National Australia Group (UK) With Hindsight!
Rules of Engagement
If you have a question… raise your hand.
If you are shy… speak to me later or drop me an email at:
About the National
The Group is an international financial services organisation that provides a comprehensive and integrated range of financial products and services.
Our Purpose
Growth through excellent relationships.
Our Vision
We will be a leading international financial services company which is trusted by you and renowned for getting it right.
STRATEGIC OVERVIEW
Deliver solutions that help meet customers’ complete financial needs
Build and sustain a high-level performance culture
Build trusted relationships with all stakeholders
Build and manage our portfolio of businesses for strong and sustainable total shareholder return
Create and leverage strategic assets and capabilities for competitive advantage
So You’re Australian, right?
• National Australia Group’s UK interests include:
• Clydesdale Bank
• Yorkshire Bank
• National Australia Bank (London)
• The UK division has its own Technology team based in development centres in
• Glasgow (Scotland)
• Leeds (England)
• Belfast (Northern Ireland)
• More information can be found at www.nabgroup.com
NAG’s Applications
Retail Internet Banking (J2EE)
Branch Teller System (WSBTT)
Maintenance/Enquiries System (J2EE)
Sales & Illustration System (Siebel)
eMail System (iNotes)
Provisioning System (ITIM)
Adobe Print Servers/Archivers
I.M.M.P.s
NAG’s Applications
3270 Access to mainframe
Client/Server Applications
- Visual Basic
- C/C++
- Access
- Java
NAG Project Methodology & Success Criteria
Phase 1 (2003)
• Business Process: Front End Replacement
• IM: Common authentication & authorisation service for J2EE application, Siebel and iNotes
• Technology: Tivoli Access Manager/eTrust Directory
• Success Criteria: Reduction in UserIDs & Passwords
Phase 2 (2004)
• Business Process: New Application Rollout
• IM: New applications protected by security architecture
• Technology: Tivoli Access Manager/eTrust Directory
• Success Criteria: Reuse of UserIDs & Passwords
Phase 3 (2005)
• Business Process: Internet Banking Programme
• IM: Reuse of security architecture for customer interfaces
• Technology: Tivoli Access Manager/eTrust Directory
• Success Criteria: Creation of internet facing infrastructure
Phase 4 (2006)
• Business Process: Teller Replacement
• IM: Account Management
• Technology: Tivoli Identity Manager
• Success Criteria: Self-Password Reset & Provisioning
Phase 5 (2006)
• Business Process: 3rd Party Integration
• IM: Single Sign-On from company intranet to internet applications hosted by trusted 3rd Parties
• Technology: Tivoli Federated Identity Manager
• Success Criteria: Reuse of UserIDs & Passwords
We are here
The Final Picture
[Architecture diagram. Labels: External DMZ, Internal DMZ, Corporate Network (Intranet), Firewall, Browser (WWW), Browser (Intranet), Load Balancer (Cisco Content Switch), Load Balancer (Global Site Selector), LB Edge, V.I.P., WebSEAL Instances, Junctions, IHS Instances, WAS 5.1.x TAM enabled, IB, CSU, TAM Components, TAM Policy Srv, TAM Agent, eTrust Directory, eTrust Relay, Tivoli Dir. Server, IBM DB/2 Server, WAS 5.0.2, Tiv. Dir. Integr., IHS, ITIM, User Provisioning Junction to ITIM, Peer-to-Peer Replication, Symington (Bunker), home.cbonline.co.uk, home.ybonline.co.uk]
Phase 1
Administrator
End Users (500)
WebSEAL
Application
Directory
Phase 1 - 2003
- 500 Users
- 3 Protected Applications
- “Manual” Scripted Provisioning
Phase 2
Auditor
End Users (260,000)
WebSEAL
Applications
Directory ITIM
Phase 4 - 2006
- 260,000 Users
- Many Protected Applications
- Internet Banking Protected
- Automated Provisioning
NAG’s User Base & Tivoli Products
• Web based access control for staff based applications
• 10,000 staff across hundreds of retail outlets and Head Office locations.
• Web based access control for customer based applications
• 250,000 Internet Banking customers ( -> 700,000 by Dec. 06)
• Applications Protected
• 14 Web based applications (including Internet Banking)
• The Tivoli Products in use are:
Tivoli Access Manager v5.1
Tivoli Identity Manager v4.5.1
Tivoli Directory Server v5.2
Tivoli Directory Integrator v6.0
Real World v Utopia
[Diagram: the architecture diagram from “The Final Picture”, shown twice, each copy labelled IM TEAM]
Real World
• Many Project Managers By-Pass Identity Management
• Major programmes forced to use Identity Management (& pick up cost)
• Technology Risk & Auditors have limited involvement
• Service Delivery not involved
Utopia
• Policies & Principles in place; CEO/CIO sponsorship in place
• All Project Managers embrace Identity Management
• Technology Risk & Auditors involved in design process
• Service Delivery integrated into the process
[Diagram labels: Policies/Principles, CEO Mandate, Project Managers, Tech Risk/Auditor, Service Delivery]
If We Had It All To Do Again…
• Identity Management Programme
• Create an Identity Management programme rather than relying on projects to fund the infrastructure
• Create strategy for future utilisation of infrastructure (rather than deployment by stealth)
• Create the architectural policies, principles and guidelines up-front
• Deploy a provisioning solution up-front
• Enterprise Support
• Get Leadership Team sponsorship – both Business Sponsorship (CEO?) and Technology (CIO?)
• Engage Audit and Technology Risk teams earlier in the design phase
• Management Tools
• Spend additional time working on Configuration Management; Log File Management; Auditing Capabilities and infrastructure monitoring(!)
If We Had It All To Do Again…
• Pay our full-time employees a lot more money!
Will We Achieve Our Aims?
• Tivoli Access Manager for eBusiness
• YES
• TAMeb is well integrated into our infrastructure
• Performance is good & Reliability is good – “despite what they say”
• Enhances productivity – Java developers no longer need worry about security
• Tivoli Identity Manager
• YES
• Work is required to fully understand the organisational structure
• Provisioning new target platforms required to fully embed the product in the infrastructure
• Would greatly enhance productivity; reduce costs and free up resources – benefits, however, still to be realised
• Other Tivoli Security Products
• Tivoli Federated Identity Manager is a good fit for us but we are waiting on other 3rd parties to catch up with the technology!
THANK YOU
National Australia Group’s Hindsight