DIDW: One Identity at XL - A Success Story
Thomas Dunbar - CSO XL Global Services
Publicly traded as XL
Parent of a group of Insurance, Reinsurance & Financial Products
$58B in assets
www.xlcapital.com
Founded in 1986 as an offshore insurance company, 50 employees when you started, but there have been a ton of mergers and acquisitions, each of which has a separate naming scheme.
Had 17 IT organizations, wanted consolidation, then shared services, then one IT.
Needed to support the business:
- Organic growth
- Business unit managers are to support new services
Identity issues
- No governance model
- No standards
- No technical or application architectures
- 250 Domino applications
- many Exchange organizations
- 6 Notes domains
- no common naming standard
- over 40 email domains
- dozens of customer applications requiring authentication
Data - Multiple repositories of user ID
User Experience - Had to logon to 10-12 applications per day
Org Culture - Global user base increases complexity
Applications - Big gaps in security and compliance. 3000 applications, now down to 600 with goals to reduce further.
XL Key business objectives and requirements
- One company without borders
- Increased security - password standards, deprovisioning people
- SARBOX - rights and privileges
- Increase user satisfaction and productivity - reduce logons, improve IT perception
- Cost measurement / management - Better admin and infrastructure
- Infrastructure Responsive to New business requirements - building block technology with no throwaway work.
Selling IdM at XL
Security, Productivity, User Experience were how we sold it. Sold as a phased approach with investment occurring over time.
Phase 1: Build an identity management foundation
- create a common identity
- establish its authoritative source
- develop a common directory
- identify your authorizations
Phase 2: Build a directory exchange broker (meta directory)
Phase 3: Enable web and windows apps with simplified sign-on
Phase 4: Develop enterprise directory services solution
Single identity store for all XL employees, non-employees, brokers, partners, etc.
Phase 5: Develop enterprise simplified Sign-on (round two after phase 3)
Phase 6: RBAC and Federated IdM
- Advice, don’t start here, build credibility and momentum first
- Roles are complex, not starting there
Roadmap Development Approach
- Risk Avoidance - smaller projects, use proven products
- Rapid Value Realization - immediate value and results
- Pragmatism - use existing skills and technology base
- Cost Containment -
In 2004, initial account provisioning was created. PeopleSoft is our authoritative source. It feeds into AD, Exchange, ClearTrust and Lotus Notes.
Using ClearTrust, linked this into Plumtree, Domino and other web apps
XL Initial success
134 Apps SSO overnight
86.4 User Sat
Help desk calls reduced 20%
New account provisioning within 5 days before new hire start date
Accounts easily deprovisioned
One common lifelong Identity
Established framework easily leveraged
In 2005, brought in more apps, more ClearTrust deployment, etc. This continued through 2006. Other businesses like HR started leveraging the identity infrastructure to provide more applications.
Bringing in Oracle CoreID in 2006, better simplified sign-on, extranet portal / ClearTrust integration
2007 plans - Develop approval workflow for user access, delegated admin for power users to manage other users’ rights, improve rights management and provisioning
Post IdM - Auth is AD (consultants and employees) - RSA SecurID for remote access, RSA single sign-on manager
Authorization - AD, EDS and AD/AM, RSA Cleartrust, Custom Applications
Administration - MIIS, Oracle Virt Dir Eng, Oracle Core ID
Auditing - MIIS, Cleartrust, AD form repository
Missing pieces - User lifecycle management (2007), Federation System (2008), Role-based access control (2008) (Doing some policies with GPO in AD/AM but looking to do more)
Formula for success - Plan ahead, don’t go it alone, detail the benefits, build momentum, communicate
- Develop a strategy
- Sell but don’t oversell
- Demonstrate business value
- Highlight security and compliance gaps
- Seek industry experts
- Form partnerships
- Goal: SSO
- Sell the ability to lower operation costs and improve user experience, focus on phased approach
- Sell better security through better managed passwords
- Don’t start too big (enterprise provisioning) or complex (RBAC)
- Build credibility and gain momentum through low risk / high value tactical components
- use building block mentality
- demonstrate how each piece fits into the company’s long term strategy
- Continuously sell, sell, sell
- Demonstrate success