Case Study: McKesson
Transcript of Case Study: McKesson
Virtual Directory Use Cases
McKesson
McKesson At-a-Glance
McKesson Corporation 2
• Founded in 1833
• Ranked 14th on Fortune’s list,
with $140.0 billion in revenues
• Headquartered in San Francisco
• More than 42,000 employees
• Two segments: Distribution Solutions
and Technology Solutions
• Total focused on health care
McKesson is one of America's oldest and largest services companies.
Leadership Positions in Both Segments
Distribution Solutions
• #1 pharmaceutical distributor in U.S. and Canada
• #1 generics distributor
• #2 in specialty distribution and services
• #1 in medical-surgical distribution to alternate care sites
• 2,900+ Health Mart® retail pharmacy franchisees
• Comprehensive retail information systems and automation offerings
Technology Solutions
• Serve 52% of all U.S. hospitals
• Leader in clinical, revenue-cycle and resource-management solutions
• Leading RelayHealth™ claims-processing and connectivity business
• 200,000+ physician customers
• #1 in physician revenue cycle and practice management
• #1 in medical-management software and services to payers
Information Security Architecture & Services
We are members of McKesson's Information Security and Risk Management, providing a range of services including security consulting and operations, IT risk management and incident management.
We Deliver Security Solutions to Enable and Protect Businesses by:
• Offering a comprehensive portfolio of security services supported by core security capabilities that meet McKesson customers' regulatory, industry and internal requirements
• Enabling McKesson business units to establish trust between organizations, partners, third-party users, and customers through federation, certificate services and secure collaboration
• Increasing our competitive advantage in security solutions through ongoing analysis of the latest security architecture trends and product offerings such as cloud security and security as a service
The Four Pillars of Identity Services
[Figure: four pillars, each a column of capabilities with the benefits it delivers.]
Pillars: Identity Data Services; Identity Management; Access Management; Audit, Role & Compliance
Capabilities shown: User Self-Service & Password Management; Virtual Directory; Web Access Management/SSO; Centralized Audit; Delegated Administration; Synchronization/Replication; Federated Identity Management/SSO; Logging and Monitoring; Automated Approvals and Workflows; Meta Directory; Authentication & Authorization; Access Certification; Enterprise Role Definition; Directory Storage; Standard APIs; Reporting
Benefits shown: Enhanced user experience; Improved management of security risks; Efficient development/deployment of applications; Reusable integration; HIPAA, SOX compliance; Common access logs; Improved accountability; Common reporting; Reduced administrative tasks; Reduced help desk calls; Improved process efficiency; Central user information; Improved security; Accountability; Cost savings
Identity Data: Foundational Element for IRM
[Figure: identity data drawn from HR databases, application databases, LDAP directories and cloud apps.]
Business Case for Virtual Directory
Use cases and benefits:
• Enterprise Role & Compliance: simplifies user access review application integration; business units subject to PCI and/or HIPAA Privacy/Security regulations; one place to report across all platforms
• Hybrid Cloud SSO & SaaS Identity Management: facilitates SSO to cloud-based services (e.g. Azure/Office 365, Salesforce, Box, WebEx); provides a global view of identity
• SSO Enterprise & Customer Facing Across Multiple Identity Data Stores: reduces development effort in migrating to a single directory; simplifies migration to an IAM platform
Business Case for Virtual Directory (continued)
Use cases and benefits:
• Mergers & Acquisitions: reduction of migration cost due to minimization of identity data consolidation and custom coding; reduced engagement of external M&A specialists; no violation of EU Data Protection Directives due to the M&A activities with identity data
• Attribute-based Access Control: provides more granular access control; attributes are easier to attest than groups and roles
• Database Security: improves user experience and security by enabling SSO to databases using corporate credentials
Achieving SSO across Identity Silos
Situation #1: Scattered Attributes
Situation #2: Scattered Passwords
Approach #1: SSO with OpenAM/DJ/IDM Alone
• Design OpenDJ schema to store all the user attributes within
targeted SSO application(s) – A significant effort if targeted
applications have various overlapping user attributes
• Migrating existing user authentication store to OpenDJ (leave
the user authorization local to the individual applications) – this
is a significant effort, especially when user store is RDBMS
instead of LDAP
• Use OpenAM for access management for the SSO portal
• Change each individual application to integrate with OpenAM
Approach #2: OpenAM and VDS Common Access Point and Common Identity
[Figure: App 1, App 2 and App 3 databases and LDAP/other stores feed a Federated Identity Service, which serves SaaS and web applications.]
Multiple sources of identity with different schemas, protocols, format, and structure; the application(s) expect a single normalized source.
Step#1: Join Identities Across Data Sources
Benefits of RadiantOne and ForgeRock
• Improved user experience: the user only needs to log in once to access one or multiple applications
• SSO implementation has minimal impact on existing applications since there is no user data migration
• Self-service password management enhances usability while increasing security and reducing the need for helpdesk support
• Standards-based solution reduces vendor lock-in
• Established Identity Data Service benefits mobile and cloud services
Joining Data across AD Domains
Challenge – Two Autonomous Domains
• McKesson employees primarily reside in one AD domain (IT)
• A business unit's (BU) employees are being migrated from their AD domain to the IT AD domain
• The BU domain also includes non-employee accounts that cannot be migrated to the IT domain
• Distribution lists originating in the BU and migrated to IT may contain non-employee accounts that will remain in the BU
• Changes made to the BU distribution lists are automatically replicated to the corresponding IT distribution lists
• Distribution lists cannot be managed across the BU and IT domains without logging into each domain separately to add and remove users in each domain
• Requiring logging in and out of each domain to make a single update introduces unacceptable management overhead and increases the risk of error
Solution
Radiant Logic Virtual Directory Service (VDS) is installed and configured to access both AD domains:
• VDS extracts the users and groups from both domains
• A view is created in the VDS as a branch that includes the groups and users from the BU domain, including the non-employee accounts
• Another view is created in the VDS as a branch that includes the groups and users from the IT domain
• The VDS Groups Builder is used to add and remove users in distribution lists in the BU and IT domains from a single interface
• The Groups Builder add-user function provides a pick-list of available user accounts to add or remove
• Creating new distribution groups is also an option
Mergers and Acquisitions (M & A)
Mergers & Acquisitions
Why is it important to the business?
• Value of M&A impacted by rate of assimilation of users and resources
• M&A targets have vastly different IT structures and conventions
• Need a layer to provide translation and transformation
• Maintain business continuity (first do no harm!)
• Provide access to applications across both environments
• Migrate applications and users at desired pace
Mergers & Acquisitions
[Figure: the US company population and the European company population are presented as a US company view and a European company view, each containing both US Co. and Eur. Co. identities.]
Configuration and Security
• Existing synchronization will duplicate additions made to groups in the BU domain to the corresponding groups in the IT domain
• Filter initial views from BU and IT to only provide access to specific distribution groups and exclude security groups
• Filter the attributes of the user accounts in the view to simplify display and hide any sensitive data
• Use ACLs in VDS to tailor access to the BU and IT views
• Limit access to view or update the users and distribution groups only to select individuals or members of select security groups
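An added example (not from the deck and not Radiant Logic's code) of the three controls just listed, applied to constructed AD-style entries: the view keeps only distribution groups by testing the security-enabled bit of AD's groupType attribute, user entries are projected to a whitelist of attributes, and only members of an assumed admin security group may change membership.

```python
from typing import List

# In Active Directory, bit 0x80000000 of groupType marks a security-enabled
# group; distribution groups do not have it set. groupType is stored as a
# signed 32-bit integer, so the value is masked before the bit is tested.
SECURITY_ENABLED = 0x80000000

# Constructed group entries from the BU and IT domains (values are invented):
# 2 = global distribution, 8 = universal distribution, -2147483646 = global security.
GROUPS = [
    {"cn": "BU-Announcements", "groupType": 2, "member": ["cn=amy,dc=bu"]},
    {"cn": "BU-Admins", "groupType": -2147483646, "member": ["cn=ops,dc=bu"]},
    {"cn": "IT-Announcements", "groupType": 8, "member": ["cn=bob,dc=it"]},
]
# Constructed user entry carrying attributes that must not reach the view.
USERS = [
    {"cn": "amy", "mail": "amy@bu.example", "employeeID": "E-1", "unixUserPassword": "x"},
]
VIEW_ATTRS = ("cn", "mail")        # attribute whitelist for the user view
LIST_ADMINS = {"cn=ops,dc=bu"}     # assumed members of the admin security group


def is_security_group(group_type: int) -> bool:
    """True when the groupType value has the security-enabled flag set."""
    return bool((group_type & 0xFFFFFFFF) & SECURITY_ENABLED)


def distribution_groups(groups: List[dict]) -> List[dict]:
    """View filter: expose distribution groups only, never security groups."""
    return [g for g in groups if not is_security_group(g["groupType"])]


def project_user(user: dict) -> dict:
    """Attribute filter: drop every attribute that is not on the whitelist."""
    return {k: v for k, v in user.items() if k in VIEW_ATTRS}


def can_modify(actor_dn: str, group: dict) -> bool:
    """ACL: only list admins may change membership, and only of distribution groups."""
    return actor_dn in LIST_ADMINS and not is_security_group(group["groupType"])


if __name__ == "__main__":
    print([g["cn"] for g in distribution_groups(GROUPS)])
    print(project_user(USERS[0]))
    print(can_modify("cn=ops,dc=bu", GROUPS[0]), can_modify("cn=amy,dc=bu", GROUPS[0]))
```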
Technical Benefits of Virtual Directory Approach
• Build a global list of all identities and a complete profile of each identity usually in days — not months.
• Eliminate any manual re-architecting, schema extensions, synchronization, or construction of complex code in order to achieve future state identity repository.
• Safely expose true identities to external applications and partners through a secure virtual layer.
• Reduce or eliminate the need to establish new trusts across AD domains and forests.
• Migrate existing groups, and dynamically create new groups based on attributes found in legacy repositories.
• Guarantee directory-like performance
Flexibility in Defining Groups by Attributes
Based on joining attributes for a user across three sources:
• LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
• Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], departmentNumber=234
• Database row (EMPID, REGION, CLRLEVEL, USERID, DEPTID): 509-34-5855, PA, 1, Andrew_Fuller, 234
Correlated Identity View: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], uid=AFuller, title=VP Sales, clearanceLevel=1, region=PA, departmentName=Sales, memberOf=PA Sales
Dynamic Groups View: cn=PA Sales, member=Andrew_Fuller, based on identities that have ClearanceLevel=1, title=VP Sales and Region=PA
Flexibility with Groups: Leveraging/Re-Mapping Existing Groups
[Figure: three directories with different tree layouts, re-mapped under one virtual tree.]
• Active Directory US Domain (dc=us): ou=people holds cn=john; ou=groups holds cn=marketing with member=cn=john,ou=people,dc=us
• Active Directory Europe Domain (dc=europe): cn=users holds cn=bob; ou=groups holds cn=sales with member=cn=bob,cn=users,dc=europe
• Sun Directory (o=corp): ou=west/ou=ca holds cn=nancy; ou=groups holds cn=HR with uniqueMember=cn=nancy,ou=ca,ou=west,o=corp
Virtual tree (o=VDS): branches ou=AD1 (ou=people, ou=groups), ou=AD2 (cn=users, ou=groups) and ou=Sun (ou=west/ou=ca, ou=groups), with the group members re-mapped into the virtual namespace:
• member=cn=john,ou=people,ou=AD1,o=vds
• member=cn=bob,cn=users,ou=AD2,o=vds
• member=cn=nancy,ou=ca,ou=west,ou=Sun,o=vds
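An added example (not part of the deck and not Radiant Logic's code) of the re-mapping shown above: three backends with different suffixes and membership attributes are mounted under o=vds, and the DNs in their group membership values are rewritten into the virtual namespace. The backend data is constructed from the slide; the mount points ou=AD1, ou=AD2 and ou=Sun are taken from it.

```python
from typing import Dict, List

# Constructed backend data mirroring the three directories on the slide: each
# backend's real suffix, the virtual branch it is mounted under, the attribute
# it uses for membership, and its group entries.
BACKENDS = [
    {"suffix": "dc=us", "mount": "ou=AD1,o=vds", "member_attr": "member",
     "groups": {"cn=marketing,ou=groups,dc=us": ["cn=john,ou=people,dc=us"]}},
    {"suffix": "dc=europe", "mount": "ou=AD2,o=vds", "member_attr": "member",
     "groups": {"cn=sales,ou=groups,dc=europe": ["cn=bob,cn=users,dc=europe"]}},
    {"suffix": "o=corp", "mount": "ou=Sun,o=vds", "member_attr": "uniqueMember",
     "groups": {"cn=HR,ou=groups,o=corp": ["cn=nancy,ou=ca,ou=west,o=corp"]}},
]


def to_virtual_dn(dn: str, suffix: str, mount: str) -> str:
    """Replace a backend suffix with its virtual mount point (case-insensitive).

    A DN that is not under the backend's suffix is returned unchanged, so a
    reference into some other naming context is never rewritten into the
    wrong branch.
    """
    if dn.lower() == suffix.lower():
        return mount
    tail = "," + suffix.lower()
    if dn.lower().endswith(tail):
        return dn[:-len(tail)] + "," + mount
    return dn


def build_virtual_groups(backends: List[dict]) -> Dict[str, List[str]]:
    """Return {virtual group DN: [virtual member DNs]} for every backend.

    Whatever attribute the backend used (member or uniqueMember), the virtual
    view presents membership under one name, as the slide shows with 'member'.
    """
    virtual: Dict[str, List[str]] = {}
    for be in backends:
        for group_dn, members in be["groups"].items():
            vgroup = to_virtual_dn(group_dn, be["suffix"], be["mount"])
            virtual[vgroup] = [to_virtual_dn(m, be["suffix"], be["mount"])
                               for m in members]
    return virtual


if __name__ == "__main__":
    for group, members in build_virtual_groups(BACKENDS).items():
        print(group + ": member=" + ", member=".join(members))
```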
Flexibility in Defining Groups: Group Memberships That Change with Your Users
[Figure: three sources mounted under o=VDS.]
• LDAP Directory: userID=12952, cn=john_smith, department=Sales; userID=12954, cn=leah_scott, department=HR; userID=12943, cn=todd_jones, department=Marketing
• Active Directory: EmployeeID=16473, samAccountName=ssmith, department=Marketing, Email: [email protected]; EmployeeID=16453, samAccountName=lgreen, department=Sales, Email: [email protected]
• Database (DEPT, OFFICE, DEPT_MGR, DEPT_ID): Sales, Seattle, Jim Samon, 129; HR, LA, Scott Thalon, 954
Resulting dynamic groups:
• cn=Sales, objectClass=group, member=john_smith, member=lgreen, member=Jim Samon
• cn=HR, objectClass=group, member=leah_scott, member=Scott Thalon
• cn=Marketing, objectClass=group, member=todd_jones, member=ssmith
Group members are built dynamically based on the department attribute in the user entries.
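An added example (not from the deck and not RadiantOne's code) covering both the correlated identity view two slides back and the dynamic groups on this slide: one person is joined across an LDAP entry, an AD account and an HR database row, and group membership is then computed from the joined attributes rather than stored, so it follows the user when an attribute changes. The records, the join keys (employeeNumber between AD and LDAP, USERID equal to samAccountName for the database), the DEPTID-to-name lookup and the mail value are all constructed assumptions.

```python
from typing import Callable, Dict, List

# Constructed source records (values invented for the example).
LDAP = {"AFuller": {"uid": "AFuller", "employeeNumber": "2", "title": "VP Sales",
                    "givenName": "Andrew", "sn": "Fuller", "departmentNumber": "234"}}
AD = {"Andrew_Fuller": {"samAccountName": "Andrew_Fuller", "employeeNumber": "2",
                        "mail": "andrew.fuller@example.com", "departmentNumber": "234"}}
DB = [{"EMPID": "509-34-5855", "REGION": "PA", "CLRLEVEL": "1",
       "USERID": "Andrew_Fuller", "DEPTID": "234"}]
DEPT_NAMES = {"234": "Sales"}  # assumed lookup from DEPTID to a department name


def join_identity(sam: str) -> Dict[str, str]:
    """Build one correlated profile for an AD account.

    Join keys (assumed for the example): AD and LDAP share employeeNumber;
    the database USERID equals the AD samAccountName. A source with no
    matching record is skipped so a partial profile is still returned.
    """
    profile: Dict[str, str] = dict(AD.get(sam, {}))
    emp = profile.get("employeeNumber")
    for entry in LDAP.values():
        if emp is not None and entry.get("employeeNumber") == emp:
            profile.update(entry)
    for row in DB:
        if row["USERID"] == sam:
            profile["clearanceLevel"] = row["CLRLEVEL"]
            profile["region"] = row["REGION"]
            profile["departmentName"] = DEPT_NAMES.get(row["DEPTID"], row["DEPTID"])
    return profile


# Dynamic group rules: group cn -> predicate evaluated over the joined profile.
# Membership is recomputed on every call, so it follows attribute changes.
RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "PA Sales": lambda p: (p.get("clearanceLevel") == "1"
                           and p.get("title") == "VP Sales" and p.get("region") == "PA"),
    "Sales": lambda p: p.get("departmentName") == "Sales",
    "HR": lambda p: p.get("departmentName") == "HR",
}


def dynamic_groups(profile: Dict[str, str]) -> List[str]:
    """Return the cn of every rule-based group the profile currently satisfies."""
    return [cn for cn, rule in RULES.items() if rule(profile)]


if __name__ == "__main__":
    p = join_identity("Andrew_Fuller")
    print(p)
    print("memberOf:", dynamic_groups(p))
```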
Q&A