Stephan Hendriks Eric IJpelaar - Identity access management in the cloud -
Upload: infosecurity2010 (category: Technology)
Transcript of Stephan Hendriks Eric IJpelaar - Identity access management in the cloud -
DSM ICT - Not to be used in any other publication without explicit approval of the presenters.

Identity & Access Management in the cloud
Stephan Hendriks, Eric IJpelaar
November 3, 2010
Actual photo of Dubai City, taken from atop the Burj Tower.
Agenda
• Setting the scene
  • Who are we?
  • Define the topics
  • Getting to know DSM
• The challenge
• The approach
• The solution
• Key takeaways
Stephan Hendriks

Eric IJpelaar

What is Cloud Computing?
• Wikipedia: you can search yourself
• ENISA report: cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technology
  • Highly abstracted resources
  • Near instant scalability and flexibility
  • Near instantaneous provisioning
  • Shared resources (hardware, database, memory)
  • Service on demand, usually with a "pay as you go" billing system
• Cloud Security Alliance view: a cloud offering is positioned along three axes: service model (SaaS, PaaS or IaaS), shared versus dedicated, and external versus internal
What is Identity and Access Management?
• DSM definition: the business processes, policies (including enforcement of these policies) and technologies that enable organizations to provide the right people with the right access, at the right time, to applications and resources, while protecting confidential, personal and business information against unauthorized users.
DSM is everywhere

Focus on Life Sciences and Materials Sciences
• Life Sciences: Nutrition, Pharma
• Materials Sciences: Performance Materials, Polymer Intermediates
• Emerging Business Areas (EBAs)
• Themes: Health and Wellness; Climate and Energy; Functionality and Performance; Emerging Economies
DSM Mission

The planet is our Care™ - Hidden Hunger, a global challenge
• Definition: enough calories to stay alive, but not enough vitamins and minerals to be mentally and physically healthy
• Over 2 billion people affected worldwide, claiming 10 million lives every year
• DSM involvement: recognition, partnering, business, Nutrition Improvement Program
Innovation is our Sport™
• DSM Composite Resins, Olympic sailing 470 class racing dinghy: stiffness +120%, strength +200%, 2.5% less weight. Silver for Berkhout and de Koning!
• Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months after market introduction!
DSM ICT BV - organisation and governance, some figures
• Affiliate locations (6): Sittard, Basel, New York, Sao Paulo, Shanghai, Singapore
• DSM-ICT organization: 500+ employees, 15 nationalities, world-wide centralized ICT organization, ~90% of Business Group ICT spending by DICT, high level of standardization
• Services: 230 sites, 48 countries, 19,000 end-user workstations, 10,000 SAP users, ca. 1,600 business applications
• Total DSM employees: 23,000
Agenda
• Setting the scene
• The challenge
  • The new Strategic Vision
  • The new Process Model
  • The architecture balancing act
• The approach
• The solution
• Key takeaways
The new strategic vision: entering a new era of growth
DSM in motion: driving focused growth, in One DSM, through Life Sciences and Materials Sciences addressing key global trends and exploiting cross-fertilization:
• High Growth Economies: from reaching out to becoming truly global
• Innovation: from building the machine to doubling the output
• Sustainability: from responsibility to business driver
• Acquisitions & Partnerships: from portfolio transformation to growth
• Nutrition: continued value growth
• Pharma: leveraging partnerships for growth
• Performance Materials: growing via innovative sustainable solutions
• Polymer Intermediates: strengthening backward integration for DEP
• EBAs: building new growth platforms
The necessity of change
• Better information and knowledge sharing
• Improving collaboration inside and outside the enterprise (e.g. federation)
• Efficiency in our work
• Anticipating organizational change and growth (agility)
• Quick onboarding of mergers and acquisitions
• Impacting people / behaviors, processes, information management and tools
The new DSM Process Model: Apollo 2.0
• Aligning the Business Process Model with the "new DSM"
The balancing act in platform management
• Speed in delivering new functionality
• Divestments / M&A
• Complex IT platform with many components
• End-to-end testing and documenting
• Standard versus harmonized versus local
• Impact assessment of changes
• Project dependencies
• Insight in business controls & compliance
Agenda
• Setting the scene
• The challenge
• The approach
  • Architecture as structure
  • Internet Centric
• The solution
• Key takeaways
Critical success factors require good enterprise architecture
• Many people involved, one approach
• Create buy-in with all stakeholders
• End to end
• Roadmap based, incremental implementation
• Each step needs to have a business need
• Architecture as structure: TOGAF
Top-down translation of the strategy to the Business Model
• Translate the business strategy into a Business Model / Business Priorities Guide
• DSM: information plans per Business Group as input
• Incremental delivery in 1½ to 2 years
IT Platform Management
• From Business Model / Business Priorities Guide to Platform Discussion Guide
• All consolidated Platform Discussion Guides are translated into an integral ICT Roadmap
• Platform development follows and supports the business priorities
Architecture principles as guideline
Derived from the Business Strategy and the IT Strategy:

Design Principles:
1. Standardization
2. Simplification
3. Consolidation & Centralization
4. Evolutionary implementation
5. Independent Service Blocks
6. Minimize On Site support
7. DSM Ownership
8. Portability
9. Information Oriented
10. Data is an asset

Visionary Principles:
• Internet Centric
• Cloud Computing/Utilization
• Consumerization
• Agility
Explanation of the visionary principles
• Internet Centric: using Internet technology to connect end-nodes, and striving for zero-footprint end-user devices.
• Cloud Computing/Utilization: on-demand services that can be charged based on usage.
• Consumerization: consuming services with any tool, any product or any device that is common in the ICT consumer market.
• Agility: dynamic services that can be easily and quickly added, changed, or removed.
The core principle 'Internet Centric' visualized
End-nodes (non-trusted computer, trusted PDA, trusted smartphone, trusted desktop, trusted laptop) connect over Internet-technology-based connectivity to the DSM Data Center and to SaaS providers.
Taking into account security risks & legal requirements
• Moving to the consumer market means:
  • Brand & intellectual property protection becomes more important
  • Reputation damage has a bigger influence on shares and sales
  • FDA and other regulations become more important
• Changing the use of ICT means ensuring the level of trust at every layer:
  • Person/identity: be sure that the user is the person he/she claims to be
    • Multi-factor authentication: e.g. a digital certificate on a token, or derived from an authentication action (e.g. iris scan)
  • Device/end-node: be sure that the connected device is OK
    • Certificates for DSM end-user devices
    • Certificates for end-nodes/servers
  • Application: be sure that the application is the one approved for DSM
    • Check it is a trusted DSM application with the correct certificate and licenses
  • Data: be sure you can trust the (integrity of the) data
    • Data access control
    • Encryption
    • Enterprise Rights Management
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
  • Integrated Roadmap
  • Identity & Access Management
  • Example: SharePoint 2010
• Key takeaways
Integrated Roadmap (key projects), from today towards the new generation ICT:
• Next Generation Network
• Identity & Access Management
• Enterprise Search
• New Workplace
• Business Process Management
• SharePoint 2010
• EDM
• Data Protection
• Site Server Redesign
• HR System of Record
• IRM/DRM
• Master Data Management
Identity and Access Management in the Cloud
• Important element in an integrated roadmap towards a new generation ICT
• Next to a culture change / new WOW program
Objectives for IAM Solution

Objective: Support the Internet Centric vision and SaaS computing
  From: Different credential management and authentication methods for different applications, and no secure authentication data transfer over the internet to get access to SaaS applications.
  To: Common security / regulatory compliant processes and tools that support secure, uniform data transfer for authentication over the internet.

Objective: Comply with security and regulatory requirements
  From: Different credential management and authentication methods for different applications. Lack of visibility and control over access policies and use.
  To: Common security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed, policy based access controls.

Objective: Reduce development and operational costs
  From: Application specific implementations for identity and account management and access control. Multiple components requiring complex (custom) integration.
  To: A single platform for common functionality (e.g. web access management). Integrated IAM platform based on out of the box tooling.

Objective: Ease of use / simplicity for all users (internal and external) who interact with DSM
  From: Network based access controls. Multiple user ids/passwords for different applications. No service based concepts (SOA / BPM).
  To: Identity based access, any time, anywhere, to applications and services in the DSM network or internet domain. Single sign-on based on common credentials, for internal and external users. Federated access/SSO to SaaS solutions.

Objective: Integrated IAM process and tools (efficient and effective response to new/changed users)
  From: Fragmented identity management systems with separation of internal / external. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination.
  To: Integration of internal and external identities in one process. Automated process for user provisioning / de-provisioning to main business applications.
Identity & Access Management - a simplified picture
1. Tactical Identity & Access Model Management: access modeling (user vs. role, roles vs. rights).
2a. Operational User Management: request form, new user 'form', approval process.
2b. Provisioning: user vs. rights, pushed to the target systems.
3a. Use: users / admins authenticate, are authorized and 'use' the target systems with their credentials (e.g. username / password).
4. DSM employee management: the HR systems (new staff, retirement, resignation, transfer) feed the Identity & Access Store; check if identities are in sync.
• What are the drivers for the business to quickly remove leavers and add joiners?
• Who is responsible for which data field?
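The sync check in step 4 and the two questions above are where leaver and joiner handling usually fails in practice. The following is an added example, not DSM's tooling and not code from the presentation: a reconciliation run over the three sources in the picture, the HR system of record, the identity & access store, and the rights the target systems actually report as provisioned. Every record, role name, target system and field name below is constructed sample data and an assumption of this example.

```python
"""Joiner / leaver / rights-drift reconciliation across the three sources in the
IAM picture: the HR system of record, the identity & access store, and the rights
actually provisioned on target systems.

Added example for this transcript, not DSM's tooling. Every record, role, system
and field name below is constructed sample data (an assumption, not from the page)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

# Step 1 (tactical model): which rights each role implies, per target system.
ROLE_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "lab-chemist": {"LIMS": {"read", "write"}, "SAP": {"display"}},
    "controller": {"SAP": {"display", "post-journal"}},
    "contractor-engineer": {"LIMS": {"read"}},
}

@dataclass(frozen=True)
class HrRecord:                 # step 4: HR system of record
    employee_id: str
    status: str                 # "active" or "left"
    role: str
    end_date: Optional[date] = None

@dataclass
class Identity:                 # steps 2a/2b: identity & access store
    employee_id: str
    account: str
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True

def expected_rights(roles, model=ROLE_RIGHTS):
    """Rights a user should hold, derived from roles (user vs. role, roles vs. rights)."""
    out: Dict[str, Set[str]] = {}
    for role in roles:
        for system, rights in model.get(role, {}).items():
            out.setdefault(system, set()).update(rights)
    return out

def reconcile(hr, identities, provisioned, today):
    """Return the actions a provisioning run must take to bring the sources back in sync."""
    hr_by_id = {r.employee_id: r for r in hr}
    ident_by_emp = {i.employee_id: i for i in identities}
    actions = {"provision": [], "deprovision": [], "excess": [], "missing": []}

    # Joiners: active in HR but no identity yet.
    for rec in hr:
        if rec.status == "active" and rec.employee_id not in ident_by_emp:
            actions["provision"].append(rec.employee_id)

    for ident in identities:
        rec = hr_by_id.get(ident.employee_id)
        # Leavers (and orphans): not active in HR, or past their end date, but account still enabled.
        gone = rec is None or rec.status == "left" or (rec.end_date is not None and rec.end_date <= today)
        if gone:
            if ident.enabled:
                actions["deprovision"].append(ident.account)
            continue
        # Drift: compare what target systems report against what the role model allows.
        want = expected_rights(ident.roles)
        for system, holders in provisioned.items():
            held = holders.get(ident.account, set())
            allowed = want.get(system, set())
            for right in sorted(held - allowed):
                actions["excess"].append((ident.account, system, right))
            for right in sorted(allowed - held):
                actions["missing"].append((ident.account, system, right))
    return actions

# Constructed sample data: one joiner, one leaver still enabled, one over-provisioned contractor.
HR = [
    HrRecord("100001", "active", "lab-chemist"),
    HrRecord("100002", "left", "controller", end_date=date(2010, 10, 15)),   # resigned
    HrRecord("100003", "active", "controller"),                              # new staff, no account yet
    HrRecord("900001", "active", "contractor-engineer"),                     # 3rd party hired by DSM
]
IDENTITIES = [
    Identity("100001", "jdoe", {"lab-chemist"}),
    Identity("100002", "asmith", {"controller"}),            # leaver, never disabled
    Identity("900001", "contractor7", {"contractor-engineer"}),
]
PROVISIONED = {   # what each target system reports it has granted (constructed)
    "LIMS": {"jdoe": {"read", "write"}, "contractor7": {"read", "write"}},
    "SAP": {"jdoe": set(), "asmith": {"display", "post-journal"}},
}

def run(today=date(2010, 11, 3)):
    return reconcile(HR, IDENTITIES, PROVISIONED, today)

if __name__ == "__main__":
    for action, items in run().items():
        print(f"{action}: {items}")
```

Run on the sample data it reports one joiner to provision, one leaver whose account is still enabled, one right the contractor holds beyond the role model, and one right a user should have but does not. The deprovision list is the one to act on first: "unreliable procedures for revoking access on employee termination" in the objectives table is exactly the class of finding this comparison surfaces, and it only works if HR is really the system of record for the end date, which is what the "who is responsible for which data field" question is about.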
Requirements for the authentication process
• It should be as independent as possible of the authentication mechanism being used (smart card, token, mobile phone), but should support strong/multi-factor authentication (having something and knowing something)
• Could support physical access and logical access in one authentication mechanism / card / token
• It should be possible to identify external users personally where we want to (not only trust the company, so that everybody from that company can access)
• When working externally or internally, the authentication process and the screen the DSM user sees should be the same
• Business partners' employees, contractors, and DSM employees should authenticate in the same way
• The solution should be as general as possible, but DSM should strive to limit the number of authentication protocols
End Goal for Authentication & Single Sign On
• A single experience for employees and business partners in accessing in-house applications and outsourced functions
• One mainstream identity that is recognized by every application
• Across Enterprise A, Enterprise B and Enterprise C: user interaction, web based interaction and web service invocation
Moving towards an Open Enterprise
• SSO layers: Web SSO / WAM, Enterprise SSO, Cloud SSO, Claims Authentication
• Applications: E-business, SAP, EDM, SaaS applications
• External identity providers: OpenID / Google (STS), Live ID / Windows (STS)
Protocol stack:
1. SAML
2. WS-Federation
3. RADIUS
4. Kerberos (internal)
Access and Authentication - a simplified picture
(timeline figure; only the axis label "Time" survives in the transcript)
Example - SharePoint 2010
User type (directory service) | Device | Location | Authentication | SharePoint content
DSM employee or 3rd party hired by DSM (DSM Directory) | DSM workstation | Internal / VPN | SSO | Intranet, Team Sites, My Site
DSM employee or 3rd party hired by DSM (DSM Directory) | Any device | Internet | User name / password | Intranet, Team Sites, My Site
3rd party not hired by DSM (Extranet Directory) | Any device | Internet | User name / password | Team Sites, Presentation
Target: any device, over the Internet, to all authorized applications. Roadmap towards that target:
• Gradual addition of devices
• Gradual addition of (cloud) services
• Roll out of SSO / Federation / (Strong) Authentication
• Roll out of Identity Management and Data Protection
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
• Key takeaways

Key takeaways
• Delivery of the Business Strategy through good enterprise architecture
• Internet Centric as a core principle towards collaboration and innovation
• Security requirements and measures currently in use conflict with, or are unclear for, internet-centric collaboration and innovation, and need to be updated
• It is a continuous evolutionary process
• I&AM is an essential part
• You need to change the culture (new WOW) as well