IdM Projects: Business Case, Planning, and Resources A. Michael Berman VP for Instructional & Information Technology Cal Poly Pomona Bret Ingerman VP for.


IdM Projects: Business Case, Planning, and Resources A. Michael Berman VP for Instructional & Information Technology Cal Poly Pomona Bret Ingerman VP for Computing and Information Services Vassar College Copyright Bret Ingerman and A. Michael Berman This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Overview When to start What are the drivers Who to involve Assessing and planning The business case What to do Resources to do it


When to start Right away… …why else would you be here? Unique to institution Unique to IT staff –Technical skills –Interpersonal skills Unique to you

When to start “I’ll know it when I see it” –“You’ll know it when you need it” Knowing when to start… …depends a lot on what you want to do You may have already begun!

Overview When to start What are the drivers Who to involve Assessing and planning The business case What to do Resources to do it

What are the drivers? Technology Drivers Positive Drivers Negative Drivers

Drivers for IdM Implementation Technology Drivers –Improved service –Reduced costs Positive business drivers –Enable new applications –Support better collaboration, sharing resources Negative business drivers –Improved security and protection of confidential information

Technology Drivers – Improved services Account provision – speed, accuracy Providing identity information to non-central “customers” Customer self-service WebISO –Risks of SSO w/o IdM Better integration for portals, ERP systems

Technology Drivers – reduced costs Server consolidation Reduce help-desk calls Simplify implementation of new applications Reduce/eliminate proxy servers Reduce number of shadow ID databases

Positive Business Drivers Enterprise course management Collaboration tools – calendaring, lists based on roles, video conferencing Resource sharing, distribution Workflow PKI

Negative Business Drivers Use directory to consolidate, control access to sensitive information Tie to SSN access control Reduce risk –Auditing risk – e.g. password control –Compliance risk –Liability risk

Overview When to start What are the drivers Who to involve Assessing and planning The business case What to do Resources to do it

Who to involve Seems obvious… …Involve those that need to be involved: –IT staff –Data custodians –Stakeholders –Executive level If appropriate

Who to involve Include those who are necessary Involve those who can help ensure success –Technical skills –Ownership –Political skills / clout Inform those who can derail the project –Naysayers –People who want (need) to be (feel) included –Those key people who always need to be involved

Who to involve Include –Implementation committee Involve –Steering committee –Executive committee Inform –Existing committee structure –Private briefings

Who to involve Don’t over-involve –Too many cooks… –Management / technical efficiency Local culture / politics / practices are key –“The Enterprise Directory Implementation Roadmap”

The Enterprise Directory Implementation Roadmap Project methodology –Campus strategic project –Application requirement –Stealth Stealth –Probably where most small schools operate

Many implementations are done without campus buy-in and instead the business case is made and the project is done inside central IT. This approach requires the necessary data, systems, and network infrastructure groups to be cooperative and a degree of trust to be present between the technical staff and data custodians. The drawback to this method is the lack of concurrent policy development, which is important strategically when inter-institutional collaboration applications require similar trust levels.


Can you do a “stealth” directories project? May be possible for the first pass or as a prototype Current focus on protection of confidential information increases risk of stealth project Good strategy in some cases – embed within a larger project, e.g. ERP In some environments, only practical choice!

From: “The Enterprise Directory Implementation Roadmap” “Like ERP systems, middleware cuts across divisions and requires broad support and needs a champion and a shared vision, support from the executive levels.” Not necessarily…

Middleware vs. ERP Small schools may be (are) different –Perhaps so are (some) big schools? ERP systems –Affect lots of people –Change the way many people work –Highly visible Middleware –Affect significantly fewer people –Happens mostly behind the scenes –Done right, mostly transparent

Overview When to start What are the drivers Who to involve Assessing and planning The business case What to do Resources to do it

Planning Assessing your readiness to develop an Identity Management Infrastructure Understanding the likely potholes in the road

Assess Strengths, Weaknesses, and Critical Success Factors Do key campus and IT leaders have a good understanding of purpose and role of Enterprise Directory? Do key technical staff members have good understanding of core middleware and directory technologies? Have you identified campus business drivers that are compelling & linked to strategic needs of the campus?

Assessing… Have you identified an executive sponsor or champion with enough clout? Do you know who are the stakeholders outside the IT organization? Do you know who the “data owners” are, and can you get their support? Do you have project management expertise available?

Assessing… Does your campus have appropriate policies for ownership and management of the information you will put in your directory? Can you make changes in policies if necessary? Have potential roadblocks – organizational, political, legal, procedural – been identified?

Assessing… Is the core campus IT infrastructure in a stable configuration that can support the directory? Is there continuity in IT and campus leadership sufficient to sustain the effort required by the project? Do you have communications expertise available to you?

Overview When to start What are the drivers Who to involve Assessing and planning The business case What to do Resources to do it

Developing a Business Case Depending on the size, complexity, and cost of project and campus environment, may need to develop a more-or-less formal business case Purposes: –To focus your own thinking –To gain executive buy-in –To rally campus support

Potential elements of a directory project business case Most important – explain the need or drivers for the directory project, and how the project will address the need If possible, explicitly tie to the strategic objectives of the institution Typically includes a rough cut of project timeline and budget – address funding strategy Most important: executive summary

Overview When to start What are the drivers Who to involve Assessing and planning The business case What to do Resources to do it

What to do What needs to be done? Entire project? Smaller pieces? –Together add up to an entire project What can people handle technologically? What can people handle emotionally? Local culture / politics / practices are key

What I have done Huge projects hard to rally behind –Seem daunting –Seem never-ending –Rewards too far in the future –“Didn’t we just do a major implementation??” Focused on smaller steps –On path leading to consolidation

What I have done Leveraged frustrations –“Has to be a better way” –“Have to make better use of this” –“If only we did, then we could do ” Encouraged creative approaches Some examples…

Lewis & Clark College - Portland, OR Catalyst: –“There has to be a better way” Projects: –Online directory –Course lists Manually done –Yet data existed centrally Give people more control over their data Better utilize existing sources

Lewis & Clark College - Online Directory Easy to use and fault tolerant Simple to control/configure FERPA-compliant, secure Automatically updated Consolidate sources of information –Feed from authoritative sources User control over view – not data

Screen Shots Web Directory

Search Page

Results

Authentication

Set Privacy Preferences

Confirmation

Lewis & Clark College - Lists Staff tired of manually creating/updating lists Wanted something completely flexible –Initially for courses –Subsequently for most lists Dealing with reality –T.A.s, labs, prefs., faculty ownership Fundamental architectural changes Consolidate data from authoritative sources Utilize same tables as directory prefs

Screen Shots Mailing Lists

Mailing List Administration

Additional Access

Scalability

Skidmore College - Saratoga Springs, NY Catalyst: –“If only we did, then we could do ” Project(s): –Consolidate sources of authentication –Implement new technology (ColdFusion) –Make better use of existing data –Overtly create a platform for future growth Create a Data Repository

Skidmore College - Saratoga Springs, NY Data spread across many systems –Not readily linked (except by us) –Not readily accessible (except by us) –Seldom used beyond initial application But the data: Could be much better used –By us and by campus Should be much better used –By us and by campus

Skidmore College - Data Repository What was the problem with the data? We had the course data –Currently: AIMS –Soon: Oracle We had the authentication –Currently: LDAP (Netscape) –Soon: LDAP (Oracle or Microsoft) We were changing other apps as well –Blackboard to WebCT –Phorum to Fusetalk

Skidmore College - Data Repository Mitigate effects of upcoming data source changes –New student system, Misc. AIMS systems LDAP server changes –New LDAP server, potential schema changes Work around primary data source downtime –Application upgrades, cold backups Address growing security concerns –Web access and developer access

Skidmore College - Data Repository The Repository Consolidate authoritative data –Current student system –Oracle Human Resources –Housing system –Campus card system –Etc. (for present and future) Common development platform Common authentication for custom apps.

Skidmore College - Data Repository Availability and efficiency –Close to 24 X 7 uptime –Flat file indexed data for faster retrieval –Easier for developers Updated nightly from primary data sources Scalable

Skidmore College - Data Repository Common user authentication –One ColdFusion component –Provides common authentication and returns a common set of data regardless of the data source –Isolates developers from the underlying data structure and potential changes Better availability of administrative data Platform for future growth
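
The common authentication component on this slide, sketched as an added example in Python (not Skidmore's ColdFusion code and not from the presentation): two sources with different layouts sit behind one `authenticate()` call that returns the same fields either way and fails closed. The class names, field names, sample accounts, password-hashing scheme and the skipping of unreachable sources are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Fixed attribute set handed to every application, whichever source answered.
COMMON_FIELDS = ("user_id", "display_name", "email", "affiliation")


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class StudentSource:
    """Hypothetical student-system adapter; rows and column names are constructed."""

    def __init__(self):
        salt = os.urandom(16)
        self._rows = {"jdoe": {"STU_NAME": "Doe, Jane", "STU_MAIL": "jdoe@example.edu",
                               "SALT": salt, "PWHASH": hash_password("correct horse", salt)}}

    def lookup(self, user_id):
        row = self._rows.get(user_id)
        if row is None:
            return None
        family, given = (part.strip() for part in row["STU_NAME"].split(","))
        record = {"user_id": user_id, "display_name": f"{given} {family}",
                  "email": row["STU_MAIL"], "affiliation": "student"}
        return row["SALT"], row["PWHASH"], record


class HRSource:
    """Hypothetical HR-system adapter with a different layout; data is constructed."""

    def __init__(self):
        salt = os.urandom(16)
        self._people = [{"login": "bsmith", "given": "Bob", "family": "Smith",
                         "mail": "bsmith@example.edu", "salt": salt,
                         "hash": hash_password("staple battery", salt)}]

    def lookup(self, user_id):
        for person in self._people:
            if person["login"] == user_id:
                record = {"user_id": user_id, "email": person["mail"],
                          "display_name": f"{person['given']} {person['family']}",
                          "affiliation": "staff"}
                return person["salt"], person["hash"], record
        return None


# Verified against when no source knows the user, so unknown accounts cost the same work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def authenticate(sources, user_id, password):
    """Return the common record on success, None on any failure (fail closed)."""
    found = None
    for source in sources:
        try:
            found = source.lookup(user_id)
        except ConnectionError:
            continue  # an unreachable source is skipped, never treated as success
        if found is not None:
            break
    salt, stored, record = found if found is not None else (_DUMMY_SALT, _DUMMY_HASH, None)
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if record is None or not matches:
        return None
    # Only the common fields leave the component; salts and hashes never do.
    return {field: record[field] for field in COMMON_FIELDS}
```

Replacing a source then means writing one new adapter with a `lookup()` method; applications that call `authenticate()` see no change.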

Skidmore College - Data Repository Ability to support additional needs: –On-line campus directories –Health Services client information –Campus Safety ticketing system –On-line grades, course schedules –Portal (future) –E-Portfolio (future) –Face book (students now, staff future)

Skidmore College - Data Repository What did we learn? Large investment in existing data –Time, effort, and money Original databases are silos of information Most databases only use original apps Most “custom” apps are used to… –View same data (within one silo) –By same department / users

Skidmore College - Data Repository Repository cuts across the silos Once in repository, easy to use / access –By everyone Repository creates ready opportunities for new applications

Vassar College - Poughkeepsie, NY Catalyst: –“There must be a better way.” Project: –Web based “Control Panel” No centralized directory –No real use of LDAP No single authoritative source of person info –Consolidation will occur in time –But this is a great start

Vassar College - Poughkeepsie, NY Single web page to manage many user prefs – prefs, spam settings, password changes Password changes ripple across systems – (Unix), Windows domain, Blackboard Password resets now handled by form –Challenge / response –Checks for (relatively) strong passwords –Resets across all systems ( , domain, Bboard)

Vassar College - Poughkeepsie, NY Not an ideal design –Still feed back to many systems –No centralized, authoritative source of authentication But it is a step in the right direction –Lots of synchronization –Staff thinking about consolidation

Control Panel

Overview When to start What are the drivers Who to involve Assessing and planning The business case What to do Resources to do it

Resources Hardware Software Staff Consulting

Development Strategies Continuum “Roll your own”, open source based approach –Requires some breadth/depth of technical capability –Can adapt to complicated local environment “Commercial” approach –Typically a smaller, more-centralized, less complex environment – e.g. “everyone” is in one Microsoft or Novell domain –Off-the-shelf tools may work with little customization –Requires less range of technical capability

Hardware Primary components –Directory servers –Registry servers –Application servers – e.g. WebISO, Shibboleth Design as high-availability, scalable, enterprise service

Hardware Cost factors –Size of enterprise –Anticipated applications –Complexity of environment –Operating system

Software Server licenses Database management Directory Software –Microsoft, Sun, Novell, Open Source Meta-merge Self-Service

Staffing Communications, collaboration, documentation –On some campuses, endless meetings… Architect Systems management Database management Applications development

Consulting Consulting requirements sensitive both to overall strategy and local staff availability

Can you outsource your directory? Your campus has to own Identity Management, but may be able to outsource directory development and management NMI-EDIT-funded experiment in the CSU –Cal Poly SLO and CSU Stanislaus

There are never enough questions. There are no easy answers. There are no right (or wrong) answers. Small steps are OK.

Thank you!

Questions?