Stephan Hendriks, Eric IJpelaar - Identity & Access Management in the cloud - Presentation Transcript

Identity & Access Management in the cloud
Stephan Hendriks, Eric IJpelaar
November 3, 2010
DSM ICT. Not to be used in any other publication without explicit approval of the presenters.
(Title slide photo: actual photo of Dubai City, taken from atop the Burj Tower.)
Agenda
• Setting the scene
  • Who are we?
  • Define the topics
  • Getting to know DSM
• The challenge
• The approach
• The solution
• Key takeaways
Stephan Hendriks (speaker introduction slide)
Eric IJpelaar (speaker introduction slide)
What is Cloud Computing?
• Wikipedia: you can search yourself
• ENISA report: cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technology
  • Highly abstracted resources
  • Near instant scalability and flexibility
  • Near instantaneous provisioning
  • Shared resources (hardware, database, memory)
  • Service on demand, usually with a "pay as you go" billing system
• Cloud Security Alliance view: a matrix of Internal / External and Dedicated / Shared deployment across SaaS, PaaS and IaaS
What is Identity and Access Management?
• DSM definition: the business processes, policies (including enforcement of these policies) and technologies that enable organizations to provide the right people with the right access, at the right time, to applications and resources, while protecting confidential, personal and business information against unauthorized users.
DSM is everywhere (world map of DSM locations)
Focus on Life Sciences and Materials Sciences
• Global trends: Climate and Energy; Health and Wellness; Functionality and Performance; Emerging Economies
• Life Sciences: Nutrition, Pharma
• Materials Sciences: Performance Materials, Polymer Intermediates
• EBAs (Emerging Business Areas)
DSM Mission (mission statement slide)
The planet is our Care™
• Hidden Hunger, a global challenge
  • Definition: enough calories to stay alive, but not enough vitamins and minerals to be mentally and physically healthy
  • Over 2 billion people affected worldwide, claiming 10 million lives every year
• Partnering, Involvement, Nutrition Improvement Program, Recognition, Business
Innovation is our Sport™
• Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months after market introduction!
• DSM Composite Resins in the Olympic sailing 470 class racing dinghy: stiffness +120%, strength +200%, 2.5% less weight. Silver for Berkhout and de Koning!
DSM ICT BV: Organisation and Governance
• Some figures on the DSM-ICT organization: 500+ employees, 15 nationalities, 6 affiliate locations (Sittard, Basel, New York, Shanghai, Singapore, Sao Paulo)
• Services: 230 sites, 48 countries, 19.000 end-user workstations, 10.000 SAP users, ca. 1600 business applications; 23000 DSM employees in total
• Centralized, world-wide ICT organization; ~90% of Business Group ICT spending goes through DICT; high level of standardization
Agenda
• Setting the scene
• The challenge
  • The new Strategic Vision
  • The new Process Model
  • The architecture balancing act
• The approach
• The solution
• Key takeaways
The new strategic vision: entering a new era of growth
• High Growth Economies: from reaching out to becoming truly global
• Innovation: from building the machine to doubling the output
• Sustainability: from responsibility to business driver
• Acquisitions & Partnerships: from portfolio transformation to growth
• Life Sciences: Nutrition, continued value growth; Pharma, leveraging partnerships for growth
• Materials Sciences: Performance Materials, growing via innovative sustainable solutions; Polymer Intermediates, strengthening backward integration for DEP
• EBAs: building new growth platforms
• One DSM: addressing key global trends and exploiting cross fertilization
• DSM in motion: driving focused growth
The necessity of change
• Better information and knowledge sharing
• Improving collaboration inside and outside the enterprise (e.g. federation)
• Efficiency in our work
• Anticipating organizational change and growth (agility)
• Quick on-boarding of mergers and acquisitions
• Impacting people / behaviors, information management, processes and tools
The new DSM Process Model: Apollo 2.0
• Aligning the Business Process Model with the "new DSM"
The balancing act in platform management
• Speed in delivering new functionality
• Divestments / M&A
• Project dependencies
• Complex IT platform with many components
• Insight into business controls and compliance
• Impact assessment of changes
• End-to-end testing and documenting
• Standard versus harmonized versus local
Agenda
• Setting the scene
• The challenge
• The approach
  • Architecture as structure
  • Internet Centric
• The solution
• Key takeaways
Critical success factors require good enterprise architecture (TOGAF)
• Many people involved, one approach
• Create buy-in with all stakeholders
• End to end
• Roadmap based incremental implementation
• Each step needs to have a business need
• Architecture as structure
Top down translation of the strategy to the Business Model
• Translate the business strategy into a Business Model / Business Priorities Guide
• DSM: information plans per Business Group as input
• Incremental delivery in 1.5 to 2 years
IT Platform Management
• From Business Model / Business Priorities Guide to Platform Discussion Guide
• All consolidated Platform Discussion Guides are translated into an integral ICT Roadmap
• Platform development follows and supports the business priorities
Architecture principles as guideline (from Business Strategy and IT Strategy to Visionary Principles and Design Principles)
• Visionary principles: Internet Centric; Cloud Computing / Utilization; Consumerization; Agility
• Design principles:
  1. Standardization
  2. Simplification
  3. Consolidation & Centralization
  4. Evolutionary implementation
  5. Independent Service Blocks
  6. Minimize on-site support
  7. DSM ownership
  8. Portability
  9. Information oriented
  10. Data is an asset
Explanation of the visionary principles
• Internet Centric: using Internet technology to connect end-nodes, and striving for zero-footprint end-user devices
• Cloud Computing / Utilization: on-demand services that can be charged based on usage
• Consumerization: consuming services with any tool, product or device that is common in the ICT consumer market
• Agility: dynamic services that can be added, changed or removed easily and fast
The core principle 'Internet Centric' visualized
(Diagram: a non-trusted computer and trusted desktop, laptop, PDA and smartphone connect, over connectivity based on Internet technology, to the DSM data center and to SaaS providers.)
Taking into account security risks and legal requirements
• Moving to the consumer market means:
  • Brand and intellectual property protection becomes more important
  • Reputation damage has a bigger influence on shares and sales
  • FDA and other regulations become more important
• Changing the use of ICT means ensuring the level of trust at each layer:
  • Person / identity: be sure that the user is the person he or she claims to be
    • Multi-factor authentication, e.g. a digital certificate on a token, or derived from an authentication action (e.g. iris scan)
  • Device / end-node: be sure that the connected device is OK
    • Certificates for DSM end-user devices
    • Certificates for end-nodes / servers
  • Application: be sure that the application is the one approved for DSM
    • Check that it is a trusted DSM application with the correct certificate and licenses
  • Data: be sure you can trust the (integrity of the) data
    • Data access control
    • Encryption
    • Enterprise Rights Management
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
  • Integrated Roadmap
  • Identity & Access Management
  • Example: SharePoint 2010
• Key takeaways
Integrated Roadmap (key projects, from today onwards)
• New generation EDM
• Master Data Management
• ICT Business Process Management
• Enterprise Search
• IRM/DRM
• SharePoint 2010
• Data Protection
• New Workplace
• Identity & Access Management
• Site Server Redesign
• HR System of Record
• Next Generation Network
Identity and Access Management in the Cloud
• An important element in an integrated roadmap towards a new generation of ICT
• Next to a culture change / new WOW (way of working) program
Objectives for the IAM Solution (from / to)
• Support the Internet Centric vision and SaaS computing
  From: different credential management and authentication methods for different applications, and no secure transfer of authentication data over the internet to get access to SaaS applications.
  To: common, security / regulatory compliant processes and tools that support secure, uniform transfer of authentication data over the internet.
• Integrated IAM process and tools (efficient and effective response to new or changed users)
  From: fragmented identity management systems with separation of internal and external users. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination.
  To: integration of internal and external identities in one process. Automated user provisioning and de-provisioning to the main business applications.
• Ease of use / simplicity for all users (internal and external) who interact with DSM
  From: network based access controls. Multiple user ids and passwords for different applications. No service based concepts (SOA / BPM).
  To: identity based access, any time and anywhere, to applications and services in the DSM network or internet domain. Single sign-on based on common credentials for internal and external users. Federated access / SSO to SaaS solutions.
• Reduce development and operational costs
  From: application specific implementations of identity and account management and access control. Multiple components requiring complex (custom) integration.
  To: a single platform for common functionality (e.g. web access management). An integrated IAM platform based on out-of-the-box tooling.
• Comply with security and regulatory requirements
  From: different credential management and authentication methods for different applications. Lack of visibility and control over access policies and their use.
  To: common, security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed, policy based access controls.
Identity & Access Management, a simplified picture
• 1. Tactical: Identity & Access Model Management. Who is responsible for which data field! Access modeling: roles vs. rights.
• 2a. Operational: User Management. New user 'form', approval process, request vs. role; users / admins.
• 2b. Provisioning to the target system: target system user store and target system credentials; form vs. rights.
• 3a. Use: authentication and authorization at the target system with credentials (e.g. username / password).
• 4. DSM employee management: HR systems (new staff, retirement, resignation, transfer). Check whether identities are in sync. What are the drivers for the business to quickly remove leavers and add joiners!
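The provisioning loop in the picture above, with the HR system of record driving joiner, mover and leaver actions against a target system's user store (and the "automated provisioning / de-provisioning" and "revoking access on termination" objectives), as an added worked example. This is not code from the deck or from DSM: the role model, the record layouts and the sample records are constructed assumptions, and a real implementation would read them from the HR system and the target application's administration interface.

```python
"""HR-driven joiner / mover / leaver reconciliation (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    department: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date]    # last working day, when HR already knows it


@dataclass(frozen=True)
class TargetAccount:
    username: str
    employee_id: Optional[str]  # None: account that was never linked to an HR identity
    roles: FrozenSet[str]
    enabled: bool


# Tactical layer: roles a department is entitled to by default (assumed role model).
ROLE_MODEL: Dict[str, FrozenSet[str]] = {
    "Finance": frozenset({"sap_fi_user"}),
    "R&D": frozenset({"edm_reader", "sharepoint_rd"}),
    "ICT": frozenset({"sharepoint_admin"}),
}


@dataclass
class Plan:
    """Actions the provisioning step must apply to the target system."""
    create: List[Tuple[str, List[str]]] = field(default_factory=list)
    enable: List[str] = field(default_factory=list)
    disable: List[str] = field(default_factory=list)
    grant: List[Tuple[str, str]] = field(default_factory=list)
    revoke: List[Tuple[str, str]] = field(default_factory=list)
    orphans: List[str] = field(default_factory=list)


def is_active(rec: HrRecord, today: date) -> bool:
    # A passed end date counts as a leaver even if HR has not flipped the status yet.
    return rec.status == "active" and (rec.end_date is None or rec.end_date > today)


def reconcile(hr: Iterable[HrRecord], accounts: Iterable[TargetAccount], today: date) -> Plan:
    hr = list(hr)
    accounts = list(accounts)
    by_employee = {a.employee_id: a for a in accounts if a.employee_id}
    known_ids = {r.employee_id for r in hr}
    plan = Plan()
    for rec in hr:
        acct = by_employee.get(rec.employee_id)
        wanted = ROLE_MODEL.get(rec.department, frozenset())
        if is_active(rec, today):
            if acct is None:                              # joiner
                plan.create.append((rec.email, sorted(wanted)))
                continue
            if not acct.enabled:
                plan.enable.append(acct.username)
            for role in sorted(acct.roles - wanted):      # mover: drop stale entitlements
                plan.revoke.append((acct.username, role))
            for role in sorted(wanted - acct.roles):
                plan.grant.append((acct.username, role))
        elif acct is not None and acct.enabled:           # leaver: disable, keep for audit
            plan.disable.append(acct.username)
    for acct in accounts:                                 # identities HR cannot vouch for
        if acct.employee_id is None or acct.employee_id not in known_ids:
            plan.orphans.append(acct.username)
    return plan


# Constructed sample input: Bob's end date has passed, Carol is new, Dave moved
# from Finance to R&D, svc_legacy was never linked, and E999 is unknown to HR.
HR_RECORDS = [
    HrRecord("E001", "alice@example.com", "Finance", "active", None),
    HrRecord("E002", "bob@example.com", "R&D", "active", date(2010, 10, 31)),
    HrRecord("E003", "carol@example.com", "ICT", "active", None),
    HrRecord("E004", "dave@example.com", "R&D", "active", None),
]
ACCOUNTS = [
    TargetAccount("alice", "E001", frozenset({"sap_fi_user"}), True),
    TargetAccount("bob", "E002", frozenset({"edm_reader", "sharepoint_rd"}), True),
    TargetAccount("dave", "E004", frozenset({"sap_fi_user"}), True),
    TargetAccount("svc_legacy", None, frozenset({"sharepoint_admin"}), True),
    TargetAccount("eve", "E999", frozenset({"edm_reader"}), True),
]


def run_sample(today: date = date(2010, 11, 3)) -> Plan:
    return reconcile(HR_RECORDS, ACCOUNTS, today)


if __name__ == "__main__":
    print(run_sample())
```

Revocations are emitted before grants so that a mover never holds both the old and the new entitlement at the same time, and leavers are disabled rather than deleted so the audit trail survives. The orphan list is the "check whether identities are in sync" step from the picture; it is where unlinked service accounts and forgotten contractor accounts usually surface.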
Requirements for the authentication process
• It should be as independent as possible of the authentication mechanism in use (smart card, token, mobile phone), but it should support strong / multi-factor authentication (having something and knowing something)
• It could support physical access and logical access in one authentication mechanism / card / token
• External users whom we want to identify personally (rather than only trusting their company, so that everybody from that company can access) should be supported
• Whether working externally or internally, the authentication process and the screen the DSM user sees should be the same
• Business partners' employees, contractors and DSM employees should authenticate in the same way
• The solution should be as general as possible, but DSM should strive to limit the number of authentication protocols
End Goal for Authentication & Single Sign On
• A single experience for employees and business partners in accessing in-house applications and outsourced functions
• One mainstream identity that is recognized by every application
(Diagram: Enterprise A, Enterprise B and Enterprise C linked through user interaction, web based interaction and web service invocation.)
Moving towards an Open Enterprise
• Web SSO / Enterprise WAM SSO for internal applications: E-business, SAP, EDM
• SSO protocol stack:
  1. SAML claims authentication
  2. WS-Federation
  3. RADIUS
  4. Kerberos (internal)
• Cloud SSO: SaaS applications, OpenID, LiveID, Google (STS), Windows (STS)
Access and Authentication, a simplified picture (diagram of the access and authentication landscape evolving over time)
Example: SharePoint 2010
Three access scenarios, each column widening the reach of the previous one:
• User type: DSM employee or 3rd party hired by DSM | DSM employee or 3rd party hired by DSM | 3rd party not hired by DSM
• Directory service: DSM Directory | DSM Directory | Extranet Directory
• Device: DSM workstation | Any device | Any device
• Location: Internal / VPN | Internet | Internet
• Authentication: SSO | (Strong) authentication, user name / password | Federation, user name / password
• Applications: All authorized Intranet applications | Team Sites, My Site | Team Sites, Presentation
Roadmap steps across the columns: gradual addition of devices; roll-out of SSO / federation; gradual addition of (cloud) services; roll-out of Identity Management and Data Protection.
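The SAML claims step of the protocol stack above, and the "federation over the Internet, from any device" column of the SharePoint matrix, as an added example of the checks a service provider must make on an incoming bearer assertion before it grants single sign-on. This is added here and is not code from the deck or from DSM: the entity IDs, endpoint URLs, the accepted authentication-context classes and the sample assertion are constructed assumptions. The signature is only checked for presence, because verifying the XML-DSig against the IdP certificate needs an XML security library that the Python standard library does not provide.

```python
"""Service-provider side checks on a SAML 2.0 bearer assertion (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed federation configuration of the SP (hypothetical names, not DSM's).
SP_ENTITY_ID = "https://sharepoint.example.com/sp"
ACS_URL = "https://sharepoint.example.com/acs"
TRUSTED_IDP = "https://idp.example.com/idp"
CLOCK_SKEW = timedelta(minutes=3)
# AuthnContext classes this SP accepts as strong ("having something") authentication.
MFA_CONTEXTS = {"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
                "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"}


def parse_time(value: str) -> datetime:
    # SAML timestamps are UTC xs:dateTime, with or without fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad SAML timestamp %r" % value)


@dataclass
class Verdict:
    ok: bool
    subject: Optional[str]
    authn_context: Optional[str]
    errors: List[str]


def validate_assertion(xml_text: str, now: datetime, outstanding_requests: Set[str],
                       require_mfa: bool = False) -> Verdict:
    errors: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return Verdict(False, None, None, ["root element is not saml:Assertion"])
    # 1. Only the IdP we federated with may assert identities to us.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != TRUSTED_IDP:
        errors.append("untrusted issuer %r" % issuer)
    # 2. Presence check only; a real SP verifies the enveloped XML-DSig against
    #    the IdP certificate with an XML security library (e.g. xmlsec).
    if root.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")
    # 3. Validity window and audience, tolerating IdP/SP clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now + CLOCK_SKEW < parse_time(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if SP_ENTITY_ID not in audiences:
            errors.append("assertion is not addressed to this SP")
    # 4. Bearer confirmation must name our ACS endpoint and an AuthnRequest we
    #    issued; this is what stops replay and assertions redirected from another SP.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            errors.append("Recipient is not our assertion consumer service")
        if scd.get("InResponseTo") not in outstanding_requests:
            errors.append("InResponseTo does not match an outstanding AuthnRequest")
        if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_time(scd.get("NotOnOrAfter")):
            errors.append("subject confirmation expired")
    # 5. Authentication strength as reported by the IdP: services that require
    #    strong authentication must refuse a password-only context.
    ctx = (root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                         default="", namespaces=NS) or "").strip()
    if require_mfa and ctx not in MFA_CONTEXTS:
        errors.append("strong authentication required, IdP reported %s" % (ctx or "none"))
    subject = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    return Verdict(not errors, subject, ctx or None, errors)


# Constructed sample assertion; the signature value is a placeholder, not a real one.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2010-11-03T10:00:00Z">
 <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
 <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sharepoint.example.com/acs"
    NotOnOrAfter="2010-11-03T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2010-11-03T09:59:00Z" NotOnOrAfter="2010-11-03T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sharepoint.example.com/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2010-11-03T10:00:00Z"><saml:AuthnContext><saml:AuthnContextClassRef>
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""
```

With `now` at 10:01 the sample passes for a Team Site that accepts a password login, but fails with `require_mfa=True`, which is the "(strong) authentication from any device" column: the SP cannot raise the assurance level itself, it can only refuse the assertion and send the user back to the IdP with a stronger requested context. The `InResponseTo` and `Recipient` checks are the ones most often left out of home-grown SP code and are what keep an assertion issued for one application from being replayed against another.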
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
• Key takeaways
Key takeaways
• Delivery of the business strategy through good enterprise architecture
• Internet Centric as a core principle
• Old security requirements and measures conflict with, or are unclear for, internet centric working, collaboration and innovation, and need to be updated
• It is a continuous, evolutionary process
• I&AM is an essential part
• You need to change culture (new WOW) as well