Pulse2014 1091
Transcript

  • 1. Oracle-to-IBM IAM Migration: BNSF Case Study. Chris Fields, VP – Security Strategy. © 2014 IBM Corporation
  • 2. Agenda
    • Who is BNSF
    • Who is PathMaker Group
    • BNSF Challenges with Oracle Sun IAM
    • Oracle to IBM IAM Migration Approach
    • Benefits of IBM IAM Solution
    • Next Steps
    • Questions
  • 3. Who is BNSF
  • 4. Who is BNSF
    • U.S. Railroad Company (Burlington Northern + Santa Fe)
      – 160 years in business
      – Combination of nearly 400 railroad companies
      – Serves Western two-thirds of U.S., portions of Canada & Mexico
  • 5. Who is PathMaker Group
  • 6. Who is PathMaker Group?
    • Specialized Security and IAM Integrator
      – IBM Premier Level partner
    • Nearly 20 years delivering IT projects
    • Strong project management expertise
    • Successful track record with long, complex engagements
    • Methodology-driven practices
  • 7. BNSF Challenges with Oracle IAM
  • 8. BNSF Oracle IAM Environment
    • Oracle Waveset Identity Manager
      – Early poster-child customer
      – Handles base provisioning to all core systems and apps
    • Oracle Sun Access Manager
      – Early poster-child customer
      – Handles Web SSO to 60+ apps
    • Oracle OpenSSO
      – Handles Federated SSO to 15 apps
    • Oracle Sun Directory Server
      – Enterprise LDAP
      – Provides authentication services to 100s of apps
    • Managed targets: Windows AD, RACF, SAP, LDAP, AIX (~100), Solaris Unix (~100), RedHat Linux (~400), Teradata, Natural, Office 365, IVR, Office Communicator
    • 50,000+ users, 1.5 Million+ accounts
  • 9. BNSF Challenges with Oracle IAM
    • Frozen Product Functionality
      – Esp. managed endpoint currency
    • Performance issues
      – Wait times accessing account data
      – HR feed processing times
    • Too Many Customizations
      – Lots of Java code
    • Missing Key IdM functions
      – Reconciling of account data
      – Role management
      – Segregation of duties
      – Privileged Identity Mgmt
  • 10. Oracle to IBM IAM Migration Approach
  • 11. Why BNSF Chose IBM
    • New Product was Unavoidable
      – Starting over either way
    • No “Magic Pill” to Migrate
    • Out of Box Capabilities
    • Focus on Current and Future Needs
    • Synergy with existing IBM products
    • IBM Support
  • 12. Oracle to IBM IAM Migration Approach – Phase 1. Step 1: Extract Oracle Objects into Current State Repository
    • 40+ IdM Object Types Analyzed
    • Start with Sun IAM frame of reference
    • Automated utility to extract data
    • Store data in central DB
    • OW Objects analyzed (Category / Type: Description; # of Analyzed Objects):
      – AttributeDefinition / AttributeDefinition: Definition of Sun IdM user identity attributes; 6
      – Authentication / LoginApp: Login applications define a collection of login module groups, which further define the set and order of login modules that will be used when a user logs in to Identity Manager. Each login application comprises one or more login module groups; 8
      – Authentication / Login Module Groups: The login module group list shows each login module group, the individual login modules that make up a login module group, and whether a login module group contains constraint rules; 5
      – Authentication / Login Configuration: Login Configuration defines parameters that are used if Sun IdM is to use the resource for pass-through authentication; 1
  • 13. Oracle to IBM IAM Migration Approach – Phase 1. Step 1: Extract Oracle Objects into Current State Repository; Step 2: Review Object Mapping & Counts
    • Automated, Semi-automated and Manual object migrations
    • Very few objects fit auto migration
    • Counts are key decision criteria
    • OW Objects to ISIM Objects mapping (Category / Type: Description → ISIM Object; Migration Approach; Migration Comments):
      – Policy / Account Policy: Account Policy establishes user, password, and authentication policy options and constraints (e.g. authentication questions, password expiration rules) → Identity Policy for Userid generation (in addition with some Global properties); Manual; Represent via Identity Policy
      – Policy / Password and Account ID Policy: Policies set length rules, character type rules, and allowed words and attribute values → Password Policy (could be Global or per Service); Manual; Use custom password rule. No dictionary functionality in place
      – Resource / Resource: Resource objects store information about how to connect to a resource or system on which accounts are provisioned → Service configuration; Semi-automated; Auto create basic service objects and information either directly in ITIM or in a staging area with manual augmentation before automating the creation in ITIM
      – Resource / ResourceAction: Resource actions are scripts that run within the context of a managed resource, if native support exists for scripted actions. For example, on a system with a UNIX operating system, actions are sequences of UNIX shell commands → PostExec script on the Adapter; Manual; Leverage scripts via ITIM AD Adapter Post-Exec actions with minor modifications if necessary
      – Role / Role: A role is a Sun IdM object that represents Identity Manager user types and allows resources to be grouped and assigned to users → Role (Dynamic and Static Role); N/A; Not being used other than the AppAdmin role
      – User / User: Sun IdM user object → Person Entity and the ITIM Account; Automated; Include auto decryption/registration of existing challenge questions and IdM password
  • 14. Oracle to IBM IAM Migration Approach – Phase 1. Step 1: Extract Oracle Objects into Current State Repository; Step 2: Review Object Mapping & Counts; Step 3: Build Req’s Summary & Review/Refine
    • Automated Req’s Definition
    • 120 Use Cases
    • Able to ignore 35% of existing configuration
    • Use case register excerpt (Use Case #: Use Case Name; Use Case Description; In Use (Y/N); Notes / ISIM Solutions):
      – UC-M1: Sun IdM Administrators manually bulk disable users accounts (User Interactive); Sun IdM Administrators manually bulk disable users' accounts. Whoever launches the action is able to select list of users and to-be-disabled resource accounts (or All resource accounts), also enter comments (and populate to AD, RACF). User could specify the target user list from a file by using Sun IdM OTB “Launch Bulk Action”. This Use Case is used for: 1. Bulk-process dormant AD user(s) or RACF user(s) clean-up 2. Daily bulk disable (f HR ll; In Use: Y; ISIM Solutions: For daily HR bulk disable process, will design an automatic workflow to replace the populating comment process. Comments will be automatically populated by ITIM workflow. For dormant RACF disable, will read the user list from a csv file; this option will be used for dormant RACF disable. No comment is required for dormant RACF disable. For dormant AD disable, will use “to-be-disabled” AD groups, design an ITIM kfl b lk di bl h b l
      – UC-M2: Sun IdM Administrators manually append user's Unix "comments" to the "comments" attribute of user's IdM account (User Interactive); Sun IdM Administrators manually append "comments" of user's Unix account to the "comments" attribute of user's IdM account; In Use: N; Notes: One time usage
  • 15. Oracle to IBM IAM Migration Approach – Phase 1. Step 1: Extract Oracle Objects into Current State Repository; Step 2: Review Object Mapping & Counts; Step 3: Build Req’s Summary & Review/Refine; Step 4: Document Gaps & Review
    • Detailed review of current functions to identify gaps
    • Opportunity to take advantage of new features
    • User interface gaps / differences were key
  • 16. Oracle to IBM IAM Migration Approach – Phase 1. Step 1: Extract Oracle Objects into Current State Repository; Step 2: Review Object Mapping & Counts; Step 3: Build Req’s Summary & Review/Refine; Step 4: Document Gaps & Review; Step 5: Finalize Conversion Rules & Approach
    • Req’s doc created
    • Review with key teams
    • Updates / revisions
    • Requirements document table of contents:
      – 1 Introduction: 1.1 Background; 1.2 Scope
      – 3 Functionality Requirements: 3.1 Summary of Functionality Requirements; 3.2 Backend Use Cases; 3.3 User Interactive Use Cases; 3.4 Self-Services Use Cases; 3.5 Future Use Cases; 3.6 Notification; 3.7 Audit; 3.8 Reports
      – 4 Integration Requirements: 4.1 User Feeds; 4.2 Connected Resources; 4.3 Indirect Resources
      – 5 Security Requirements: 5.1 IdM Administration; 5.2 Data Security; 5.3 IdM Authentication; 5.4 IdM Organization; 5.5 Account ID Policy; 5.6 Password Policies
  • 17. Oracle to IBM IAM Migration Approach – Phase 1. Step 1: Extract Oracle Objects into Current State Repository; Step 2: Review Object Mapping & Counts; Step 3: Build Req’s Summary & Review/Refine; Step 4: Document Gaps & Review; Step 5: Finalize Conversion Rules & Approach; Step 6: Conceptual Design & Implementation Estimate
    • Design Approach concrete
    • Implementation estimate created
    • Customer teams impacted & resource requirements
    • Design document table of contents:
      – 1 Introduction: 1.1 Background; 1.2 Scope
      – 2 Guiding Principles: 2.1 Conceptual Design Sign Off; 2.2 Minimize Customizations; 2.3 Minimize Risk
      – 3 ITIM System Architecture Overview: 3.1 ITIM System Architecture Overview Diagram Production and Trial; 3.2 ITIM System Architecture Overview Diagram Development; 3.3 Production Environment; 3.4 Trial Environment; 3.5 Development Environment; 3.6 SSL / Certificates
      – 4 ITIM Platform Requirements: 4.1 ITIM Minimum Server Hardware Specifications; 4.2 High Availability
      – 6 Requirements Use Case Mapping: 6.1 Overview; 6.2 Backend Use Cases; 6.1 User Interactive Use Cases; 6.2 Self-Services Use Cases; 6.3 Future Use Cases
      – 7 Organization Tree: 7.1 Containers
      – 8 Roles: 8.1 Person Dynamic Roles; 8.2 Static Roles; 8.3 Role Owners
  • 18. Oracle to IBM IAM Migration Approach – Phase 2. Step 7: Detailed Design; Step 8: Configuration / Development; Step 9: Test Planning & Execution; Step 10: Cutover Planning & Migration; Step 11: Post-Migration Support
    • Transition to Typical IAM Implementation
    • Detailed Testing is a Must
      – Ability to validate results in parallel (side by side)
    • Big Bang vs. Mixed Rollout Strategy
      – Temporary interfaces can be costly
      – Back-out strategy is key consideration
    • Cutover Planning & Coordination is Critical
      – Early infrastructure integration in upper environments is key
  • 19. Benefits of IBM Solution
  • 20. Benefits of IBM Solution
    • Move towards out of box configuration vs. customizations
    • More robust adapter integration
    • Better performance (esp. SSO)
    • Integrated role management and compliance
    • Better admin UI experience
    • Easy Mapping of Product Components (Oracle Product → IBM Product):
      – Oracle Waveset Identity Manager → IBM Security Identity Manager
      – Oracle Sun Access Manager → IBM Security Access Manager for Web
      – Oracle OpenSSO → IBM Federated Identity Manager
      – Oracle Sun Directory Server → IBM Security Directory Server
      – Oracle Virtual Directory Server → IBM Security Directory Integrator
  • 21. Next Steps for BNSF
  • 22. Next Steps – It’s a Jungle out There!
    • Extend integrations with existing targets
    • Leverage new IAM platform capabilities
    • Expand SSO capabilities to mobile platforms
    • Roadmap: IBM IAM Migration → Enterprise Roles & Recert Pilot → Privileged Identity Mgmt → Enterprise Roles & Recert P2 → Mobile SSO
  • 23. Questions? Chris Fields, VP – Security Strategy, chris.fields@pathmaker-group.com, 817-704-3644 x110 (Office), 972-523-8620 (Cell)