franchisee restaurant crew employee accounts around the globe for access to key, strategic, global applications
  • How Did IAM Become Global At Yum?
    Key global Web applications became strategic Yum global initiatives across brands (e.g., learning management, hiring management)
    For the first time, restaurant crew-level associates around the globe required individual identity credentials to access global and brand-based applications
  • The Business Challenges
    Technology to the restaurants
    Strategic global Web applications
    Brand-based Web applications
    Outsourced application hosting
    Provide rapid and accurate access to resources
    Reduce costs
  • The Operational Challenges
    Dynamic staffing environments
    Thousands of restaurants around the globe
    Average ~30–40 associates per restaurant
    High restaurant employee turnover
    High franchise-to-equity ownership ratios
    Outsourced application hosting models
  • How Does IAM Meet the Challenges?
    • Automates the creation, modification, and deletion of widely distributed equity and franchisee account data
    • Enables global access to applications
    • Provides one user account and one password per equity and franchise associate
    • Enables password synch, password self-service, and (new) single sign-on services
  • How Do We Do It?
    [Whiteboard photo] Ha – one of our team whiteboard talks on the “New Hire” process
  • How Do We Do It?
    [Diagram] ITIM Provisions to Managed Endpoints by Policy
    ITIM (backed by the ITIM LDAP) provisions to the managed endpoints shown: AD, ITAM LDAP, Voice Mail, Email, Collab App, Attribute Data, Market LDAPs, App LDAPs, Learning App, Hiring App
    Legend: internally hosted vs. externally hosted endpoints
  • How Do We Do It?
    [Diagram] Provisioning Inputs
    Batch feeds: Equity HR App Data, Restaurant Inventory App, Franchisee Batch Uploads (via SFTP Server), loaded through TDIs (Tivoli Directory Integrator); custom throttling applications and performance considerations apply
    Real-time 24/7/365: Various Apply for Access Apps and BOH (back of house) Real-Time Processing, via UP Web Services
    Targets: ITIM, International ITIM
    Legend: internally hosted / externally hosted / internal collection
  • How Do We Do It? Web Services – The Glue That Binds
    • In our early stages of IAM, we provisioned only equity-based user accounts for access to brand-based Portal applications
    • Our HR system was our authoritative source for equity-based corporate and restaurant employee information
    • With the growth of features, functions, and popularity of our brand-based Portal applications, we suddenly needed a way to grant access to franchisee employees
    • We had no authoritative source for franchisee employee information
    • Java-based Web Services enabled franchisees to submit their data to us through apply-for-access Web applications, batch data feeds, and in-restaurant HR application integrations
  • How Do We Do It? Web Services – The Glue That Binds
    • Today, with the growth of Web Services correlating directly with the growth of IAM, custom-built Web Services play a crucial role in our global provisioning environment
    • Creates and tracks a behind-the-scenes “Global Person Number” (GPN) for every individual to follow them indefinitely through rehires and across organizations (separate from their transient logon IDs)
    • Transfers attribute data to attribute data stores
    • Enables password synch and self-service operations
    • Provides over-the-Internet authentication services for third-party hosted Web applications
    • (New) Enables near real-time provisioning services from restaurants to third-party Web Applications
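The Global Person Number on the slide above, together with the create/modify/delete automation from the "How Does IAM Meet the Challenges?" slide, is at heart a reconciliation problem: every incoming record (HR feed, franchisee upload, back-of-house integration) must be matched to a person who may already exist under another organization or under a logon ID that has since been released. The block below is an added illustration and is not code from the presentation or from Yum!/intiGrow; the correlation rule (surname, given name, date of birth, national ID), the GPN and logon-ID formats, the policy of never recycling a released logon ID, and the sample feed records are all constructed assumptions.

```python
"""Added example (not Yum!/intiGrow code): reconcile identity-feed snapshots
against an identity store while keeping a persistent Global Person Number."""
from __future__ import annotations
import hashlib
import re
import unicodedata
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Person:
    gpn: str                   # persistent Global Person Number, never reassigned
    logon_id: Optional[str]    # transient; released on delete, a new one issued on rehire
    org: str                   # owning organization (equity market or franchisee)
    active: bool
    attrs: dict = field(default_factory=dict)


def _norm(value: str) -> str:
    """Fold accents, case, spacing and punctuation so 'Núñez' matches 'Nunez'."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def match_key(rec: dict) -> str:
    """Org-independent correlation key (assumed rule): the person is identified
    by surname + given name + date of birth + national ID, hashed so the raw
    national ID is never stored alongside the key."""
    raw = "|".join(_norm(rec[k]) for k in ("last", "first", "dob", "national_id"))
    return hashlib.sha256(raw.encode()).hexdigest()


class IdentityStore:
    def __init__(self) -> None:
        self.people: dict[str, Person] = {}     # gpn -> Person
        self.keys: dict[str, str] = {}          # match key -> gpn
        self.logon_ids: set[str] = set()        # every logon ID ever issued
        self._seq = 0

    def new_gpn(self) -> str:
        self._seq += 1
        return f"GPN{self._seq:08d}"

    def new_logon_id(self, rec: dict) -> str:
        """Centralized ID generator: initial + surname, numeric suffix for
        uniqueness. Released IDs stay reserved so a rehire never inherits
        whatever a previous holder of that name was entitled to."""
        base = (_norm(rec["first"])[:1] + _norm(rec["last"]))[:8] or "user"
        candidate, n = base, 1
        while candidate in self.logon_ids:
            n += 1
            candidate = f"{base}{n}"
        self.logon_ids.add(candidate)
        return candidate


def reconcile(store: IdentityStore, org: str, feed: list[dict]) -> list[tuple[str, str]]:
    """Apply one full snapshot of `org`'s people. Returns (operation, gpn) pairs:
    add (new person), rehire (known GPN reactivated, possibly from another org),
    modify (attributes or org changed), delete (this org's person missing from feed)."""
    ops: list[tuple[str, str]] = []
    seen: set[str] = set()
    for rec in feed:
        key = match_key(rec)
        attrs = {k: rec[k] for k in ("first", "last", "store")}
        gpn = store.keys.get(key)
        if gpn is None:
            gpn = store.new_gpn()
            store.keys[key] = gpn
            store.people[gpn] = Person(gpn, store.new_logon_id(rec), org, True, attrs)
            ops.append(("add", gpn))
        else:
            person = store.people[gpn]
            if not person.active:
                person.active, person.org, person.attrs = True, org, attrs
                person.logon_id = store.new_logon_id(rec)
                ops.append(("rehire", gpn))
            elif person.attrs != attrs or person.org != org:
                person.attrs, person.org = attrs, org
                ops.append(("modify", gpn))
        seen.add(gpn)
    # Anyone this org owned who is absent from its snapshot is deprovisioned.
    for person in store.people.values():
        if person.active and person.org == org and person.gpn not in seen:
            person.active, person.logon_id = False, None
            ops.append(("delete", person.gpn))
    return ops


# Constructed sample feeds: a store transfer, a termination, and a rehire by a
# different franchisee whose system strips accents from names.
FEED_DAY1 = [
    {"first": "Jane", "last": "Smith", "dob": "1990-04-02", "national_id": "111-22-3333", "store": "KFC-0421"},
    {"first": "José", "last": "Núñez", "dob": "1988-11-30", "national_id": "444-55-6666", "store": "KFC-0421"},
]
FEED_DAY2 = [{"first": "Jane", "last": "Smith", "dob": "1990-04-02", "national_id": "111-22-3333", "store": "KFC-0877"}]
FEED_DAY3 = [{"first": "Jose", "last": "Nunez", "dob": "1988-11-30", "national_id": "444-55-6666", "store": "PH-0032"}]


def demo() -> tuple[list, list, list, IdentityStore]:
    store = IdentityStore()
    day1 = reconcile(store, "franchisee-A", FEED_DAY1)
    day2 = reconcile(store, "franchisee-A", FEED_DAY2)
    day3 = reconcile(store, "franchisee-B", FEED_DAY3)
    return day1, day2, day3, store
```

In the sample run José is deleted on day 2 and rehired by another franchisee on day 3 under the same GPN but a fresh logon ID (`jnunez2`), because `jnunez` stays reserved. A real feed loader would also need to guard against a truncated or empty snapshot, which under this full-snapshot logic would otherwise deprovision an entire organization.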
  • How Do We Do It?
    [Whiteboard photo] Ha – another one of our team whiteboard talks on the Web Services process
  • How Do We Do It?
    [Diagram] Password Synchronizations
    Components shown: AD, ITAM, Self-Service App, ITIM, Web Services, International ITIM, Learning App
    Legend: internally hosted / externally hosted / internal collection
  • How Do We Do It?
    [Diagram] Password Self-Service
    Self-Service Web App (Forgot Password with Challenge Response Questions), reached via links from the Learning App and Hiring App
    The Self-Service Web App calls Self-Service Web Services, which wrap the ITIM Web Services in front of ITIM
    Legend: internally hosted / externally hosted / internal collection
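The slide above places forgot-password with challenge-response questions in the self-service path, but says nothing about how the answers are stored or checked; since those answers become a second credential for every account, that step deserves the same care as a password. The block below is an added example and not the presenters' implementation; the normalization rule, PBKDF2 iteration count, the 2-of-3 policy, the three-strike lockout, and the sample questions are assumptions.

```python
"""Added example (not Yum!/intiGrow code): hardened storage and checking of
challenge-response answers for a forgot-password self-service flow."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed tuning value
REQUIRED_CORRECT = 2          # assumed policy: 2 of the enrolled answers must match
MAX_FAILURES = 3              # assumed policy: lock self-service after 3 failed rounds


def normalize_answer(answer: str) -> str:
    """Fold case, accents, spacing and punctuation so "St. Mary's" == "st marys"."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 over the normalized answer. Answers are low-entropy secrets
    (pet names, towns) and must never be stored or compared in clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Enrollment:
    answers: dict[str, tuple[bytes, bytes]]   # question id -> (salt, digest)
    failures: int = 0
    locked: bool = False


def enroll(question_answers: dict[str, str]) -> Enrollment:
    if len(question_answers) < 3:
        raise ValueError("enroll at least three questions")
    for answer in question_answers.values():
        if len(normalize_answer(answer)) < 3:
            raise ValueError("answer too short to be useful")
    return Enrollment({q: hash_answer(a) for q, a in question_answers.items()})


def verify(enrollment: Enrollment, given: dict[str, str]) -> Optional[str]:
    """Check the supplied answers. Returns a single-use reset token on success,
    None otherwise. Every enrolled question is hashed and compared regardless of
    earlier results, so timing does not reveal which individual answers matched."""
    if enrollment.locked:
        return None
    correct = 0
    for qid, (salt, digest) in enrollment.answers.items():
        _, candidate = hash_answer(given.get(qid, ""), salt)
        if hmac.compare_digest(candidate, digest):
            correct += 1
    if correct >= REQUIRED_CORRECT:
        enrollment.failures = 0
        return secrets.token_urlsafe(32)   # bind to the user and expire it server-side
    enrollment.failures += 1
    if enrollment.failures >= MAX_FAILURES:
        enrollment.locked = True           # further resets go through the helpdesk
    return None


# Constructed sample enrollment and attempts
def demo() -> tuple[bool, bool, bool, bool]:
    enr = enroll({"q1": "St. Mary's", "q2": "Louisville", "q3": "Buddy"})
    two_right = verify(enr, {"q1": "st marys", "q2": "LOUISVILLE", "q3": "rex"}) is not None
    one_right = verify(enr, {"q1": "st marys", "q2": "lexington", "q3": "rex"}) is not None
    verify(enr, {"q1": "", "q2": "", "q3": ""})
    verify(enr, {"q1": "", "q2": "", "q3": ""})
    locked = enr.locked
    after_lock = verify(enr, {"q1": "St. Mary's", "q2": "Louisville", "q3": "Buddy"}) is not None
    return two_right, one_right, locked, after_lock
```

The lockout counter belongs in the account record, not the web session, or an attacker simply starts a new session; and the reset token returned on success should be consumed exactly once by the password-change call behind the ITIM Web Services wrapper.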
  • How Do We Do It? Access Management
    All ITIM accounts have corresponding ITAM accounts
    WebSEAL/ITAM provides access to internal resources via junctions
    Authentication required
    Authorization to follow junctions occurs via ITAM policies per membership in designated ITAM LDAP groups
    Decentralized WebSEAL/ITAM deployment and support strategy
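The access model on the slide above (authenticate at WebSEAL, then follow a junction only if ITAM policy grants it to one of your ITAM LDAP groups) can be illustrated as a protected object space in which an ACL attached to a node is inherited by everything beneath it. The block below is an added, deliberately simplified model; it is not the product's code, not the presenters' configuration, and the paths, permission letters, and group names are constructed. It also shows the check a practitioner would insist on in front of any such policy walk: canonicalize the path first, or a `..` segment lets a request inherit the ACL of a sibling junction.

```python
"""Added example (not Yum!/intiGrow code): junction authorization by ACL
inheritance and group membership, loosely modelled on the ITAM/WebSEAL
protected-object-space idea. ACLs, paths and group names are constructed."""
from __future__ import annotations
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    path: str                                 # WebSEAL-side path of the junctioned resource
    user: Optional[str]                       # None = not yet authenticated
    groups: frozenset[str] = frozenset()      # ITAM LDAP group memberships


# Constructed protected object space. An ACL is attached at a few nodes; every
# other node inherits the nearest ancestor's ACL. Values are permission strings:
# 'T' = may traverse through this node, 'r' = may read the resource.
ACLS: dict[str, dict[str, str]] = {
    "/WebSEAL": {"unauthenticated": "T", "any-authenticated": "T"},
    "/WebSEAL/public": {"unauthenticated": "Tr", "any-authenticated": "Tr"},
    "/WebSEAL/portal": {"unauthenticated": "", "any-authenticated": "Tr"},
    "/WebSEAL/portal/hr": {"any-authenticated": "T", "hr-users": "Tr"},
    "/WebSEAL/portal/hr/admin": {"any-authenticated": "", "hr-admins": "Tr"},
}


def canonical(path: str) -> Optional[str]:
    """Resolve '.', '..' and '//' before any ACL lookup; a path that escapes the
    object space is rejected outright rather than evaluated."""
    resolved = posixpath.normpath(path)
    if resolved == "/WebSEAL" or resolved.startswith("/WebSEAL/"):
        return resolved
    return None


def effective_acl(node: str) -> dict[str, str]:
    """Walk up to the nearest ancestor with an attached ACL."""
    while node:
        if node in ACLS:
            return ACLS[node]
        node = node.rsplit("/", 1)[0]
    return {}   # nothing attached anywhere: deny by default


def permissions(acl: dict[str, str], req: Request) -> set[str]:
    if req.user is None:
        return set(acl.get("unauthenticated", ""))
    granted = set(acl.get("any-authenticated", ""))
    for group in req.groups:
        granted |= set(acl.get(group, ""))
    return granted


def authorize(req: Request) -> str:
    """Return 'allow', 'authn-required' (send to login) or 'forbidden'."""
    path = canonical(req.path)
    if path is None:
        return "forbidden"
    parts = path.strip("/").split("/")
    nodes = ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    denied = "authn-required" if req.user is None else "forbidden"
    for ancestor in nodes[:-1]:              # must be allowed to traverse every ancestor
        if "T" not in permissions(effective_acl(ancestor), req):
            return denied
    if "r" not in permissions(effective_acl(nodes[-1]), req):
        return denied
    return "allow"
```

With this object space a crew member can reach the portal home page but only traverse, not read, the HR junction; an HR user cannot traverse into `/WebSEAL/portal/hr/admin`; and `/WebSEAL/public/../portal/hr/admin/audit` is evaluated as the admin path it really is, not as something under the public junction.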
  • Yum’s IAM Successes
    IAM has enabled automatic user account provisioning, password synchronization, and password self-care operations for hundreds of thousands of clients around the globe, providing 24/7/365 access to key, strategic, global applications
    Very high IAM utilization levels
    Current monthly average metrics:
    27,467 user accounts added
    75,204 user accounts modified
    16,575 user accounts deleted
    Lean and efficient FTE staffing model to support the IAM environment, with staff augmentation support as needed
  • Lessons Learned
    Very low downtime tolerance:
    Our IAM processes support core global, strategic initiatives 24/7/365
    Scheduling downtime maintenance windows has become very challenging
    We overlooked early opportunities to lock in routine maintenance windows. Now we’re reviewing options to increase resiliency even further to lessen our already low downtime occurrences.
    Provisioning:
    Automated provisioning is very logical. To succeed, business partners must be involved in workflow designs.
    Batch provisioning eventually takes too long for the business. Real-time / near real-time provisioning becomes required.
    Password Self-Service:
    Password self-service operations are heavily utilized. Helpdesk calls are substantially reduced.
    But once it’s in place, password self-service must always work. It quickly builds organizational and operational dependencies.
    Password Synch, SSO, Etc.:
    Regardless of possible assumptions or directions from project leads to the contrary, every new provisioning project to a third-party hosted application will likely and eventually require a single sign-on, password synch, LDAP integration, or similar service.
    Tolerance within the organization for multiple passwords per logon account is steadily decreasing.
  • Closing Comments
  • Questions