IAM EXECUTIVE STATUS DASHBOARD

Transcription

IAM EXECUTIVE STATUS DASHBOARD
IAM EXECUTIVE STATUS DASHBOARD | Jan. 27, 2015
PROGRAM NARRATIVE
KEY
NO SIGNIFICANT CONCERNS
SIGNIFICANT CONCERNS/RISKS;
NEEDS IMMEDIATE ATTENTION
RISKS IDENTIFIED; MITIGATION
FEASIBLE AND UNDER REVIEW
MAJOR RISKS TO DELIVERABLES/
MILESTONES; NO PLAN YET
EXECUTIVE ATTENTION NEEDED
Accomplishments include retiring PIN3 (on track for end of Jan), an upgraded PIN hashing algorithm (to maintain InCommon Bronze status) and
enhancements to the Identity APIs used by SIS and for Alumni onboarding. Major ongoing efforts in this PI, which ends Feb. 25, include supporting Alumni
provisioning (by April); initial requirements to support FAS provisioning (by June); and modernizing/migrating to the cloud key IAM databases. Dedicating
full-time IAM resource to HMS requirements analysis. Vendor consulting on user-facing components of Provisioning projects begins at the end of Jan.
Issue: Onboarding of new schools will expose duplicate login names that must be resolved.
Description: Resolution of duplicates will be a sensitive topic for users and likely require careful negotiation with customers.
Mitigation: IAM team proposes to facilitate the resolution process, but to leave decisions with the schools themselves. IAM will manage end user
communication and the actual data cleanup tasks.
CRITICAL SUCCESS FACTORS
Executive Sponsorship
Transition Planning
Budget Planning
Resource Planning
Community & School Engagement
Cross-Program Collaboration
• Executive Committee to review proposal for
managing resolution of duplicate login names
before we start bringing all new populations
• Executive Committee to review proposed
adjustments to overall program plan
reflecting evolution of IAM strategy in first
year of program execution
• Release calendar now in use across IAM
teams to track production deployments
• Cross-team master deployment schedule,
owned by Transition Manager, will be used
for PI-3 deliverables
• El El See progress: Automated dev and QA
environments complete (QA demo held
1/23)
• Agreement with SOC to keep savings realized
by cloud migration projects in IAM budget
through June of 2015; future migrations
will not reduce the chargeback cost for IAM
application hosting
• New staff: Mark Bombalicki (Program
Coordinator), Graydon Corpian (QA Engineer,
transition from contract), Marj Minnigh
(Products and Services Support Specialist,
transition to FTE), Donny Nyamweya-Omosa
(DevOps Engineer)
• Interviews ongoing for contract QA position
• Worked with PIN3 owners to successfully
migrate all webgates
• Program update emails via Salesforce
• Meetings to “socialize” HarvardKey with HKS,
HLS, HSPH, HMS, GSE, FAS, and Alumni
• Continued SEAS work (currently minimal
requirements of IAM)
• Continued meetings with UC to discuss
program deliverables and dependencies, to
better align schedules
• Participating in cross-program discussions
with other Strategic Program teams to
align (and combine when applicable)
communication strategies
PROJECT PLAN SUMMARY, STATUS, AND MILESTONES
KEY
2014
PROGRAM
PROJECT STATUS
NEAR-TERM MILESTONES
Q1
Jan
Alumni data model delivered on
time at end of PI-1. Team is on
track to complete API work to
manage Alumni data at end of PI-2.
Dedicating full-time IAM resource to
HMS requirements analysis.
March: Deploy APIs for managing Alumni
data and capturing/storing Alumni
attributes. Complete HMS analysis.
June: Support provisioning and account
self-service for FAS users.
June: Support provisioning and account
self-service for Alumni users.
Completed upgrade to IdP
encryption to meet new standard
for InCommon Bronze certification.
April: Improve end-user privacy by letting
them know what data is shared when they
use Harvard credentials for third-party apps.
New cloud-hosted Harvard LDAP
has been implemented in nonProduction environments, and
integration testing is underway.
Feb: Boost convenience for HUIT dev
teams that use IAM data by providing
a data-layer web service interface that
supports searching, user create/update,
and a variety of read operations.
App Owner
Support
No near-term milestones.
No near-term milestones.
One-Way Fed
No near-term milestones.
Provisioning
Federation
Directory
Services
Mar
Apr
May
Jun
Jul
Aug
Q4
Sep
Oct
Nov
Readiness
Q1
Dec
Jan
Feb
Q2
Mar
Apr
May
Jul
Aug
Alumni
Q4
Sep
Oct
Nov
Q1
Dec
Jan
Feb
Mar
Apr
Q3
May
Account Claiming Self-Service
Jun
Jul
Aug
Q4
Sep
Oct
Nov
Q1
Dec
Jan
Feb
Q2
Mar
Apr
May
Jun
Sponsored Account Self-Service
Expansion (Office 365)
Waveset
2017
Q2
FIM Replacement for O365
Foundation
NOT STARTED
2016
Q3
Jun
UNDER DEVELOPMENT
Expand Provisioning Targets
Decommission Waveset
PIN/AD Credential Management
idP Functionality Expansion
External Partner
Enhanced idP Functionality for Privacy
InCommon Bronze Self-Certification Preparation (AD, PIN/CAS)
Federation for Hospitals
LDAP Updates (HU/Auth)
New Cloud LDAP (HU and AUTH LDAP)
LDAP Functional Enhancement
LDAP Attribute Expansion
Decommission FAS AD
UUID Enhancement
AD Migration (FAS/Central)
Identity APIs
Customer Test Data
Federation Updates
Application Usage Statistics
IAM Reference Implementations
No near-term milestones.
July: Reduce the risk profile for all users
by truncating SSN, ensuring that this PII
is no longer stored in places where it is
not absolutely needed.
Authentication
Enhancements
PIN3 retired Jan, 25; all PINintegrated apps now using the most
up-to-date authentication service.
Feb: Support Alumni user authentication.
Authorization
Enhancements
SIS wave 1 work is ongoing, using
IAM API. All identified issues have
been resolved for SIS team.
July: Enable SIS to benefit from IAM data by
granting data access in production.
Aug: Make authorization admin tasks easier by
enabling creation of user groups.
No near-term milestones.
No near-term milestones.
FIM/IdDB sync for HMS now in Prod.
No near-term milestones.
Three major efforts underway: PIN
migration, IdDB migration, and new
LDAP.
Feb: Move LDAP to the cloud, saving costs
and improving performance.
Feb: Migrate PIN to the cloud, keeping
it current with other IAM infrastructure
improvements while reducing costs.
Cloud
Migration
Feb
2015
Q3
Application Registration
Identity Access
No near-term milestones.
Governance
External
Directories
Expanded
Provisioning
Q2
RELEASE COMPLETED
OWF Onboarding for HBS
Program-Level KPI Reporting
IAM Service Usage & Access Reporting
IAM External-Facing Website
Refine Privacy Protocols
Metric Dashboard
Identity Analytics & Risk Assessment
SSN Truncation
Automated Alerting and Monitoring
Decommission PIN3
Multifactor Authentication
Identity Proofing
Cloud Authentication
Bring Your Own Identity
Desktop & Mobile Native Apps
Coarse-Grained Authorization
Expand Groups
Connections Update
Connections UI Improvements
FIM Support
Stand Up Cloud-Based LDAP
Connections Migration
Adaptive Access
SIS Wave 2
Group Management
Cloud Architectural Reference Model
Business Intelligence Tool Set
CAS Bridge
SIS Wave 0
Add Data to Warehouse
School-Level KPI Reporting
Yellow Pages Improvements
Authenticable Credentials for Machines
Retire Legacy LDAP
IdDB Migration and Database Export/View Migration
Self-Service Migration
PIN/CAS Migration
SailPoint Migration
MIDAS Migration
Phonebook & Public LDAP Cloud Migration
IAM EXECUTIVE STATUS DASHBOARD | Jan. 27, 2015
KEY
NO SIGNIFICANT CONCERNS
SIGNIFICANT CONCERNS/RISKS;
NEEDS IMMEDIATE ATTENTION
RISKS IDENTIFIED; MITIGATION
FEASIBLE AND UNDER REVIEW
MAJOR RISKS TO DELIVERABLES/
MILESTONES; NO PLAN YET
STRATEGY AND PLANNING: TOPICS & TREND LINES
PI-2 (scheduled to end February 25) is underway, with 2 of 10 features delivered so far and all others on track for completion. The scope of PI-2 prioritizes development for FAS and Alumni
provisioning and account self-service, database platform investments to speed future development, analysis and discovery for HMS, and an ongoing commitment to meet customer-driven
timelines for external teams and applications. A vendor, Isobar, has been engaged to support the interaction design for all end user-facing tools, with particular focus on interaction design
within Account Management.
Schedule
Budget
Scope
Reporting
Staffing
Community Outreach
Release Management
FUNCTIONAL STATUS: TOPICS & TREND LINES
The team is fully engaged with functional requirements for Alumni and FAS/CA account management and collaborating with the technical teams on development; work includes an identity data
interface (used to import data about Alumni and from SIS), the user self-service account management interface, a new LDAP instance, and several new provisioning connectors. A new version
of PeopleSoft import was deployed successfully in December. PIN3 webgates were retired as planned. HMS requirements analysis is well underway, as is planning for the next PI. The Accounts
Management and IDM teams are preparing to work with consultants on user interaction design and confirming foundation in SailPoint IIQ, both critical for HarvardKey implementation.
Policy Governance
Service Support
Documentation
Requirements Assessment
Service Definition
Quality Assurance
Service Transition
TECHNICAL STATUS: TOPICS & TREND LINES
The team is accelerating the migration of IAM applications to the cloud in order to be ready for the rollout of HarvardKey and on-boarding of schools. Apart from realizing the productivity and
testing benefits of moving to the cloud, we also require the added ability to scale the infrastructure to meet the additional traffic and throughput needs. Migrations include SailPoint IIQ, IdDB,
FindPerson/CreateID API, and PIN, as well as the new Harvard LDAP that will house HarvardKey.
Identity Management
Cloud Migration
Access Management
Infrastructure
Directory Services
Data
User Experience
COMMUNITY OUTREACH: HARVARD UNITS & TREND LINES
Communication with PIN3 application owners resulted in successful migration of all
applications (except DCE) off the service by early January. Successful deployment
of SHA-2 also depended upon good communication with app owners. Attended
meetings with HR Focus Group to update them on progress. Alumni, SIS, SEAS,
FAS, and HMS work progresses, with ongoing outreach efforts to keep them
informed. Discovery sessions with HKS and HLS continue. Continuing to work on
best processes for coordinating planning, particularly timing and dependencies,
between UC and IAM.
Faculty of Arts and Sciences
Graduate School of Design
Harvard School of Public Health
2000 2000
1700
1400
1100
800
500
1400
1100
800
1700
1400
1100
800
TLT
Kennedy School of Government
1400 1400
Campus Services
4
4
Harvard School of Dental Medicine
Harvard Law School
1100
1100
FSS
3
3
Harvard Divinity School
Harvard Medical School
800
800
Human Resources
IAM Incidents as Percent of Total
1700
Alumni Affairs
500
Oct Nov
JanDec
Feb
Apr
May
AugJulSep
Oct
Nov
Dec
OctDec
Nov
JanMar
Feb
Mar
AprJun
MayJulJun
Aug
Sep
Oct
Nov Dec
13
14
13
14
2
2
1
1
0
Total Authentication Services Registrations
Total Identities in SailPoint IIQ
1800
1800
1800
650000650000
35000 35000
6
6
6
1700
1700
1700
640000640000
28000 28000
5
5
5
1600
1600
1600
4
4
4
630000630000
21000 21000
1500
1500
1500
620000620000
14000 14000
1400
1400
1400
1300
1300
1300
610000610000
7000 7000
3
3
2
2
1
1
1
Registered
Registered
Applications
Registered
Applications
Applications
IAM Percentage
IAM Percentage
IAM
ofPercentage
Totalof Totalof Total
We expect a reduction in IAM incidents over time as a
percentage of total ServiceNow
incidents.
(55386 originally
(55386 originally
populated)
(55386 originally
populated)
populated)
35000 35000 35000
28000 28000 28000
Jan
15
Number of registrations is expected to fluctuate over
time — but grow overall — based upon new applications
added
and
removal
of unused applications.
10
10
10
9
9
9
8
8
8
600000
600000
July 14 July 14
Aug
Sept
Aug
SeptOct
OctNov
NovDec
Jan 15 Jan 15
Dec
Number
of Identities
Number
of Identities
0
Feb
14
0
1500
Unified Communications
Other HUIT Departments
(55386 originally
populated)
(55386 originally
populated)
Mar
Feb Apr
Mar May
Apr Jun
May July
Jun Aug
July Sep
Aug Oct
Sep Nov
Oct Dec
Nov Jan
Dec Jan
15
14
15
Create/Update
(WS) (WS)
Create/Update
Create/Update
(IIQ) (IIQ)
Create/Update
The number of identities illustrated will increase
over time as migration from Waveset to
SailPoint IIQ progresses.
1700
1600 1600
Monthly Provisioning Transactions
7
2
1700
IAM Percentage
of Totalof Total
IAM Percentage
7
3
1800 1800
Registrars
0
Oct Nov
JanDec
Feb
Apr
May
AugJulSep
Oct
Nov
Dec
OctDec
Nov
JanMar
Feb
Mar
AprJun
MayJulJun
Aug
Sep
Oct
Nov Dec
13
14
13
14
7
Account
Account
Management
Account
Management
Management
Help Desk
HelpRequests
Desk
HelpRequests
Desk Requests
640000640000640000
SIS
Division of Continuing Education
500
500
0
0
0
1200 1200 1200
Oct Nov
Oct
DecNov
Jan
Oct
Dec
Feb
Nov
Jan
Mar
Dec
Feb
Apr
Jan
Mar
May
Feb
Apr
Jun
Mar
May
Jul
Apr
Jun
Aug
May
Jul
Sep
Jun
Aug
Oct
JulSep
Nov
Aug
Oct
Dec
Sep
Nov
Oct
Dec
Nov Dec
Oct Nov
Oct
DecNov
Jan
Oct
Dec
Feb
Nov
Jan
Mar
Dec
Feb
Apr
Jan
Mar
May
Feb
Apr
Jun
Mar
May
Jul
Apr
Jun
Aug
May
Jul
Sep
Jun
Aug
Oct
JulSep
Nov
Aug
Oct
Dec
Sep
Nov
Oct
Dec
Nov Dec
Feb Mar
Feb Apr
Mar
FebMay
Apr
MarJun
May
AprJul
Jun
MayAug
Jul
JunSep
Aug
JulOct
Sep
AugNov
Oct
SepDec
Nov
OctJan
Dec
Nov Jan
Dec
13
13
14
13
14
14
13
13
14
13
14
14
14
14
14
15
15
Aside from academic-year cyclical trends, we expect
a decline in requests as self-service functionality is
650000650000650000
introduced,
offset by the increase in user population.
5
School of Engineering & Applied Sciences
Account
Management
Help Desk
Account
Management
HelpRequests
Desk Requests
Account Management Help Desk Requests
1700
6
5
Harvard Business School
KEY PERFORMANCE INDICATORS
2000 2000
6
Graduate School of Education
1700
Radcliffe Institute for Advanced Study
7
Graduate School of Arts and Sciences
500
2000
Harvard Library
7
Deprovision
(WS) (WS)
Deprovision
Deprovision
(IIQ) (IIQ)
Deprovision
Distribution is expected to shift from Waveset to
SailPoint IIQ over time, with outlier data points due
to bulk migrations or other isolated changes.
1500
1400 1400
1300
1300
1200
1200
Feb
14