The Transformation of IAM for EnerNOC’s Next Generation Architecture Per Gyllstrom, Chief Architect, EnerNOC Inc. Mike Woodburne, IAM Architect, Identropy Inc.

Identity Summit 2015: EnerNOC Case Study: The Transformation of IAM for EnerNOC’s Next Generation Architecture


Page 1: Identity Summit 2015: EnerNOC Case Study: The Transformation of IAM for EnerNOC’s Next Generation Architecture

The Transformation of IAM for EnerNOC’s Next Generation Architecture

Per Gyllstrom, Chief Architect, EnerNOC Inc.

Mike Woodburne, IAM Architect, Identropy Inc.

Page 2

About EnerNOC

Copyright © Identity Summit 2015, all rights reserved.

Proven Customer Track Record
• 72,000+ sites for 4,400+ EIS customers
• 15,200+ sites for 6,500+ demand response customers
• 52 utility and 14 grid operator customers
• > $1 billion in customer savings to date
• > $15 billion enterprise energy spend under management
• Simple, risk-free commercial agreements

Full Value and Technology Offering
• Energy intelligence application platform addresses demand and supply side, connects energy usage to dollars in real time
• Combines technology, managed services, and market access
• Nearly $200 million invested to date in technology
• 24/7/365 Network Operations Center, real-time metering and web-based monitoring from any device

World-Class Team and Resources
• Over 1,300 employees and growing fast – multiple “top places to work” awards
• Publicly traded on the U.S. NASDAQ (ENOC)

Page 3

EnerNOC’s Energy Intelligence Software

Our solutions focus on the three energy cost drivers

How you buy it
Budgets and Procurement
• Develop accurate energy budgets
• Track cost
• Manage exposure to real-time prices
• Procure energy through auctions
Utility Bill Management (UBM)
• Collect historical utility bills
• Track trends in utility usage & cost
• Discover & report billing errors
• Streamline accounts payable

How much you use
Visibility and Reporting
• Track trends in energy use & carbon impact
• Visualize energy data (consumption patterns)
• Automate ENERGY STAR reporting
• Track actual consumption & demand costs
Facility Optimization
• Benchmark & compare facilities
• Analyze meter data to identify cost savings
• Prioritize actions across a portfolio
Project Tracking
• Track the impact of measures

When you use it
Demand Response
• Earn revenue to fund your energy projects
• Measure and manage DR event performance
• Track payment history
Demand Management
• Alert on demand thresholds
• Quantify cost impact of demand peaks
• Forecast new facility and system peaks
• Alert on real-time and day-ahead index prices

Page 4

Figure (labels only): 100% – PLAN, BUILD, RUN

Page 5

EnerNOC IAM Growth Challenges

Customer Growth
• Delegated Administration
• User Provisioning
• International Expansion
• Self Service

Acquisitions
• Federation
• Unified IAM
• Single Identity Store

Financial Focus
• Financial transactions
• Audit requirements
• Strong security

IAM Skillset
• IAM Training
• Consulting Expertise
• Hire IAM Architect

Integration
• Federation
• External SAML - Internal CD SSO
• WebServices Security
• Protected Resources

Performance & Scale
• Low Authorization overhead
• 1 Million+ Users

Product Flexibility
• Product Packaging
• Many new protected resources
• Complex user roles
• Fine Grained Access Ctrl

IAM Decision: Replace proprietary IAM with Industry Standard IAM

Page 6

EnerNOC Multi-Cloud Architecture

Distributed Globally

Diagram (labels recovered from the figure, grouped in the order they appear):

IaaS Cloud (Lease) – Computing, Networking, Storage: Virtual Servers, …, DNS, Route, Firewall, Elastic IP, Block Storage, Load Balancer, VPN; Rapid Elasticity; HA - Auto Recover; Monitor; Resource Mgmt Capabilities; Orchestration

NGP – PaaS MicroServices (Build/Lease): Profiling, Performance Calculations, Action Management, DR Notifications, Utilities, Authentication, Demand Management / EIS, Interval Data, Node Tree, Baselines, MV&P, Customer Contacts, Authorization, Data Services, Alerting, Asset Meta Data, Common Biz, UBM, Tariff

EIS SaaS Applications (Assemble/Build): DemandSmart C&I, Insight, Meter…, C&I Providers, DemandSmart Utilities, Utilities, Internal Demand Mgmt, Enablement, Customer Admin, User Admin, Role Admin, AMC, Action WF, Monitoring, Predictive Analytics Models

SaaS Applications (Lease)

Composite Applications using Components & Services Deployed in the Cloud

Internal Users – Web / Mobile Access from anywhere

Energy Intelligence External Users – Web / Mobile App Access from anywhere

Page 7

Starting Point

Simple Proprietary IAM
• Security Manager
• User Manager
• Role Manager
• Oracle Identity Store
• Proprietary
• Simple, coarse-grained, read-only access control

Limitations
• Very limited authorization model
• User provisioning - labor intensive
• Limited self service
• Maintenance issues
• Design and code evolved over time
• No support for standard federation protocols

Initial As-Is Architecture

Page 8

Full Roadmap

Do Now
• Strong AuthN using OpenAM/OpenDJ
• SSO in support of UBM integration
• Deploy directory based Identity repository on OpenDJ
• Design AuthZ Data Model and provide initial AuthZ
• Provide basic user management use cases (OpenIDM)
• Design and implement a Hybrid AuthN/AuthZ Solution

Do Next
• Provide improved AuthZ capabilities (towards fine grained access)
• Shift User Provisioning from Security Manager to ForgeRock
• Enhance OpenIDM workflows to provide delegated administration capabilities
• Deploy Self-Service Password Management
• Adopt and implement a WebServices API Security Standard

Do Later
• Retire Security Manager – convert applications to new security solution
• Replace federated internal security with a common centralized IAM
• Provide IAM Reporting capabilities
• Drive entitlements from contracts and product agreements in ECRM (SalesForce)

Timeline summary: Do Now – Hybrid AuthN, AuthZ, SSO support; Do Next – Delegated Admin, fine-grained AuthZ, customer self-service, API security; Do Later – SalesForce integration, Security Manager retirement

Page 9

High Level Architecture

Diagram (labels only):
• Boston Data Center: Load Balancer; clusters of Security Manager, OpenDJ and OpenAM/OpenIDM; EnerNOC Applications; RESTful AuthN/AuthZ
• Amazon Web Services (Future ForgeRock Architecture Location): Elastic Load Balancer; Future API Location; OpenAM Cloud, OpenDJ Cloud, OpenIDM Cloud; EnerNOC Application
• Data Sync to OpenDJ and OpenIDM between the two sites

Page 10

Authentication and Session Management

• Multiple applications pending transition to Next Generation Platform (NGP)

• NGP applications support Security Manager sessions

• API layer abstracts session management for NGP applications

• User authentication action returns a token (OpenAM) and a ticket (Security Manager)

• API layer handles token and ticket management

Diagram components: EnerNOC Application → ERAAS Api → Security Manager, OpenAM, OpenDJ

Page 11

Authorization

• Complex entitlement model doesn’t align well with OpenAM

– A database identity repository could have been an option

• Data model created in Oracle to hold users and supporting data for authorization

• RESTful endpoint created in OpenIDM to provide authorization decisions

• Security Manager session refreshes via API layer

Diagram components: NGP Application → ERAAS Api → Security Manager; OpenIDM backed by the OpenIDM Database
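An added example of the authorization endpoint this slide describes (not EnerNOC's code): the body of an OpenIDM custom endpoint script that answers "may user U perform action A at site node N?" from a small customer/site/role data model. In OpenIDM 3.x/4.x such an endpoint is a script file registered through a conf/endpoint-<name>.json file; OpenIDM injects the `request` and `openidm` globals, so the deployed script body would reduce to a single `authzEndpoint(request, openidm)` call. The three tables, their column names and the sample rows are assumptions standing in for EnerNOC's Oracle model, and `openidm.query` is replaced by an in-memory fake so the logic runs under Node. The code is kept to ES5 so that `authzEndpoint` itself would also load in OpenIDM's Rhino script engine.

```javascript
// Added example, not code from the presentation. Decision logic for an OpenIDM
// custom endpoint, reached as GET /openidm/endpoint/authz?userName=..&action=..&nodeId=..
// The tables behind system/oracle/* (assumed model, served by the scripted SQL
// connector) are: a site tree per customer, role grants at tree nodes, and a
// role -> action table. Access is deny-by-default and inherited down the tree.
var IDENT = /^[A-Za-z0-9._@-]{1,64}$/;

function authzEndpoint(request, openidm) {
  if (request.method !== 'read') { throw { code: 405, message: 'only read is supported' }; }
  var p = request.additionalParameters || {};
  var userName = p.userName, action = p.action, nodeId = p.nodeId;
  if (!userName || !action || !nodeId) {
    throw { code: 400, message: 'userName, action and nodeId are required' };
  }
  // The values are interpolated into _queryFilter strings below; a value such
  // as  x" or userName pr "  would rewrite the filter, so allow-list them first.
  if (!IDENT.test(userName) || !IDENT.test(action) || !IDENT.test(nodeId)) {
    throw { code: 400, message: 'malformed identifier' };
  }

  // Ancestor chain of the requested node, the node itself first. The depth cap
  // stops a cyclic parentId chain from looping forever.
  var byId = {};
  openidm.query('system/oracle/site_node', { _queryFilter: 'true' }).result
    .forEach(function (n) { byId[n.id] = n; });
  var ancestors = [];
  for (var n = byId[nodeId]; n && ancestors.length < 64; n = byId[n.parentId]) {
    ancestors.push(n.id);
  }
  if (ancestors.length === 0) { return { allowed: false, reason: 'unknown node' }; }

  // A grant applies if it sits at the node or at any ancestor and its role
  // carries the requested action. First match allows; no match denies.
  var grants = openidm.query('system/oracle/grant',
    { _queryFilter: 'userName eq "' + userName + '"' }).result;
  for (var i = 0; i < grants.length; i++) {
    if (ancestors.indexOf(grants[i].nodeId) === -1) { continue; }
    var perms = openidm.query('system/oracle/role_permission',
      { _queryFilter: 'role eq "' + grants[i].role + '"' }).result;
    for (var j = 0; j < perms.length; j++) {
      if (perms[j].action === action) {
        return { allowed: true, reason: grants[i].role + ' at ' + grants[i].nodeId };
      }
    }
  }
  return { allowed: false, reason: 'no matching grant' };
}

// Constructed rows standing in for the Oracle tables.
var TABLES = {
  'system/oracle/site_node': [
    { id: 'acme',        parentId: null },
    { id: 'acme-east',   parentId: 'acme' },
    { id: 'acme-east-1', parentId: 'acme-east' },
    { id: 'acme-west',   parentId: 'acme' },
    { id: 'globex',      parentId: null }
  ],
  'system/oracle/grant': [
    { userName: 'alice', nodeId: 'acme-east', role: 'facility_manager' },
    { userName: 'bob',   nodeId: 'acme',      role: 'viewer' },
    { userName: 'carol', nodeId: 'globex',    role: 'customer_admin' }
  ],
  'system/oracle/role_permission': [
    { role: 'viewer',           action: 'read_interval_data' },
    { role: 'facility_manager', action: 'read_interval_data' },
    { role: 'facility_manager', action: 'set_demand_alert' },
    { role: 'customer_admin',   action: 'read_interval_data' },
    { role: 'customer_admin',   action: 'manage_users' }
  ]
};

// Minimal stand-in for the openidm.query() that OpenIDM injects into scripts.
// It understands only the filters this endpoint issues: 'true' and  field eq "v".
function fakeOpenidm(tables) {
  return {
    query: function (resource, params) {
      var rows = tables[resource];
      if (!rows) { throw { code: 404, message: 'unknown resource ' + resource }; }
      if (params._queryFilter === 'true') { return { result: rows.slice() }; }
      var m = /^(\w+) eq "([^"]*)"$/.exec(params._queryFilter);
      if (!m) { throw { code: 400, message: 'unsupported filter ' + params._queryFilter }; }
      return { result: rows.filter(function (r) { return String(r[m[1]]) === m[2]; }) };
    }
  };
}

// Builds the request object OpenIDM would hand the script for a GET and
// returns just the boolean decision.
function decide(userName, action, nodeId) {
  var request = { method: 'read', additionalParameters: { userName: userName, action: action, nodeId: nodeId } };
  return authzEndpoint(request, fakeOpenidm(TABLES)).allowed;
}
```

Two design choices matter here. Grants are checked against the ancestor chain rather than against the node alone, which is what lets one role at a customer root cover thousands of sites without per-site rows (the "low authorization overhead" goal on page 5). And every identifier is allow-listed before it is placed into a `_queryFilter`, because OpenIDM query filters are strings and a quote in a user-supplied value would otherwise change the query.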

Page 12

Hybrid Authentication and Authorization

Diagram (labels only): Legacy Application and NGP Application call the ERAAS API (Common Login); Authentication – OpenAM, OpenDJ, Security Manager; Authorization – OpenIDM, OpenIDM Database

Page 13

User Provisioning – Phase One

• Users and entitlements exist within data repository for Security Manager

• Some applications will remain on Security Manager

• One time bulk load of users and entitlements

• LiveSync for synchronization to OpenIDM/OpenDJ

• ScriptedSQL connector communicating with Oracle 11 database

• Short term strategy

Diagram components: User Management Tool → Security Manager → (LiveSync) OpenIDM with OpenIDM Database → OpenDJ

Page 14

User Provisioning – Phase Two

• New user management interface deployed and old interface retired

• New UI leverages custom RESTful endpoints

• User provisioning direct to OpenIDM database and OpenDJ

• LiveSync for synchronization to Security Manager

• Transparent to consumers of EnerNOC applications

Diagram components: User Management Tool → OpenIDM with OpenIDM Database → OpenDJ; (LiveSync) → Security Manager

Page 15

Single Sign-On

• 3 flavors of single sign-on:
1. Agent
• Quick integration for acquired applications
2. RESTful
• Next Generation Platform applications
3. SAML
• Partners
• Custom Agent developed for IIS to interface with ERAAS API layer

Diagram components: Security Manager, OpenDJ, OpenAM; Agent Based Application; NGP Application → ERAAS API; Partners/Customers via SAML

Page 16

DevOps

• Environments scripted via Chef
– Easily portable to AWS
• IAM Components are Microservices
• Failure detection and service discovery
– Consul, ZooKeeper
– Improved health checks developed for each system
– Investigating self-healing solutions for use when deploying to AWS
• Splunking of log files for reporting
• Automated testing of all components using Cucumber and SoapUI

Page 17

Next Up

• AuthN and SSO – Go Live (July)
• Delegated Administration
• Integration with ECRM (Salesforce) for User Provisioning
• Retire Security Manager
– Gradual migration of legacy applications to new IAM
• Deployment in AWS
• Enhanced access control
– Integrate AuthZ model with EnerNOC’s business context model (graph DB)
• Integrated Acquisitions to leverage a centralized Identity Store
• Will bring # of users close to 1M

Page 18

Q & A