Tivoli Identity Manager at the Commonwealth Bank
Presenter: Jon Davies (jon.davies@cba.com.au)
3 August 2006
Today's Topic
- CBA has been implementing TIM for the last 2 years
- We have had quite a few lessons learnt in that time
- Today I'll address some of the challenges when implementing an identity management solution
- I'm going to focus on the integration of business and technology
- This will not be a list of bugs or limitations in the TIM product
How Do We Use Tivoli Identity Manager?
TIM (iam) enables the Bank to efficiently activate, maintain and audit the permissions that all Bank users have to other systems.
- User Lifecycle Management: PeopleSoft HR is the source of truth; security policies are enforced each time an employee event or organisational change is made
- Audit & Report Management: iam captures and reports on user system access rights and any changes made to the user
- Credentials Management: self-service facility for Bank staff to reset their own password; passwords are automatically synchronised
- Role & Policy Management: automatic creation and management of user accounts based on the employee's role; customer self-service facility for Line Managers to adjust staff permissions; configurable workflow framework
About our Implementation
- Live Dec 04
- Manage 31,000 internal employees and contractors
- Line managers set up access and adjust permissions
- PeopleSoft HR triggers provisioning events
- Integrated with Active Directory
- Provision over 70 systems
- 9,000 password resets per week
- Monthly release cycles
[Chart: month-by-month rollout percentage, rising from 1% in Jan-05 to 91% by Jul-06]
Some Challenges with a Large Identity Management Implementation
Give access, remove access: surely you just tick a box. It's easy, right?
1. The balance between security and the customer experience
2. TIM is highly integrated with other systems
3. TIM is highly integrated with core bank processes
4. Getting the right people involved
1. The Balance Between Security and the Customer Experience
Challenges:
- Is there such a thing as perfect security?
- Functionality is about making it happen; security is about stopping it happening
- Some elements of good IT security:
  - Access will be removed immediately
  - Passwords should be as strong as possible
  - You must verify the user before a password reset
  - Do not send passwords in clear text
  - Two-factor authentication
- But if your customers don't use the new system and processes, they will go back to old habits
Example: How We Implemented Password Self Service
Passwords can be reset by answering a random selection of predefined secret answers. Here is the answer setup screen:
[Screenshot of the secret answer setup screen not reproduced]
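As an added illustration of the reset scheme described above (example code written for this page, not CBA's or TIM's implementation), the profile below stores only salted hashes of the answers, picks a random subset of the registered questions for each reset with a CSPRNG, compares every answer in constant time, and locks self-service after a number of failed rounds. The question texts, answers and limits are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample question set (hypothetical, not the Bank's actual questions)
QUESTIONS = {
    "q1": "Name of your first school?",
    "q2": "City you were born in?",
    "q3": "Make of your first car?",
    "q4": "Your favourite teacher's surname?",
}
ANSWERS_REQUIRED = 2   # questions asked per reset; all must be answered correctly
MAX_FAILED_ROUNDS = 3  # lock self-service after this many failed rounds


def normalise(answer: str) -> str:
    # Case and surrounding/repeated whitespace are not part of the secret
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


@dataclass
class SelfServiceProfile:
    # question id -> (salt, hash); plaintext answers are never stored
    answers: dict = field(default_factory=dict)
    failed_rounds: int = 0

    def register(self, question_id: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.answers[question_id] = (salt, hash_answer(answer, salt))

    def challenge(self) -> list:
        # A fresh random subset each time, so a shoulder-surfed answer is not enough
        return secrets.SystemRandom().sample(sorted(self.answers), ANSWERS_REQUIRED)

    def verify(self, responses: dict) -> bool:
        if self.failed_rounds >= MAX_FAILED_ROUNDS:
            return False  # locked out; an assisted reset path is needed from here
        ok = len(responses) >= ANSWERS_REQUIRED
        for qid, given in responses.items():
            if qid not in self.answers:
                ok = False
                continue
            salt, expected = self.answers[qid]
            # Check every answer, never short-circuit, so timing does not reveal which one was wrong
            if not hmac.compare_digest(hash_answer(given, salt), expected):
                ok = False
        self.failed_rounds = 0 if ok else self.failed_rounds + 1
        return ok
```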
1. The Balance Between Security and the Customer Experience
Suggestions:
- Recognise and consider the balance: wear many hats and understand all your stakeholders
- Are there simple but effective security alternatives?
- Sell and explain the reasons
- Use policy to drive change
- Block the old paths and back doors
2. TIM Is Highly Integrated with Other Systems
Challenges:
- Creating and identifying people and accounts across many systems
- A data change can cause a flood downstream
- How clean is the data? Where is the source of truth?
- What is the best means to integrate?
- How much should we integrate?
Example: The Provisioning Events & Integration Points
[Diagram: provisioning events (New Hire?, Job change?, Department change?, Termination?) raised by End Users, Line Managers / HR and Line Managers / Centralised Support flow from PeopleSoft HR into iam, where Identity Attributes, Job Roles and Workflow drive the integration points: Active Directory, Web Services, Application Roles, vox, Mail, Shared Drives, Status Tracker, New Apps, Agent Interface, Citrix Policies, ICOM and Manual]
Role Design and the Complexity of Integration
Not all access privileges need to be provisioned by TIM. This example shows how complex integration can become.
[Diagram: a Branch Area Manager role maps to a LAN Account, Email, Teller App and Reporting App (Create Reports, Read Service Reports, Sales Reports) across Branch 1, Branch 2 and Branch 3; some of these entitlements are assigned by TIM and others are assigned within the application]
2. TIM Is Highly Integrated with Other Systems
Suggestions:
- Promote standard design patterns: this will help reduce the cost of integration
- Don't only consider full integration as the answer
- While design is important, experience is critical: keep your designs and development agile
- Build relationships with other system owners; you never know when you will need a favour
- Understand system changes across the whole environment; get the heads-up when there could be an impact
- Don't blame: recover, understand, adapt
3. TIM Is Highly Integrated with Core Bank Processes
Challenges:
- Identity management is integral to a lot of core processes
- A broken process can have dire consequences:
  - Loss of access to systems
  - "I had to complete which form?"
  - "But the person is here now!"
  - Separation of duties: if you have access to this, then you should not have access to that
  - "That's not the way I used to do it"
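The separation-of-duties rule above ("if you have access to this, then you should not have access to that") is easiest to enforce at the point where a role is requested rather than after the fact. The check below is an added example for this page, not TIM's policy engine; the role-to-entitlement map and the toxic combinations are constructed sample values.

```python
# Constructed sample role model (hypothetical role and entitlement names)
ROLE_ENTITLEMENTS = {
    "teller": {"lan_account", "email", "teller_app"},
    "branch_manager": {"lan_account", "email", "teller_app", "reporting_app:create"},
    "payments_initiator": {"lan_account", "payments:initiate"},
    "payments_approver": {"lan_account", "payments:approve"},
    "ledger_adjuster": {"lan_account", "ledger:adjust"},
}

# Each set is a combination one person must never hold at the same time
TOXIC_COMBINATIONS = [
    frozenset({"payments:initiate", "payments:approve"}),
    frozenset({"teller_app", "ledger:adjust"}),
]


def entitlements_for(roles):
    """Union of everything the given roles grant (unknown roles grant nothing)."""
    granted = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted


def sod_violations(roles):
    """Return the toxic combinations that the given roles would fully satisfy."""
    granted = entitlements_for(roles)
    return [combo for combo in TOXIC_COMBINATIONS if combo <= granted]


def evaluate_role_request(current_roles, requested_role):
    """Decide a line manager's request to add a role.

    Returns (allowed, violations). The request is rejected only when adding the
    role would create a conflict; pre-existing conflicts are reported for audit
    but are not caused by this request.
    """
    before = set(sod_violations(current_roles))
    after = sod_violations(set(current_roles) | {requested_role})
    new_conflicts = [combo for combo in after if combo not in before]
    return (not new_conflicts, new_conflicts)
```

A job change that moves someone from payments initiation to approval should be modelled as a replacement of the old role, not an addition, or this check will (correctly) refuse it.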
Identity Management Is Integral to a Lot of Core Processes
[Diagram: manage entitlements throughout the employee lifecycle. Business processes: Recruit & Select Candidates, Hire Staff, Probation, Manage Deployment, Change Employee Details, Extended Leave, Manage Departure. Stakeholders: HR, Risk & Audit, Finance, Security]
An Example: Improving the New Hire Process
Process Improvement Framework:
1. Define the Problem or Idea
2. Assess the Current Process
3. Design & Select Options
4. Do it... Implement
5. Measure & Review
- Our aim: ensure an employee has the right access to do their job on day 1
- The problem: most staff do not have an Employee ID when they start
- Need to align processes: traditionally recruitment sits with HR and access provisioning with IT
An Example: Focus on New Hire Process, Step 2 (Assess the Current Process)
[Swimlane diagram of the current process across iam, People Services, Line Manager, Help Desk, HR and CommSee]
- Employee record not created until offer received by HR
- Opportunity: create employee record ASAP
An Example: Focus on New Hire Process, Step 3 (Design & Select Options)
[Diagram: Recruit -> Offer -> Request Access -> Access Created / Given -> Employee Starts]
- When should the Employee ID be created?
3. TIM Is Highly Integrated with Core Bank Processes
Suggestions:
- Focus on both process improvement and system improvement
- Look at all the exceptions: these can create stumbling blocks, and workarounds can lead to duplicate accounts
- Target consistency across business units: this will make automation easier and less costly
- Business Analysts are critical
- Get all the process owners involved
- Communicate more
4. Getting the Right People Involved
Challenges:
- Huge number of stakeholders with varying interests
- Very large customer base
- Many process integration points
- Many help desks and support teams
- Strong technical and business skills required: BAs, Java, TIM workflow, integration, DB2, etc.
Suggestions:
- Value your team
- Collaborate and build relationships whenever you can
- Set up appropriate forums with interested parties
- Seek expert advice
- Leverage the IBM / Tivoli community
Questions?