Sample Visio – IAM Deployment Process
March 2, 2010
The first step in implementing an identity management solution is identifying business objectives, policies and strategies, both current and future. Next comes a complete evaluation of the identity repositories, current identity management implementations (e.g., synchronizing messaging and desktop IDs), political boundaries, and current vendor capital investments and loyalties. This is needed to determine the type, value and scope of the solution. Many companies have looked at parts of their IT infrastructure, e.g., messaging and the Network Operating System (NOS), but have not taken a holistic approach, one which includes applications and HR. A business case including Total Cost of Ownership (TCO)/ROI and value analysis should follow.
This should be a holistic approach, but that does not mean the service cannot be implemented over time. Because of the magnitude of this task, it is suggested that the following be considered:
· Start small.
· Grow over time.
· Deploy in parallel with existing systems.
· Provide an Enterprise Application Integration (EAI) solution: translate data and commands from the format of one application into the format of another.
There are a number of publications on this topic and most IS/IT departments are well aware of best practices in this area, so I will not go into any details here.
Note: Most of the practices involved in implementing a Directory Server will apply here, since the backbone of every Meta Directory Service (MDS) is the Directory Server.
Key issues that are important to note:
· Study the client's business environment.
· Know the corporate structure.
· Survey the enterprise and identify where the data comes from (such as NT or NetWare directories, PBX systems, Human Resources databases, email systems, and so forth).
· Locate all the organizations that manage the enterprise's information.
· For each piece of data, determine who owns the data; that is, who is responsible for ensuring that the data is up to date.
· For each piece of data, determine the location where it will be mastered.
· Identify the tools and processes that the enterprise uses to maintain this information.
· The decision about what types of data are maintained in the directory, and when you will start maintaining it there, will be driven by several factors:
· The data required by the various legacy applications (such as existing email applications) as well as by the user population.
· The ability of the legacy applications to communicate with an LDAP directory service.
· For each piece of data, determine the name of the attribute that will represent it in the directory and the object class (the type of entry) that the data will be stored on.
· Determine how centralizing each piece of data will impact the managing organizations.
· Determine what future directory-enabled applications will be deployed and what their data needs are.
· If a unique identifier is not ubiquitous in the organization, the meta directory service should begin the process of imposing one.
· Obtain a corporate Object Identifier (OID) arc from IANA (a Private Enterprise Number) so that custom attributes and object classes can be uniquely identified.
· Best practice in directory information tree (DIT) layout is to keep the tree as flat as possible. A NOS directory tree typically mirrors domains and organizational units, so this requirement is one of the best reasons why the NOS DIT and the enterprise directory DIT, and therefore the directories themselves, need to be different.
Information Gathering
Assessment of Current Business Policies.
The main impediments to implementing a successful Meta Directory solution are the lack of documented access roles based on business functionality and weakly defined procedures for handling users' changing roles. To overcome this pitfall you must work closely with the corporation's security group to produce a Security Engineering Plan (SEP) that ensures the proper procedures are well defined.
Assessment of Corporate Identity Environment
Identity repositories take on many forms. Typical identity repositories are RDBMSs, NOS directories and application-specific repositories (e.g., email).
All systems that require access control require an identity repository. Most repositories are meant solely for use by the application storing the information; others, such as Directory Servers, are used for multiple purposes. Most identity data is redundant: the semantics are the same, though the syntax and data definitions vary between systems.
Assessment of Partially Implemented Identity Solutions
As mentioned earlier in this paper there are a number of identity management solutions. One form of identity management that some companies have used is synchronization connectors. Some vendors supply synchronization connectors with their products. These synchronization connectors are applications that know how to recognize changes in one repository and propagate them to another repository. Connectors typically maintain a one-to-one relationship, so a company needs a specific connector for each pair of repositories that will be managed.
It should be noted which systems are currently in place to help address identity management and how a Meta Directory will interact with or replace each of them.
Assessment of Political Boundaries
Because of the number of organizations that can be affected by the directory, it may be helpful to create a directory deployment team that includes representatives from each affected organization. Including representatives from each of these organizations can help perform the survey more rapidly. More importantly, it always helps to listen to the users. Directly involving all the affected organizations can go a long way toward building acceptance for the migration from local data stores to a centralized directory service. This centralization will require adding personnel to some organizations while reducing head count in others. The net reduction in administrative tasks will free employees to move on to more important work. They may not realize this at first and may feel somewhat threatened, so it is important to present the opportunities you are opening up for your former administrators.
Analysis of Information
All decisions should be founded on business and security principles. The analysis should produce a Policies and Security Engineering Plan. Once you have established your business rules and policies and located all the data important to the enterprise, you must determine whether each piece of data really can or should be stored in the Meta Directory, which system is the Master, Peer or Slave for it, and whether any translation is needed.
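The pieces above (a corporate OID arc, a flat DIT, an imposed unique identifier, one master per attribute, syntax translation between repositories, and a connector that detects changes in one repository and pushes them to another) fit together as follows. This is an added example written for this page, not code from the original post or from any vendor's product. The enterprise OID arc, the base DN, the attribute ownership table and the HR and email extracts are all constructed placeholders; a real deployment substitutes its own IANA Private Enterprise Number, schema and feeds.

```python
"""Added example: a minimal synchronization connector feeding a meta directory.
Every identifier, sample record and the OID arc below is a constructed placeholder."""
from dataclasses import dataclass

# Assumption: placeholder IANA Private Enterprise Number arc (1.3.6.1.4.1.<PEN>).
ENTERPRISE_OID = "1.3.6.1.4.1.99999"
BASE_DN = "ou=people,dc=example,dc=com"  # assumption: one flat container for people

def attribute_oid(n: int) -> str:
    """n-th custom attribute under the enterprise arc (.1 reserved for attributes)."""
    return f"{ENTERPRISE_OID}.1.{n}"

def objectclass_oid(n: int) -> str:
    """n-th custom object class under the enterprise arc (.2 reserved for classes)."""
    return f"{ENTERPRISE_OID}.2.{n}"

# Data ownership from the survey: the one repository allowed to write each attribute.
MASTER = {"employeeNumber": "hr", "givenName": "hr", "sn": "hr",
          "mail": "email", "telephoneNumber": "pbx"}

def normalize_empno(raw: str) -> str:
    """Canonical employee number: digits only, zero-padded to six places."""
    return "".join(c for c in raw if c.isdigit()).zfill(6)

def unique_id(employee_number: str) -> str:
    """Enterprise-wide identifier imposed by the meta directory ('e' + number)."""
    return "e" + employee_number

def flat_dn(uid: str) -> str:
    """Flat DIT: every person sits directly under BASE_DN, not under org-chart branches."""
    return f"uid={uid},{BASE_DN}"

@dataclass
class Connector:
    source: str       # repository name, matched against MASTER
    join_field: str   # source field carrying the employee number (the join key)
    mapping: dict     # source field -> (directory attribute, syntax normaliser)

    def translate(self, record: dict) -> dict:
        """Map one source record to directory attributes, keeping only those this
        source masters; a value for another repository's attribute is dropped."""
        attrs = {}
        for field_name, (attr, norm) in self.mapping.items():
            if field_name in record and MASTER.get(attr) == self.source:
                attrs[attr] = norm(record[field_name])
        return attrs

    def keyed(self, extract: list) -> dict:
        """Index a full extract by the imposed unique identifier."""
        return {unique_id(normalize_empno(r[self.join_field])): self.translate(r)
                for r in extract}

    def run(self, old_extract: list, new_extract: list, directory: dict):
        """Diff two extracts, push adds/modifies/deletes into the directory and
        return (added, modified, deleted) uids for the audit trail."""
        old, new = self.keyed(old_extract), self.keyed(new_extract)
        added = sorted(new.keys() - old.keys())
        deleted = sorted(old.keys() - new.keys())
        modified = sorted(k for k in new.keys() & old.keys() if new[k] != old[k])
        for uid in added + modified:
            entry = directory.setdefault(
                flat_dn(uid), {"uid": uid, "objectClass": ["inetOrgPerson"]})
            entry.update(new[uid])
        for uid in deleted:
            dn = flat_dn(uid)
            if self.source == MASTER["employeeNumber"]:
                directory.pop(dn, None)   # HR leaver: the SEP decides delete vs. disable
            elif dn in directory:
                for attr in old[uid]:     # other source: retract only its own attributes
                    directory[dn].pop(attr, None)
        return added, modified, deleted

HR = Connector("hr", "EMP_ID", {
    "EMP_ID": ("employeeNumber", normalize_empno),
    "FIRST_NAME": ("givenName", str.strip),
    "LAST_NAME": ("sn", lambda v: v.strip().title()),
    "PHONE": ("telephoneNumber", str.strip),  # HR holds it, but PBX masters it: dropped
})
EMAIL = Connector("email", "empno", {"address": ("mail", str.lower)})

# Constructed extracts: two days of the HR feed and one email system dump.
HR_DAY1 = [
    {"EMP_ID": "123", "FIRST_NAME": " Alice ", "LAST_NAME": "SMITH", "PHONE": "555-0100"},
    {"EMP_ID": "000456", "FIRST_NAME": "Bob", "LAST_NAME": "lee", "PHONE": "555-0101"},
]
HR_DAY2 = [
    {"EMP_ID": "123", "FIRST_NAME": " Alice ", "LAST_NAME": "JONES", "PHONE": "555-0100"},
    {"EMP_ID": "789", "FIRST_NAME": "Carol", "LAST_NAME": "NG", "PHONE": "555-0102"},
]
MAIL_DUMP = [{"empno": "123", "address": "Alice.Jones@Example.com"}]

def demo() -> dict:
    """Run the HR connector twice and the email connector once; return the directory."""
    directory = {}
    HR.run([], HR_DAY1, directory)
    HR.run(HR_DAY1, HR_DAY2, directory)
    EMAIL.run([], MAIL_DUMP, directory)
    return directory

if __name__ == "__main__":
    for dn, entry in sorted(demo().items()):
        print(dn, entry)
```

The point to take from the run is in the ownership table: the HR extract carries a phone number, but because PBX is the master for telephoneNumber the HR connector never writes it, and the email connector can add mail to Alice's entry only because both feeds are joined on the same imposed identifier. Run twice on identical extracts the connector reports no changes, which is the property a real connector must have before it is trusted to run unattended.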
Sample IAM flow.
Simple_Identity_Management_Flow1.vsd
https://www.bestitdocuments.com/Samples