GLOCO. Enterprise Single Sign-On Plus Solution


GLOCO Enterprise Single Sign-On Plus Solution
ALM Capstone Project, Spring 2011
Submitted by: Matthew Boudreau, Ryan Field, John Fitch, Michael Kwapniewski, Ikramul Wadud

Table of Contents

Executive Summary
  Client
  Vendor
  Business Problem
  Proposed Solution
  Business Benefits
Part 1: Business Requirements
  Business Problem
  Business Objectives and Functional Requirements
  Proposed Solution
  Stakeholders
  Scope
  Use Cases
    Use Case 1: Consolidate Application Access
    Use Case 2: Streamline Password Reset
    Use Case 3: Enhance Auditing, Reporting and Record Keeping
  Business Benefits and Success Measures
    Overall Business Impact
    Business Value Metrics
    Business Driver I: Increased user productivity
    Business Driver II: Reduced help desk costs
    Business Driver III: Reduced development time and costs
    Business Driver IV: Security policies compliance and auditing
Part 2: Technical Specifications
  Architectural Overview
  Software Overview
    ESSO Vendor Selection
    Oracle ESSO+ and GLOCO Business Requirements
  Software Components
  Software Platform
  Technical Considerations
    Deployment Model
    Performance
    Scalability
    Redundancy
    Security
  Integration
    Application Integration Example: Use Cases 2 and
  Solution Demonstration
Part 3: Implementation Plan
  Road Map for ESSO Initiative
    Application Analysis and Prioritization for Phase
  Project Management Methodology
    Stakeholder Responsibilities
    Deployment
    Roll Back
  Project Timeline / High Level WBS
    Project Plan & Milestones
    Incident, Change & Release Management
  Risks & Mitigation
  Testing
  Training
  Success Criteria
References
Appendices
  Appendix A: Proposal Research
  Appendix B: Success Metric Calculation Assumptions
  Appendix C: ISO Abstract
  Appendix D: Gartner Magic Quadrant for Enterprise Single Sign On
  Appendix E: Gartner Market Scope Rating Framework
  Appendix F: Oracle ESSO Suite Supported Software List
  Appendix G: Gartner Magic Quadrant for Identity Management System Vendors
  Appendix H: Complete Listing of Standard Reports
  Appendix I: ESSO Integration Matrix Summary
  Appendix J: Software Demonstration for Scenario
  Appendix K: Software Demonstration for Scenario
  Appendix L: Software Demonstration for Scenario
  Appendix M: Software Demonstration for Scenario
  Appendix N: Complete Oracle Identity Management Solution
  Appendix O: Testing Criteria
  Appendix P: Work Breakdown Structure
  Appendix Q: Evaluation Questionnaire
  Appendix R: ESSO+ Timeline
End Notes

Executive Summary

Client

GLOCO is a privately held multi-national medical equipment manufacturing company based in Cambridge, Massachusetts. It has manufacturing plants, distribution facilities, and a network of sales and service centers across North and South America, the Asia-Pacific region, and Europe. GLOCO's strategy of fueling growth by investing internally while expanding via acquisition of competitors has positioned the company as an industry leader. Since its founding in 1988, GLOCO has grown steadily and currently has 29,000 employees at 110 global sites, with FY2010 worldwide revenue totaling $7B USD.

Vendor

Strategic Information Access Management Consulting (SIAM) is an Information Technology consulting firm based in Cambridge, Massachusetts. Founded by Harvard University Extension School alumni, SIAM specializes in enterprise identity management solutions. SIAM helps clients plan, design, and implement new identity-based infrastructures as well as extend existing identity management systems in order to maximize clients' IT investment.

Business Problem

As a result of GLOCO's rapid growth and expansion around the world, systems and processes have become decentralized and increasingly costly to maintain and secure. To protect its assets, streamline processes, and contain the security risks associated with aggressive global expansion, GLOCO has identified the need to integrate the application access management processes across all its global sites.

SIAM identified these actionable business goals with GLOCO through preliminary management meetings and company research:

- Empower end users to manage their own credentials to reduce help desk costs and keep users productive
- Reduce the operational and support costs of system access security
- Reduce software development costs and implementation times of application access modules
- Streamline compliance through improved auditing, reporting, and record keeping

Proposed Solution

To address the above-mentioned business goals, SIAM Consulting and GLOCO's Information Technology and Communications (ICT) group have agreed on a partnership to implement an Enterprise Single Sign-On (ESSO) solution. This solution offers high return on investment by offering non-intrusive and comparatively inexpensive integration with GLOCO's legacy and future enterprise applications.

Business Benefits

SIAM's ESSO solution will have a direct impact on GLOCO's employee productivity and effectiveness, as well as the company's financial costs. The implementation will decrease the number of password reset and access related issues, thereby resulting in cost savings with regard to help desk and IT support services. GLOCO's password reset requests make up approximately 47% of service desk calls. The reduction in time spent resolving access related issues will help increase employee productivity; productivity losses have been estimated by GLOCO to be approximately 70,000 hours. SIAM's ESSO solution will also help GLOCO achieve regulatory compliance by centralizing application access logs for improved auditing and record keeping.

Part 1: Business Requirements

Business Problem

Systems and processes have become decentralized and increasingly costly to maintain and secure due to GLOCO's rapid growth and expansion around the world. To protect its increasing assets, streamline processes, and contain the security risks associated with aggressive global expansion, GLOCO has identified the need to consolidate and streamline the application access management processes for its 29,000 employees at 110 global sites.

Business Objectives and Functional Requirements

GLOCO desires an enterprise-level system access solution that will allow customers and employees quick and easy access to new and legacy business applications via a simple user authentication and authorization process. The SIAM team has developed business requirements with GLOCO's management team and grouped them into four primary Business Driver categories. From each of these business drivers the following individual functional requirements were derived.

Figure 1 - Business Driver and Functional Requirements Mapping

Proposed Solution

To address the above-mentioned business goals, SIAM will work with GLOCO's ICT group to implement an Enterprise Single Sign-On (ESSO) solution. ESSO applications enable users to be authenticated via their credentials once, and then subsequently log in automatically, without re-supplying credentials, to the other target systems that user accesses. The tools manage the authentication interactions with the target systems (including password change requests and some post sign-on automation tasks) seamlessly, without modifying the target systems. (Kreizman)

Stakeholders

SIAM and GLOCO agree that the ESSO initiative is a joint partnership. In order to make the partnership successful, specific success deliverables, objectives, indicators and metrics must be agreed upon by all project stakeholders. This includes representatives from both GLOCO and SIAM.

Table 1: Project Stakeholders

GLOCO                       SIAM
GLOCO Project Sponsor       SIAM Management
GLOCO Management            SIAM Project Management
GLOCO Project Management    SIAM Implementation Team
GLOCO ICT
GLOCO System Users

Scope

The proposed ESSO solution will be implemented in a phased approach to ensure seamless integration. This approach allows issues identified in earlier phases to be corrected during subsequent implementations. Each phase will end with a milestone review in which both GLOCO and SIAM evaluate the previous phase's success indicators and then mutually identify and agree to the next phase's scope, timeframe, and deliverables. The number of end users, volume of authentication help desk calls, and relative significance of each system will be used to prioritize the scope and sequencing of each phase. This process is described in more detail in Part 3: The Implementation Plan.

Use Cases

Use Case 1: Consolidate Application Access

As-Is Process: GLOCO employees log into their Windows desktop with username and password credentials. On average, once logged in they require eight additional sets of unique credentials to access additional business applications. These applications vary and include clients, Java applications, host and mainframe applications, custom business applications, and enterprise applications.

Figure 2 - As-Is Application Login Process

Problem: Employees find maintaining eight sets of unique user names and passwords, each with different strength and lifespan requirements, frustrating. Employees feel productivity is negatively impacted by the time lost logging in to each additional application. This issue is compounded as new applications are deployed, each introducing new credential requirements.

To-Be Process: GLOCO employees will maintain only one set of login credentials. They will sign on to their desktop with these credentials and be able to access the various business critical applications without re-authenticating. The ESSO solution will automatically handle authentication and authorization to the additional business applications.

Figure 3 - To-Be Application Login Process

Functional Requirements Met: FR.1, FR.2, FR.4 and FR.5. Additionally, Use Case 1 satisfies Business Driver I and Business Driver III.

Use Case 2: Streamline Password Reset

As-Is Process: GLOCO employees with authentication issues open a help desk ticket to reset their Windows or application password. Help Desk personnel then file an Inter Departmental Request (IDR) with the ICT or business application support team for user verification. Once the support team validates the user's credentials, the Help Desk personnel create a Password Reset Request (PRR) ticket with the account administration group to reset the user's password or unlock the user's account. Once the account administrator resets the password or account, the initial help desk ticket is finally set to resolved.

Figure 4 - As-Is Password Reset Process

Problem: Resetting passwords for desktops and business applications is a multi-step, cumbersome process. Lack of efficiency and backlogs often make the reset process longer than expected, keeping employees from accessing business critical applications and directly impacting productivity.

To-Be Process: GLOCO employees will have the option to reset their passwords directly from the Windows logon prompt on their locked-out workstations.

Figure 5 - To-Be Password Reset Process

Functional Requirements Met: FR.3; Use Case 2 also satisfies Business Driver II and Business Driver III.

Use Case 3: Enhance Auditing, Reporting and Record Keeping

As-Is Process: The ICT audit group contacts different individuals from siloed application support teams for information such as access logs and account maintenance activity for auditing and compliance. No mechanisms exist that allow the ICT audit group to independently access this application information. Additionally, the information requested from each support team is not standardized.

Problem: The ICT audit group is responsible for ensuring that corporate information security policies are being enforced. Reaching out to individual application support teams for audit requests often causes significant delays, resulting in security and compliance risks. Reporting and analysis of the information gathered is a labor intensive process because of the various formats and types of information provided. Lack of standardization prevents timely analysis, identification, and response to audit issues.

To-Be Process: ICT will be able to centrally record detailed enterprise-wide user account and application access information, resulting in better auditing and compliance capabilities. Additionally, standardized data formats will give ICT the flexibility to rapidly generate customized reports and analysis.

Functional Requirements Met: FR.6 and FR.7; Use Case 3 also satisfies Business Driver IV.

Business Benefits and Success Measures

Overall Business Impact

SIAM ESSO implementations typically fall into line with industry standards provided by Gartner. On average, implementations run for 3 to 6 months with a scope of 10 to 20 applications and approximately 2000 users. The average cost of such an implementation is $300,000 with $50,000 per year in service fees. With this level of engagement, companies usually recoup their costs in 2 years. Because GLOCO currently does not have an enterprise-wide identity management system, the business benefits will likely exceed this standard rate of return on investment.

Business Value Metrics

At the outset of the ESSO project, SIAM will work directly with GLOCO business managers to develop a business value scorecard. This scorecard will capture key pre-ESSO business metrics that will then be compared to their corresponding values captured post-ESSO implementation. The resulting scorecard will represent a hard measure for calculating the ESSO product's actual business value, providing a tangible reflection of the success of the project. A sample GLOCO ESSO value scorecard is represented below. [1]

[1] See Appendix B for supporting calculations.

Figure 6 - GLOCO ESSO Business Value Scorecard

Business Driver I: Increased user productivity

Maintaining multiple login credentials contributes to employee productivity losses over the course of a year. Currently, GLOCO employees collectively spend 29,000 work hours per year on password management to comply with a mandatory 60 day password reset policy. Moreover, GLOCO employees also spend a combined 48,000 working hours per year on forgotten password and account lockout related issues. GLOCO can achieve user productivity gains with the implementation of ESSO by effectively eliminating over 70,000 hours per year in user productivity losses. The expected success measure after implementation of ESSO will be an 85% reduction in wasted productivity hours related to login issues.

Business Driver II: Reduced help desk costs

An ESSO solution will reduce the management of multiple passwords and allow the delegation of administration functions to the user and user group level. This will drastically reduce the number of password related help desk calls, directly reducing the subsequent costs for supporting these calls. Analysis has shown that GLOCO's portion of password related calls is 47%, well above the industry standard percentage of 40% (Gartner). On average, GLOCO's cost for handling these calls is $30 per call. With a typical ESSO installation, help desk costs are reduced by 35-45%. At GLOCO, the expected success measure post ESSO implementation will be a 40% reduction in call volume, which would result in approximately $870,000 USD in savings per year.

Business Driver III: Reduced development time and costs

ESSO is a non-intrusive and comparatively inexpensive solution to deploy, which enables rapid application development. GLOCO application development teams spend on average 1,440 development hours per 12 week software development project. Among these development hours, approximately 250 hours are spent on designing, developing, and testing user account and login related functionality. With a successful ESSO installation, developers will be able to leverage the standardized account access process, potentially reducing average development time by 18%. A standardized account process does not currently exist because a software solution is required to integrate the login functionality across applications. This expected success measure will account for approximately $10,000 in cost savings per 12 week development project.

Business Driver IV: Security policies compliance and auditing

To comply with ISO [2] and other standard industry security policies, GLOCO must clearly define, implement, and audit all application access procedures, including access logs and account maintenance activity. This represents substantial investment and additional administration costs for GLOCO. GLOCO's current manual audit process consists of two components: time spent gathering data and time spent analyzing data. Typically at GLOCO the average time allocated to both components is 40 hours. The introduction of near real time auditing with an ESSO implementation is expected to reduce the gathering time per audit by 90%. Additionally, with standardized data and pre-defined reports, the analysis time will be reduced by 60%. As a result, the expected success measure the company will experience is at least a 75% reduction in audit costs.

[2] See Appendix C for abstract.

Part 2: Technical Specifications

Architectural Overview

GLOCO's ESSO implementation will be the key first step towards a complete and integrated enterprise identity management solution. The ESSO solution will address the functional requirements described above in Part 1 while specifically focusing on streamlined application authentication, password reset functionality, and audit reporting.

Software Overview

Figure 7 - ESSO Architecture Overview

ESSO Vendor Selection

Based on our comprehensive research and analysis, SIAM Consulting recommends the Oracle Enterprise Single Sign-On Plus (Oracle ESSO+) Suite for GLOCO's ESSO solution. Gartner has identified Oracle ESSO+ as a leader in the ESSO market and in standardizing application access, authentication, and password management processes (Gartner 2008). [3] SIAM's ESSO vendor comparison grid below (see Table 2) illustrates the primary criteria considered when evaluating vendor offerings, confirming Gartner's conclusions about Oracle ESSO+.

Table 2 - SIAM ESSO Vendor Analysis

[3] See Appendix D: Gartner Magic Quadrant for ESSO and Appendix E: Gartner Market Scope Rating Framework.

SIAM recommends Oracle ESSO+ for several reasons specific to GLOCO's environment.

- Oracle ESSO+ is fundamentally based on a client-side architecture. Because the utility resides on the client rather than the target application, the ESSO+ footprint at GLOCO will be minimal and isolated, reducing integration issues and modification to existing applications.
- Oracle ESSO+ components can be implemented either as stand-alone applications or as integrated components of the Oracle Identity Management application stack. This allows functionality to be incorporated on GLOCO's timetable and facilitates a phased approach based on GLOCO's comfort level and priorities.
- Oracle ESSO+ also uses the first password to log on to the network and other applications for authentication purposes, which fits with GLOCO's current login practices.
- Oracle ESSO+ allows GLOCO system administrators to extend their current reporting and auditing capabilities at both the application and user levels.
- Fundamentally, Oracle ESSO+ is a user enablement focused solution that will create a standardized user experience across GLOCO from both the password management and the system administration perspective.
- Oracle ESSO+ supports multiple directories, databases, leading portals, application servers, enterprise applications [4] and operating systems, complementing GLOCO's heterogeneous IT environment.
- The Oracle ESSO+ Anywhere installation strategy, discussed in detail later in this document, will facilitate GLOCO's deployment process while allowing centralized software updates and rollback functionality. This will achieve the overall business objective of improving the GLOCO ICT System Administrator team's performance and efficiency on various configuration and administrative tasks.

Oracle ESSO+ and GLOCO Business Requirements

The core functionalities of the ESSO+ solution will address GLOCO's business drivers outlined in Part 1 of this document as follows.

User Authentication and Administration: Once a user logs into their desktop via their primary logon/authentication method (Windows username/password), the ESSO+ Logon Manager components (Admin Console, Agent) will complete access requests to participating password protected GLOCO applications. This will eliminate the need to manually re-enter credentials for each application. GLOCO staff can also use ESSO+ Logon Manager with additional personal accounts for non-participating applications and web sites. Additionally, ESSO+ Logon Manager centralizes administration by allowing GLOCO administrators to create and manage both user accounts and logon credentials concurrently through a single console.

[4] See Appendix F for the Oracle ESSO supported software list.

Password Reset Management: The ESSO+ Password Reset component provides GLOCO users with self-service password reset abilities. This enables users to reset their GLOCO Windows domain passwords without the involvement of help desk personnel and/or system administrators, resulting in significant administrative time and cost reductions. Users will initially answer required and optional security questions in the form of an enrollment interview. The answers to this enrollment interview (referred to as a "reset quiz") are then used to identify the user when resetting a lost or forgotten password. ICT administrators will have the ability to set the number of questions for a reset quiz. The GLOCO administrator will also configure the password reset process to first provide the user with a temporary password that the end user can use to log in to his/her Windows workstation in order to create a new permanent password.

Reporting and Compliance: The ESSO+ Reporting component will help GLOCO meet compliance requirements by extending audit and reporting capabilities to include user sign-on information. GLOCO ICT administrators will use the component to create, configure, run, edit, save, schedule, and preview custom reports generated from ESSO+ event records logged in GLOCO's reporting databases. Administrators can customize different report outputs (tables, graphs, and charts) with various configuration parameters (e.g. User ID, time interval, date range, application template names, etc.).

Reduced Development Time and Costs: Oracle ESSO+ will not address GLOCO's goal of reducing development time and costs. After reviewing the scope of the project, the phased implementation of GLOCO's overall Identity Management strategy, and the gains to be realized by ESSO+, GLOCO and SIAM agreed to address this business goal in a later phase of the overall Identity Management project.
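The enrollment interview and scored reset quiz described here (the ESSO-PR component description later in this document adds the per-answer point values, the confidence threshold that permits the reset, and the negative threshold that locks the user out and raises alerts and help desk tickets) can be modelled as follows. This is an added illustrative example in Python, not Oracle ESSO-PR code and not part of the SIAM proposal; the questions, point values, thresholds, and the salted-hash storage of enrollment answers are constructed assumptions.

```python
# Model of a scored self-service reset quiz of the kind ESSO-PR is described as using.
# Added example: not Oracle ESSO-PR code and not part of the SIAM proposal. Questions,
# point values, thresholds and salted-hash storage of enrollment answers are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Question:
    text: str
    required: bool         # required questions must be answered at enrollment
    correct_points: int    # added to the score for a correct answer
    incorrect_points: int  # subtracted from the score for an incorrect answer


@dataclass
class Enrollment:
    """Outcome of the enrollment interview: a salted SHA-256 hash per answered question."""
    salt: bytes
    answer_hashes: dict


@dataclass
class QuizOutcome:
    score: int
    decision: str                               # "reset", "locked_out" or "inconclusive"
    alerts: list = field(default_factory=list)  # alerts / help desk tickets raised


def normalize(answer: str) -> str:
    """Tolerate case and whitespace differences between enrollment and quiz answers."""
    return " ".join(answer.strip().lower().split())


def hash_answer(salt: bytes, answer: str) -> str:
    return hashlib.sha256(salt + normalize(answer).encode("utf-8")).hexdigest()


def check_quiz_config(questions, confidence_threshold: int) -> int:
    """Administrator sanity check: the threshold must be reachable with every answer correct."""
    max_score = sum(q.correct_points for q in questions)
    if max_score < confidence_threshold:
        raise ValueError(f"threshold {confidence_threshold} exceeds maximum score {max_score}")
    return max_score


def enroll(questions, answers: dict) -> Enrollment:
    """Enrollment interview: required questions must be answered, optional ones may be skipped."""
    missing = [q.text for q in questions if q.required and q.text not in answers]
    if missing:
        raise ValueError(f"required questions unanswered: {missing}")
    salt = os.urandom(16)
    return Enrollment(salt, {text: hash_answer(salt, ans) for text, ans in answers.items()})


def run_reset_quiz(questions, enrollment: Enrollment, given: dict,
                   confidence_threshold: int, lockout_threshold: int) -> QuizOutcome:
    """Score answer by answer and stop as soon as either threshold is crossed: reaching
    confidence_threshold permits the reset; falling to -lockout_threshold locks out and alerts."""
    score = 0
    for q in questions:
        stored = enrollment.answer_hashes.get(q.text)
        if stored is None:
            continue  # optional question never enrolled: neither credit nor penalty
        if hmac.compare_digest(stored, hash_answer(enrollment.salt, given.get(q.text, ""))):
            score += q.correct_points
        else:
            score -= q.incorrect_points
        if score >= confidence_threshold:
            return QuizOutcome(score, "reset")
        if score <= -lockout_threshold:
            return QuizOutcome(score, "locked_out",
                               ["alert: reset quiz lockout", "help desk ticket: reset quiz lockout"])
    return QuizOutcome(score, "inconclusive")


# Constructed sample configuration (neither GLOCO's nor Oracle's).
Q_ID, Q_MGR, Q_CITY = "Employee ID", "Surname of first GLOCO manager", "City of first GLOCO site"
QUESTIONS = [Question(Q_ID, True, 3, 3), Question(Q_MGR, True, 2, 2), Question(Q_CITY, False, 1, 1)]
CONFIDENCE_THRESHOLD, LOCKOUT_THRESHOLD = 5, 4


def demo() -> dict:
    """Enroll one constructed user and run the three possible quiz outcomes."""
    check_quiz_config(QUESTIONS, CONFIDENCE_THRESHOLD)
    enrolled = enroll(QUESTIONS, {Q_ID: "E-10442", Q_MGR: "Okafor", Q_CITY: "Cambridge"})
    cases = {
        "all_correct": {Q_ID: "e-10442", Q_MGR: " OKAFOR "},          # 3 + 2 = 5 -> reset
        "all_wrong": {Q_ID: "E-99999", Q_MGR: "Smith"},                # -3 - 2 = -5 -> locked out
        "mixed": {Q_ID: "E-10442", Q_MGR: "Smith", Q_CITY: "Boston"},  # 3 - 2 - 1 = 0 -> inconclusive
    }
    return {name: run_reset_quiz(QUESTIONS, enrolled, answers, CONFIDENCE_THRESHOLD, LOCKOUT_THRESHOLD)
            for name, answers in cases.items()}
```

An inconclusive outcome falls back to the existing help desk path; only the lockout outcome generates the automatic alert and ticket the ESSO-PR description mentions.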
Software Components

As discussed previously, one of the benefits of Oracle's ESSO+ Suite is the number of integrated components that can be implemented to customize a specific solution to meet GLOCO's needs. For phase one, SIAM recommends the following components (in yellow) of the Oracle ESSO+ Suite (see Figure 8).

Figure 8 - GLOCO ORACLE ESSO+ Architecture

Oracle Enterprise Single Sign-On Logon Manager Agent (ESSO-LM Agent)

This is the base client component that will be installed on each GLOCO user's desktop. It will run as a background application on the user's system (accessible from the system tray) and is capable of performing varying levels of interaction with application sign-on authentication. ESSO-LM Agent will populate the appropriate forms and fields in Windows, web, Java, and mainframe GLOCO applications based on centrally stored templates, auto-detected sign-on prompts, and locally stored authentication information. Field information such as username and password will either be filled in manually by end users during first time use or by GLOCO ICT administrators via the ESSO+ provisioning server for the user's account information. Subsequent logons to those applications are then automatically handled by ESSO-LM Agent.

Oracle Enterprise Single Sign-On Administration Console (ESSO-LM Admin)

This component will enable GLOCO administration of the ESSO+ environment and creation of application templates. An application template is a set of configuration options specified by GLOCO administrators that instruct the ESSO-LM Agent on each user's desktop how to interact with application windows and the forms they contain. Templates are created and posted to GLOCO's existing Active Directory (AD), SQL database, or TDS central repository. The settings for how frequently ESSO-LM Agents synchronize with the repository will also be defined here as part of its configuration according to GLOCO's needs. ESSO-LM Admin is considered the core administrator tool for ESSO+, and any additional components GLOCO chooses to implement function as plug-ins for the ESSO-LM Admin component.

Oracle Enterprise Single Sign-On Provisioning Gateway (ESSO-PG)

The ESSO-PG Admin Console component is a plug-in for the ESSO-LM Administrative Console that provides GLOCO administrators the capability to manage provisioning rights for specific applications and users. The ESSO-PG client is a plug-in configuration for ESSO-LM Agent. Both the Admin Console and the client connect with the ESSO-PG server to synchronize the user's ESSO-LM rights and permissions. This means GLOCO administrators will add, modify, and delete IDs and passwords for particular applications within the provisioning system and have those changes reflected in the user's ESSO-LM. GLOCO administrators can use this component for employee terminations to delete a user's credentials in ESSO-LM Agent, eliminating that user's access to any or all protected GLOCO applications.

Oracle Enterprise Single Sign-On Anywhere (ESSO Anywhere)

This plug-in component for the ESSO-LM Admin Console will simplify GLOCO's deployment of Oracle ESSO-LM Agent to client desktops. It will allow GLOCO administrators to build deployment packages that can be posted to the central GLOCO intranet portal. From there users will download and install the ESSO-LM Agent application themselves. This simple and efficient deployment method will be used for all ESSO-LM maintenance, including updates, rollbacks, and version control. For the GLOCO implementation, Logon Manager Agent (ESSO-LM Agent) and Provisioning Gateway (ESSO-PG) will be deployed to users via ESSO Anywhere.

Oracle Enterprise Single Sign-On Password Reset (ESSO-PR)

This component will reduce GLOCO's help desk costs and improve user experience by enabling self-service of users' Windows accounts. ESSO-PR provides users a desktop interface to reset Windows passwords and unlock Windows accounts in their current or any other trusted network domain. Once ESSO-PR is deployed on the user desktop, the ESSO-PR client connects to a secure web server to build a customized personal reset quiz. The user will answer standard enterprise and personal questions, each of which is assigned positive and negative values for correct or incorrect answers. If the user reaches an administrator defined confidence threshold score, they are allowed to reset their Windows password. If the user hits a negative threshold score, they are locked out and alerts and help desk tickets are automatically generated. In addition to the ESSO-PR user client, there is an ESSO-PR Administration component which connects to .NET web services running on the ESSO application server. GLOCO administrators will use this to configure quiz questions, point values, and threshold scores. The rules and questions are written in plain spoken language, and up to 12 different languages are available, making international distribution across the GLOCO enterprise customizable by region.

Oracle Enterprise Single Sign-On Reporting (ESSO-Reporting)

This ESSO+ component will consist of two main elements when deployed at GLOCO. The first element will be a centralized reporting database that stores logs of all GLOCO specified event information from all other deployed ESSO+ components. The second element will be a web-based Reporting Administrative Console for the creation, schedule management, and viewing of GLOCO usage, security, and audit reports derived from the logs. Additionally, the Admin Console will allow GLOCO administrators to enable/disable reporting and configure GLOCO specific database options for performance tuning such as cache limits and batch sizes. Appendix H details the full list of standard reports and logged events.

Among the standard reports available to GLOCO out of the box are: Account Reconciliation; Application Credentials Added; Application Usage by User; Failed Authentication Events; First Time Use; Password Change; Pause & Shutdown; Shared Application User IDs; User Activity; and User Credentials Provisioned.

The types of events available for GLOCO to log include:

- Credential Use Events: logons, manual password changes and automatic password changes
- Credential Change Events: add credentials, delete credentials, change credentials, copy credentials, etc.
- Global Credential Events: backup, restore, synchronize, etc.
- Platform Events: startup, shutdown, etc.
- System Events: Logon Manager, Settings, Help, About, etc.

Logged fields include application name, application username, application third field, date, time, etc.
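Two of the standard reports named above, Failed Authentication Events and Shared Application User IDs, rebuilt over constructed ESSO-Reporting event records. This is an added Python example, not Oracle code and not part of the SIAM proposal; the record layout (ESSO user, event category, event, application name, application username, timestamp), the event names and the sample rows are constructed to mirror the logged fields the document lists.

```python
# Two of the standard ESSO-Reporting reports, rebuilt over constructed event records.
# Added example: not Oracle code and not part of the SIAM proposal. The record layout
# and sample rows are constructed to mirror the logged fields the document names
# (event category, event, application name, application username, date/time) plus the ESSO user.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (ESSO user, event category, event, application, application username, timestamp)
SAMPLE_EVENTS = [
    ("jdoe", "Credential Use", "Logon", "SAP", "jdoe_sap", "2011-03-01 08:02:11"),
    ("jdoe", "Credential Use", "Logon", "Mainframe", "JDOE01", "2011-03-01 08:03:40"),
    ("asmith", "Credential Use", "Failed Logon", "SAP", "asmith", "2011-03-01 08:05:02"),
    ("asmith", "Credential Use", "Failed Logon", "SAP", "asmith", "2011-03-01 08:05:30"),
    ("asmith", "Credential Use", "Failed Logon", "SAP", "asmith", "2011-03-01 08:06:01"),
    ("asmith", "Credential Use", "Logon", "SAP", "asmith", "2011-03-01 08:07:10"),
    ("bkim", "Credential Change", "Add credentials", "PeopleSoft", "hr_shared", "2011-03-01 09:10:00"),
    ("clee", "Credential Change", "Add credentials", "PeopleSoft", "hr_shared", "2011-03-01 09:12:00"),
    ("clee", "Credential Use", "Automatic password change", "PeopleSoft", "hr_shared", "2011-03-02 10:00:00"),
    ("bkim", "Credential Use", "Failed Logon", "PeopleSoft", "hr_shared", "2011-03-02 11:00:00"),
    ("bkim", "Credential Use", "Failed Logon", "PeopleSoft", "hr_shared", "2011-03-03 11:00:00"),
    ("bkim", "Credential Use", "Failed Logon", "PeopleSoft", "hr_shared", "2011-03-04 11:00:00"),
]


def load_events(rows=SAMPLE_EVENTS):
    """Parse raw rows into dicts with a real datetime, as the reporting console would read them."""
    events = []
    for user, category, event, app, app_user, ts in rows:
        events.append({"user": user, "category": category, "event": event, "app": app,
                       "app_user": app_user, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")})
    return events


def failed_authentication_report(events, window_minutes=5, min_failures=3):
    """Failed Authentication Events: per (ESSO user, application), the failure count and whether
    min_failures of them fell inside one window_minutes window, which separates a burst worth an
    auditor's attention from a user who mistypes once a day."""
    failures = defaultdict(list)
    for e in events:
        if e["category"] == "Credential Use" and e["event"] == "Failed Logon":
            failures[(e["user"], e["app"])].append(e["ts"])
    report = {}
    window = timedelta(minutes=window_minutes)
    for key, times in failures.items():
        times.sort()
        burst = any(times[i + min_failures - 1] - times[i] <= window
                    for i in range(len(times) - min_failures + 1))
        report[key] = {"failures": len(times), "burst": burst}
    return report


def shared_application_user_ids(events):
    """Shared Application User IDs: application accounts held by more than one ESSO user. A shared
    account breaks the per-person accountability the audit group needs from the access logs."""
    holders = defaultdict(set)
    for e in events:
        holders[(e["app"], e["app_user"])].add(e["user"])
    return {key: sorted(users) for key, users in holders.items() if len(users) > 1}


if __name__ == "__main__":
    evts = load_events()
    for key, row in failed_authentication_report(evts).items():
        print("failed auth", key, row)
    for key, users in shared_application_user_ids(evts).items():
        print("shared id", key, users)
```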

Software Platform

At its core, Oracle ESSO+ is designed as an intermediary application that sits between the user, existing user directory services, and enterprise applications. As such, a boilerplate SIAM implementation of Oracle ESSO+ consists of two logical server configurations, as highlighted in Figure 9. The first is a load balanced set of web application servers, each running ESSO-Anywhere, ESSO-PR, ESSO-PG, and the ESSO-LM Administration Console. The second is an independent reporting server for ESSO-Reporting.

Figure 9 - GLOCO ESSO Server Topology

The specific technical software requirements for each component of ESSO+ are listed in Appendix I. These system specifications are minimum system requirements for installing Oracle ESSO+ and should not be considered recommendations by SIAM for new hardware configurations. Specific implementation considerations concerning the architecture topology are discussed in the following section.

Technical Considerations

Although Oracle ESSO+ is advertised as a plug and play solution, SIAM has found that each unique enterprise environment introduces nuances and customizations that must be addressed. The GLOCO implementation will be no exception. Some of the issues that must be addressed are outlined below.

- A successful ESSO+ deployment involves changes that can affect GLOCO network domains.
  o A PMSERVICE account needs to be a member of the local Administrators group on the IIS server that houses the Oracle server-side components in order for ESSO-PG's server-side component to function properly.
  o Directory services distributed across multiple domains must be designated as trusted domains to enable open access and communication. Therefore, specialized policies, trust, inheritance issues, and intra- and inter-site replication dependencies particular to GLOCO's network must be carefully analyzed. SIAM will provide known standards and software vendors' specific guidelines/best practices for review with GLOCO. For example, Microsoft IIS and Oracle ESSO+ components should be installed on domain member servers and not on Domain Controllers.

20 The ESSO+ suite is a 32-bit application requiring Microsoft IIS6 with Microsoft.Net Framework enabled. More recent versions of Microsoft IIS are viable so long as their backward compatibility IIS6 configurations are enabled. ESSO-PR rules, quiz questions, and corresponding answers are saved in a centralized GLOCO SQL Server or Oracle database or directory service repositories such as Active Directory or ADAM. The GLOCO implementation can also be customized to use GLOCO specific validators (written in.net 2.0) which can connect to additional GLOCO data sources such as a PeopleSoft to validate on social security number. SIAM has found it common to have several separate business units in large enterprises configured to run independent ESSO+ implementations. Conceptually this topology is similar to Figure 9 for each business unit. This opens up a myriad of synchronization and integration options such as: o Implementing independent ESSO reporting servers in each ESSO+ environment. These can either write to independent files that are imported into a central reporting database or to write to independent databases that are synchronized as part of nightly processing. o Depending on auditing requirements, user s access between the systems can be individually identified or granted access through a common business unit global user. The settings that define how ESSO-LM Agent behaves, including synchronization, are controlled by a combination of local and administrative settings. Local settings are controlled and managed by the desktop user. Administrative settings are defined by GLOCO administrators and downloaded from a central repository. They are encrypted in a local tamper-proof cache so they can t be changed by the local user. GLOCO policies must be carefully scrutinized because fewer administrative settings mean more efficient synchronization but a less restricted desktop. 
Deployment Model
The ESSO+ Logon Manager Agent (ESSO-LM) and the corresponding Provisioning Gateway (ESSO-PG) plug-in are client components that users will download as an ESSO install package from the internal GLOCO intranet download site. This package will include all the pre-defined GLOCO connection settings and synchronization rules, making the end-user installation a simple download and click. Because the package carries the connection settings the agent will trust, ICT should publish it only on the authenticated intranet site and verify its hash against the release record before users run it. The remaining client component, ESSO+ Password Reset (ESSO-PR), as well as the core administrative component (ESSO-LM Admin Console) and the admin plug-ins (ESSO-PG, Anywhere, and PR), will be installed by ICT Desktop Support using their current standard BMC BladeLogic push-install procedures.

Performance
As noted above, the main client program (ESSO-LM) runs on each user's desktop and synchronizes the local encrypted credentials file with the centralized GLOCO data stores according to administrator-defined rules. The encrypted file is very small, so users will not notice it in terms of latency or performance. Additionally, holding credentials locally delivers them faster than a purely server-based system. Because the encrypted credentials are synchronized, GLOCO users can also perform their work from any computer in the domain. The only notable performance difference may be a small uptick in load on the servers hosting directory services, because each initial application load validates the user's authentication through the directory.

Scalability
The GLOCO Oracle ESSO+ Suite implementation can be increased in scope in subsequent phases with little to no effect on performance or reliability. The initial phase covers a small sample of applications, but it will be designed with enterprise considerations: the core topology, architecture, and configurations will be established in this initial deployment and serve as the foundation for adding applications and user populations in later phases. Additionally, servers can be added to the existing clusters as needed to handle added load.

Redundancy
Because Oracle ESSO+ functions as an intermediary application, there are only two points of failure from the end user's perspective. The first is a local desktop agent failure, which would not result in a loss of application access or an outage: automated logon is unavailable, but manual sign-on remains. The second is an error in synchronizing the local user credential file; in this case the user can still access applications using the local machine's (possibly out-of-date) copy of the encrypted credentials. The one exception to note is a credential rotated from another workstation since the last synchronization, which the stale copy will not have; that user must re-synchronize or fall back to self-service reset. Other web application and database level redundancy concerns fall under GLOCO's standard policies: load-balanced configurations, standard backup practices, and the enterprise disaster recovery plan.
Security
ESSO+ will enhance security at GLOCO by eliminating poor end-user password management and by properly securing the system environment on the back end. The ESSO+ encrypted credentials file will be stored within the application data directory of the user profile. Credentials will be encrypted at rest and in the cache with GLOCO-compliant algorithms (AES, or 3DES only where a legacy component still requires it); a specific credential is decrypted only at the moment it is needed to fill a logon and is not held in clear text otherwise. Soft-token-based two-factor authentication of the primary logon prevents unauthorized users from reaching the credential store, and through it the enterprise applications. Communication between the client and administrative interfaces and the enterprise ESSO+ IIS servers will be configured to run over SSL/TLS with 128-bit cipher suites. SIAM's recommended implementation uses an X.509 server certificate issued by Microsoft Certificate Services, GLOCO's internal CA, which every domain workstation already trusts. By default the ESSO-PG Web service uses 3DES encryption; GLOCO should change this to AES, since 3DES's 64-bit block size makes it the weaker choice for a new deployment.

GLOCO's security will also increase through the ESSO+ option of managing application password changes via ESSO-LM. Target passwords will be changed according to GLOCO-specific password requirements every 30 days for designated applications. Because the agent generates these passwords, users neither choose nor need to remember them, which removes poor password selection and informal password management from the picture. As an added layer of security, the centralized reporting and self-service reset options of ESSO+ limit an attacker's ability to lock users out or to go undetected for a prolonged period. Centralized reporting provides monitoring of unusual account activity through alerts based on specific events, and self-service reset allows a user to recover from a lockout without a help desk call.

To address a common misconception, replacing multiple passwords with one Single Sign-On process does not reduce the security of the network or applications. An employee with 20 different passwords is likely to pick one simple password that works for as many applications as possible and write down the remaining, more complex ones. Easy-to-remember passwords fall to dictionary and brute-force guessing (and to rainbow tables wherever an application stores them as unsalted hashes), and written-down passwords are exposed to anyone with physical access to the desk. A user with a single strong primary credential protected by two-factor authentication is therefore arguably much more secure. There may be one key to the kingdom, but that key is far better protected, and the remaining risk concentrates on the primary logon and the credential store, which is why both must be covered by the two-factor, encryption, and monitoring controls above.

Integration
Oracle ESSO+'s client-side architecture will eliminate or significantly mitigate integration effort with GLOCO applications.
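Before turning to the integration analysis, here is an added example of the client-side credential store and 30-day rotation described under Security. It is example code written for this page, not Oracle ESSO+ code: the suite's actual file format, key handling and cipher configuration are not documented here. The example assumes that the primary logon secret is the key source (stretched with PBKDF2 into separate encryption and MAC keys), that the GLOCO password policy is the hypothetical DEFAULT_POLICY below, and, so that it runs on the Python standard library alone, it uses an HMAC-SHA256 counter-mode keystream with a separate HMAC tag (encrypt-then-MAC) as a stand-in for AES; a production store would use AES-GCM or another authenticated cipher.

```python
# Added example, not Oracle ESSO+ code: a minimal client-side credential vault
# with per-application entries, on-demand decryption, integrity protection and
# policy-driven password rotation. All names and policy values are assumptions.
import hashlib
import hmac
import json
import secrets
import string

# Hypothetical GLOCO password policy; the real requirements are not on the page.
DEFAULT_POLICY = {
    "length": 16,
    "required_classes": {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": "!@#$%^&*-_=+",
    },
}


def derive_keys(primary_secret: bytes, salt: bytes) -> tuple:
    """Stretch the primary logon secret into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", primary_secret, salt, 200_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a standard-library stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, aad: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The tag covers `aad` (here the application name), so a
    record cannot be silently moved to another application, and any change to
    the ciphertext is detected; encryption alone would not give either property."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unseal(enc_key: bytes, mac_key: bytes, aad: bytes, record: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce = bytes.fromhex(record["nonce"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    expected = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("credential record failed integrity check")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def generate_password(policy: dict = DEFAULT_POLICY) -> str:
    """One character from every required class first, then random fill, then a
    shuffle so the guaranteed characters do not sit in predictable positions."""
    rng = secrets.SystemRandom()
    classes = policy["required_classes"]
    chars = [rng.choice(alphabet) for alphabet in classes.values()]
    everything = "".join(classes.values())
    chars += [rng.choice(everything) for _ in range(policy["length"] - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def meets_policy(password: str, policy: dict = DEFAULT_POLICY) -> bool:
    """True when the password is long enough and uses every required class."""
    return len(password) >= policy["length"] and all(
        any(c in alphabet for c in password) for alphabet in policy["required_classes"].values()
    )


class Vault:
    """One encrypted credential file per user; entries are decrypted only on demand."""

    def __init__(self, primary_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.enc_key, self.mac_key = derive_keys(primary_secret, self.salt)
        self.entries = {}  # application name -> sealed record

    def store(self, app: str, username: str, password: str) -> None:
        payload = json.dumps({"u": username, "p": password}).encode("utf-8")
        self.entries[app] = seal(self.enc_key, self.mac_key, app.encode("utf-8"), payload)

    def get(self, app: str) -> tuple:
        """Decrypts just the requested entry; everything else stays ciphertext."""
        payload = json.loads(unseal(self.enc_key, self.mac_key, app.encode("utf-8"), self.entries[app]))
        return payload["u"], payload["p"]

    def rotate(self, app: str, policy: dict = DEFAULT_POLICY) -> str:
        """The scheduled rotation step: replace the stored password with a fresh
        policy-compliant one. The caller then submits it to the target
        application's change-password form."""
        username, _old = self.get(app)
        new_password = generate_password(policy)
        self.store(app, username, new_password)
        return new_password

    def to_file(self) -> bytes:
        """The on-disk form: salt plus sealed entries, no plaintext credentials."""
        return json.dumps({"salt": self.salt.hex(), "entries": self.entries}).encode("utf-8")


if __name__ == "__main__":
    vault = Vault(b"correct horse battery staple")  # constructed primary secret
    vault.store("peoplesoft", "jdoe", "Winter2011!")  # constructed sample credential
    print(vault.get("peoplesoft"))
    print("rotated to", vault.rotate("peoplesoft"))
```

Two points carry over whatever cipher is used in production: the tag is computed over the application name as associated data, so a record cannot be copied from one application's entry to another without detection, and each `get` decrypts only the entry requested, so the rest of the file stays ciphertext in memory as well as on disk. Encryption without the tag would hide credentials but would not detect a modified file, which is the same distinction that matters for the tamper-proof administrative settings cache.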
SIAM reviewed GLOCO's target applications and identified:
o 85% as easily integrated using standard ESSO+ pre-configuration or wizard auto-identification;
o 10% as requiring low to moderate effort using ESSO+ utilities or custom coding and scripting;
o 5% as difficult to integrate because they use rich interface technologies such as Flash, Silverlight, and AJAX, or are home-grown legacy applications with exceedingly disparate interfaces.
Because the easier-to-integrate applications offer a greater return on investment, the 15% in the last two groups will be given the lowest priority for integration. In addition to these application integration needs, the ESSO+ components require special consideration at their touch points with the existing GLOCO infrastructure. Again, the client-side architecture minimizes integration concerns, and the modularity of the ESSO+ Suite gives GLOCO overall flexibility and scalability, but the following items must be addressed during implementation:

ESSO Integration Points (components: LM, PR, PG, Anywhere, Reporting)
o Synchronization with the central credential data source (three of the five components): connections to the existing GLOCO Active Directory, ADAM, LDAP directories, file servers, and other directory services.
o Synchronization with ESSO-specific data elements (three of the five): connections to the data stores for application templates, rules, reset-quiz questions and answers, and the text of help desk e-mails for password reset exceptions.
o Synchronization with other ESSO components (four of the five): PG and LM.
o Synchronization with external data sources (three of the five): PG connecting to external sources such as PeopleSoft.
o Administration rights to write files to local machines (four of the five): downloading reports, writing encrypted credential files, installing LM, PG, and PR.
o Network connections with web servers/services (all five): every ESSO+ component linking to Reporting and to the servers that raise alerts and exceptions.
Table 3 - ESSO+ component integration touch points with GLOCO infrastructure

Application Integration Example: Use Cases 2 and 3
GLOCO's use cases #2 and #3 consist of streamlined user password reset and enhanced auditing and reporting. In this example the GLOCO user clicks the "Forgot your password" tab on the Windows logon screen to initiate ESSO-PR. The local PR client connects over a secured network link, authenticating with the dedicated PR service account, to retrieve the user's specific security questions from the central repository (AD, LDAP, etc.). Once the user has answered the quiz correctly, the user selects a new password, and LM and PG automatically synchronize the encrypted password file with the server once again. Meanwhile, all ESSO application-level activity is logged through the ESSO+ Reporting web services into the ESSO+ reporting database.
ESSO+ Reporting services will also monitor incoming events and, where an event meets a GLOCO-defined rule, initiate alerts and messages. Events will also be made available from ESSO+ Reporting over a network connection directly to the ESSO+ Reporting web interface, or through reports distributed automatically by e-mail.

Solution Demonstration
The table below contains four scenarios that summarize GLOCO's primary use cases covered in the scope of GLOCO's ESSO solution.

Scenario 1 - Employee Sets User Credentials for Desktop Applications (pre-defined by the System Administrator)
Use Case: Use Case 1: Consolidate Application Access
Description: GLOCO employees use their Windows username and password (already set up in the AD/LDAP/HR database) to log into an ESSO- and password-reset-enabled desktop. Using the Oracle ESSO-LM Primary Logon Setup wizard, the user selects Windows Logon as his or her Primary Logon Method, and ESSO-LM stores the Windows logon credential in the Active Directory repository. The user then sets up the credentials for all predefined desktop applications.
Screenshot: Refer to Appendix J for a visual illustration of this scenario demonstration.

Scenario 2 - Employee Single Sign-On into Desktop Applications
Use Case: Use Case 1: Consolidate Application Access
Description: Once a GLOCO employee logs into his or her Windows machine, whenever the user opens a password-protected application that is part of the user's ESSO-enabled desktop, ESSO Logon Manager identifies the client application, fills in the user's credentials (the specific username and password for that application), and executes the sign-in.
Screenshot: Refer to Appendix K for a visual illustration of this scenario demonstration.

Scenario 3 - Self-Service Password Reset Enrollment
Use Case: Use Case 2: Streamline Password Reset
Description: GLOCO employees enroll for self-service password reset by accessing the Password Reset web service. The employee enters his or her e-mail address to start the enrollment process and is then asked to answer the list of required security questions (set by the administrator) in order to enable self-service password reset.
Screenshot: Refer to Appendix L for a visual illustration of this scenario demonstration.

Scenario 4 - GLOCO Employee Resets Desktop Password through the Self-Service Process
Use Case: Use Case 2: Streamline Password Reset
Description: GLOCO employees click the Oracle "Forgot your password" tab on the Windows logon prompt. This opens the Oracle ESSO Password Reset Wizard, where the user is asked to answer a set of predefined security questions (a "reset quiz"). The answers are verified against the answers the user gave during enrollment. Only when all of the answers match is the user's password reset.
Table 4 - ESSO+ Software Prototype and Demos
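The enrollment and reset quiz of Scenarios 3 and 4, together with the event logging that Use Case 3 relies on, as an added example written for this page rather than Oracle ESSO-PR code (how ESSO-PR actually stores and checks answers is not documented here). The example's assumptions, none of them from the original: answers are normalized before hashing so that capitalization, spacing and punctuation do not cause false failures; each answer is stored as its own salt plus a PBKDF2-HMAC-SHA256 hash rather than in clear text; a quiz passes only when every enrolled answer matches; a session allows three attempts before locking, a limit the page itself leaves to GLOCO policy; and the event names are placeholders for whatever the ESSO+ Reporting feed carries.

```python
# Added example, not Oracle ESSO-PR code: reset-quiz enrollment, verification
# and a bounded, audited reset session. Names and limits are assumptions.
import hashlib
import hmac
import secrets
import string
import unicodedata

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, not from the document.
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Cambridge, MA' and ' cambridge ma ' agree:
    Unicode NFKC plus casefold, then drop ASCII punctuation and whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch not in string.punctuation and not ch.isspace())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(answers: dict) -> dict:
    """Enrollment (Scenario 3): answers arrive as text keyed by question id and
    are stored as a per-answer salt plus slow hash, never in clear text."""
    record = {}
    for qid, answer in answers.items():
        salt = secrets.token_bytes(16)
        record[qid] = {"salt": salt.hex(), "hash": _digest(answer, salt).hex()}
    return record


def verify_quiz(record: dict, responses: dict) -> bool:
    """Reset quiz (Scenario 4): every enrolled question must be answered correctly.
    Every answer is checked even after the first mismatch, and each comparison is
    constant-time, so the response does not reveal which answer was wrong."""
    all_match = True
    for qid, stored in record.items():
        candidate = _digest(responses.get(qid, ""), bytes.fromhex(stored["salt"]))
        all_match &= hmac.compare_digest(candidate, bytes.fromhex(stored["hash"]))
    return all_match


class ResetQuiz:
    """One user's reset session: bounded attempts, with each outcome emitted as
    an event of the kind the ESSO+ Reporting feed would carry (event names assumed)."""

    def __init__(self, record: dict, user: str = "jdoe", max_attempts: int = 3):
        self.record = record
        self.user = user
        self.max_attempts = max_attempts
        self.failures = 0
        self.events = []  # stand-in for the reporting database

    def _emit(self, event: str) -> None:
        self.events.append({"event": event, "user": self.user, "failures": self.failures})

    def attempt(self, responses: dict) -> str:
        """Returns 'reset', 'retry' or 'locked'. Once locked, even a correct quiz is
        refused: the user falls back to the help desk, and the lock event is what
        a Use Case 3 alerting rule should match."""
        if self.failures >= self.max_attempts:
            self._emit("reset_quiz_locked")
            return "locked"
        if verify_quiz(self.record, responses):
            self._emit("password_reset")
            return "reset"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self._emit("reset_quiz_locked")
            return "locked"
        self._emit("reset_quiz_failed")
        return "retry"


if __name__ == "__main__":
    # Constructed sample enrollment; not data from the document.
    stored = enroll({"pet": "Fluffy", "city": "Cambridge, MA"})
    session = ResetQuiz(stored)
    print(session.attempt({"pet": "fluffy", "city": "cambridge ma"}))
```

The attempt limit cuts against the page's point that self-service reset avoids lockouts, and it is a deliberate trade-off: with no limit the quiz is an unthrottled guessing oracle for anyone who knows a colleague's e-mail address, and the reporting rules of Use Case 3 are exactly where the resulting lock event should raise an alert rather than pass unnoticed.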

Part 3: Implementation Plan

Road Map for ESSO Initiative
SIAM's ESSO solution will be implemented in a phased approach. Each phase will involve a milestone review as well as a project status review. During the reviews both GLOCO and SIAM must: 1) agree that the previous deliverables have been achieved; 2) agree on clear deliverables and timelines for the upcoming phase; 3) agree on the work schedule, distribution, and resource allocations for the upcoming phase; and 4) sign contracts obligating each party to complete its responsibilities. This review process allows issues identified in previous phases, such as the pilot groups, to be corrected. It also provides GLOCO with a holistic view of the identity management strategy and illustrates how ESSO+ is simply a foundation on which the GLOCO identity management strategy will be built. The proposed phases are:
Phase #1 - Initial pilot with intranet deployment of Logon Manager (LM) with Provisioning Gateway (PG) for a small group of local Windows users using ESSO-Anywhere. The pilot will also include deployment of the basic Reporting component, enabling additional logging and reporting of events, as well as deployment of the Password Reset component for the same group of users.
Phase #2 - Implement enhanced reporting capabilities and expand the number of users beyond the pilot group.
Phase #3 - Expand the number of applications beyond the pilot group.
Phase #4 - Roll out the application across the enterprise incrementally.
Add-on - Expand to implement Kiosk Manager and Authentication Manager for additional logon methods (smart cards and biometrics) for manufacturing departments and lab sites.
Add-on - Roll out other IAM solutions such as Oracle Identity Management, Oracle Access Manager, and federated sign-on solutions.
GLOCO and SIAM have agreed to proceed with Phase 1 as outlined above for this engagement.
Application Analysis and Prioritization for Phase 1
While Oracle ESSO+ is designed as a plug-and-play solution, GLOCO's IT infrastructure will require significant configuration and customization. During the first phase of the solution, SIAM facilitated the development of GLOCO's cohesive ESSO+ strategy and governing ESSO+ policies. To complete the analysis and planning phase, SIAM worked with GLOCO on a comprehensive evaluation of all of their business applications (see Appendix Q for the application questionnaire used in the review). Among the applications reviewed were large mainframe-hosted applications, thick-client computational applications, and web-based applications. They covered business processes from Customer Relationship Management, Service Operation, Enterprise Resource Planning, Supply Chain Management, and Business Intelligence to Communication and Collaboration systems such as e-mail, calendaring, social software, and web conferencing. Because of GLOCO's recent mergers and acquisitions, many regional offices run different systems, on different hardware and software stacks, for the same business processes.

From this analysis all parties agreed that the opportunities to address the core business requirements of this initial ESSO+ phase (improving employee productivity by simplifying application access and password management; decreasing support costs by reducing password-related help desk calls; and achieving compliance through improved auditing, reporting, and record keeping) were abundant. GLOCO and SIAM stakeholders also agreed that the key to success in this initial phase is not to over-reach when selecting pilot applications. To concentrate the scope of the initial project, SIAM focused on key criteria: the number of corporate-wide application users; the geographic distribution of users; the volume of authentication help desk calls; the existing application access processes; the centrality and accessibility of the user authorization information; the maturity of the application and its supporting development team; the sophistication of the current business processes around user provisioning and maintenance; the network location; and the application platform. Based on SIAM's recommendation, GLOCO prioritized all the potential candidates and identified four applications for the initial pilot ESSO+ launch.
These four applications 1) are all physically located at corporate headquarters in Cambridge, MA; 2) are all centralized in one network location; 3) are all deemed business critical to GLOCO's daily operation; 4) can all potentially be expanded or rolled out to other locations; and 5) all generate a significant volume of password and access related help desk tickets. The pilot applications will be:
1. Rumba - back-end manufacturing inventory management
2. PeopleSoft - Human Resources
3. Outlook Web Access
4. Hyperion - reporting

Project Management Methodology
A phased approach will be taken in implementing ESSO+. Because of the modular, service-oriented architecture of ESSO+, the installation of each individual component follows a similar pattern. Each component will be rolled out and tested in turn, allowing lessons learned from each prior module implementation to guide later installs. This has the added benefit of containing mistakes so that they are not repeated at scale throughout the installation. The overall project management approach will follow GLOCO's existing Project-to-System Lifecycle:
1. Business Case
2. Requirements
3. Functional Requirements
4. Interface Specifications
5. Data Model Specs
6. Software Specification
7. Software Package
8. Deployment Plan
9. Operations Plan

Stakeholder Responsibilities
Project Manager (GLOCO 1, SIAM 1): Monitors project progress, identifies and reports issues, and ensures effective communication is in place. The GLOCO and SIAM project managers will form a joint project management team to avoid a silo effect developing between the GLOCO and SIAM implementation teams.
DBA / Web Server Technicians (GLOCO 2): Install the ESSO+ modules (including links to the directories), create the SQL databases, and implement the web servers. Also responsible for obtaining technical support from Oracle, Microsoft, SAP and any other third-party vendors in the event of technical problems during deployment.
Network Engineer (GLOCO 1): Ensures all installations meet GLOCO security requirements; completes network-related tasks.
Lead Security Officer (GLOCO 1): Provides written documentation of all access and authentication policies for the applications to be integrated into the ESSO+ implementation, including all password policies (strength, repetition, and duration) as well as on/off-boarding of users.
Configuration / System Integration Engineers (SIAM 3): Create the cross-functional architecture and lead the overall ESSO+ integration effort with the current GLOCO infrastructure. Bring significant prior experience implementing ESSO+ components to Oracle's suggested minimum standards.
Implementation Staff (SIAM 2): Provide the architectural documentation and support manuals for GLOCO ICT ESSO+ administrators.
Training Coordinators (SIAM 2): Provide training documentation for GLOCO administrators and end users.
Developers (GLOCO 2, SIAM 1): Custom coding for connectors; technical updates and changes; bug fixes. Also responsible for unit testing.
Quality Assurance Engineers (GLOCO 1, SIAM 1): Create the test plan and test cases for system integration, regression, and user acceptance testing; execute test cases; log bugs.
Help Desk Staff (GLOCO 3): Handle the anticipated increase in call volume during installations.
Table 5 - Stakeholder Roles and Responsibilities

Deployment
The initial pilot will be rolled out to approximately 500 users in Cambridge, Massachusetts. This includes implementing and configuring the core administrative functions (the Administrator Console, ESSO Anywhere, Provisioning Gateway, and basic ESSO Reporting) as well as installing the ESSO Logon Manager Agent and Password Reset end-user components. Customized ESSO Reporting reports will be developed and rolled out soon after the initial installation. SIAM Integration Engineers will work with GLOCO DBAs, Network Engineers, and Security Officers to provision and install all the ESSO+ web servers and server software and to address network configuration (ACLs), following all standard GLOCO protocols and practices. ESSO+ administrator workstations will be installed manually by GLOCO ICT with SIAM's assistance and then configured for the GLOCO environment. This includes creating application templates, posting templates to the correct directories and repositories, installing ESSO Anywhere, defining the initial provisioning rights, and using Anywhere to build the user-executable installation packages. End-user workstations will be configured in two ways. The first is the ESSO Anywhere installation package for ESSO-LM and PG, which users download from the GLOCO intranet or FTP sites and execute; because FTP gives no assurance of a file's integrity or origin, a package offered that way should be verified against a hash published on the intranet site before it is run. The second is ICT desktop support using the enterprise-standard BMC BladeLogic Client Automation (formerly Marimba) to push the ESSO Password Reset agent to user desktops, and to run the ESSO Anywhere install package for the ESSO-LM and PG clients on behalf of users not comfortable with self-installation.

Roll Back
As part of the comprehensive release plan, GLOCO's enterprise roll-back Standard Operating Procedures will be integrated into the deployment process starting with the pilot project.
At the workstation level this involves routine standard backups of user machines with IronMountain Connected Backup, archiving of previous ESSO Anywhere deployment packages so that the last stable release can be re-posted, and GLOCO ICT using BMC BladeLogic to push client software roll-backs to desktops. Server roll-backs will be managed using GLOCO enterprise standards for software version control, complete server backups prior to any software release or upgrade, and ultimately GLOCO's standard disaster recovery procedures. All documentation on installation, re-installs and uninstalls, and roll-backs, including policies and practices, will be stored on GLOCO's common ICT SharePoint FAQ page.

Project Timeline / High Level WBS

Project Plan & Milestones
The ESSO+ project work breakdown structure (WBS) consists of three main project management phases (Elaboration, Transition, Phase Closure) enclosed by the standard Project Inception and Project Closure phases. Significant Milestones (M) mark the end of each management phase. The structure naturally follows a phased approach within Elaboration and Transition, because the required actions and tasks repeat both within and across the larger ESSO+ project phases depicted in the Project Timeline (see Appendix R for the GLOCO ESSO+ timeline). The WBS covers the pilot period, which encompasses all actions and tasks that will be performed again across the enterprise roll-out (see Appendix P for the work breakdown structure).

Incident, Change & Release Management
With regard to incident, change and release management, GLOCO and SIAM have agreed that the ESSO+ project Change Management Committee (CMC) will authorize all recommendations prior to release. The CMC will be comprised of senior GLOCO and SIAM project leads and stakeholders.
Figure 10 - ESSO+ project Change Management Process

Risks & Mitigation
Three primary risks were identified by project stakeholders during the initial requirements gathering and planning phase. The first risk centered on security, specifically ESSO+ creating a single point of access, and therefore of attack, to all systems at GLOCO. This concern is addressed in the Security portion of Part 2 of this document. The second risk focused on ESSO+ system outages creating a single point of failure, resulting in enterprise-wide user lockouts across multiple applications; this is addressed in the Redundancy section of Part 2. Finally, concerns around failed initial and subsequent deployments raised the need for a roll-back strategy, which is addressed in detail in the Deployment section of Part 3.

Testing
Through collaboration with the ICT software quality assurance team, SIAM will develop a comprehensive test plan for GLOCO's ESSO+ pilot implementation. The overall test plan includes three main testing phases: unit and system integration testing, regression testing, and user acceptance testing. Each of the components for the ESSO+ pilot will first be deployed to the development (DEV) environment for unit and system integration testing. Upon satisfying GLOCO's standard exit and entry criteria for test environments (see Appendix O for the list of GLOCO's standard exit and entry criteria for test and production environments), the component will be deployed to the quality assurance (QA) test environment for regression and user acceptance testing. Once thoroughly tested in the DEV and QA environments and satisfying GLOCO's standard quality assurance entry criteria for production, all five ESSO+ components for the pilot phase will be deployed to production as one migration package. SIAM will also coordinate the production checkout testing on deployment day. SIAM will lead the system integration testing effort, including but not limited to testing the synchronization of ESSO-LM and ESSO-PG with LDAP and Active Directory, the ESSO-Anywhere configuration XML, the integration of the ESSO Reporting web server with both Microsoft SQL Server and the ESSO-LM web server, the integration of the various APIs (for example, the event notification service API), and the integration of ESSO-LM with ESSO-PG. The system integration test cases should also exercise the security controls described in Part 2: that a modified administrative settings cache or credential file is rejected by the agent, that the reset quiz's attempt handling and each failed attempt are recorded in ESSO+ Reporting, and that client-to-server traffic is accepted only over SSL/TLS. The system integration testing phase also includes load testing and stress testing, which will adhere to GLOCO's current performance testing methodologies and standards. The ICT software quality assurance team will be responsible for executing regression and user acceptance testing. The primary focus of the regression testing is to ensure that the applications and their functionality are not negatively affected by the ESSO implementation. User acceptance testing, performed by the prospective users of the system, verifies that the new solution functions according to the predefined user requirements and business specifications.

Training
SIAM consulting will offer comprehensive training workshops and customized training materials to GLOCO employees. The majority of the training materials will be available online on the internal document repository and SharePoint sites. Adobe Captivate 5 will be used to create online training modules consisting of interactive presentations, wikis, FAQ/troubleshooting guides, and user training videos. These training modules cover the three primary training areas and audiences outlined in Table 6. Throughout the pilot implementation phase, SIAM will also offer on-site training sessions providing a hands-on introduction to the Oracle ESSO+ architecture, deployment topologies, and configuration processes. If additional training and documentation are needed, SIAM recommends the free online training materials and tutorials offered by the Oracle Documentation Library or the Oracle Suite Deep Dive course and training materials offered by Oracle University.

Target audience and training topics covered:
ICT Operational Personnel: Installation and configuration of the ESSO-LM Admin Console, the ESSO-PR environment, ESSO-PG and ESSO-Anywhere; custom installation of the ESSO-LM agent; configuration of AD with ESSO-LM; setup of AD synchronization.
ICT Help Desk Personnel: Overview of the ESSO-enabled desktop and the automated password reset process; support and troubleshooting.
GLOCO End User: Installation of the ESSO-LM agent on the user's desktop; enabling ESSO for desktop applications; the automated password reset enrollment process and taking the password reset quiz.
Table 6 - Training Audience and Topics

Success Criteria
Help Desk Calls/Cost
  Data collection/analysis: Help desk database querying/reporting; ESSO event reporting; baseline average of $30.00 per trouble ticket (too high).
  Target: 40% help desk call reduction; $870,000 cost savings per year per application.
User Productivity
  Data collection/analysis: ESSO event reporting; help desk database querying/reporting; user shadowing; user studies/surveys.
  Target: Password expire/reset hours: 29,000 hours saved per year; password lockout/forgotten-password reset hours: 48,000 hours saved per year.
Security Audit Tracking Time/Cost
  Data collection/analysis: ESSO event reporting; user audits; procedure and process audits; password strength analysis.
  Target: 95% reduction in audit data gathering time; 60% reduction in audit analysis time; 75% reduction in auditing cost.
Average Number of User Logon Credentials
  Data collection/analysis: ESSO event reporting; user studies/surveys.
  Target: 90% reduction in actively used logon credentials.
User Satisfaction
  Data collection/analysis: User feedback sessions/focus groups; user studies/surveys.
  Target: 55% or greater positive rating on user surveys.
User Adoption
  Data collection/analysis: ESSO event reporting; user audits.
  Target: 90% usage according to event reporting statistics.
Table 7 - ESSO+ Project Success Criteria Evaluation

References

Executive Summary References
Kreizman, Gregg. "Market Scope for Enterprise Single Sign-On." Gartner, September. Web. February 2011.
Dunne, Chris. "Build and Implement a Single Sign-On Solution." developertutorials.com, January 28. Web. February 2011.
Lodha, Ajay, and Ram Sarma. "A Single Sign-On Approach." slant.avenuea-razorfish.com, March. Web. February 2011.
Runyon, Barry. "Single Sign-On and the Real-Time Healthcare System." Gartner, October. Web. February 2011.
Dutta, Rian. "Planning for Single Sign On." mielesecurity.com. Web. February 2011.
Kreizman, Gregg. "Hype Cycle for Identity and Access Management Technologies." Gartner, July. Web. February 2011.
Carpenter, Perry. "IAM Foundations, Part 1: So You've Been Handed an IAM Program... Now What?" Gartner, May. Web. February 2011.
Carpenter, Perry, and Earl Perkins. "Magic Quadrant for User Provisioning." Gartner, September. Web. February 2011.
"SSO Strategy and Policies." authenticationworld.com. Web. Authentication/SSOStragegyandPolicies.html
"101 Things to Know About Single Sign On." authenticationworld.com. Web. Authentication/101ThingsToKnowAboutSingleSignOn.pdf
"Oracle Enterprise Single Sign-On Suite Plus" (n.d.). Oracle. Retrieved February 15, 2011.
"Web Access Management and Enterprise Single Sign On (ESSO)" (n.d.). Oracle. Retrieved February 15, 2011.
"Enterprise Single Sign-On: The Missing Link in Password Management" (December 2010). Oracle. Retrieved February 15, 2011.
"Implementing Enterprise Single Sign-On in an Identity Management System" (December 2010). Oracle. Retrieved February 15, 2011.
"Enabling Single Sign-On from Desktop to Cloud for the Extended Enterprise" (January 2011). Enterprise Management Associates, white paper prepared for Oracle. Retrieved February 15, 2011.

Business Requirements References
ISO/IEC 17799:2005, Abstract. International Organization for Standardization. Retrieved March 5, 2011.

Research References
Carpenter, Perry. "IAM Foundations, Part 1: So You've Been Handed an IAM Program... Now What?" Gartner, May. Web. February 2011.
Carpenter, Perry. "IAM Foundations, Part 2: Tools and Technologies." Gartner, July. Web. February 2011.
Kreizman, Gregg. "Hype Cycle for Identity and Access Management Technologies, 2010." Gartner, July. Web. February 2011.
Kreizman, Gregg. "Market Scope for Enterprise Single Sign-On." Gartner, September. Web. February 2011.
Runyon, Barry. "Single Sign-On and the Real-Time Healthcare System." Gartner, October. Web. February 2011.
"Oracle Enterprise Single Sign-On Suite Plus" (n.d.). Oracle. Retrieved February 15, 2011.
"Web Access Management and Enterprise Single Sign On (ESSO)" (n.d.). Oracle. Retrieved February 15, 2011.
"Enterprise Single Sign-On: The Missing Link in Password Management" (December 2010). Oracle. Retrieved February 15, 2011.
"Implementing Enterprise Single Sign-On in an Identity Management System" (December 2010). Oracle. Retrieved February 15, 2011.
"Enabling Single Sign-On from Desktop to Cloud for the Extended Enterprise" (January 2011). Enterprise Management Associates, white paper prepared for Oracle. Retrieved February 15, 2011.
"Oracle Fusion Middleware Documentation Library: Oracle Enterprise Single Sign On Plus Suite 11g" (n.d.). Oracle. Retrieved February 15, 2011.
"Oracle Enterprise Single Sign-on: Technical Guide" (June 2009). Oracle. Retrieved February 15, 2011.
"Oracle Buys Passlogix" (October 2010). Market Wire. Retrieved February 15, 2011.
"Oracle Enterprise Single Sign-on: Oracle Expert Services Data Sheet" (2007). Oracle. Retrieved February 15, 2011.

Architectural References
"Buyer's Guide for Enterprise Single Sign-On." Oracle, September. Web. March 2011.
Oracle Fusion Middleware. Oracle. Web. March 2011.
"Enterprise Single Sign-On: The Missing Link in Password Management." Oracle, December. Web. March 2011.

Software Solution References
Kreizman, Gregg. "Market Scope for Enterprise Single Sign-On." Gartner, September. Web. February 2011.
Kreizman, Gregg. "Magic Quadrant for Enterprise Single Sign On." Gartner, September. Web. March 2011.
"Oracle Fusion Middleware Documentation Library: Oracle Enterprise Single Sign On Plus Suite 11g." Oracle. Web. March 2011.
"Oracle Buys Passlogix." Oracle press release. Oracle, October. Web. March 2011.

Appendices

Appendix A: Proposal Research

Business Need: An employee's typical environment today requires the use of multiple applications with differing levels of security and accessibility. This creates issues that businesses must address from many perspectives. They face high costs associated with password-related help desk requests. Many require shared-workstation support, with multiple users accessing the same applications on the same machines. (Kreizman) From a security perspective it is difficult for users to manage multiple applications with differing passwords, and as a result users often violate security policies and best practices: they recycle passwords, use common passwords across applications, or implement personal management techniques such as keeping easily accessible but unsecured text files or paper inventories. To address these issues and improve user convenience, many companies develop comprehensive long-term Identity and Access Management (IAM) strategies, and one of the most common components of those strategies is an Enterprise Single Sign-On (ESSO) tool. (Carpenter)

Definition: ESSO tools enable users to be authenticated via their credentials once, and then subsequently to sign on automatically, without re-supplying credentials, to the other target systems that user accesses. The tools manage the authentication interactions with the target systems (including password change requests and some post-sign-on automation tasks) seamlessly, without modifying the target systems. ESSO tools can be used with systems across multiple platforms such as Windows, networks, the internet and terminal client interfaces. (Kreizman)

IAM Overview (Where ESSO fits) [4]: ESSO is part of the overall technology area defined as Identity and Access Management (IAM). Per Gartner (Carpenter), IAM technologies span four functional areas:

- Intelligence: the means of collecting, analyzing, auditing, reporting and making rule-based decisions based on identity and identity-related data.
- Administration: performing identity-related tasks such as user provisioning (adding a user account to a specific system), which typically are automated using a logical decision-tree, rule-based workflow engine.
- Authentication: real-time assurance that a person is who he or she claims to be, using different types of credentials and mechanisms such as passwords, tokens, smart cards, and biometrics.
- Authorization: the control used to determine the specific scope of access to grant to an authenticated identity.

ESSO is functionally classified as an Authentication technology.

Fundamentals of ESSO Architecture: The technical infrastructure of ESSO software consists of common authoritative Identity and Policy Repositories, as well as an Authorization Policy Decision Process. The Identity Repository uses clearly documented standards that ensure the accessibility of all identity information and provide a consistent source for authentication and authorization, the key to enabling SSO. The Policy Repository holds the information used to make authentication and authorization decisions via defined controls around user and application requests. The Identity and Policy Repositories are closely related and can either be combined or be stand-alone entities. Finally, the Authorization Policy Decision Process is a common component that evaluates Policy Repository data against the Identity Repository's user access profile. It is responsible for maintaining a consistent user session across all application access requests. It is important to note that the policy decision points do not need to be in a centralized physical environment throughout the organization, but they must use a common product and platform.

Implementation: In practice, one critical key to ESSO software is that repository data and authorization processes must only be available to the software infrastructure components consuming the information, and must be secured and encrypted where applicable. This means the software must reside on secured network resources appropriately protected via firewalls, proxies, or other mechanisms. It also means traffic routed from, to, and through the ESSO infrastructure must be predictable, secure and consistent. Finally, all administration GUIs and interfaces to ESSO infrastructure components must connect via secured, encrypted transport (e.g. SSL, SSH) and comply with relevant standards and policies.

Another critical component of ESSO software is auditing. All ESSO infrastructure components must log relevant system access, decision, and change information for reporting and auditing purposes. The logs produced by the software should be configured to follow applicable company policies and industry standards in terms of on-site storage, identification, indexing, encryption, archiving, and recall.

Clearly defined process and flow diagrams around application integration must be written, approved, and followed to ensure consistency and stability in the ESSO environment. Typically there are three roles for staff in this integration process: Application Developers, Security Integrators, and Security Operations. Application Developers are responsible for the development and/or configuration of applications that will utilize the ESSO functionality. Security Integrators are responsible for coordinating integration efforts between Application Developers and Security Operations by following clear, common registration and integration processes and generating clear requirements. Finally, Security Operations executes the actual implementation of requests into the ESSO environment. Per Gartner (Kreizman), the average install takes 3-6 months for applications with approximately 2,000 users. With this level of engagement, companies usually recoup their costs in 2 years.

Key Steps to Successful Implementation: As is common with most IT projects, barriers to success tend to be non-technical, such as improper vendor analysis, scoping shortfalls, and breakdowns in communication among stakeholders. These are easily avoidable with proper planning, forethought, and project management, and thus Gartner (Carpenter) recommends that enterprises:

- Create an IAM steering committee consisting of business and technical stakeholders to author, approve and govern all IAM standards, policies, and procedures.
- Incorporate ESSO as part of the larger enterprise IAM strategy.
- Develop long-term (3 year+) goals regarding how IAM will meet technical and business needs.
- Evaluate applications and data individually for integration into ESSO environments, because not all are viable candidates. This must be done against common, agreed-upon criteria.

Market Summary: Prior to 2007, Gartner (Kreizman) proposed renaming single sign-on "reduced sign-on" because of its limitations. However, in recent years the tools have improved, and enterprises can typically integrate 95% or more of their applications. In fact, ESSO standards have arguably become more secure than traditional logon methods within enterprises, making access to multiple applications more efficient and safe. (Runyon) Gartner (Kreizman) now places ESSO in the Plateau of Productivity on their Hype Cycle for Identity and Access Management Technologies, 2010, and will likely remove ESSO soon because it is considered a mature, mainstream technology with 50% market penetration of the target audience. This maturation has also caused prices to trend downward, with an 18% decrease in implementation costs since 2009. The main vendors in the ESSO market are ActivIdentity; Avencis; CA; Citrix; Evidian; i-Sprint Innovations; IBM; Imprivata; MetaPass; Novell; Passlogix (purchased by Oracle in 2010); and Sentillion (purchased by Microsoft in 2009).

Appendix A: Resources and Works Cited

Carpenter, Perry. "IAM Foundations, Part 1: So You've Been Handed an IAM Program. Now What?" Gartner. May. Web. February. Code=200386&ref=docDisplay

Carpenter, Perry. "IAM Foundations, Part 2: Tools and Technologies." Gartner. July. Web. February. d= &ref=quicksearch&sthkw=enterprise+single+sign-on#h-n66419

Kreizman, Gregg. "Hype Cycle for Identity and Access Management Technologies, 2010." Gartner. July. Web. February. Code=201318&ref=docDisplay

Kreizman, Gregg. "Market Scope for Enterprise Single Sign-On." Gartner. September. Web. February. d= &ref=quicksearch&sthkw=single+sign+on

Runyon, Barry. "Single Sign-On and the Real-Time Healthcare System." Gartner. October. Web. February. d= &ref=quicksearch&sthkw=single+sign+on

Oracle Enterprise Single Sign-On Suite Plus (n.d.). Oracle. Retrieved February 15, 2011.

Web Access Management and Enterprise Single Sign On (ESSO) (n.d.). Oracle. Retrieved February 15, 2011, from ct=4&id1= &id2= &pe=null&pr=365.0&pt=n&pd=y&xs= &xa=4&pu= Null&po=WWMK MP&ps=N&p_ext=Y&p_tm=Null&r1=-1&r2=-1&r0=-1

Enterprise Single Sign-On: The Missing Link in Password Management (December, 2010). Oracle. Retrieved February 15, 2011.

Implementing Enterprise Single Sign-On in an Identity Management System (December, 2010). Oracle. Retrieved February 15, 2011.

Enabling Single Sign-On from Desktop to Cloud for the Extended Enterprise (January, 2011). Enterprise Management Associates, white paper prepared for Oracle. Retrieved February 15, 2011.

Oracle Fusion Middleware Documentation Library: Oracle Enterprise Single Sign On Plus Suite 11g (n.d.). Oracle. Retrieved February 15, 2011.

Oracle Enterprise Single Sign-on: Technical Guide (June, 2009). Oracle. Retrieved February 15, 2011.

Oracle Buys Passlogix (October, 2010). Market Wire. Retrieved February 15, 2011, from htm

Oracle Enterprise Single Sign-on: Oracle Expert Services Data Sheet (2007). Oracle. Retrieved February 15, 2011.
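As an added illustration of the "Fundamentals of ESSO Architecture" and "Implementation" passages above (not code from this proposal or from any ESSO product), the following Python models an Identity Repository, a Policy Repository and an Authorization Policy Decision Process that reuses one session across applications and writes every decision to an audit record. All repository layouts, field names and sample users are assumptions.

```python
"""Model of the ESSO architecture from Appendix A: Identity Repository,
Policy Repository and an Authorization Policy Decision Process that keeps
one session across applications and audits every decision.
Added illustration only; repository layouts and names are assumptions."""
from dataclasses import dataclass, field

# Identity Repository (constructed sample): the authoritative user profiles.
IDENTITY_REPOSITORY = {
    "jsmith": {"groups": {"finance", "staff"}, "enabled": True},
    "mlee":   {"groups": {"staff"},            "enabled": True},
    "tgone":  {"groups": {"finance"},          "enabled": False},  # left the company
}

# Policy Repository (constructed sample): per-application access controls.
# min_strength ranks the primary authenticator: 1 = password, 2 = smart card/token.
POLICY_REPOSITORY = {
    "PeopleSoft": {"require_group": "staff",   "min_strength": 1},
    "Hyperion":   {"require_group": "finance", "min_strength": 2},
}
AUTHENTICATOR_STRENGTH = {"password": 1, "smartcard": 2, "token": 2}


@dataclass
class Session:
    """One ESSO session: a single primary authentication, reused for every app."""
    user: str
    authenticator: str
    granted: set = field(default_factory=set)


class PolicyDecisionProcess:
    def __init__(self, identities, policies):
        self.identities = identities
        self.policies = policies
        self.audit_log = []  # access, decision and change records for reporting

    def authenticate(self, user, authenticator):
        """Primary sign-on: returns a Session, or None if the user may not sign on."""
        profile = self.identities.get(user)
        ok = bool(profile and profile["enabled"]) and authenticator in AUTHENTICATOR_STRENGTH
        self._audit("authenticate", user, None, ok,
                    "" if ok else "unknown, disabled or bad authenticator")
        return Session(user, authenticator) if ok else None

    def authorize(self, session, app):
        """Evaluate the app's policy against the user's access profile.
        The target application only ever sees the outcome, never the inputs."""
        policy = self.policies.get(app)
        profile = self.identities[session.user]
        if policy is None:
            ok, reason = False, "application not registered"
        elif policy["require_group"] not in profile["groups"]:
            ok, reason = False, "missing group " + policy["require_group"]
        elif AUTHENTICATOR_STRENGTH[session.authenticator] < policy["min_strength"]:
            ok, reason = False, "authenticator too weak for " + app
        else:
            ok, reason = True, ""
        if ok:
            session.granted.add(app)
        self._audit("authorize", session.user, app, ok, reason)
        return ok

    def _audit(self, action, user, app, ok, reason):
        self.audit_log.append({"action": action, "user": user, "app": app,
                               "result": "allow" if ok else "deny", "reason": reason})


if __name__ == "__main__":
    pdp = PolicyDecisionProcess(IDENTITY_REPOSITORY, POLICY_REPOSITORY)
    session = pdp.authenticate("jsmith", "password")
    for app in ("PeopleSoft", "Hyperion", "Rumba"):
        print(app, "->", "allow" if pdp.authorize(session, app) else "deny")
    for record in pdp.audit_log:
        print(record)
```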

Appendix B: Success Metric Calculation Assumptions

All 29,000 GLOCO users converted to ESSO using a phased development and deployment approach.

Helpdesk Cost: 29,000 users = 29,000 helpdesk calls per year per application x $30 industry average per trouble ticket = $870,000/yr/app

User Productivity Hrs (PW Expire/Reset Hrs): 29,000 users, 60-day PW reset policy, 60 seconds to reset, average 10 apps per user = 29,000 hrs

User Productivity Hrs (Acct/PW Lockout/Forgot Reset Hrs): 29,000 users, average 1 lockout/yr, average 10 minutes to reset PW, average 10 apps per user = 48,000 hrs

Software Development Time: 12-week RUP dev. project, 3 x 40 hrs/week, $40/hr = 1,440 development hrs (vs. w/ SSO) = $10,400/project

Appendix C: ISO Abstract [5]

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

- security policy
- organization of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development and maintenance
- information security incident management
- business continuity management
- compliance

The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

Appendix D: Gartner Magic Quadrant for Enterprise Single Sign-On

Appendix E: Gartner Market Scope Rating Framework

Strong Positive: Is viewed as a provider of strategic products, services or solutions.
- Customers: Continue with planned investments.
- Potential customers: Consider this vendor a strong choice for strategic investments.

Positive: Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance.
- Customers: Continue planned investments.
- Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.

Promising: Shows potential in specific areas; however, execution is inconsistent.
- Customers: Consider the short- and long-term impact of possible changes in status.
- Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.

Caution: Faces challenges in one or more areas.
- Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
- Potential customers: Account for the vendor's challenges as part of due diligence.

Strong Negative: Has difficulty responding to problems in multiple areas.
- Customers: Execute risk mitigation plans and contingency options.
- Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.

Appendix F: Oracle ESSO Suite Supported Software List

Operating System Versions Supported
- Microsoft Windows XP Professional SP3 (32-bit)
- Microsoft Windows Vista Business Edition SP1 (32-bit)
- Microsoft Windows 7 Enterprise Edition 32-bit and 64-bit
- Microsoft Windows Server 2008 R2 (32-bit and 64-bit), 2003 SP2 (32-bit and 64-bit)

Repository Versions Supported
- IBM DB2 Database
- IBM Tivoli Directory Server 5.2
- Microsoft Active Directory 2008, 2003, 2000
- Microsoft Active Directory Application Mode 2003 SP1
- Microsoft Active Directory Lightweight Directory Services 2008
- Microsoft SQL Server 2008, 2005
- Novell eDirectory 8.8 SP1
- Open LDAP Directory Server 2.4.x, 2.2
- Oracle Database Management System 10g
- Oracle Internet Directory
- Siemens DirX Directory 8.0
- Sun Java System Directory Server 6.3, 5.2

Web Server Version Supported
- Microsoft Internet Information Server 6.0 (required for Web Viewer), 5.1, 5.0

Browser Versions Supported
- Microsoft Internet Explorer 8, 7, 6 SP1
- Mozilla Firefox 3.5

Emulator Versions Supported
- Attachmate Extra! X-treme 8.0 SP1, 2000, 6.5, 6.4, 6.3
- Attachmate IRMA for the Mainframe 4.01, 4
- Attachmate myExtra! Presentation Services 7.1, 7.0
- Attachmate/WRQ Reflection 15.0, 14.0, 10.0, 9.0, 8.0, 7.0
- BOSaNOVA TCP/IP 6.0, 5.0
- Ericom PowerTerm Interconnect 9.1.0
- G&R Glink 6.0
- Hummingbird Exceed 11.0, 10.0, 9.0
- Hummingbird HostExplorer 11.0, 10.0, 9.0
- IBM WebSphere Host On-Demand 9.0, 8.0, 4.0
- IBM Personal Communications 5.8, 5.6, 5.5, 4.3
- Jolly Giant QWS3270 PLUS 4.4 SP5, 4.3 SP10
- NetManage NS/ElitePlus for Mainframe 3.12
- NetManage Rumba 7.5, 7.1, 6.0
- Newhart Systems BLUES
- PuTTY 0.60
- ScanPak (Eicon) Aviva 9.1, 9.0, 8.1
- Seagull BlueZone 4.0, 3.4
- Zephyr PASSPORT PC TO HOST 2005
- Zephyr PASSPORT WEB TO HOST 2005

Application Versions Supported
- Adobe Reader 9.1, 8.13, 6.0, 5.1, 5.05, 4.05
- AIM (AOL Instant Messenger) 6.9, 6.8, 5.5, 5.2
- Citrix ICA Client / Program Neighborhood 9.15, 9.0
- Entrust 7.0, 6.1, 6.0, 5.5, 5.0, Fix Pack 6
- Eudora 7.1, 6.1, 5.2, 5.1.1, 5.0.2, 4.2
- GoldMine 6.7, 6.5, 6.2, 5.7, 5.0
- ICQ 6.5.1, 2002a, 4.0
- Lotus Notes 8.0.1, 8.0, 6.5, 6.0, 5.0
- Lotus Organizer 6.1, 6.0, 5.0, 4.1
- Lotus Sametime 8.0.2, 8.0
- Meeting Maker 8.0, 7.3, 7.2, 7.1, 7.0, 6.0
- Microsoft FrontPage 2007, 2003, XP, 2000
- Microsoft Outlook 2007, 2003, XP, 2000
- Microsoft Word 2007, 2003, XP, 2000
- MSN Messenger 9.0, 7.5, 6.2, 5.0
- Novell Client 4.91 SP5, 4.91 SP4, 4.91 SP1, 4.90, 4.83
- Novell GroupWise 6.5, 6.0, 5.5
- Oracle 11g, 10g
- Oracle ESSO-LM Administrative Console
- PKZip 12.2, 12.1, 12.0, 11.2, 11.0, 10.0, 9.0, 8.0, 5.0
- QuickBooks Pro (Password-Only) 2009, 2004, 2003, 2002, 2000
- Sage ACT! 2009 (11.0), 6.0, 5.0, 4.0, 3.0
- Siebel Sales CRM 8.1.1, 5.0
- Skype 4.1
- Windows Logon 8.0
- WinZip 12.0, 11.2, 11.0, 10.0, 9.0, 8.1, 8.0, 7.0
- Yahoo! Messenger 9.0, 5.6, 5.5

Appendix G: Gartner Magic Quadrant for Identity Management System Vendors

Appendix H: Complete Listing of Standard Reports

Report Name: Description
- Account Reconciliation: Shows all Application User IDs stored by each ESSO User, the last time used, and the number of times used.
- Application Credentials Added: Shows all Application credentials added to ESSO by each ESSO User.
- Application Usage by User: Shows all Applications used, and the date/time each Application was last used by each ESSO User.
- Failed Authentication Events: Shows all failed authentication events for each ESSO User.
- First Time Use: Shows all ESSO Users that have successfully completed the SSO First Time Use wizard.
- Password Change: Shows the most recent date each Application password was changed for each ESSO User.
- Pause & Shutdown: Shows all events where users shut down or pause ESSO.
- Shared Application User IDs: Shows all instances where an Application User ID is the same for two or more different ESSO Users.
- User Activity: Shows all ESSO Users and the date and time they last used ESSO.
- User Credentials Provisioned: Shows all Application credentials added to SSO by each SSO User.

Additional custom reports can be created and added to the Reporting Administrative Console as necessary.
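To show what several of the standard reports above compute, the following Python is an added example (not part of the proposal and not the Oracle ESSO Reporting implementation) that runs the Account Reconciliation, Application Credentials Added, Failed Authentication Events, Shared Application User IDs, User Activity and Pause & Shutdown logic over a constructed sample of ESSO events. The event layout and field names are assumptions.

```python
"""Report logic for several of the standard reports listed in Appendix H,
run over a constructed ESSO event sample.
Added example; the event layout and field names are assumptions, not the
Oracle ESSO Reporting schema."""
from collections import defaultdict

# Constructed sample of ESSO product events, oldest first.
# Each record: (timestamp ISO-8601, esso_user, event, application, application_user_id)
# ISO-8601 timestamps in one fixed format compare correctly as strings.
EVENTS = [
    ("2011-03-01T08:02:00", "jsmith", "logon_success", "PeopleSoft", "jsmith"),
    ("2011-03-01T08:05:00", "jsmith", "logon_success", "Rumba", "JSMITH01"),
    ("2011-03-01T08:07:00", "mlee", "logon_failure", "PeopleSoft", "mlee"),
    ("2011-03-01T08:08:00", "mlee", "logon_failure", "PeopleSoft", "mlee"),
    ("2011-03-01T08:09:00", "mlee", "logon_success", "PeopleSoft", "mlee"),
    ("2011-03-01T09:00:00", "rpatel", "logon_success", "Hyperion", "finance_ro"),
    ("2011-03-01T09:30:00", "mlee", "logon_success", "Hyperion", "finance_ro"),
    ("2011-03-02T07:55:00", "jsmith", "logon_success", "PeopleSoft", "jsmith"),
    ("2011-03-02T08:00:00", "jsmith", "credential_added", "Outlook Web Access", "jsmith"),
    ("2011-03-02T10:15:00", "rpatel", "pause", "", ""),
]


def account_reconciliation(events):
    """Account Reconciliation: per ESSO user, each Application User ID stored,
    the last time it was used and the number of times used."""
    rows = {}
    for ts, user, event, app, app_id in events:
        if event == "logon_success":
            last, count = rows.get((user, app, app_id), ("", 0))
            rows[(user, app, app_id)] = (max(last, ts), count + 1)
    return rows


def application_credentials_added(events):
    """Application Credentials Added: credentials each ESSO user added to ESSO."""
    out = defaultdict(list)
    for ts, user, event, app, app_id in events:
        if event == "credential_added":
            out[user].append((ts, app, app_id))
    return dict(out)


def failed_authentication_events(events):
    """Failed Authentication Events: every failed logon, grouped by ESSO user."""
    out = defaultdict(list)
    for ts, user, event, app, _ in events:
        if event == "logon_failure":
            out[user].append((ts, app))
    return dict(out)


def shared_application_user_ids(events):
    """Shared Application User IDs: an application account used by two or more
    different ESSO users, the shared-credential finding an auditor reviews."""
    users = defaultdict(set)
    for _, user, event, app, app_id in events:
        if event == "logon_success":
            users[(app, app_id)].add(user)
    return {acct: sorted(u) for acct, u in users.items() if len(u) >= 2}


def user_activity(events):
    """User Activity: every ESSO user and when they last used ESSO (any event)."""
    last_seen = {}
    for ts, user, _, _, _ in events:
        last_seen[user] = max(last_seen.get(user, ""), ts)
    return last_seen


def pause_and_shutdown(events):
    """Pause & Shutdown: events where a user paused or shut down ESSO."""
    return [(ts, user, event) for ts, user, event, _, _ in events
            if event in ("pause", "shutdown")]


if __name__ == "__main__":
    for name, report in [("Account Reconciliation", account_reconciliation),
                         ("Failed Authentication Events", failed_authentication_events),
                         ("Shared Application User IDs", shared_application_user_ids),
                         ("User Activity", user_activity)]:
        print(name, report(EVENTS))
```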

Appendix I: ESSO Integration Matrix Summary

Oracle ESSO-Anywhere (ESSO-A)
Dependent/integrated components: 1) ESSO-Anywhere Console; 2) ESSO-Admin Console; 3) ESSO-LM.
Prerequisite operating system, system, software: Microsoft Windows 2000; Microsoft Windows XP; Microsoft Windows Server (03); Microsoft Vista. Disk space: 5 MB; Microsoft .NET Framework: 20 MB; Microsoft Win Installer: 20 MB; Processor: 1 GHz, 256 MB RAM. Windows Installer 3.0; Microsoft .NET Framework 2.0; Microsoft IIS (5.0, 6.0); Visual C++ Runtime.
Comments: Function: deploy ESSO-LM, ESSO-AM and SSO-PG to end users without administrator intervention. Integration: The admin configures locally, creates a deployment package, and then distributes it by means of a Web server or file share. Users can then download ESSO-Anywhere and perform the installation with certainty that the configuration is exactly as it should be.

Oracle ESSO-Provisioning Gateway (PG)
Dependent/integrated components: 1) ESSO-LM.
Prerequisite operating system, system, software: Microsoft Windows 2000 Server; Microsoft Win Server (03) Family. Disc space (MB): 25 min, 50 temp, 2 MB runtime expansion; Microsoft .NET Framework: 20 MB; RAM: 256 MB, recommended 512 MB; Processor: 1 GHz, recommended 2.0 GHz. Microsoft .NET Framework 2.0; Microsoft IIS (5.0, 6.0); Microsoft Web Services EI 3.0; Directory (IBM, MSAD, Oracle, etc.); Microsoft SQL Server (00, 05); Browsers: IE, Firefox; Certificate: X.509 cert for SSL.
Comments: Function: Enables an administrator to automatically provision ESSO-LM with a user's ID and password by using a provisioning system. Integration: An administrator is able to add, modify, and delete IDs and passwords for particular applications within the provisioning system and have the changes reflected in ESSO-LM.

Oracle ESSO-Logon Manager (LM)
Dependent/integrated components: 1) ESSO-Admin Console; 2) Client Agents.
Prerequisite operating system, system, software: Microsoft Windows 2000; Microsoft Windows XP Prof; Microsoft Windows Server (03, 08); Microsoft Vista. Disc space (MB): 40 min, 40 temp, 2 MB/user runtime expansion; Microsoft Win Installer: 20 MB; Microsoft .NET Framework: 20 MB; Microsoft Visual C++ (08): 6 MB; RAM: 256 MB, recommended 512 MB; Processor: 1 GHz, recommended 1.6 GHz. Microsoft .NET Framework 2.0; Windows Installer 3.1; Directory (IBM, MSAD, Oracle, etc.); Browser: IE, Firefox.
Comments: Function: Enables users to log onto most or all of their applications with a single password. Integration: Supports any type of user authentication from passwords to smart cards, and can store user credentials and its own system settings and policies in any LDAP directory or one of several SQL databases. The admin console simplifies administration by automatically recognizing and configuring applications for sign-on with minimal effort by the administrator. Some scripting and custom coding will apply for difficult apps.

Oracle ESSO-Password Reset (PR)
Dependent/integrated components: 1) ESSO-LM.
Prerequisite operating system, system, software: Microsoft Windows 2000; Microsoft Win XP (client only); Microsoft Windows Server (03); Microsoft Vista (client only). Disc space (MB): 10 min, 15 temp; Microsoft .NET Framework: 20 MB; RAM: 512 MB; Processor: 1.6 GHz. Microsoft .NET Framework 2.0; Microsoft IIS (5.0, 6.0); Directory: (MSAD, Oracle, MSSQL); Browser: IE (6.0, 7.0).
Comments: Function: Delivers a secure, easy-to-use and easy-to-administer self-service password-reset solution for the Windows password. Integration: Enables workstation users to reset their own Windows domain passwords without the intervention of administrative or help-desk personnel. It provides end users with an alternative means of authenticating themselves by taking a quiz comprising a series of passphrase questions.

Oracle ESSO-Access Manager (AM)
Dependent/integrated components: 1) ESSO-LM.
Prerequisite operating system, system, software: Microsoft Windows 2000; Microsoft Win XP; Microsoft Windows Server (03). Disc space (MB): 15 min, 30 temp, 20 MB runtime expansion; Microsoft Win Installer: 20 MB; Microsoft .NET Framework: 20 MB; Authenticator software. Windows Installer 2.0; Microsoft .NET Framework 2.0.
Comments: Function: Adds the capability to enable multiple logon methods to authenticate the user (LDAP and Windows Logon, or stronger: smart cards, proximity devices, and tokens). Integration: Enables organizations to seamlessly bridge strong authentication to all of their apps, including smart cards, biometrics, and Entrust authenticators. Users can employ different authenticators at different times, and app access can be controlled based upon the authenticator.

Oracle ESSO-Reporting (RPT)
Dependent/integrated components: 1) Reporting Admin Console; 2) Oracle ESSO Product Events.
Prerequisite operating system, system, software: Microsoft Win Server (03, 08). Disc space (MB): 17 min, 64 temp, 256 runtime expansion; Microsoft Win Installer: 20 MB; RAM: 512 MB, Processor: 1 GHz; recommended: 2 GB RAM, 2 GHz processor. Microsoft .NET Framework 3.5 SP1; Windows Installer 3.1; DB: Microsoft SQL Server (05, 08); Web server: Microsoft IIS (6.0, 7.0); Browser: IE, Firefox.
Comments: Function: Create reports to leverage all data and events that routinely take place in the day-to-day usage of the ESSO Suite. Integration: The Web-based administrative console accesses the SQL database and generates reports using the event records.

Appendix J: Software Demonstration for Scenario 1

Appendix K: Software Demonstration for Scenario 2

Appendix L: Software Demonstration for Scenario 3

Appendix M: Software Demonstration for Scenario 4

Appendix N: Complete Oracle Identity Management Solution

Appendix O: Testing Criteria

Entry Criteria for Unit and System Integration Testing Phase
1. All project artifacts (i.e. Business Requirements document, Functional Specification document, etc.) have been reviewed and approved by the project stakeholders.
2. The Unit and System Integration Quality Assurance plan has been reviewed and approved by the project stakeholders.
3. The change management / issue tracking tool and process have been put in place.
4. All custom code is completed.
5. All hardware and software requirements specified in the technical specification have been satisfied (installed and configured in the test environment).

Exit Criteria for Unit and System Integration Testing Phase
1. All Unit and System Integration test cases have been executed.
2. There are no missing features: all features have been coded, configured and installed.
3. All issues discovered during the testing phase have been logged, reviewed and prioritized in an Issue Triage meeting run by the development team, QA team and business team.
4. Appropriate project artifacts (test plans, test cases, QA sign-off, development team sign-off documents) are updated accurately and communicated to the larger project group.
5. Stress, performance, and load tests have been satisfactorily conducted.

Entry Criteria for Regression Testing and UAT Phases
1. Exit criteria for the Unit and System Integration testing phase have been met.
2. All Priority 1 defects have been fixed.
3. All hardware and software requirements specified in the technical specification have been satisfied (installed and configured in the test environment).
4. The ICT QA team has performed and signed off a sanity test of the environment.

Exit Criteria for Regression Testing and UAT Phase
1. All Regression and UAT test cases have been executed.
2. UAT has been completed and approved by business users.
3. Regression testing discovers no negative impact on GLOCO's current application functionality.
4. Appropriate project artifacts are updated accurately and communicated to the project group.

Entry Criteria for Production Release
1. The Regression and UAT testing phase has been completed and approved.
2. All Priority 1 defects have been fixed and known defects have been properly documented.
3. Migration package documentation has been completed, reviewed, and approved by the project team.
4. The Production Day Deployment plan has been created and circulated by the project manager to all parties involved in the deployment.
5. The production check-out test plan has been created and circulated by the QA manager to all parties involved in the deployment.
6. A roll-back plan has been developed by the support and development team.

Appendix P: Work Breakdown Structure

Work Breakdown Structure. Project: GLOCO ESSO+ Project. Updated 4/11/2011.
Columns in the original: ID, Type, Name, ESSO Project Phase, Start Date, Finish Date, Duration (Cal Days), Variance, Comments.

ID | Type | Name | Phase | Start Date | Finish Date
1000 | P | Project Inception |  | 6/13/2011 | 7/8/2011
 | A | Planning/Objectives |  | 6/13/2011 | 6/30/2011
 | A | Develop Project Charter |  | 6/13/2011 | 6/20/2011
 | A | Develop Business Requirements |  | 6/20/2011 | 7/5/2011
 | A | Develop Project Plan |  | 6/20/2011 | 7/8/2011
 | A | Setup Hardware Requirements |  | 6/20/2011 | 6/30/2011
 | M | Project Charter Sign-Off |  | 6/20/2011 | 6/20/2011
 | M | Project Business Requirements Sign-Off |  | 7/5/2011 | 7/5/2011
 | M | Project Plan Sign-Off |  | 7/8/2011 | 7/8/2011
 | P | Elaboration - Phase 1 | 1 | 7/5/2011 | 8/8/2011
 | A | Elaboration Management | 1 | 7/5/2011 | 8/8/2011
 | T | Project Mgmt | 1 | 7/5/2011 | 8/8/2011
 | T | Incident, Change & Release Mgmt | 1 | 7/5/2011 | 8/8/2011
 | A | Component Architectural Overview | 1 | 7/5/2011 | 8/9/2011
 | T | Admin Console Overview | 1 | 7/5/2011 | 7/6/2011
 | T | Provisioning Gateway Overview | 1 | 7/11/2011 | 7/12/2011
 | T | Reporting Overview | 1 | 7/18/2011 | 7/19/2011
 | T | Password Reset Overview | 1 | 7/25/2011 | 7/26/2011
 | T | Anywhere Overview | 1 | 8/8/2011 | 8/9/2011
 | T | Logon Mgr Agent Overview | 1 | 8/8/2011 | 8/9/2011
 | A | Validate Component OS, Software, System Requirements | 1 | 7/5/2011 | 8/8/2011
2305 | T | Admin Console Requirements | 1 | 7/5/2011 | 7/5/2011
 | T | Provisioning Gateway Requirements | 1 | 7/11/2011 | 7/11/2011
 | T | Reporting Requirements | 1 | 7/18/2011 | 7/18/2011
 | T | Password Reset Requirements | 1 | 7/25/2011 | 7/25/2011
 | T | Anywhere Requirements | 1 | 8/8/2011 | 8/8/2011
 | T | Logon Mgr Agent Requirements | 1 | 8/8/2011 | 8/8/2011
 | A | Review Application/System Integration Requirements | 1 | 7/5/2011 | 8/8/2011
2405 | T | Admin Console Integration Requirements | 1 | 7/5/2011 | 7/5/2011
 | T | Provisioning Gateway Integration Requirements | 1 | 7/11/2011 | 7/11/2011
2415 | T | Reporting Integration Requirements | 1 | 7/18/2011 | 7/18/2011
 | T | Password Reset Integration Requirements | 1 | 7/25/2011 | 7/25/2011
2425 | T | Anywhere Integration Requirements | 1 | 8/8/2011 | 8/8/2011
 | T | Logon Mgr Agent Integration Requirements | 1 | 8/8/2011 | 8/8/2011
 | M | Component Pre-Implementation Sign-Off | 1 | 7/5/2011 | 8/8/2011
 | P | Transition - Phase 1 | 1 | 7/7/2011 | 9/9/2011
 | A | Transition Management | 1 | 7/7/2011 | 9/9/2011
 | T | Project Mgmt | 1 | 7/7/2011 | 9/9/2011
 | T | Incident, Change & Release Mgmt | 1 | 7/7/2011 | 9/9/2011
 | A | Install ESSO+ Component - DEV | 1 | 7/7/2011 | 8/11/2011
 | T | Install Admin Console | 1 | 7/7/2011 | 7/8/2011
 | T | Install Provisioning Gateway | 1 | 7/13/2011 | 7/14/2011
 | T | Install Reporting | 1 | 7/20/2011 | 7/21/2011
 | T | Install Password Reset | 1 | 7/27/2011 | 7/28/2011
 | T | Install Anywhere | 1 | 8/10/2011 | 8/11/2011
 | T | Install Logon Mgr Agent | 1 | 8/10/2011 | 8/11/2011
 | A | Component Configuration - DEV | 1 | 7/11/2011 | 8/1/2011
 | T | Rules Engines | 1 | 7/11/2011 | 7/13/2011
 | T | Directory GUI Hierarchies | 1 | 7/11/2011 | 7/13/2011
 | T | Synching Settings/Schedules | 1 | 7/11/2011 | 7/12/2011
3320 | T | Role/Group Access Features | 1 | 7/11/2011 | 7/13/2011
 | T | Server URL Additions | 1 | 7/11/2011 | 7/11/2011
 | T | Provisioning | 1 | 7/15/2011 | 7/18/2011
 | T | Report Templates/Scheduling/Transmissions | 1 | 7/22/2011 | 7/25/2011
 | T | Password Reset Enrollment Settings | 1 | 7/29/2011 | 8/1/2011
 | A | Execute Endpoint Connections - DEV | 1 | 7/12/2011 | 7/13/2011
 | T | Rumba | 1 | 7/12/2011 | 7/13/2011
 | T | PeopleSoft | 1 | 7/12/2011 | 7/13/2011
 | T | Outlook Web Access | 1 | 7/12/2011 | 7/13/2011
 | T | Hyperion | 1 | 7/12/2011 | 7/13/2011
 | A | Perform Custom Coding/Scripting - DEV | 1 | 7/14/2011 | 7/29/2011
 | T | Rich Interface Application (RIA) Features | 1 | 7/14/2011 | 7/19/2011
 | T | Special Management/Security Audit Reporting | 1 | 7/22/2011 | 7/29/2011
3600 | A | Perform Component Unit/Integration Testing - DEV | 1 | 7/14/2011 | 8/19/2011
3610 | T | Test Component Install, Integration, Configuration | 1 | 7/14/2011 | 8/22/2011
3611 | T | Admin Console Install, Integration, Configuration | 1 | 7/14/2011 | 7/18/2011
3612 | T | Provisioning Gateway Install, Integration, Configuration | 1 | 7/21/2011 | 7/25/2011
3613 | T | Reporting Install, Integration, Configuration | 1 | 7/28/2011 | 8/1/2011
 | T | Password Reset Install, Integration, Configuration | 1 | 8/4/2011 | 8/8/2011
 | T | Anywhere Install, Integration, Configuration | 1 | 8/17/2011 | 8/22/2011
 | T | Logon Mgr Agent Install, Integration, Configuration | 1 | 8/17/2011 | 8/22/2011
 | T | Test Backup/Restore | 1 | 8/1/2011 | 8/5/2011
 | T | Test Custom Coding/Scripting | 1 | 8/1/2011 | 8/5/2011
 | T | Test Load Balancing | 1 | 8/15/2011 | 8/19/2011
 | A | Perform Component User Acceptance Testing - DEV | 1 | 7/18/2011 | 8/26/2011
3705 | T | Admin Console | 1 | 7/18/2011 | 7/22/2011
 | T | Provisioning Gateway | 1 | 7/25/2011 | 7/29/2011
 | T | Reporting | 1 | 8/1/2011 | 8/5/2011
 | T | Password Reset | 1 | 8/8/2011 | 8/12/2011
 | T | Anywhere | 1 | 8/22/2011 | 8/26/2011
 | T | Logon Mgr Agent | 1 | 8/22/2011 | 8/26/2011
 | A | Perform Regression Testing - DEV | 1 | 8/15/2011 | 8/26/2011
 | A | Perform Component Demo, Training & Adoption Assistance | 1 | 8/15/2011 | 8/26/2011
 | T | Admin Console | 1 | 8/15/2011 | 8/26/2011
 | T | Anywhere Deployment | 1 | 8/15/2011 | 8/26/2011
 | T | Logon User Download | 1 | 8/15/2011 | 8/26/2011
 | T | User Logon Agent Setup | 1 | 8/15/2011 | 8/26/2011
 | T | Logon User Adoption | 1 | 8/15/2011 | 8/26/2011
 | T | Reporting Console | 1 | 8/15/2011 | 8/26/2011
 | T | Reporting User Adoption | 1 | 8/15/2011 | 8/26/2011
 | T | Password Reset Functions | 1 | 8/15/2011 | 8/26/2011
 | T | Password Reset Adoption | 1 | 8/15/2011 | 8/26/2011
 | M | Components Testing/Implementation - DEV Sign-off | 1 | 8/26/2011 | 8/26/2011
3970 | M | Production Migration Authorization | 1 | 8/26/2011 | 8/26/2011
 | A | Production Migration | 1 | 8/29/2011 | 9/9/2011
 | T | Migration Preparation | 1 | 8/29/2011 | 9/2/2011
 | T | Migration Weekend | 1 | 9/3/2011 | 9/4/2011
 | M | Production Migration Stabilization Evaluation Period | 1 | 9/5/2011 | 9/9/2011
4000 | P | Phase 1 Closure | 1 | 9/5/2011 | 9/9/2011
 | A | Validate All Phase Open Items & Documentation are Complete | 1 | 9/5/2011 | 9/9/2011
 | A | Phase Evaluation, Learning, Documentation | 1 | 9/5/2011 | 9/9/2011
4300 | A | Operational Hand-Off | 1 | 9/5/2011 | 9/9/2011
 | A | Phase Closure Meeting | 1 | 9/9/2011 | 9/9/2011
 | M | Phase Sign-Off | 1 | 9/9/2011 | 9/9/2011
 | P | Elaboration - Phase 2 | 2 | 8/29/2011 | 9/7/2011
 | A | Elaboration Management | 2 | 8/29/2011 | 9/7/2011
 | A | Reporting Enhancement Overview | 2 | 8/29/2011 | 8/31/2011
 | A | Additional Roll Out Overview | 2 | 9/5/2011 | 9/7/2011
 | P | Transition - Phase 2 | 2 | 9/1/2011 | 9/21/2011
 | A | Transition Management | 2 | 9/1/2011 | 9/21/2011
 | A | Reporting Enhancement Configuration - DEV | 2 | 9/1/2011 | 9/5/2011
 | A | Reporting Enhancement Custom Coding/Scripting | 2 | 9/1/2011 | 9/6/2011
6130 | A | Reporting Enhancement Unit Testing | 2 | 9/5/2011 | 9/6/2011
 | A | Reporting Enhancement User Acceptance Testing | 2 | 9/6/2011 | 9/9/2011
6150 | M | Reporting Enhancement Sign-off | 2 | 9/9/2011 | 9/9/2011
 | A | Reporting Enhancement Prod Migration | 2 | 9/12/2011 | 9/12/2011
 | A | Logon User Download | 2 | 9/8/2011 | 9/21/2011
 | A | Logon Agent Set Up | 2 | 9/8/2011 | 9/21/2011
 | A | Logon Agent Demo, Training & Adoption Assistance | 2 | 9/8/2011 | 9/21/2011
7000 | P | Phase 2 Closure | 2 | 9/16/2011 | 9/21/2011
 | P | Elaboration - Phase 3 | 3 | 9/13/2011 | 9/15/2011
 | A | Elaboration Management | 3 | 9/13/2011 | 9/15/2011
 | A | Additional Target Applications Overview | 3 | 9/13/2011 | 9/15/2011
 | P | Transition - Phase 3 | 3 | 9/16/2011 | 10/1/2011
 | A | Transition Management | 3 | 9/16/2011 | 10/1/2011
 | A | Additional App Endpoint Connections - DEV | 3 | 9/16/2011 | 9/21/2011
 | A | Custom Coding/Scripting | 3 | 9/16/2011 | 9/21/2011
 | A | Additional App Unit Testing | 3 | 9/22/2011 | 9/23/2011
 | A | Additional App User Acceptance Testing | 3 | 9/26/2011 | 9/30/2011
 | M | Additional App Sign-off | 3 | 9/30/2011 | 9/30/2011
 | A | Additional App Prod Migration | 3 | 10/1/2011 | 10/1/2011
 | P | Phase 3 Closure | 3 | 10/1/2011 | 10/1/2011
 | P | PILOT Closure |  | 9/26/2011 | 10/1/2011
 | A | Validate All Open Items & Documentation are Complete |  | 9/26/2011 | 10/1/2011
 | A | Project Closure Meeting |  | 9/26/2011 | 10/1/2011
 | A | Full Operational Hand-Off |  | 9/26/2011 | 10/1/2011
 | A | Project Evaluation |  | 9/26/2011 | 10/1/2011
 | M | Pilot Sign-Off |  | 10/1/2011 | 10/1/2011

Appendix Q: Evaluation Questionnaire

Which types of users access this system: employees, contractors, consultants, temps, customers, business partners, research partners, vendors and others?
What is the quality of the user data in the system?
How mission critical is the data in the system?
How mission critical is the application to GLOCO's daily business operations?
How sensitive is the data in the system?
What is the current authentication mechanism for this application?
Where does this system reside in your network infrastructure?
Is there a lag time before modifications reach the authorization mechanisms for the application?
What is the mechanism for synchronization, and how long does it take for a change to user data to make its way to the enterprise LDAP directory/directories or other authoritative sources?
Is there one enterprise LDAP directory for the SSO, or are there multiple authoritative sources?
If multiple authoritative sources exist, what is the synchronization strategy between the directory (directories) and the authoritative source?
What is the time lag between a change in an authoritative source and its arrival in the enterprise directory feeding the SSO system?
What are the existing mechanisms for account additions, modifications and deletions?
How often are user accounts updated or modified?
If roles are used:
  o What is the number of roles the enterprise has?
  o What is the frequency of change to user roles?
  o What are the human resources business processes for picking up role changes and populating them into the HRMS and then the enterprise LDAP directory?
  o What is the time lag between a role change and the update into the enterprise LDAP?
  o What are the privileges assigned to the roles?
  o What is the management system that maps the privileges to the roles?
  o How frequently do privileges change for a given role?
  o How fast do role privilege changes make their way into the role-based management system?
Does the enterprise have a set of authentication strength policies in place? If so, are they documented, and what are they?
What action is required after a successful authentication?
What identity attributes are returned from the enterprise LDAP directory to the application, portal or resource?
What are the SSO actions for an unsuccessful authentication?
Are there environment policies set up for each environment such that the application owner understands what is acceptable and what isn't?
What is the current volume of active users for this application?
What is the peak count of concurrent users on the application?
What is the geographic distribution of the application?
What is the network location and distribution of the application?
Are there additional applications that interface with this application?
Are there additional applications within the corporate environment that serve the same business function (redundant) as this application?
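The synchronization-lag questions in this questionnaire (how long a change in the authoritative source takes to reach the enterprise LDAP directory that feeds the SSO system) are better answered with measured data than with estimates, because the lag is also the window in which a terminated user can still sign on through ESSO. The Python script below is an added example, not part of the GLOCO proposal or of any vendor product; it assumes two exports you can usually obtain: HR change events with an effective timestamp, and the matching directory entries' modifyTimestamp and decoded account-disabled status. All sample records are constructed.

```python
"""Directory propagation-lag check for an SSO onboarding assessment.

Added example, not part of the GLOCO proposal. Inputs are assumed to be an HR
change-event export and the LDAP modifyTimestamp / disabled status of the
matching entries; the sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Optional

# LDAP generalizedTime as most directories write it, e.g. 20110912081500Z
LDAP_TIME_FMT = "%Y%m%d%H%M%SZ"


@dataclass(frozen=True)
class HrEvent:
    uid: str
    action: str             # "hire", "role_change" or "terminate"
    effective_at: datetime  # when the authoritative source recorded the change


@dataclass(frozen=True)
class DirectoryEntry:
    uid: str
    modify_timestamp: str   # raw modifyTimestamp attribute value
    disabled: bool          # account lock flag, already decoded from the directory


def parse_ldap_time(value: str) -> datetime:
    """Parse a generalizedTime value with a trailing Z into an aware UTC datetime."""
    return datetime.strptime(value, LDAP_TIME_FMT).replace(tzinfo=timezone.utc)


def propagation_lags(events: List[HrEvent],
                     entries: List[DirectoryEntry]) -> Dict[str, Optional[float]]:
    """Seconds between each HR change and the directory's last modification.

    None means the change has not reached the directory yet: the entry is
    missing or its modifyTimestamp predates the HR event.
    """
    by_uid = {e.uid: e for e in entries}
    lags: Dict[str, Optional[float]] = {}
    for ev in events:
        entry = by_uid.get(ev.uid)
        if entry is None:
            lags[ev.uid] = None
            continue
        modified = parse_ldap_time(entry.modify_timestamp)
        lags[ev.uid] = ((modified - ev.effective_at).total_seconds()
                        if modified >= ev.effective_at else None)
    return lags


def stale_terminations(events: List[HrEvent], entries: List[DirectoryEntry],
                       now: datetime, max_lag: timedelta = timedelta(hours=1)) -> List[str]:
    """Terminated users whose directory entry is still enabled past max_lag.

    Each uid returned is an identity that can still authenticate through SSO;
    an entry that has already been deleted cannot, so it is not flagged.
    """
    by_uid = {e.uid: e for e in entries}
    stale = []
    for ev in events:
        if ev.action != "terminate":
            continue
        entry = by_uid.get(ev.uid)
        still_enabled = entry is not None and not entry.disabled
        if still_enabled and now - ev.effective_at > max_lag:
            stale.append(ev.uid)
    return stale


def lag_summary(lags: Dict[str, Optional[float]]) -> Dict[str, Optional[float]]:
    """Count measured vs. pending changes and report the worst and median lag."""
    measured = sorted(v for v in lags.values() if v is not None)
    pending = sum(1 for v in lags.values() if v is None)
    return {
        "measured": len(measured),
        "pending": pending,
        "max_seconds": measured[-1] if measured else None,
        "median_seconds": median(measured) if measured else None,
    }


def _t(hour: int, minute: int) -> datetime:
    return datetime(2011, 9, 12, hour, minute, tzinfo=timezone.utc)


# Constructed sample: four HR changes on 12 Sep 2011, directory snapshot at 16:00 UTC.
SAMPLE_EVENTS = [
    HrEvent("jdoe", "hire", _t(8, 0)),
    HrEvent("asmith", "role_change", _t(9, 30)),
    HrEvent("bjones", "terminate", _t(10, 0)),
    HrEvent("cwong", "terminate", _t(15, 45)),
]
SAMPLE_ENTRIES = [
    DirectoryEntry("jdoe", "20110912081500Z", disabled=False),    # propagated in 15 min
    DirectoryEntry("asmith", "20110912120000Z", disabled=False),  # propagated in 2.5 h
    DirectoryEntry("bjones", "20110911170000Z", disabled=False),  # untouched since termination
    DirectoryEntry("cwong", "20110912155000Z", disabled=True),    # disabled within 5 min
]
SAMPLE_NOW = _t(16, 0)


def run_assessment(events=SAMPLE_EVENTS, entries=SAMPLE_ENTRIES, now=SAMPLE_NOW):
    """Return (lag summary, terminated-but-still-enabled uids) for one snapshot."""
    lags = propagation_lags(events, entries)
    return lag_summary(lags), stale_terminations(events, entries, now)


if __name__ == "__main__":
    summary, stale = run_assessment()
    print("lag summary:", summary)
    print("terminated but still enabled:", stale)
```

Run it against a real export of the day's HR events and a directory search returning uid, modifyTimestamp and the lock attribute; the median answers the questionnaire's lag question, the maximum and the stale list tell you whether the lag is acceptable for an SSO system that will honour whatever the directory says.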

Appendix R: ESSO+ Timeline

End Notes

1 Image source:
Image source: Code=200386&ref=docDisplay


More information

Microsoft Enterprise Project Management (EPM) Solution

Microsoft Enterprise Project Management (EPM) Solution Microsoft Enterprise Project Management (EPM) Solution Enterprise Project Management (EPM) Solution Version Comparison The Microsoft Enterprise Project Management (EPM) Solution ensures organizations select

More information