IBM Tivoli Identity Manager Best Practices
Thomas L. Brooks, PMP
F12
San Francisco, CA May 7-10, 2007
IBM Software Group
© IBM Corporation 2007
IBM Software Group | Tivoli software
Agenda
Introduction
Lifecycle of an ITIM Implementation Project
– Prior to Project Start
– Project Initiation and Planning
– Project Execution, Control, and Closure
Deployment Expectations and Pitfalls to Avoid
Steady State Considerations
Supplemental Materials
– Component View vs. Logical View
– Identity Management Pyramid
– Best Practice Deployment Approach
– Who Does What and When?
– Steady State Backup
Introduction
What makes an ITIM Implementation different?
Complexity of identity management business needs
Required level of commitment from the customer
Misconceptions about the ITIM solution
Range of skills needed to implement an ITIM solution
Limited pool of experienced ITIM solution implementers
Maturity of the ITIM solution
Introduction (cont.)
What skills, knowledge, and experience does an ITIM implementer need?
Possess a working knowledge of the product itself, the middleware components of the solution, and the foundational skills needed to install and configure it
Know what tools, templates, and other intellectual capital are available for ITIM solutions and learn how to use them properly
Know who the contacts are in various IBM organizations and teams to get help when you need it
Strongly recommend participating in at least one ITIM implementation being managed or led by an experienced resource before attempting one on your own
Must have good negotiating skills for expectation and satisfaction management and for getting and holding on to the resources you need
Must have a strong project manager
Lifecycle of an ITIM Implementation Project
Prior to Project Start
The timeframe before the software is sold and/or before a contract for services is signed when the team is supporting the sales cycle and helping to close the deal. Focus is on gathering information to produce scope, cost, and time estimates and setting expectations.
Project Initiation and Planning
The timeframe between the signing of a contract for services and the establishment of a baseline project plan. Focus is on establishing the project team and assessing and/or resetting expectations as needed to get the project started properly.
Project Execution, Control, and Closure
The timeframe following the establishment of a baseline project plan when the work of the project is proceeding and the change control and issues management processes are being executed through the controlled closure of the project. Focus is on monitoring the status of project activities, taking corrective action as needed, and leading the team through the successful implementation of the ITIM solution to meet the business needs.
Prior to Project Start
Understanding Requirements
Several key high level questions must be addressed
– Do you have clear business needs and goals?
– Does the responsibility for achieving these goals rest with a specific group?
– How does the identity management business need fit into the “big picture”?
– What are the “real” constraints that will affect the implementation?
Most customers will not have all the answers at this point
Drive information gathering to be specific and focus on the critical areas
Take advantage of tools, templates, and other intellectual capital available
Prior to Project Start (cont.)
Setting Expectations
This timeframe is when you have the most power to shape perceptions
Guide the stakeholders towards a phased implementation
Look for opportunities to create some early “wins”
Try to avoid full scale implementation and/or customization in the first phase
You can’t win them all – when you don’t, document thoroughly
Improper expectations can disrupt every aspect of an implementation
Prior to Project Start (cont.)
Performing a Proof of Concept (PoC)
Should be treated as a tool, not an exercise – use it to your advantage
Limit scope to simple platforms, configs, and functions – no customizations!
Ensure that very specific objectives are defined with completion criteria
Stick to the basics – this is not the time to try new stuff or push the envelope
Do not get held up by details – note questions and issues and move on
Conclude with a demo to the key customer stakeholders – make it an event!
A successful Proof of Concept does not need to eliminate all doubts or answer all questions – it just needs to reassure the stakeholders that it can work in their environment
Prior to Project Start (cont.)
ITIM Implementation Estimation and Sizing
Time, Cost, Functionality
– What is the timeline? Are there multiple phases? When are key milestones?
– Will the services be time and materials or fixed price? What are the rates?
– What will be in scope for each phase and overall?
Resource Planning
– What is the size and composition of the implementation team?
– What resources will various stakeholders provide for the implementation?
Hardware Sizing
– What capacity does the solution need to accommodate?
Defining Initial Architecture
– Do you have enough info to define an initial architecture with stakeholder approval?
Factor in all the information you have and allow for missing data
Take advantage of tools, templates, and other intellectual capital available
Have a more experienced implementer review estimates and discuss feedback
Prior to Project Start (cont.)
ITIM Implementation Statement of Work
Scope
Be as specific and thorough as possible. This serves as the basis for all project activities. In the strictest sense, if it is not listed here, it should not be done without a formal change order.
Assumptions
Use this section to cover any areas where you do not have enough information or where you want to confirm that your understanding of something matches other stakeholders’.
Responsibilities – both Contractor and Customer
Clearly define what the contractor project team will do versus what the customer project team will do.
Deliverables and Completion Criteria
Make sure that all deliverables are concrete and specific and all completion criteria are finite and within your control.
Change Control and Issues Management Processes
Ensure that these sections are clearly defined and tailored to the specific project. Structure them so that they can be followed as a natural aspect of the implementation.
Take advantage of tools, templates, and other intellectual capital available
Project Initiation and Planning
Before You Get Started on Project Tasks
Understanding the History
– Review everything that has taken place up to this point
– You want to be prepared to be fully productive on the first day of the project
Engaging the IBM Account Team or IBM Advocate
– Especially important if they were not involved in the pre-sales activities
– Involving them from the start improves your position when issues arise
Securing Project Team Resources
– You need to make sure you have the right resources with the right skills when you need them
– Allow enough time for other commitments to be wrapped up before planning to have resources in place
Project Initiation and Planning (cont.)
Beginning Project Tasks
Assessing Your Position
– Especially critical if you were not involved in the pre-sales activities
– Needs to be a natural part of the project startup
– You need to make sure the stakeholders do not feel like they are rehashing
– Should be comprehensive
Resetting Expectations As Needed
– Should be done as soon as you complete assessment of your position and have recommendations to present
– Everyone who was involved in setting the original expectations needs to be part of resetting them
– Make this a positive experience
Developing the Initial Project Plan
– Build this around key project milestones and keep it high level
– Be sure to factor in all of the information you have available
– Avoid allowing stakeholders to lock you into this initial plan – no commitments yet
Project Initiation and Planning (cont.)
Project Kickoff Meeting
Schedule it during the first two weeks of the project, but not too soon!
Critical that all key stakeholders participate in the meeting
Use this as an opportunity to gauge stakeholder “investment” in the project
Observe how the stakeholders interact with each other – look for the “power”
Try to sense the internal politics – look for factions and try to discern their support of the project
Seek additional information and details that you have not obtained yet
Schedule follow up discussions with stakeholders as needed
Be confident, but realistic and end the meeting on a positive note
Project Initiation and Planning (cont.)
Baselining the Project Plan
Build on the initial project plan by applying what you learn from the project kickoff meeting and follow up discussions
Do not make the project plan too detailed – some abstraction gives you flexibility to deal with minor events
Solicit input from the whole team
Avoid overloading resources right from the start
Plan for unexpected delays and think about how tasks that are not on the critical path can be rearranged if necessary
Finalize the project plan that you are confident you can meet and get the right stakeholder to sign it to indicate their acceptance. This is your baseline!
Project Initiation and Planning (cont.)
Initiating Change Control and Issues Management Processes
Once you baseline the project plan, it is critical that you enforce the Change Control Process right from the start
Make sure all of the project stakeholders are aware of these processes from the beginning
The project manager is the judge of whether minor events or requests are adding up enough to have an impact on the baseline – if so, they should get a change request
Thoroughly documented change requests and issues will help prevent drifting expectations and misunderstandings as the project proceeds
The results of change requests are reflected as updated project plan baselines and the status of issues is reflected in a running issues log
Project Execution, Control, and Closure
Status Tracking and Reporting
Plan to be engaged enough to keep track of everything going on
Include the project manager in as many technical meetings and discussions as possible
If your project manager is not busy with project management duties, they should spend time learning more about the product
Your project manager should be positioned as the status reporting interface between your team and the other stakeholders
Arrange status discussions and meetings for various audiences at regular intervals
Your goal is to be prepared to respond to any question the stakeholders may pose at any time in a way that inspires confidence and the sense that everything is under control
Project Execution, Control, and Closure (cont.)
Ongoing Expectation Management
Stakeholder expectations should be monitored constantly – assume nothing!
Use status meetings and status reports to help guide expectations
Be aware of how factors outside your project may be influencing stakeholder expectations
Enlist the aid of resources who demonstrate a good understanding of the project scope and who are realistic and supportive of your plans
Make sure that communication is occurring consistently with all levels of stakeholders
Make a special effort to create and maintain an open channel of communication with the sponsor and/or executive management
Enforce the change control and issues management processes
Project Execution, Control, and Closure (cont.)
Managing Changes and Issues and Avoiding CritSits
Changes and issues are a natural aspect of the project – if it was easy, nobody would pay for consultants to do it!
Be passionate, but not emotional when dealing with changes and issues
Set a good example – be positive and keep morale up
Even when the stakeholders are friendly and cooperative, document everything thoroughly
Gather as much information as possible before contacting Technical Support
Learn to escalate issues effectively – use it, but don’t abuse it
Develop a network of “go to” people throughout the organization who you can turn to for assistance in dealing with stumbling blocks
Being responsive and demonstrating progress can sometimes be the difference between a significant issue and a CritSit
Project Execution, Control, and Closure (cont.)
Preparing To Be Self Sufficient
The overall objective in an ITIM implementation project is to obtain the maximum benefit from the solution you have invested in
The quote, “Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.” sums it up
The preparation should begin from the first day of the project and continue throughout – effective knowledge transfer is a critical success factor!
Consider this goal when developing all project documentation and deliverables – the more thorough, the better
Share tips and techniques about how to troubleshoot the solution and deal with unexpected behaviors and results
The solution operation resources should be both technically prepared and psychologically comfortable assuming operational control of the solution
Project Execution, Control, and Closure (cont.)
Controlled Closing
Verifying the Deliverables and Exit Criteria
– Review all deliverables produced by your team for contract compliance
– Confirm that all exit criteria are satisfied and get stakeholder signoff as appropriate
Releasing Resources
– Make sure you get all of the work products from the resources before they leave
– Plan the orderly release of project resources to allow them to transition to the next project in a timely fashion
Identifying Follow On Opportunities with Stakeholders
– Arrange a meeting with stakeholders specifically to discuss “next steps”
– Try to time discussions to capitalize on current project success and/or momentum
Steady State Considerations
Level of Effort (LOE) or Full Time Equivalents (FTEs) required to operate and maintain an ITIM solution are dependent upon many factors. The most important of these factors are:
The functionality of the solution that has been deployed
The complexity of the enterprise in terms of identities, organizations, managed targets, roles, policies, workflows, etc.
The volume and frequency of change to the configuration elements
The maturity of the business logic the solution is based upon
The quality of the identity and account data that is being managed
The extent to which the out of the box solution has been customized
The skill levels and experience of the operation and administration staff
Central vs. Distributed Security Administration Model
Steady State Considerations (cont.)
Regardless of the quantities, there are certain aspects of operation and maintenance that are almost universal. Planning early in the project to ensure that there will be coverage for all of these aspects is the most effective way to avoid problems down the road. These aspects are:
Thorough documentation of the decisions made during the solution design and implementation
Detailed understanding of the configurations and any customizations made to the solution
Staff with the proper foundational skills and training to operate and maintain the solution
Detailed processes and procedures for operation and maintenance scenarios
An individual or team that clearly owns the solution
Complete socialization of the solution throughout the enterprise
Steady State Considerations (cont.)
The resources responsible for operating and maintaining the ITIM solution should have an administrative-level understanding and working knowledge and skills in the following areas:
The operating system(s) that the ITIM solution is running on (e.g. Windows, AIX, Solaris, HPUX, Linux)
The relevant database platforms (e.g. DB2, Oracle, MS SQL Server)
The relevant directory server (e.g. IBM Directory Server, Sun ONE)
The relevant application server (e.g. WebSphere, WebLogic)
The IBM Tivoli Identity Manager application itself
TCP/IP Networking configuration and troubleshooting
Information gathering, documentation, and communication with IBM Tivoli Customer Support
Deployment Expectations – General Information
As customer scale and complexity increase, implementation work increases, but not in strictly linear fashion. As a rough rule of thumb, a "typical" customer implementation with medium/high complexity and 100,000+ users will likely range 10-18 months in duration and require an IBM project team of 3-5 resources. This estimated duration and team size could be higher based on actual solution design results. The range varies based on the following factors:
1. Complexity and heterogeneity of the customer specific OS/application/hardware IT environment
2. The customer's unique business and technical requirements
3. Number, skill level and types of customer resources that will be applied to the project
4. Customer's project standards and security and IT process maturity
All IT deployments require:
Project management
Solution design
Detailed project planning
Internal process and standards design and definition
Data loading and migration
Configuration of entitlements (org unit, access control, workflow, password & identity policies, etc.)
Some level of customization
Test environment implementation
Change control and QA process
Production roll out implementation
Documentation
Training
In general, the more organized, prepared, educated, and committed the customer is, the more efficient the deployment is. IBM can significantly assist here by supplying highly skilled, seasoned ITIM deployment resources (PM, Architect, Consultants) to assist the customer with their ITIM deployment.
Pitfalls to Avoid – Planning and Estimating Lessons Learned
By themselves, data points like number of users, number of agents, number of platforms/applications, number of roles/policies, and number of project team members are not necessarily indicative of size or complexity of an identity management solution deployment
Size and complexity are more often driven by the variety and intricacy of the business logic that is to be implemented in the solution
For a given time and effort, the number of systems that can be implemented can skew widely based on whether those systems are platforms or applications and, in the case of applications, whether the underlying user account data store is proprietary, database, LDAP, etc.
The most effective way to level the skewing factors to arrive at a meaningful data point in terms of time and effort is by deriving the number of unique user account data stores for which a solution needs to be implemented
Determining the number of unique user account data stores usually requires a detailed discovery effort
Pitfalls to Avoid – Planning and Estimating Lessons Learned (cont.)
The two most common challenges in identity management solution deployment projects are vague requirements and unstable scope
The most rapid and successful deployments begin with adequate analysis and detailed design, tend to focus on the platforms vs. applications, and aim to establish basic functionality that can be expanded on and improved in subsequent project phases
When there are many unknowns or complex targets are part of the first phase scope, fewer targets decrease risk and improve the chance of success
More project team members do not generally result in a faster deployment – there is an optimal project team size
The combined IBM and customer project team gets more efficient in deploying targets and estimating time and effort with each successive phase – the IBM resources understand the customer environment better and the customer resources understand the capabilities and limitations of the solution better
Pitfalls to Avoid – General Project Lessons Learned
The majority of detailed solution design effort must take place at the beginning stages of the project, not “design as we go”
Following a pre-defined and agreed upon deployment roadmap is instrumental in recognizing success
Customer executive support and sponsorship must exist for a project to be successful
A teaming approach between the customer and IBM will greatly smooth out the engagement
All members of the team, both customer and IBM, should be aware of the entire project scope and goals
Any decisions that affect change on the project should be communicated to all team members
Project issues and problems should be approached with a goal of resolution, not blame placement
Customer education and knowledge transfer must start at the beginning of the project
Proper project management principles must be followed throughout the life of the project
Supplemental Materials
Application Installation Process – Component View
[Component diagram. Labels: J2EE Application Server; ITIM Application; ITIM Workflow Database; Web User Interface (Administrator, End User); mainframe; RDBMS; ITIM Directory Data; LDAP v3; XML over SSL; agent; "if policy.getMember()s then Accounts.set…()"; Java Application; IIOP; Existing Identity Store; HR Application; JDBC; DSMLv2 over SSL; IDI; DSMLv2 Server & Notifier]
ITIM Data – Logical View
[Logical data diagram. Entities: Organizational Structure (Organizations, Organizational Units, Locations); Identities; Accounts (root, Administrator); Roles (manager, developer); Policies (new employee); Workflows (start); Services (unix, windows). Relationship labels: contain, own, assigned to, apply to, deploy]
Integrated Identity Management Pyramid
Productivity: Enforce security policies proactively
Competitive Advantage: Extend security automation to business partners
Scale: Support large, distributed user base
Compliance: Ease support of audits
Productivity: Speed accurate account creation
Risk: Eliminate Backdoor Access
ROI: Cut Helpdesk Costs by 40%
Fundamental: Administer web and legacy environments consistently
Security: Consistent Authentication and Authorization to all Resources
Integration: Meta view of Enterprise Data Assets
Access Controlled Systems
Data Integration Layer
Self-Regulating Access Controls
Across Organizations
Access Control Policy Automation
Distributed Administration
Access Request Audit Trails
Access Request Approval Process Automation
Orphan Account Control
Password Management
Connectors to Access Control Systems
Best Practice Deployment Approach - Phased Approach to Implementation
[Table with one column per phase and rows Scope, Feature, Benefit; each phase's entries are listed below]
Phase 1: Foundation & Password Management
• Out of the box supported applications/systems (5)
• Baseline reporting
• Covers large or small user target
• HR Feed established
• Orphan Account Control
• Single action to close/suspend user accounts
• Password Management: synchronisation, Reset and Self Service across managed platforms
• Organizational tree established
• Eliminate Risks from ‘Backdoor’ access.
• Necessary reporting available
• High visibility of the solution
• Large benefits gained among the end-users and in the central user administration and support desk
• Compact delivery time
Phase 2: Auto Provision Std Accounts & workflow
• Consistent GUI for Admin
• Consistent Account creation
• Full Audit Trail
• Simple Workflow introduced
• Start Road to RBAC
• Templates for later roll-out established
• All significant applications covered
• Time consuming tasks replaced by automation
• Large benefits gained by the application owners
• Delegated admin possible
• Improved control from detailed reporting
Phase 3: Role based account management
• Rule-set for automated creation and deletion of user accounts
• Rule-set for org. changes
• Full workflow for account management
• Focused on small community
• HR-Feed for managing user accounts – high demands on data quality.
• Organisational chart may need refining
• Administration by Role management introduced
• Requires input and buy-in from application/system owners
• One interface for ALL user administration.
• Scheduled re-organisations with shorter non-productive time for the end-user
• Fast activation and deactivation of user
• Time consuming tasks replaced by automation
Phase 4: Custom Agents & Extension
• Custom developed agent
• Start program to extend RBAC to cover all companies
• No unauthorised administration of user accounts outside of ITIM
• Workflow supports authorisation mgmt
• User registration is automatically updated
• Reduced Admin
• Necessary reporting for external parties
• Consolidation of users
• Organisational Structure
• HR Feed creating new users
• High visibility of the solution
• Large benefits gained among the end-users and in the central user administration
• Higher security and lower license cost
Phase 5: Maturity
• Customer able to repeat new instances of agent installs and integrate into appropriate policies.
• Able to self maintain ITIM to reflect changing business demands.
• Role-based access control fully enabled.
• Only ‘run-out’ applications excluded – if any.
Best Practice Deployment Approach – Deployment Strategy
[Roadmap diagram. Labels: Phase A : Business Analysis Roles and Policies; Phase 1 Password Management; Phase 2 Auto Provisioning & Workflow for Infrastructure Accts; Phase 3 Policies and Roles Defined, RBAC; Phase 4 Custom Agents; Phase 5 Maturity; Repeat Phase 1 and 2 for additional Systems and Apps as requirements are defined]
Foundation : Infrastructure Systems
Phase 1 : Infrastructure Foundation
– Orphan Accounts Identified, Adopted and otherwise Cleaned Up
– Self Service Forgotten and Reset Password
Phase 2 : Automatic Provisioning for Infrastructure Accounts
– Infrastructure Accounts Provisioned Automatically
– Dynamically Driven by Attribute Evaluation: Org Unit, Job Title, Business Role etc
– Automatically Initiated Approval/RFI Workflows as Needed
Non Infrastructure Systems and Applications
– Repeat Phases 1 and 2 for Additional Systems and Applications
Best Practice Deployment Approach – Deployment Strategy (cont.)
Phase 3 : RBAC for Out of the Box Services and Apps
– Analysis of Business Role Requirements completed
– Mapping of Business Roles to Access rights
– Define Roles and Policies (Roles may be Static or Dynamic)
– Culminating in the Automatic Role Driven Provisioning and De-provisioning of Access Rights
Phase 4 : Develop Custom Agents
– Tools: IDI, LDAP-X, RDBMS-X, CLI-X
Phase 5 : Maturity
– All Access Rights are now Controlled
– Refine Roles and Policies as Required
Best Practice Deployment Approach – Deployment Strategy (cont.)
[Roadmap diagram with timeline labels: 5 – 7 Months; 3 - 4 Months; TBD Based on Business Requirement Analysis]
Timelines for Phases 3+ cannot be determined without knowing:
– Details behind business requirements
– Details behind the number of systems/apps for which access rights are to be managed
– Details behind the targets that will require custom agents vs out of the box
– How complex the role matrix will be
Best Practice Deployment Approach – Business Pain Led Realization of ROI
[Diagram: Business/Technology Focus. Labels: Business Process Integration; Employees, Customers, Partners, Suppliers; Business Portals; Application Connectivity; Application Development; Operating Systems; Applications; Infrastructure; Data]
“Bottom Up” Deployment: High Coverage, Well Defined Deliverables, Early ROI, High Visibility, High Impact
“Top Down” Deployment: Tactical Coverage, Restricted Deliverables, Late ROI, Low Impact, Higher Deployment costs
Best Practice Deployment Approach - Strategy Options
Option 1 : Bottom Up
Phase A : Business Analysis Roles and Policies
Phase 1 : Foundation - Password Management
Phase 2 : Auto provisioning and workflow of standard accounts
Phase 3 : Roles and Policies Refined - RBAC
Phase 4 : Custom Agents
Phase 5 : Maturity
Customer Repeats Phase 1 and 2
Option 2 : Top Down
Phase 5 : Maturity
Roles and Policies
Business Analysis for Roles and Policies
Custom Agent
Password Management & Reconciliation
Auto Provision & Workflow
Best Practice Deployment Approach – For and Against
Option 1 – Bottom Up
For:
User and business awareness of product and benefits are visible from an early stage.
Many manual processes can be replaced by automation.
Password management can be implemented for a large number of users.
No development of agents required in phase 1.
Broadens skills and understanding within your organisation at the first phase.
Eases ITIM gently into the business.
Against:
Organisational structure may have to be altered at a later phase.
Medium to high impact on system owners etc., co-operation required.
Driven by Infrastructure, not Business.
Option 2 – Top Down
For:
Focused use of resources from the individual target.
First implementation will be showcase of what can be done.
Deep coverage of an application once implementation has finished.
Low impact on operation and maintenance resources.
Against:
Limited coverage in the first phases, minimal % of user accounts managed.
Potentially custom agents will have to be developed at an early stage.
Minimal benefit to support and overall business.
Higher implementation cost.
Who Does What and When? – Tivoli Security Engagement Model
Who Does What and When? – Implementation
[Implementation roadmap diagram. Phases: PREPARATION and PLANNING, FRAMEWORK, DESIGN, CONFIGURATION, DEPLOY TO PRODUCTION. Track labels: Tech Ed; Technical Installation; Implementation; Project Mgmt.; Org / Conf; Grp / ACI; Policy; Work-Flow; Auto. Activities shown:]
Project Team Training
Determine Scope and Approach
Develop and Maintain Work Plan
Install and Test E/S
Data Loading
Develop To-Be Process Maps
Configure Provisioning Policies and Entitlements
Document As-Is Process Maps
Technology Architecture Drawing and Solution Design
Develop Provisioning Policies and Entitlements
Perform Pre-Production Testing
Configure Organization Structure and Roles
Schedule Training
Help Desk Support Training
Install and Test Agents
Verify Client Environment
Administrator Training
Configure ITIM Groups and ACIs
Develop Automated Processes
Configure Account Management Forms
Design ITIM Groups and ACIs
Design Security Administration Workflows & Procedures
Project Wrap-up Activities
Reconciliation and Orphan Account Cleanup
Data Files Preparation
Data File Design
Design Testing Strategy and Scripts
Perform System Tuning
Design Account Management Forms
End User Training
Document Installation History
Enable Chosen Workflows and Procedures
Budget and Actuals Tracking
Configure Security Administration Workflows & Procedures
Monitoring and Reporting Activities
Perform Readiness Assessment
Who Does What and When? – Typical Deliverables by Implementation Phases
Preparation and Planning
Sales and Pre-Planning
Project Management
Work Plan, Budget and Actuals Tracking, Project Status Reporting
Scoping, Planning and Documenting
Project Wrap-up Activities
Handoff from Sales
Documented Scope and project success requirements/goals
Documented as-is process maps
Training plan
Technology Architecture Drawing
Solution Design
Client Environment Verification
Documented Work Plan
Project Team training delivered
Installation of E/S and Agents complete
Documented Data File design
Organization Structure Configured in EnRole
Documented to-be process maps
Documented Automated Processes
Administrator Training delivered
Data File Preparation Complete
Design Documentation for Account Management Forms
Design Documentation for ITIM Groups and ACIs
Design Documentation for Provisioning Policies and Entitlements
Documented security administration workflows & procedures
Unit Test Scripts
Business Integration Test Scripts
Help Desk Training delivered
Account Management forms configuration complete
Groups and ACIs configuration complete
Password Policy and Identity Policies
Provisioning Policies and Entitlements configured in ITIM
Security administration workflows & procedures configured
Unit Test results documentation
End User Training delivered
Documented Installation History
Data loading complete
Initial Reconciliation and Data Cleansing complete
Business Integration Test results documented
Final project Sign-off
Phases: PREPARATION and PLANNING | FRAMEWORK | DESIGN | CONFIGURATION | DEPLOY TO PRODUCTION
Steady State Backup – Case Studies – Customer #1
Customer’s Project Goal: Create single user interface (UI) for identity and access management and true Roles Based Access Control (RBAC) environment.
Products Implemented: TIM
Number of Users Managed: 25,000
Number of “out of the box” Agents: 4 – Tivoli Access Manager (TAM), Sybase, Clarify, RACF
Number of “custom” Agents: 4 – Universal Provisioning Agent (UPA) (3 apps done) and Generic Service Provider for Applications (4 apps done)
Number of Unique Account Data Stores: 11
Number of Organizational Roles: 300+ (out of 1400 total roles identified; adding about 100 per week)
Number of Provisioning Policies: 300+ (there is one policy per role in this environment)
Project Timeline: 24 mos. total, 2 phases of 12 mos. each -- separate 2 yr. RBAC project completed prior to start of this project
Phase Focuses: Installation and configuration, initial data load, out of the box targets, custom reports, limited Production // Expand Production to UPA and Custom Service Provider Applications
Average Lifecycle Duration for Agents: 2 mos. for simple agents and 8 mos. for the most complex agents
IBM Project Staff: 5 FT (Project Manager, Architect/Tech Lead, Customization Consultant, and 2 Implementers)
Customer Project Staff: 4 FT and 2 PT (Project Manager, Technical Lead, 2 FT Application Administrators, and 2 PT Application Administrators)
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation Documentation
Project Challenges: Enterprise complexity, product issues
Project Strengths: RBAC project completed in advance, clear requirements, excellent relationship with the customer, strong customer executive sponsor, experienced project management, assistance from Tivoli Development and quick fixes
Transition to Operations: Formal product training, extensive direct knowledge transfer
Operations Staff: ~12 FTEs – Central team of 4 FT Application Administrators and a distributed team of PT Security Administrators
Steady State Backup – Case Studies – Customer #2
Customer’s Project Goal: Reduce security admin costs and eliminate annual recertification audit findings.
Products Implemented: TIM, IDI
Number of Users Managed: 13,000 (3,500 internal and 9,500 external)
Number of “out of the box” Agents: 7 – AIX, Solaris, HPUX, NT, Lotus Notes, Oracle, Sybase
Number of “custom” Agents: 2 – Generic Service Provider for Null Services, IDI Agent to Provision to LDAP
Number of Unique Account Data Stores: 9
Number of Organizational Roles: 100+
Number of Provisioning Policies: 160+
Project Timeline: 18 mos. total, 3 phases 7/5/6 mos. -- 4th phase planned
Phase Focuses: Detailed solution design, installation and configuration, custom agents/utilities/reports, testing and validation // Operational readiness and limited Production // Improve automation and expand Production // 4th phase planned to put additional targets in Production
Average Lifecycle Duration for Agents: 1 mo. for out of the box agents and 2 mos. for custom agents
IBM Project Staff: 6 FT (Project Manager, Architect/Tech Lead, Customization Consultant, Trainer/Technical Writer, and 2 Implementers)
Customer Project Staff: 4 FT and 2 PT (Project Manager, Technical Lead, 2 FT Application Administrators, and 2 PT Technical Subject Matter Experts (SMEs))
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Enterprise complexity, lack of requirements, customer skills
Project Strengths: Excellent relationship with the customer, strong customer executive sponsor, experienced project management
Transition to Operations: Custom in-house training, direct knowledge transfer, detailed documentation
Operations Staff: ~7 FTEs – Central team of 6 FT Security Administrators and a team of PT Technical SMEs
Steady State Backup – Case Studies – Customer #3
Customer’s Project Goal: Save time/money with password self service, easily manage 450,000 user ids for their portal applications, and easily detect/suspend noncompliant accounts.
Products Implemented: TIM, IDI
Number of Users Managed: 450,000
Number of “out of the box” Agents: None
Number of “custom” Agents: 1 – IDI Agent to Provision to LDAP (Customer Internal Portal)
Number of Unique Account Data Stores: 1
Number of Organizational Roles: 40 (30 static, 10 dynamic)
Number of Provisioning Policies: 60
Project Timeline: 16 mos. total, 2 phases of 8 mos. each -- 3rd phase planned
Phase Focuses: Installation and configuration, custom UI for password self service, initial data load, and limited Production // Improve automation and expand Production // 3rd phase planned to put Unix targets in Production
Average Lifecycle Duration for Agents: 1 mo.
IBM Project Staff: 1 PT Project Manager, 1 FT Implementer (assisted by Tivoli Support and Development)
Customer Project Staff: 1 PT Project Manager, 1 FT Application Administrator, and a team of PT Technical SMEs
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Changing requirements, hardware allocation
Project Strengths: Excellent relationship with the customer, aid from Tivoli Support and Development
Transition to Operations: Formal product training, direct knowledge transfer, detailed documentation
Operations Staff: 2 FTEs – 2 FT Application Administrators (strong troubleshooting skills and Unix, TIM, IDI, IBM Directory Server (IDS), WebSphere Application Server (WAS), and scripting skills)
Steady State Backup – Case Studies – Customer #4
Customer’s Project Goal: Provide secure access to data for external users.
Products Implemented: TAM, IDI, TIM
Number of Users Managed: 30,000
Number of “out of the box” Agents: 1 – TAM
Number of “custom” Agents: 1 – Generic Service Provider for Applications (3 apps done)
Number of Unique Account Data Stores: 4
Number of Organizational Roles: 10
Number of Provisioning Policies: 3
Project Timeline: 18 mos. total, 3 phases of 6 mos. each, 6 mos. for TAM/IDI and 12 mos. for TIM
Phase Focuses: TAM/IDI in Production // TIM test and validation // TIM in Production
Average Lifecycle Duration for Agents: 1 mo. for TAM and 6 mos. for Generic Service Provider
IBM Project Staff: 1 PT Project Manager, 1 PT Architect, 1 FT Implementer
Customer Project Staff: 1 FT Application Administrator, 2 PT Technical SMEs (Java, Middleware)
Major Project Work Products: Solution Design, Installation, Configuration, Customization, Implementation and Operations Documentation, Training
Project Challenges: Changing requirements, customer skills, product knowledge, product issues
Project Strengths: Services team commitment, assistance from Tivoli Development and quick fixes
Transition to Operations: Formal product training, direct knowledge transfer, detailed documentation
Operations Staff: 1.5 FTE – 1 FT Application Administrator, 1 PT Technical SME (Java, Middleware)
Steady State Backup – Side-by-Side Comparisons

| | Customer #1 | Customer #2 | Customer #3 | Customer #4 |
|---|---|---|---|---|
| Project Goals | Create single UI for identity and access management and true RBAC environment | Reduce security admin costs and eliminate annual recertification audit findings | Save time/money with password self service, manage users for portal apps, detect and suspend non-compliant accounts | Secure access to data for external users |
| Users Managed | 25,000 | 13,000 | 450,000 | 30,000 |
| No. of Data Stores | 11 | 9 | 1 | 4 |
| No. of Roles | 300+ | 100+ | 40 | 10 |
| No. of Policies | 300+ | 160+ | 60 | 3 |
| Project Timeline | 24 mo. – 2 phases | 18 mo. – 3 phases | 16 mo. – 2 phases | 18 mo. – 3 phases |
| Agent Timeline | 2 – 8 mo. | 1 – 2 mo. | 1 mo. | 1 – 6 mo. |
| Project Staff Size | 9 FT + 2 PT | 10 FT + 2 PT | 2 FT + 2 PT | 2 FT + 4 PT |
| Ops. Staff Size | ~12 FTE | ~7 FTE | 2 FTE | 1.5 FTE |
Q & A
For More Information

Tivoli User Groups
You can get even more out of Tivoli software by participating in independently run Tivoli User Groups around the world; learn about online and in-person opportunities near you at www.tivoli-ug.org

Tivoli Training
IBM offers technical training and education services to help you acquire, maintain and optimize your IT skills. For a complete Tivoli Course Catalog and Certification Exams visit www.ibm.com/software/tivoli/education

Tivoli Services
With IBM Software Services for Tivoli, you get the most knowledgeable experts on Tivoli technology to accelerate your implementation. For a complete list of Services Offerings visit www.ibm.com/software/tivoli/services

Tivoli Support
IBM Software Premium Support provides an extra layer of proactive support, skills sharing and problem management, personalized to your environment. Visit www.ibm.com/software/support/premium/ps_enterprise.html