CIS 2015-API's & Identity: Enabling the Business to Become the Cloud- Carlos Garcia


APIs and Identity: Enabling Optum to become the HealthCare cloud

Carlos Garcia

Synopsis

This is a short story on how Optum is transforming itself to become the HealthCare Services Cloud and how APIs and Identity are the enablers to make this possible.

Copyright © 2015 Cloud Identity Summit. All rights reserved.

Or as I like to call it….

How the security dog finally caught the car

Back to the security dog…

But first…. Who are we?

UnitedHealth Group is an interconnected company composed of business segments. A few examples:

Health Benefits
• Employer and individual
• Medicare & Retirement
• Military and Veterans
• Amil (Brazil)
• NHS (UK)
• Lusíadas Saúde (Portugal)

Health Services
• Provider Solutions
• Payer Solutions
• Optum Bank
• OptumRX
• OptumCloud
• OptumIT

Story of the chase

The Big Challenges

Selling the value of WAM and SAML; gaining adoption but not improving end-user experience.
• 12+ million identities but siloed.
• End user experience
• SAML masks identity problem.
• Common security framework for registration.
• Standard WAM/SSO integration patterns and SDK

Optum Opportunities

• ACA provides huge opportunities
• Claims data mining. 100’s of millions of claims
• Fraud Monitoring (US) 80 Billion dollars in 2014
• Expose and monetize the data and services
• Enable the developers
• IaaS/PaaS/SaaS and Hosting
• Healthcare exchanges (Private and Government)

Wait… I think we need Identity

All of a sudden, the security dog didn’t catch the car, but rather the car hit the brakes….

….and security dog was along for the ride!

Businessman’s best friend

IAM team now has a business partner and needs to solve for:
• Optum Cloud Marketplace
• Commercialization
• Health Exchanges (private & public)

We need it yesterday!

Now instead of selling the value of identity to the business, we run to keep up with demand
• Health APIs
• SaaS, PaaS, IaaS
• Developer Enablement
• Cloud Identity Provider

It better be bulletproof

•  Downtime was no longer something you coordinated and forced upon the business. Now you have commercial customers who expect 24x7

•  Enterprise support versus commercial support forced a change of culture.

•  From enterprise IAM shop to essentially a commercial cloud IDP.

What did we build??

We had a green field to work with and great technology vendor partners.
• Best of Breed and home grown
• SOAP/REST
• Legacy to mobile
• LOA3 – FICAM/MARS-E
• Multi-tenancy

[Figure: layered architecture diagram. Layers: Front-Ends; Policy Enforcement Points / Abstraction SDK; Policy Decision Point / Core IDM Services; Policy Information Point.]

Components labelled in the figure: OptumID UI (healthid); Identity Management Web Services; Radiant Logic VDS; Identity verification web services; SiteMinder; Ping Federate IDP/SP; Security SDK; Delegated Login Service; Extended attributes Web Services; Layer 7 (API Gateway); External Applications/Developer Portal/orgs (consumers of our APIs); SOAP / RESTful Interface; UnboundID OptumID LDAP; Cloud DB; Step-Up Authentication/OTP Services; Axiomatics; Agents; IDP for Consumers, Providers; DB.

Functions listed in the figure:
1. Registration
2. Forgot Password/UserName
3. Login
4. Change Password and update profile.
5. Administrator UI for setting up relying party
6. Identity verification workflow

[Figure: OptumID Component Level Diagram. Labels in the figure: healthid.optum.com; OptumID UI (WebSphere); ESSO (WebSphere); ESSO Service; ESSO REST (WebSphere); REST Interface – User Profile; Profile; Audit; Oracle DB; Authentication LDAP; Advanced Auth Service; Strong Auth; Risk Engine; Adapters; Strong Auth Oracle DB; SiteMinder Policy Server; SiteMinder Policy LDAP; OptumID LDAP; OptumID VDS; Layer7 API Gateway.]

What’s underneath the hood?

• Java based App on WebSphere
• Multi-DC Active-Active
• Abstraction SDK
• 4 million users; 40+ relying party apps – rapid growth
• Target migration of 25+ million identities

User Experience

BFF Vendors

• CA SiteMinder
• CA Layer7
• CA Strong Auth
• Ping Federate
• RadiantLogic
• Axiomatics

No time to slow down!

• We have started working on our next generation of IDM services based on micro architecture.
• More branding flexibility.
• Automation – Service Catalog
• REST as default for everything.
• Get rid of agents, identity tokens for everything.
• Dynamic elasticity, resiliency, containers and OpenShift Enterprise

Thank You!