IAM-1091A: BNSF Railway’s Move from Oracle/Sun to IBM Identity and Access Management
TRANSCRIPT
© 2014 IBM Corporation
Oracle-to-IBM IAM Migration BNSF Case Study
Chris Fields VP – Security Strategy
Agenda
– Who is BNSF
– Who is PathMaker Group
– BNSF Challenges with Oracle Sun IAM
– Oracle to IBM IAM Migration Approach
– Benefits of IBM IAM Solution
– Next Steps
– Questions
Who is BNSF
– U.S. Railroad Company (Burlington Northern + Santa Fe)
– 160 years in business
– Combination of nearly 400 railroad companies
– Serves Western two-thirds of U.S., portions of Canada & Mexico
Who is PathMaker Group?
– Specialized Security and IAM Integrator; IBM Premier Level partner
– Nearly 20 years delivering IT projects
– Strong project management expertise
– Successful track record with long, complex engagements
– Methodology-driven practices
BNSF Challenges with Oracle IAM

BNSF Oracle IAM Environment
– Oracle Waveset Identity Manager: early poster-child customer; handles base provisioning to all core systems and apps
– Oracle Sun Access Manager: early poster-child customer; handles Web SSO to 60+ apps
– Oracle OpenSSO: handles Federated SSO to 15 apps
– Oracle Sun Directory Server (Enterprise LDAP): provides authentication services to 100s of apps
Connected systems: Windows AD, RACF, SAP, LDAP, AIX (~100), Solaris Unix (~100), RedHat Linux (~400), Teradata, Natural, Office 365, IVR, Office Communicator
50,000+ users, 1.5 Million+ accounts
BNSF Challenges with Oracle IAM
– Frozen product functionality, esp. managed endpoint currency
– Performance issues: wait times accessing account data; HR feed processing times
– Too many customizations: lots of Java code
– Missing key IdM functions: reconciling of account data, role management, segregation of duties, privileged identity mgmt
Oracle to IBM IAM Migration Approach

Why BNSF Chose IBM
– New product was unavoidable: starting over either way
– No “magic pill” to migrate
– Out-of-box capabilities
– Focus on current and future needs
– Synergy with existing IBM products
– IBM support
Oracle to IBM IAM Migration Approach – Phase 1

Step 1: Extract Oracle Objects into Current State Repository
– Start with Sun IAM frame of reference
– Automated utility to extract data
– Store data in central DB
– 40+ IdM object types analyzed

OW Objects (Authentication category) with # of analyzed objects:
Category | Type | Description | # of Analyzed Objects
AttributeDefinition | AttributeDefinition | Definition of Sun IdM user identity attributes | 6
Authentication | LoginApp | Login applications define a collection of login module groups, which further define the set and order of login modules used when a user logs in to Identity Manager. Each login application comprises one or more login module groups. | 8
Authentication | Login Module Groups | The login module group list shows each login module group, the individual login modules that make up a group, and whether a group contains constraint rules. | 5
Authentication | Login Configuration | Defines parameters used if Sun IdM is to use the resource for pass-through authentication. | 1
Oracle to IBM IAM Migration Approach – Phase 1

Step 2: Review Object Mapping & Counts
– Automated, semi-automated and manual object migrations
– Very few objects fit auto migration
– Counts are key decision criteria

Migration Approach (OW object to ISIM object mapping):
Category | OW Object | Description | ISIM Object | Migration | Comments
Policy | Account Policy | Establishes user, password, and authentication policy options and constraints (e.g. authentication questions, password expiration rules) | Identity Policy for userid generation (plus some global properties) | Manual | Represent via Identity Policy
Policy | Password and Account ID Policy | Policies set length rules, character type rules, and allowed words and attribute values | Password Policy (global or per Service) | Manual | Use custom password rule; no dictionary functionality in place
Resource | Resource | Resource objects store information about how to connect to a resource or system on which accounts are provisioned | Service configuration | Semi-automated | Auto-create basic service objects and information either directly in ITIM or in a staging area, with manual augmentation before automating the creation in ITIM
Resource | ResourceAction | Scripts that run within the context of a managed resource, if native support exists for scripted actions (e.g. on a UNIX system, sequences of UNIX shell commands) | PostExec script on the Adapter | Manual | Leverage scripts via ITIM AD Adapter Post-Exec actions, with minor modifications if necessary
Role | Role | A Sun IdM object that represents Identity Manager user types and allows resources to be grouped and assigned to users | Role (Dynamic and Static Role) | N/A | Not being used other than the AppAdmin role
User | User | Sun IdM user object | Person Entity and the ITIM Account | Automated | Include auto decryption/registration of existing challenge questions and IdM password
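The extract-and-count step behind the mapping table, as an added Python example (not code from the presentation, PathMaker Group or BNSF): it parses a constructed, simplified object export (a hypothetical `<Object type= name=>` format, not the real Waveset XML schema), applies the mapping table from the slides, and totals objects per migration path so that the "counts are key decision criteria" review can be reproduced on any inventory.

```python
"""Added example (not PathMaker Group or BNSF code): classify an extracted
Sun IdM object inventory by its ISIM migration path and report the counts,
as in Steps 1-2 of the Phase 1 approach. Object types and paths follow the
mapping table on the slides; the export records are constructed here."""
from collections import Counter
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Mapping table from the slides: Sun IdM object type -> (ISIM object, path).
MIGRATION_MAP = {
    "User": ("Person Entity + ITIM Account", "Automated"),
    "Resource": ("Service configuration", "Semi-automated"),
    "ResourceAction": ("Adapter Post-Exec script", "Manual"),
    "AccountPolicy": ("Identity Policy", "Manual"),
    "PasswordPolicy": ("Password Policy", "Manual"),
    "Role": ("Role", "N/A"),  # only AppAdmin is in use, so not migrated
}
# Anything the table does not cover defaults to hands-on review.
UNMAPPED = ("(unmapped: needs review)", "Manual")

@dataclass(frozen=True)
class IdmObject:
    type: str
    name: str

def parse_export(xml_text: str) -> list:
    """Parse a constructed Sun IdM-style export: one <Object> per record.
    (Hypothetical simplified format, not the real Waveset XML schema.)"""
    root = ET.fromstring(xml_text)
    return [IdmObject(o.get("type"), o.get("name")) for o in root.iter("Object")]

def migration_report(objs) -> list:
    """One row per object type: count, ISIM target and migration path."""
    counts = Counter(o.type for o in objs)
    rows = []
    for obj_type, n in sorted(counts.items()):
        target, path = MIGRATION_MAP.get(obj_type, UNMAPPED)
        rows.append({"type": obj_type, "count": n, "isim": target, "path": path})
    return rows

def effort_summary(rows) -> dict:
    """Object counts per migration path: how much lands in tooling
    (Automated) versus hands-on conversion (Manual)."""
    summary = Counter()
    for row in rows:
        summary[row["path"]] += row["count"]
    return dict(summary)

# Constructed sample export; object names are made up.
SAMPLE_EXPORT = """<Export>
  <Object type="User" name="u1"/><Object type="User" name="u2"/>
  <Object type="User" name="u3"/><Object type="User" name="u4"/>
  <Object type="User" name="u5"/>
  <Object type="Resource" name="AD"/><Object type="Resource" name="RACF"/>
  <Object type="Resource" name="SAP"/>
  <Object type="ResourceAction" name="AD-post-create"/>
  <Object type="ResourceAction" name="Unix-home-dir"/>
  <Object type="Role" name="AppAdmin"/>
  <Object type="AccountPolicy" name="Default"/>
  <Object type="TaskDefinition" name="NightlyHRFeed"/>
</Export>"""

if __name__ == "__main__":
    report = migration_report(parse_export(SAMPLE_EXPORT))
    for r in report:
        print(f"{r['type']:<16}{r['count']:>5}  {r['path']:<15}{r['isim']}")
    print(effort_summary(report))
```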
Oracle to IBM IAM Migration Approach – Phase 1

Step 3: Build Req’s Summary & Review/Refine
– Automated req’s definition
– 120 use cases
– Able to ignore 35% of existing configuration

Use Case # | Use Case Name | Use Case Description | In Use (Y/N) | Notes | ISIM Solutions
UC-M2 | Sun IdM Administrators manually append user's Unix "comments" to the "comments" attribute of the user's IdM account (User Interactive) | Sun IdM Administrators manually append "comments" of the user's Unix account to the "comments" attribute of the user's IdM account | N | One-time usage |
UC-M1 | Sun IdM Administrators manually bulk disable users' accounts (User Interactive) | Sun IdM Administrators manually bulk disable users' accounts. Whoever launches the action is able to select a list of users and to-be-disabled resource accounts (or all resource accounts), and enter comments (populated to AD, RACF). | Y | Users can specify the target user list from a file by using Sun IdM OTB “Launch Bulk Action”. This use case is used for: 1. Bulk-processing dormant AD user or RACF user clean-up; 2. Daily bulk disable | For the daily HR bulk disable process, an automatic workflow will replace the manual comment population; comments will be populated automatically by ITIM workflow. For dormant RACF disable, the user list will be read from a CSV file; no comment is required. For dormant AD disable, “to-be-disabled” AD groups will be used and an ITIM workflow designed to bulk disable
Oracle to IBM IAM Migration Approach – Phase 1

Step 4: Document Gaps & Review
– Detailed review of current functions to identify gaps
– Opportunity to take advantage of new features
– User interface gaps / differences were key
Oracle to IBM IAM Migration Approach – Phase 1

Step 5: Finalize Conversion Rules & Approach
– Req’s doc created
– Review with key teams
– Updates / revisions

TABLE OF CONTENTS (Req’s doc)
1 Introduction: 1.1 Background; 1.2 Scope
3 Functionality Requirements: 3.1 Summary of Functionality Requirements; 3.2 Backend Use Cases; 3.3 User Interactive Use Cases; 3.4 Self-Services Use Cases; 3.5 Future Use Cases; 3.6 Notification; 3.7 Audit; 3.8 Reports
4 Integration Requirements: 4.1 User Feeds; 4.2 Connected Resources; 4.3 Indirect Resources
5 Security Requirements: 5.1 IdM Administration; 5.2 Data Security; 5.3 IdM Authentication; 5.4 IdM Organization; 5.5 Account ID Policy; 5.6 Password Policies
Oracle to IBM IAM Migration Approach – Phase 1

Step 6: Conceptual Design & Implementation Estimate
– Design approach made concrete
– Implementation estimate created
– Customer teams impacted & resource requirements

TABLE OF CONTENTS (Conceptual Design doc)
1 Introduction: 1.1 Background; 1.2 Scope
2 Guiding Principles: 2.1 Conceptual Design Sign Off; 2.2 Minimize Customizations; 2.3 Minimize Risk
3 ITIM System Architecture Overview: 3.1 ITIM System Architecture Overview Diagram, Production and Trial; 3.2 ITIM System Architecture Overview Diagram, Development; 3.3 Production Environment; 3.4 Trial Environment; 3.5 Development Environment; 3.6 SSL / Certificates
4 ITIM Platform Requirements: 4.1 ITIM Minimum Server Hardware Specifications; 4.2 High Availability
6 Requirements Use Case Mapping: 6.1 Overview; 6.2 Backend Use Cases; 6.1 User Interactive Use Cases; 6.2 Self-Services Use Cases; 6.3 Future Use Cases
7 Organization Tree: 7.1 Containers
8 Roles: 8.1 Person Dynamic Roles; 8.2 Static Roles; 8.3 Role Owners
Oracle to IBM IAM Migration Approach – Phase 2
Step 7: Detailed Design
Step 8: Configuration / Development
Step 9: Test Planning & Execution
Step 10: Cutover Planning & Migration
Step 11: Post-Migration Support

– Transition to a typical IAM implementation
– Detailed testing is a must: ability to validate results in parallel (side by side)
– Big Bang vs. mixed rollout strategy: temporary interfaces can be costly; back-out strategy is a key consideration
– Cutover planning & coordination is critical: early infrastructure integration in upper environments is key
Benefits of IBM Solution
– Move towards out-of-box configuration vs. customizations
– More robust adapter integration
– Better performance (esp. SSO)
– Integrated role management and compliance
– Better admin UI experience

Easy Mapping of Product Components
Oracle Product | IBM Product
Oracle Waveset Identity Manager | IBM Security Identity Manager
Oracle Sun Access Manager | IBM Security Access Manager for Web
Oracle OpenSSO | IBM Federated Identity Manager
Oracle Sun Directory Server | IBM Security Directory Server
Oracle Virtual Directory Server | IBM Security Directory Integrator
Next Steps for BNSF

Next Steps – It’s a Jungle out There!
– Extend integrations with existing targets
– Leverage new IAM platform capabilities
– Expand SSO capabilities to mobile platforms

Roadmap:
– IBM IAM Migration
– Enterprise Roles & Recert Pilot
– Privileged Identity Mgmt
– Enterprise Roles & Recert P2
– Mobile SSO
Questions?
Chris Fields, VP – Security Strategy
[email protected]
817-704-3644 x110 (Office), 972-523-8620 (Cell)