Matthew Collinson
Why are we here today?
Account Credentials:
• Login ID and password
• SecurID card, other strong authentication factors
Common Profiles:
• Job Functional Roles
• Business Unit
• Office Location
• Manager/Supervisor
Entitlements (Windows SharePoint Services permission levels):

Entitlement                     Limited Read Access*  Contribute  Design  Full Control  New in Windows SharePoint Services (version 3)?
Update Personal Web Parts                             ✓           ✓       ✓             No
Add/Remove Personal Web Parts                         ✓           ✓       ✓             No
Approve Items                                                     ✓       ✓             New
View Versions                   ✓                     ✓           ✓       ✓             New
(row label missing in source)                         ✓           ✓       ✓             New
Cancel Checkout                                                   ✓       ✓             No
Open Items                      ✓                     ✓           ✓       ✓             New
View Items                      ✓                     ✓           ✓       ✓             No
Delete Items                                          ✓           ✓       ✓             No

(The source shows only the number of check marks per row; they are assumed here to fill the permission levels from Full Control leftwards, following the level ordering in the header.)
• Identity Federation – Standards-based method of exchanging identity information across autonomous security domains (organizations)
• Identity and Access Management (IAM) is a set of business processes, information, and technology for the creation, maintenance and use of people's digital identities within the bank, and the eventual termination of that identity in a controlled and secure manner.
• Reduced Sign-On, registration and password self-services for internal users
• Consistent and streamlined user provisioning processes with automated workflow (escalation and approval points)
• Business integration and large technology roll-outs
• Avoiding uncoordinated and overlapping application development efforts

• Consistent security policy enforcement and automated controls (protection of customer data)
• Identity lifecycle administration (accurate and timely terminations and access management)
• Improved privacy and regulatory compliance
• Effective logging, comprehensive auditing and timely reporting

• Improved service levels (user management and provisioning) and good quality of service
• Streamlined security administration & reporting
• Flexible infrastructure for rapid deployment of applications (enablement of shared services and Service-Oriented Architecture)

• User productivity cost savings due to: quicker provisioning processes, reduced time for password re-sets, Single Sign-On
• Reduced cost of: User Administration and Provisioning, Helpdesk (password management), Security Administration (auditing, reporting)
Federated Sign-On / Access Management – Some potential for cost savings, mostly in application delivery – Priority: Medium
which includes $2M of one-time process/application integration costs and $0.9M of annual run costs.
One-time costs ($M):
  Software                        1.3   Provisioning software will be required for 50,000 users at $25 per user (based on industry average price).
  (row label missing in source)   2.2
  Non-Capital Integration Costs   2.0   Application integration and process integration will require involvement of internal staff outside of the project team, estimated at 8 FTEs.
  One-time Total                  7.0

Annual costs ($M):
  Hardware & Software             0.3   Hardware maintenance cost is estimated at 10% of Hardware Cost and
  Operational Run Costs           0.9   Annual hardware capitalization and overhead are estimated at 55% of total hardware costs. Plus 4 FTEs at $150K/year for ongoing support.
  Annual Total                    1.2
costs, due to the automation in access provisioning, password management and access administration.
Annual Incremental Benefits
Cost Component | Value ($M) | Benefits Calculations / Assumptions

Provisioning
  User Productivity Cost Savings (faster on-boarding) | 1.5 – 4.5 |
    Approximately 13,475 non-retail employees are transferred or hired every year and on-boarding takes approximately 5-21 days.
    While 50% of the time spent by new employees and transferees is on reviewing manuals, training, orientation, etc., the remaining 50% is assumed to be unproductive.
    Average employee salary is assumed to be $30 per hour.
    At a minimum, 1 day of delay can be eliminated by implementing an automated provisioning system, resulting in an on-going productivity saving of $1.5M/year.
  Reduction of Vendor FTEs (Access Provisioning) | 0.6 |
    With the implementation of the provisioning solution, services provided by 4 FTEs (access services at Vendor, including login ID creation) would not be required.
    Currently, the access provisioning team at Vendor includes 18-20 FTEs.
    Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 p.a.

User Management
  Reduction of Vendor Workload (Password Management) | 2.0 – 2.2 |
    Approximately 168,000 password reset requests per year are processed by Vendor for Active Directory, Email, Host, Novell, RLAN and Web Based Applications.
    Average cost of processing one password request is $15.
    Using self-service password reset functionality, the request volume for help desk password resets would reduce by 90%. This will yield approximately $2M/year in cash flow savings.
    It is assumed that the benefit realization will be 50% for the first year and 75% for the second year. From year 3 the benefit realization is assumed to be 100%.
  Reduction of Vendor FTEs (Access Administration) | 0.2 |
    With the implementation of the Delegated Administration, services provided by 1 FTE (access administration at Vendor) would not be required.
    Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 per annum.
and Net Present Value of cash flow is estimated at $3.4M, as the most conservative estimate.
Notes:
1. The Weighted Cost of Capital is assumed to be 7%
2. Ranges are based on low and high estimate projections. The lower end represents a conservative approach and the higher end represents a more optimistic calculation.
Qualitative Benefits

User Experience:
• Faster on-boarding process leading to improved user experience and productivity.
• Increased end-user productivity and better user experience (due to delegation and self-service).

• Reduced cost of tactical solutions development and avoiding unnecessary support costs.
• Improved compliance and risk management posture due to automated and effective controls for identity life cycle administration (timely de-provisioning).
• Improved application access controls due to more accurate and timely role/group assignment in applications.
then proceed with the Password Self-service and continue with the Role-based Access Provisioning and Delegated Administration.
Implementation Roadmap

Scope

Phase 1:
• Integration with (connectors to): ACF2, AD, ED, Novell
• Feed from PeopleSoft (events)
• Basic workflows, basic roles
• UI only for Administrators

Phase 2 (Password Self-service):
• Password synchronization for all connected platforms, initiated from the provisioning engine.
• Password change Self-service.
• Password re-set Self-service (forgotten password function).
• Identity Self-service to update basic attributes (contact info).

Phase 3 (Role-based Access Provisioning):
• Job codes from PeopleSoft are mapped to enterprise roles.
• Multiple BU-specific roles are defined and mapped to specific access entitlements (e.g. AD groups, ED groups, etc.).
• Complex workflows for approval, RFI and notification.

Phase 4 (Delegated Administration):
• Administrative roles are defined to allow for multiple tiers of administration.
• Delegated Administration UI.
• Access controls are defined so that delegated administrators manage only users (and attributes) in their scope.
User Management Service (Delegated Administration, Identity Self-service, Password Self-Service):
• Multiple applications require User Profile & Group Management capabilities.
• Role-based Access Control is the strategic vision at Client.
• Business units want to control assignment of roles/groups to their users, hence require delegated administration.

Access Management (Federated Sign-On, Web Access Management, Authentication, Authorization, Monitoring & Reporting, Secure Token Svc):
• Over 150 external applications deliver some sensitive data that can be accessed from home.
• Seamless authentication and access control mechanisms are required to provide granular and selective access to Intranet and web resources.
• Intranet Portal roadmap requires SSO and Access Management.
• Simplified Sign-On from desktop is a business requirement for many application projects.
compelling costs benefits and already have alternative strategies in place to address the priority needs.
Web Access Management (Authentication, Authorization, Application Integration, Monitoring & Reporting, Secure Token Svc; System, Internet)

Benefit categories: Cost Savings – ; User Productivity – ; Risk / Compliance –
• The current strategy is to use Kerberos/SPNEGO.
• The Intranet Portal strategy will be able to provide access control to Web applications and resources at the portal level.

Costs: One Time - $2.7M; Annual Run - $0.6M; (unlabelled figure in source) - $1.1M
• Roles based on Job Title, e.g.:
  – Supervisor Role
  – Service Associate Role
  – Analyst Role
  – Example: Many Users to One Job Role

• Roles based on Job Function, e.g.:
  – Approve Invoices Role
  – Monitor Staff Role
  – Report Status Role
  – Example: Many Users to Many Function Roles

[Diagram: users (User 1, User 3; User A, User C) mapped to the function roles Approve Invoices and Report Status]

Today's Access Control: Request by process → Process 1, Process 2, Process 3 → Permissions; User(s) hold Direct Permissions.

Tomorrow's Access Control: Request → RBAC; User(s) → Role(s) → Privileges.
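As an added illustration of the "Today" versus "Tomorrow" models above (example code written for this page, not from the original deck), the following Python puts direct per-user permission grants beside a user → role → privilege assignment. All role and permission names are invented. It also carries the deck's SoD point: the RBAC model refuses to assign two roles declared mutually exclusive. The transfer routine shows why role-based assignment gives the "timely de-provisioning" and "immediate system-wide access updates" listed elsewhere as benefits, while direct grants silently accumulate.

```python
from typing import Dict, FrozenSet, Set

# Constructed sample data (names invented for this example): job-title roles,
# of which a user holds one, and job-function roles, of which a user may hold several.
JOB_TITLE_ROLES: Dict[str, Set[str]] = {
    "Supervisor": {"hr:view_team", "ad:group:supervisors"},
    "Service Associate": {"crm:read", "ad:group:associates"},
    "Analyst": {"reports:read", "ad:group:analysts"},
}
JOB_FUNCTION_ROLES: Dict[str, Set[str]] = {
    "Approve Invoices": {"ap:approve"},
    "Submit Invoices": {"ap:submit"},
    "Monitor Staff": {"hr:view_team"},
    "Report Status": {"reports:write"},
}
# Separation-of-duties rule (constructed): nobody both submits and approves invoices.
SOD_RULES: Set[FrozenSet[str]] = {frozenset({"Submit Invoices", "Approve Invoices"})}


class DirectAccess:
    """'Today': every permission is requested per process and granted straight to the user."""

    def __init__(self) -> None:
        self.grants: Dict[str, Set[str]] = {}

    def grant(self, user: str, permission: str) -> None:
        self.grants.setdefault(user, set()).add(permission)

    def permissions(self, user: str) -> Set[str]:
        return set(self.grants.get(user, set()))

    def transfer(self, user: str, new_title: str) -> None:
        # A transfer adds the new job's permissions; nothing links the old
        # permissions to the old job, so they accumulate over a career.
        for permission in JOB_TITLE_ROLES[new_title]:
            self.grant(user, permission)


class Rbac:
    """'Tomorrow': users are assigned roles; roles carry the privileges."""

    def __init__(self, roles: Dict[str, Set[str]], sod: Set[FrozenSet[str]]) -> None:
        self.roles = {name: set(privs) for name, privs in roles.items()}
        self.sod = sod  # pairs of roles one user may not hold together
        self.assignments: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.sod:
                raise ValueError(f"SoD conflict: {user!r} may not hold {role!r} with {other!r}")
        held.add(role)

    def revoke(self, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)

    def privileges(self, user: str) -> Set[str]:
        # Effective privileges are the union over every role the user holds.
        return set().union(*(self.roles[r] for r in self.assignments.get(user, set())))

    def transfer(self, user: str, old_title: str, new_title: str) -> None:
        # Swapping the role swaps the whole entitlement set in one step.
        self.revoke(user, old_title)
        self.assign(user, new_title)

    def terminate(self, user: str) -> None:
        # Leaver: dropping the assignments removes every privilege at once.
        self.assignments.pop(user, None)


def stale_after_transfer():
    """Move one employee from Analyst to Supervisor in both models.

    Returns the Analyst permissions still held afterwards (direct model, RBAC model)."""
    direct = DirectAccess()
    for permission in JOB_TITLE_ROLES["Analyst"]:
        direct.grant("user1", permission)
    direct.transfer("user1", "Supervisor")

    rbac = Rbac({**JOB_TITLE_ROLES, **JOB_FUNCTION_ROLES}, SOD_RULES)
    rbac.assign("user1", "Analyst")
    rbac.transfer("user1", "Analyst", "Supervisor")

    analyst = JOB_TITLE_ROLES["Analyst"]
    return direct.permissions("user1") & analyst, rbac.privileges("user1") & analyst


if __name__ == "__main__":
    print(stale_after_transfer())
```

The direct model keeps both Analyst permissions after the transfer; the RBAC model keeps none, because the privileges were only ever reachable through the role. The SoD check in `assign` is the hook where an enterprise SoD policy would be enforced at assignment time rather than discovered later in an audit.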
[Diagram: RBAC stakeholders]
• Application Owners
• IT Audit
• Users
• Enterprise Architecture
• Business Owners
• Human Resources
• Help Desk
• IT Operations Support
• User Administration Staff
• Maintainers
• Administrators
"The Time Has Come" © 2008 Deloitte Touche Tohmatsu
What are the benefits?
In the Board Room…

Regulatory Compliance:
• SOD requirements
• Immediate system-wide access updates
• Real-time visibility and disclosure burden
• Basic compliance reporting

Governance & Security:
• Consistent security policy
• Role-based access
• Least privilege access
• Consistent identity data
• Automated risk mitigation
• Enterprise SoD

Increased Productivity & Cost Reduction:
• User self service
• Focused, personalized content
• Eliminate redundant administration tasks
• Reduce helpdesk
• Password management

Increased Service Level:
• Delegated Administration
• Comprehensive profile view

Business Facilitation:
• Reach global customers
• Tighter supplier relationships
• More productive partnerships
• Fast employee ramp-up
and finally…
It’s a Journey – you’ll learn along the way!
RM4E methodology, five phases:

1. Initial Activities
   • Set stage for RBAC implementation
   • Gather and review LOB information
   • Gather, review & assess LOB system access information

2. Jumpstart
   • Begin RM4E implementation
   • Understand LOB functions and system access
   • Initiate role design
   • Select technology (Role Engineering, Role Lifecycle Management)

3. Design Development
   • Design RM4E processes & technology solution
   • Provide training

4. Role Validation & Approval
   • Test roles, processes and technology
   • Identify exceptions
   • Finalize roles with all appropriate individuals and groups
   • Obtain approval on roles

5. Deployment
   • Deploy enterprise roles
   • Deploy RBAC processes, procedures, and guidelines
   • Deploy technology
   • Finalize LOB RBAC implementation