Stefan Hendriks - Erik IJpelaar, Infosecurity - Identity & Access Management in the Cloud
Presentation Transcript

    • Identity & Access Management in the cloud
      Stephan Hendriks, Eric IJpelaar
      March 23, 2011
      Infosecurity Brussels 2011, Page 0
      Classification: Only to be used in other publications after explicit approval of the authors
      (Cover image: actual photo of Dubai City, taken from atop the Burj Tower.)
    • Agenda
      • Setting the scene
        – Who are we?
        – Define the topics
        – Getting to know DSM
      • The challenge
      • The approach
      • The solution
      • Key takeaways
    • Stephan Hendriks
    • Eric IJpelaar
    • What is Cloud Computing?
      • Wikipedia: you can search yourself
      • ENISA report: Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computer technology
        – Highly abstracted resources
        – Near instant scalability and flexibility
        – Near instantaneous provisioning
        – Shared resources (hardware, database, memory)
        – Service on demand, usually with a “pay as you go” billing system
      • Cloud Security Alliance view: deployment models Internal / External and Dedicated / Shared, set against the service models SaaS, PaaS and IaaS
    • Building blocks of Identity & Access Management
    • What is Identity and Access Management?
      Identity Management Project:
      • One integrated identity base.
      • Automated user management
        – Provision users to target systems based on available authoritative sources and administration processes.
      • Automated entitlement or authorization management
        – Managing access based on user characteristics: e.g. function, location, context, etc.
        – Active monitoring of SoD violations
      • User self service
        – Request and approval for access to resources
        – Account password reset / forgotten password
        – Update profile information in case no authoritative source exists
      Access Management Project:
      • (Web) Single Sign-on, Policy enforcement (WAM) and Strong authentication
        – On and off premise... (i.e. federated apps, cloud apps, (legacy) web apps, anytime, anyplace, any device)
        – Providing access based on user and context characteristics
    • DSM is everywhere
    • Focus on Life Sciences and Materials Sciences
      (Figure: Life Sciences – Nutrition, Pharma; Materials Sciences – Performance Materials, Polymer Intermediates; Emerging Business Areas (EBAs) – Climate and Energy, Health and Wellness, Functionality and Performance, Emerging Economies)
    • DSM Mission: People, Planet, Profit
    • The planet is our Care™
      Hidden Hunger – a global challenge. Definition:
      • Enough calories to stay alive, but
      • Not enough vitamins and minerals to be mentally and physically healthy
      Over 2 billion people affected worldwide, claiming 10 million lives every year
      Nutrition Improvement Program: Partnering, Involvement, Recognition, Business
    • Innovation is our Sport™
      • Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months of market introduction!
      • DSM Composite Resins, Olympic sailing 470 class racing dinghy: Stiffness +120%, Strength +200%, 2,5% less weight. Silver for Berkhout and de Koning!
    • DSM ICT BV Organisation and Governance
      Some figures…
      • DSM-ICT organization: Employees 500+, Nationalities 15, Affiliate locations 6, Services world-wide (locations shown: Sittard, Basel, New York, Shanghai, Singapore, Sao Paulo)
      • DSM: Sites 230, Countries 48, End-user workstations 19.000, SAP users 10.000, Business applications ca. 1600, Total DSM employees 23000
      • Centralized ICT organization; BG ICT spending ~90% by DICT; High level of standardization
    • Agenda
      • Setting the scene
      • The challenge
        – The new Strategic Vision
        – The new Process Model
      • The approach
      • The solution
      • Key takeaways
    • The new strategic vision: entering a new era of growth
      • High Growth Economies: from reaching out to becoming truly global
      • Innovation: from building the machine to doubling the output
      • Sustainability: from responsibility to business driver
      • Acquisitions & Partnerships: from portfolio transformation to growth
      • Life Sciences: Nutrition – continued value growth; Pharma – leveraging partnerships for growth
      • Materials Sciences: Performance Materials – growing via innovative sustainable solutions; Polymer Intermediates – strengthening backward integration for DEP
      • EBAs: building new growth platforms
      • Addressing key global trends and exploiting cross fertilization in One DSM
      DSM in motion: driving focused growth
    • The necessity of change
      • Better information and knowledge sharing
      • Improving collaboration inside and outside the enterprise (e.g. federation)
      • Efficiency in our work
      • Anticipating organizational change and growth (agility)
      • Quick on-boarding of mergers and acquisitions
      • Impacting … People / Behaviors, Information Management, Processes, Tools
    • The new DSM Process Model: Apollo 2.0
      • Aligning the Business Process Model with the “new DSM”
    • Agenda
      • Setting the scene
      • The challenge
      • The approach
        – Architecture as structure
        – Architectural Principles
      • The solution
      • Key takeaways
    • Critical success factors require good enterprise architecture (TOGAF)
      • Many people involved, 1 approach
      • Create buy-in with all stakeholders
      • End to end
      • Roadmap based incremental implementation
      • Each step needs to have a business need
      Architecture as structure
    • Architecture principles as guideline
      Business Strategy (High Growth Economies, Innovation, Sustainability, Acquisitions & Partnerships) → IT Strategy
      Visionary Principles:
      • Internet Centric
      • On Demand
      • Consumerization
      • Design for Agility
      Design Principles:
      1. Standardization
      2. Simplification
      3. Share Unless
      4. Evolutionary Implementation
      5. Independent Service Blocks
      6. Minimize On Site support
      7. IT Responsibility
      8. Transferable Services
      9. Information Oriented
      10. Data is an Asset
    • Explanation visionary principles
      • Internet Centric: using Internet technology to connect end-nodes and striving for zero DSM-foot-printed end-user devices.
      • On Demand: services that can be charged based on usage.
      • Consumerization: consuming services with any tool, any product or any device that is common in the ICT consumer market.
      • Design for Agility: dynamic services that can be added, changed or removed easily and fast.
    • The core principle ‘Internet Centric’ visualized
      (Figure: zero DSM-foot-printed end-user devices – DSM-controlled laptop, desktop, PDA and smartphone; non-DSM-controlled computer and smartphone – connecting over Internet-technology based connectivity to the DSM Data Center(s) and SaaS Provider; Internet–resistance)
    • Taking into account security risks & legal requirements
      • Moving to the consumer market means:
        – Brands & Intellectual property protection becomes more important
        – Reputation damage has a bigger influence on shares and sales
        – FDA and other regulations become more important
      • This leads to changing the use of ICT, which means ensuring the level of trust in:
        – Person/identity: be sure that the user is the person he/she claims to be
          • Multi factor authentication: e.g. a digital certificate on a token, or derived from an authentication action (e.g. iris scan)
        – Device/end-node: be sure that the device connected is OK
          • Certificate for DSM end-user devices
          • Certificates for end-nodes/servers
        – Application: be sure that the application is the approved one for DSM
          • Check it is a trusted DSM application with correct certificate licenses
        – Data: be sure you can trust the (integrity of) data
          • Data Access Control, Encryption, Data Loss Prevention, Enterprise Rights Management
    • Agenda
      • Setting the scene
      • The challenge
      • The approach
      • The solution
        – Integrated Roadmap
        – Identity & Access Management
        – Example: SharePoint 2010
      • Key takeaways
    • Integrated Roadmap (key projects)
      (Figure: timeline from today onwards with the key projects: New generation EDM, Master Data Management, ICT Business Process Management, Enterprise Search, DLP/DRM, SharePoint 2010, ISM Self user Portal, Identity & Access Management, New Workplace, Data encryption, Site Server Redesign, HR System of Record, Folder access Mgt, Next Generation Network)
    • Objectives for IAM Solution
      Objective: Support Internet Centric Vision and SAAS computing.
        From: Different credential management and authentication methods for different applications, and no secure data transfer over the internet to get access to SAAS applications.
        To: Common security / regulatory compliant processes and tools that support secure, uniform authentication data transfer over the internet.
      Objective: Integrated IAM process and tools (efficient and effective response to new/changed users).
        From: Fragmented identity management systems with separation of internal / external. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination.
        To: Integration of internal and external identities in one process. Automated process for user provisioning / de-provisioning to main business applications.
      Objective: Ease of use / simplicity for all users (internal and external) who interact with DSM.
        From: Network based access controls. Multiple user id/passwords for different applications. No service based concepts (SOA / BPM).
        To: Identity based access any time, anywhere to applications and services in the DSM network or internet domain. Single sign on based on common credentials, for internal and external users. Federated access/SSO to SAAS solutions.
      Objective: Reduce development and operational costs.
        From: Application specific implementations for identity and account management and access control. Multiple components requiring complex (custom) integration.
        To: A single platform for common functionality (e.g. web access management). Integrated IAM platform based on out of the box tooling.
      Objective: Comply with security and regulatory requirements.
        From: Different credential management and authentication methods for different applications. Lack of visibility and control over access policies and use.
        To: Common security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed policy based access controls.
    • IAM Program – Key relations to other initiatives
      (Figure: System(s) of record – Global Employee Data Management, Aurora, AD, Email4All – feeding the IAM Program (IM Project, AM Project), which relates to Apollo, Portal, ERP, BPM, ECM, the Collaboration Journey and User Self-service / User Portal. Open questions noted on the slide: Who should add? HR is monthly / ICT provisions next day; IAM in relation to Service Management; Integrated reporting?)
    • Identity & Access Management – a simplified picture
      1. Tactical: Identity & Access Model Management – who is responsible for which data field! Access Modeling: Roles vs. Rights.
      2a. Operational User Management: a new user request (‘Form’) goes through an approval process into the Identity & Access User Store (User vs. Role vs. Rights).
      2b. Provisioning: target system provisioning delivers users / admins, authentication credentials (e.g. username / password) and authorization to the target systems.
      3a. Use: the user authenticates to and uses the target system.
      4. DSM employee management: HR systems handle new staff, transfer, resignation and retirement; check if identities are in sync. What are the drivers for the business to quickly remove leavers and add joiners!
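The two control points the slides keep returning to are the sync check between the HR system of record and the accounts that actually exist in target systems (slide 27: "check if identities are in sync", "quickly remove leavers and add joiners") and the active monitoring of SoD violations (slide 6). The following is an added example, not DSM's code or tooling, of how such a reconciliation is computed: it takes an HR extract and a target-system account export (both constructed sample data here), reports joiners without an account, leavers who still have one, orphan accounts with no HR owner, and accounts whose role combination breaks a constructed SoD rule. The record shapes, role names and the as-of date are assumptions for illustration.

```python
"""Joiner/leaver reconciliation and SoD check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                 # "active", "resigned" or "retired" (assumed vocabulary)
    end_date: Optional[date]    # last working day for leavers, None if not known


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None when the account is linked to nobody in HR
    roles: FrozenSet[str]


# Constructed sample: what the HR system of record knows on the as-of date
HR_RECORDS: List[HrRecord] = [
    HrRecord("E100", "active", None),
    HrRecord("E101", "active", None),                   # joiner, no account yet
    HrRecord("E102", "resigned", date(2011, 2, 28)),    # left last month
    HrRecord("E103", "active", None),
    HrRecord("E104", "resigned", date(2011, 4, 30)),    # leaving next month, still entitled
]

# Constructed sample: accounts found in a target system export
TARGET_ACCOUNTS: List[Account] = [
    Account("jdoe", "E100", frozenset({"sharepoint_user"})),
    Account("asmith", "E102", frozenset({"sharepoint_user"})),
    Account("bwong", "E103", frozenset({"create_vendor", "approve_payment"})),
    Account("cvanderberg", "E104", frozenset({"sharepoint_user"})),
    Account("svc_legacy", None, frozenset({"admin"})),   # no HR owner at all
]

# Constructed SoD rules: one person must never hold both roles of a pair
SOD_RULES: List[FrozenSet[str]] = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_user", "approve_access"}),
]

LEFT_STATUSES = {"resigned", "retired"}


def has_left(rec: HrRecord, as_of: date) -> bool:
    """True when HR says the person is gone on the as-of date."""
    if rec.status not in LEFT_STATUSES:
        return False
    # A leaver with an unknown end date is treated as already gone (fail closed).
    return rec.end_date is None or rec.end_date <= as_of


def reconcile(hr_records: List[HrRecord], accounts: List[Account],
              sod_rules: List[FrozenSet[str]], as_of: date) -> Dict[str, list]:
    """Compare HR (authoritative source) against target-system accounts."""
    hr_by_id = {r.employee_id: r for r in hr_records}
    linked_ids = {a.employee_id for a in accounts if a.employee_id is not None}

    # Joiners: current staff with no account in the target system
    missing_joiners = sorted(r.employee_id for r in hr_records
                             if not has_left(r, as_of) and r.employee_id not in linked_ids)
    # Leavers: accounts whose HR owner has already left
    leavers_with_access = sorted(a.username for a in accounts
                                 if a.employee_id in hr_by_id
                                 and has_left(hr_by_id[a.employee_id], as_of))
    # Orphans: accounts with no HR owner, or an owner HR has never heard of
    orphan_accounts = sorted(a.username for a in accounts
                             if a.employee_id is None or a.employee_id not in hr_by_id)
    # SoD: an account holding every role of a forbidden pair
    sod_violations = sorted((a.username, tuple(sorted(rule)))
                            for a in accounts for rule in sod_rules if rule <= a.roles)
    return {
        "missing_joiners": missing_joiners,
        "leavers_with_access": leavers_with_access,
        "orphan_accounts": orphan_accounts,
        "sod_violations": sod_violations,
    }


if __name__ == "__main__":
    # As-of date constructed to match the talk date
    for finding, items in reconcile(HR_RECORDS, TARGET_ACCOUNTS, SOD_RULES, date(2011, 3, 23)).items():
        print(f"{finding}: {items}")
```

Run against the constructed data, the report lists E101 as a joiner still waiting for an account, asmith as a leaver whose access was never revoked, svc_legacy as an orphan with no accountable owner, and bwong as an SoD violation. The point of keeping "missing joiners" and "leavers with access" as separate findings is that they have different owners in the provisioning process: the first is a service-level problem (HR runs monthly, ICT provisions next day), the second is a control failure that should drive the de-provisioning step.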
    • Requirements for the authentication process
      • It should be as independent as possible of the authentication mechanism you are using (smart card, token, mobile phone) but should support strong/multifactor authentication (having something and knowing something)
      • Could support physical access and logical access in one authentication mechanism / card / token
      • External users whom we want to identify personally (not only trusting the company so that everybody of the company can access) should be possible
      • When working externally or internally, the authentication process and the screen the DSM user will see should be the same
      • Business partners’ employees, contractors, and DSM employees should authenticate in the same way
      • The solution should be as general as possible, but DSM should strive to limit the number of authentication process protocols
    • Moving towards an Open Enterprise
      Protocol stack (over time):
      1. SAML
      2. WS-Federation
      3. Radius
      4. Kerberos (internal)
    • Example – SharePoint 2010
      Columns: DSM employee or 3rd party hired by DSM (two cases) | 3rd party not hired by DSM
      • User Type / Directory Service: DSM Directory | DSM Directory | DSM Extranet Directory
      • Device: DSM Workstation | Any Device | Any Device
      • Location: Internal / VPN | Internet | Internet
      • Authentication: SSO | User name / Password | User name / Password
      • Presentation: All authorized Intranet applications | Team Sites | Team Sites, My Site
      Roadmap: gradual addition of devices; roll out of SSO / Federation / (Strong) Authentication; gradual addition of (cloud) services; roll out of Identity Management and Data Protection
    • Agenda
      • Setting the scene
      • The challenge
      • The approach
      • The solution
      • Key takeaways
    • Key takeaways
    • DSM – Questions