CIO Council Project Completion Report University Identity and Access Management (UIAM) Report to CIO Council May 1, 2017
Project Completion Summary - Identity and Access Management
Summary Metrics
Budget: Overall project delivered on budget ($380k transferred to Collaboration Program 6/14)
Schedule: Overall project delivered on time
Major Benefits Achieved
• Simplified Experience: One login for life has replaced an average of over 6 logins per user
• Security: University-wide adoption of standardized and improved passwords with associated two factor authentication dramatically increases security
• Improved Access: All schools across Harvard are integrated with common user identities that enable University email, HarvardPhone, and over 2,000 other applications
• Efficiencies: 100k+ alumni use IAM identity data preventing redundant data, experience, and system costs; provisioning expansion to additional schools ongoing
Key Success Factors
• Adaptability: Flexible processes allowed for successful incorporation of new scope (Alumni & Duo)
• Strategic Alignment: Original strategic plan (1/14) provided direction and vision throughout program
• Usability & Outreach: Focus areas of outreach and User Experience accelerated adoption
Areas for Improvement (see lessons learned)
• Usability & Outreach: Continually improving throughout the program, required focus sooner
• Stronger Integration with Schools: Dedicated communications staff helped, better model is possible
• Scope Management: Additional scope impacted roadmap, additional impact analysis necessary
Green = less than 10%, Yellow = between 10% and 20%, Red = more than 20%
Award: $12.9M
Reforecast: $12.5M
Spent: $12.3M
Start: 02/13
End: 06/17
UIAM Program Timeline
Key Program Objectives
● Simplify the User Experience
● Enable Research and Collaboration
● Protect University Resources
● Facilitate Technology Innovation
ITCRB Funded Project
[Timeline figure, FY’13 through FY’18+. Milestones shown: IAM Strategy Published; HarvardKey Released; Two Step Mandate; FAS / Central Provisioning Updated; UIAM Project Launched; Continued expansion & support]
Achieved Goals and Impact
IAM Strategic Objectives Impact
Simplify the User Experience
Fewer passwords to remember...
● One login for life has replaced an average of over 6 logins per user across Harvard
Enable Research and Collaboration
Improved access to university resources...
● All schools across Harvard are integrated with common user identities that enable University email, HarvardPhone, and over 2,000 other applications
Protect University Resources
Better security...
● University-wide adoption of standardized and improved passwords with associated two factor authentication dramatically increases security
Facilitate Technology Innovation
Improved participation in higher education community...
● Improved sponsored guest accounts and external federation allow external researchers and university staff to collaborate quickly
“Imagine If…”
At the onset of the IAM program, we imagined a list of key ideas that represented an ideal state for our stakeholder groups. This is how we did:
Faculty and Staff
Imagine If…
• Faculty and staff could access information and perform research across schools and with other institutions without having to use several sets of credentials.
• Faculty and staff could manage their own accounts and sponsor others through a centralized web application.
Outcome: COMPLETE
Solution Implemented
• Harvard has federated with InCommon to allow for resource access across other Higher Ed institutions using Harvard credentials
• Sponsored Account process automated and distributed across the University to allow for self-service management of Harvard partners
Students
Imagine If…
• Students could choose to use their home school credentials to log in to applications across the University.
• Students could keep using the same set of credentials after they graduate.
Outcome: COMPLETE
Solution Implemented
• HarvardKey credentials aligned to University affiliations with ability to choose login name
• One HarvardKey for life for all Harvard affiliates including Students / Alumni
Technical Staff
Imagine If…
• Automated provisioning could reduce the burden on IT staff and increase the security posture of the University.
• Application teams could easily integrate Harvard users with internal and external applications.
Outcome: COMPLETE
Solution Implemented
• Automatic provisioning of access based on users’ University affiliations
• Over 2000 applications integrated with HarvardKey
External Users
Imagine If…
• External users could access Harvard applications using credentials native to their home institution.
Outcome: COMPLETE
Solution Implemented
• External access to Harvard resources based on either federated login or sponsored accounts
Evolving Program Focus
[Figure: projected vs. actual effort to completion for program focus areas. Key: box size represents approximate (~) effort to completion; boxes are labeled Planned Project or Additional Project, and COMPLETE or POSTPONED.]
Focus areas shown: Provisioning; Federation; Directory Services; App Owner Portal; Identity Governance; Authentication Enhancements; Authorization Enhancements; External Directories; Expanded Provisioning; Cloud Migrations; Office365 Integration; Alumni Provisioning and Support; Two-Step Authentication and Security Improvements
Other labels: ~ 600k users; ~ 150k users
Transition
Ongoing Governance (to be established)
Ongoing Support
• Jane Hill continues as IAM Service Owner / Product Manager
• IAM organization: End User Services and Integration Services (IT Provider Services)
• FY’18 will serve as a transition year from program to steady operating state
Communication and Engagement
• Regular meetings between schools and IAM in partnership with HUIT Account Management going forward
• Twice Yearly IAM Town Halls to provide general updates on IAM roadmap progress
• Grouper Clinics to provide specific service/functionality overview
• Evaluating the possibility of an IT Academy course to increase IAM awareness
[Org chart labels: IAM Product Advisory Group; Schools Library; Service Owner; Product Owners; Sponsor; Engagement Councils; Middleware Workgroup; Campus Services ATATS ITS; IAM Data Workgroup (w/ SIS); Directory Services; Steering Com]
Lessons Learned - Scope & Planning
Surprises
• IAM had several starts before the UIAM program gained traction
• Project timeline was primarily focused on delivery activities and could have benefited from increased time for team norming and stabilization
• Data cleanup activities were critical to success and require significant effort
• Alumni integration effort required far more effort than anticipated
• Agile requires constant attention and tweaking to fit culture and business needs
Best Practices
• Define a clear program vision to set multi-year roadmap, ensure alignment and allow for leadership/team transitions
• Ensure appropriate time and resources allocated to data conversion efforts
• If running a multiyear agile progress consider using Program Increment Planning Strategic Plan > Program Increment Objectives (3 months) > Sprints (2 weeks)
• Ensure agile is “tuned” to delivering value to the organization
• Consider a staffing approach that accommodates team normalization (trust building, process acceptance, buy-in)
• Involve security early in designs and approach to minimize rework
Lessons Learned - Engagement
Surprises
• The complexity of the IAM ecosystem is difficult to communicate to stakeholders
• The IAM Program staffed for communications but not “engagement” as fully as the program required at the start
• When developing an enterprise service you have to factor in time for each unique school and environment, not assume economies of scale
• Work being completed in the year before establishing HarvardKey brand was difficult to communicate to individuals outside of the program
Best Practices
• Dedicate staff to engagement with the University, not just communicating updates/status; partner with school communications personnel
• Be transparent and honest with technical teams to ensure alignment of developers’ work to the “Why” value statements for the organization
• Knowledge transfer early and consistently with support teams that will respond to customer requests
• A clean and concise website is valuable to both internal and external audiences
• Define a brand as early as possible in a project and relate program efforts back to that unifying identity
Lessons Learned - Governance, Budget & Staffing
Surprises
• Balancing strategic program work against lower value tactical work is an ongoing struggle
• The classic definition of a Product Owner is challenging to map effectively to Harvard’s many stakeholders
• The value provided by external vendors was very limited
• Two groups established early in the program didn’t continue throughout the program due to difficulty in maintaining effective cross-University working groups
Best Practices
• Track both strategic & tactical priorities to understand when one impacts another
• Define goals/objectives of various committees and revisit those goals regularly
• Consider integrating team with other similar teams (AD, Collaboration, Accounts)
• YearUp provides a valuable pipeline of resources but requires dedicated management
• Diversity matters; different experiences & backgrounds make everyone stronger
• Consider dedicated DevOps and Release Management roles to increase agility
Lessons Learned - Technical
Surprises
• Adoption and migration to the cloud required dedicated resources, team focus, and new models of support/testing/integration
• A focus by individuals on a particular product or technology creates siloed knowledge and limits creative problem solving
• New development follows cycles of innovation and stability. Windows for stability tend to be minimized which can lead to change fatigue and decreased ability to decommission legacy technology
• IAM was not a technical change but an organizational change effort
Best Practices
• Choose a cloud first approach, even when vendors caution against it; work to mitigate their concerns
• Do not align teams by products but by functionality and solutions (e.g. Auth)
• Manage the number of deliverables for a given quarter to align efforts and simplify messaging
• Utilize best of breed industry software, follow other Harvard use cases, and standardize use (GitHub, Jenkins, Cloud Formation, Slack, Wiki, SharePoint, etc.)
• Establish Lunch and Learns to share knowledge and experiences across teams
Lessons Learned - Discussion
From your perspective, it would be really helpful to capture input on the project and product, to help inform how we a.) deliver services in the coming years and b.) design future projects of similar magnitude and complexity
What should HUIT…
… Keep Doing
… Start Doing
… Stop Doing