Bechtel On OpenID and OAuth from Cloud Identity Summit

Post on 05-Dec-2014


Christian Reilly, Manager of Global Systems Engineering, and Brian Ward, Manager of Integration Services, make a good case for how to use OpenID and OAuth in an extended enterprise environment. Bechtel is a $30B business with 44,000 employees. See slide 13 for a description of Identity 2.0 and of BYOI (Bring Your Own Identity) provided by Janrain Engage: www.janrain.com

Transcript of Bechtel On OpenID and OAuth from Cloud Identity Summit

Identity in the Bechtel Cloud: Why and how one of the most successful Engineering & Construction companies rebuilt their digital world…

Christian Reilly – Manager of Global Systems Engineering
Brian D Ward – Manager of Integration Services

Information Evolution & Business Change: Introducing the Project Services Network

Our business model is evolving to be more complex and distributed.

Our two main challenges are related to:

- Geography: Our projects are executed in many and distributed locations
- People: Our resource model includes permanent and temporary employees, as well as vendors, customers, partners, and competitors

(Slide diagram: "Gray Zone")

Current Position

Square pegs and round holes… How much pain would you like?

- Active Directory – separate internal and external forests
- Integrated Authentication, Kerberos Constrained Delegation, Reverse Proxy
- Complex trust models & ICCs
- Application mix from Bechtel, Client, Partner, Competitor
- Wide variety of application architectures

(Slide diagram of the current state; labels: Printers, File Shares, Mail, Internet Access, AD, Desktop, Other apps (long tail), Core Apps: TimeCard, SAP, Intranet, SaaS, SaaS Bridge)

- High degree of operational complexity
- Poor visibility into which people are accessing which resources
- Inflexible model slows down deployment of services and applications to projects
- Difficult to accommodate new user communities (which change daily)
- Not readily adaptable to SaaS offerings

Why is it so easy in The Cloud? And yet so hard in the Enterprise?

- Realizations
  - "Castle and Moat" approach to security is dead
  - Our Windows-centric approach has significant technical and operational constraints
  - Authentication/Authorization are the key problems to solve
- Resolutions
  - We need a completely new approach
  - Make all applications/services SaaS
  - Make Bechtel a SaaS Provider (wow)
  - Replace, not augment, the current model
- Identity "2.0"
  - A new identity model – identities for life
  - BYOI with OpenID (Janrain), Federation
  - Anyone can have an account
  - Self Registration based on relationships
- Authorization
  - Integrated into SAP
  - Attribute store – single source of truth, replacement for groups
  - Coarse grained authz performed by Ping
  - Fine grained done in apps for now, centrally later
- Integration
  - SAML / OpenToken integration for all deployed applications
  - Citrix integration with credential translation for legacy application support
  - Two-legged OAuth STS for web services
- Services
  - New application stacks (SaaS-style)
  - File / Print / Internet Access authentication replacement
  - New desktop model – BYOD
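The "Two-legged OAuth STS for web services" bullet names the flow but not its mechanics. As an added illustration, which is not Bechtel's code and is not taken from the deck, the block below shows the two-legged OAuth 1.0a HMAC-SHA1 exchange as commonly used for service-to-service calls of that era: the calling service signs each request with its consumer key and secret and no user token, and the receiving service re-derives the signature, enforces a timestamp window and rejects replayed nonces. The consumer registry, the URL and the key material are constructed placeholders.

```python
"""Two-legged OAuth 1.0a (HMAC-SHA1) for service-to-service web calls.

Client side signs each request with a consumer key/secret and no user token;
server side re-derives the signature, enforces a timestamp window and rejects
replayed nonces. Consumer registry and key material are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlparse

# Constructed registry of web-service consumers (hypothetical key/secret).
CONSUMERS = {"timecard-svc": "example-consumer-secret-not-real"}
TIMESTAMP_WINDOW = 300          # seconds of clock skew the server tolerates
_seen_nonces = set()            # (consumer_key, nonce) pairs already accepted


def pct(value):
    """OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters are kept."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(base URL) & enc(sorted, encoded query + oauth_* parameters)."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    pairs = list(parse_qsl(parsed.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret):
    """Key is enc(consumer_secret)&enc(token_secret); the token secret is empty in two-legged use."""
    key = f"{pct(consumer_secret)}&".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, nonce=None, timestamp=None):
    """Client side: build the Authorization header value for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, oauth), consumer_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization(header):
    """Turn `OAuth k="v", ...` back into a dict; None if it is not an OAuth header."""
    if not header or not header.startswith("OAuth "):
        return None
    params = {}
    for part in header[len("OAuth "):].split(","):
        key, _, value = part.strip().partition("=")
        params[unquote(key)] = unquote(value.strip('"'))
    return params


def verify_request(method, url, header, now=None):
    """Server side: returns (ok, reason). The signature is checked last, and a
    nonce is only recorded once the request it belongs to has fully verified."""
    now = int(time.time()) if now is None else now
    params = parse_authorization(header)
    if not params:
        return False, "missing OAuth header"
    secret = CONSUMERS.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False, "unknown consumer"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > TIMESTAMP_WINDOW:
        return False, "timestamp outside window"
    nonce_key = (params["oauth_consumer_key"], params.get("oauth_nonce"))
    if nonce_key in _seen_nonces:
        return False, "nonce replayed"
    expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "bad signature"
    _seen_nonces.add(nonce_key)
    return True, "ok"


if __name__ == "__main__":
    url = "https://api.example.com/v1/timecards?week=2010-07"   # constructed
    header = sign_request("GET", url, "timecard-svc", CONSUMERS["timecard-svc"])
    print(header)
    print(verify_request("GET", url, header))      # (True, 'ok')
    print(verify_request("GET", url, header))      # (False, 'nonce replayed')
```

The signature covers the HTTP method, the base URL and every query and oauth_* parameter, so a request whose method or query string has been altered in transit fails verification even though the consumer secret never leaves either party. A production service would keep the nonce cache in shared storage with an expiry equal to the timestamp window rather than in a process-local set.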

(Slide diagram of the target state; labels: Browser, Other apps (long tail), Core Apps: TimeCard, SAP, Intranet, Identity Array, Printers, File Shares, Mail, Internet Access, SaaS)

- Simplicity
  - Built for the "Internet" not for the "Enterprise"
  - No "internal" vs. "external" architectural constraints
  - Moving away from managing every user account
- Agility
  - Modular framework of security, UI and services
  - Applications decoupled from infrastructure
  - No vendor lock-in via open standards/open source
  - Able to accommodate SaaS and new identity pools natively (with added hope for Geneva)
- Affordability
  - Lower overall operational cost
  - "B3" approach allows greater flexibility in cost management
  - New vendors embrace new commercial models
- Security
  - Standards based security
  - Single point of entry & logging
  - Secured by policy not by topology (secure the data and not the device)
  - Easily allow any user access to any data in a controlled life cycle

Why can’t we just buy this… hint, hint? Unraveling years of LAN/WAN-based legacy is, well, damn hard.

- Facts
  - SaaS integration quickly becoming a commodity
  - Federation and/or OpenID fills in the moat
  - SaaS moves you out of the castle in the "Metro"
- Key Questions
  - What does the enterprise have left?
  - How long is the tail for traditional enterprises?
- Challenges
  - Authorization is THE game to win
  - Push provisioning is, at best, an interim solution
  - A central model with standards-based interfaces is desperately needed
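The Authorization bullets earlier in the deck ("Attribute store – single source of truth, replacement for groups", coarse grained authz performed by the Ping gateway, fine grained done in apps) and the "Authorization is THE game to win" challenge describe a two-layer model without showing what each layer evaluates. As an added example that is not part of the deck and not Bechtel's code, the block below sketches those two layers in Python: a gateway decision that grants or denies entry to an application purely from attributes, and per-record decisions inside two applications that consult the same attribute store. The subjects, attributes, policies and records are constructed; the Ping gateway and the SAP integration named on the slides are not modelled.

```python
"""Two-layer attribute-based authorization: a coarse gate at the federation
gateway plus fine-grained checks inside each application, both driven by one
attribute store instead of directory groups. All data below is constructed."""
from dataclasses import dataclass

# Constructed attribute store keyed by federated subject identifier. Attributes,
# not group memberships, describe the relationship each identity has with the firm.
ATTRIBUTE_STORE = {
    "alice": {"employer": "bechtel", "employment": "permanent",
              "projects": {"P100", "P200"}, "roles": {"engineer"}},
    "bob":   {"employer": "vendor-x", "employment": "vendor",
              "projects": {"P100"}, "roles": {"inspector"}},
    "carol": {"employer": "bechtel", "employment": "permanent",
              "projects": {"P100"}, "roles": {"project-manager"}},
}

# Layer 1: coarse-grained policy per application, evaluated at the gateway.
# Each rule sees only the caller's attributes and answers one question:
# may this caller reach the application at all?
APP_POLICY = {
    "timecard":     lambda a: a["employer"] == "bechtel",
    "project-docs": lambda a: bool(a["projects"]),
    "sap-finance":  lambda a: "finance" in a["roles"],
}

AUDIT_LOG = []   # a single point of entry gives a single place to log decisions


def gateway_authorize(subject, app):
    """Coarse-grained decision: unknown subjects and unknown apps are denied."""
    attrs = ATTRIBUTE_STORE.get(subject)
    rule = APP_POLICY.get(app)
    allowed = bool(attrs and rule and rule(attrs))
    AUDIT_LOG.append(("gateway", subject, app, "allow" if allowed else "deny"))
    return allowed


@dataclass(frozen=True)
class Document:
    doc_id: str
    project: str
    restricted: bool   # restricted documents are for permanent staff only


def docs_authorize(subject, doc, action):
    """Layer 2, fine-grained decision inside the project-docs application."""
    attrs = ATTRIBUTE_STORE.get(subject)
    if not attrs or doc.project not in attrs["projects"]:
        return False
    if doc.restricted and attrs["employment"] != "permanent":
        return False
    if action == "read":
        return True
    if action == "write":
        return bool(attrs["roles"] & {"engineer", "project-manager"})
    return False   # unknown actions are denied, never silently allowed


@dataclass(frozen=True)
class Timecard:
    owner: str
    project: str


def timecard_authorize(subject, card, action):
    """Layer 2, fine-grained decision inside the timecard application."""
    attrs = ATTRIBUTE_STORE.get(subject)
    if not attrs:
        return False
    if action == "submit":
        return subject == card.owner and card.project in attrs["projects"]
    if action == "approve":
        # Approval is a relationship check: a project manager on the same
        # project, and never the card's own owner.
        return (subject != card.owner
                and "project-manager" in attrs["roles"]
                and card.project in attrs["projects"])
    return False


def request(subject, app, check, *args):
    """End to end: the gateway gate runs first; the app check only if it passes."""
    if not gateway_authorize(subject, app):
        return False
    return check(subject, *args)


if __name__ == "__main__":
    spec = Document("spec-17", "P100", restricted=False)
    design = Document("design-3", "P100", restricted=True)
    card = Timecard(owner="alice", project="P100")
    print("bob reads spec:", request("bob", "project-docs", docs_authorize, spec, "read"))
    print("bob reads design:", request("bob", "project-docs", docs_authorize, design, "read"))
    print("bob uses timecard:", request("bob", "timecard", timecard_authorize, card, "submit"))
    print("carol approves alice:", request("carol", "timecard", timecard_authorize, card, "approve"))
```

The point of the split is that the gateway never needs to understand documents or timecards, and the applications never need to know how the caller authenticated: both sides reason only over attributes from the one store, so onboarding a vendor or a new project is a data change rather than a change to group structures in two directory forests.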

Questions & Answers. Or if you’re too shy, grab one of us later…