Identity and Access Management in a Highly Distributed and Dynamic Global Enterprise
Shannon Tompkins, MBA, CISSP, Manager, Global Identity and Access Management, Yum! Brands, Inc.
Dan Fitzgerald, VP, Sales and Marketing, intiGrow
Who is Yum! Brands, Inc.?
• World’s largest restaurant company in terms of the number of restaurant systems
  – 37,000 restaurants in 110 countries
  – 1,000,000 associates
  – $11 billion in revenue in 2009
  – Mix of both equity restaurant systems and franchise restaurant systems
• Primary brands
  – A&W, KFC, Long John Silver’s, Pizza Hut, Taco Bell
• Three Operating Segments
  – U.S., Yum Restaurants International, China Division
• Leader in international retail development
  – In 2009 Yum opened more than four restaurants per day internationally
  – On average, China alone opens one new restaurant per day
IBM Pulse11: Feb. 28, 2011
Who is intiGrow?
• Premier IBM Business Partner
  – Focused on IAM
  – Operating in the USA and India
  – Providing service in South America and Australia
• Became part of Yum! Brands IAM team when IAM expansion took off. Has continued to provide services since 2007.
Agenda
• Yum’s IAM Journey
• Current Global IAM Drivers
• Meeting the Challenges
• Successes
• Lessons Learned
• Q&A
Yum’s IAM Journey
Before IAM (2005)
• Corporate: Standard and unique Active Directory UIDs
• Restaurants: No individual restaurant identities
• Administration: Manual administration
Early U.S. IAM (2005 - 2007)
• Early IAM Research: Role based access control research to gain administrative efficiencies
• IAM Business Case Developed: Web-based benefits enrollment enabled for equity-based corporate and restaurant employees
U.S. > Global IAM (2007 – Present)
• Provisioning: Now automatically maintain 400k+ accounts (and growing) around the globe for corporate, restaurant, and franchisee identities
• Access: Controlled Internet access to Web apps
• Passwords: SSO, password synch, and self-service functions
Yum’s IAM Journey: Before IAM (2005)
• All corporate equity employees around the globe received an Active Directory (AD) account and Exchange mailbox
• Five separate AD domains
• Global AD account naming convention and naming uniqueness ensured via manual account requests and centralized ID generator application
• AD integrations for some enterprise applications
• No individual restaurant accounts; role-based shared accounts only for in-restaurant point of sale and back of house applications
Yum’s IAM Journey: Early U.S. IAM (2005 - 2007)
• IAM was being researched for possible role based access control (RBAC) benefits when a business case suddenly developed
• IT told the U.S. business that it would provide Web-based benefits enrollment
• Suddenly ALL U.S. equity restaurant employees required an optional centralized account
Yum’s IAM Journey: U.S. > Global IAM (2007 – Present)
• Provide Internet access to key internal Portal and other Web applications via Tivoli WebSEAL and IBM Tivoli Access Manager (ITAM)
• Migrated from multi-domain AD to ITAM LDAP as enterprise application directory, which increased the scope and criticality of user provisioning
• User provisioning and password synchronizations to third-party hosted Software as a Service (SaaS) Web applications
• Provision equity and franchisee restaurant crew employee accounts around the globe for access to key, strategic, global applications
How Did IAM Become Global At Yum?
Key global Web applications became strategic Yum global initiatives across brands (e.g., learning management, hiring management)
For the first time, restaurant crew-level associates around the globe required individual identity credentials to access global and brand-based applications
The Business Challenges
• Technology to the restaurants
  – Strategic global Web applications
  – Brand-based Web applications
• Outsource application hosting
• Provide rapid and accurate access to resources
• Reduce costs
The Operational Challenges
• Dynamic staffing environments
  – Thousands of restaurants around the globe
  – Average ~30-40 associates per restaurant
  – High restaurant employee turnover
• High franchise-to-equity ownership ratios
• Outsourced application hosting models
How Does IAM Meet the Challenges?
• Automates the creation, modification, and deletion of widely distributed equity and franchisee account data
• Enables global access to applications
• Provides one user account and one password per equity and franchise associate
• Enables password synch, password self-service, and (new) single sign-on services
How Do We Do It?
Ha – One of our team whiteboard talks on the “New Hire” process
How Do We Do It?
[Diagram: ITIM Provisions to Managed Endpoints by Policy. Endpoints shown: ITIM LDAP, AD, ITAM LDAP, Voice Mail, Email, Collab App, Market LDAPs, Attribute Data, Learning App, Hiring App, App LDAPs. Legend distinguishes internally hosted from externally hosted systems.]
How Do We Do It? Provisioning Inputs
[Diagram: inputs feeding ITIM. Sources shown: Franchisee Batch Uploads, UP Web Services, SFTP Server, Equity HR App Data, Various Apply for Access Apps, International ITIM, BOH Real-Time Processing, Restaurant Inventory App, TDIs. Annotations: Batch Feeds; Real-Time 24/7/365; Custom throttling applications; Performance considerations. Legend distinguishes internally hosted, externally hosted, and internal collection.]
How Do We Do It? Web Services – The Glue That Binds
• In our early stages of IAM, we provisioned only equity-based user accounts for access to brand-based Portal applications
• Our HR system was our authoritative source for equity-based corporate and restaurant employee information
• With the growth of features, function and popularity of our brand-based Portal applications, we suddenly needed a way to grant access to franchisee employees
• We had no authoritative source for franchisee employee information
• Java-based Web Services enabled franchisees to submit their data to us through apply-for-access Web applications, batch data feeds, and in-restaurant HR application integrations
How Do We Do It? Web Services – The Glue That Binds (continued)
• Today, with the growth of Web Services correlating directly with the growth of IAM, custom-built Web Services play a crucial role in our global provisioning environment
• Creates and tracks a behind-the-scenes “Global Person Number” (GPN) for every individual to follow them indefinitely through rehires and across organizations (separate from their transient logon IDs)
• Transfers attribute data to attribute data stores
• Enables password synch and self-service operations
• Provides over-the-Internet authentication services for third-party hosted Web applications
• (New) Enables near real-time provisioning services from restaurants to third-party Web Applications
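The GPN mechanism described above, as an added example (not Yum!’s or intiGrow’s code): a small Python registry that mints one stable GPN per individual and lets the transient logon ID change across a termination, a rehire, and a move from an equity feed to a franchisee feed. The (source, source_id) key and the name/date-of-birth fallback match are assumptions for the example, not anything the slide specifies.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class PersonRecord:
    source: str     # feed the record came from, e.g. "equity_hr" or "franchisee_batch"
    source_id: str  # that feed's own employee id; many HR systems issue a new one on rehire
    given: str
    family: str
    dob: str        # YYYY-MM-DD
    active: bool    # False means terminated in the source

@dataclass
class Person:
    gpn: str                                       # stable, behind-the-scenes identifier
    logon_ids: list = field(default_factory=list)  # transient; the last entry is current
    active: bool = False

class GpnRegistry:
    def __init__(self):
        self.people = {}   # gpn -> Person
        self.by_key = {}   # (source, source_id) -> gpn
        self.by_demo = {}  # (given, family, dob) -> gpn; assumed fallback match, not from the slide
        self.gpn_seq, self.logon_seq = count(1), count(1)

    def correlate(self, rec):
        """Return the Person for rec, minting a GPN only for a never-seen individual."""
        key = (rec.source, rec.source_id)
        demo = (rec.given.casefold(), rec.family.casefold(), rec.dob)
        gpn = self.by_key.get(key) or self.by_demo.get(demo)
        if gpn is None:
            gpn = f"GPN{next(self.gpn_seq):08d}"
            self.people[gpn] = Person(gpn)
        self.by_key[key] = gpn    # every key ever seen for this person keeps resolving to one GPN
        self.by_demo[demo] = gpn
        person = self.people[gpn]
        if rec.active and not person.active:
            # new hire or rehire: fresh logon ID, same GPN as before
            person.logon_ids.append(f"u{next(self.logon_seq):06d}")
        person.active = rec.active
        return person

def demo_rehire_across_orgs():
    """Constructed walk-through: equity hire, termination, then rehire via a franchisee feed."""
    reg = GpnRegistry()
    hired = reg.correlate(PersonRecord("equity_hr", "E100", "Ana", "Lopez", "1990-04-02", True))
    reg.correlate(PersonRecord("equity_hr", "E100", "Ana", "Lopez", "1990-04-02", False))
    back = reg.correlate(PersonRecord("franchisee_batch", "F7", "Ana", "Lopez", "1990-04-02", True))
    return hired.gpn, back.gpn, back.logon_ids  # -> ('GPN00000001', 'GPN00000001', ['u000001', 'u000002'])
```

Downstream stores keyed on the GPN keep a single history for the individual even though the logon ID handed to applications was reissued on rehire.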
How Do We Do It?
Ha – Another One of our team whiteboard talks on the Web Services process
How Do We Do It?
[Diagram: Password Synchronizations. Components shown: ITIM Web Services, AD, ITAM, Learning App, International ITIM, Self-Service App. Legend distinguishes internally hosted, externally hosted, and internal collection.]
How Do We Do It?
[Diagram: Password Self-Service. Components shown: Self Service Web App (Web App with Forgot Password and Challenge Response Questions), Self-Service WS, ITIM WS Wrappers, ITIM, Learning App and Hiring App (each links to the Web App). Legend distinguishes internally hosted, externally hosted, and internal collection.]
How Do We Do It? Access Management
• All ITIM accounts have corresponding ITAM accounts
• WebSEAL/ITAM provides access to internal resources via junctions
  – Authentication required
  – Authorization to follow junctions occurs via ITAM policies per membership in designated ITAM LDAP groups
• Decentralized WebSEAL/ITAM deployment and support strategy
Yum’s IAM Successes
• IAM has enabled automatic user account provisioning, password synchronization, and password self-care operations for hundreds of thousands of clients around the globe, providing 24/7/365 access to key, strategic, global applications
• Very high IAM utilization levels
  – Current monthly average metrics:
    • 27,467 user accounts added
    • 75,204 user accounts modified
    • 16,575 user accounts deleted
• Lean and efficient FTE staffing model to support the IAM environment, with staff augmentation support as needed
Lessons Learned
• Very low downtime tolerance:
  – Our IAM processes support core global, strategic initiatives 24/7/365
  – Scheduling downtime maintenance windows has become very challenging
  – We overlooked early opportunities to lock in routine maintenance windows. Now we’re reviewing options to increase resiliency even further to lessen our already low downtime occurrences.
• Provisioning:
  – Automated provisioning is very logical. To succeed, business partners must be involved in workflow designs.
  – Batch provisioning eventually takes too long for the business. Real-time / near real-time provisioning becomes required.
• Password Self-Service:
  – Password self-service operations are heavily utilized. Helpdesk calls are substantially reduced.
  – But once it’s in place, password self-service must always work. It quickly builds organizational and operational dependencies.
• Password Synch, SSO, Etc.
  – Regardless of possible assumptions or directions from project leads to the contrary, every new provisioning project to a third-party hosted application will likely and eventually require a single sign-on, password synch, LDAP integration, or similar service.
  – Tolerance within the organization for multiple passwords per logon account is becoming increasingly low.
Closing Comments
Questions