SIcurity Identity and Access Management Hanover, CeBIT 2005.


Transcript of SIcurity Identity and Access Management Hanover, CeBIT 2005.

Page 1: SIcurity Identity and Access Management Hanover, CeBIT 2005.

SIcurity Identity and Access Management

Hanover, CeBIT 2005

Page 2

Protection: „block the bad guys“
Enabling: „support the good guys“
Security policy: „find the loopholes“

Only an IT Security company like Siemens is able to cover everything

MegaTrends

The Security Challenge / Why Siemens?

Page 3

Challenges for Identity and Access Management

Avoiding security breaches

Cutting administrative costs

Avoiding productivity gaps

Maintaining data quality

Avoiding island solutions

Ensuring regulatory compliance

Page 4

Scenario Highlights

Automated, policy-based and role-based user provisioning

Password management and password synchronization

Access management and single sign-on for web portals and web-based applications

Self-registration, approval workflow and delegated administration for web portals in B2B environments

Page 5

Scenario: Situation Today

User groups: Employees, Partners, B2B, Customers
IT resources: Sales, Marketing, Finance, Logistics

Multiple users seeking access to numerous IT resources, resulting in many administrators repetitively establishing and revoking user access privileges.

Page 6

Scenario: Solution Tomorrow

User groups: Employees, Partners, B2B, Customers
IT resources: Sales, Marketing, Finance, Logistics

Identity Management (Meta Directory, Provisioning): Who needs which rights? Who needs access to what?
• Identities, Organizations, Applications
• User profiles, Roles & privileges, Business processes

Access Management: When is access granted?
• Rules, Policies, Conditions
• IT systems, Resources …

Page 7

Scenario: End-to-End, Secure eBusiness Processes

Parties: Headquarters/Factory, Customer, Partner, Supplier
Who, when, what, access to what?

Data items per party (unlabelled in the extracted figure):
• Equipment, Price list, Delivery date
• Prices, Equipment, Delivery dates, Suppliers, Service partner, End customer
• Prices, Factories, Delivery dates, Supplier, Service partner, Customer structure
• Prices, Equipment, Delivery dates, Partner, Service partner
• Unit costs, Other costs, Sales price

Access paths: Self-registration, VPN, Password
Identity and Access Management, Delegated Administration

Page 8

Your Benefits

Lower costs

Automated, centralized user administration

Lower costs for helpdesk and hotline services

Enhanced cost transparency for asset management

Increased productivity

Get new employees up and running quickly

Automated provisioning of accounts in connected systems

Ensure data quality by automatic synchronization

Increase in user productivity through fewer passwords

Improved security

Enterprise-wide transparency of access rights

Quick revocation of access rights

Precise monitoring of access rights

Page 9

Covering all vertical industry markets

Services/Logistics

Public/Health/Education

US ARMY

Media/Communications

Industry/Retail

Insurance/Banking

Page 10

Customer Reference: Financial Services – Generali

Challenge: Replacement of existing individual solutions for access and user rights for IT systems with a role-based management solution

Benefits:
• Improved productivity and availability
• Minimized administration and operating costs
• Lower costs thanks to simplified administration of user accounts

Solution: Role-based rights management for IT systems with DirXmetaRole

Page 11

Customer Reference: Financial Services – SwissRe

Challenge: A global system for user management in the customer portal for electronic reinsurance services

Benefits:
• Secure e-business
• Lower administration overhead, savings
• Improved quality of enterprise-wide data
• Better service for customers

Solution:
• DirX Metadirectory as a global directory service
• Web-based single sign-on solution
• Administration of customer and employee information
• User authentication

Page 12

Customer Reference: Industry – Audi AG

Challenge:
• Modernization of the communications directories
• Integration of the HR SAP R/3, Windows NT, Exchange and IBM OS/390 host directories
• Reduction in administration costs
• Stable use in the Audi/Volkswagen group network
• Full X.500/LDAP compliance

Benefits:
• Consistent user data at all times across all directories at departments, plants and subsidiaries
• Reliable access control thanks to unique, trusted identities
• Low administration costs

Solution:
• Unique digital identities thanks to Metadirectory as a digital identity store
• 60,000 entries (2003) on internal and external employees; target: 250,000 (Audi/VW network)
• Provisioning of corporate processes

Page 13

Customer Reference: Public Sector – GTZ (Gesellschaft f. Technische Zusammenarbeit)

Challenge:
• One central address book integrated in Microsoft's ADS and Office infrastructure
• Integration with SAP
• Migration from Novell office infrastructure to Windows 2000 / ADS

Benefits:
• Improved international communications
• Greater efficiency in administration
• Seamless integration of directory and Office products
• Efficiency at the workplace

Solution:
• DirX Metadirectory as a central directory for employees, partners and projects worldwide
• Allows administration processes of ADS to be automated
• Convenient user access via intranet or Windows applications

Page 14

ROI / Example Calculation: Company with 1000 Employees

Administration
• Savings in changing entries, including new employee entries and deletion of employee entries, of 20 hours a month: € 1,500
• Savings p.a.: € 18,000

Other effects
• More efficient searching for communications addresses
• Savings thanks to user self service
• Lower costs for developing own applications and running them
• Lower help desk / hotline costs (fewer passwords, i.e. fewer forgotten passwords)

Total purchase price (1st year): € 29,000
Savings in administration (per year): € 18,000

• Rights of use / licenses: € 15,000
  • Agents: Hicom DMS / DS-Win, Microsoft ADS, HiPath 4000 Manager
  • DirXweb: included in the basic package
• Service (non-recurring): € 14,000
• Total purchase price: € 29,000
• Monthly price (total, w/o service): € 826 (including software and other maintenance; basis: 3-year lease factor)
• Monthly price (per user): € 0.826

The investment pays off within just over one-and-a-half years!

Page 15

ROI / Example Calculation: Company with 1000 Employees – Monthly Savings

A return on the monthly lease is achieved given even slight savings in administration of user data!

Service: Time/effort x Internal standard rate = Costs
• Changes: 8 hours x € 75 = € 600
• New employees: 6 hours x € 75 = € 450
• Employees leaving: 6 hours x € 75 = € 450
• Total: € 1,500

New employees: When a new employee is hired, his or her master data must be entered in the systems
Employees leaving: Access to company resources must be withdrawn and the master data deleted
Changes: Temporary provision of company resources to external consultants, for example, and changes to master data

Page 16

Product Highlights

Identity Management

User and privilege management / delegated administration / approval workflow / role-based and rule-based provisioning / Metadirectory Synchronization / Password management / Audit and reporting

Directory

LDAPv3 Directory Server / X.500 Directory Server / DirX Manager – Graphical Administration Interface / DirX DSML – DSMLv2 Server (Web Service/XML/SOAP) / DirXweb for JSP Technology – Web Gateway (HTTP)

Access Management

Web Access Management / Authentication / Authorization / Web Single Sign-On / Self-service / Self-registration / Federation / Web Services Security / Audit

Page 17

HiPath - Total Business Communications Components

Business Applications
• HiPath ComScendo
• HiPath ProCenter
• HiPath OpenScape
• HiPath MobileOffice
• HiPath MetaManagement and HiPath QoS
• HiPath SIcurity
• HiPath Ready-Certified Applications
• Other Applications
• Huawei

Common Application Platform: HiPath Servers & Gateways
IP Infrastructure
optiClients, optiPoints and Portals

Page 18

Managed Services / Lifecycle Services / Professional Services

• Network Management

• Security Management

• Multi-Vendor Support

• Asset Management

• Communications Out-Tasking

• Service/Help Desk

• Technology Consulting

• Assessments

• Customization

• Systems Integration

• Design

• Project Mgmt

• Remote monitoring, diagnostics, reporting

• Hardware/software installation, maintenance, fixes, spare parts

• Moves, Adds, Changes (MAC)

• Training

Consult, Design, Build, Support, Educate, Manage

Our Services Portfolio

Page 19

Why Siemens?

HiPath SIcurity Identity and Access Management …

… offers fully-integrated solutions for IT and real-time communication environments.

… is the leader when it comes to PKI authentication, authorization and SAP integration.

Page 20

Thank you! Your Questions please!

Page 21

Back Up

Page 22

HiPath SIcurity Portfolio

HiPath SIcurity Solutions:
• Security Analysis and Consulting
• Smart Card-Based Solutions
• Identity & Access Management
• Network & System Security

It’s all right to laugh for who is allowed in
Only Mr. Right is welcome
The first step is always security
Protected in networks

Page 23

HiPath SIcurity: End-to-end, secure e-Business processes

Secure Business Processes: Sales, Marketing, Logistic
Identity Management: ID-Store and Provisioning (Content, User)
Access Control / Authentication: Enforcement of Security Policies, Secure Token
Network & Systems Security

Products: DirX, CardOS, Card API, DirXmetahub, DirXmetaRole, DirX Access

End-to-end processes from a single source
• End-to-end security solution
• Integrated product suite from authentication to Web access and SSO
• Seamless software integration

Page 24

Integrated Product Suite for Identity and Access Management

Functionality / Products:

Identity Management (DirXmetaRole, DirXmetahub): Self-Service, User Management, Workflow, Password Management, Metadirectory, Provisioning

Directory (DirX, DirX Extranet)

Access Management (DirX Access): Authentication, Federation, Web Access Management, Web Single Sign-on, Web Services Security

Audit / Accountability

Page 25

Without Identity and Access Management, costs rise dramatically

Chart: costs over time, with and without Identity and Access Management (Source: Bearing Point)
* Initial costs: project, hardware/software costs, data cleansing

Page 26

HiPath SIcurity DirX - Live Presentation: Identity and Access Management from a single source

Provisioning
• New hire: Creating new employee as a new identity
• Making the identity known: Distribution of identity to all IT/RTC systems

Change management
• Password changes (e.g. every 4 weeks) as per security policy
• Function change: Change of function within company (promotion, change of location, organizational change ...)
• Order process: Authorization workflow for procurement volume

Involved in process: Management, User, Admin

Page 27

IAM Demo: Enterprise and B2B Scenarios

MyCompany Intranet
• Human Resources (HR): Employee and change management
• Identity Management: DirXmetaRole, DirXmetahub
• Directory: DirX Extranet Edition
• Access Management: DirX Access
• Provisioning targets: Windows & Exchange, HiPath User Mgmt., Applications
• Employee self-service

MyCompany Extranet
• Supplier, Partner: Self-registration, delegated administration, password management

Page 28

IAM Demo: Steps

1. New employee Joe Doe joins MyCompany – HR creates employee record

2. Joe Doe’s record is synchronized to IT identity management and roles are assigned automatically

3. Provisioning of Windows account, mailbox, telephone and access to employee portal for Joe Doe

4. Joe Doe has access to MyCompany Intranet with default rights according to his role

5. Joe Doe requests additional privileges and approval workflow is initiated

6. Will Smith works for Ace Car Sales and registers for access to MyCompany’s Extranet; an approval workflow is initiated

7. The delegated administrator at Ace Car Sales approves the registration

8. Will Smith has access to MyCompany Extranet with default rights according to his role; Will Smith can manage his password and reset a forgotten password

Page 29

Making a New Employee Productive Quickly

Employee is hired

• ERP administration: Master data in HR or order processing system is generated and automatically provisioned to central directory
• Identity administration: Via the IAM platform, the appropriate roles are assigned to the employee; rules are stored based on the company’s security policies
• Permissions: The permissions corresponding to the role are set automatically; individual criteria, e.g. lifecycle, are entered in IAM
• Provisioning process: In the destination systems, intranet/extranet access, e-mail account (… and other) are automatically generated; individual rights for portals are set
• Productivity: Employee has the access rights and permissions defined in the roles

In minutes (HiPath SIcurity Identity & Access Management)

Page 30

Flexible Change Management: Change in function

Process: Human Resources (e.g. SAP HR) → HiPath SIcurity Identity & Access Management → Portal user management (and other target systems)

Resolution of the role “SALES” - Granting of rights “MARKETING”

Function change
A Sales employee is switching to Marketing on Feb. 1.
This function change is entered by the personnel department in the HR system.
The IAM system passes the function change to the Corporate Directory.
The Corporate Directory synchronizes the new function – with new rights – on the connected target systems.

January 31: Sales activities in Sales Portal
date change...
February 1: Ready to move: Marketing Portal
MARKETING PORTAL released
SALES PORTAL is no longer accessible

Page 31

Single Sign-on and Centralized Access Control Enforcement for all Web Applications

Sales process
• Mr. Maier needs a monthly report
• Mr. Maier wants to enter a customer contact
• Mr. Maier wants to enter the day’s travel expenses

Applications: Costs (KM entry, Additional costs), Customer (Contact, Order), Reports (Quarter, Month); logon with Name / Password

Benefits
• One-time authentication for all needed information, e.g. one password for all applications
• Fast, straightforward management of access rights
• Increased security through secure session management and scalable authentication features
• Lighter load on the hotline
• Faster ROI through savings in administration and for users

Page 32

Flexible Change Management: Uniform password for several applications

Process: First logon → Change of password → a little later... → Ready to Work: Employee Portal

Windows 2000 ADS → DirX Password Listener → Identity & Access Management (DirX Solutions) → Portal user management (and other target systems)

Password management
The change of the password following the prompt at first logon is recognized by the DirX Password Listener as a part of the IAM system.
The IAM system passes the password change to the central Corporate Directory.
The Corporate Directory synchronizes the changed password on the connected target systems: Employee Portal.
The changed password is available for access to the Employee Portal.

Page 33

Flexible Change Management: Authorization of an order

Process: Workflow → Identity & Access Management (DirX Solutions) → Portal user management

Authorization / order process
Sales employee needs and orders an analyst report that has to be authorized.
The IAM system handles the authorization process and automatically forwards the request to the management of Sales.
Following authorization by the management of Sales, the IAM system synchronizes the change in rights in the portal user management system.
Sales employee is informed by e-mail via the authorization workflow.
The needed study is then acquired via the SALES PORTAL.

Steps: Need for analyst report → Order of analyst report → Release via Sales mgmt → Ready to use: Sales Portal
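Added example (not Siemens or DirX code, and not part of the original deck): a small Python model of the role-based provisioning these slides walk through, covering the new-hire and leaver cases (Pages 28 and 29), the dated Sales-to-Marketing function change with its portal swap (Page 30), and the approval-gated order of an analyst report (Page 33). The rule tables, target systems, right names, the uid "joe.doe" and the approver "sales_management" are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed rules: business function -> role -> rights in target systems.
FUNCTION_TO_ROLE = {"Sales": "SALES", "Marketing": "MARKETING"}
ROLE_TO_RIGHTS = {
    "SALES": {("windows", "account"), ("exchange", "mailbox"), ("portal", "SALES_PORTAL")},
    "MARKETING": {("windows", "account"), ("exchange", "mailbox"), ("portal", "MARKETING_PORTAL")},
}
# Rights outside every role; each needs the named approver before it is provisioned.
APPROVAL_REQUIRED = {("portal", "ANALYST_REPORT"): "sales_management"}


@dataclass
class Identity:
    uid: str
    history: list = field(default_factory=list)   # (effective_date, function or None)
    extra_rights: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # right -> approver it is waiting for

    def function_on(self, day):
        """HR record in force on a given day (None: not yet hired, or has left)."""
        active = [f for d, f in sorted(self.history, key=lambda h: h[0]) if d <= day]
        return active[-1] if active else None


def resolve_rights(ident, day):
    """Role resolution for one day: function -> role -> rights, plus approved extras.
    A leaver resolves to no role, so everything, extras included, is revoked."""
    role = FUNCTION_TO_ROLE.get(ident.function_on(day))
    if role is None:
        return set()
    return set(ROLE_TO_RIGHTS[role]) | ident.extra_rights


def reconcile(current, desired):
    """Provisioning delta pushed to the target systems: (grant, revoke)."""
    return sorted(desired - current), sorted(current - desired)


def request_right(ident, right):
    """Start the approval workflow; returns the approver the request is forwarded to."""
    approver = APPROVAL_REQUIRED.get(right)
    if approver is None:
        raise ValueError(f"{right!r} cannot be ordered")
    ident.pending[right] = approver
    return approver


def approve(ident, right, approver):
    """Only the designated approver can release the right; it is then provisioned."""
    if ident.pending.get(right) != approver:
        return False
    del ident.pending[right]
    ident.extra_rights.add(right)
    return True


if __name__ == "__main__":
    joe = Identity("joe.doe", history=[(date(2005, 1, 1), "Sales")])
    before = resolve_rights(joe, date(2005, 1, 31))
    joe.history.append((date(2005, 2, 1), "Marketing"))     # function change on Feb. 1
    print(reconcile(before, resolve_rights(joe, date(2005, 2, 1))))
```

Running it prints the Feb. 1 delta: the Marketing portal is granted and the Sales portal revoked while the Windows account and mailbox are left untouched.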

Page 34

Setting a good example: References for Identity and Access Management

Categories: Service Providers / ASPs, Financial Services, Public Sector, Industry, Others

• Europäische Union (European Union)
• Deutsche Telekom
• Volkswagen AG
• Italienisches Innenministerium (Italian Ministry of the Interior)
• Schweizer Bahn (Swiss railways)
• Deutsche Gesellschaft für Technische Zusammenarbeit
• Ontario Provincial Police
• Gesundheitsnetz Stockholm (Stockholm health network)
• Deutsches Innenministerium (German Ministry of the Interior)
• Hong Kong
• Stadtwerke München
• LVA (German social insurance fund)
• AOK Bayern