IdM Projects: Business Case, Planning, and Resources

A. Michael Berman
VP for Instructional & Information Technology
Cal Poly Pomona
Bret Ingerman
VP for Computing and Information Services
Vassar College
Copyright Bret Ingerman and A. Michael Berman 2004. This work is the intellectual property of the author. Permission is granted for this
material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials
and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from
the author.
Overview
• When to start
• What are the drivers
• Who to involve
• Assessing and planning
• The business case
• What to do
• Resources to do it
When to start
• Right away…
• …why else would you be here?
• Unique to institution
• Unique to IT staff
– Technical skills
– Interpersonal skills
• Unique to you
When to start
• “I’ll know it when I see it”
– “You’ll know it when you need it”
• Knowing when to start…
• …depends a lot on what you want to do
• You may have already begun!
What are the drivers?
• Technology Drivers
• Positive Drivers
• Negative Drivers
Drivers for IdM Implementation
• Technology Drivers
– Improved service
– Reduced costs
• Positive business drivers
– Enable new applications
– Support better collaboration, sharing resources
• Negative business drivers
– Improved security and protection of confidential information
Technology Drivers – Improved services
• Account provision – speed, accuracy
• Providing identity information to non-central “customers”
• Customer self-service
• WebISO
– Risks of SSO w/o IdM
• Better integration for portals, ERP systems
Technology Drivers – reduced costs
• Server consolidation
• Reduce help-desk calls
• Simplify implementation of new applications
• Reduce/eliminate proxy servers
• Reduce number of shadow ID databases
Positive Business Drivers
• Enterprise course management
• Collaboration tools – calendaring, email lists based on roles, video conferencing
• Resource sharing, distribution
• Workflow
• PKI
Negative Business Drivers
• Use directory to consolidate, control access to sensitive information
• Tie to SSN access control
• Reduce risk
– Auditing risk – e.g. password control
– Compliance risk
– Liability risk
Who to involve
• Seems obvious…
• …Involve those that need to be involved:
– IT staff
– Data custodians
– Stakeholders
– Executive level
• If appropriate
Who to involve
• Include those who are necessary
• Involve those who can help ensure success
– Technical skills
– Ownership
– Political skills / clout
• Inform those who can derail the project
– Naysayers
– People who want (need) to be (feel) included
– Those key people who always need to be involved
Who to involve
• Include
– Implementation committee
• Involve
– Steering committee
– Executive committee
• Inform
– Existing committee structure
– Private briefings
Who to involve
• Don’t over-involve
– Too many cooks…
– Management / technical efficiency
• Local culture / politics / practices are key
– “The Enterprise Directory Implementation Roadmap”
The Enterprise Directory Implementation Roadmap
• Project methodology
– Campus strategic project
– Application requirement
– Stealth
• Stealth
– Probably where most small schools operate
Many implementations are done without campus buy-in and instead the business case is made and the project is done inside central IT.
This approach requires the necessary data, systems, and network infrastructure groups to be cooperative and a degree of trust to be present between the technical staff and data custodians.
The drawback to this method is the lack of concurrent policy development, which is important strategically when interinstitutional collaboration applications require similar trust levels.
Can you do a “stealth” directories project?
• May be possible for the first pass or as a prototype
• Current focus on protection of confidential information increases risk of stealth project
• Good strategy in some cases – embed within a larger project, e.g. ERP
• In some environments, only practical choice!
From: “The Enterprise Directory Implementation Roadmap”
“Like ERP systems, middleware cuts across divisions and requires broad support and needs a champion and a shared vision, support from the executive levels.”
Not necessarily…
Middleware vs. ERP
• Small schools may be (are) different
– Perhaps so are (some) big schools?
• ERP systems
– Affect lots of people
– Change the way many people work
– Highly visible
• Middleware
– Affect significantly fewer people
– Happens mostly behind the scenes
– Done right, mostly transparent
Planning
• Assessing your readiness to develop an Identity Management Infrastructure
• Understanding the likely potholes in the road
Assess Strengths, Weaknesses, and Critical Success Factors
• Do key campus and IT leaders have a good understanding of purpose and role of Enterprise Directory?
• Do key technical staff members have good understanding of core middleware and directory technologies?
• Have you identified campus business drivers that are compelling & linked to strategic needs of the campus?
Assessing…
• Have you identified an executive sponsor or champion with enough clout?
• Do you know who are the stakeholders outside the IT organization?
• Do you know who the “data owners” are, and can you get their support?
• Do you have project management expertise available?
Assessing…
• Does your campus have appropriate policies for ownership and management of the information you will put in your directory?
• Can you make changes in policies if necessary?
• Have potential roadblocks – organizational, political, legal, procedural – been identified?
Assessing…
• Is the core campus IT infrastructure in a stable configuration that can support the directory?
• Is there continuity in IT and campus leadership sufficient to sustain the effort required by the project?
• Do you have communications expertise available to you?
Developing a Business Case
• Depending on the size, complexity, and cost of project and campus environment, may need to develop a more-or-less formal business case
• Purposes:
– To focus your own thinking
– To gain executive buy-in
– To rally campus support
Potential elements of a directory project business case
• Most important – explain the need or drivers for the directory project, and how the project will address the need
• If possible, explicitly tie to the strategic objectives of the institution
• Typically includes a rough cut of project timeline and budget – address funding strategy
• Most important: executive summary
What to do
• What needs to be done?
• Entire project?
• Smaller pieces?
– Together add up to an entire project
• What can people handle technologically?
• What can people handle emotionally?
• Local culture / politics / practices are key
What I have done
• Huge projects hard to rally behind
– Seem daunting
– Seem never-ending
– Rewards too far in the future
– “Didn’t we just do a major implementation??”
• Focused on smaller steps
– On path leading to consolidation
What I have done
• Leveraged frustrations
– “Has to be a better way”
– “Have to make better use of this”
– “If only we did <this>, then we could do <that>”
• Encouraged creative approaches
• Some examples…
Lewis & Clark College - Portland, OR
• Catalyst:
– “There has to be a better way”
• Projects:
– Online directory
– Course email lists
• Manually done
– Yet data existed centrally
• Give people more control over their data
• Better utilize existing sources
Lewis & Clark College - Online Directory
• Easy to use and fault tolerant
• Simple to control/configure
• FERPA-compliant, secure
• Automatically updated
• Consolidate sources of information
– Feed from authoritative sources
• User control over view – not data
Screen Shots: Web Directory (Search Page, Results, Authentication, Set Privacy Preferences, Confirmation)
Lewis & Clark College - Email Lists
• Staff tired of manually creating/updating lists
• Wanted something completely flexible
– Initially for courses
– Subsequently for most email lists
• Dealing with reality
– T.A.s, labs, e-mail prefs., faculty ownership
• Fundamental architectural changes
• Consolidate data from authoritative sources
• Utilize same tables as directory prefs
Screen Shots: Mailing Lists (Mailing List Administration, Additional Access, Scalability)
Skidmore College - Saratoga Springs, NY
• Catalyst:
– “If only we did <this>, then we could do <that>”
• Project(s):
– Consolidate sources of authentication
– Implement new technology (ColdFusion)
– Make better use of existing data
– Overtly create a platform for future growth
• Create a Data Repository
Skidmore College - Saratoga Springs, NY
• Data spread across many systems
– Not readily linked (except by us)
– Not readily accessible (except by us)
– Seldom used beyond initial application
• But the data:
• Could be much better used
– By us and by campus
• Should be much better used
– By us and by campus
Skidmore College - Data Repository
• What was the problem with the data?
• We had the course data
– Currently: AIMS
– Soon: Oracle
• We had the authentication
– Currently: LDAP (Netscape)
– Soon: LDAP (Oracle or Microsoft)
• We were changing other apps as well
– Blackboard to WebCT
– Phorum to Fusetalk
Skidmore College - Data Repository
• Mitigate effects of upcoming data source changes
– New student system, Misc. AIMS systems
• LDAP server changes
– New LDAP server, potential schema changes
• Work around primary data source downtime
– Application upgrades, cold backups
• Address growing security concerns
– Web access and developer access
Skidmore College - Data Repository
• The Repository
• Consolidate authoritative data
– Current student system
– Oracle Human Resources
– Housing system
– Campus card system
– Etc. (for present and future)
• Common development platform
• Common authentication for custom apps.
Skidmore College - Data Repository
• Availability and efficiency
– Close to 24 X 7 uptime
– Flat file indexed data for faster retrieval
– Easier for developers
• Updated nightly from primary data sources
• Scalable
Skidmore College - Data Repository
• Common user authentication
– One ColdFusion component
– Provides common authentication and returns a common set of data regardless of the data source
– Isolates developers from the underlying data structure and potential changes
• Better availability of administrative data
• Platform for future growth
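A sketch of the common-authentication idea on this slide, added here as an illustration and not Skidmore's ColdFusion component: one entry point checks the password and returns the same record shape whichever source holds the user. The source names, field names, sample users and the PBKDF2 hashing are all assumptions made for the example.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # constructed; real systems salt per user

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample sources with deliberately different schemas.
LDAP_ENTRIES = {
    "jdoe": {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.edu",
             "pw": pw_hash("correct horse")},
}
REPOSITORY_ROWS = [  # stands in for the nightly flat-file extract
    {"LOGIN": "rroe", "FULL_NAME": "Richard Roe", "EMAIL": "rroe@example.edu",
     "PW": pw_hash("battery staple")},
]

def ldap_lookup(username):
    e = LDAP_ENTRIES.get(username)
    if e is None:
        return None
    return {"username": e["uid"], "name": e["cn"], "email": e["mail"]}, e["pw"]

def repository_lookup(username):
    for row in REPOSITORY_ROWS:
        if row["LOGIN"] == username:
            return {"username": row["LOGIN"], "name": row["FULL_NAME"],
                    "email": row["EMAIL"]}, row["PW"]
    return None

SOURCES = [("ldap", ldap_lookup), ("repository", repository_lookup)]

def authenticate(username, password):
    """Return one common record whatever the source, or None on failure."""
    candidate = pw_hash(password)  # hashed up front, so unknown users cost the same
    for source_name, lookup in SOURCES:
        found = lookup(username)
        if found is None:
            continue
        record, stored = found
        if hmac.compare_digest(candidate, stored):
            return dict(record, source=source_name)
        return None  # known user, wrong password: never fall through to another source
    return None
```

Applications see only `authenticate()`, so replacing a source or changing its columns means editing one lookup function.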
Skidmore College - Data Repository
• Ability to support additional needs:
– On-line campus directories
– Health Services client information
– Campus Safety ticketing system
– On-line grades, course schedules
– Portal (future)
– E-Portfolio (future)
– Face book (students now, staff future)
Skidmore College - Data Repository
• What did we learn?
• Large investment in existing data
– Time, effort, and money
• Original databases are silos of information
• Most databases only use original apps
• Most “custom” apps are used to…
– View same data (within one silo)
– By same department / users
Skidmore College - Data Repository
• Repository cuts across the silos
• Once in repository, easy to use / access
– By everyone
• Repository creates ready opportunities for new applications
Vassar College - Poughkeepsie, NY
• Catalyst:
– “There must be a better way.”
• Project:
– Web based “Control Panel”
• No centralized directory
– No real use of LDAP
• No single authoritative source of person info
– Consolidation will occur in time
– But this is a great start
Vassar College - Poughkeepsie, NY
• Single web page to manage many user prefs
– Email prefs, spam settings, password changes
• Password changes ripple across systems
– Email (Unix), Windows domain, Blackboard
• Password resets now handled by form
– Challenge / response
– Checks for (relatively) strong passwords
– Resets across all systems (email, domain, Bboard)
Vassar College - Poughkeepsie, NY
• Not an ideal design
– Still feed back to many systems
– No centralized, authoritative source of authentication
• But it is a step in the right direction
– Lots of synchronization
– Staff thinking about consolidation
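The password-change flow described on the Vassar slides, as an added example that is not Vassar's code: check strength once, push the change to every system, and report which systems still need a retry so a partial synchronization is visible. The policy thresholds, the `Target` stand-in class and the target names are assumptions; no real system API is called.

```python
import re

def password_problems(pw, username):
    """Hypothetical policy; the slides only say "(relatively) strong"."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if username.lower() in pw.lower():
        problems.append("contains the username")
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, pw)) for p in patterns) < 3:
        problems.append("fewer than 3 character classes")
    return problems

class Target:
    """Stand-in for one downstream system (constructed for the example)."""
    def __init__(self, name, available=True):
        self.name, self.available, self.updated_users = name, available, set()

    def set_password(self, user, pw):
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        self.updated_users.add(user)  # records the update, never the password

def change_everywhere(user, new_pw, targets):
    problems = password_problems(new_pw, user)
    if problems:  # reject before any system is touched
        return {"status": "rejected", "problems": problems}
    updated, needs_retry = [], {}
    for target in targets:
        try:
            target.set_password(user, new_pw)
            updated.append(target.name)
        except Exception as exc:  # one failure must not hide the others
            needs_retry[target.name] = str(exc)
    status = "partial" if needs_retry else "ok"
    return {"status": status, "updated": updated, "needs_retry": needs_retry}
```

A `partial` result is the case the "lots of synchronization" bullet warns about: the old password still works on the systems listed under `needs_retry` until they are retried.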
Control Panel
Resources
• Hardware
• Software
• Staff
• Consulting
Development Strategies Continuum
• “Roll your own”, open source based approach
– Requires some breadth/depth of technical capability
– Can adapt to complicated local environment
• “Commercial” approach
– Typically a smaller, more-centralized, less complex environment – e.g. “everyone” is in one Microsoft or Novell domain
– Off-the-shelf tools may work with little customization
– Requires less range of technical capability
Hardware
• Primary components
– Directory servers
– Registry servers
– Application servers – e.g. WebISO, Shibboleth
• Design as high-availability, scalable, enterprise service
Hardware
• Cost factors
– Size of enterprise
– Anticipated applications
– Complexity of environment
– Operating system
Software
• Server licenses
• Database management
• Directory Software
– Microsoft, Sun, Novell, Open Source
• Meta-merge
• Self-Service
Staffing
• Communications, collaboration, documentation
– On some campuses, endless meetings…
• Architect
• Systems management
• Database management
• Applications development
Consulting
• Consulting requirements sensitive both to overall strategy and local staff availability
Can you outsource your directory?
• Your campus has to own Identity Management,
• but may be able to outsource directory development and management
• NMI-EDIT-funded experiment in the CSU
– Cal Poly SLO and CSU Stanislaus
There are no easy answers.
There are no right (or wrong) answers.
There are never enough questions.
Small steps are OK.
Thank you!
Questions?