In this talk, presented at the Cloud Identity Summit 2017 (now Identiverse), Dave Shields gives an overview of some of the biggest IAM challenges he faced while building IAM at OU and shares them with other IAM professionals. The focus is Higher Education, but the material applies to any vertical.
8 Pitfalls of Next Generation IAM Programs
1. 8 PITFALLS OF NEXT GENERATION IDENTITY MANAGEMENT
Presented By: Dave Shields, Managing Director of Identity and Access Management – University of Oklahoma
2. About OU
• Publicly funded research institution in Oklahoma
• Approximately 37,000 students, 12,000 faculty/staff
• Spread across 3 campuses
• Highly decentralized environment
3. IAM Program Reality Check
• Just because you build it, doesn’t mean they will come…
• Old processes die hard and new processes die easy.
• Learn to ‘see’ the pitfalls and prepare for them.
4. Pitfall #1 – Bad Planning
• Bad planning kills new ideas.
• Just because you can buy it doesn’t mean you should.
• IAM touches too many things to live in a vacuum.
5. Solution: Build a Roundtable!
• Dedicate at least one person full time to IAM, more if you can.
• Create a ‘think tank’ with people who have a stake in IAM. These stakeholders build buy-in for the program.
• Your Roundtable can help your plans succeed.
• Tribal knowledge is better than technical depth.
6. The IAM Roundtable at OU
• Meets every other week and also maintains email communication outside of meetings.
• Meetings are open to anyone who wants to listen (don’t create a wall).
• Consists of Enterprise Architects, representatives from high impact areas, and rank and file employees with tribal knowledge.
7. Why?
• Reduces power struggles, egomania and ‘manic planning.’
• Increases collaboration across the diverse structure of the university.
• Shows a unified front against a problem that can’t be ignored.
• Offers a basis for IAM Governance later on.
8. Pitfall #2 – Garbage Processes
• Existing processes may be good, but they can also be part of the problem.
• We don’t always realize a process is garbage until we examine it.
• No matter how great your next generation IAM Platform is, it won’t fix a bad process if you replicate it.
9. Solution: Seek and Destroy
• Spend a lot of time documenting core identity processes (i.e. how does an account get from here to there?) with those who know them best.
• Break out the flow charts!
• Illustrate processes to the owners.
• If garbage is found, destroy (or recycle) it.
12. Why?
• Documenting processes can help you find issues.
• Many processes have never been documented and may only live in someone’s brain.
• Once the process is documented, converting it to IAM logic will be that much quicker!
13. Pitfall #3 – Wrong Product Choice
• The best product for your organization may not be the popular choice.
• Don’t make IAM just a solution looking for a problem.
• The Gartner Magic Quadrant is not the final word on what’s best!
14. Solution: Create Business Requirements
• Craft a minimum of 5 Business Requirements, and hold the vendor(s) accountable!
• Use your think tank (roundtable) and key stakeholders to determine what is really required for your IAM Platform.
• The more feedback you have, the better the requirements will be.
15. Business Requirements for OU
• We created 10 business requirements for OU and explained what each of these are:
– BR01: Legacy Replacement
– BR02: Secondary ID Source
– BR03: Triangulation of Trust
– BR04: Role Assignment/Mirroring
– BR05: Integration with Existing Systems
16. Business Requirements for OU
• We created 10 business requirements for OU and explained what each of these are:
– BR06: Audit and Attestation
– BR07: Platform Location (Cloud vs. On-Prem)
– BR08: Academic Lifecycle of an Identity
– BR09: Web Portal Experience
– BR10: Independent Sustainment of IAM Platform
17. Example of Requirements:
• BR03: Triangulation of Trust:
– Successfully offer a web portal to request secondary IDs
– Successfully accept authentication from sources such as Facebook, Email, SSO, etc.
– Successfully illustrate trust-based scoring
– Successfully federate with InCommon
– Capable of connecting collected data to AD accounts
18. Why?
• Creating Business Requirements with the organization builds support and buy-in across the university.
• Business requirements can be a deliverable for IAM.
• If you know what you need, you’ll know which vendors don’t work for you.
• You can do a ‘mini-RFP’ with your requirements.
20. Pitfall #4 – Being Future-Blind
• It’s very easy to think of IAM as strictly an internal process, but it isn’t!
• Your users are likely bringing their own identities and may or may not want to use them at your organization.
• If your platform can’t do both internal and external ID management, it will not be useful.
21. Solution: Design for the Future
• Do not limit your thoughts to just keeping the status quo… prepare for the future!
• Can a user (or contractor) use your infrastructure even if they are in another country?
• Consider the buzzwords: Internet of Things, Open Authentication, etc.
23. Why?
• IAM is not an application, it’s a platform.
• Digital natives seek a truly integrated approach.
• Greater visibility on a single pane of glass.
• One IAM to rule them all.
24. Pitfall #5 – We Require More Resources
• Too many organizations don’t take IAM seriously enough from a resource standpoint.
• Too few staff, stretched too thin.
• Too many responsibilities, not enough manpower.
• Lack of direction and oversight.
• Sorry, no money…
25. Solution: Make an Actual IAM Team
• Dedicate a team lead and one or two staff (initially) to IAM.
• Do not try to offer time sharing of resources.
• Beyond the core team, have a cross-functional team that drives it for the greater good.
26. OU’s IAM Team Portfolio
• Identity Management: IAM Platform, Active Directory, SSO (PingFederate), MFA (Duo)
• Access Management: Network Access Control (ClearPass), Cloud DLP (CloudLock), Federated Access (InCommon)
27. Why?
• Overuse of resources causes stagnation.
• Allocating an actual team for the project ensures that it is staffed and funded.
• If the IAM team has a portfolio of tools, it makes it easier to get that ‘single pane of glass’ for IAM.
28. Pitfall #6 – Lack of Engagement
• IAM cannot live in a bubble.
• If you don’t engage your organization’s stakeholders, the program won’t last long.
• Everybody’s voice needs to be heard or they won’t hear yours!
29. Solution: Transparency & Communication
• Make sure everybody that will listen to you knows what is going on!
• An organization is not an organization without staff, visitors, contractors, etc. … get them engaged.
• Don’t just ask managers and high-level employees; the rank and file employees have lots to share.
30. The Big Show and the IAM Email List
• Consider creating an IAM Communications email, journal or social media path.
• Prepare to create a method for governing your IAM Platform and data use.
• Invite your top vendor to offer a ‘big show’ demo where anyone can attend!
31. Why?
• Keeping communication open gives more people a voice.
• The more people that feel their voice is heard, the more support you have.
• If one person has a concern about part of it, they aren’t the only one.
32. Pitfall #7 – Not Planning for the Lifecycle
• It’s easy to focus too much on ‘active’ employees or vendors.
• Sometimes others are ignored.
• You cannot treat each stage the same!
33. Solution: Plan for the Full Lifecycle
• You literally must think about IAM from the cradle to the grave.
• Each stage in the lifecycle has its own requirements and needs. Plan for them!
• Document all possible lifecycle stages and get feedback from someone in each group.
35. Why?
• An identity changes state many times throughout the lifecycle.
• The lifecycle of an academic identity is very different from a corporate one.
• Not just people have identities; so do devices and systems.
36. Pitfall #8 – Not Expecting the Unexpected
• You cannot predict everything.
• The deeper you get into IAM, the more ‘spaghetti’ you will find.
• People will be protective of their processes.
37. Solution: Keep Things Fluid
• Know that it is not ‘if’ or ‘when’ your IAM scope will change, but ‘how many times’.
• Add some fluidity to timelines and deadlines.
• Learn when to draw the line without impacting your goals.
• Sometimes small steps are better than big strides.
38. IAM@OU, 2 Years In
• Timeline had to be moved at least 4 times.
• Hidden dependencies added over 1000 hours to development time.
• New systems became critical systems that were not accounted for in Discovery.
• Extensive human hours caused resource constraints in other departments.
39. Why?
• IAM is so large that teams do not always realize the scope until it’s too late.
• Demanding hard timelines can reduce the success of your IAM deployment.
• Innovation may not always appear at the beginning.
• You can’t build IAM alone.
40. The New Reality of IAM
• Open walls, processes and communication.
• Touches everything in your organization.
• Impacts everyone in your organization.
• Can be the best piece of your organization… or the worst.
• Integral to managing risk and security for your organization.
41. Need more help? Keep in Touch!
• Slides available at the end of this presentation
• Email: dshields@ou.edu
• LinkedIn: https://www.linkedin.com/in/daveshieldsok/
Editor's Notes
Use the power of many to influence the rejection of the few.
Make sure to look for people who you might not normally think of for a ‘governance’ type board but have special skills to help your purpose.
We work through all IAM related activities as a team
If one member of the roundtable has rapport with a specific group, let that person handle that group
Democratically designed
When more people are involved in the decision, as long as they have a combined cause, they tend to fight less over who does what
A roundtable doesn’t lend itself to having one person be ‘the only person’ on a project so IAM doesn’t become “Dave’s Project”
Many more projects at OU than I would like to admit have been the result of manic planning. Your roundtable can share the load and plan different parts together
If you require others to help you reach ‘big decisions’ then you are increasing collaboration across the entire university
When you have several people from all different walks of life working together, your approach becomes more unified and centralized
There is nothing wrong with processes that have stood the test of time. The question is… did they pass the test of time or did everything else follow because it had to?
Processes can be developed over years and decades, sometimes as a result of a firestorm; a process may have been good when it was made, but it needs to be examined for relevance.
You can have the most powerful IAM platform ever that spits out processes in realtime but if you feed it garbage, it’s going to spit out garbage.
If your IAM isn’t there to solve problems, why are you building it? You need to document the processes so you can put them into IAM, but this may be the time to figure out what you don’t need in the new IAM world.
If you are a visual person, diagrams and flowcharts are amazingly useful. You might even be able to show a process owner things about their process they didn’t realize.
Whatever you do, don’t bring the garbage into IAM; it will only make it stink.
After meeting with all stakeholders, this is what we determined was how identities came to be.
Don’t try to stare too hard, you’ll go blind. But this diagram served to show all things about identity and has been infinitely useful.
Don’t stare too hard, you’ll go blind!
This diagram taught us how employees get their identities started.
We found an area where things were being hand-keyed and likely causing some issues.
You would be surprised at how many people asked if they could keep copies of these documents because nothing else was documented like this
Those who keep processes in their brain are either going to be happy that you took that load off them or they may be nervous about giving up control of their ‘baby’.
Many of the diagrams we made became the core documents for our IAM POC build and this can be used in the Production build, too.
Everybody has those leaders in the organization who believe that only Gartner (or Forrester) is the best there is.
The way they evaluate products is for a much more generalized audience, and there are few things that are ‘general’ in Higher Ed.
Even Gartner says “Just because it’s in the top right doesn’t mean it’s the best for you!”
Consider putting your product choices in a Matrix and using it to review the material at hand.
Your roundtable knows what is important to certain groups and they can help you decide.
Share the requirements as much as you can with other parts of your university so that you can have lots of feedback.
I picked this one because it was one of the most unique requirements we came up with and it really challenged a number of vendors.
You need buy in to achieve success
If your leadership wants to measure what you are doing, the requirements list or documents can be a great deliverable
Picking the best vendor is much easier when you prepare accordingly.
Explain how we used the requirements matrix to serve as a mini-RFP.
Explain how you checked each vendor and scored them (0, 1, 2)
Total the columns at the bottom and you can see which solution seems to do the most for your organization.
The thing about the future is that it quickly becomes the present and soon the past
IAM has to be able to do things inside your walls and outside
If there is a paradigm shift in the way students communicate (such as Social Media in our time), your IAM may not be able to control that.
Make your platform work for how you work now and how you MAY work in the future.
The future of education rests in the hands of those who are willing to reinvent it. You could be one of them.
Yes, there are security concerns inherent in allowing access from other countries, but that doesn’t mean you must avoid it.
The buzzwords of today will become the technology of tomorrow.
What if your IAM future was a fully integrated system that could handle an almost endless list of sources and systems?
Think outside of your university walls just as much as you think within.
If the primary resources for IAM have other commitments, it’s that much easier to ‘kick the can down the road.’