And we finally move on to the next, last talk of today from Nick Tufts from Vodafone. Welcome on stage, please. Hello. Nice. Just give me a short description of your area of responsibility.
Sure. Yeah. So hi everyone. I'm basically the principal delivery manager in the workforce identity and access management program in Vodafone group technology security.
But as I mentioned in the presentation, we are actually changing our organization at the moment and moving away from technology security and into more of a delivery, which I think quite suits our program and our needs within Vodafone.
And identities or customer identities,
Workforce
Work, workforce internal only
Workforce.
How many people?
About 350,000 identities at the moment. Okay.
Partners, consultants, contractors, employees, vendors. So our workforce has grown outside of the normal sort of enterprise boundaries.
Thank you very much. Floors yours.
Thank you.
Well, firstly, thanks everyone for hanging around. I've got five minutes for this. Is that right? Maybe 10. I knew I was gonna hap this was gonna happen when I, when I took this slot, but I'll try and rattle through it and yeah, you know, I'm, I'm not a regular presenter, so apologies for any hesitation or deviation or anything like that. But the last time I did this presentation was with my, with my boss, but he dropped me in it this time and we were doing it on beam, which is the, the software that, and the robots that Jackson showed on screen earlier. And you actually, you drive them around.
So myself and my boss were sat in London, in an office, connected our laptops for our Vodafone 4G network. And thankfully we were driving these robots around in Miami presenting to a room, very similar to this as a robot. But I hope my presentation today is not too robotic as a result. So Vodafone Group, I think most people in the room probably have heard of Vodafone global enterprise, lots of different markets, you know, very complex organization, getting more complex transformations, acquisitions, selling stakes, everything like that.
I want to talk to you, not as a supplier or a vendor particularly, but you know, give you some ideas. Some that might work for your organizations as they hopefully are working for Vodafone as a kind of complex multinational. A little bit about our platform. So it's workforce identity and access management. It's used by all the Vodafone operating companies in all the local markets, all the countries shown on the previous slide.
The kind of picture on your left hand side is kind of classic.
I suppose, employee identity and access management. We've got the authoritative sources on the left hand side. We've got our core platform in the middle, which is an Oracle based platform. And we've got the target applications on the right hand side where we're doing access provisioning based on requests. And we're doing single sign on authentication. The size of the problem is shown on the, the right hand side. So the left hand side's probably fairly typical for most IAM programs. The right hand side gives you an idea of the scale of Vodafone and the challenge that we've got.
So 4,000 applications going up, going down, depending on who we've bought, who we've sold. Identities 350,000 at the moment, going up, probably not going to go down purely because we're working with more vendors, we're working with more partners. You know, for us, workforce is also partners like in the UK Carphone Warehouse who are selling Vodafone products to you on the high street. They need access to Vodafone systems. We treat them as part of the workforce.
So we've got to meet the needs of that sort of group
And the access management side, the number of requests going through the platform at the moment, probably a quarter of a million could grow to dunno, dunno how big it's gonna get. So as well as giving you some ideas on kind of the solutions and some of the business problems that we face, our kind of underlying proposition is that actually identity and access management isn't really a technology security thing.
You know, the challenges you'll face, the solutions you'll come up with are not technology security specific. And hopefully you can illustrate that in the next few slides. So it's called good, bad and ugly. This is really why. So this is the Vodafone journey that we've been on at a high level. We've I wanted to talk about five particular problems and there's actually only really three solutions because we haven't found a solution for the last one. So if anyone can think of a good solution, I'll buy a beer later in the bar, but come up to me and, and give me your thoughts.
I won't talk anymore about that slide. I don't think we'll just go into the detail and go through the business problems and then the solutions that we've come up with.
So first business problem is, well, it's all about integration, isn't it? So our main objective as a program is to deliver that blue box in the middle, your tool, that's it, right? Your objective at the end of the year is just build that program. Here's some money. Here's some people. Put that platform together. If you do that, you'll, you'll meet your objective, right? But you probably won't deliver the business benefit, you know, that that's expected of you.
So you've had a business case and you'll save the organization X amount. You won't ever deliver that unless you do the integration to the data sources, to the targets. So the kind of business problem, and, and the idea here is create your program for the multi-year integration journey, not just the 12 month build of the blue box in the middle. So business problem number two: business volatility. I guess I mentioned it earlier, Vodafone's buying and selling, offshoring, onshoring, federating, insourcing.
You know, that's probably familiar to a lot of people in the room is constant change. So how do you create your program to protect yourself from the business, but also serve the business? So don't be driven by what's going on around outside of, of your program, but still be able to serve your customers and deliver the, the benefits that they expect. So you've got to protect and serve if you like.
So the first, what we believe is a, a good technology solution to these first two business problems is, you know, building a, a flexible modular architecture.
So the, the blue box up there, the identity management, the workflow orchestration, the authorization services in a, you know, probably a typical, small to medium sized enterprise. That's what you think of IAM. Those three boxes in blue for us, it was about building the insulation around that core. So using the data integration layer, the enterprise service bus, you know, the data gives you insulation from those authoritative sources that are constantly changing.
The enterprise service bus allows you to provision and manage the provisioning to all those targets that may be up or down at any point in time, we were in a good position, I suppose, being able to take advantage of an Oracle enterprise license agreement to use those non identity management kind of tools, to build an entire platform that meets our needs. I know there's Oracle guys in the room. So the second bullet point, you know, it does allow us to swap out vendors.
So if that ELA does end, we can bring in the right tools, the right bits of software, into the different areas to, to keep our platform up to speed.
Cause we, we dunno when that may happen. And that's obviously a decision in which a program like ours is gonna have no, no sort of say, so it will be decided somewhere up the tree.
We also made a conscious decision through this modular kind of architecture that we wanted to avoid being a small fish in a big pond. So that's particularly looking at the enterprise service bus on the right hand side.
So within Vodafone, there's lots of service buses. There's lots of global service buses. There's lots of architects saying you must integrate to the global service bus.
Well, we probably did a typical thing for a program trying to deliver. We went, no, sorry. We don't wanna be a, a small fish in a big pond subject to your budget, your prioritization, when there's always a, a CRM or a billing program, that's gonna knock you out of the water and push you down the list.
No, we decided let's have our own service bus. Let's integrate to our targets directly. Let's be self-sufficient. And finally, the, the modular architecture allows you to take advantage or work within the annual budget cycle. So that platform up there is two years in the making probably another year to finish it off. So the API gateway, or mention it later, that one doesn't exist for us at the moment. It's only on this slide pretty much, but in this year's financial budget cycle, we have the money to do that.
So over the past two cycles, we've built up the program through these modules and you know, we've not gone on year one with a huge cost to build this whole thing. We've built it up over time and that's what this architecture kind of allows you to do.
So that's good. Okay. Back to the business problems, then this one's probably a classic. I work in information security. So it's an information security tool. This WIAM thing, right?
Well, not really because you look around the business and all these other stakeholder groups, they're dependent on you to deliver their programs. So without you, they will fail. So by default, you become kind of at the center of all of these massive transformation or enterprise type programs. And so managing that stakeholder community is very important. So the advice kind of is to don't think of it purely as a technology security program, create it as an enabler for the widest range of owners, because they'll come to you expecting the earth anyway.
So be, be prepared for that.
So having all those stakeholders and having all that demand, how do you kind of deliver it?
Well, this is the solution that we've come up with is to automate. So we live in a, an environment of we've got kind of four delivery work streams: data, application, core platform, and the kind of operational BAU stuff, all trying to deliver through 20 plus environments into production. Every two weeks, every two weeks, we release something into production. How do we manage that?
Well, through automation, there's no other way to do it without some manual errors. And then your stakeholders get annoyed. They lose confidence in the program. So automation is the way, but I mean, there is no silver bullet. There isn't one solution that covers everything.
You know, we've got a multitude of things there that cover kind of the whole lifecycle of a, of software. So we've got Vodafone Plex, which is our kind of internal cloud based environments solutions.
So we can stand up a, a new environment in two days, rather than two weeks. We've got things like Jenkins that help to automate build and deployment. We've got Selenium, which is automated testing, and we've got tools for automation on the operational side as well. So we're trying to cover the whole life cycle through tooling, through automation. Now it doesn't, it doesn't come cheap. Right?
All of that. So there's, there's two things I'd suggest, like build a single business case for the whole lot. Come up with a strategy for your tooling that covers the whole life cycle and present a business case based on that. Cuz if you present the business case individually, they probably won't add up to much, but if you can show it through the whole life cycle, then the guys in finance will girls in finance. They'll probably give you a tick in the box and allow you to go on.
And there's also, especially in a big kind of organization like Vodafone there's skills and tools and people and processes already doing automation. So find out where they are, get them involved. It's very kind of portable skill set if you like, because again, it's not specific to IAM. So initial costs may be high, but the improvements can be significant. So spinning up an environment in two days and I slides, but I sorry about that at the bottom there, it says, I'm not making this up. It says that we can do our regression testing in four hours instead of 12 hours.
So press go six o'clock at night, come in in the next morning, your test's there. Your results are all there. Your screenshots are all there much better than having somebody manually running through the test that takes 12 hours or something. So automation,
This next business problem, it's basically one size doesn't fit all. So the example we've used here is the user interface. So this is what our kind of dashboard of our system looks like when you land into it. So it's not, it's not ugly in itself, but you know, you try and standardize, you try and avoid customization.
And they're kind of in conflict because through standardization you get cost savings, but you probably get unhappy users because we have so many stakeholders and they all want different things. They have different expectations.
You know, some examples across the top, there, some people want it on a mobile app to approve, some people want it in 27 languages. Some people are happy with it just in English. Some people want one click approval. Security wants three clicks, you know, lots of different expectations and the user interface is where it all sort of comes to life. So you could go down the complete customization route and you'll probably have very happy users, but you'll have a hell of a system to manage and maintain, probably a huge cost to deploy. Where we going on this one?
Well, this is probably the one where we are struggling with at the moment. And that's why we've kind of, I've put it in the bad category purely because we're just starting off with this. And had we thought about it two years ago, we probably wouldn't be in the, the bad situation if you like.
So where, where we're going with this is kind of around having a, an API gateway, becoming a kind of headless service, almost not having a user interface, just having a set of services that are standardized that allow you to call, call the core activities of any IAM system. You know, authenticate a user, create a request, disable an identity, whatever it might be. Through that way we can kind of standardize, but also let people customize the UI because all they have to do is build their own login page.
If they want to call the API and it can look how they want it to look for their partners, how they want it to look for the employees, it's then kind of not us becoming if you like a UI user interface kind of factory. And also I think we can help to control the consumption of our services through this API gateway and allow our operations teams to focus on what's going on in the back end.
What's actually happening in the application and the infrastructure rather than what is an end user seeing on the front, which as I was saying a minute, I'm not sure our operations team can, can manage so well. I think last year or the year before I went to Gartner conference in London and heard a lot about identity as a service and myself and my boss came out of that and said, well, what's our kind of strategy if we get asked? And now it's sort of taken shape outta the back of this of thinking, well, how do we become an identity as a service provider internally within Vodafone?
Well, it's through kind of having an API gateway and allowing people to do as they see fit using our APIs, breaking some of those dependencies and really providing a service that can be used by any of the Vodafone operating companies in group, in enterprise, whatever it is, right. Last of all, last business problem. This is the one please buy I'll buy beers. If anyone comes up with a good solution to this, cuz it's the source of a lot of frustration.
So we've, we've kind of managed a, a program that's been pretty user-centric, right. Identity management. It's obvious, you know, we've got a user-centric program, we've got an SI who's thinking from the user perspective, we've got a vendor that delivers a product that's very user-centric. We go live, we hand it over to our operations team and they're kind of not very user-centric. So what do we end up with? We end up with kind of frustrated and really annoyed kind of users. So we've outsourced our reputation in other words of our program, to our operational teams.
And, you know, we've made lots of step forward steps forward in terms of the architecture and the solution itself. But our operations teams are still a little bit in the dark ages and they're, you know, how, how can we solve that problem? How can we come up with a technology solution to take this from ugly to good. I'd be really interested to hear other people's thoughts on that too many clicks on that one. Okay. So
I think that's about 15, 20 minutes.
So that's kind of my ideas, some of the experiences that we've had, some of the solutions we are coming up with, as I said, I don't think it's a technology security type of problem or architecture when you look at it. And I think the actually the good thing from since when I put these slides together on the 1st of May, it was announced that we, our team is moving from security into a kind of delivery organization.
So I think somebody maybe has been coming to these presentations from Vodafone management and listening to what we're saying, and we're actually moving now, so we can go forward and deliver on some of these things, which should be quite exciting. And yeah, I'm quite enthusiastic about, so hopefully I didn't keep you for too long from the food and the beer. So thanks. Thanks for listening.
Thank you. So I think with the API strategy, you're on the right track. So only a matter of execution and, and moving forward and getting more traction and get some money. Yes.
Money, definitely. But on the, on the ugly part, this operations team, so who, what are they responsible for in practice?
I mean, what they're, what are they doing?
So user access management in Vodafone is quite disconnected. So there's one central service desk. And in theory, you go to that central service desk and you say, I've got a problem with user access management and it could go any one of 20 different ways of which one is our WIAM platform.
Ah,
So someone phones up and goes, I've got a WIAM problem and it can go off shooting down the wrong channel. So, you know, that, that's why I say it's kind of a bit of a mess from a, from a user perspective. They just want someone to help when they phone up, but it ends up going in the wrong direction. As soon as you can talk to someone in our team, the teams themselves, the guys there on the ground, they're, they're the right guys doing the right things, but navigating it through that kind of
Too many channels, too many
Hubs. Yeah. Because of the nature of Vodafone. Right.
And we said acquisitions and things. It's, it's always like that. So we haven't quite nailed that one yet.
Centralizing service desk probably is the only solution, right? Yeah. That's not in your hands probably.
Exactly. Yeah.
Okay. Thank you again.
Thank you. Thanks.