IAM Methods 2.0 Presentation Michael Nielsen Deloitte

Approaching an Identity & Access
Governance Project
IAM Methods 2.0
November 6th, 2014

Copyright © 2014 Deloitte Development LLC. All rights reserved.
The hidden agenda
1. Change in Deloitte:
a) Consulting
b) Global player
2. Global IBM – Deloitte Partnership
3. IAM is one of three Strategic business areas

Why I am here
• Michael Nielsen, Partner in Deloitte Denmark, ERS AI
• Danish Defense, Arthur Andersen, PwC, IBM, MNSecurity and Deloitte ERS
• 30 years of experience with IT
• Focus on Role based Security in SAP and Mainframes, IAM and GRC
• Swedish assignments over the years: Nobel Biocare, Volvo, Tetra Pak, Ericsson and
Electrolux
• IAM: TIM/TAM, Control SA, Omada, FIM, Dell One …….
Michael Nielsen
Partner | ERS AI
Deloitte
Weidekampsgade 6, 2300 Copenhagen S, Denmark
Postal address: P.O. Box 1600, 0900 Copenhagen C, Denmark
Mobile: +45 24 44 15 31 | Fax: +45 36 10 20 40
micnielsen@deloitte.dk | www.deloitte.dk
Please consider the environment before printing.

© 2014 Deloitte AB 4
Marcus Sörlander
Partner
Enterprise Risk Services
+46 752 46 20 00
msoerlander@deloitte.se
Albin Finne
Senior Manager
+46 752 46 20 00
alfinne@deloitte.se
My Swedish colleagues
Deloitte ERS Sweden

Some cases from the Swedish IAM team
• Deloitte provides the client with
advice on the overall project strategy
and providing subject matter
expertise for the best use of IAM
technologies in terms of functionality,
scalability and systems integration.
• The project is a joint collaboration
between Sweden and UK..
• New functionality is currently being
designed and developed, including
audit and attestation processes for
critical access governance
processes.
• Deloitte provided project manager,
identity management architect and
delivery of the implementation
platform with a team of IAM
specialists from Sweden, Norway
and UK.
• Deloitte has been drafting the longer
term vision, determining the
roadmap, launching several
implementation projects and
relationship-management with the
different departments/agencies.
• The solution delivered by Deloitte
included consultation and
implementation of a comprehensive
access management for both
students and staff.
• In addition to access management,
SSO and federation was setup to
provide authentication and
authorization services for all user
populations across the University.
• The project was delivered by
Norwegian, Swedish and UK
resources.

What is IAM
”Identity and Access Management (IAM) is the security discipline that enables
the right individuals to access the right resources at the right times for the
right reasons”

Enterprise Access Management Services Managed Resources
Auditing and Reporting
Access Request Provisioning
Provisioning conceptual architecture
Access Certification
HR System - PeopleSoft
Process
Modeling
System of Record Identity Store Reference Systems Resource SOR
Standard Interface
Dashboards Policy Enforcement
Certifying
Managers
and Auditors
Certification
Customized Interface
On-boarding
Business
Applications
Manager
Requesting and
Attesting Access
Delegated
Administration
End Users
Employee and Non-
Employee
Activity Monitoring
Self-Service Reconciliation
Connectors
Periodic Review
Review History
Workflow
Interface
Enforce Policy
Approval
Workflows
Role Management
Role Discovery Lifecycle Mgmt
Role Creation
Role Certification
Administration
Password
Entitlements
Manual Provisioning
LOB
Notification
Workflow-Business
Process
Roles
Enforce Policy Database
Role Assignment

What is IAM Methods 2.0?
Deloitte IAM Methods is:
Deloitte’s proven method for consistently delivering value on Identity and Access
Management strategy, implementation and operation engagements across all
industries
A scalable approach that can be applied to projects of different sizes
A set of step-by-step, repeatable tasks with enabling tools, templates, and
samples for executing a consistent, high-quality project aligned with standards
A consistent approach that is understood by all professionals on IAM projects
An easy-to-navigate repository for templates and artifacts as it relates to the
overall project timeline and structure

General approach no. 1.
Waterfall characteristics and assumptions
• Waterfall Lifecycle addresses highest risks
late in project, impacting overall project
success:
– Requirements issues
– Data quality issues
– Design issues such as integration and
1. Getting it right the
first time
• Assumes that requirements, design, solution build, test, and deployment
phases can run sequentially, resulting in a successful “single pass”
implementation
2. Freezing
requirements
• Assumes that requirements can be gathered and frozen early in the projects
– Stakeholders validate requirements in User Acceptance Testing, long after
interviews and workshops
3. No integration
surprises
• Assumes that IAM solution can be built, integrated with managed resources;
data migrated with minimal issues
• Assumes implementation schedule and costs can be accurately estimated
“up front”
performance
• Schedule delays result in lower client
satisfaction and lower project rate per hour
Test Deployment
Build
Solution
Analysis &
Design
Requirements
Business
Modeling
TIME
Apparent Progress
Highest risks
addressed late in
project, when cost of
changes are highest
Risk Levels

With a single-pass implementation, communication errors and misunderstanding
may not become apparent until very late in the project life cycle.
Stakeholder satisfaction?
As proposed by
project sponsor
As produced by
the developers
As captured in
requirements
As implemented
As designed
What
stakeholders
wanted

Iterative projects focus on driving down key risks early in the project lifecycle.
Business, Technical, and Project risks are addressed as early as possible, rather
than postponing risk resolution.
Iterative projects to reduce risk
Waterfall
TIME
RISK
Risk Reduction
Iterative

Structure of IAM Methods 2.0
Showing the path from overall to detailed tools.
Our method structure aligns with industry standards, addresses how the
work gets done and uses standard language to drive consistency
Phase Definition
Strategy and
Roadmap
Implementation
Security
Application
Management
Services
Define
Phase Structure
• Planning — Confirm scope and coverage of IAM goals and vision
• Current state analysis — Gain an understanding of the current state, including business challenges,
business processes, and existing infrastructure
• Target state analysis — Identify required IAM services for the short, medium, and long term. Discuss
business process and technology options to deliver on these IAM needs
• Gap analysis — Perform gap analysis of IAM environment from current state to target state.
• Strategy and roadmap — Create an IAM strategy with timelines, priority, and costs considered.
• Cost analysis — Determine budget requirements and cost analysis for the IAM program
Delivery
• Planning and analysis — Collect and validate IAM requirements and document desired end states
• Design — Workshop and document the solution architecture and design, including functional and
non-functional components and hardware and software requirements. Define and document test plan
• Build — Establish solution code base. Develop code and perform configuration according to design
specifications
• Test — Perform system integration testing to verify functional correctness, performance testing to
verify non-functional expectations, and support customer User Acceptance Testing
• Deploy — Assess production readiness, prepare for production deployment, and develop rollback
strategy. Deploy solution to production and validate deployment
• Transition — Conduct knowledge transfer sessions to Operations and Support team
Maintain
• Planning — Confirm scope, discovery, and high level transition plan
• Service enablement — Gain an understanding of the Client’s current IAM processes in terms of
business process, platforms, and key stakeholders through knowledge transfer and shadowing
• Service delivery — Deliver the development, support, and platform administration services by
leveraging the processes established during the service enablement phase
• Handover — Conduct knowledge transfer sessions and oversee managed transition support
Project Management - Governance - Organization Change

Project management and governance
IAM: Strategy and roadmap
Planning Gap analysis
Strategy and
roadmap
Current state analysis
Target state
analysis
Cost analysis
Organizational change management
Tasks/Activities
• Create project plan for
program of work
• Review overall strategy
scope and confirm
business goals
• Identify and confirm IAM
vision
• Identify key stakeholders
and schedule meetings
• Agree on final look and
scope of key Artifacts
• Obtain documents
describing the existing IAM
processes
• Conduct stakeholder
interviews/focus groups to
discuss current IAM
challenges
• Perform current state
assessment of IAM
environment
• Understand business,
regulatory, and technology
drivers
• Understand information
security policies,
procedures and map them
to IAM system
• Assess maturity of
current IAM service
areas and IAM
governance structure
• Identify business drivers
for IAM and prioritize
• Identify IAM services to be
provided
• Identify business and
governance processes to
be provided by IAM
• Define targeted IAM
Maturity level
• Conduct IAM workshops,
with a focus on business,
regulatory, and technology
streams
• Define program
monitoring, measurement,
and reporting
• Define initial set of target
state IAM reference
architecture options
• Perform gap analysis
between current state and
target state environments
• Update target state
reference architecture
options based on findings
of gap analysis
• Finalize target state
architecture options
• Define IAM services and
prioritization order
• Define IAM roadmap for
implementation
• Develop IAM program
monitoring
• Define vendor selection
process
• Select IAM vendor and
technology
• Assist with generating or
evaluating RFP
• Assist in Proof of concept
(POC)
• Prepare executive briefing
presentation
• Complete executive
briefing on strategy and
roadmap
• Define/Confirm
organizational budget
requirements for IAM
Program
• Identify initial and recurring
technology costs
associated with the IAM
program
• Identify people costs
associated with IAM
program
• Develop multi-year cost
analysis for IAM program
Tools and
accelerators
• Requirements
management tools
• IAM current state
analysis template
• IAM Workshop Approach
Template
• IAM target state analysis
template
• IAM gap analysis
template
• IAM Maturity model
• Vendor selection toolkits • IAM Cost Analysis
Templates
Artifacts and
Deliverables
• Work Plan
• IAM vision statement
• Project Status Report
• Current State Assessment
report
• IAM objectives, goals, and
services list
• IAM business and
governance process lists
• Target state architecture
options
• IAM Roles and
Responsibilities Matrix
• Gap analysis report • Maturity Models and
Metrics
Capabilities/Dashboards
• Vendor selection checklist
• IAM strategy and roadmap
• Executive briefing
presentation
• IAM Program Cost Model
13

Exit criteria
Planning
Current
state analysis
Target
state analysis
Gap analysis
Strategy and
roadmap
PPlalannninnging Cost analysis
Objectives
• Understand business goals, stakeholders' priorities, and perspectives
• Understand the IAM needs for each IAM Service area
• Lead stakeholders to a common understanding of IAM vision.
• Establish and maintain agreement with stakeholders on IAM goals.
Tasks/Activities
• Create project plan for program of work
• Review overall strategy scope and confirm business goals
• Identify and confirm IAM vision
• Identify key stakeholders and schedule meetings
• Agree on final look and scope of key artifacts
• Obtain documents describing the existing IAM processes
Key considerations
• IAM vision statement is clearly defined and captures
an agreement on the high-level purpose, business
scope, and project boundaries.
• Roles and responsibilities are clearly defined and
project expectations are set with stakeholders
• Utilize templates, tools, methods and accelerators to
gain efficiencies and quality
Project roles
• Business Process Owners
• Project Sponsor
• Project Manager
• IAM Specialist
• Approved Project Plan
• Approved Scope statement
• Workshops and Interviews Calendar
Tools/Accelerators
• Requirements management tools
Artifacts/Deliverables
• Work Plan
• IAM Vision Statement
Method and approach

Requirements management tools
Method and approach
Switch to IAM Method – Detail documentation
- 1. Planning & Analysis
- Requirements management tools
- Sam_IAMSolutionRequirementsSpecification_Client_A_C.docx

IAM: Implementation
Planning and analysis Design Build Test Deploy Transition
Tasks/Activities
• Define project
management plan
• Develop governance
plan
• Prepare project plan
• Develop communication
plan
• Review current
documentation to identify
requirements
• Conduct workshops to
Identify and validate
business requirements
• Identify IAM business
modeling for process
and organization
• Develop and Define use
cases
• Conduct Proof of
Concept (POC)
• Conduct workshops to
discuss solution
architecture and design
approach
• Develop solution
architecture
• Develop solution design
• Prepare test strategy
• Prepare training strategy
• Prepare test plan
• Prepare test scripts and
data
• Establish IAM solution
build repository
• Build development
environment
• Build IAM solution
• Prepare solution build
document
• Execute unit testing
• Perform solution QA
• Build Pre-production
environments
• Migrate IAM solution to
pre-production
environments
• Perform System Testing
• Conduct training
• System Integration
Testing
• Prepare Training
materials
• Performance Testing
• User Acceptance Testing
• Production readiness
review
• Prepare deployment
plan
• Perform production
deployment
• Go-live activities
• Production verification
testing
• IAM system go-live
• Prepare operational
documentation
• Update project
documentation to reflect
as-built status
• Prepare and conduct
handover sessions with
client team
• Handover of IAM
solution repository
• Document lessons
learned
• Conduct project closure
tasks
Tools and
accelerators
• Project Contacts list
• Project status report
• Requirements
traceability matrix
• IAM Test scripts
template
• IAM Configuration
tracker
• IAM Master code
register
• Test Case Tracker • Production cutover
plan
• Go-live communication
plan
• Post Implementation
Review
Artifacts
• Project Management
Plan
• Work Plan
• Project governance
• Communication plan
• Solution Requirements
Specification
• Solution architecture
• Solution design
specification
• Training strategy
• Test Strategy
• Solution code,
customizations, and
configurations
• Solution build document
• Test Plan
• Test scripts and test
data
• Training materials
• Test summary report
• Updated project
documentation
• Deployment plan
• Live solution
• IAM operations manual
• Post Go-Live System
Evaluation Plan
• IAM Solution operations
transition
• Transition of IAM
solution repository
• Project closure

Security Application Management Services
Planning Service enablement Service delivery Handover
Tasks/Activities
• Mobilize onsite and integrate with the
current project teams
• Establish Governance
– Review GBTs
– Define Operations Management
structure
– Define the operations scope,
including the responsibilities of the
business and IT
• Review Operations
– Define SLAs
– Review quality and risk plans
– Review inflight and planned projects
and plans
• Begin Discovery planning
– Delivery Model
– Roles and Responsibilities
– Knowledge transfer plan
– Operations Infrastructure
• Establish onsite/offshore infrastructure
– Test communications, connectivity,
and access options
• Understand the current IAM security
application management service
processes
• Begin onsite shadowing of
maintenance support activities
• Finalize maintenance roles, activities,
and performance metrics
• Integrate onsite and offshore teams
– Establish and test onsite/offshore
integrated maintenance processes
– Transition to onsite/offsite team
• Begin transferring application
maintenance tasks
• Perform Service Delivery
– Deliver enhancements
– Provide incident, problem, change,
configuration, and release
management services
– Perform service management for
platform and product deployments
• Begin performance measurement of
service delivery
• Analyze performance metrics for
quality, efficiency, schedule, and
turnaround time
• Analyze business process efficiencies
• Compare and contrast project metrics
with historical metrics
• Develop project performance summary
report
• Prepare and conduct handover
sessions with client team
• QRM/QAR checkpoint
• Handover of IAM solution repository
• Document lessons learned
• Conduct project closure tasks
Tools and
accelerators
• Project contacts list
• Project status report
• IAM Playbook • Application Integration Guide
• IAM Dashboard and Metrics
• IAM lessons learned
Artifacts
• Scope Validated
• Organization Structure
• Discovery Plan
• High Level Transition Plan
• Roles and Responsibilities Matrix
• Escalation Plans and Procedures
• Current-State Performance Snapshot
• Service Delivery Infrastructure
Established
• Onshore/Offshore Team Established
• Knowledge Transfer Complete
• Transition Status Reporting
• Service Delivery Model
• Service Delivery Operations Launched
• Optimized Organization Structure
• Updated IAM solution documents
• Enhancement cookbooks
• Periodic status report and metrics
• IAM Solution operations transition
• Transition of IAM solution repository
• Project closure report

Marcus Sörlander
Partner
+46 752 46 20 00
msoerlander@deloitte.se
Albin Finne
Senior Manager
+46 752 46 20 00
alfinne@deloitte.se
Who you gonna call?
Michael Nielsen
Partner
+45 2444 1531
micnielsen@deloitte.dk

IAM Methods 2.0 Presentation Michael Nielsen Deloitte

More Related Content

What's hot (20)

Similar to IAM Methods 2.0 Presentation Michael Nielsen Deloitte (20)

More from IBM Sverige (20)

Recently uploaded (20)

IAM Methods 2.0 Presentation Michael Nielsen Deloitte