CIO Council Project Completion Report. University Identity and Access Management (UIAM)


Report to CIO Council, May 1, 2017

Project Completion Summary - Identity and Access Management

Summary Metrics
Budget: Overall project delivered on budget ($380k transferred to Collaboration Program 6/14)
  Award: $12.9M
  Reforecast: $12.5M
  Spent: $12.3M
  Green = less than 10%, Yellow = between 10% and 20%, Red = more than 20%
Schedule: Overall project delivered on time
  Start: 02/13
  End: 06/17
  Green = less than 10%, Yellow = between 10% and 20%, Red = more than 20%

Major Benefits Achieved
- Simplified Experience: One login for life has replaced an average of over 6 logins per user
- Security: University-wide adoption of standardized and improved passwords with associated two factor authentication dramatically increases security
- Improved Access: All schools across Harvard are integrated with common user identities that enable University , HarvardPhone, and over 2,000 other applications
- Efficiencies: 100k+ alumni use IAM identity data preventing redundant data, experience, and system costs; provisioning expansion to additional schools ongoing

Key Success Factors
- Adaptability: Flexible processes allowed for successful incorporation of new scope (Alumni & Duo)
- Strategic Alignment: Original strategic plan (1/14) provided direction and vision throughout program
- Usability & Outreach: Focus areas of outreach and User Experience accelerated adoption

Areas for Improvement (see lessons learned)
- Usability & Outreach: Continually improving throughout the program, required focus sooner
- Stronger Integration with Schools: Dedicated communications staff helped, better model is possible
- Scope Management: Additional scope impacted roadmap, additional impact analysis necessary

The Vision for the Program
[Figure: Objectives, Guiding Principles, Key Performance Indicators]

UIAM Program Timeline

Key Program Objectives
- Simplify the User Experience
- Enable Research and Collaboration
- Protect University Resources
- Facilitate Technology Innovation

[Timeline figure, FY 13 through FY 18+. Milestones in order: UIAM Project Launched; IAM Strategy Published; FAS / Central Provisioning Updated; HarvardKey Released; Two Step Mandate; Continued expansion & support. Label: ITCRB Funded Project]

Achieved Goals and Impact

IAM Strategic Objective: Simplify the User Experience (Fewer passwords to remember...)
Impact: One login for life has replaced an average of over 6 logins per user across Harvard

IAM Strategic Objective: Enable Research and Collaboration (Improved access to university resources...)
Impact: All schools across Harvard are integrated with common user identities that enable University , HarvardPhone, and over 2,000 other applications

IAM Strategic Objective: Protect University Resources (Better security...)
Impact: University-wide adoption of standardized and improved passwords with associated two factor authentication dramatically increases security

IAM Strategic Objective: Facilitate Technology Innovation (Improved participation in higher education community...)
Impact: Improved sponsored guest accounts and external federation allow external researchers and university staff to collaborate quickly

Imagine If

At the onset of the IAM program, we imagined a list of key ideas that represented an ideal state for our stakeholder groups. This is how we did:

Stakeholder: Faculty and Staff
Imagine If:
- Faculty and staff could access information and perform research across schools and with other institutions without having to use several sets of credentials.
- Faculty and staff could manage their own accounts and sponsor others through a centralized web application.
Outcome: COMPLETE
Solution Implemented:
- Harvard has Federated with InCommon to allow for resource access across other Higher Ed institutions using Harvard credentials
- Sponsored Account process automated and distributed across the University to allow for self-service management of Harvard partners

Stakeholder: Students
Imagine If:
- Students could choose to use their home school credentials to log in to applications across the University.
- Students could keep using the same set of credentials after they graduate.
Outcome: COMPLETE
Solution Implemented:
- HarvardKey credentials aligned to University affiliations with ability to choose login name
- One HarvardKey for life for all Harvard affiliates including Students / Alumni

Stakeholder: Technical Staff
Imagine If:
- Automated provisioning could reduce the burden on IT staff and increase the security posture of the University.
- Application teams could easily integrate Harvard users with internal and external applications.
Outcome: COMPLETE
Solution Implemented:
- Automatic provisioning of access based on users' University affiliations
- Over 2000 applications integrated with HarvardKey

Stakeholder: External Users
Imagine If:
- External users could access Harvard applications using credentials native to their home institution.
Outcome: COMPLETE
Solution Implemented:
- External access to Harvard resources based on either federated login or sponsored accounts

Evolving Program Focus

[Figure: PROJECTED vs. ACTUAL ~ Effort to Completion. Key: box size represents approximate (~) effort to completion; boxes are marked Planned Project or Additional Project. Boxes shown: Provisioning; Federation; Directory Services; App Owner Portal; Identity Governance; Authentication Enhancements; Authorization Enhancements; External Directories; Expanded Provisioning; Cloud Migrations; Office365 Integration; Alumni Provisioning and Support; Two-Step Authentication and Security Improvements. Other labels: ~ 600k users; ~ 150k users; COMPLETE; POSTPONED]

Transition

Ongoing Governance (to be established)
[Organization chart labels: IAM Product Advisory Group; Sponsor Schools Campus Services Library ATS AT ITS; Service Owner; Product Owners; Middleware Workgroup; Engagement Councils; IAM Data Workgroup (w/ SIS); Directory Services Steering Com]

Ongoing Support
- Jane Hill continues as IAM Service Owner / Product Manager
- IAM organization: End User Services and Integration Services (IT Provider Services)
- FY 18 will serve as a transition year from program to steady operating state

Communication and Engagement
- Regular meetings between schools and IAM in partnership with HUIT Account Management going forward
- Twice Yearly IAM Town Halls to provide general updates on IAM roadmap progress
- Grouper Clinics to provide specific service/functionality overview
- Evaluating the possibility of an IT Academy course to increase IAM awareness

Lessons Learned - Scope & Planning

Surprises
- IAM had several starts before the UIAM program gained traction
- Project timeline was primarily focused on delivery activities and could have benefited from increased time for team norming and stabilization
- Data cleanup activities were critical to success and require significant effort
- Alumni integration effort required far more effort than anticipated
- Agile requires constant attention and tweaking to fit culture and business needs

Best Practices
- Define a clear program vision to set multi-year roadmap, ensure alignment and allow for leadership/team transitions
- Ensure appropriate time and resources are allocated to data conversion efforts
- If running a multiyear agile progress consider using Program Increment Planning
  Strategic Plan > Program Increment Objectives (3 months) > Sprints (2 weeks)
- Ensure agile is tuned to delivering value to the organization
- Consider a staffing approach that accommodates team normalization (trust building, process acceptance, buy-in)
- Involve security early in designs and approach to minimize rework

Lessons Learned - Engagement

Surprises
- The complexity of the IAM ecosystem is difficult to communicate to stakeholders
- The IAM Program staffed for communications but not engagement as fully as the program required at the start
- When developing an enterprise service you have to factor in time for each unique school and environment, not assume economies of scale
- Work being completed in the year before establishing HarvardKey brand was difficult to communicate to individuals outside of the program

Best Practices
- Dedicate staff to engagement with the University, not just communicating updates/status; partner with school communications personnel
- Be transparent and honest with technical teams to ensure alignment of developers' work to the "Why" value statements for the organization
- Knowledge transfer early and consistently with support teams that will respond to customer requests
- A clean and concise website is valuable to both internal and external audiences
- Define a brand as early as possible in a project and relate program efforts back to that unifying identity

Lessons Learned - Governance, Budget & Staffing

Surprises
- Balancing strategic program work against lower value tactical work is an ongoing struggle
- The classic definition of a Product Owner is challenging to map effectively to Harvard's many stakeholders
- The value provided by external vendors was very limited
- Two groups established early in the program didn't continue throughout the program due to difficulty in maintaining effective cross-university working groups

Best Practices
- Track both strategic & tactical priorities to understand when one impacts another
- Define goals/objectives of various committees and revisit those goals regularly
- Consider integrating team with other similar teams (AD, Collaboration, Accounts)
- YearUp provides a valuable pipeline of resources but requires dedicated management
- Diversity matters; different experiences & backgrounds make everyone stronger
- Consider dedicated DevOps and Release Management roles to increase agility

Lessons Learned - Technical

Surprises
- Adoption and migration to the cloud required dedicated resources, team focus, and new models of support/testing/integration
- A focus by individuals on a particular product or technology creates siloed knowledge and limits creative problem solving
- New development follows cycles of innovation and stability. Windows for stability tend to be minimized, which can lead to change fatigue and decreased ability to decommission legacy technology
- IAM was not a technical change but an organizational change effort

Best Practices
- Choose a cloud-first approach; even when vendors caution against it, work to mitigate their concerns
- Do not align teams by products but by functionality and solutions (e.g. Auth)
- Manage the number of deliverables for a given quarter to align efforts and simplify messaging
- Utilize best of breed industry software, follow other Harvard use cases, and standardize use (GitHub, Jenkins, Cloud Formation, Slack, Wiki, SharePoint, etc.)
- Establish Lunch and Learns to share knowledge and experiences across teams

Lessons Learned - Discussion

From your perspective, it would be really helpful to capture input on the project and product, to help inform how we a.) deliver services in the coming years and b.) design future projects of similar magnitude and complexity

What should HUIT:
- Keep Doing
- Start Doing
- Stop Doing