SIcurity Identity and Access Management
Hanover, CeBIT 2005
© Siemens CeBIT 2005 2
Protection: "block the bad guys"
Enabling: "support the good guys"
Security policy: "find the loopholes"
Only an IT Security company like Siemens is able to cover everything
Agenda: MegaTrends / The Security Challenge / Why Siemens?
© Siemens CeBIT 2005 3
Challenges for Identity and Access Management
Avoiding security breaches
Cutting administrative costs
Avoiding productivity gaps
Maintaining data quality
Avoiding island solutions
Ensuring regulatory compliance
© Siemens CeBIT 2005 4
Scenario Highlights
Automated, policy-based and role-based user provisioning
Password management and password synchronization
Access management and single sign-on for web portals and web-based applications
Self-registration, approval workflow and delegated administration for web portals in B2B environments
© Siemens CeBIT 2005 5
Scenario: Situation Today
User groups: Employees, Partners, B2B, Customers
IT resources: Sales, Marketing, Finance, Logistics
Multiple users seeking access to numerous IT resources, resulting in many administrators repetitively establishing and revoking user access privileges.
© Siemens CeBIT 2005 6
Scenario: Solution Tomorrow
User groups: Employees, Partners, B2B, Customers
IT resources: Sales, Marketing, Finance, Logistics
Meta Directory
Identity Management (who needs which rights?): identities, organizations, applications; user profiles, roles & privileges, business processes
Provisioning (who needs access to what?): IT systems, resources …
Access Management (when is access granted?): rules, policies, conditions
© Siemens CeBIT 2005 7
Scenario: End-to-End, Secure eBusiness Processes
Parties: Headquarters/Factory, Customer, Partner, Supplier
Who, when, what, access to what?
Information involved:
• Equipment, price list, delivery date
• Prices, equipment, delivery dates, suppliers, service partner, end customer
• Prices, factories, delivery dates, supplier, service partner, customer structure
• Prices, equipment, delivery dates, partner, service partner
• Unit costs, other costs, sales price
Access mechanisms: self-registration, VPN, password, Identity and Access Management, delegated administration
© Siemens CeBIT 2005 9
Your Benefits
Lower costs
Automated, centralized user administration
Lower costs for helpdesk and hotline services
Enhanced cost transparency for asset management
Increased productivity
Get new employees up and running quickly
Automated provisioning of accounts in connected systems
Ensure data quality by automatic synchronization
Increase in user productivity through fewer passwords
Improved security
Enterprise-wide transparency of access rights
Quick revocation of access rights
Precise monitoring of access rights
© Siemens CeBIT 2005 10
Covering all vertical industry markets
• Services/Logistics
• Public/Health/Education
• Media/Communications
• Industry/Retail
• Insurance/Banking
Customer logo shown: US ARMY
© Siemens CeBIT 2005 11
Customer Reference: Financial Services – Generali
Challenge: Replacement of existing individual solutions for access and user rights for IT systems with a role-based management solution
Benefits: Improved productivity and availability; minimized administration and operating costs; lower costs thanks to simplified administration of user accounts
Solution: Role-based rights management for IT systems with DirXmetaRole
© Siemens CeBIT 2005 12
Customer Reference: Financial Services – SwissRe
Challenge: A global system for user management in the customer portal for electronic reinsurance services
Benefits: Secure e-business; lower administration overhead; improved quality of enterprise-wide data; better service for customers
Solution: DirX Metadirectory as a global directory service; web-based single sign-on solution; administration of customer and employee information; user authentication
© Siemens CeBIT 2005 13
Customer Reference: Industry – Audi AG
Challenge: Modernization of the communications directories; integration of the HR SAP R/3, Windows NT, Exchange and IBM OS/390 host directories; reduction in administration costs; stable use in the Audi/Volkswagen group network; full X.500/LDAP compliance
Benefits: Consistent user data at all times across all directories at departments, plants and subsidiaries; reliable access control thanks to unique, trusted identities; low administration costs
Solution: Unique digital identities thanks to Metadirectory as a digital identity store; 60,000 entries (2003) on internal and external employees, target: 250,000 (Audi/VW network); provisioning of corporate processes
© Siemens CeBIT 2005 14
Customer Reference: Public Sector – GTZ (Gesellschaft für Technische Zusammenarbeit)
Challenge: One central address book integrated in Microsoft's ADS and Office infrastructure; integration with SAP; migration from Novell office infrastructure to Windows 2000 / ADS
Benefits: Improved international communications; greater efficiency in administration; seamless integration of directory and Office products; efficiency at the workplace
Solution: DirX Metadirectory as a central directory for employees, partners and projects worldwide; allows administration processes of ADS to be automated; convenient user access via intranet or Windows applications
© Siemens CeBIT 2005 15
ROI / Example Calculation: Company with 1000 Employees
Administration: savings in changing entries, including new employee entries and deletion of employee entries, of 20 hours a month: €1,500; savings p.a.: €18,000
Other effects: more efficient searching for communications addresses; savings thanks to user self service; lower costs for developing own applications and running them; lower help desk / hotline costs (fewer passwords, i.e. fewer forgotten passwords)
Costs:
Rights of use / licenses: €15,000
• Agents: Hicom DMS / DS-Win, Microsoft ADS, HiPath 4000 Manager
• DirXweb: included in the basic package
Service (non-recurring): €14,000
Total purchase price: €29,000
Monthly price (total, w/o service): €826 (including software and other maintenance; basis: 3-year lease factor)
Monthly price (per user): €0.826
Total purchase price (1st year): €29,000 vs. savings in administration (per year): €18,000
The investment pays off within just over one-and-a-half years!
© Siemens CeBIT 2005 16
ROI / Example Calculation: Company with 1000 Employees – Monthly Savings
A return on the monthly lease is achieved given even slight savings in administration of user data!

Service             Time/effort   x   Internal standard rate   =   Costs
Changes             8 hours       x   €75                      =   €600
New employees       6 hours       x   €75                      =   €450
Employees leaving   6 hours       x   €75                      =   €450
Total                                                              €1,500

Changes: temporary provision of company resources to external consultants, for example, and changes to master data
New employees: when a new employee is hired, his or her master data must be entered in the systems
Employees leaving: access to company resources must be withdrawn and the master data deleted
© Siemens CeBIT 2005 17
Product Highlights
Identity Management
User and privilege management / delegated administration / approval workflow / role-based and rule-based provisioning / Metadirectory Synchronization / Password management / Audit and reporting
Directory
LDAPv3 Directory Server / X.500 Directory Server / DirX Manager – Graphical Administration Interface / DirX DSML – DSMLv2 Server (Web Service/XML/SOAP) / DirXweb for JSP Technology – Web Gateway (HTTP)
Access Management
Web Access Management / Authentication / Authorization / Web Single Sign-On / Self-service / Self-registration / Federation / Web Services Security / Audit
© Siemens CeBIT 2005 18
HiPath - Total Business Communications Components
Business Applications: HiPath ComScendo, HiPath ProCenter, HiPath OpenScape, HiPath MobileOffice, HiPath MetaManagement and HiPath QoS, HiPath SIcurity, HiPath Ready-Certified Applications, Other Applications
Common Application Platform: HiPath Servers & Gateways
IP Infrastructure
Huawei
optiClients, optiPoints and Portals
Our Services Portfolio
Managed Services:
• Network Management
• Security Management
• Multi-Vendor Support
• Asset Management
• Communications Out-Tasking
• Service/Help Desk
Lifecycle Services:
• Remote monitoring, diagnostics, reporting
• Hardware/software installation, maintenance, fixes, spare parts
• Moves, Adds, Changes (MAC)
• Training
Professional Services:
• Technology Consulting
• Assessments
• Customization
• Systems Integration
• Design
• Project Mgmt
Service phases: Consult, Design, Build, Support, Educate, Manage
Why Siemens?
HiPath SIcurity Identity and Access Management …
… offers fully-integrated solutions for IT and real-time communication environments.
… is the leader when it comes to PKI authentication, authorization and SAP integration.
Thank you! Your Questions please!
Backup
© Siemens CeBIT 2005 23
HiPath SIcurity Portfolio
HiPath SIcurity Solutions:
• Security Analysis and Consulting
• Smart Card-Based Solutions
• Identity & Access Management
• Network & System Security
Taglines: "It's all right to laugh for who is allowed in"; "Only Mr. Right is welcome"; "The first step is always security"; "Protected in networks"
© Siemens CeBIT 2005 24
HiPath SIcurity: End-to-end, secure e-Business processes
Secure Business Processes (Sales, Marketing, Logistic): Identity Management, Access Control, Authentication, Content, User, Network & Systems Security
Building blocks: Secure Token; ID-Store and Provisioning; Enforcement of Security Policies
Products: DirX, CardOS Card API, DirXmetahub, DirXmetaRole, DirX Access
End-to-end processes from a single source
• End-to-end security solution
• Integrated product suite from authentication to Web access and SSO
• Seamless software integration
© Siemens CeBIT 2005 25
Integrated Product Suite for Identity and Access Management
Functionality and products:
Identity Management (Audit, Accountability, Self-Service, User Management, Workflow, Password Management, Metadirectory, Provisioning): DirXmetaRole, DirXmetahub
Directory: DirX, DirX Extranet
Access Management (Authentication, Federation, Web Access Management, Web Single Sign-on, Web Services Security): DirX Access
© Siemens CeBIT 2005 26
Without Identity and Access Management, costs rise dramatically
[Chart: costs over time, with vs. without Identity and Access Management. * Initial costs: project, hardware/software costs, data cleansing. Source: Bearing Point]
© Siemens CeBIT 2005 27
HiPath SIcurity DirX - Live Presentation: Identity and Access Management from a single source
Change management:
• Password changes (e.g. every 4 weeks) as per security policy
• Function change: change of function within company (promotion, change of location, organizational change ...)
• Order process: authorization workflow for procurement volume
Provisioning:
• New hire: creating new employee as a new identity
• Making the identity known: distribution of identity to all IT/RTC systems
Involved in process: Management, User, Admin
© Siemens CeBIT 2005 28
IAM Demo: Enterprise and B2B Scenarios
MyCompany Intranet: Human Resources (HR; employee and change management); Identity Management (DirXmetaRole, DirXmetahub); Directory (DirX Extranet Edition); Access Management (DirX Access); Applications; provisioning to Windows & Exchange and HiPath User Mgmt.; employee self-service
MyCompany Extranet: Supplier, Partner; self-registration, delegated administration, password management
© Siemens CeBIT 2005 29
IAM Demo: Steps
1. New employee Joe Doe joins MyCompany – HR creates employee record
2. Joe Doe’s record is synchronized to IT identity management and roles are assigned automatically
3. Provisioning of Windows account, mailbox, telephone and access to employee portal for Joe Doe
4. Joe Doe has access to MyCompany Intranet with default rights according to his role
5. Joe Doe requests additional privileges and approval workflow is initiated
6. Will Smith works for Ace Car Sales and registers for access to MyCompany’s Extranet; an approval workflow is initiated
7. The delegated administrator at Ace Car Sales approves the registration
8. Will Smith has access to MyCompany Extranet with default rights according to his role; Will Smith can manage his password and reset a forgotten password
© Siemens CeBIT 2005 30
Making a New Employee Productive Quickly
HiPath SIcurity Identity & Access Management: employee is hired, productive in minutes
1. ERP administration: master data in HR or order processing system is generated and automatically provisioned to the central directory
2. Identity administration: via the IAM platform, the appropriate roles are assigned to the employee; rules are stored based on the company's security policies
3. Permissions: the permissions corresponding to the role are set automatically; individual criteria, e.g. lifecycle, are entered in IAM
4. Provisioning process: in the destination systems, intranet/extranet access, e-mail account (… and others) are automatically generated; individual rights for portals are set
5. Productivity: employee has the access rights and permissions defined in the roles
© Siemens CeBIT 2005 31
Flexible Change Management: Change in function
Process (Human Resources, e.g. SAP HR; HiPath SIcurity Identity & Access Management):
A Sales employee is switching to Marketing on Feb. 1.
This function change is entered by the personnel department in the HR system.
The IAM system passes the function change to the Corporate Directory: resolution of the role "SALES", granting of rights "MARKETING".
The Corporate Directory synchronizes the new function, with new rights, on the connected target systems (portal user management and other target systems).
January 31: sales activities in Sales Portal. February 1: date change ... MARKETING PORTAL released, SALES PORTAL is no longer accessible; ready to move to the Marketing Portal.
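Added illustration (not Siemens code and not the DirX data model) of the role-based provisioning the demo steps and this function change describe: HR enters an effective-dated role, the role in force is resolved per day, the rights difference is computed for each connected target system, and an extra right such as the analyst report is recorded only when an approver releases it. The role table, target-system names and the "SALES_MGMT" approver role are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed role model (an assumption, not DirX's data model): role -> rights per target system.
ROLE_RIGHTS = {
    "SALES":     {"portal": {"SALES_PORTAL"}, "ads": {"Domain Users"}, "exchange": {"mailbox"}},
    "MARKETING": {"portal": {"MARKETING_PORTAL"}, "ads": {"Domain Users"}, "exchange": {"mailbox"}},
}
@dataclass
class Identity:
    uid: str
    assignments: list                          # (effective_date, role) pairs as entered by HR
    extra: dict = field(default_factory=dict)  # individually approved rights per target system

def effective_role(identity, today):
    """Resolve the role in force on `today`; HR may enter a change ahead of its date."""
    in_force = [role for day, role in sorted(identity.assignments) if day <= today]
    return in_force[-1] if in_force else None

def resolve_rights(identity, today):
    """Desired state per target system: rights of the effective role plus approved extras."""
    role = effective_role(identity, today)
    rights = {system: set(r) for system, r in ROLE_RIGHTS.get(role, {}).items()}
    for system, extra in identity.extra.items():
        rights.setdefault(system, set()).update(extra)
    return rights

def reconcile(identity, actual, today):
    """Diff desired against actual state; returns the grants/revokes each target system needs."""
    desired = resolve_rights(identity, today)
    plan = {}
    for system in set(desired) | set(actual):
        want, have = desired.get(system, set()), actual.get(system, set())
        if want != have:
            plan[system] = {"grant": sorted(want - have), "revoke": sorted(have - want)}
    return plan

def approve_request(identity, system, right, approver_roles, required="SALES_MGMT"):
    """Approval workflow: an extra right is recorded only when a required approver releases it."""
    if required not in approver_roles:
        return False
    identity.extra.setdefault(system, set()).add(right)
    return True

def function_change_demo():
    """Sales employee moves to Marketing on Feb. 1: what the connectors must change that day."""
    emp = Identity("jdoe", [(date(2005, 1, 1), "SALES"), (date(2005, 2, 1), "MARKETING")])
    provisioned = resolve_rights(emp, date(2005, 1, 31))   # state after initial provisioning
    return reconcile(emp, provisioned, date(2005, 2, 1))

def order_approval_demo():
    """Analyst report is requested; only Sales management can release the extra right."""
    emp = Identity("jdoe", [(date(2005, 1, 1), "SALES")])
    provisioned = resolve_rights(emp, date(2005, 1, 15))   # role rights already in place
    denied = approve_request(emp, "portal", "ANALYST_REPORT", {"SALES"})
    approved = approve_request(emp, "portal", "ANALYST_REPORT", {"SALES_MGMT"})
    return denied, approved, reconcile(emp, provisioned, date(2005, 1, 15))
```

On Feb. 1 only the portal system changes (Marketing Portal granted, Sales Portal revoked); the unchanged ADS and Exchange rights produce no connector work.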
© Siemens CeBIT 2005 32
Single Sign-on and Centralized Access Control Enforcement for all Web Applications
Sales process: Mr. Maier wants to enter a customer contact; Mr. Maier needs a monthly report; Mr. Maier wants to enter the day's travel expenses
Applications: Customer (Contact, Order); Reports (Quarter, Month); Costs (KM entry, Additional costs); one logon (Name, Password)
Benefits:
• One-time authentication for all needed information, e.g. one password for all applications
• Fast, straightforward management of access rights
• Increased security through secure session management and scalable authentication features
• Lighter load on the hotline
• Faster ROI through savings in administration and for users
© Siemens CeBIT 2005 33
Flexible Change Management: Uniform password for several applications
Process: first logon; change of password; a little later ... ready to work: Employee Portal
Components: Windows 2000 ADS; DirX Password Listener; Identity & Access Management (DirX Solutions); portal user management (and other target systems)
Password management:
The change of the password following the prompt at first logon is recognized by the DirX Password Listener as a part of the IAM system.
The IAM system passes the password change to the central Corporate Directory.
The Corporate Directory synchronizes the changed password on the connected target systems: Employee Portal.
The changed password is available for access to the Employee Portal.
© Siemens CeBIT 2005 34
Flexible Change Management: Authorization of an order
Process: need for analyst report; order of analyst report; release via Sales mgmt; ready to use: Sales Portal
Components: Workflow; Identity & Access Management (DirX Solutions); portal user management
Authorization / order process:
Sales employee needs and orders an analyst report that has to be authorized.
The IAM system handles the authorization process and automatically forwards the request to the management of Sales.
Following authorization by the management of Sales, the IAM system synchronizes the change in rights in the portal user management system.
The Sales employee is informed by e-mail via the authorization workflow.
The needed study is then acquired via the SALES PORTAL.
© Siemens CeBIT 2005 35
Setting a good example: References for Identity and Access Management
Sectors: Service Providers / ASPs; Financial Services; Public Sector; Industry; Others
References: European Union; Deutsche Telekom; Volkswagen AG; Italian Ministry of the Interior; Swiss Railways; Deutsche Gesellschaft für Technische Zusammenarbeit; Ontario Provincial Police; Gesundheitsnetz Stockholm (Stockholm health network); German Ministry of the Interior; Hong Kong; Stadtwerke München; LVA (German social insurance fund); AOK Bayern