GLOCO. Enterprise Single Sign-On Plus Solution


GLOCO Enterprise Single Sign-On Plus Solution
ALM Capstone Project, Spring 2011
Submitted by: Matthew Boudreau, Ryan Field, John Fitch, Michael Kwapniewski, Ikramul Wadud

Table of Contents

EXECUTIVE SUMMARY
  CLIENT
  VENDOR
  BUSINESS PROBLEM
  PROPOSED SOLUTION
  BUSINESS BENEFITS
PART 1: BUSINESS REQUIREMENTS
  BUSINESS PROBLEM
  BUSINESS OBJECTIVES AND FUNCTIONAL REQUIREMENTS
  PROPOSED SOLUTION
  STAKEHOLDERS
  SCOPE
  USE CASES
    Use Case 1: Consolidate Application Access
    Use Case 2: Streamline Password Reset
    Use Case 3: Enhance Auditing, Reporting and Record Keeping
  BUSINESS BENEFITS AND SUCCESS MEASURES
    Overall Business Impact
    Business Value Metrics
    Business Driver I: Increased user productivity
    Business Driver II: Reduced help desk costs
    Business Driver III: Reduced development time and costs
    Business Driver IV: Security policies compliance and auditing
PART 2: TECHNICAL SPECIFICATIONS
  ARCHITECTURAL OVERVIEW
  SOFTWARE OVERVIEW
    ESSO Vendor Selection
    Oracle ESSO+ and GLOCO Business Requirements
  SOFTWARE COMPONENTS
  SOFTWARE PLATFORM
  TECHNICAL CONSIDERATIONS
    Deployment Model
    Performance
    Scalability
    Redundancy
    Security
  INTEGRATION
    Application Integration Example: Use Cases 2 and
  SOLUTION DEMONSTRATION
PART 3: IMPLEMENTATION PLAN
  ROAD MAP FOR ESSO INITIATIVE
    Application Analysis and Prioritization for Phase
  PROJECT MANAGEMENT METHODOLOGY
    Stakeholder Responsibilities
    Deployment Roll Back
  PROJECT TIMELINE / HIGH LEVEL WBS
    Project Plan & Milestones
    Incident, Change & Release Management
  RISKS & MITIGATION
  TESTING
  TRAINING
  SUCCESS CRITERIA
REFERENCES
APPENDICES
  APPENDIX A: PROPOSAL RESEARCH
  APPENDIX B: SUCCESS METRIC CALCULATION ASSUMPTIONS
  APPENDIX C: ISO ABSTRACT
  APPENDIX D: GARTNER MAGIC QUADRANT FOR ENTERPRISE SINGLE SIGN ON
  APPENDIX E: GARTNER MARKET SCOPE RATING FRAMEWORK
  APPENDIX F: ORACLE ESSO SUITE SUPPORTED SOFTWARE LIST
  APPENDIX G: GARTNER MAGIC QUADRANT FOR IDENTITY MANAGEMENT SYSTEM VENDORS
  APPENDIX H: COMPLETE LISTING OF STANDARD REPORTS
  APPENDIX I: ESSO INTEGRATION MATRIX SUMMARY
  APPENDIX J: SOFTWARE DEMONSTRATION FOR SCENARIO
  APPENDIX K: SOFTWARE DEMONSTRATION FOR SCENARIO
  APPENDIX L: SOFTWARE DEMONSTRATION FOR SCENARIO
  APPENDIX M: SOFTWARE DEMONSTRATION FOR SCENARIO
  APPENDIX N: COMPLETE ORACLE IDENTITY MANAGEMENT SOLUTION
  APPENDIX O: TESTING CRITERIA
  APPENDIX P: WORK BREAKDOWN STRUCTURE
  APPENDIX Q: EVALUATION QUESTIONNAIRE
  APPENDIX R: ESSO+ TIMELINE
END NOTES

Executive Summary

Client

GLOCO is a privately held, multi-national medical equipment manufacturing company based in Cambridge, Massachusetts. It has manufacturing plants, distribution facilities, and a network of sales and service centers across North and South America, the Asia-Pacific region, and Europe. GLOCO's strategy of fueling growth by investing internally while expanding via acquisition of competitors has positioned the company as an industry leader. Since its founding in 1988, GLOCO has grown steadily and currently has 29,000 employees at 110 global sites, with FY2010 worldwide revenue totaling $7B USD.

Vendor

Strategic Information Access Management Consulting (SIAM) is an Information Technology consulting firm based in Cambridge, Massachusetts. Founded by Harvard University Extension School alumni, SIAM specializes in enterprise identity management solutions. SIAM helps clients plan, design, and implement new identity-based infrastructures as well as extend existing identity management systems in order to maximize clients' IT investment.

Business Problem

As a result of GLOCO's rapid growth and expansion around the world, systems and processes have become decentralized and increasingly costly to maintain and secure. To protect its assets, streamline processes, and contain the security risks associated with aggressive global expansion, GLOCO has identified the need to integrate the application access management processes across all its global sites.

SIAM identified these actionable business goals with GLOCO through preliminary management meetings and company research:

- Empower end users to manage their own credentials to reduce help desk costs and keep users productive
- Reduce the operational and support costs of system access security
- Reduce software development costs and implementation times of application access modules
- Streamline compliance through improved auditing, reporting, and record keeping

Proposed Solution

To address the above-mentioned business goals, SIAM Consulting and GLOCO's Information Technology and Communications (ICT) group have agreed on a partnership to implement an Enterprise Single Sign-On (ESSO) solution. This solution offers a high return on investment through non-intrusive and comparatively inexpensive integration with GLOCO's legacy and future enterprise applications.

Business Benefits

SIAM's ESSO solution will have a direct impact on GLOCO's employee productivity and effectiveness, as well as the company's financial costs. The implementation will decrease the number of password reset and access-related issues, resulting in cost savings for help desk and IT support services. GLOCO's password reset requests make up approximately 47% of service desk calls. The reduction in time spent resolving access-related issues will help increase employee productivity; productivity losses have been estimated by GLOCO to be approximately 70,000 hours. SIAM's ESSO solution will also help GLOCO achieve regulatory compliance by centralizing application access logs for improved auditing and record keeping.

Part 1: Business Requirements

Business Problem

Systems and processes have become decentralized and increasingly costly to maintain and secure due to GLOCO's rapid growth and expansion around the world. To protect its increasing assets, streamline processes, and contain the security risks associated with aggressive global expansion, GLOCO has identified the need to consolidate and streamline the application access management processes for its 29,000 employees at 110 global sites.

Business Objectives and Functional Requirements

GLOCO desires an enterprise-level system access solution that will allow customers and employees quick and easy access to new and legacy business applications via a simple user authentication and authorization process. The SIAM team has developed business requirements with GLOCO's management team and grouped them into four primary Business Driver categories. From each of these business drivers the following individual functional requirements were derived.

Figure 1 - Business Driver and Functional Requirements Mapping

Proposed Solution

To address the above-mentioned business goals, SIAM will work with GLOCO's ICT group to implement an Enterprise Single Sign-On (ESSO) solution. ESSO applications enable users to be authenticated via their credentials once, and then subsequently log in automatically without re-supplying credentials to other target systems when accessed by that user. The tools manage the authentication interactions with the target systems (including password change requests and some post sign-on automation tasks) seamlessly without modifying the target systems. (Kreizman)

Stakeholders

SIAM and GLOCO agree that the ESSO initiative is a joint partnership. In order to make the partnership successful, specific success deliverables, objectives, indicators and metrics must be agreed upon by all project stakeholders. This includes representatives from both GLOCO and SIAM.

Table 1: Project Stakeholders
GLOCO: GLOCO Project Sponsor; GLOCO Management; GLOCO Project Management; GLOCO ICT; GLOCO System Users
SIAM: SIAM Management; SIAM Project Management; SIAM Implementation Team

Scope

The proposed ESSO solution will be implemented in a phased approach to ensure seamless integration. This approach allows issues identified in earlier phases to be corrected during subsequent implementations. Each phase will involve a milestone review where both GLOCO and SIAM evaluate the progress of the previous phase's success indicators and then mutually identify and agree to the next phase's scope, timeframe, and deliverables. The number of end users, volume of authentication help desk calls, and relative significance of each system will be used to prioritize the scope and sequencing of each phase. This process will be described in more detail in Part 3: The Implementation Plan.

Use Cases

Use Case 1: Consolidate Application Access

As-Is Process: GLOCO employees log into their Windows desktop with username and password credentials. On average, once logged in they require eight additional sets of unique credentials to access additional business applications. These applications vary and include clients, Java applications, host and mainframe applications, custom business applications, and enterprise applications.

Figure 2 - As-Is Application Login Process

Problem: Employees find maintaining eight sets of unique user names and passwords with different strength and lifespan requirements frustrating. Employees feel productivity is negatively impacted through time lost logging in multiple times to additional applications. This issue is compounded as new applications are deployed, introducing additional credential requirements.

To-Be Process: GLOCO employees will maintain only one set of login credentials. They will sign onto their desktop with these credentials and be able to access the various business-critical applications without re-authenticating. The ESSO solution will automatically handle additional business application authorization and authentication.

Figure 3 - To-Be Application Login Process

Functional Requirements Met: FR.1, FR.2, FR.4 and FR.5. Additionally, Use Case 1 satisfies Business Driver I and Business Driver III.

Use Case 2: Streamline Password Reset

As-Is Process: GLOCO employees with authentication issues open a help desk ticket to reset their Windows or application password. Help Desk personnel then file an Inter Departmental Request (IDR) with the ICT or business application support team for user verification. Once the support team validates the user's credentials, the Help Desk personnel create a Password Reset Request (PRR) ticket with the account administration group to reset the user's password or unlock the user's account. Once the account administrator resets the password or account, the initial help desk ticket is finally set to resolved.

Figure 4 - As-Is Password Reset Process

Problem: Resetting passwords for desktops and business applications is a multi-step, cumbersome process. Inefficiency and backlogs often make the reset process longer than expected, keeping employees from accessing business-critical applications and directly impacting productivity.

To-Be Process: GLOCO employees will have the option to reset their passwords directly from the Windows logon prompt on their locked-out workstations.

Figure 5 - To-Be Password Reset Process

Functional Requirements Met: FR.3. Use Case 2 also satisfies Business Driver II and Business Driver III.

Use Case 3: Enhance Auditing, Reporting and Record Keeping

As-Is Process: The ICT audit group contacts different individuals from siloed application support teams for information such as access logs and account maintenance activity for auditing and compliance. No mechanisms exist that allow the ICT audit group to independently access this application information. Additionally, the information requested from each support team is not standardized.

Problem: The ICT audit group is responsible for ensuring that corporate information security policies are being enforced. Reaching out to individual application support teams for audit requests often causes significant delays, resulting in security and compliance risks. Reporting and analysis of the information gathered is a labor-intensive process because of the various formats and types of information provided. Lack of standardization prevents timely analysis, identification, and response to audit issues.

To-Be Process: ICT will be able to centrally record detailed enterprise-wide user account and application access information, resulting in better auditing and compliance capabilities. Additionally, standardized data formats will give ICT the flexibility to rapidly generate customized reports and analysis.

Functional Requirements Met: FR.6 and FR.7. Use Case 3 also satisfies Business Driver IV.

Business Benefits and Success Measures

Overall Business Impact

SIAM ESSO implementations typically fall into line with industry standards provided by Gartner. On average, implementations run for 3 to 6 months with a scope of 10 to 20 applications and approximately 2000 users. The average cost of such an implementation is $300,000 with $50,000 per year in service fees. With this level of engagement, companies usually recoup their costs in 2 years. Because GLOCO currently does not have an enterprise-wide identity management system, the business benefits will likely exceed this standard rate of return on investment.

Business Value Metrics

At the outset of the ESSO project, SIAM will work directly with GLOCO business managers to develop a business value scorecard. This scorecard will capture key pre-ESSO business metrics that will then be compared to their corresponding values captured post-ESSO implementation. The resulting scorecard will represent a hard measure for calculating the ESSO product's actual business value, providing a tangible reflection of the success of the project. A sample GLOCO ESSO value scorecard is represented below. [1]

[1] See Appendix B for supporting calculations.

Figure 6 - GLOCO ESSO Business Value Scorecard

Business Driver I: Increased user productivity

Maintaining multiple login credentials contributes to employee productivity losses over the course of a year. Currently, GLOCO employees collectively spend 29,000 work hours per year on password management to comply with a mandatory 60 day password reset policy. Moreover, GLOCO employees also lose a combined 48,000 working hours per year to forgotten passwords and account lockout related issues. GLOCO can achieve user productivity gains with the implementation of ESSO by effectively eliminating over 70,000 hours per year in user productivity losses. The expected success measure after implementation of ESSO will be an 85% reduction in wasted productivity hours related to login issues.

Business Driver II: Reduced help desk costs

An ESSO solution will reduce the management of multiple passwords and allow the delegation of administration functions to the user and user group level. This will drastically reduce the number of password-related help desk calls, directly reducing the subsequent costs for supporting these calls. Analysis has shown that GLOCO's portion of password-related calls is 47%, well above the industry standard percentage of 40%. (Gartner) On average, GLOCO's cost for handling these calls is $30 per call. With a typical ESSO installation, help desk costs are reduced by 35-45%. At GLOCO, the expected success measure post ESSO implementation will be a 40% reduction in call volume that would result in approximately $870,000 USD in savings per year.

Business Driver III: Reduced development time and costs

ESSO is a non-intrusive and comparatively inexpensive solution to deploy which enables rapid application development. GLOCO application development teams spend on average 1,440 development hours per 12 week software development project. Among these development hours, approximately 250 hours are spent on designing, developing, and testing user account and login related functionalities. With a successful ESSO installation, developers will be able to leverage the standardized account access process, potentially reducing average development time by 18%. A standardized account process does not currently exist because a software solution is required to integrate the login functionality across applications. This expected success measure will account for an approximate $10,000 in cost savings per 12 week development project.

Business Driver IV: Security policies compliance and auditing

To comply with ISO and other standard industry security policies, GLOCO must clearly define, implement, and audit all application access procedures including access logs and account maintenance activity. This represents substantial investment and additional administration costs for GLOCO. GLOCO's current manual audit process consists of two components: time spent gathering data and time spent analyzing data. Typically at GLOCO the average time allocated to both components is 40 hours. The introduction of near real time auditing with an ESSO implementation is expected to reduce the gathering time per audit by 90%. Additionally, with standardized data and pre-defined reports, the analysis time will be reduced by 60%. As a result, the expected success measure the company will experience is at least a 75% reduction in audit costs.

[2] See Appendix C for abstract.

Part 2: Technical Specifications

Architectural Overview

GLOCO's ESSO implementation will be the key first step towards a complete and integrated enterprise identity management solution. The ESSO solution will address the functional requirements described above in Part 1 while specifically focusing on streamlined application authentication, password reset functionality, and audit reporting.

Software Overview

Figure 7 - ESSO Architecture Overview

ESSO Vendor Selection

Based on our comprehensive research and analysis, SIAM Consulting recommends the Oracle Enterprise Single Sign-On Plus (Oracle ESSO+) Suite for GLOCO's ESSO solution. Gartner has identified Oracle ESSO+ as a leader in the ESSO market and for standardizing application access, authentication, and password management processes. [3] (Gartner 2008) SIAM's ESSO vendor comparison grid below (see Table 2) illustrates the primary criteria considered when evaluating vendor offerings, confirming Gartner's conclusions about Oracle ESSO+.

Table 2 - SIAM ESSO Vendor Analysis

[3] See Appendix D: Gartner Magic Quadrant for ESSO and Appendix E: Gartner Market Scope Rating Framework.

SIAM recommends Oracle ESSO+ for several reasons specific to GLOCO's environment. Oracle ESSO+ is fundamentally based on a client-side architecture. Because the utility resides on the client rather than in the target application, the ESSO+ footprint at GLOCO will be minimal and isolated, reducing integration issues and modification to existing applications. Oracle ESSO+ components can be implemented as either stand-alone applications or integrated components as part of the Oracle Identity Management application stack. This allows functionality to be incorporated on GLOCO's timetable and facilitates a phased approach based on GLOCO's comfort level and priorities. Oracle ESSO+ also uses the first password to log on to the network and other applications for authentication purposes, which fits with GLOCO's current login practices. Moreover, Oracle ESSO+ allows GLOCO system administrators to extend their current reporting and auditing capabilities at both the application and user levels.

Fundamentally, Oracle ESSO+ is a user enablement focused solution that will create a standardized user experience across GLOCO from both the password management and system administration perspective. Oracle ESSO+ supports multiple directories, databases, leading portals, application servers, enterprise applications, [4] and operating systems, complementing GLOCO's heterogeneous IT environment. The Oracle ESSO+ Anywhere installation strategy discussed in detail later in this document will facilitate GLOCO's deployment process while allowing centralized software updates and rollback functionalities. This will achieve the overall business objective of improving the GLOCO ICT System Administrator team's performance and efficiency on various configuration and administrative tasks.

Oracle ESSO+ and GLOCO Business Requirements

The core functionalities of the ESSO+ solution will address GLOCO's business drivers outlined in Part 1 of this document as follows.

User Authentication and Administration: Once a user logs into their desktop via their primary logon/authentication method (Windows username/password), the ESSO+ Logon Manager components (Admin Console, Agent) will complete access requests to participating password-protected GLOCO applications. This will eliminate the need for manually re-entering credentials for each application. GLOCO staff can also use ESSO+ Logon Manager with additional personal accounts for non-participating applications and web sites. Additionally, ESSO+ Logon Manager centralizes administration by allowing GLOCO administrators to create and manage both user accounts and logon credentials concurrently through a single console.

[4] See Appendix F for Oracle ESSO supported software list.

Password Reset Management: The ESSO+ Password Reset component provides GLOCO users with self-service password reset abilities. This enables users to reset their GLOCO Windows domain passwords without the involvement of help desk personnel and/or system administrators, resulting in significant administrative time and cost reductions. Users will initially answer required and optional security questions in the form of an enrollment interview. The answers to this enrollment interview (referred to as a "reset quiz") are then used to identify the user when resetting a lost or forgotten password. ICT administrators will have the ability to set the number of questions for a reset quiz. The GLOCO administrator will also configure the password reset process to first provide the user with a temporary password that the end user can use to log in to his/her Windows workstation in order to create a new permanent password.

Reporting and Compliance: The ESSO+ Reporting component will help GLOCO meet compliance requirements by extending audit and reporting capabilities to include user sign-on information. GLOCO ICT administrators will use the component to create, configure, run, edit, save, schedule, , and preview custom reports generated using ESSO+ event records logged in GLOCO's reporting databases. Administrators can customize different report outputs (tables, graphs, and charts) with various configuration parameters (e.g. User ID, time interval, date range, application template names, etc.).

Reduced Development Time and Costs: Oracle ESSO+ will not address GLOCO's goal of reducing development time and costs. After reviewing the scope of the project, the phased implementation of GLOCO's overall Identity Management strategy, and the gains to be realized by ESSO+, GLOCO and SIAM agreed to address this business goal in a later phase of the overall Identity Management project.

Software Components

As discussed previously, one of the benefits of Oracle's ESSO+ Suite is the number of integrated components that can be implemented to customize a specific solution to meet GLOCO's needs. For phase one, SIAM recommends the following components (in yellow) of Oracle ESSO+ Suite (see Figure 8).

Figure 8 - GLOCO ORACLE ESSO+ Architecture

Oracle Enterprise Single Sign-On Logon Manager Agent (ESSO-LM Agent)

This is the base client component that will be installed on each GLOCO user's desktop. It will run as a background application on the user's system (accessible from the system tray) and is capable of performing varying levels of interaction with application sign-on authentication. ESSO-LM Agent will populate the appropriate forms and fields in Windows, web, Java, and mainframe GLOCO applications based on centrally stored templates, auto-detected sign-on prompts, and locally stored authentication information. Field information such as username and password will either be filled in manually by end users during first-time use or by GLOCO ICT administrators via the ESSO+ provisioning server for the user's account information. Subsequent logons to those applications are then automatically handled by ESSO-LM Agent.

Oracle Enterprise Single Sign-On Administration Console (ESSO-LM Admin)

This component will enable GLOCO administration of the ESSO+ environment and creation of application templates. An application template is a set of configuration options specified by GLOCO administrators that instruct the ESSO-LM Agent on each user's desktop how to interact with application windows and the forms they contain. Templates are created and posted to GLOCO's existing Active Directory (AD), SQL database, or TDS central repository. The settings for how frequently ESSO-LM Agents synchronize with the repository will also be defined here as part of its configuration according to GLOCO's needs. ESSO-LM Admin is considered the core administrator tool for ESSO+, and any additional components GLOCO chooses to implement function as plug-ins for the ESSO-LM Admin component.

Oracle Enterprise Single Sign-On Provisioning Gateway (ESSO-PG)

The ESSO-PG Admin Console component is a plug-in for the ESSO-LM Administrative Console that provides GLOCO administrators the capability to manage provisioning rights for specific applications and users. The ESSO-PG client is a plug-in configuration for ESSO-LM Agent. Both the Admin Console and client connect with the ESSO-PG server to synchronize the user's ESSO-LM rights and permissions. This means GLOCO administrators will add, modify, and delete IDs and passwords for particular applications within the provisioning system and have those changes reflected in the user's ESSO-LM. GLOCO administrators can use this component for employee terminations to delete a user's credentials in ESSO-LM Agent to eliminate that user's access to any or all protected GLOCO applications.

Oracle Enterprise Single Sign-On Anywhere (ESSO Anywhere)

This plug-in component for the ESSO-LM Admin Console will simplify GLOCO's deployment of Oracle ESSO-LM Agent to client desktops. It will allow GLOCO administrators to build deployment packages that can be posted to the central GLOCO intranet portal. From here users will download and install the ESSO-LM Agent application themselves. This simple and efficient deployment method will be utilized for any ESSO-LM maintenance including updates, rollbacks, and version control. For the GLOCO implementation, Logon Manager Agent (ESSO-LM Agent) and Provisioning Gateway (ESSO-PG) will be deployed to users via ESSO Anywhere.

Oracle Enterprise Single Sign-On Password Reset (ESSO-PR)

This component will reduce GLOCO's help desk costs and improve user experience by enabling self-service of users' Windows accounts. ESSO-PR provides users a desktop interface to reset Windows passwords and unlock Windows accounts in their current or any other trusted network domain. Once ESSO-PR is deployed on the user desktop, the ESSO-PR client connects to a secure web server to build a customized personal reset quiz. The user will answer standard enterprise and personal questions, each of which is assigned positive and negative values for correct or incorrect answers. If the user reaches an administrator-defined confidence threshold score they are allowed to reset their Windows password. If the user hits a negative threshold score they are locked out, and alerts and help desk tickets are automatically generated. In addition to the ESSO-PR user client, there is an ESSO-PR Administration component which connects to .NET web services running on the ESSO application server. GLOCO administrators will use this to configure quiz questions, point values, and threshold scores. The rules and questions are written in plain spoken language, and up to 12 different languages are available to make international distribution across the GLOCO enterprise customizable by region.

Oracle Enterprise Single Sign-On Reporting (ESSO-Reporting)

This ESSO+ component will consist of two main elements when deployed at GLOCO. The first element will be a centralized reporting database that stores logs of all GLOCO-specified event information from all other deployed ESSO+ components. The second element will be a web-based Reporting Administrative Console for the creation, schedule management, and viewing of GLOCO usage, security, and audit reports derived from the logs. Additionally, the Admin Console will allow GLOCO administrators to enable/disable reporting and configure GLOCO-specific database options for performance tuning such as cache limits and batch sizes. Appendix H details the full list of standard reports and logged events.

Among the standard reports available to GLOCO out of the box are: Account Reconciliation; Application Credentials Added; Application Usage by User; Failed Authentication Events; First Time Use; Password Change; Pause & Shutdown; Shared Application User IDs; User Activity; and User Credentials Provisioned.

The types of events available for GLOCO to log include:

- Credential Use Events: support for logons, manual password changes and automatic password changes
- Credential Change Events: add credentials, delete credentials, change credentials, copy credentials, etc.
- Global Credential Events: backup, restore, synchronize, etc.
- Platform Events: startup, shutdown, etc.
- System Events: Logon Manager, Settings, Help, About, etc.
- application name, application username, application third field, date, time, etc.
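The ESSO-PR reset quiz scoring described above (positive and negative point values per question, a confidence threshold and a negative lockout threshold), as an added example that is not Oracle's code and not part of the original proposal. The questions, point values, thresholds, the in-order presentation and the salted-hash storage of answers are constructed assumptions; all function and class names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from enum import Enum

ITERATIONS = 100_000  # PBKDF2 work factor for stored answers (assumed value)


class Outcome(Enum):
    RESET_ALLOWED = "reset_allowed"  # confidence threshold reached
    LOCKED_OUT = "locked_out"        # negative threshold reached: alert and ticket
    INCONCLUSIVE = "inconclusive"    # questions exhausted: treat as denied


@dataclass(frozen=True)
class Question:
    prompt: str
    correct_points: int    # positive value added for a correct answer
    incorrect_points: int  # negative value added for an incorrect answer


@dataclass(frozen=True)
class QuizPolicy:
    questions: tuple[Question, ...]
    confidence_threshold: int  # score at or above this allows the reset
    lockout_threshold: int     # score at or below this locks the user out

    def min_correct_to_pass(self) -> int | None:
        """Fewest correct answers that could ever reach the confidence threshold."""
        total = 0
        ranked = sorted((q.correct_points for q in self.questions), reverse=True)
        for count, points in enumerate(ranked, start=1):
            total += points
            if total >= self.confidence_threshold:
                return count
        return None  # threshold unreachable: no one could ever reset


def normalize(answer: str) -> bytes:
    """Fold case, Unicode form and spacing so honest typing variations match."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Enrollment interview: keep only a salted, stretched hash of the answer."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def run_quiz(policy: QuizPolicy, enrolled: dict, answers: list[str]):
    """Score answers in order; return (outcome, score, questions asked)."""
    score, asked = 0, 0
    for question, given in zip(policy.questions, answers):
        asked += 1
        salt, digest = enrolled[question.prompt]
        correct = verify(given, salt, digest)
        score += question.correct_points if correct else question.incorrect_points
        if score >= policy.confidence_threshold:
            return Outcome.RESET_ALLOWED, score, asked
        if score <= policy.lockout_threshold:
            return Outcome.LOCKED_OUT, score, asked
    return Outcome.INCONCLUSIVE, score, asked


# Constructed sample data: one enterprise question, three personal questions.
POLICY = QuizPolicy(
    questions=(
        Question("Employee ID number", 20, -30),
        Question("Office city", 10, -10),
        Question("Name of first pet", 30, -20),
        Question("Street you grew up on", 40, -30),
    ),
    confidence_threshold=60,
    lockout_threshold=-40,
)
TRUE_ANSWERS = ["E-10442", "Cambridge", "Biscuit", "Maple Avenue"]
ENROLLED = {q.prompt: enroll(a) for q, a in zip(POLICY.questions, TRUE_ANSWERS)}

if __name__ == "__main__":
    for answers in (TRUE_ANSWERS, ["0000", "Cambridge", "Rex", "Main Street"]):
        print(run_quiz(POLICY, ENROLLED, answers))
    print("fewest correct answers that can pass:", POLICY.min_correct_to_pass())
```

When tuning point values, `min_correct_to_pass()` is the number to watch: with this sample policy the two highest-value answers alone reach the threshold, so those questions should not be ones a colleague or a public profile could answer.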

Software Platform

At its core, Oracle ESSO+ is designed as an intermediary application that sits between the user, existing user directory services, and enterprise applications. As such, a boilerplate SIAM implementation of Oracle ESSO+ consists of two logical server configurations as highlighted in Figure 9. The first is a load-balanced set of web application servers, each running ESSO-Anywhere, ESSO-PR, ESSO-PG, and ESSO-LM Administration Console. The second is an independent reporting server for ESSO-Reporting.

Figure 9 - GLOCO ESSO Server Topology

The specific technical software requirements for each component of ESSO+ are listed in Appendix I. These system specifications are minimum system requirements for installing Oracle ESSO+ and should not be considered recommendations by SIAM for new hardware configurations. Specific implementation considerations concerning the architecture topology are discussed in the following section.

Technical Considerations

Although Oracle ESSO+ is advertised as a plug and play solution, SIAM has found that each unique enterprise environment introduces nuances and customizations that must be addressed. The GLOCO implementation will be no exception. Some of the issues that must be addressed are outlined below.

- A successful ESSO+ deployment involves changes that can affect GLOCO network domains.
  o A PMSERVICE account needs to be a member of the local administrators group on the IIS Server that houses the Oracle server-side components for ESSO-PG's server-side component to function properly.
  o Directory services distributed across multiple domains must be designated as trusted domains to enable open access and communication.
  Therefore, specialized policies, trust, inheritance issues, and intra- and inter-site replication dependencies particular to GLOCO's network must be carefully analyzed. SIAM will provide known standards and specific guidelines/best practices for software vendors for review with GLOCO. For example, Microsoft IIS and Oracle ESSO+ components should be installed on Domain member servers and not installed on Domain Controllers.

20 The ESSO+ suite is a 32-bit application requiring Microsoft IIS6 with Microsoft.Net Framework enabled. More recent versions of Microsoft IIS are viable so long as their backward compatibility IIS6 configurations are enabled. ESSO-PR rules, quiz questions, and corresponding answers are saved in a centralized GLOCO SQL Server or Oracle database or directory service repositories such as Active Directory or ADAM. The GLOCO implementation can also be customized to use GLOCO specific validators (written in.net 2.0) which can connect to additional GLOCO data sources such as a PeopleSoft to validate on social security number. SIAM has found it common to have several separate business units in large enterprises configured to run independent ESSO+ implementations. Conceptually this topology is similar to Figure 9 for each business unit. This opens up a myriad of synchronization and integration options such as: o Implementing independent ESSO reporting servers in each ESSO+ environment. These can either write to independent files that are imported into a central reporting database or to write to independent databases that are synchronized as part of nightly processing. o Depending on auditing requirements, user s access between the systems can be individually identified or granted access through a common business unit global user. The settings that define how ESSO-LM Agent behaves, including synchronization, are controlled by a combination of local and administrative settings. Local settings are controlled and managed by the desktop user. Administrative settings are defined by GLOCO administrators and downloaded from a central repository. They are encrypted in a local tamper-proof cache so they can t be changed by the local user. GLOCO policies must be carefully scrutinized because fewer administrative settings mean more efficient synchronization but a less restricted desktop. 
Deployment Model

ESSO+ Logon Manager Agent (ESSO-LM) and the corresponding Provisioning Gateway (ESSO-PG) plug-in are client components that users will download as an ESSO install package from the internal GLOCO intranet download site. This package will include all the pre-defined GLOCO connection settings and synchronization rules, making the end user installation a simple download and click. The remaining client component, ESSO+ Password Reset, as well as the core administrative component (ESSO-LM Admin Console) and admin plug-ins (ESSO-PG, Anywhere, and PR) will be installed to user desktops by ICT Desktop Support using their current standard BMC BladeLogic push install procedures.

Performance

As noted above, the main client program (ESSO-LM) will run on each user's desktop and synchronize the local encrypted credentials file with centralized GLOCO data stores based on administrator-defined rules. The encrypted file is extremely small and would not be noticeable to users in terms of latency or performance. Additionally, the use of locally stored credentials allows for faster access than server-based systems. Through the synchronization of encrypted credentials, GLOCO users can also perform their work from any computer in the domain. The only notable performance difference may be a small uptick in load on servers hosting directory services, because each initial application load will validate user authentication through directory services.

Scalability

The GLOCO Oracle ESSO+ Suite implementation can be increased in scope for subsequent phases with little to no effect on performance or reliability. The initial phase is a small sample of applications, but will be designed with enterprise considerations. This means the core topology, architecture, and configurations will be established in this initial deployment. The intent is that this will serve as a foundation for expansion to additional applications and user populations in later phases. Additionally, servers can be added to the existing clusters as needed to handle added load and performance issues.

Redundancy

Because Oracle ESSO+ functions as an intermediary application, there are only two points of failure from the end user perspective. The first is a local desktop application failure, which wouldn't result in a loss of application access or outages. It simply means the automated login is not available but manual sign-on will be. The second failure point would be an error in the synchronization of the local user credential file. In this case the user would still be able to access their applications using the local machine's (possibly out of date) copy of encrypted credentials. Other web application and database level redundancy concerns would fall under the typical GLOCO policies of load balanced configurations, standard backup practices, and enterprise disaster recovery plans.
Security

ESSO+ will enhance security at GLOCO by eliminating poor end user password management and by properly securing the system environment on the backend. An ESSO+ encrypted credentials file will be stored within the application data directory of the user profile. Credentials will be encrypted at all times with GLOCO compliant encryption (3DES, AES etc.); specific credentials are only decrypted on the fly. Soft token-based, two-factor authentication prevents unauthorized users from accessing enterprise applications.

Communication to the enterprise ESSO+ IIS servers from client and administrative interfaces will be configured to run over SSL using 128-bit encryption. The SIAM recommended SSL implementation uses an X.509 SSL certificate from Microsoft Certificate Services. By default, the ESSO-PG Web service uses 3DES encryption. To increase security, GLOCO may opt to change encryption to AES.

GLOCO's security will also increase through the ESSO+ option of managing application password changes via ESSO-LM. Target passwords will be changed based on GLOCO specific password requirements every 30 days for designated applications. This eliminates the risk of poor password selection as well as password management by users.

As an added layer of security, the centralized reporting and self-reset options of ESSO+ will prevent an attacker from locking the user out and/or going undetected for a prolonged period of time. The centralized reporting will provide monitoring around unusual account activity through alerts based on specific events. Finally, the self-reset capability allows the user to reset passwords to avoid account lockouts.

To address a common misconception, multiple passwords replaced by one Single Sign-On process will not reduce the security of the network or applications. An employee with 20 different passwords is more likely to select a single simple password that works for as many applications as possible and write down the remaining more complex passwords. In such a case, the easy to remember passwords will typically be vulnerable to rainbow tables or other brute force attacks, and written down passwords are insecure for reasons too numerous to mention. As a result, the user with a single extremely complex password is arguably much more secure. There may be one key to the kingdom, but the key is much more secure.

Integration

Oracle ESSO+'s client-side architecture will help eliminate or significantly reduce integration efforts with GLOCO applications.
SIAM reviewed GLOCO's target applications and identified:

- 85% as easily integrated using standard ESSO+ pre-configuration or wizard auto-identification
- 10% requiring low-moderate effort using ESSO+ utilities or custom coding and scripting
- 5% as difficult to integrate because they feature Rich Interface Applications like Flash, Silverlight, and AJAX or home-grown legacy applications with exceedingly disparate interfaces

Because easier to integrate applications offer a greater return on investment, the 15% outliers will be considered the lowest priority for integration.

In addition to these application integration needs, ESSO+ components will require special integration considerations for touch points with the existing GLOCO infrastructure. Again, the client-side architecture will minimize integration concerns, and the modularity of the ESSO+ Suite also provides GLOCO overall integration flexibility and scalability, but the following items must be addressed during implementation:

ESSO Integration Points (component columns: LM, PR, PG, Anywhere, Reporting)
Sync with central credential data source: X X X
Sync with ESSO specific data elements: X X X
Sync with other ESSO components: X X X X
Sync with external data sources: X X X
Administration rights to write files to local machine: X X X X
Network connections with web servers/services: X X X X X

Table 3 - ESSO+ components integration touch points with GLOCO infrastructure

- Synchronization with central credential data sources - connections to existing GLOCO Active Directory, ADAM, LDAP databases, file servers, and other directory services
- Synchronization with ESSO specific data elements - connections to data stores for application templates, rules, questions, and answers for reset quizzes, text for help desk e-mails for password reset exceptions
- Synchronization with other ESSO components - PG and LM
- Synchronization with external data sources - PG connecting to external sources (PeopleSoft)
- Administration rights to write files to local machines - download reports, write encrypted credential files, install LM, PG, and PR
- Network connections with web servers/services - all ESSO+ components linking with Reporting, linking to servers for alerts and exceptions

Application Integration Example: Use Cases 2 and 3

GLOCO's use cases #2 and #3 cover streamlined user password reset and enhanced auditing and reporting. In this example the GLOCO user clicks on the tab from the Windows logon screen to initiate ESSO-PR. From this point the local PR client will connect over a secure network link and via a secure PR user account to retrieve the user's specific security questions stored in the central repository (AD, LDAP, etc.). Once authenticated, the GLOCO user can select a new password and automatically synchronize the encrypted password file using LM and PG with the server once again. Meanwhile, all ESSO application level activity will be logged via ESSO+ Reporting web services into the ESSO+ reporting database.
ESSO+ Reporting services will also monitor incoming events and, if needed, initiate alerts and messages should any events meet GLOCO-determined rules. Events will also be made available from ESSO+ Reporting via a network connection directly to the ESSO+ Reporting web interface, or through reports automatically distributed via e-mail.

Solution Demonstration

The table below contains four scenarios that summarize GLOCO's primary use cases covered in the scope of GLOCO's ESSO Solution.

Scenario 1: Employee Sets User Credentials for Desktop Applications (pre-defined by System Administrator)
Use Case: Use Case 1: Consolidate Application Access
Description: GLOCO employees can use their Windows login username and password (already set up in the AD/LDAP/HR database) to log into an ESSO and password reset enabled desktop. Using the Oracle ESSO-LM primary Logon Setup wizard, the user can then select Windows Logon as his/her Primary Logon Method. ESSO-LM then stores the Windows logon credential in the AD directory. The user then sets up the credentials for all predefined desktop applications.
Screenshot: Refer to Appendix J for visual illustration of this scenario demonstration

Scenario 2: Employee Single Sign On into Desktop Applications
Use Case: Use Case 1: Consolidate Application Access
Description: Once a GLOCO employee logs into his/her Windows machine, whenever the user tries to access a password protected application that is part of the ESSO enabled desktop applications for the user, ESSO Logon Manager will identify the client (the application), fill in the user's credentials (specific username and password for that application) and execute the sign in process.
Screenshot: Refer to Appendix K for visual illustration of this scenario demonstration

Scenario 3: Self Service Password Reset Enrollment
Use Case: Use Case 2: Streamline Password Reset
Description: GLOCO employees can enroll for self-service password reset by accessing the Password Reset web service. The employee enters his e-mail address to start the enrollment process. Then the employee is asked to answer and complete a list of required security questions (set by admin) in order to enable Self Service Password reset.
Screenshot: Refer to Appendix L for visual illustration of this scenario demonstration

Scenario 4: GLOCO Employee resets Desktop Password through Self Service process
Use Case: Use Case 2: Streamline Password Reset
Description: GLOCO employees can click on the Oracle "Forgot your password" tab on the Windows logon prompt. This takes the user to the Oracle ESSO Password Reset Wizard, where the user will be asked to answer a set of predefined security questions (a "reset quiz"). The answers provided by the user will be verified against the user's original answers to the questions during the enrollment process. Once all the answers match, the user's password will be reset.

Table 4 - ESSO+ Software Prototype and Demos
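The alerting described for Use Cases 2 and 3 (ESSO+ Reporting raising alerts when logged events meet GLOCO-determined rules) can be illustrated with a small rule evaluator over password-reset events. This is an added example, not code from the proposal or from Oracle ESSO+; the record layout, event names and thresholds are assumptions, and the sample events are constructed.

```python
"""Added example: rule-based alerting over password-reset audit events.

The event layout, event names and thresholds are assumptions for
illustration; they are not the Oracle ESSO+ Reporting schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp,user,workstation,event
SAMPLE_EVENTS = """\
2011-04-04T08:01:10,jdoe,WS-014,RESET_QUIZ_PASSED
2011-04-04T08:01:40,jdoe,WS-014,PASSWORD_RESET
2011-04-04T09:15:02,asmith,WS-201,RESET_QUIZ_FAILED
2011-04-04T09:16:30,asmith,WS-201,RESET_QUIZ_FAILED
2011-04-04T09:18:05,asmith,WS-201,RESET_QUIZ_FAILED
2011-04-04T09:19:00,asmith,WS-201,RESET_QUIZ_PASSED
2011-04-04T09:19:20,asmith,WS-201,PASSWORD_RESET
2011-04-04T10:00:00,bwong,WS-330,RESET_QUIZ_FAILED
2011-04-04T10:01:00,cruiz,WS-330,RESET_QUIZ_FAILED
2011-04-04T10:02:00,dpatel,WS-330,RESET_QUIZ_FAILED
2011-04-04T10:30:00,bwong,WS-077,RESET_QUIZ_FAILED
"""

WINDOW = timedelta(minutes=10)   # sliding window for all rules (assumed value)
MAX_FAILS_PER_USER = 3           # failed quizzes for one account inside WINDOW
MAX_USERS_PER_HOST = 3           # distinct accounts failing from one workstation


def parse_events(text):
    """Parse the CSV-like lines into dicts, skipping malformed rows."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append({"ts": ts, "user": parts[1], "host": parts[2], "event": parts[3]})
    return sorted(events, key=lambda e: e["ts"])


def evaluate(events):
    """Return (rule, subject, timestamp) alerts; each subject is flagged once per batch."""
    alerts = []
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_host = defaultdict(deque)   # host -> (timestamp, user) of recent failures
    flagged_users, flagged_hosts = set(), set()

    for ev in events:
        ts, user, host = ev["ts"], ev["user"], ev["host"]
        if ev["event"] == "RESET_QUIZ_FAILED":
            uq = fails_by_user[user]
            uq.append(ts)
            while uq and ts - uq[0] > WINDOW:
                uq.popleft()
            # Rule 1: repeated quiz failures against a single account.
            if len(uq) >= MAX_FAILS_PER_USER and user not in flagged_users:
                flagged_users.add(user)
                alerts.append(("REPEATED_QUIZ_FAILURE", user, ts))

            hq = fails_by_host[host]
            hq.append((ts, user))
            while hq and ts - hq[0][0] > WINDOW:
                hq.popleft()
            # Rule 2: one workstation failing quizzes for many different accounts.
            distinct_users = {u for _, u in hq}
            if len(distinct_users) >= MAX_USERS_PER_HOST and host not in flagged_hosts:
                flagged_hosts.add(host)
                alerts.append(("MULTI_ACCOUNT_RESET_ATTEMPTS", host, ts))

        elif ev["event"] == "PASSWORD_RESET":
            # Rule 3: a reset completed shortly after the account was flagged by rule 1.
            uq = fails_by_user[user]
            if user in flagged_users and uq and ts - uq[-1] <= WINDOW:
                alerts.append(("RESET_AFTER_REPEATED_FAILURE", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()}  {rule:<30} {subject}")
```

The single failure for bwong from WS-077 at 10:30 raises nothing, because the earlier failure has aged out of the 10-minute window.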

Part 3: Implementation Plan

Road Map for ESSO Initiative

SIAM's ESSO solution will be implemented in a phased approach. Each phase will involve a milestone review as well as a project status review. During the reviews both GLOCO and SIAM must: 1) agree the previous deliverables have been achieved; 2) agree on the clear deliverables and timelines for the upcoming phase; 3) agree on the work schedule, distribution, and resource allocations for the upcoming schedule; 4) sign contracts obligating each party to complete their responsibilities. This review process allows issues identified in previous phases, such as those found with the pilot groups, to be corrected. It also provides GLOCO with a holistic view of the identity management strategy and illustrates how ESSO+ is simply a foundation on which the GLOCO identity management strategy will be built. The proposed phases are:

- Phase #1 - Initial pilot with intranet deployment of Logon Manager (LM) with Provisioning Gateway (PG) for a small group of local Windows users using ESSO-Anywhere. The pilot will also include deployment of the basic Reporting component, enabling additional logging and reporting for events, as well as deployment of the Password Reset component for the same group of users
- Phase #2 - Implement enhanced reporting capabilities and expand the number of users beyond the pilot group
- Phase #3 - Expand the number of applications beyond the pilot group
- Phase #4 - Roll out the application across the enterprise incrementally
- Add-on - Expand to implement Kiosk Manager and Authentication Manager for additional logon methods (smart cards and biometrics) for manufacturing departments and lab sites
- Add-on - Roll out other IAM solutions like Oracle Identity Management, Oracle Access Manager and Federated Sign On solutions

GLOCO and SIAM have agreed to proceed with Phase 1 as outlined above for this engagement.
Application Analysis and Prioritization for Phase 1

While Oracle ESSO+ is designed to be a plug and play solution, GLOCO's IT infrastructure will require significant configuration and customization. During the first phase of the solution, SIAM has facilitated the development of GLOCO's cohesive ESSO+ strategy and governing ESSO+ policies. To complete the analysis and planning phase, SIAM worked with GLOCO to complete a comprehensive evaluation of all of their business applications. [5] Among the applications reviewed were large mainframe-hosted applications, thick-client computational applications, and web-based applications. The applications covered business processes from Customer Relationship Management, Service Operation, Enterprise Resource Planning, Supply Chain Management, Business Intelligence, and Communication and Collaboration systems such as e-mail, calendaring, social software, and web conferencing. Due to GLOCO's recent mergers and acquisitions, many systems are used in varying regional offices with different hardware and software stacks to handle the same business processes.

[5] See Appendix Q for the application questionnaire used to review applications.

From this analysis all parties agreed that the opportunities to address the core business requirements of this initial ESSO+ phase (improving employee productivity by facilitating application access and password management; decreasing support costs by reducing password related help desk calls; and achieving compliance via improved auditing, reporting, and record keeping) were abundant. GLOCO and SIAM stakeholders also agreed that the key to success in this initial phase will be not over-reaching when selecting viable pilot applications.

To concentrate the scope of the initial project, SIAM focused on key criteria such as the number of corporate-wide application users, the geographic distribution of users, the volume of authentication help desk calls, the existing application access processes, the centrality and accessibility of the user authorization information, the maturity of the application and the supporting development team, the sophistication of the current business processes around user provisioning and maintenance, the network location, and the application platform. Based on SIAM's recommendation, GLOCO prioritized all the potential candidates and identified four applications for their initial pilot ESSO+ launch.
These four applications 1) are all physically located at corporate headquarters in Cambridge, MA; 2) are all centralized on one network location; 3) are all deemed business critical to the functionality of GLOCO's daily operation; 4) can all potentially be expanded/rolled out to other locations; and 5) all generate a significant volume of password/access related help desk tickets. The pilot applications will be:

1. Rumba - Back-end manufacturing inventory management
2. PeopleSoft - Human Resources
3. Outlook Web Access
4. Hyperion - Reporting

Project Management Methodology

A phased approach will be taken in implementing ESSO+. Because of the modular service oriented architectural style of ESSO+, the installation of each individual component follows a similar pattern. Each component will be rolled out and tested in turn, allowing lessons learned from each prior module


More information

Extranet Access Management Web Access Control for New Business Services

Extranet Access Management Web Access Control for New Business Services Extranet Access Management Web Access Control for New Business Services An Evidian White Paper Increase your revenue and the ROI for your Web portals Summary Increase Revenue Secure Web Access Control

More information

Fixes for CrossTec ResQDesk

Fixes for CrossTec ResQDesk Fixes for CrossTec ResQDesk Fixes in CrossTec ResQDesk 5.00.0006 December 2, 2014 Resolved issue where the list of Operators on Category was not saving correctly when adding multiple Operators. Fixed issue

More information

Business Value of Microsoft System Center 2012 Configuration Manager

Business Value of Microsoft System Center 2012 Configuration Manager Business Value of Microsoft System Center 2012 Configuration Manager Sponsored by: Microsoft Corporation Publish date: February 2013 Abstract: Microsoft System Center 2012 Configuration Manager ( Configuration

More information

Provide access control with innovative solutions from IBM.

Provide access control with innovative solutions from IBM. Security solutions To support your IT objectives Provide access control with innovative solutions from IBM. Highlights Help protect assets and information from unauthorized access and improve business

More information

Enterprise Single Sign-On City Hospital Cures Password Pain. Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata.

Enterprise Single Sign-On City Hospital Cures Password Pain. Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata. Enterprise Single Sign-On City Hospital Cures Password Pain Stephen Furstenau Operations and Support Director Imprivata, Inc. www.imprivata.com Application Security Most organizations could completely

More information

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust

More information

Managing and Maintaining Windows Server 2008 Servers

Managing and Maintaining Windows Server 2008 Servers Managing and Maintaining Windows Server 2008 Servers Course Number: 6430A Length: 5 Day(s) Certification Exam There are no exams associated with this course. Course Overview This five day instructor led

More information

Choosing an SSO Solution Ten Smart Questions

Choosing an SSO Solution Ten Smart Questions Choosing an SSO Solution Ten Smart Questions Looking for the best SSO solution? Asking these ten questions first can give your users the simple, secure access they need, save time and money, and improve

More information

How To Use Attix5 Pro For A Fraction Of The Cost Of A Backup

How To Use Attix5 Pro For A Fraction Of The Cost Of A Backup Service Overview Business Cloud Backup Techgate s Business Cloud Backup service is a secure, fully automated set and forget solution, powered by Attix5, and is ideal for organisations with limited in-house

More information

identity management in Linux and UNIX environments

identity management in Linux and UNIX environments Whitepaper identity management in Linux and UNIX environments EXECUTIVE SUMMARY In today s IT environments everything is growing, especially the number of users, systems, services, applications, and virtual

More information

An Oracle White Paper December 2010. Implementing Enterprise Single Sign-On in an Identity Management System

An Oracle White Paper December 2010. Implementing Enterprise Single Sign-On in an Identity Management System An Oracle White Paper December 2010 Implementing Enterprise Single Sign-On in an Identity Management System Introduction Most users need a unique password for every enterprise application, causing an exponential

More information

GRAVITYZONE HERE. Deployment Guide VLE Environment

GRAVITYZONE HERE. Deployment Guide VLE Environment GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including

More information

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10 Table Of Contents - - WINDOWS SERVER 2003 MAINTAINING AND MANAGING ENVIRONMENT...1 WINDOWS SERVER 2003 IMPLEMENTING, MANAGING & MAINTAINING...6 WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS

More information

Deployment of Cisco Extension Mobility in Enterprises White Paper

Deployment of Cisco Extension Mobility in Enterprises White Paper Deployment of Cisco Extension Mobility in Enterprises White Paper Z E R O T O U C H A U T O M A T E D P R O V I S I O N I N G Sync to Active Directory Automated System to sync Cisco Extension Mobility

More information

Security Architecture Whitepaper

Security Architecture Whitepaper Security Architecture Whitepaper 2015 by Network2Share Pty Ltd. All rights reserved. 1 Table of Contents CloudFileSync Security 1 Introduction 1 Data Security 2 Local Encryption - Data on the local computer

More information

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS WHITEPAPER SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS EXECUTIVE OVERVIEW 2-Factor as a Service (2FaaS) is a 100% cloud-hosted authentication solution that offers flexible security without compromising user

More information

Enterprise Single Sign-On SOS. The Critical Questions Every Company Needs to Ask

Enterprise Single Sign-On SOS. The Critical Questions Every Company Needs to Ask Enterprise Single Sign-On SOS The Critical Questions Every Company Needs to Ask Enterprise Single Sign-On: The Critical Questions Every Company Needs to Ask 1 Table of Contents Introduction 2 Application

More information

Administration Guide. SecureLogin 8.0. October, 2013

Administration Guide. SecureLogin 8.0. October, 2013 Administration Guide SecureLogin 8.0 October, 2013 Legal Notice NetIQ Product Name is protected by United States Patent No(s): nnnnnnnn, nnnnnnnn, nnnnnnnn. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN

More information

Implementing HIPAA Compliance with ScriptLogic

Implementing HIPAA Compliance with ScriptLogic Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE

More information

Active Directory and DirectControl

Active Directory and DirectControl WHITE PAPER CENTRIFY CORP. Active Directory and DirectControl APRIL 2005 The Right Choice for Enterprise Identity Management and Infrastructure Consolidation ABSTRACT Microsoft s Active Directory is now

More information

Office 365 Windows Intune Administration Guide

Office 365 Windows Intune Administration Guide Chapter 7 Office 365 Windows Intune Administration Guide Office 365 is a suite of technologies delivered as a Software as a Service (SaaS) offering. Office 365 reduces the IT costs for businesses of any

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

thoughtonomy Virtual Workforce for Service Automation

thoughtonomy Virtual Workforce for Service Automation thoughtonomy Virtual Workforce for Service Automation The Thoughtonomy Virtual Workforce uses software to replicate the interactions of people and technology to automate a wide range of operational and

More information

Citrix MetaFrame Password Manager 2.5

Citrix MetaFrame Password Manager 2.5 F E A T U R E S O V E R V I E W Citrix MetaFrame Password Manager 2.5 Citrix access infrastructure provides on-demand access to information, and Citrix MetaFrame Password Manager makes that information

More information

Citrix Password Manager 4.1

Citrix Password Manager 4.1 F E A T U R E S O V E R V I E W Password Manager 4.1 The access platform provides on-demand access to information, and Password Manager makes that information available with a single logon. Password Manager

More information

Mobile Device Management Version 8. Last updated: 17-10-14

Mobile Device Management Version 8. Last updated: 17-10-14 Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names

More information

For Managing Central Deployment, Policy Management, Hot Revocation, Audit Facilities, and Safe Central Recovery.

For Managing Central Deployment, Policy Management, Hot Revocation, Audit Facilities, and Safe Central Recovery. Investment and Governance Division 614.995.9928 tel Ted Strickland, Governor 30 East Broad Street, 39 th Floor 614.644.9152 fax R. Steve Edmonson, Director / State Chief Information Officer Columbus, Ohio

More information

NetWrix Logon Reporter V 2.0

NetWrix Logon Reporter V 2.0 NetWrix Logon Reporter V 2.0 Quick Start Guide Table of Contents 1. Introduction... 3 1.1. Product Features... 3 1.2. Licensing... 4 1.3. How It Works... 5 1.4. Report Types Available in the Advanced Mode...

More information

A Technical White Paper

A Technical White Paper A Technical White Paper An Introduction for Technical Audiences Abstract This white paper provides an overview of Microsoft System Center Mobile Device Manager 2008, an end-to-end solution for provisioning,

More information

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Version 7.0 SP1 Evaluation Guide September 2010 Version 2.4 Copyright 2010, Lumension, Inc. Table of Contents Lumension Endpoint

More information

White paper December 2008. Addressing single sign-on inside, outside, and between organizations

White paper December 2008. Addressing single sign-on inside, outside, and between organizations White paper December 2008 Addressing single sign-on inside, outside, and between organizations Page 2 Contents 2 Overview 4 IBM Tivoli Unified Single Sign-On: Comprehensively addressing SSO 5 IBM Tivoli

More information

Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police

Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police NASCIO 2005 Recognition Awards Enterprise Architecture Category Executive

More information

How To Use The Numara Track-It! Help Desk And Asset Management Solution

How To Use The Numara Track-It! Help Desk And Asset Management Solution Welcome to the Numara Track-It! Evaluation Guide Page 1 of 23 INTRODUCTION The purpose of this is to give you an overview of Numara Track-It! so you can get started using the solution right away. Keep

More information

Approaches to Enterprise Identity Management: Best of Breed vs. Suites

Approaches to Enterprise Identity Management: Best of Breed vs. Suites Approaches to Enterprise Identity Management: Best of Breed vs. Suites 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Executive Summary 1 3 Background 2 3.1 Enterprise Identity

More information

AD Self-Service Suite for Active Directory and ADAM

AD Self-Service Suite for Active Directory and ADAM The Dot Net Factory AD Self-Service Suite for Active Directory and ADAM Architecture Overview White Paper Version 3.5 TABLE OF CONTENTS INTRODUCTION... 3 BENEFITS OF DIRECTORY SELF-SERVICE AND DELEGATED

More information

The Challenge. The Solution. Achieve Greater Employee Productivity & Collaboration...while Protecting Critical Business Data

The Challenge. The Solution. Achieve Greater Employee Productivity & Collaboration...while Protecting Critical Business Data The Challenge The Solution Today's employees demand mobile access to office information in order to maximize their productivity and they expect that enterprise collaboration and communication tools should

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

User-Centric Client Management with System Center 2012 Configuration Manager in Microsoft IT

User-Centric Client Management with System Center 2012 Configuration Manager in Microsoft IT Situation Microsoft IT needed to evolve their Configuration Manager 2007-based environment that used homegrown application distribution services to meet the self-service needs of Microsoft personnel. Solution

More information

Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police

Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police NASCIO 2006 Recognition Awards Enterprise Architecture Category Executive

More information

McAfee Endpoint Encryption (SafeBoot) User Documentation

McAfee Endpoint Encryption (SafeBoot) User Documentation TABLE OF CONTENTS Press the CTRL key while clicking on topic to go straight to the topic in this document. I. Introduction... 1 II. Installation Process Overview... 1 III. Checking for a Valid Current

More information

CMB-207-1I Citrix Desktop Virtualization Fast Track

CMB-207-1I Citrix Desktop Virtualization Fast Track CMB-207-1I Citrix Desktop Virtualization Fast Track Description This fast-paced course provides the foundation necessary for students to effectively centralize and manage desktops and applications in the

More information

Omniquad Exchange Archiving

Omniquad Exchange Archiving Omniquad Exchange Archiving Deployment and Administrator Guide Manual version 3.1.2 Revision Date: 20 May 2013 Copyright 2012 Omniquad Ltd. All rights reserved. Omniquad Ltd Crown House 72 Hammersmith

More information

EnterpriseLink Benefits

EnterpriseLink Benefits EnterpriseLink Benefits GGY AXIS 5001 Yonge Street Suite 1300 Toronto, ON M2N 6P6 Phone: 416-250-6777 Toll free: 1-877-GGY-AXIS Fax: 416-250-6776 Email: axis@ggy.com Web: www.ggy.com Table of Contents

More information

White paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview

White paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview White paper December 2008 IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview Page 2 Contents 2 Executive summary 2 The enterprise access challenge 3 Seamless access to applications 4

More information

Service Overview CloudCare Online Backup

Service Overview CloudCare Online Backup Service Overview CloudCare Online Backup CloudCare s Online Backup service is a secure, fully automated set and forget solution, powered by Attix5, and is ideal for organisations with limited in-house

More information

THE THEME AREA. This situation entails:

THE THEME AREA. This situation entails: IDENTITY AND ACCESS MANAGEMENT: DEFINING A PROCEDURE AND ORGANIZATION MODEL WHICH, SUPPORTED BY THE INFRASTRUCTURE, IS ABLE TO CREATE, MANAGE AND USE DIGITAL IDENTITIES ACCORDING TO BUSINESS POLICIES AND

More information

Integrating Hitachi ID Suite with WebSSO Systems

Integrating Hitachi ID Suite with WebSSO Systems Integrating Hitachi ID Suite with WebSSO Systems 2015 Hitachi ID Systems, Inc. All rights reserved. Web single sign-on (WebSSO) systems are a widely deployed technology for managing user authentication

More information

The 10 step communication plan

The 10 step communication plan The 10 step communication plan Follow these 10 suggested steps and you will be successful at launching the Specops password reset service. Step 1 Activity: Intranet texts explaining the service Suggested

More information

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta.

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta. Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Contents 1 User Directories and the Cloud: An Overview 3 Okta

More information

Copyright http://support.oracle.com/

Copyright http://support.oracle.com/ Primavera Portfolio Management 9.0 Security Guide July 2012 Copyright Oracle Primavera Primavera Portfolio Management 9.0 Security Guide Copyright 1997, 2012, Oracle and/or its affiliates. All rights reserved.

More information

Microsoft Enterprise Project Management (EPM) Solution

Microsoft Enterprise Project Management (EPM) Solution Microsoft Enterprise Project Management (EPM) Solution Enterprise Project Management (EPM) Solution Version Comparison The Microsoft Enterprise Project Management (EPM) Solution ensures organizations select

More information