Stephan Hendriks, Eric IJpelaar - Identity & Access Management in the cloud
Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
7,133
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
29
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. DSM ICT. Not to be used in any other publication except with explicit approval of the presenters. Identity & Access Management in the cloud. Stephan Hendriks, Eric IJpelaar. November 3, 2010. (Actual photo of Dubai City, taken from atop the Burj Tower.)
  • 2. Agenda
      • Setting the scene
          • Who are we?
          • Define the topics
          • Getting to know DSM
      • The challenge
      • The approach
      • The solution
      • Key takeaways
  • 3. Stephan Hendriks
  • 4. Eric IJpelaar
  • 5. What is Cloud Computing?
      • Wikipedia: you can search yourself
      • ENISA report: cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technology
          • Highly abstracted resources
          • Near-instant scalability and flexibility
          • Near-instantaneous provisioning
          • Shared resources (hardware, database, memory)
          • Service on demand, usually with a "pay as you go" billing system
      • Cloud Security Alliance view: service model (SaaS, PaaS or IaaS) combined with deployment model (shared or dedicated, external or internal)
  • 6. What is Identity and Access Management?
      • DSM definition: the business processes, policies (including enforcement of these policies) and technologies that enable organizations to provide the right people with the right access at the right time to applications and resources, while protecting confidential, personal and business information against unauthorized users.
  • 7. DSM is everywhere
  • 8. Focus on Life Sciences and Materials Sciences (figure). Life Sciences: Nutrition, Pharma. Materials Sciences: Performance Materials, Polymer Intermediates. Also: EBAs. Themes: Health and Wellness, Climate and Energy, Functionality and Performance, Emerging Economies.
  • 9. DSM Mission
  • 10. The planet is our Care™. Hidden Hunger, a global challenge. Definition: enough calories to stay alive, but not enough vitamins and minerals to be mentally and physically healthy. Over 2 billion people affected worldwide, claiming 10 million lives every year. Recognition, involvement, partnering: Business Nutrition Improvement Program.
  • 11. Innovation is our Sport™. DSM Composite Resins, Olympic sailing 470 class racing dinghy: stiffness +120%, strength +200%, 2,5% less weight; silver for Berkhout and de Koning! Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months of market introduction!
  • 12. DSM ICT BV: organisation and governance, some figures
      • Locations: Singapore, Basel, Sittard, New York, Sao Paulo, Shanghai
      • DSM-ICT organization: employees 500+; nationalities 15; affiliate locations 6
      • Services: sites 230; countries 48; end-user workstations 19.000; SAP users 10.000; business applications ca. 1600
      • World-wide centralized ICT organization; BG ICT spending ~90% by DICT; high level of standardization
      • Total DSM employees: 23000
  • 13. Agenda
      • Setting the scene
      • The challenge
          • The new Strategic Vision
          • The new Process Model
          • The architecture balancing act
      • The approach
      • The solution
      • Key takeaways
  • 14. The new strategic vision: entering a new era of growth. DSM in motion: driving focused growth. Life Sciences and Materials Sciences addressing key global trends and exploiting cross-fertilization in One DSM.
      • High Growth Economies: from reaching out to becoming truly global
      • Innovation: from building the machine to doubling the output
      • Acquisitions & Partnerships: from portfolio transformation to growth
      • Sustainability: from responsibility to business driver
      • Nutrition: continued value growth
      • Pharma: leveraging partnerships for growth
      • Perf Mat: growing via innovative sustainable solutions
      • Pol Int: strengthening backward integration for DEP
      • EBAs: building new growth platforms
  • 15. The necessity of change
      • Better information and knowledge sharing
      • Improving collaboration inside and outside the enterprise (e.g. federation)
      • Efficiency in our work
      • Anticipating organizational change and growth (agility)
      • Quick onboarding of mergers and acquisitions
      • Impacting … people / behaviors, processes, information management, tools
  • 16. The new DSM Process Model: Apollo 2.0
      • Aligning the Business Process Model with the "new DSM"
  • 17. The balancing act in platform management …
      • Speed in delivering new functionality
      • Divestments / M&A
      • Complex IT platform with many components
      • End-to-end testing and documenting
      • Standard versus harmonized versus local
      • Impact assessment of changes
      • Project dependencies
      • Insight into business controls & compliance
  • 18. Agenda
      • Setting the scene
      • The challenge
      • The approach
          • Architecture as structure
          • Internet Centric
      • The solution
      • Key takeaways
  • 19. Critical success factors require good enterprise architecture (architecture as structure; TOGAF)
      • Many people involved, 1 approach
      • Create buy-in with all stakeholders
      • End to end
      • Roadmap-based incremental implementation
      • Each step needs to have a business need
  • 20. Top-down translation of the strategy to the Business Model
      • Translate the business strategy into a Business Model / Business Priorities Guide
      • DSM: information plans per Business Group as input
      • Incremental delivery in 1½ - 2 years
  • 21. IT Platform Management
      • From Business Model / Business Priorities Guide to Platform Discussion Guide
      • All consolidated Platform Discussion Guides are translated into an integral ICT Roadmap
      • Platform development follows and supports the business priorities
  • 22. Architecture principles as guideline (Business Strategy, IT Strategy)
      • Design principles: 1. Standardization 2. Simplification 3. Consolidation & Centralization 4. Evolutionary implementation 5. Independent Service Blocks 6. Minimize on-site support 7. DSM Ownership 8. Portability 9. Information Oriented 10. Data is an asset
      • Visionary principles: Internet Centric; Cloud Computing/Utilization; Consumerization; Agility
  • 23. Explanation of the visionary principles
      • Internet Centric: using Internet technology to connect end-nodes, and striving for zero-footprint end-user devices.
      • Cloud Computing/Utilization: on-demand services that can be charged based on usage.
      • Consumerization: consuming services with any tool, any product or any device that is common in the ICT consumer market.
      • Agility: dynamic services that can be added, changed or removed easily and fast.
  • 24. The core principle 'Internet Centric' visualized (figure: non-trusted computer, trusted PDA, trusted smartphone, trusted desktop and trusted laptop connecting to the DSM Data Center and a SaaS provider; connectivity based on Internet technology)
  • 25. Taking into account security risks & legal requirements
      • Moving to the consumer market means:
          • Brand & intellectual property protection becomes more important
          • Reputation damage has a bigger influence on shares and sales
          • FDA and other regulations become more important
      • Changing the use of ICT means ensuring the level of trust:
          • Person/identity: be sure that the user is the person he/she claims to be
              • Multi-factor authentication: e.g. a digital certificate on a token, or derived from an authentication action (e.g. iris scan)
          • Device/end-node: be sure that the connected device is OK
              • Certificate for DSM end-user devices
              • Certificates for end-nodes/servers
          • Application: be sure that the application is the approved one for DSM
              • Check that it is a trusted DSM application with the correct certificate licenses
          • Data: be sure you can trust the (integrity of the) data
              • Data access control
              • Encryption
              • Enterprise Rights Management
  • 26. Agenda
      • Setting the scene
      • The challenge
      • The approach
      • The solution
          • Integrated Roadmap
          • Identity & Access Management
          • Example: SharePoint 2010
      • Key takeaways
  • 27. Integrated Roadmap (key projects), from today towards new generation ICT: Next Generation Network; Identity & Access Management; Enterprise Search; New Workplace; Business Process Management; SharePoint 2010; EDM; Data Protection; Site Server Redesign; HR System of Record; IRM/DRM; Master Data Management
  • 28. Identity and Access Management in the Cloud: an important element in an integrated roadmap towards a new generation ICT, next to a culture change / new WOW program
  • 29. Objectives for the IAM solution (objectives, from, to)
      • Objective: support the Internet Centric vision and SaaS computing.
          • From: different credential management and authentication methods for different applications, and no secure authentication data transfer over the internet to get access to SaaS applications.
          • To: common security / regulatory compliant processes and tools that support secure uniform data transfer for authentication over the internet.
      • Objective: comply with security and regulatory requirements.
          • From: different credential management and authentication methods for different applications; lack of visibility and control over access policies and use.
          • To: common security / regulatory compliant processes and tools; low-cost, easy-to-deploy strong authentication when needed; centrally managed policy-based access controls.
      • Objective: reduce development and operational costs.
          • From: application-specific implementations for identity and account management and access control; multiple components requiring complex (custom) integration.
          • To: a single platform for common functionality (e.g. web access management); an integrated IAM platform based on out-of-the-box tooling.
      • Objective: ease of use / simplicity for all users (internal and external) who interact with DSM.
          • From: network-based access controls; multiple user ids/passwords for different applications; no service-based concepts (SOA / BPM).
          • To: identity-based access any time, anywhere to applications and services in the DSM network or internet domain; single sign-on based on common credentials for internal and external users; federated access/SSO to SaaS solutions.
      • Objective: integrated IAM process and tools (efficient and effective response to new/changed users).
          • From: fragmented identity management systems with separation of internal / external; multiple manual steps required for creation and maintenance of identities and accounts; unreliable procedures for revoking access on employee termination.
          • To: integration of internal and external identities in one process; automated process for user provisioning / de-provisioning to the main business applications.
  • 30. Identity & Access Management, a simplified picture (figure; recoverable labels below)
      • 1. Tactical: Identity & Access Model Management. Access modeling: User vs. Role, Roles vs. Rights.
      • 2a. Operational User Management: request form / new user 'form', approval process.
      • 2b. Provisioning: User vs. Rights, into the Target Systems.
      • 3a. Use: users / admins authenticate with credentials (e.g. username / password); authorization & 'use' in the Target Systems.
      • 4. HR Systems: DSM employee management (new staff, retirement, resignation, transfer) feeding the Identity & Access Store; check if identities are in sync.
      • What are the drivers for the business to quickly remove leavers and add joiners! Who is responsible for which data field!
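Slides 29 and 30 both come down to one control: the HR system of record drives the identity & access store, and a periodic check flags identities that are out of sync (leavers still enabled, orphan accounts, joiners without an account). The following is an added example, not DSM's code: the HR feed, the store, the field names and the rights are all constructed to show the reconciliation step in working form.

```python
"""Joiner/leaver reconciliation between an HR system of record and an
identity & access store.  Added example, not DSM's code: the records,
field names and rights below are all constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed (constructed shape)."""
    employee_id: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # contract end, if known


@dataclass
class Account:
    """One entry in the identity & access store (constructed shape)."""
    employee_id: str
    enabled: bool
    rights: Set[str] = field(default_factory=set)


# Constructed sample data: HR is the system of record for who exists.
HR_FEED: List[HrRecord] = [
    HrRecord("E100", "active"),
    HrRecord("E200", "terminated", date(2010, 10, 29)),   # leaver
    HrRecord("E300", "active", date(2010, 12, 31)),       # contractor, still valid
    HrRecord("E400", "active"),                           # joiner, no account yet
]
IDENTITY_STORE: Dict[str, Account] = {
    "E100": Account("E100", True, {"sharepoint", "sap"}),
    "E200": Account("E200", True, {"sharepoint"}),        # still enabled: must go
    "E300": Account("E300", True, {"sharepoint"}),
    "E999": Account("E999", True, {"sap"}),               # no HR record at all
}

Action = Tuple[str, str, str]  # (verb, employee_id, reason)


def reconcile(hr_feed: List[HrRecord], store: Dict[str, Account],
              today: date) -> List[Action]:
    """Compare HR against the store and return the actions needed to sync them."""
    hr_by_id = {r.employee_id: r for r in hr_feed}
    actions: List[Action] = []
    # Leavers and orphans: anything still enabled in the store that HR no longer backs.
    for emp_id, acct in store.items():
        if not acct.enabled:
            continue
        rec = hr_by_id.get(emp_id)
        if rec is None:
            actions.append(("disable", emp_id, "orphan: no HR record"))
        elif rec.status == "terminated" or (rec.end_date and rec.end_date < today):
            actions.append(("disable", emp_id, "leaver"))
    # Joiners: active in HR but not yet present in the store.
    for rec in hr_feed:
        if rec.status == "active" and rec.employee_id not in store:
            actions.append(("provision", rec.employee_id, "joiner"))
    return sorted(actions)


def apply_actions(store: Dict[str, Account], actions: List[Action]) -> Dict[str, Account]:
    """Apply the actions in place.  Disabling also strips every right, and a
    new joiner starts with no rights until a role is assigned (User vs. Role)."""
    for verb, emp_id, _reason in actions:
        if verb == "disable":
            store[emp_id].enabled = False
            store[emp_id].rights.clear()
        elif verb == "provision":
            store[emp_id] = Account(emp_id, True)
    return store


def demo_actions() -> List[Action]:
    """Run the reconciliation on the constructed data as of 3 November 2010."""
    return reconcile(HR_FEED, IDENTITY_STORE, date(2010, 11, 3))


if __name__ == "__main__":
    for action in demo_actions():
        print(action)
```

The reconciliation is written as a pure function that returns actions rather than applying them directly, so the list can be reviewed, logged and approved (slide 30's approval process) before `apply_actions` touches the store; running `demo_actions` again after applying should return an empty list, which is the "identities are in sync" check.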
  • 31. Requirements for the authentication process
      • It should be as independent as possible of the authentication mechanism you are using (smart card, token, mobile phone), but should support strong/multi-factor authentication (having something and knowing something)
      • Could support physical access and logical access in one authentication mechanism / card / token
      • External users whom we want to identify personally (not only trusting the company, so that everybody of the company can access) should be possible
      • When working externally or internally, the authentication process and the screen the DSM user will see should be the same
      • Business partners' employees, contractors, and DSM employees should authenticate in the same way
      • The solution should be as general as possible, but DSM should strive to limit the number of authentication process protocols
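The first requirement above, "having something and knowing something" behind a mechanism-independent process, is easiest to see in code. The following is an added example and not DSM's code: the knowledge factor is a salted PBKDF2 password hash, the possession factor is a TOTP token (RFC 6238 over RFC 4226 HOTP, the scheme used by phone authenticator apps, here standing in for any token), and the user record, password and token secret are constructed. Only the `authenticate` interface is what the application sees, so the possession factor could be swapped for a smart card or certificate check without changing callers.

```python
"""Two-factor authentication: something you know (a password) plus something
you have (a TOTP token, RFC 6238).  Added example, not DSM's code; the user
record, password and token secret are constructed, and the TOTP token is one
possible possession factor behind the same authenticate() interface."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, at // step, digits)


def verify_otp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current window plus `window` steps either side for clock drift."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: only a salted, iterated hash of the password is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, otp_secret: bytes) -> Dict[str, bytes]:
    """Enrol a user: fresh random salt, password hash, and the token's shared secret."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "otp_secret": otp_secret}


# Constructed user store: one user with a registered token (secret from RFC 4226's test vectors).
USERS: Dict[str, Dict[str, bytes]] = {
    "stephan": make_user("correct horse battery staple", b"12345678901234567890"),
}
# Dummy record so that unknown usernames cost the same time as real ones.
_DUMMY = make_user("", b"dummy-secret")


def authenticate(username: str, password: str, otp: Optional[str], at: int) -> bool:
    """Both factors must pass; a missing or stale OTP fails even with the right password."""
    user = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = otp is not None and verify_otp(user["otp_secret"], otp, at)
    return username in USERS and pw_ok and otp_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(b"12345678901234567890", now)
    print("login with both factors:", authenticate("stephan", "correct horse battery staple", code, now))
```

Note the drift window in `verify_otp`: one step either side keeps logins working when the token's clock is a little off, while a code from two or more windows back is rejected, which bounds how long an intercepted code stays usable. The same shape (a `verify_*` per factor, all-or-nothing in `authenticate`) is what keeps the process independent of the mechanism, as the requirement asks.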
  • 32. End goal for Authentication & Single Sign-On
      • A single experience for employees and business partners in accessing in-house applications and outsourced functions
      • One mainstream identity that is recognized by every application
      • (figure: Enterprise A, Enterprise B, Enterprise C; user interaction, web-based interaction, web service invocation)
  • 33. Moving towards an Open Enterprise (figure; recoverable labels below)
      • Web SSO / WAM, Enterprise SSO, Cloud SSO, Claims Authentication
      • Applications: E-business, SAP, EDM, SaaS applications
      • External identity providers: OpenID / Google (STS), LiveID / Windows (STS)
      • Protocol stack: 1. SAML 2. WS-Federation 3. RADIUS 4. Kerberos (internal)
  • 34. Access and Authentication, a simplified picture (figure: a timeline; no further text recoverable)
  • 35. Example - SharePoint 2010 (table: user type / directory service, device, location, authentication, presentation)
      • DSM Directory: DSM employee or 3rd party hired by DSM
          • DSM workstation, internal / VPN, SSO
          • Any device, intranet, user name / password
          • Presentation: Team Sites, My Site
      • Extranet Directory: 3rd party not hired by DSM
          • Any device, Internet, user name / password
          • Presentation: Team Sites
      • Roadmap: all authorized applications; gradual addition of devices; gradual addition of (cloud) services; roll-out of SSO / federation / (strong) authentication; roll-out of Identity Management and Data Protection
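Slide 33's "claims authentication" and slide 35's two directories fit together as follows: a security token service (STS) for each directory signs a set of claims about the user, and SharePoint, as the relying party, checks the signature, the issuer, the audience and the validity window before making any authorization decision on the claims. The following is an added example, not DSM's or Microsoft's code: the token format is a minimal HMAC-signed JSON rather than SAML or WS-Federation, and the STS names, keys, claim names, lifetime and site lists are constructed (the site lists follow slide 35's rows).

```python
"""Claims-based authentication for a relying party such as SharePoint 2010:
an STS signs claims, the application verifies them, then authorizes on them.
Added example, not DSM's or Microsoft's code.  The token format is a minimal
HMAC-signed JSON (not SAML / WS-Federation); STS names, keys, claim names and
the site lists are constructed for illustration."""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed trust configuration: one shared key per trusted STS, as the
# relying party would hold after federation set-up.  Unknown issuers are rejected.
TRUSTED_ISSUERS: Dict[str, bytes] = {
    "dsm-directory-sts": b"constructed-internal-key",
    "extranet-directory-sts": b"constructed-extranet-key",
}
AUDIENCE = "sharepoint-2010"   # this relying party's identifier (constructed)
TOKEN_LIFETIME = 600           # seconds (constructed)

# Which directory's users may reach which SharePoint areas (after slide 35).
SITES_BY_ISSUER = {
    "dsm-directory-sts": {"team-sites", "my-site"},
    "extranet-directory-sts": {"team-sites"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_token(issuer: str, subject: str, now: int, key: Optional[bytes] = None) -> str:
    """STS side: serialize the claims and sign them.  `key` overrides the
    configured key only so that a token signed with the wrong key can be tested."""
    claims = {"iss": issuer, "sub": subject, "aud": AUDIENCE,
              "nbf": now, "exp": now + TOKEN_LIFETIME}
    payload = json.dumps(claims, sort_keys=True).encode()
    key = key if key is not None else TRUSTED_ISSUERS[issuer]
    return _b64(payload) + "." + _sign(payload, key)


class TokenError(ValueError):
    """Raised with the reason a token was rejected."""


def validate_token(token: str, now: int) -> Dict[str, Any]:
    """Relying-party side: return the claims, or raise TokenError."""
    try:
        payload_b64, sig = token.split(".")
        payload = _unb64(payload_b64)
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(claims, dict):
        raise TokenError("malformed token")
    # The issuer claim is read unverified only to select the key; nothing else
    # in the token is trusted until the signature has been checked.
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise TokenError("untrusted issuer")
    if not hmac.compare_digest(_sign(payload, key), sig):
        raise TokenError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    try:
        in_window = claims.get("nbf", 0) <= now < claims.get("exp", 0)
    except TypeError as exc:
        raise TokenError("malformed token") from exc
    if not in_window:
        raise TokenError("outside validity window")
    return claims


def check_token(token: str, now: int) -> str:
    """'ok' or the rejection reason, for logging and for the tests below."""
    try:
        validate_token(token, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def may_access(token: str, site: str, now: int) -> bool:
    """Authorize on the issuer of a validated token: which directory vouched for the user."""
    try:
        claims = validate_token(token, now)
    except TokenError:
        return False
    return site in SITES_BY_ISSUER.get(claims["iss"], set())
```

The order of checks in `validate_token` is the point: signature before any claim is believed, then audience (a token issued for another application must not be accepted here), then the validity window. Authorization by issuer is the simplest form of what slide 35 tabulates; a real deployment would carry group or role claims in the token and decide on those.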
  • 36. Agenda
      • Setting the scene
      • The challenge
      • The approach
      • The solution
      • Key takeaways
  • 37. Key takeaways
      • Delivery of the business strategy through good enterprise architecture
      • Internet Centric as a core principle towards collaboration and innovation
      • Security requirements/measures currently in use conflict with, or are unclear for, internet-centric working, collaboration and innovation, and need to be updated
      • It is a continuous evolutionary process
      • I&AM is an essential part
      • You need to change the culture (new WOW) as well