Case Study: McKesson

Virtual Directory Use Cases McKesson

Presentation by Paul Mezzera, Principal Security Architect, McKesson in a Breakout Session at the 2014 IRM Summit in Phoenix, Arizona.

Transcript of Case Study: McKesson

Page 1: Case Study: McKesson

Virtual Directory Use Cases

McKesson

Page 2: Case Study: McKesson

McKesson At-a-Glance

• Founded in 1833

• Ranked 14th on Fortune’s list, with $140.0 billion in revenues

• Headquartered in San Francisco

• More than 42,000 employees

• Two segments: Distribution Solutions and Technology Solutions

• Totally focused on health care

McKesson is one of America’s oldest and largest services companies.

McKesson Corporation 2

Page 3: Case Study: McKesson

Leadership Positions in Both Segments

Distribution Solutions

#1 pharmaceutical distributor in U.S. and Canada

#1 generics distributor

#2 in specialty distribution and services

#1 in medical-surgical distribution to alternate care sites

2,900+ Health Mart® retail pharmacy franchisees

Comprehensive retail information systems and automation offerings

Technology Solutions

Serve 52% of all U.S. hospitals

Leader in clinical, revenue-cycle and resource-management solutions

Leading RelayHealth™ claims-processing and connectivity business

200,000+ physician customers

#1 in physician revenue cycle and practice management

#1 in medical-management software and services to payers

Page 4: Case Study: McKesson

Information Security Architecture & Services

We are members of McKesson’s Information Security and Risk Management, providing a range of services including security consulting and operations, IT risk management and incident management.

We Deliver Security Solutions to Enable and Protect Businesses by:

• Offering a comprehensive portfolio of security services supported by core security capabilities that meet McKesson customers’ regulatory, industry and internal requirements

• Enabling McKesson business units to establish trust between organizations, partners, third-party users, and customers through federation, certificate services and secure collaboration

• Increasing our competitive advantage in security solutions through ongoing analysis of the latest security architecture trends and product offerings such as cloud security and security as a service

Page 5: Case Study: McKesson

The Four Pillars of Identity Services

Overall benefits: Enhanced user experience; Improved management of security risks; Efficient development/deployment of applications; Reusable integration

Pillar: Identity Management
  Capabilities: User Self-Service & Password Management; Delegated Administration; Automated Approvals and Workflows; Enterprise Role Definition

Pillar: Identity Data Services
  Capabilities: Virtual Directory; Synchronization/Replication; Meta Directory; Directory Storage

Pillar: Access Management
  Capabilities: Web Access Management/SSO; Federated Identity Management/SSO; Authentication & Authorization; Standard APIs

Pillar: Audit, Role & Compliance
  Capabilities: Centralized Audit; Logging and Monitoring; Access Certification; Reporting

Benefit groups shown beneath the pillars:
  HIPAA, SOX compliance; Common access logs; Improved accountability; Common reporting
  Reduced administrative tasks; Reduced help desk calls; Improved process efficiency
  Central user information; Reduced administrative tasks; Reduced help desk calls
  Improved security; Accountability; Cost savings

Page 6: Case Study: McKesson

Identity Data: Foundational Element for IRM

[Diagram: identity data is drawn from HR databases, application databases, LDAP directories and cloud apps.]

Page 7: Case Study: McKesson

Business Case for Virtual Directory

Use Case: Enterprise Role & Compliance
Benefit: Simplifies user access review application integration; business units subject to PCI and/or HIPAA Privacy/Security regulations; one place to report across all platforms

Use Case: Hybrid Cloud SSO & SaaS Identity Management
Benefit: Facilitates SSO to cloud-based services (e.g. Azure/Office 365, Salesforce, Box, WebEx); provides a global view of identity

Use Case: SSO, Enterprise & Customer Facing, Across Multiple Identity Data Stores
Benefit: Reduces development effort in migrating to a single directory; simplifies migration to the IAM platform

Page 8: Case Study: McKesson

Business Case for Virtual Directory (continued)

Use Case: Mergers & Acquisitions
Benefit: Reduction of migration cost due to minimization of identity data consolidation and custom coding; reduced engagement of external M&A specialists; no violation of EU Data Protection Directives due to the M&A activities with identity data

Use Case: Attribute-based Access Control
Benefit: Provides more granular access control; attributes are easier to attest than groups and roles

Use Case: Database Security
Benefit: Improves user experience and security by enabling SSO to databases using corporate credentials

Page 9: Case Study: McKesson

Achieving SSO across Identity Silos


Page 10: Case Study: McKesson

Situation #1: Scattered Attributes


Page 11: Case Study: McKesson

Situation #2: Scattered Passwords


Page 12: Case Study: McKesson

Approach #1: SSO with OpenAM/DJ/IDM Alone

• Design an OpenDJ schema to store all the user attributes of the targeted SSO application(s) – a significant effort if the targeted applications have various overlapping user attributes

• Migrate the existing user authentication store to OpenDJ (leaving user authorization local to the individual applications) – a significant effort, especially when the user store is an RDBMS instead of LDAP

• Use OpenAM for access management for the SSO portal

• Change each individual application to integrate with OpenAM

Page 13: Case Study: McKesson

Approach #2: OpenAM and VDS as Common Access Point and Common Identity

Multiple sources of identity with different schemas, protocols, formats, and structures. Application(s) expect a single normalized source.

[Diagram: App 1, App 2 and App 3, each with its own database, plus LDAP/other stores, are fronted by a Federated Identity Service that serves SaaS and web applications.]

Page 14: Case Study: McKesson

Step #1: Join Identities Across Data Sources

Page 15: Case Study: McKesson

Benefits of RadiantOne and ForgeRock

• Improved user experience: the user only needs to log in once to access one or multiple applications

• SSO implementation has minimal impact on existing applications since there is no user data migration

• Self-service password management enhances usability, increases security and reduces the need for help desk support

• Standards-based solution reduces vendor lock-in

• Established Identity Data Service benefits mobile and cloud services

Page 16: Case Study: McKesson

Joining Data across AD Domains


Page 17: Case Study: McKesson

Challenge – Two Autonomous Domains

McKesson employees primarily reside in one AD domain (IT)

A business unit’s (BU) employees are being migrated from their AD domain to the IT AD domain

The BU domain also includes non-employee accounts that cannot be migrated to the IT domain

Distribution lists originating in the BU and migrated to IT may contain non-employee accounts that will remain in the BU

Changes made to the BU distribution lists are automatically replicated to the corresponding IT distribution lists

Distribution lists cannot be managed across the BU and IT domains without logging into each domain separately to add and remove users in each domain

Requiring logging in and out of each domain to make a single update introduces unacceptable management overhead and increases the risk of error.

Page 18: Case Study: McKesson

Solution

Radiant Logic Virtual Directory Service (VDS) is installed and configured to access both AD domains

• VDS extracts the users and groups from both domains

• A view is created in the VDS as a branch that includes the groups and users from the BU domain, including the non-employee accounts

• Another view is created in the VDS as a branch that includes the groups and users from the IT domain

• The VDS Groups Builder is used to add and remove users in distribution lists in the BU and IT domains from a single interface

• The Groups Builder’s add-user function provides a pick-list of available user accounts to add or remove

• Creating new distribution groups is also an option

Page 19: Case Study: McKesson

Mergers and Acquisitions (M & A)


Page 20: Case Study: McKesson

Mergers & Acquisitions

Why is it important to the business?

• Value of M&A impacted by rate of assimilation of users and resources

• M&A targets have vastly different IT structures and conventions

• Need a layer to provide translation and transformation

• Maintain business continuity (first do no harm!)

• Provide access to applications across both environments

• Migrate applications and users at desired pace

Page 21: Case Study: McKesson

Mergers & Acquisitions

[Diagram: a US Company Population and a European Company Population, each containing US Co. and Eur. Co. identities, are presented as a US Company View and a European Company View.]

Page 22: Case Study: McKesson

Configuration and Security

Existing synchronization will duplicate additions made to groups in the BU domain to the corresponding groups in the IT domain

Filter initial views from BU and IT to only provide access to specific distribution groups and exclude security groups

Filter the attributes of the user accounts in the view to simplify display and hide any sensitive data

Use ACLs in VDS to tailor access to the BU and IT views

Limit access to view or update the users and distribution groups only to select individuals or members of select security groups
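The filtering and access-control steps on this slide, as an added example that is not part of the original deck and is not Radiant Logic VDS configuration: a small Python model of a view over the BU and IT domains that exposes only selected distribution groups, excludes security-enabled groups by testing the high bit of the Active Directory groupType attribute, projects user entries onto an attribute allow-list so sensitive attributes never reach the view, and checks a view-level ACL before a read or update. The domain names, entries, group names and the ACL layout are constructed for this example; the groupType bit is real Active Directory semantics.

```python
# Added example (not from the deck, not Radiant Logic configuration): a filtered,
# access-controlled view over two AD domains' users and distribution groups.

# Active Directory groupType: the high bit (0x80000000) marks a security-enabled
# group; distribution groups do not carry it. Real AD semantics.
ADS_GROUP_SECURITY_ENABLED = 0x80000000

# Attributes a delegated administrator needs to see; everything else is hidden.
USER_ATTRS_ALLOWED = frozenset({"cn", "sAMAccountName", "displayName", "mail"})

# Constructed sample groups for the BU (dc=bu) and IT (dc=it) domains.
GROUPS = [
    {"dn": "cn=BU-AllStaff,ou=groups,dc=bu", "groupType": 2},                # global distribution
    {"dn": "cn=BU-Domain Admins,ou=groups,dc=bu", "groupType": -2147483646},  # global security
    {"dn": "cn=IT-AllStaff,ou=groups,dc=it", "groupType": 8},                # universal distribution
    {"dn": "cn=IT-Helpdesk,ou=groups,dc=it", "groupType": -2147483640},      # universal security
]

# Constructed sample user carrying attributes the view must not expose.
USERS = [
    {"dn": "cn=jdoe,ou=people,dc=bu", "cn": "jdoe", "sAMAccountName": "jdoe",
     "displayName": "J. Doe", "mail": "jdoe@bu.example",
     "employeeID": "CONSTRUCTED-0001", "unixUserPassword": "<secret>"},
]

# Distribution groups the view is allowed to expose at all (constructed).
EXPOSED_GROUPS = {"cn=BU-AllStaff,ou=groups,dc=bu", "cn=IT-AllStaff,ou=groups,dc=it"}

# Constructed ACL: security-group memberships that grant read/update on each view.
ACL = {
    "bu-view": {"read": {"cn=BU-DL-Readers"}, "update": {"cn=BU-DL-Admins"}},
    "it-view": {"read": {"cn=IT-DL-Readers"}, "update": {"cn=IT-DL-Admins"}},
}


def is_security_group(group):
    """groupType is stored as a signed 32-bit integer; mask to 32 bits before
    testing the security-enabled bit, so negative values are handled."""
    return bool((group["groupType"] & 0xFFFFFFFF) & ADS_GROUP_SECURITY_ENABLED)


def visible_groups(groups, exposed=EXPOSED_GROUPS):
    """Distribution groups only, and only those explicitly listed for exposure."""
    return [g for g in groups if not is_security_group(g) and g["dn"] in exposed]


def project_user(user, allowed=USER_ATTRS_ALLOWED):
    """Reduce a user entry to the allow-listed attributes (the dn is always kept)."""
    return {k: v for k, v in user.items() if k == "dn" or k in allowed}


def authorize(view, operation, principal_groups, acl=ACL):
    """Grant the operation if any of the principal's groups is listed for it on
    that view. Update rights imply read rights; unknown views are denied."""
    rules = acl.get(view)
    if rules is None:
        return False
    allowed = set(rules.get(operation, set()))
    if operation == "read":
        allowed |= rules.get("update", set())
    return bool(allowed & set(principal_groups))
```

Excluding groups by the groupType bit rather than by name means a security group that is later renamed to look like a distribution list still stays out of the view; the attribute allow-list is deliberately a positive list, so newly added backend attributes are hidden by default.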

Page 23: Case Study: McKesson

Technical Benefits of Virtual Directory Approach

• Build a global list of all identities and a complete profile of each identity usually in days — not months.

• Eliminate any manual re-architecting, schema extensions, synchronization, or construction of complex code in order to achieve future state identity repository.

• Safely expose true identities to external applications and partners through a secure virtual layer.

• Reduce or eliminate the need to establish new trusts across AD domains and forests.

• Migrate existing groups, and dynamically create new groups based on attributes found in legacy repositories.

• Guarantee directory-like performance


Page 24: Case Study: McKesson

Flexibility in Defining Groups by Attributes
Based on joining attributes for a user

Source records for one user:

LDAP Directory:
  uid=AFuller
  employeeNumber=2
  givenName=Andrew
  sn=Fuller
  title=VP Sales
  departmentNumber=234

Active Directory:
  samAccountName=Andrew_Fuller
  employeeNumber=2
  objectClass=user
  mail: [email protected]
  departmentNumber=234

Database (columns EMPID, REGION, CLRLEVEL, USERID, DEPTID):
  509-34-5855, PA, 1, Andrew_Fuller, 234

Correlated Identity View:
  employeeNumber=2
  samAccountName=Andrew_Fuller
  objectClass=user
  mail: [email protected]
  uid=AFuller
  title=VP Sales
  clearanceLevel=1
  region=PA
  departmentName=Sales
  memberOf=PA Sales

Dynamic Groups View:
  cn=PA Sales
  member=Andrew_Fuller
  Based on identities that have: ClearanceLevel=1, title=VP Sales, Region=PA

Page 25: Case Study: McKesson

Flexibility with Groups:
Leveraging/Re-Mapping Existing Groups

Source directories:

Active Directory US Domain (dc=us)
  ou=people
    cn=john
  ou=groups
    cn=marketing  member=cn=john,ou=people,dc=us

Active Directory Europe Domain (dc=europe)
  cn=users
    cn=bob
  ou=groups
    cn=sales  member=cn=bob,cn=users,dc=europe

Sun Directory (o=corp)
  ou=west
    ou=ca
      cn=nancy
  ou=groups
    cn=HR  uniqueMember=cn=nancy,ou=ca,ou=west,o=corp

Virtual directory view (o=VDS)
  ou=AD1
    ou=people
      cn=john
    ou=groups
      cn=marketing  member=cn=john,ou=people,ou=AD1,o=vds
  ou=AD2
    cn=users
      cn=bob
    ou=groups
      cn=sales  member=cn=bob,cn=users,ou=AD2,o=vds
  ou=Sun
    ou=west
      ou=ca
        cn=nancy
    ou=groups
      cn=HR  member=cn=nancy,ou=ca,ou=west,ou=Sun,o=vds
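The DN re-mapping this slide illustrates, as an added example that is not part of the deck and is not Radiant Logic VDS configuration or API: a mount table maps each backend naming context (dc=us, dc=europe, o=corp) to its branch under o=vds, every DN is rewritten by replacing its matching suffix, and the Sun directory's uniqueMember attribute is normalized to member so applications see one membership schema across all three backends. The mount table, the function names and the escaped-comma DN used in the usage check are assumptions of this example; the suffix matching is case-insensitive because LDAP DN components are.

```python
# Added example (not from the deck, not Radiant Logic configuration): remapping
# backend group and member DNs into one virtual namespace.

# Backend naming context -> branch where the virtual directory mounts it (constructed).
MOUNTS = {
    "dc=us": "ou=AD1,o=vds",
    "dc=europe": "ou=AD2,o=vds",
    "o=corp": "ou=Sun,o=vds",
}

# Attribute names different directory products use to list group members.
MEMBER_ATTRS = ("member", "uniqueMember")

# Constructed backend group entries, copied from the slide's three directories.
BACKEND_GROUPS = [
    {"dn": "cn=marketing,ou=groups,dc=us", "member": ["cn=john,ou=people,dc=us"]},
    {"dn": "cn=sales,ou=groups,dc=europe", "member": ["cn=bob,cn=users,dc=europe"]},
    {"dn": "cn=HR,ou=groups,o=corp", "uniqueMember": ["cn=nancy,ou=ca,ou=west,o=corp"]},
]


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas
    (RFC 4514) so a value such as 'Smith\\, John' is not split in two."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def remap_dn(dn, mounts=MOUNTS):
    """Rewrite a backend DN so its naming context points into the virtual tree.
    The longest-suffix question does not arise here because no mount point is a
    suffix of another; a DN under no known context is an error, not passed through."""
    rdns = split_dn(dn)
    for suffix, mount in mounts.items():
        n = len(split_dn(suffix))
        if n <= len(rdns) and ",".join(rdns[-n:]).lower() == suffix.lower():
            return ",".join(rdns[:-n] + [mount])
    raise ValueError(f"no mount for DN {dn!r}")


def virtualize_group(group):
    """Return a copy of a backend group whose own DN and member DNs live under
    o=vds, with member/uniqueMember normalized to a single 'member' attribute."""
    out = {k: v for k, v in group.items() if k != "dn" and k not in MEMBER_ATTRS}
    out["dn"] = remap_dn(group["dn"])
    out["member"] = [remap_dn(m) for attr in MEMBER_ATTRS for m in group.get(attr, [])]
    return out


def virtual_groups(groups=BACKEND_GROUPS):
    """The slide's right-hand tree: all backend groups projected into o=vds."""
    return [virtualize_group(g) for g in groups]
```

Refusing to pass through a DN under an unknown naming context is a deliberate choice: silently exposing an un-remapped backend DN would leak the backend's structure into the virtual view and break the single-namespace guarantee the applications rely on.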

Page 26: Case Study: McKesson

Flexibility in Defining Groups:
Group memberships that change with your users

LDAP Directory:
  userID=12952, cn=john_smith, department=Sales
  userID=12954, cn=leah_scott, department=HR
  userID=12943, cn=todd_jones, department=Marketing

Active Directory:
  EmployeeID=16473, samAccountName=ssmith, department=Marketing, Email: [email protected]
  EmployeeID=16453, samAccountName=lgreen, department=Sales, Email: [email protected]

Database (columns DEPT, OFFICE, DEPT_MGR, DEPT_ID):
  Sales, Seattle, Jim Samon, 129
  HR, LA, Scott Thalon, 954

Virtual directory view (o=VDS), dynamic groups:
  cn=Sales, objectClass=group: member=john_smith, member=lgreen, member=Jim Samon
  cn=HR, objectClass=group: member=leah_scott, member=Scott Thalon
  cn=Marketing, objectClass=group: member=todd_jones, member=ssmith

Group members are built dynamically based on the department attribute in the user entries.
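The correlation and dynamic-group construction shown on this slide and on the earlier "Flexibility in Defining Groups by Attributes" slide, as an added example that is not code from the deck or from Radiant Logic: the Andrew_Fuller records are taken from that slide, while the second user (Bao_Chen), the department lookup table, the join keys (LDAP to AD on employeeNumber, AD to database on samAccountName = USERID), the rule syntax and the function names are this example's own choices. It goes slightly beyond the slides by tolerating a user with no match in one source, which a real join over autonomous stores has to expect.

```python
# Added example (not from the deck, not Radiant Logic configuration): join one
# person's records from three sources and derive group memberships from the result.

# Constructed sample records, one list per source. Andrew_Fuller's values come
# from the slide; Bao_Chen is invented to give the department group a second member.
LDAP_USERS = [
    {"uid": "AFuller", "employeeNumber": "2", "givenName": "Andrew", "sn": "Fuller",
     "title": "VP Sales", "departmentNumber": "234"},
    {"uid": "BChen", "employeeNumber": "7", "givenName": "Bao", "sn": "Chen",
     "title": "Sales Rep", "departmentNumber": "234"},
]
AD_USERS = [
    {"samAccountName": "Andrew_Fuller", "employeeNumber": "2", "objectClass": "user",
     "departmentNumber": "234"},
    {"samAccountName": "Bao_Chen", "employeeNumber": "7", "objectClass": "user",
     "departmentNumber": "234"},
]
# Database columns EMPID, REGION, CLRLEVEL, USERID, DEPTID.
DB_ROWS = [
    {"EMPID": "509-34-5855", "REGION": "PA", "CLRLEVEL": 1, "USERID": "Andrew_Fuller", "DEPTID": "234"},
    {"EMPID": "CONSTRUCTED-0002", "REGION": "NJ", "CLRLEVEL": 2, "USERID": "Bao_Chen", "DEPTID": "234"},
]
# Department number -> name (constructed; the slide renders 234 as "Sales").
DEPARTMENTS = {"234": "Sales"}

# Dynamic group rules: group name -> attribute values every member must match.
# "PA Sales" is the rule on the slide; department groups are derived separately.
RULES = {
    "PA Sales": {"clearanceLevel": 1, "title": "VP Sales", "region": "PA"},
}


def correlate(ldap_users, ad_users, db_rows, departments=DEPARTMENTS):
    """Join LDAP<->AD on employeeNumber and AD<->DB on samAccountName = USERID.
    Returns one normalized profile per LDAP entry. A missing AD or DB match
    leaves the fields that source would supply absent rather than failing."""
    ad_by_emp = {u["employeeNumber"]: u for u in ad_users}
    db_by_user = {r["USERID"]: r for r in db_rows}
    profiles = []
    for ldap in ldap_users:
        ad = ad_by_emp.get(ldap["employeeNumber"], {})
        db = db_by_user.get(ad.get("samAccountName"), {})
        profile = {
            "uid": ldap["uid"],
            "employeeNumber": ldap["employeeNumber"],
            "title": ldap.get("title"),
            "samAccountName": ad.get("samAccountName"),
            "departmentName": departments.get(ldap.get("departmentNumber")),
        }
        if db:
            # EMPID is sensitive and not needed by consumers, so it is never
            # copied into the exposed profile; only the attributes the view needs are.
            profile["clearanceLevel"] = db["CLRLEVEL"]
            profile["region"] = db["REGION"]
        profiles.append(profile)
    return profiles


def dynamic_groups(profiles, rules=RULES, group_by="departmentName"):
    """Build rule-based groups plus one group per distinct value of group_by.
    Members are named by samAccountName as on the slide; memberOf is written
    back onto each profile so the correlated view shows it too."""
    groups = {}
    for p in profiles:
        member = p.get("samAccountName")
        if member is None:          # no AD record: cannot be a member of anything yet
            continue
        for name, required in rules.items():
            if all(p.get(k) == v for k, v in required.items()):
                groups.setdefault(name, []).append(member)
        if p.get(group_by):
            groups.setdefault(p[group_by], []).append(member)
    for p in profiles:
        p["memberOf"] = [g for g, members in groups.items() if p.get("samAccountName") in members]
    return groups
```

Because the groups are recomputed from attributes each time, a change of title, region or clearance level in a source system changes membership without anyone editing a group, which is the point the slide makes about memberships that change with the user; it also means attestation can be done on the source attributes rather than on hand-maintained group lists.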

Page 27: Case Study: McKesson

Q&A