identity summit 2015: enernoc case study: the transformation of iam for enernoc’s next generation...
Post on 25-Jul-2015
TRANSCRIPT
The Transformation of IAM for EnerNOC’s Next Generation Architecture
Per Gyllstrom, Chief Architect, EnerNOC Inc.
Mike Woodburne, IAM Architect, Identropy Inc.
About EnerNOC
Proven Customer Track Record
• 72,000+ sites for 4,400+ EIS customers
• 15,200+ sites for 6,500+ demand response customers
• 52 utility and 14 grid operator customers
• > $1 billion in customer savings to date
• > $15 billion enterprise energy spend under management
• Simple, risk-free commercial agreements
Copyright © Identity Summit 2015, all rights reserved.
Full Value and Technology Offering
• Energy intelligence application platform addresses demand and supply side, connects energy usage to dollars in real time
• Combines technology, managed services, and market access
• Nearly $200 million invested to date in technology
• 24/7/365 Network Operations Center, real-time metering and web-based monitoring from any device
World-Class Team and Resources
• Over 1,300 employees and growing fast – multiple “top places to work” awards
• Publicly traded on the U.S. NASDAQ (ENOC)
EnerNOC’s Energy Intelligence Software
Our solutions focus on the three energy cost drivers
How you buy it
Budgets and Procurement
• Develop accurate energy budgets
• Track cost
• Manage exposure to real-time prices
• Procure energy through auctions
Utility Bill Management (UBM)
• Collect historical utility bills
• Track trends in utility usage & cost
• Discover & report billing errors
• Streamline accounts payable
How much you use
Visibility and Reporting
• Track trends in energy use & carbon impact
• Visualize energy data (consumption patterns)
• Automate ENERGY STAR reporting
• Track actual consumption & demand costs
Facility Optimization
• Benchmark & compare facilities
• Analyze meter data to identify cost saving
• Prioritize actions across a portfolio
Project Tracking
• Track the impact of measures
When you use it
Demand Response
• Earn revenue to fund your energy projects
• Measure and manage DR event performance
• Track payment history
Demand Management
• Alert on demand thresholds
• Quantify cost impact of demand peaks
• Forecast new facility and system peaks
• Alert on real-time and day-ahead index prices
[Figure: PLAN / BUILD / RUN lifecycle graphic (labelled 100%)]
EnerNOC IAM Growth Challenges
Customer Growth
• Delegated Administration
• User Provisioning
• International Expansion
• Self Service
Acquisitions
• Federation
• Unified IAM
• Single Identity Store
Financial Focus
• Financial transaction
• Audit requirements
• Strong security
IAM Skillset
• IAM Training
• Consulting Expertise
• Hire IAM Architect
Integration
• Federation
• External SAML - Internal CD SSO
• WebServices Security
• Protected Resources
Performance & Scale
• Low Authorization overhead
• 1 Million+ Users
Product Flexibility
• Product Packaging
• Many new protected resources
• Complex user roles
• Fine Grained Access Ctrl
IAM Decision: Replace proprietary IAM with Industry Standard IAM
EnerNOC Multi-Cloud Architecture
[Figure: multi-cloud architecture diagram; only the box labels are recoverable]
Labels: Rapid Elasticity, HA - Auto Recover, Monitor, Resource Mgmt, Capabilities, Orchestration, Virtual Servers, …, DNS, Route, Firewall, Elastic IP, Block Storage, Load Balancer, VPN, …, Computing, Networking, Storage, Profiling, Performance Calculations, Action Management, DR Notifications, Utilities, Authentication, Demand Management / EIS, Interval Data, Node Tree, Baselines, MV&P, Customer Contacts, …, Authorization, Data Services, Alerting, Asset Meta Data, Common Biz, …, UBM, Tariff
Distributed Globally
[Figure: global deployment diagram; only the box labels are recoverable]
Labels: DemandSmart C&I, Insight, Meter…, C&I Providers, DemandSmart Utilities, Utilities, Internal Demand Mgmt Enablement, Customer Admin, User Admin, Role Admin, AMC, Action WF, Monitoring, Predictive Analytics Models
Layers: EIS SaaS Applications (Assemble/Build); NGP – PaaS MicroServices (Build/Lease); IaaS Cloud (Lease); SaaS Applications (Lease)
Internal Users: Web / Mobile Access from anywhere
Composite Applications using Components & Services, Deployed In the Cloud
Energy Intelligence External Users: Web / Mobile App Access from anywhere
Starting Point
Simple Proprietary IAM
• Security Manager
• User Manager
• Role Manager
• Oracle Identity Store
• Proprietary
• Simple, coarse grained, read-only access control
Limitations
• Very limited authorization model
• User provisioning - labor intensive
• Limited self service
• Maintenance issue
• Design and code evolved over time
• No support for standard federation protocols
Initial As-Is Architecture
Full Roadmap
Do Now
• Strong AuthN using OpenAM/OpenDJ
• SSO in support of UBM integration
• Deploy directory based Identity repository on OpenDJ
• Design AuthZ Data Model and provide initial AuthZ
• Provide basic user management use cases (OpenIDM)
• Design and implement a Hybrid AuthN/AuthZ Solution
Do Next
• Provide improved AuthZ capabilities (towards fine grained access)
• Shift User Provisioning From Security Manager to ForgeRock
• Enhance OpenIDM workflows to provide delegated administration capabilities
• Deploy Self-Service Password Management
• Adopt and implement a WebServices API Security Standard
Do Later
• Retire Security Manager – convert applications to new security solution
• Replace federated internal security with a common centralized IAM
• Provide IAM Reporting capabilities
• Drive entitlements from contracts and product agreements in ECRM (SalesForce)
Timeline labels:
Now: Hybrid AuthN, AuthZ SSO support
Next: Delegated Admin, fine-grained AuthZ, customer self-service, API security
Later: SalesForce integration, Security Manager retirement
High Level Architecture
[Figure: deployment diagram spanning the Boston Data Center and Amazon Web Services; only the box labels are recoverable]
Labels: Cluster (x3), Security Manager, OpenDJ, OpenAM, OpenIDM, EnerNOC Application (x2), Load Balancer, RESTful AuthN/AuthZ, Elastic Load Balancer, Future API Location, Future ForgeRock Architecture Location, OpenAM Cloud, OpenDJ Cloud, OpenIDM Cloud, EnerNOC Application, Data Sync to OpenDJ and OpenIDM, Boston Data Center, Amazon Web Services
Authentication and Session Management
• Multiple applications pending transition to Next Generation Platform (NGP)
• NGP applications support Security Manager sessions
• API layer abstracts session management for NGP applications
• User authentication action returns a token (OpenAM) and a ticket (Security Manager)
• API layer handles token and ticket management
[Figure: components: EnerNOC Application, ERAAS Api, Security Manager, OpenAM, OpenDJ]
Authorization
• Complex entitlement model doesn’t align well with OpenAM
– Database identity repository could have been option
• Data model created in Oracle to hold users and supporting data for authorization
• RESTful endpoint created in OpenIDM to provide authorization decisions
• Security Manager session refreshes via API layer
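The two slides above describe the ERAAS API layer's job: a single login returns an OpenAM token and a Security Manager ticket, the layer owns the pairing, authorization decisions come from the entitlement data model rather than from OpenAM, and the legacy ticket is refreshed through the layer. The following is an added example that is not EnerNOC's code and does not call OpenAM, OpenIDM or Security Manager; both back ends are in-memory stand-ins, and the users, roles, sites and TTLs are constructed for the example. It shows the one thing the slides leave implicit: a caller only ever sees the token/ticket pair, and every authorization call with a live token keeps the short-lived legacy ticket alive so applications still on Security Manager do not lose their session mid-use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 stand-in for whatever the real identity store does with credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample identity data (not from the deck): roles are scoped to
# customer sites, which is the kind of fine-grained rule a coarse model lacks.
_SALT = b"constructed-salt"
USERS = {
    "alice": {"pw": _hash_pw("correct horse", _SALT),
              "roles": {"ubm_analyst": {"site-1", "site-2"}}},
    "bob": {"pw": _hash_pw("battery staple", _SALT),
            "roles": {"dr_admin": {"site-3"}}},
}
# Role -> allowed (resource, action) pairs; site scoping comes from the user record.
ROLE_ENTITLEMENTS = {
    "ubm_analyst": {("utility_bill", "read"), ("report", "read")},
    "dr_admin": {("dr_event", "read"), ("dr_event", "dispatch"), ("report", "read")},
}


@dataclass
class _Session:  # stand-in for an OpenAM SSO token record
    user: str
    expires: float


@dataclass
class _Ticket:  # stand-in for a Security Manager ticket record
    user: str
    expires: float


@dataclass
class HybridApi:
    """API layer: one login yields a token+ticket pair; callers only ever see
    the pair and never talk to either back end directly."""
    token_ttl: float = 3600.0                 # long-lived OpenAM-style session
    ticket_ttl: float = 300.0                 # short legacy ticket, kept alive by use
    clock: Callable[[], float] = time.time    # injectable for deterministic tests
    _tokens: Dict[str, _Session] = field(default_factory=dict)
    _tickets: Dict[str, _Ticket] = field(default_factory=dict)
    _pairing: Dict[str, str] = field(default_factory=dict)   # token -> ticket

    def login(self, user: str, password: str) -> Optional[Dict[str, str]]:
        rec = USERS.get(user)
        # Constant-time compare; the dummy hash keeps timing similar for unknown users.
        expected = rec["pw"] if rec else _hash_pw("", _SALT)
        if not hmac.compare_digest(expected, _hash_pw(password, _SALT)) or rec is None:
            return None
        now = self.clock()
        token, ticket = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._tokens[token] = _Session(user, now + self.token_ttl)
        self._tickets[ticket] = _Ticket(user, now + self.ticket_ttl)
        self._pairing[token] = ticket
        return {"token": token, "ticket": ticket}

    def _user_for(self, token: str) -> Optional[str]:
        s = self._tokens.get(token)
        if s is None or s.expires <= self.clock():
            self._tokens.pop(token, None)
            return None
        return s.user

    def ticket_valid(self, ticket: str) -> bool:
        t = self._tickets.get(ticket)
        return t is not None and t.expires > self.clock()

    def authorize(self, token: str, resource: str, action: str, site: str) -> bool:
        """Decision from the entitlement model, keyed by the OpenAM-style token.
        Any call with a live token also refreshes the paired legacy ticket."""
        user = self._user_for(token)
        if user is None:
            return False
        ticket = self._pairing.get(token)
        if ticket in self._tickets:
            self._tickets[ticket].expires = self.clock() + self.ticket_ttl
        for role, sites in USERS[user]["roles"].items():
            if site in sites and (resource, action) in ROLE_ENTITLEMENTS.get(role, ()):
                return True
        return False   # default deny: no role grants this action at this site

    def logout(self, token: str) -> None:
        # Tear down both halves of the pair together.
        ticket = self._pairing.pop(token, None)
        self._tokens.pop(token, None)
        self._tickets.pop(ticket, None)
```

The clock is injected so the refresh behaviour can be checked without sleeping: let the legacy ticket lapse while the token is still valid, then confirm the next authorization call brings it back, and confirm that an expired token denies everything regardless of the ticket.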
[Figure: components: NGP Application, ERAAS Api, Security Manager, OpenIDM Database, OpenIDM]
Hybrid Authentication and Authorization
[Figure: hybrid flow; components: Security Manager, OpenDJ, OpenIDM Database, OpenAM, OpenIDM, ERAAS API Common Login, Legacy Application, NGP Application; flows labelled Authorization and Authentication]
User Provisioning – Phase One
• Users and entitlements exist within data repository for Security Manager
• Some applications will remain on Security Manager
• One time bulk load of users and entitlements
• LiveSync for synchronization to OpenIDM/OpenDJ
• ScriptedSQL connector communicating with Oracle 11 database
• Short term strategy
[Figure: phase one provisioning flow; components: Security Manager, OpenDJ, OpenIDM, OpenIDM Database, User Management Tool]
User Provisioning – Phase Two
• New user management interface deployed and old interface retired
• New UI leverages custom RESTful endpoints
• User provisioning direct to OpenIDM database and OpenDJ
• LiveSync for synchronization to Security Manager
• Transparent to consumers of EnerNOC applications
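Both provisioning phases rest on the same mechanism: a one-time bulk load of users and entitlements, followed by LiveSync, which repeatedly pulls only the rows that changed since the last sync and applies them to the other side. The following is an added example, not EnerNOC's code and not the OpenIDM scripted SQL connector itself; it uses an in-memory SQLite table constructed here in place of the Oracle 11 Security Manager schema, and the column names, statuses and entitlement encoding are assumptions. It shows the sync token that makes the incremental pass cheap, and the caveat every timestamp-keyed sync carries. Phase two runs the same pattern in the opposite direction, with the OpenIDM side as the source.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_source() -> sqlite3.Connection:
    """Constructed stand-in for the Security Manager user table. 'modified' is the
    change marker the sync keys on; the real connector's sync query would use
    whatever change column that schema has."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE sm_users ("
        "id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL, email TEXT, "
        "status TEXT NOT NULL, entitlements TEXT NOT NULL, modified INTEGER NOT NULL)"
    )
    con.executemany(
        "INSERT INTO sm_users VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.test", "ACTIVE", "ubm_analyst:site-1", 100),
            (2, "bob", "bob@example.test", "ACTIVE", "dr_admin:site-3", 101),
            (3, "carol", "carol@example.test", "DISABLED", "", 102),
        ],
    )
    con.commit()
    return con


class Target:
    """Stand-in for the OpenIDM managed-user store / OpenDJ entries."""

    def __init__(self) -> None:
        self.entries: Dict[str, dict] = {}

    def upsert(self, login: str, email: str, active: bool, entitlements: List[str]) -> None:
        # Disabled source accounts are kept but deactivated, never silently dropped,
        # so a later re-enable on the source side round-trips cleanly.
        self.entries[login] = {"email": email, "active": active, "entitlements": entitlements}


class SqlSyncConnector:
    """Bulk load once, then LiveSync-style incremental pulls keyed on a sync token."""

    def __init__(self, source: sqlite3.Connection, target: Target) -> None:
        self.source, self.target = source, target
        self.sync_token = 0   # highest 'modified' value already applied

    def _apply(self, rows: List[Tuple]) -> int:
        for _id, login, email, status, ents, modified in rows:
            self.target.upsert(login, email, status == "ACTIVE",
                               [e for e in ents.split(",") if e])
            self.sync_token = max(self.sync_token, modified)
        return len(rows)

    def bulk_load(self) -> int:
        rows = self.source.execute(
            "SELECT id, login, email, status, entitlements, modified "
            "FROM sm_users ORDER BY modified, id"
        ).fetchall()
        return self._apply(rows)

    def live_sync(self) -> int:
        # Only rows changed since the last token. A timestamp token can miss a row
        # whose transaction commits late with an earlier stamp; production sync
        # queries usually lag the token by a safety margin for that reason.
        rows = self.source.execute(
            "SELECT id, login, email, status, entitlements, modified FROM sm_users "
            "WHERE modified > ? ORDER BY modified, id",
            (self.sync_token,),
        ).fetchall()
        return self._apply(rows)
```

After the bulk load the first incremental pass applies nothing; an email change and a new account on the source side are picked up by the next pass, and the token advances so the pass after that is again empty.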
[Figure: phase two provisioning flow; components: Security Manager, OpenDJ, OpenIDM, OpenIDM Database, User Management Tool]
Single Sign-On
• 3 flavors of single sign-on:
1. Agent: Quick integration for acquired applications
2. RESTful: Next Generation Platform applications
3. SAML: Partners
• Custom Agent developed for IIS to interface with ERAAS API layer
[Figure: SSO flows; components: Security Manager, OpenDJ, OpenAM, Agent Based Application, NGP Application, ERAAS API, Partners/Customers, SAML]
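The agent flavour of SSO puts a small enforcement point in front of an acquired application: it checks the session cookie against the API layer, redirects to the common login when there is none, and hands the application an identity it can trust. The following is an added example, not the custom IIS agent the slide mentions and not EnerNOC's code; it is written as WSGI middleware, the cookie name, the identity header `X-ENOC-User` and the login URL are assumptions, and the session table standing in for the ERAAS validate call is constructed here. The point it adds to the slide is the check every agent must make and that integrations of acquired applications often miss: the identity header must be stripped from the incoming request before the agent sets it, otherwise any client can impersonate a user by sending the header itself.

```python
from http.cookies import SimpleCookie
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import quote

# WSGI form of the assumed "X-ENOC-User" header the protected app reads.
IDENTITY_ENV = "HTTP_X_ENOC_USER"


class SsoAgent:
    """WSGI middleware playing the agent role: every request must carry a
    session cookie the API layer validates, or the user is sent to login."""

    def __init__(self, app, validate: Callable[[str], Optional[str]],
                 login_url: str, cookie_name: str = "eraasToken") -> None:
        self.app, self.validate = app, validate
        self.login_url, self.cookie_name = login_url, cookie_name

    def __call__(self, environ: dict, start_response) -> Iterable[bytes]:
        # Never trust an identity header the client sent; the agent is the only
        # component allowed to set it.
        environ.pop(IDENTITY_ENV, None)
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        token = cookies[self.cookie_name].value if self.cookie_name in cookies else None
        user = self.validate(token) if token else None
        if user is None:
            # Carry the requested path so login can return the user afterwards.
            goto = quote(environ.get("PATH_INFO", "/"), safe="")
            start_response("302 Found", [("Location", f"{self.login_url}?goto={goto}"),
                                         ("Cache-Control", "no-store")])
            return [b""]
        environ[IDENTITY_ENV] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed protected application: echoes who the agent says it is."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ.get(IDENTITY_ENV)}".encode()]


# Constructed session table standing in for the API layer's validate call.
_SESSIONS = {"tok-alice": "alice"}


def validate_token(token: str) -> Optional[str]:
    return _SESSIONS.get(token)


def run(app, environ: dict) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal WSGI driver so the agent can be exercised without a server."""
    captured: List = []

    def start_response(status, headers):
        captured.append((status, dict(headers)))

    body = b"".join(app(environ, start_response))
    status, headers = captured[0]
    return status, headers, body


agent = SsoAgent(demo_app, validate_token, "https://login.example.test/login")
```

With `run` the four cases worth checking are: no cookie (redirect with the return path encoded), a valid cookie (the app sees the user), a forged identity header without a session (still redirected), and a forged header alongside a valid session (the header is overwritten with the validated user).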
DevOps
• Environments scripted via Chef
– Easily portable to AWS
• IAM Components are Microservices
• Failure detection and service discovery
– Consul, ZooKeeper
– Improved health checks developed for each system
– Investigating self-healing solutions for use when deploying to AWS
• Splunking of log files for reporting
• Automated testing of all components using Cucumber and SoapUI
Next Up
• AuthN and SSO – Go Live (July)
• Delegated Administration
• Integration with ECRM (Salesforce) for User Provisioning
• Retire Security Manager
– Gradual migration of legacy applications to new IAM
• Deployment in AWS
• Enhanced access control
– Integrate AuthZ model with EnerNOC’s business context model (graph DB)
• Integrated Acquisitions to leverage a centralized Identity Store
• Will bring # of users close to 1M
Q & A