IAM EXECUTIVE STATUS DASHBOARD
IAM EXECUTIVE STATUS DASHBOARD | Jan. 27, 2015

KEY
• NO SIGNIFICANT CONCERNS
• SIGNIFICANT CONCERNS/RISKS; NEEDS IMMEDIATE ATTENTION
• RISKS IDENTIFIED; MITIGATION FEASIBLE AND UNDER REVIEW
• MAJOR RISKS TO DELIVERABLES/MILESTONES; NO PLAN YET

PROGRAM NARRATIVE
Accomplishments include retiring PIN3 (on track for end of Jan), an upgraded PIN hashing algorithm (to maintain InCommon Bronze status) and enhancements to the Identity APIs used by SIS and for Alumni onboarding. Major ongoing efforts in this PI, which ends Feb. 25, include supporting Alumni provisioning (by April); initial requirements to support FAS provisioning (by June); and modernizing/migrating to the cloud key IAM databases. Dedicating full-time IAM resource to HMS requirements analysis. Vendor consulting on user-facing components of Provisioning projects begins at the end of Jan.

EXECUTIVE ATTENTION NEEDED
Issue: Onboarding of new schools will expose duplicate login names that must be resolved.
Description: Resolution of duplicates will be a sensitive topic for users and likely require careful negotiation with customers.
Mitigation: IAM team proposes to facilitate the resolution process, but to leave decisions with the schools themselves. IAM will manage end user communication and the actual data cleanup tasks.

CRITICAL SUCCESS FACTORS
Executive Sponsorship; Transition Planning; Budget Planning; Resource Planning; Community & School Engagement; Cross-Program Collaboration
• Executive Committee to review proposal for managing resolution of duplicate login names before we start bringing all new populations
• Executive Committee to review proposed adjustments to overall program plan reflecting evolution of IAM strategy in first year of program execution
• Release calendar now in use across IAM teams to track production deployments
• Cross-team master deployment schedule, owned by Transition Manager, will be used for PI-3 deliverables
• El El See progress: Automated dev and QA environments complete (QA demo held 1/23)
• Agreement with SOC to keep savings realized by cloud migration projects in IAM budget through June of 2015; future migrations will not reduce the chargeback cost for IAM application hosting
• New staff: Mark Bombalicki (Program Coordinator), Graydon Corpian (QA Engineer, transition from contract), Marj Minnigh (Products and Services Support Specialist, transition to FTE), Donny Nyamweya-Omosa (DevOps Engineer)
• Interviews ongoing for contract QA position
• Worked with PIN3 owners to successfully migrate all webgates
• Program update emails via Salesforce
• Meetings to “socialize” HarvardKey with HKS, HLS, HSPH, HMS, GSE, FAS, and Alumni
• Continued SEAS work (currently minimal requirements of IAM)
• Continued meetings with UC to discuss program deliverables and dependencies, to better align schedules
• Participating in cross-program discussions with other Strategic Program teams to align (and combine when applicable) communication strategies

PROJECT PLAN SUMMARY, STATUS, AND MILESTONES
PROGRAM; PROJECT STATUS; NEAR-TERM MILESTONES
Alumni data model delivered on time at end of PI-1. Team is on track to complete API work to manage Alumni data at end of PI-2. Dedicating full-time IAM resource to HMS requirements analysis.
March: Deploy APIs for managing Alumni data and capturing/storing Alumni attributes. Complete HMS analysis.
June: Support provisioning and account self-service for FAS users.
June: Support provisioning and account self-service for Alumni users.
Completed upgrade to IdP encryption to meet new standard for InCommon Bronze certification.
April: Improve end-user privacy by letting them know what data is shared when they use Harvard credentials for third-party apps.
New cloud-hosted Harvard LDAP has been implemented in non-production environments, and integration testing is underway.
Feb: Boost convenience for HUIT dev teams that use IAM data by providing a data-layer web service interface that supports searching, user create/update, and a variety of read operations.
App Owner Support
No near-term milestones.
No near-term milestones.
One-Way Fed
No near-term milestones.
Provisioning Federation Directory Services
[Roadmap timeline chart. Status legend: NOT STARTED, UNDER DEVELOPMENT. Project labels: Readiness Alumni Account Claiming Self-Service Sponsored Account Self-Service Expansion (Office 365) Waveset FIM Replacement for O365 Foundation Expand Provisioning Targets Decommission Waveset PIN/AD Credential Management idP Functionality Expansion External Partner Enhanced idP Functionality for Privacy InCommon Bronze Self-Certification Preparation (AD, PIN/CAS) Federation for Hospitals LDAP Updates (HU/Auth) New Cloud LDAP (HU and AUTH LDAP) LDAP Functional Enhancement LDAP Attribute Expansion Decommission FAS AD UUID Enhancement AD Migration (FAS/Central) Identity APIs Customer Test Data Federation Updates Application Usage Statistics IAM Reference Implementations]
No near-term milestones.
July: Reduce the risk profile for all users by truncating SSN, ensuring that this PII is no longer stored in places where it is not absolutely needed.
Authentication Enhancements
PIN3 retired Jan. 25; all PIN-integrated apps now using the most up-to-date authentication service.
Feb: Support Alumni user authentication.
Authorization Enhancements
SIS wave 1 work is ongoing, using IAM API. All identified issues have been resolved for SIS team.
July: Enable SIS to benefit from IAM data by granting data access in production.
Aug: Make authorization admin tasks easier by enabling creation of user groups.
No near-term milestones.
No near-term milestones.
FIM/IdDB sync for HMS now in Prod.
No near-term milestones.
Three major efforts underway: PIN migration, IdDB migration, and new LDAP.
Feb: Move LDAP to the cloud, saving costs and improving performance.
Feb: Migrate PIN to the cloud, keeping it current with other IAM infrastructure improvements while reducing costs.
Cloud Migration
Application Registration Identity Access
No near-term milestones.
Governance External Directories Expanded Provisioning
[Roadmap timeline chart, continued. Status legend: RELEASE COMPLETED. Project labels: OWF Onboarding for HBS Program-Level KPI Reporting IAM Service Usage & Access Reporting IAM External-Facing Website Refine Privacy Protocols Metric Dashboard Identity Analytics & Risk Assessment SSN Truncation Automated Alerting and Monitoring Decommission PIN3 Multifactor Authentication Identity Proofing Cloud Authentication Bring Your Own Identity Desktop & Mobile Native Apps Coarse-Grained Authorization Expand Groups Connections Update Connections UI Improvements FIM Support Stand Up Cloud-Based LDAP Connections Migration Adaptive Access SIS Wave 2 Group Management Cloud Architectural Reference Model Business Intelligence Tool Set CAS Bridge SIS Wave 0 Add Data to Warehouse School-Level KPI Reporting Yellow Pages Improvements Authenticable Credentials for Machines Retire Legacy LDAP IdDB Migration and Database Export/View Migration Self-Service Migration PIN/CAS Migration SailPoint Migration MIDAS Migration Phonebook & Public LDAP Cloud Migration]

STRATEGY AND PLANNING: TOPICS & TREND LINES
PI-2 (scheduled to end February 25) is underway, with 2 of 10 features delivered so far and all others on track for completion. The scope of PI-2 prioritizes development for FAS and Alumni provisioning and account self-service, database platform investments to speed future development, analysis and discovery for HMS, and an ongoing commitment to meet customer-driven timelines for external teams and applications. A vendor, Isobar, has been engaged to support the interaction design for all end user-facing tools, with particular focus on interaction design within Account Management.
Schedule Budget Scope Reporting Staffing Community Outreach Release Management

FUNCTIONAL STATUS: TOPICS & TREND LINES
The team is fully engaged with functional requirements for Alumni and FAS/CA account management and collaborating with the technical teams on development; work includes an identity data interface (used to import data about Alumni and from SIS), the user self-service account management interface, a new LDAP instance, and several new provisioning connectors. A new version of PeopleSoft import was deployed successfully in December. PIN3 webgates were retired as planned. HMS requirements analysis is well underway, as is planning for the next PI. The Accounts Management and IDM teams are preparing to work with consultants on user interaction design and confirming foundation in SailPoint IIQ, both critical for HarvardKey implementation.
Policy Governance Service Support Documentation Requirements Assessment Service Definition Quality Assurance Service Transition

TECHNICAL STATUS: TOPICS & TREND LINES
The team is accelerating the migration of IAM applications to the cloud in order to be ready for the rollout of HarvardKey and on-boarding of schools. Apart from realizing the productivity and testing benefits of moving to the cloud, we also require the added ability to scale the infrastructure to meet the additional traffic and throughput needs. Migrations include SailPoint IIQ, IdDB, FindPerson/CreateID API, and PIN, as well as the new Harvard LDAP that will house HarvardKey.
Identity Management Cloud Migration Access Management Infrastructure Directory Services Data User Experience

COMMUNITY OUTREACH: HARVARD UNITS & TREND LINES
Communication with PIN3 application owners resulted in successful migration of all applications (except DCE) off the service by early January. Successful deployment of SHA-2 also depended upon good communication with app owners. Attended meetings with HR Focus Group to update them on progress.
Alumni, SIS, SEAS, FAS, and HMS work progresses, with ongoing outreach efforts to keep them informed. Discovery sessions with HKS and HLS continue. Continuing to work on best processes for coordinating planning, particularly timing and dependencies, between UC and IAM.

Harvard units: Faculty of Arts and Sciences; Graduate School of Design; Harvard School of Public Health; TLT; Kennedy School of Government; Campus Services; Harvard School of Dental Medicine; Harvard Law School; FSS; Harvard Divinity School; Harvard Medical School; Human Resources; Alumni Affairs; Unified Communications; Other HUIT Departments; Registrars; SIS; Division of Continuing Education; School of Engineering & Applied Sciences; Harvard Business School; Graduate School of Education; Radcliffe Institute for Advanced Study; Graduate School of Arts and Sciences; Harvard Library

KEY PERFORMANCE INDICATORS

[Chart: IAM Incidents as Percent of Total. Series: IAM Percentage of Total]
We expect a reduction in IAM incidents over time as a percentage of total ServiceNow incidents.

[Chart: Total Authentication Services Registrations. Series: Registered Applications]
Number of registrations is expected to fluctuate over time — but grow overall — based upon new applications added and removal of unused applications.

[Chart: Total Identities in SailPoint IIQ. Series: Number of Identities]
The number of identities illustrated will increase over time as migration from Waveset to SailPoint IIQ progresses.

[Chart: Account Management Help Desk Requests]
Aside from academic-year cyclical trends, we expect a decline in requests as self-service functionality is introduced, offset by the increase in user population.

[Chart: Monthly Provisioning Transactions. Series: Create/Update (WS), Create/Update (IIQ), Deprovision (WS), Deprovision (IIQ)]
Distribution is expected to shift from Waveset to SailPoint IIQ over time, with outlier data points due to bulk migrations or other isolated changes.

Chart annotation: (55386 originally populated)