IAM Methods 2.0 Presentation Michael Nielsen Deloitte

Deloitte gave their view on an approach for successful identity and access management governance projects together with IBM Security Systems and CrossIdeas, an IBM company.


  1. Approaching an Identity & Access Governance Project. IAM Methods 2.0. November 6th, 2014
  2. The hidden agenda (Copyright © 2014 Deloitte Development LLC. All rights reserved.)
     1. Change in Deloitte: a) Consulting, b) Global player
     2. Global IBM – Deloitte Partnership
     3. IAM is one of three Strategic business areas
  3. Why I am here
     • Michael Nielsen, Partner in Deloitte Denmark, ERS AI
     • Danish Defense, Arthur Andersen, PwC, IBM, MNSecurity and Deloitte ERS
     • 30 years of experience with IT
     • Focus on Role based Security in SAP and Mainframes, IAM and GRC
     • Swedish assignments over the years: Nobel Biocare, Volvo, Tetra Pak, Ericsson and Electrolux
     • IAM: TIM/TAM, Control SA, Omada, FIM, Dell One …
     Contact: Michael Nielsen, Partner | ERS AI, Deloitte, Weidekampsgade 6, 2300 Copenhagen S, Denmark. Postal address: P.O. Box 1600, 0900 Copenhagen C, Denmark. Mobile: +45 24 44 15 31 | Fax: +45 36 10 20 40. micnielsen@deloitte.dk | www.deloitte.dk
  4. My Swedish colleagues: Deloitte ERS Sweden (© 2014 Deloitte AB)
     • Marcus Sörlander, Partner, Enterprise Risk Services, +46 752 46 20 00, msoerlander@deloitte.se
     • Albin Finne, Senior Manager, Enterprise Risk Services, +46 752 46 20 00, alfinne@deloitte.se
  5. Some cases from the Swedish IAM team
     • Deloitte provides the client with advice on the overall project strategy and provides subject matter expertise for the best use of IAM technologies in terms of functionality, scalability and systems integration.
     • The project is a joint collaboration between Sweden and UK.
     • New functionality is currently being designed and developed, including audit and attestation processes for critical access governance processes.
     • Deloitte provided project manager, identity management architect and delivery of the implementation platform with a team of IAM specialists from Sweden, Norway and UK.
     • Deloitte has been drafting the longer term vision, determining the roadmap, launching several implementation projects and relationship-management with the different departments/agencies.
     • The solution delivered by Deloitte included consultation and implementation of a comprehensive access management for both students and staff.
     • In addition to access management, SSO and federation were set up to provide authentication and authorization services for all user populations across the University.
     • The project was delivered by Norwegian, Swedish and UK resources.
  6. What is IAM
     “Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons”
  7. Provisioning conceptual architecture
     Diagram (image not preserved; component labels only): Enterprise Access Management Services; Managed Resources; Auditing and Reporting; Access Request; Provisioning; Access Certification; HR System - PeopleSoft; Process Modeling; System of Record; Identity Store; Reference Systems; Resource SOR; Standard Interface; Dashboards; Policy Enforcement; Certifying Managers and Auditors; Certification; Customized Interface; On-boarding; Business Applications; Manager Requesting and Attesting Access; Delegated Administration; End Users; Employee and Non-Employee; Activity Monitoring; Self-Service; Reconciliation; Connectors; Periodic Review; Review History; Workflow Interface; Enforce Policy; Approval Workflows; Role Management; Role Discovery; Lifecycle Mgmt; Role Creation; Role Certification; Administration; Password; Entitlements; Manual Provisioning; LOB Notification; Workflow-Business Process; Roles; Database; Role Assignment
  8. What is IAM Methods 2.0? Deloitte IAM Methods is:
     • Deloitte’s proven method for consistently delivering value on Identity and Access Management strategy, implementation and operation engagements across all industries
     • A scalable approach that can be applied to projects of different sizes
     • A set of step-by-step, repeatable tasks with enabling tools, templates, and samples for executing a consistent, high-quality project aligned with standards
     • A consistent approach that is understood by all professionals on IAM projects
     • An easy-to-navigate repository for templates and artifacts as it relates to the overall project timeline and structure
  9. General approach no. 1. Waterfall characteristics and assumptions
     • Waterfall Lifecycle addresses highest risks late in project, impacting overall project success:
       – Requirements issues
       – Data quality issues
       – Design issues such as integration and performance
     • Schedule delays result in lower client satisfaction and lower project rate per hour
     1. Getting it right the first time
       • Assumes that requirements, design, solution build, test, and deployment phases can run sequentially, resulting in a successful “single pass” implementation
     2. Freezing requirements
       • Assumes that requirements can be gathered and frozen early in the projects
         – Stakeholders validate requirements in User Acceptance Testing, long after interviews and workshops
     3. No integration surprises
       • Assumes that IAM solution can be built, integrated with managed resources; data migrated with minimal issues
       • Assumes implementation schedule and costs can be accurately estimated “up front”
     Diagram (image not preserved): phases Business Modeling, Requirements, Analysis & Design, Build Solution, Test, Deployment plotted over TIME against Apparent Progress and Risk Levels. Highest risks addressed late in project, when cost of changes are highest.
  10. General approach no. 1. Stakeholder satisfaction?
     With a single-pass implementation, communication errors and misunderstanding may not become apparent until very late in the project life cycle.
     Cartoon panels (image not preserved): As proposed by project sponsor; As produced by the developers; As captured in requirements; As implemented; As designed; What stakeholders wanted
  11. General approach no. 2. Iterative projects to reduce risk
     Iterative projects focus on driving down key risks early in the project lifecycle. Business, Technical, and Project risks are addressed as early as possible, rather than postponing risk resolution.
     Diagram (image not preserved): RISK over TIME, Waterfall versus Iterative, showing earlier Risk Reduction for the iterative approach
  12. Structure of IAM Methods 2.0
     Showing the path from overall to detailed tools. Our method structure aligns with industry standards, addresses how the work gets done and uses standard language to drive consistency.
     Phase definitions:
     • Strategy and Roadmap (Define)
       – Planning — Confirm scope and coverage of IAM goals and vision
       – Current state analysis — Gain an understanding of the current state, including business challenges, business processes, and existing infrastructure
       – Target state analysis — Identify required IAM services for the short, medium, and long term. Discuss business process and technology options to deliver on these IAM needs
       – Gap analysis — Perform gap analysis of IAM environment from current state to target state
       – Strategy and roadmap — Create an IAM strategy with timelines, priority, and costs considered
       – Cost analysis — Determine budget requirements and cost analysis for the IAM program
     • Implementation (Delivery)
       – Planning and analysis — Collect and validate IAM requirements and document desired end states
       – Design — Workshop and document the solution architecture and design, including functional and non-functional components and hardware and software requirements. Define and document test plan
       – Build — Establish solution code base. Develop code and perform configuration according to design specifications
       – Test — Perform system integration testing to verify functional correctness, performance testing to verify non-functional expectations, and support customer User Acceptance Testing
       – Deploy — Assess production readiness, prepare for production deployment, and develop rollback strategy. Deploy solution to production and validate deployment
       – Transition — Conduct knowledge transfer sessions to Operations and Support team
     • Security Application Management Services (Maintain)
       – Planning — Confirm scope, discovery, and high level transition plan
       – Service enablement — Gain an understanding of the Client’s current IAM processes in terms of business process, platforms, and key stakeholders through knowledge transfer and shadowing
       – Service delivery — Deliver the development, support, and platform administration services by leveraging the processes established during the service enablement phase
       – Handover — Conduct knowledge transfer sessions and oversee managed transition support
     • Across all phases: Project Management - Governance - Organization Change
  13. IAM: Strategy and roadmap
     Showing the path from overall to detailed tools. Sub-phases: Planning, Current state analysis, Target state analysis, Gap analysis, Strategy and roadmap, Cost analysis. Cross-cutting: Project management and governance; Organizational change management.
     Tasks/Activities
     • Create project plan for program of work
     • Review overall strategy scope and confirm business goals
     • Identify and confirm IAM vision
     • Identify key stakeholders and schedule meetings
     • Agree on final look and scope of key artifacts
     • Obtain documents describing the existing IAM processes
     • Conduct stakeholder interviews/focus groups to discuss current IAM challenges
     • Perform current state assessment of IAM environment
     • Understand business, regulatory, and technology drivers
     • Understand information security policies, procedures and map them to IAM system
     • Assess maturity of current IAM service areas and IAM governance structure
     • Identify business drivers for IAM and prioritize
     • Identify IAM services to be provided
     • Identify business and governance processes to be provided by IAM
     • Define targeted IAM Maturity level
     • Conduct IAM workshops, with a focus on business, regulatory, and technology streams
     • Define program monitoring, measurement, and reporting
     • Define initial set of target state IAM reference architecture options
     • Perform gap analysis between current state and target state environments
     • Update target state reference architecture options based on findings of gap analysis
     • Finalize target state architecture options
     • Define IAM services and prioritization order
     • Define IAM roadmap for implementation
     • Develop IAM program monitoring
     • Define vendor selection process
     • Select IAM vendor and technology
     • Assist with generating or evaluating RFP
     • Assist in Proof of concept (POC)
     • Prepare executive briefing presentation
     • Complete executive briefing on strategy and roadmap
     • Define/Confirm organizational budget requirements for IAM Program
     • Identify initial and recurring technology costs associated with the IAM program
     • Identify people costs associated with IAM program
     • Develop multi-year cost analysis for IAM program
     Tools and accelerators
     • Requirements management tools
     • IAM current state analysis template
     • IAM Workshop Approach Template
     • IAM target state analysis template
     • IAM gap analysis template
     • IAM Maturity model
     • Vendor selection toolkits
     • IAM Cost Analysis Templates
     Artifacts and Deliverables
     • Work Plan
     • IAM vision statement
     • Project Status Report
     • Current State Assessment report
     • IAM objectives, goals, and services list
     • IAM business and governance process lists
     • Target state architecture options
     • IAM Roles and Responsibilities Matrix
     • Gap analysis report
     • Maturity Models and Metrics Capabilities/Dashboards
     • Vendor selection checklist
     • IAM strategy and roadmap
     • Executive briefing presentation
     • IAM Program Cost Model
  14. Planning (Strategy and roadmap sub-phase)
     Showing the path from overall to detailed tools. Sub-phases: Planning (highlighted), Current state analysis, Target state analysis, Gap analysis, Strategy and roadmap, Cost analysis.
     Objectives
     • Understand business goals, stakeholders' priorities, and perspectives
     • Understand the IAM needs for each IAM Service area
     • Lead stakeholders to a common understanding of IAM vision
     • Establish and maintain agreement with stakeholders on IAM goals
     Tasks/Activities
     • Create project plan for program of work
     • Review overall strategy scope and confirm business goals
     • Identify and confirm IAM vision
     • Identify key stakeholders and schedule meetings
     • Agree on final look and scope of key artifacts
     • Obtain documents describing the existing IAM processes
     Key considerations
     • IAM vision statement is clearly defined and captures an agreement on the high-level purpose, business scope, and project boundaries
     • Roles and responsibilities are clearly defined and project expectations are set with stakeholders
     • Utilize templates, tools, methods and accelerators to gain efficiencies and quality
     Project roles
     • Business Process Owners
     • Project Sponsor
     • Project Manager
     • IAM Specialist
     Exit criteria
     • Approved Project Plan
     • Approved Scope statement
     • Workshops and Interviews Calendar
     Tools/Accelerators
     • Requirements management tools
     Artifacts/Deliverables
     • Work Plan
     • IAM Vision Statement
     Method and approach
  15. Requirements management tools
     Showing the path from overall to detailed tools. Method and approach. Switch to IAM Method – Detail documentation - 1. Planning & Analysis - Requirements management tools - Sam_IAMSolutionRequirementsSpecification_Client_A_C.docx
  16. IAM: Implementation
     Sub-phases: Planning and analysis, Design, Build, Test, Deploy, Transition. Cross-cutting: Project management and governance; Organizational change management.
     Tasks/Activities
     • Define project management plan
     • Develop governance plan
     • Prepare project plan
     • Develop communication plan
     • Review current documentation to identify requirements
     • Conduct workshops to identify and validate business requirements
     • Identify IAM business modeling for process and organization
     • Develop and define use cases
     • Conduct Proof of Concept (POC)
     • Conduct workshops to discuss solution architecture and design approach
     • Develop solution architecture
     • Develop solution design
     • Prepare test strategy
     • Prepare training strategy
     • Prepare test plan
     • Prepare test scripts and data
     • Establish IAM solution build repository
     • Build development environment
     • Build IAM solution
     • Prepare solution build document
     • Execute unit testing
     • Perform solution QA
     • Build Pre-production environments
     • Migrate IAM solution to pre-production environments
     • Perform System Testing
     • Conduct training
     • System Integration Testing
     • Prepare Training materials
     • Performance Testing
     • User Acceptance Testing
     • Production readiness review
     • Prepare deployment plan
     • Perform production deployment
     • Go-live activities
     • Production verification testing
     • IAM system go-live
     • Prepare operational documentation
     • Update project documentation to reflect as-built status
     • Prepare and conduct handover sessions with client team
     • Handover of IAM solution repository
     • Document lessons learned
     • Conduct project closure tasks
     Tools and accelerators
     • Project Contacts list
     • Project status report
     • Requirements traceability matrix
     • IAM Test scripts template
     • IAM Configuration tracker
     • IAM Master code register
     • Test Case Tracker
     • Production cutover plan
     • Go-live communication plan
     • Post Implementation Review
     Artifacts
     • Project Management Plan
     • Work Plan
     • Project governance
     • Communication plan
     • Solution Requirements Specification
     • Solution architecture
     • Solution design specification
     • Training strategy
     • Test Strategy
     • Solution code, customizations, and configurations
     • Solution build document
     • Test Plan
     • Test scripts and test data
     • Training materials
     • Test summary report
     • Updated project documentation
     • Deployment plan
     • Live solution
     • IAM operations manual
     • Post Go-Live System Evaluation Plan
     • IAM Solution operations transition
     • Transition of IAM solution repository
     • Project closure
  17. Security Application Management Services
     Sub-phases: Planning, Service enablement, Service delivery, Handover. Cross-cutting: Project management and governance; Organizational change management.
     Tasks/Activities
     • Mobilize onsite and integrate with the current project teams
     • Establish Governance
       – Review GBTs
       – Define Operations Management structure
       – Define the operations scope, including the responsibilities of the business and IT
     • Review Operations
       – Define SLAs
       – Review quality and risk plans
       – Review inflight and planned projects and plans
     • Begin Discovery planning
       – Delivery Model
       – Roles and Responsibilities
       – Knowledge transfer plan
       – Operations Infrastructure
     • Establish onsite/offshore infrastructure
       – Test communications, connectivity, and access options
     • Understand the current IAM security application management service processes
     • Begin onsite shadowing of maintenance support activities
     • Finalize maintenance roles, activities, and performance metrics
     • Integrate onsite and offshore teams
       – Establish and test onsite/offshore integrated maintenance processes
       – Transition to onsite/offsite team
     • Begin transferring application maintenance tasks
     • Perform Service Delivery
       – Deliver enhancements
       – Provide incident, problem, change, configuration, and release management services
       – Perform service management for platform and product deployments
     • Begin performance measurement of service delivery
     • Analyze performance metrics for quality, efficiency, schedule, and turnaround time
     • Analyze business process efficiencies
     • Compare and contrast project metrics with historical metrics
     • Develop project performance summary report
     • Prepare and conduct handover sessions with client team
     • QRM/QAR checkpoint
     • Handover of IAM solution repository
     • Document lessons learned
     • Conduct project closure tasks
     Tools and accelerators
     • Project contacts list
     • Project status report
     • IAM Playbook
     • Application Integration Guide
     • IAM Dashboard and Metrics
     • IAM lessons learned
     Artifacts
     • Scope Validated
     • Organization Structure
     • Discovery Plan
     • High Level Transition Plan
     • Roles and Responsibilities Matrix
     • Escalation Plans and Procedures
     • Current-State Performance Snapshot
     • Service Delivery Infrastructure Established
     • Onshore/Offshore Team Established
     • Knowledge Transfer Complete
     • Transition Status Reporting
     • Service Delivery Model
     • Service Delivery Operations Launched
     • Optimized Organization Structure
     • Updated IAM solution documents
     • Enhancement cookbooks
     • Periodic status report and metrics
     • IAM Solution operations transition
     • Transition of IAM solution repository
     • Project closure report
  18. Who you gonna call?
     • Marcus Sörlander, Partner, Enterprise Risk Services, +46 752 46 20 00, msoerlander@deloitte.se
     • Albin Finne, Senior Manager, Enterprise Risk Services, +46 752 46 20 00, alfinne@deloitte.se
     • Michael Nielsen, Partner, Enterprise Risk Services, +45 2444 1531, micnielsen@deloitte.dk