Christian Reilly, Manager of Global Systems Engineering, and Brian Ward, Manager of Integration Services, make a good case for how to use OpenID and OAuth in an extended enterprise environment. Bechtel is a $30B business with 44,000 employees.
See slide 13 for a description of Identity “2.0” and BYOI (Bring Your Own Identity), provided via OpenID through Janrain Engage: www.janrain.com
Bechtel On OpenID and OAuth from Cloud Identity Summit
1. Identity in the Bechtel Cloud
Why and how one of the most successful Engineering & Construction companies rebuilt their digital world…
Christian Reilly – Manager of Global Systems Engineering
Brian D Ward – Manager of Integration Services
5. Our business model is evolving to be more complex and distributed.
Our two main challenges are related to:
Geography – Our projects are executed in many and distributed locations
People – Our resource model includes permanent and temporary employees, as well as vendors, customers, partners, and competitors
[Slide graphic labelled “gray zone”]
8. Active Directory – separate internal and external forests
Integrated Authentication, Kerberos Constrained Delegation, Reverse Proxy
Complex trust models & ICC’s
Application mix from Bechtel, Client, Partner, Competitor
Wide variety of application architectures
9. [Architecture diagram, current state: Core Apps (TimeCard, SAP, Intranet), File Shares, Mail, Printers, Desktop, AD, Internet Access, SaaS reached through a SaaS Bridge, and other apps (the long tail)]
10. High degree of operational complexity
Poor visibility into which people are accessing which resources
Inflexible model slows down deployment of services and applications to projects
Difficult to accommodate new user communities (which change daily)
Not readily adaptable to SaaS offerings
11. Why is it so easy in The Cloud? And yet so hard in the Enterprise?
12. Realizations
– “Castle and Moat” approach to security is dead
– Our Windows-centric approach has significant technical and operational constraints
– Authentication/Authorization are the key problems to solve
Resolutions
– We need a completely new approach
– Make all applications/services SaaS
– Make Bechtel a SaaS Provider (wow)
– Replace, not augment, the current model
13. Identity “2.0”
– A new identity model – identities for life
– BYOI with OpenID (Janrain), Federation
– Anyone can have an account
– Self Registration based on relationships
Authorization
– Integrated into SAP
– Attribute store – single source of truth, replacement for groups
– Coarse-grained authz performed by Ping (the Ping Identity federation layer)
– Fine-grained authz done in apps for now, centrally later
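An added example (not from the deck and not Bechtel's code) of the two-tier authorization model sketched above: a coarse-grained decision at the entry point, of the kind slide 13 assigns to the federation layer, and a fine-grained decision inside an application, both driven by one attribute store instead of group memberships. The attribute names, policy rules, identities and documents are constructed for illustration; dates are ISO 8601 strings so the relationship lifecycle can be checked by plain string comparison.

```python
"""Two-tier attribute-based authorization driven by a single attribute store.

Hypothetical example: attribute names, policy and identities are constructed,
not a real schema. Identities are keyed by a federated identifier (an OpenID
URL), not by a Windows account or an AD group.
"""

# Constructed attribute store: the single source of truth for who a subject is,
# which organisation they belong to, which projects they are assigned to and
# until when the relationship is valid (ISO 8601, so strings compare in order).
ATTRIBUTE_STORE = {
    "https://alice.example/openid": {
        "relationship": "employee", "organization": "bechtel",
        "projects": {"P-100", "P-200"}, "valid_until": "2099-01-01",
    },
    "https://bob.example/openid": {
        "relationship": "vendor", "organization": "acme-pumps",
        "projects": {"P-100"}, "valid_until": "2011-06-30",
    },
    "https://carol.example/openid": {
        "relationship": "client", "organization": "client-corp",
        "projects": {"P-200"}, "valid_until": "2099-01-01",
    },
}

# Constructed per-application policy evaluated at the entry point: which kinds
# of relationship may reach the application at all. No user-by-user lists.
APP_POLICY = {
    "timecard": {"allowed_relationships": {"employee"}},
    "project-docs": {"allowed_relationships": {"employee", "vendor", "client"}},
}


def coarse_grained(subject, app, today):
    """Entry-point decision: may this identity reach the application at all?

    Returns (allowed, reason). The lifecycle check comes first so an expired
    vendor or client is cut off everywhere without touching any application.
    """
    attrs = ATTRIBUTE_STORE.get(subject)
    if attrs is None:
        return False, "unknown identity"
    if today > attrs["valid_until"]:
        return False, "relationship expired"
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if attrs["relationship"] not in policy["allowed_relationships"]:
        return False, "relationship not permitted for application"
    return True, "ok"


def fine_grained_document_access(subject, document, today):
    """In-application decision for one document of the project-docs app.

    document is a constructed dict with "project" and "classification".
    The coarse-grained gate is re-evaluated here on purpose: the application
    must not assume the entry point has already run.
    """
    ok, reason = coarse_grained(subject, "project-docs", today)
    if not ok:
        return False, reason
    attrs = ATTRIBUTE_STORE[subject]
    if document["project"] not in attrs["projects"]:
        return False, "not assigned to project"
    if document["classification"] == "internal" and attrs["relationship"] != "employee":
        return False, "internal document, non-employee"
    return True, "ok"


if __name__ == "__main__":
    internal_doc = {"project": "P-100", "classification": "internal"}
    for who in ATTRIBUTE_STORE:
        print(who, "timecard:", coarse_grained(who, "timecard", "2011-07-01"))
        print(who, "P-100 internal:", fine_grained_document_access(who, internal_doc, "2011-07-01"))
```

Changing what a vendor may see is a change to attributes or policy, never a membership edit in an AD group, which is the point of "attribute store as replacement for groups".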
14. Integration
– SAML / OpenToken integration for all deployed applications
– Citrix integration with credential translation for legacy application support
– Two-legged OAuth STS for web services
Services
– New application stacks (SaaS-style)
– File / Print / Internet Access authentication replacement
– New desktop model – BYOD
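The “two-legged OAuth STS for web services” on slide 14 is service-to-service OAuth 1.0a: there is no resource-owner token, only the calling service's consumer key and secret, so the HMAC key is the encoded consumer secret followed by an empty token secret. The following added example (not Bechtel's or Ping's code) models both sides of that exchange with HMAC-SHA1 as specified in RFC 5849, including the checks a verifying STS needs beyond the signature itself: a registered consumer key, a timestamp window, and nonce tracking against replay. The base URL, consumer key and secret are constructed. Today the same service-to-service case would normally use OAuth 2.0 client credentials with mTLS or JWT client assertions rather than OAuth 1.0 signatures.

```python
"""Two-legged OAuth 1.0a (HMAC-SHA1) signing and verification.

Hypothetical example: the signing client and the verifying STS / web service
are both modelled here so the exchange runs offline. Keys, secrets and the
URL are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only -._~ unreserved)."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """Build the signature base string: METHOD & enc(url) & enc(sorted params).

    params holds the oauth_* parameters plus the request's own query/form
    parameters; oauth_signature is excluded. base_url carries no query string.
    Keys and values are encoded before sorting, as the spec requires.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(consumer_secret, base_string):
    # Two-legged: no token, so the token-secret half of the key is empty.
    key = (pct(consumer_secret) + "&").encode("ascii")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(consumer_key, consumer_secret, method, base_url, params,
                 nonce=None, timestamp=None):
    """Client side: return the full parameter set the caller sends."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(
        consumer_secret, signature_base_string(method, base_url, signed))
    return signed


class Verifier:
    """Server side: what the STS or protected web service must check."""

    def __init__(self, consumer_secrets, window_seconds=300):
        self.consumer_secrets = consumer_secrets   # consumer_key -> secret
        self.window = window_seconds
        self.seen_nonces = set()                   # (consumer_key, timestamp, nonce)

    def verify(self, method, base_url, params, now=None):
        """Return (accepted, reason); the reason names the first failing check."""
        now = now if now is not None else int(time.time())
        key = params.get("oauth_consumer_key")
        secret = self.consumer_secrets.get(key)
        if secret is None:
            return False, "unknown consumer key"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce_id = (key, ts, params.get("oauth_nonce"))
        if nonce_id in self.seen_nonces:
            return False, "nonce replayed"
        expected = hmac_sha1_signature(secret, signature_base_string(method, base_url, params))
        # Constant-time comparison; the method and URL are bound via the base string.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce_id)  # record only after the signature checks out
        return True, "ok"


if __name__ == "__main__":
    url = "https://api.example.com/v1/timecards"       # constructed
    sts = Verifier({"timecard-svc": "s3cret"})          # constructed registration
    req = sign_request("timecard-svc", "s3cret", "GET", url, {"employee": "E123"})
    print("first call:", sts.verify("GET", url, req))
    print("replay:    ", sts.verify("GET", url, req))
```

The nonce set must be shared across STS instances (and bounded by the timestamp window) or the replay check is only per node; with a 300-second window a nonce older than that can be dropped, since its timestamp alone will reject it.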
15. [Architecture diagram, target state: Core Apps (TimeCard, SAP, Intranet), File Shares, Mail, Printers, Browser, SaaS, Internet Access and other apps (the long tail), all fronted by an identity layer labelled “Identity Array”]
16. Simplicity
– Built for the “Internet” not for the “Enterprise”
– No “internal” vs. “external” architectural constraints
– Moving away from managing every user account
Agility
– Modular framework of security, UI and services
– Applications decoupled from infrastructure
– No vendor lock-in via open standards/open source
– Able to accommodate SaaS and new identity pools natively (with added hope for Microsoft “Geneva”, later shipped as AD FS 2.0)
17. Affordability
– Lower overall operational cost
– “B3” approach allows greater flexibility in cost management
– New vendors embrace new commercial models
Security
– Standards-based security
– Single point of entry & logging
– Secured by policy, not by topology (secure the data, not the device)
– Easily allow any user access to any data in a controlled life cycle
18. Why can’t we just buy this… hint, hint?
Unraveling years of LAN / WAN based legacy is, well, damn hard.
19. Facts
– SaaS integration quickly becoming a commodity
– Federation and/or OpenID fills in the moat
– SaaS moves you out of the castle in the “Metro”
Key Questions
– What does the enterprise have left?
– How long is the tail for traditional enterprises?
Challenges
– Authorization is THE game to win
– Push provisioning is, at best, an interim solution
– A central model with standards-based interfaces is desperately needed