This case study examines the enterprise Identity Management implementation undertaken at the Queensland Department of Education and Training in partnership with UNIFY Solutions. The study provides an insight into the formation of the program, from strategy development to building the compelling business case necessary to gain Executive Board approval, with insights from both a business and an IT perspective.
UNIFY Solutions has played a fundamental role in enabling the Department’s vision for connecting staff and students to the digital world.
Strategic planning is not forecasting. Strategy is analytical thinking and commitment of resources to action.
The resulting Comparison Matrix mapped mandatory application requirements for IDM to platform capability based upon Provisioning, Access Management and Lifecycle Management. It was not intended to be a feature-by-feature comparison of the platforms but was designed to identify the key strategic applications and whether the examined IDM platforms could meet the identified mandatory functionality requirements.
An outcome of this process showed that no single vendor could meet all the business and technical requirements of the future Target Architecture, resulting in the adoption of a ‘best fit’ hybrid solution comprising Microsoft’s ILM and IBM Tivoli Access Manager.
The resulting matrix was an important decision support tool incorporated in the business case and used to brief sponsoring Executives on the preferred approach and solutions.
The introduction of effective, streamlined security and authentication processes in order to provide secure, simplified access to information and services as envisaged by the Smart Classrooms strategy in 2005 has been realised.
As a result of the long-term, productive partnership between UNIFY Solutions and the Department of Education and Training, teachers, students and staff now have 24x7 online access to the information and applications needed to support teaching and learning in the 21st Century. The future challenge and opportunity for the Department is to evolve the IDM platform to meet the increasing demand for access to digital services anywhere, anytime, on any device.
Having a trusted strategic partner providing independent advice, certified IDM specialists and trainers ensures the Department is in a strong position to meet these challenges and opportunities. UNIFY Solutions were appointed in 2006 and continue to be the primary Identity Management Strategic Partner following the release of a tender and the establishment of a panel of Identity Management Specialists.
A key step in the lead-up to the business case is the development of a Target Architecture: a high-level design for the future state of IDM within the organisation. This IDM Target Architecture should articulate the future business and technical requirements over the next three to five years.
The IDM Target Architecture is critical to building an understanding of IDM across stakeholders and enables the organisation to perform a gap analysis between the ‘as-is’ and ‘to-be’ future state, which will form the basis of a comprehensive and logically structured implementation roadmap.
The approach taken to develop an IDM target architecture by the Department in partnership with UNIFY Solutions included:
Target Architecture Steps
- Identifying business and technical requirements;
- Reviewing applications and infrastructure, resulting in a Directory Inventory;
- Defining the future Identity Management conceptual architecture;
- Performing a gap analysis between the Directory Inventory and the IDM Target;
- Developing a roadmap including budget estimates;
- Conducting a detailed market scan and technical reviews.
A key step undertaken by UNIFY Solutions and QDET in developing options to achieve the IDM Target Architecture was the conduct of a series of structured technical interviews and solution reviews with the leading IDM vendors and Solution Integrators. The output from the technical interviews was used to create a functional fit against the business and technical requirements. Having access to UNIFY’s technical IDM specialists, with a deep understanding of each vendor product’s strengths and weaknesses, was invaluable in determining the functional fit.
Administrative efficiencies, auditing and compliance, whilst key benefits associated with an enterprise IDM system, are not sufficient to make a compelling business case for either new or continuing expenditure. In constructing the business case going forward to an executive management board or budget committee, think business outcomes, not technology outcomes.
Business Outcomes not Technology Outcomes
- Don’t think Single Sign On ... think improving the user experience, leading to an increase in productivity
- Don’t think Directory Services ... think a single point of truth for critical information, maintaining privacy and duty of care
- Don’t think Access Management ... think providing users with the information and systems needed to be successful in their role
- Don’t think Privileged Identity Management ... think protecting privacy and critical information and systems from unauthorised access
The system would provide user registration, streamlined security and authentication processes, access rights and restrictions, account profiles, passwords, and other attributes required to support a ‘single student record’ and provide students, teachers, staff and eventually parents with secure, simplified access to information and services appropriate to their role.
This enabled the IDM Program to be initiated as part of the wider departmental digital strategy with a clear, causal link between IDM and the delivery of the core business of the Department. Without this strong and compelling connection the IDM Program and its sub-projects risked delays, budget reduction and scale-back, especially as the implementation was scheduled across multiple years and budget cycles and, eventually, changes of government. All programs and initiatives at the scale, complexity and risk of an enterprise IDM program will eventually come before the organisation’s executive board of management for sign-off, initiation and review. Executive boards and budget committees are under constant pressure to reduce back-office costs, improve efficiencies and focus resources on core business delivery and front-line services or products. Any expenditure in areas not considered core and critical to the success of the organisation is inevitably targeted for reduction.
In the context of the Department, at the time the Smart Classrooms strategy was being developed there were over 2600 directories and 1300 authoritative sources as a result of multiple, local split networks at every location and separate instances of the student management system for each school. Teachers were reporting that new user accounts took weeks to create, with separate identities required to access each of the major learning and administration systems.
As-Is IDM Architecture
In response to this complex, distributed, unmanaged environment, a future state IDM system was defined as an integrated system of business processes, policies and technologies that would enable teachers, students and staff to access departmental applications and resources — while protecting confidential student, staff personal and business information from unauthorised access.
Identity Management (IDM) implementations are technically complex, high-risk activities in any organisation, let alone in an education jurisdiction with over 600,000 student and staff identities located in over 1500 locations spanning a 2300 km footprint across Queensland. Implementations are resource intensive, spawning multiple projects usually executed over successive years that directly impact the core front-line and business systems of the organisation. In 2005 the Department launched the Smart Classrooms Strategy, a digital blueprint for the future of teaching and learning over the coming decade and beyond. The core of the vision was the personalisation of teaching and learning in order to lift student outcomes. The strategy was predicated on providing teachers, students and staff with increased access to online information, services and tools to personalise the learning for every student, leading to improved student outcomes.
The IAM system is now considered to be both mature and business critical within the day-to-day operations of the Health Directorate. The process efficiencies and the associated business value that have been achieved are well recognised and a number of additional capabilities and refinements have been identified. These opportunities will be analysed and further project funding requested.
At the same time, IAM is attracting increased attention within the whole of ACT Government and the Health Directorate provides well-informed input to those discussions. Such interagency co-operation allows the Health Directorate to clearly demonstrate the business value it has already derived and to share its learnings with others.
This approach will allow the Health Directorate to continue to drive its own IAM initiatives whilst actively supporting whole of Government plans and solutions.
Phase 2 of the IAM system was developed over the following 15 months with a clear focus on:
- automating systems access requests and approvals;
- recording subsequent time-based access “entitlements”; and
- automated provisioning actions.
At the same time, a number of repeatable use cases were analysed and IAM functionality was developed to improve their efficiency. Responding to feedback from over 12 months of operations, a number of process improvements were also introduced.
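The Phase 2 focus above (approved requests recorded as time-based entitlements that drive automated provisioning) can be illustrated with a small reconciliation routine. This is an added example, not code from the Health Directorate or UNIFY Solutions; the identity records, system names and access snapshot are constructed, and the record layout is an assumption standing in for whatever the FIM Portal actually held.

```python
from datetime import datetime

# Constructed authoritative-source records: identity status plus time-bound
# entitlements (an assumed stand-in for the FIM Portal data, not real records).
IDENTITIES = {
    "u100": {"status": "active", "entitlements": [
        {"system": "clinical", "valid_from": "2024-01-01T00:00:00+00:00",
         "valid_to": "2024-12-31T23:59:59+00:00"}]},
    "u200": {"status": "terminated", "entitlements": [
        {"system": "clinical", "valid_from": "2023-01-01T00:00:00+00:00",
         "valid_to": "2025-12-31T23:59:59+00:00"}]},
    "u300": {"status": "active", "entitlements": [
        {"system": "rostering", "valid_from": "2024-03-01T00:00:00+00:00",
         "valid_to": None}]},  # open-ended entitlement
}
# Constructed snapshot of the access the target systems currently hold.
CURRENT_ACCESS = {"clinical": {"u100", "u200", "u300"}, "rostering": set()}


def entitlement_active(ent, now):
    """True when `now` falls inside the entitlement's validity window."""
    start = datetime.fromisoformat(ent["valid_from"])
    end = datetime.fromisoformat(ent["valid_to"]) if ent["valid_to"] else None
    return start <= now and (end is None or now <= end)


def desired_access(identities, now):
    """Target state: active identities with an in-window entitlement only.
    A terminated identity gets nothing, whatever its entitlements say."""
    desired = {}
    for uid, rec in identities.items():
        if rec["status"] != "active":
            continue
        for ent in rec["entitlements"]:
            if entitlement_active(ent, now):
                desired.setdefault(ent["system"], set()).add(uid)
    return desired


def reconcile(identities, current, now_iso):
    """Diff current access against the target state and return the
    provisioning actions as (action, system, uid) tuples, revokes first,
    so stale access is removed before anything new is granted."""
    now = datetime.fromisoformat(now_iso)
    desired = desired_access(identities, now)
    actions = []
    for system in set(current) | set(desired):
        have, want = current.get(system, set()), desired.get(system, set())
        actions += [("revoke", system, u) for u in sorted(have - want)]
        actions += [("grant", system, u) for u in sorted(want - have)]
    return sorted(actions, key=lambda a: (a[0] != "revoke", a[1], a[2]))
```

Running the reconciliation on a schedule is what turns a recorded expiry date into an actual revoke; without it, time-based entitlements are only documentation.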
A significant challenge that needed to be addressed in the design of the IAM processes and the supporting technical architecture of the IAM system was the fact that the HR / Payroll system proved to be an unsuitable authoritative source of identity details and identity lifecycle events.
As part of the ACT Government’s shared service model, the Health Directorate’s HR and payroll processes are externally managed by the Shared Service HR team whose services and service levels are standardised for all agencies, and are focused on completing fortnightly payroll obligations. Consequently, it was not possible for the Health Directorate to make changes to those processes to effectively support the objectives of their IAM system.
Therefore, the critical need to adopt an automated IAM system led the Health Directorate to select an alternative authoritative source for identities and their access-related details. It was decided to configure the Portal component of Microsoft’s FIM identity provisioning and synchronisation platform to support all identity creation, termination and maintenance functions, as well as providing the request initiation, approval workflow and notification functions.
The unavailability of the traditionally preferred authoritative source for People (the corporate HR system) was overcome in a way that allowed the Health Directorate to have control over its identity and access processes, which in part offset its inability to leverage existing HR processes.
The formal business case supporting the implementation of an automated IAM system presented a compelling case in terms of business impact (such as reducing staff on-boarding times from up to 10 days to a matter of hours) and the associated improvement in staff effectiveness in delivering clinical and other services. The supporting financial models demonstrated significant cost-benefit scenarios.
There are no technology projects, they are all business projects.