CIO Council Project Completion Report University Identity and Access Management (UIAM) Report to CIO Council May 1, 2017

Apr 30, 2018


lethuan

CIO Council Project Completion Report

University Identity and Access Management (UIAM)

Report to CIO Council

May 1, 2017


Project Completion Summary - Identity and Access Management


Summary Metrics

Budget: Overall project delivered on budget ($380k transferred to Collaboration Program 6/14)

Schedule: Overall project delivered on time

Major Benefits Achieved

• Simplified Experience: One login for life has replaced an average of over 6 logins per user

• Security: University-wide adoption of standardized and improved passwords with associated two factor authentication dramatically increases security

• Improved Access: All schools across Harvard are integrated with common user identities that enable University email, HarvardPhone, and over 2,000 other applications

• Efficiencies: 100k+ alumni use IAM identity data preventing redundant data, experience, and system costs; provisioning expansion to additional schools ongoing

Key Success Factors

• Adaptability: Flexible processes allowed for successful incorporation of new scope (Alumni & Duo)

• Strategic Alignment: Original strategic plan (1/14) provided direction and vision throughout program

• Usability & Outreach: Focus areas of outreach and User Experience accelerated adoption

Areas for Improvement (see lessons learned)

• Usability & Outreach: Continually improving throughout the program, required focus sooner

• Stronger Integration with Schools: Dedicated communications staff helped, better model is possible

• Scope Management: Additional scope impacted roadmap, additional impact analysis necessary

Green = less than 10%, Yellow = between 10% and 20%, Red = more than 20%


Award: $12.9M

Reforecast: $12.5M

Spent: $12.3M

Start: 02/13

End: 06/17



Objectives Guiding Principles Key Performance Indicators

The Vision for the Program (


UIAM Program Timeline

Key Program Objectives

● Simplify the User Experience

● Enable Research and Collaboration

● Protect University Resources

● Facilitate Technology Innovation

ITCRB Funded Project

Timeline figure (FY’13 to FY’18+), milestone labels:

● IAM Strategy Published

● HarvardKey Released

● Two Step Mandate

● FAS / Central Provisioning Updated

● UIAM Project Launched

● Continued expansion & support


Achieved Goals and Impact

IAM Strategic Objectives Impact

Simplify the User Experience

Fewer passwords to remember...

● One login for life has replaced an average of over 6 logins per user across Harvard

Enable Research and Collaboration

Improved access to university resources...

● All schools across Harvard are integrated with common user identities that enable University email, HarvardPhone, and over 2,000 other applications

Protect University Resources

Better security...

● University-wide adoption of standardized and improved passwords with associated two factor authentication dramatically increases security

Facilitate Technology Innovation

Improved participation in higher education community...

● Improved sponsored guest accounts and external federation allow external researchers and university staff to collaborate quickly


“Imagine If…”

At the onset of the IAM program, we imagined a list of key ideas that represented an ideal state for our stakeholder groups. This is how we did:

Faculty and Staff (Outcome: COMPLETE)

Imagine If…

• Faculty and staff could access information and perform research across schools and with other institutions without having to use several sets of credentials.

• Faculty and staff could manage their own accounts and sponsor others through a centralized web application.

Solution Implemented

• Harvard has Federated with InCommon to allow for resource access across other Higher Ed institutions using Harvard credentials

• Sponsored Account process automated and distributed across the University to allow for self-service management of Harvard partners

Students (Outcome: COMPLETE)

Imagine If…

• Students could choose to use their home school credentials to log in to applications across the University.

• Students could keep using the same set of credentials after they graduate.

Solution Implemented

• HarvardKey credentials aligned to University affiliations with ability to choose login name

• One HarvardKey for life for all Harvard affiliates including Students / Alumni

Technical Staff (Outcome: COMPLETE)

Imagine If…

• Automated provisioning could reduce the burden on IT staff and increase the security posture of the University.

• Application teams could easily integrate Harvard users with internal and external applications.

Solution Implemented

• Automatic provisioning of access based on users’ University affiliations

• Over 2000 applications integrated with HarvardKey

External Users (Outcome: COMPLETE)

Imagine If…

• External users could access Harvard applications using credentials native to their home institution.

Solution Implemented

• External access to Harvard resources with either federated login or sponsored accounts


Evolving Program Focus

Figure: program focus, comparing PROJECTED and ACTUAL ~ effort to completion.

Key: box size represents approximate (~) effort to completion; boxes are marked Planned Project or Additional Project, and COMPLETE or POSTPONED.

Boxes listed twice in the figure: Provisioning, Federation, Directory Services, App Owner Portal, Identity Governance, Authentication Enhancements, Authorization Enhancements, External Directories, Expanded Provisioning, Cloud Migrations

Boxes listed once in the figure: Office365 Integration, Alumni Provisioning and Support, Two-Step Authentication and Security Improvements

Annotations: ~ 600k users, ~ 150k users


Transition


Ongoing Governance (to be established)

Ongoing Support

• Jane Hill continues as IAM Service Owner / Product Manager

• IAM organization: End User Services and Integration Services (IT Provider Services)

• FY’18 will serve as a transition year from program to steady operating state

Communication and Engagement

• Regular meetings between schools and IAM in partnership with HUIT Account Management going forward

• Twice Yearly IAM Town Halls to provide general updates on IAM roadmap progress

• Grouper Clinics to provide specific service/functionality overview

• Evaluating the possibility of an IT Academy course to increase IAM awareness

Ongoing governance diagram, box labels: IAM Product Advisory Group; Schools Library; Service Owner; Product Owners; Sponsor; Engagement Councils; Middleware Workgroup; Campus Services ATATS ITS; IAM Data Workgroup (w/ SIS); Directory Services; Steering Com


Lessons Learned - Scope & Planning


Surprises

• IAM had several starts before the UIAM program gained traction

• Project timeline was primarily focused on delivery activities and could have benefited from increased time for team norming and stabilization

• Data cleanup activities were critical to success and require significant effort

• Alumni integration effort required far more effort than anticipated

• Agile requires constant attention and tweaking to fit culture and business needs

Best Practices

• Define a clear program vision to set multi-year roadmap, ensure alignment and allow for leadership/team transitions

• Ensure appropriate time and resources allocated to data conversion efforts

• If running a multiyear agile process, consider using Program Increment Planning: Strategic Plan > Program Increment Objectives (3 months) > Sprints (2 weeks)

• Ensure agile is “tuned” to delivering value to the organization

• Consider a staffing approach that accommodates team normalization (trust building, process acceptance, buy-in)

• Involve security early in designs and approach to minimize rework


Lessons Learned - Engagement


Surprises

• The complexity of the IAM ecosystem is difficult to communicate to stakeholders

• The IAM Program staffed for communications but not “engagement” as fully as the program required at the start

• When developing an enterprise service you have to factor in time for each unique school and environment, not assume economies of scale

• Work being completed in the year before establishing HarvardKey brand was difficult to communicate to individuals outside of the program

Best Practices

• Dedicate staff to engagement with the University, not just communicating updates/status; partner with school communications personnel

• Be transparent and honest with technical teams to ensure alignment of developers’ work to the “Why” value statements for the organization

• Knowledge transfer early and consistently with support teams that will respond to customer requests

• A clean and concise website is valuable to both internal and external audiences

• Define a brand as early as possible in a project and relate program efforts back to that unifying identity


Lessons Learned - Governance, Budget & Staffing


Surprises

• Balancing strategic program work against lower value tactical work is an ongoing struggle

• The classic definition of a Product Owner is challenging to map effectively to Harvard’s many stakeholders

• The value provided by external vendors was very limited

• Two groups established early in the program didn’t continue throughout the program due to difficulty in maintaining effective cross-University working groups

Best Practices

• Track both strategic & tactical priorities to understand when one impacts another

• Define goals/objectives of various committees and revisit those goals regularly

• Consider integrating team with other similar teams (AD, Collaboration, Accounts)

• YearUp provides a valuable pipeline of resources but requires dedicated management

• Diversity matters; different experiences & backgrounds make everyone stronger

• Consider dedicated DevOps and Release Management roles to increase agility


Lessons Learned - Technical


Surprises

• Adoption and migration to the cloud required dedicated resources, team focus, and new models of support/testing/integration

• A focus by individuals on a particular product or technology creates siloed knowledge and limits creative problem solving

• New development follows cycles of innovation and stability. Windows for stability tend to be minimized which can lead to change fatigue and decreased ability to decommission legacy technology

• IAM was not a technical change but an organizational change effort

Best Practices

• Choose a cloud first approach, even when vendors caution against it, work to mitigate their concerns

• Do not align teams by products but by functionality and solutions (e.g. Auth)

• Manage the number of deliverables for a given quarter to align efforts and simplify messaging

• Utilize best of breed industry software, follow other Harvard use cases, and standardize use (GitHub, Jenkins, Cloud Formation, Slack, Wiki, SharePoint, etc.)

• Establish Lunch and Learns to share knowledge and experiences across teams


Lessons Learned - Discussion


From your perspective, it would be really helpful to capture input on the project and product, to help inform how we a.) deliver services in the coming years and b.) design future projects of similar magnitude and complexity

What should HUIT…

… Keep Doing

… Start Doing

… Stop Doing