pulse2014 1091

© 2014 IBM Corporation

Oracle-to-IBM IAM Migration BNSF Case Study

Chris Fields VP – Security Strategy

1

Agenda

Who is BNSF Who is PathMaker Group BNSF Challenges with Oracle Sun IAM Oracle to IBM IAM Migration Approach Benefits of IBM IAM Solution Next Steps Questions

2

Who is BNSF

3

Who is BNSF

U.S. Railroad Company (Burlington Northern + Santa Fe) – 160 years in business – Combination of nearly 400 railroad companies – Serves Western two-thirds of U.S., portions of Canada & Mexico

4

Who is PathMaker Group

5

Specialized Security and IAM Integrator – IBM Premier Level partner

Nearly 20 years delivering IT projects

Strong project management expertise

Successful track record with long, complex engagements

Methodology-driven practices

Who is PathMaker Group?

6

BNSF Challenges with Oracle IAM

7

Oracle Waveset Identity Manager – Early poster-child customer – Handles base provisioning to all

core systems and apps

Oracle Sun Access Manager – Early poster-child customer – Handles Web SSO to 60+ apps

Oracle OpenSSO

– Handles Federated SSO to 15 apps

Oracle Sun Directory Server – Enterprise LDAP – Provides authentication services

to 100s of apps

BNSF Oracle IAM Environment

Windows AD RACF SAP LDAP AIX (~100) Solaris Unix (~100) RedHat Linux (~400) Teradata Natural Office 365 IVR Office Communicator

50,000+ users 1.5 Million+ accounts

8

Frozen Product Functionality – Esp. managed endpoint currency

Performance issues – Wait times accessing account

data – HR feed processing times

BNSF Challenges with Oracle IAM

Too Many Customizations – Lots of Java code

Missing Key IdM functions – Reconciling of account data – Role management – Segregation of duties – Privileged Identity Mgmt

9

Oracle to IBM IAM Migration Approach

10

New Product was Unavoidable – Starting over either way

No “Magic Pill” to Migrate

Out of Box Capabilities

Focus on Current and Future Needs Synergy with existing IBM products

IBM Support

Why BNSF Chose IBM

11

Oracle to IBM IAM Migration Approach – Phase 1

Step 1

Extract Oracle Objects into Current State Repository

Category Type Description

AttributeDefinition AttributeDefinition Definition of Sun IdM user identity attributes 6

LoginApp

Login applications define a collection of login module groups, which further define the set and order of login modules that will be used when a user logs in to Identity Manager. Each login application comprises one or more login module groups.

8

Login Module Groups

The login module group list shows:

* Each login module group* The individual login modules that make up a login module group* Whether a login module group contains constraint rules

5

Login Configuration

Login Configuration defines parameters that are used if Sun IdM is to use the resource for pass-through authentication.

1

OW Objects

Authentication

# of Analyzed Objects

40+ IdM Object Types Analyzed

Start with Sun IAM frame of reference

Automated utility to extract data

Store data in central DB

12


Step 1


Step 2

Review Object Mapping & Counts

Automated, Semi-automated and Manual object migrations

Very few objects fit auto migration

Counts are key decision criteria

Category Type Description

Account Policy

Account Policy establishes user, password, and authentication policy options and constraints. (e.g. authentication questions, password expiration rules)

Identity Policy for Userid generation (In addition with some Global properties) Manual Represent via Identity Policy

Password and Account ID Policy

Policies set length rules, character type rules, and allowed words and attribute values.

Password Policy (could be Global or per Service ) Manual

Use custom password rule. No dictionary functionality in place

ResourceResource objects store information about how to connect to a resource or system on which accounts are provisioned Service configuration

Semi-automated

Auto create basic service objects and information either directly in ITIM or in a staging area with manual augmentation before automating the creation in ITIM

ResourceAction

Resource actions are scripts that run within the context of a managed resource, if native support exists for scripted actions. For example, on a system with a UNIX operating system, actions are sequences of UNIX shell commands.

PostExec script on the Adapter Manual

Leverage scripts via ITIM AD Adapter Post-Exec actions with minor modifications f necessary

Role Role

A role is a Sun IdM object that represents Identity Manager user types and allows resources to be grouped and assigned to users

Role (Dynamic and Static Role) N/A

Not being used other than the AppAdmin role

User User Sun IdM user objectPerson Entity and the ITIM Account Automated

Include auto decryption/registration of existing challenge questions and IdM password

Resource

OW ObjectsMigration CommentsISIM Objects

Policy

Migration Approach

13


Step 1


Step 2


Step 3

Build Req’s Summary & Review/ Refine

Automated Req’s Definition

120 Use Cases Able to ignore 35% of

existing configuration

UC-M2 Sun IdM Administrators manually append user's Unix "comments" to the "comments" attribute of user's IdM account (User Interactive)

Sun IdM Administrators manually append "comments" of user's Unix account to the "comments" attribute of user's IdM account

One time usage N

UC-M1 Sun IdM Administrators manually bulk disable users accounts (User Interactive)

Sun IdM Administrators manually bulk disable users' accounts. Whoever launches the action is able to select list of users and to-be-disabled resource accounts, also enter comments (and populate to AD, RACF).

Use Case #

Use Case Name Use Case DescriptionIn Use(Y/N)

Y

Notes

Whoever launches the action is able to select list of users and to-be-disabled resource accounts (or All resource accounts), also enter comments (and populate to AD, RACF).

User could specify the target user list from a file by using Sun IdM OTB “Launch Bulk Action”.

This Use Case is used for: 1. Bulk-process dormant AD user(s) or RACF user(s) clean-up 2. Daily bulk disable

(f HR ll

ISIM Solutions

For daily HR bulk disable process, Will design an automatic workflow to replace the populating comment process. Comments will be automatically populated by ITIM workflow.

For dormant RACF disable, Will read the user list from a csv file, this option will be used for dormant RACF disable. No comment is required for dormant RACF disable.

For dormant AD disable,Will use a “to-be-disabled” AD groups, design an ITIM kfl b lk di bl h b l

14


Step 1


Step 2


Step 3


Step 4

Document Gaps & Review

Detailed review of current functions to identify gaps

Opportunity to take advantage of new features

User interface gaps / differences were key

15


Step 1


Step 2


Step 3


Step 4


Step 5

Finalize Conversion Rules & Approach

Req’s doc created

Review with key teams

Updates / revisions

TABLE OF CONTENTS

1 INTRODUCTION .................................................................................................................................................................................................4 1.1 BACKGROUND ..............................................................................................................................................................................................4 1.2 SCOPE .........................................................................................................................................................................................................4

3 FUNCTIONALITY REQUIREMENTS .................................................................................................................................................................5 3.1 SUMMARY OF FUNCTIONALITY REQUIREMENTS ............................................................................................................................................5 3.2 BACKEND USE CASES ..................................................................................................................................................................................5 3.3 USER INTERACTIVE USE CASES ...................................................................................................................................................................7 3.4 SELF-SERVICES USE CASES ......................................................................................................................................................................13 3.5 FUTURE USE CASES ..................................................................................................................................................................................13 3.6 NOTIFICATION ............................................................................................................................................................................................14 3.7 AUDIT.........................................................................................................................................................................................................17 3.8 REPORTS ...................................................................................................................................................................................................17

4 INTEGRATION REQUIREMENTS ...................................................................................................................................................................20 4.1 USER FEEDS ..............................................................................................................................................................................................20 4.2 CONNECTED RESOURCES ..........................................................................................................................................................................22 4.3 INDIRECT RESOURCES ...............................................................................................................................................................................36

5 SECURITY REQUIREMENTS ..........................................................................................................................................................................37 5.1 IDM ADMINISTRATION .................................................................................................................................................................................37 5.2 DATA SECURITY .........................................................................................................................................................................................38 5.3 IDM AUTHENTICATION ................................................................................................................................................................................38 5.4 IDM ORGANIZATION ...................................................................................................................................................................................40 5.5 ACCOUNT ID POLICY ..................................................................................................................................................................................41 5.6 PASSWORD POLICIES .................................................................................................................................................................................41

16


Step 1


Step 2


Step 3


Step 4


Step 5

Finalize Conversion Rules & Approach

Step 6

Conc. Design & Impl Est.

Design Approach concrete

Implementation estimate created

Customer teams impacted & resource requirements

TABLE OF CONTENTS

1 INTRODUCTION .................................................................................................................................................................................................8 1.1 BACKGROUND ..............................................................................................................................................................................................8 1.2 SCOPE .........................................................................................................................................................................................................8

2 GUIDING PRINCIPLES ......................................................................................................................................................................................8 2.1 CONCEPTUAL DESIGN SIGN OFF ..................................................................................................................................................................8 2.2 MINIMIZE CUSTOMIZATIONS ..........................................................................................................................................................................8 2.3 MINIMIZE RISK..............................................................................................................................................................................................8

3 ITIM SYSTEM ARCHITECTURE OVERVIEW ..................................................................................................................................................9 3.1 ITIM SYSTEM ARCHITECTURE OVERVIEW DIAGRAM PRODUCTION AND TRIAL...............................................................................................9 3.2 ITIM SYSTEM ARCHITECTURE OVERVIEW DIAGRAM DEVELOPMENT ...........................................................................................................10 3.3 PRODUCTION ENVIRONMENT ......................................................................................................................................................................11 3.4 TRIAL ENVIRONMENT..................................................................................................................................................................................12 3.5 DEVELOPMENT ENVIRONMENT ...................................................................................................................................................................13 3.6 SSL / CERTIFICATES ..................................................................................................................................................................................13

4 ITIM PLATFORM REQUIREMENTS ...............................................................................................................................................................14 4.1 ITIM MINIMUM SERVER HARDWARE SPECIFICATIONS .................................................................................................................................14 4.2 HIGH AVAILABILITY .....................................................................................................................................................................................14

6 REQUIREMENTS USE CASE MAPPING .......................................................................................................................................................15 6.1 OVERVIEW .................................................................................................................................................................................................15 6.2 BACKEND USE CASES ................................................................................................................................................................................15 6.1 USER INTERACTIVE USE CASES .................................................................................................................................................................17 6.2 SELF-SERVICES USE CASES ......................................................................................................................................................................20 6.3 FUTURE USE CASES ..................................................................................................................................................................................20

7 ORGANIZATION TREE ....................................................................................................................................................................................21 7.1 CONTAINERS: .............................................................................................................................................................................................21

8 ROLES...............................................................................................................................................................................................................21 8.1 PERSON DYNAMIC ROLES ..........................................................................................................................................................................21 8.2 STATIC ROLES: ..........................................................................................................................................................................................22 8.3 ROLE OWNERS ..........................................................................................................................................................................................24

17


Step 7

Detailed Design

Step 8

Configuration / Development

Step 9

Test Planning & Execution

Step 10

Cutover Planning & Migration

Step 11

Post-Migration Support

Transition to Typical IAM Implementation Detailed Testing is a Must

– Ability to validate results in parallel (side by side)

Big Bang vs. Mixed Rollout Strategy – Temporary interfaces can be costly – Back-out strategy is key consideration

Cutover Planning & Coordination is Critical – Early infrastructure integration in upper environments is key

18

Benefits of IBM Solution

19

Move towards out of box configuration vs. customizations More robust adapter integration Better performance (esp. SSO) Integrated role management and compliance Better admin UI experience

Easy Mapping of Product Components

Oracle Product IBM Product

Oracle Waveset Identity Manager IBM Security Identity Manager

Oracle Sun Access Manager IBM Security Access Manager for Web

Oracle OpenSSO IBM Federated Identity Manager

Oracle Sun Directory Server IBM Security Directory Server

Oracle Virtual Directory Server IBM Security Directory Integrator

20

Next Steps for BNSF

21

Next Steps – It’s a Jungle out There!

Extend integrations with existing targets Leverage new IAM platform capabilities Expand SSO capabilities to mobile platforms

IBM IAM Migration

Enterprise Roles &

Recert Pilot

Privileged Identity Mgmt

Enterprise Roles &

Recert P2

Mobile SSO

22

Questions ?????

Chris Fields VP – Security Strategy [email protected] 817-704-3644 x110 Office 972-523-8620 Cell

mailto:[email protected]

pulse2014 1091

Technology

iam oracle

extract oracle objects

ibm corporation oracle

objects authentication

apps oracle opensso

password policy

identity policy password

login module group list