IAM EXECUTIVE STATUS DASHBOARD | Nov. 21, 2014
KEY
NO SIGNIFICANT CONCERNS
SIGNIFICANT CONCERNS/RISKS; NEEDS IMMEDIATE ATTENTION
RISKS IDENTIFIED; MITIGATION FEASIBLE AND UNDER REVIEW
MAJOR RISKS TO DELIVERABLES/MILESTONES; NO PLAN YET
PROGRAM NARRATIVE
Accomplishments include official Bronze certification from InCommon; completion of identity APIs in support of the SIS strategic initiative and Alumni provisioning; and delivery of a finalized Alumni data model. Additional effort to complete HMS provisioning has been identified; see right for details. IAM analysts will assist HMS with discovery while shifting IAM developer focus to FAS onboarding. Upon completing PI-1, the team met Nov. 20 to begin planning the next 12-week effort, which will focus on continuing Alumni provisioning and beginning analysis and implementation for FAS provisioning.
EXECUTIVE ATTENTION NEEDED
Issue: HMS provisioning requirements and business rules require additional research.
Description: Additional analysis and exploration are required to properly understand the HMS provisioning codebase.
Mitigation: In partnership with HMS, IAM will provide additional technical analysts to work in conjunction with HMS teams to review the current HMS codebase and document requirements for SailPoint IIQ provisioning. The additional effort is projected to take 3-4 months.
CRITICAL SUCCESS FACTORS
Executive Sponsorship
Transition Planning
Budget Planning
• Executive Committee to review and consider proposed changes to the IAM Program Plan for the Provisioning project
• Program has joined TIER and has committed to active participation in evolving identity and access management practices for the higher-ed community
• PI-1 demo scheduled for 10 a.m. Dec. 2
• Interviews and knowledge transfer with cross-functional team to inform new release and transition process
• Quick win: Release calendar that announces upcoming events via email
• Signing SOW by Dec. 1 with El El See to consult on DevOps in the cloud
• Identified $25,000 to participate in TIER for the next three calendar years
Resource Planning
Community & School Engagement
Cross-Program Collaboration
• New staff: Matt Mazer (Transition Manager), Usman Mutawakil (Associate Software Engineer)
• Final state of candidate selection for QA position
• Continued work with PIN3 web gate owners to meet Dec. 22 migration deadline
• Initiated periodic IAM program email updates to stakeholders (via Salesforce)
• HMS requirements gathering underway; discovery meetings being held with HSPH, HLS, and HKS
• Schedule for SEAS O365 migration defined, with work underway
• Revived bimonthly cross-program planning meetings with Collaboration
• With UC, developing a joint plan to onboard FAS into O365
PROJECT PLAN SUMMARY, STATUS, AND MILESTONES
KEY
RELEASE COMPLETED
UNDER DEVELOPMENT
NOT STARTED
PROGRAM | PROJECT STATUS | NEAR-TERM MILESTONES
Provisioning
On track to complete Alumni commitment for PI-1: Database changes and data migration method definition.
Jan: Improve experience for IIQ-provisioned end users by providing self-service portal for completing onboarding and setting account passwords.
Feb: Improve experience for IIQ-provisioned end users by giving them the ability to change and reset passwords.
One-Way Fed
No near-term milestones.
No near-term milestones.
Dec: Decommission PIN3 to improve user experience, simplify support, and save costs.
Feb: Support Alumni user authentication.
SIS Wave 0 release completed; SIS team can now use IAM API to read and write user data.
July: Enable SIS to benefit from IAM data by granting data access in production.
July: Make authorization admin tasks easier by enabling creation of user groups.
External Directories
No near-term milestones.
No near-term milestones.
Expanded Provisioning
FIM/IdDB sync for HMS O365 migration in final P-1 (stage) testing; will move to prod at end PI-1.
No near-term milestones.
On track to complete POC for IdDB in the cloud by end PI-1, and deploy a new Harvard LDAP to P-1 environment for IAM team use.
Feb: Move LDAP to the cloud, saving costs and improving performance.
Feb: Migrate PIN to the cloud, keeping it current with other IAM infrastructure improvements while reducing costs.
All customers scheduled to move off PIN3 by end 2014: 52% already retired.
No near-term milestones.
July: Reduce the risk profile for all users by truncating SSN, ensuring that this PII is no longer stored in places where it is not absolutely needed.
PIN/AD Credential Management
No near-term milestones.
Identity Access Governance
No near-term milestones.
Alumni
App Portal
Cloud Migration
Feb: Boost convenience for HUIT dev teams that interact with IAM data by providing a data-layer web service interface that supports searching, user create/update, and a variety of read operations.
Authorization Enhancements
Foundation
Waveset
SIS team working with v.1 of FindPerson API; on track to begin use in Production Nov. 22.
Authentication Enhancements
Expansion (Office 365)
Jan: Maintain InCommon Bronze certification by improving the encryption level for Harvard’s IdP.
Directory Services
Readiness
InCommon Bronze self-certification application approved, with team committed to enhancements required to maintain certification.
Federation
[Timeline chart: 2014 to 2017, by quarter and month. Items shown:]
Sponsored Account Self-Service
Identity Analytics & Risk Assessment
Expand Provisioning Targets
Decommission Waveset
idP Functionality for New Targets
InCommon Bronze Self-Certification Preparation (AD, PIN/CAS)
Automation of Internal Partner Configuration
External Partner
Enhanced idP Functionality for Privacy
Federation for Hospitals
New Cloud LDAP (HU and AUTH LDAP)
LDAP Functional Enhancement
LDAP Attribute Expansion
Decommission FAS AD
AD Migration (FAS/Central)
Identity APIs
LDAP Security Update
Application Registration
FIM Replacement for O365
idP Functionality Expansion
Account Claiming Self-Service
LDAP Updates (HU/Auth)
UUID Enhancement
Dev Sandbox Release
Federation Updates
Application Usage Statistics
IAM Reference Implementations
OWF Onboarding for HBS
Program-Level KPI Reporting
IAM Service Usage & Access Reporting
IAM External-Facing Website
Metric Dashboard
School-Level KPI Reporting
Refine Privacy Protocols
SSN Truncation
Business Intelligence Tool Set
Decommission PIN3
Identity Proofing
CAS Bridge
Adaptive Access
Multifactor Authentication
SIS Wave 0
Bring Your Own Identity
Connections Update
Expand Groups
Coarse-Grained Authorization
Expose LDAP Directory Data
Yellow Pages Improvements
Connections UI Improvements
FIM Support
New Cloud LDAP
Connections Migration
Desktop & Mobile Native Applications
SIS Wave 2
Group Management
Cloud Architectural Reference Model
Automated Alerting and Monitoring
Retire Old LDAP
Authenticable Credentials for Machines
PIN/CAS Migration
IdDB Migration and Database Export/View Migration
Phonebook & Public LDAP Cloud Migration
Self Service Migration
MIDAS Migration
SailPoint Migration
STRATEGY AND PLANNING: TOPICS & TREND LINES
PI-1 is scheduled to end Dec. 3. Team expects to complete work on 15 of the 17 features originally proposed. Key accomplishments include FIM development to support HMS Office 365
migrations, work to support migration and onboarding of Alumni users (database and API), and meeting customer-driven deadlines for work to support SIS, PeopleSoft, and Unified
Communications (“AD Lockout”). For PI-2, which ends in late Feb. 2015, the team has prioritized additional development for Alumni and FAS self-service and execution of data migration,
retirement of database-related tech debt, analysis and discovery for HMS, and an ongoing commitment to meet customer-driven timelines for external teams and applications.
Schedule
Budget
Scope
Reporting
Staffing
Community Outreach
Release Management
FUNCTIONAL STATUS: TOPICS & TREND LINES
Two additional releases to SailPoint IIQ added features welcomed by the UC team and Support Services. Testing with PeopleSoft and SIS is complete, with production deployment imminent.
HMS Office 365 provisioning using FIM and the IdDB Sync process are now in pilot after a period of comprehensive testing. Customers continue to retire PIN3 web gates, and we are on track for
retiring PIN3 at the end of December. The requirements analysis template for school onboarding with provisioning has been posted. Outreach to schools and programs to refine our program
planning projections continues, particularly with HMS. The next PI will focus on account management and provisioning for Alumni and FAS.
Policy Governance
Service Support
Documentation
Requirements Assessment
Service Definition
Quality Assurance
Service Transition
TECHNICAL STATUS: TOPICS & TREND LINES
The team has delivered the FindPerson/Create ID API that enables SIS go-live with Wave 0. We are also making significant progress to support the Alumni release by delivering an API that
enables Alumni to import and maintain their user population with us. The team has also created a new Harvard LDAP instance for storing credentials for all new and existing populations, including
Alumni, in addition to building a first version of the account management application for Alumni to allow their users to onboard. All of these have been deployed to the cloud, and will be used by all
Schools we onboard in the future. Finally, the FIM/IdDB Sync work used for HMS O365 migration is undergoing final testing in P-1 (stage) before being moved into production.
Identity Management
Cloud Migration
Access Management
Infrastructure
Directory Services
Data
User Experience
COMMUNITY OUTREACH: HARVARD UNITS & TREND LINES
Development work with Alumni is progressing very well. SEAS and HMS are moving
through planning. Holding ongoing discovery meetings with HKS, HLS, and HSPH.
Presented on behalf of IAM at HR Directors, CAIT, and FAS IT Managers meetings.
Attended Dreamforce conference to boost skill set for ongoing Salesforce ramp-up.
Coordinating communications with PIN3 and PIN/Shib app owners for end-of-year
termination and/or changes. Coordination with UC continues to be problematic,
with recent surfacing of VoIP issue.
Faculty of Arts and Sciences
Graduate School of Design
Graduate School of Arts and Sciences
Graduate School of Education
Harvard Business School
School of Engineering & Applied Sciences
Division of Continuing Education
Kennedy School of Government
Harvard School of Dental Medicine
Harvard Divinity School
SIS
TLT
Unified Communications
Other HUIT Departments
Alumni Affairs
Campus Services
FSS
Harvard Medical School
Human Resources
Harvard Law School
Registrars
Harvard Library
Radcliffe Institute for Advanced Study
Harvard School of Public Health
KEY PERFORMANCE INDICATORS
IAM Incidents as Percent of Total
[Chart series: IAM Percentage of Total]
We expect a reduction in IAM incidents over time as a percentage of total ServiceNow incidents. In October, we checked in at under 5% for the first time.
Monthly Provisioning Transactions
[Chart series: Deprovision (IIQ), Create/Update (IIQ), Deprovision (WS), Create/Update (WS)]
Distribution of provisioning transactions is expected to shift from Waveset to SailPoint IIQ over time, with outlier data points due to bulk migrations.
Total Identities in SailPoint IIQ
[Chart series: Number of Identities]
The number of identities illustrated will increase over time as migration from Waveset to SailPoint IIQ progresses.
Total Authentication Services Registrations
[Chart series: Registered Applications]
Number of registrations is expected to fluctuate over time based upon new applications added and removal of unused applications.
Account Management Help Desk Requests
[Chart series: Account Management Help Desk Requests]
Aside from academic-year cyclical trends, we expect a decline in requests as self-service functionality is introduced, offset by the increase in user population.