T-Systems. Automating ForgeRock Full Stack Deployments to a Magenta Cloud.
1. Telekom Security: Id Security
Automating ForgeRock Deployments to a Magenta Cloud
- Peter Weik -
2. Three Disciplines of Today's Identity & Access Management
Consumer IAM (B2C)
- User centric digital identities
- Social logins & user profiles
Enterprise IAM (B2E/B2B)
- Domain centric digital identities
- Identity & Access Governance
- B2B federations with partners & suppliers
Internet of Things IAM (B2T)
- Service centric digital identities
- Non-human identities & API security
3. The Modern IAM Ecosystem
[Diagram: Identity & Access Management in the center, connecting the identity types Things, Consumers, Employees, Partners, Mobile Workforce and Privileged Users with the resources they access: On-Premise/Private Cloud (Applications, Data, Office workspace, User directory), Software as a Service, and Cloud Platforms & Web Services]
4. Delivery Models for Cloud Based Identity & Access Mgmt
Identity as a Service
- Multi-tenant IAM offering delivered as Software as a Service in a Public Cloud.
- Weak integration with existing IAM deployments in the customer domain.
- Focus on single sign-on and identity federation.
- Limited functionality with regards to authentication and identity management.
- Operation and data storage typically in the US; very few providers operate in Germany as well.
- Public pricing information available; usage- or user-based pricing models.
Managed IAM Service
- Application outsourcing of an IAM product within a Private Cloud, offered as a managed service.
- Strong integration with existing IAM deployments in the customer domain possible.
- Full IAM functionality available (depending on the IAM product used); focus on IdM customizations.
- Operation and data storage depend on customer requirements and the data center locations of the service provider.
- No public pricing information available; time & material based quotes are common.
5. “Cloudification Grades” of Identity & Access Mgmt
[Diagram: four cloudification grades arranged along two axes, Private Cloud to Public Cloud and Managed Service to Un-managed Service]
- Hosted IAM Solution: one individual IAM instance per customer with dedicated IT resources (separate hardware and OS per IAM instance).
- Virtualized IAM Instances: one individual IAM instance per customer with virtualized IT resources (shared hardware; one VM with its own OS per IAM instance).
- Virtualized & Containerized IAM Services: individual IAM instances per customer with virtualized IT resources and containerized IAM (shared hardware; VM(s) with their own OS per tenant, each running a containerized IAM instance).
- Multi-tenant IAM as a Service: one standard IAM SaaS instance for all tenants in a Public Cloud (one hardware/OS/IAM instance shared by all tenants).
7. “Cloudification Grade” of Identity Protect Pro
[Diagram: the same four cloudification grades (Hosted IAM Solution, Virtualized IAM Instances, Virtualized & Containerized IAM Services, Multi-tenant IAM as a Service) with Identity Protect Pro marked on the chart; slide 11 shows it as Virtualized & Containerized IAM Services]
8. Identity Protect Pro
[Diagram: Identity Protect Pro, Identity & Access Management from the Cloud (Identity Management and Access Management, “powered by” a vendor logo), connecting Enterprise A and Enterprise B (each with Applications, Data, Office workspace and User directory), a Partner and a Nomadic Worker with the cloud services Office 365, Google, Box, Salesforce and a Private Cloud]
10. Identity Protect Pro: The IAM Software Instance
[Diagram: a vApp “IAM Instance” consisting of an Application Layer (VM AS01, VM AS02) and a Database Layer (VM DB01, VM DB02); each VM runs an OS firewall (OSFW), the vApp is protected by vApp firewalls (vApp FW), and it is attached to two networks, AppNet Web-Frontend and AppNet Operation]
11. Identity Protect Pro: A Managed IAM Service with Tooling
Remarks
- Configuration management by means of Subversion for the management of customer configurations within a central repository and support of lifecycle measures for existing customer configurations that are already operational.
- Deployment of standardized IAM software bundles (incl. required middleware) by means of Docker.
- A private Docker repository eases the provisioning of patches and updates for all customer instances.
- Usage of T-Systems DSI vCloud (VMware based IaaS offering) for the realization of virtual data centers for Identity Protect Pro.
- IT automation and orchestration of deployments (software and configurations) by means of Ansible.
[Diagram: Virtualized & Containerized IAM Services, i.e. individual IAM instances per customer with virtualized IT resources and containerized IAM: shared hardware; VM(s) with their own OS per tenant (Tenant 1, Tenant 2, … Tenant x), each running a containerized IAM instance with the tenant's own Config & Data]
Tools
ForgeRock’s Identity Platform supports the required separation of IAM executables, IAM data and IAM configurations.
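The separation described in the remarks above, as an added example that is not part of the deck nor of T-Systems' or ForgeRock's tooling: a small Python planner, in the role the Ansible playbook plays in the described setup, that derives one container run per tenant from a single digest-pinned IAM bundle image in a private registry (the executables), mounts each tenant's repository-managed configuration read-only and its identity data read-write, and checks that no tenant runs a different patch level, an unpinned image, or another tenant's config or data. Registry host, bundle name, host and container paths, tenant ids and the digest are all hypothetical or constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical values (not from the deck): private registry host, bundle name.
REGISTRY = "registry.iam.example.internal"
IMAGE = "iam-bundle"                                  # IAM software incl. middleware
TENANT_RE = re.compile(r"^[a-z][a-z0-9-]{1,30}$")      # keeps tenant ids path-safe
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class TenantSpec:
    tenant: str
    image_ref: str      # executables: the same digest-pinned image for every tenant
    config_path: str    # host directory with this tenant's checked-out configuration
    config_mode: str    # "ro": config changes go through the repository, not the container
    data_path: str      # host directory with this tenant's identity data
    data_mode: str      # "rw": the running IAM instance owns its data


def plan(tenants, digest, base="/srv/iam"):
    """One spec per tenant; all tenants share one image pinned by digest."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"image must be pinned by sha256 digest, got {digest!r}")
    specs = []
    for t in tenants:
        if not TENANT_RE.match(t):
            raise ValueError(f"unsafe tenant id {t!r}")
        specs.append(TenantSpec(
            tenant=t,
            image_ref=f"{REGISTRY}/{IMAGE}@{digest}",
            config_path=f"{base}/{t}/config", config_mode="ro",
            data_path=f"{base}/{t}/data", data_mode="rw",
        ))
    return specs


def validate(specs):
    """Return findings that break the executables/config/data separation; [] means clean."""
    findings = []
    if len({s.image_ref for s in specs}) > 1:
        findings.append("tenants run different images; patch levels would diverge")
    owner = {}  # host path -> tenant that mounts it
    for s in specs:
        if not s.image_ref.startswith(REGISTRY + "/"):
            findings.append(f"{s.tenant}: image not from the private registry")
        if "@sha256:" not in s.image_ref:
            findings.append(f"{s.tenant}: image not pinned by digest (mutable tag)")
        if s.config_mode != "ro":
            findings.append(f"{s.tenant}: configuration mounted writable")
        if s.data_mode != "rw":
            findings.append(f"{s.tenant}: data mounted read-only")
        for label, path in (("config", s.config_path), ("data", s.data_path)):
            if f"/{s.tenant}/" not in path:
                findings.append(f"{s.tenant}: {label} path outside the tenant directory")
            if path in owner and owner[path] != s.tenant:
                findings.append(f"{s.tenant}: shares {path} with {owner[path]}")
            owner[path] = s.tenant
    return findings


def docker_args(spec):
    """Render the `docker run` argument list a deployment playbook would issue.
    Container-side paths /opt/iam/config and /opt/iam/data are assumptions."""
    def mount(src, dst, mode):
        m = f"type=bind,src={src},dst={dst}"
        return m + ",readonly" if mode == "ro" else m
    return [
        "docker", "run", "-d", "--name", f"iam-{spec.tenant}",
        "--mount", mount(spec.config_path, "/opt/iam/config", spec.config_mode),
        "--mount", mount(spec.data_path, "/opt/iam/data", spec.data_mode),
        spec.image_ref,
    ]


if __name__ == "__main__":
    # Constructed input: two tenant ids and a placeholder digest.
    demo = plan(["tenant1", "tenant2"], "sha256:" + "ab" * 32)
    print("findings:", validate(demo))
    for s in demo:
        print(" ".join(docker_args(s)))
```

Rolling out a patch then means changing the single digest in `plan` and re-running the deployment for every tenant, while a tenant's configuration is only ever changed through the repository checkout that the container sees read-only; `validate` is the pre-deployment gate that refuses a layout where those two rules, or the per-tenant data separation, no longer hold.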
12. Peace of mind – now and future
Access to skilled IAM experts; compliance with international standards; deployment of the latest technologies and mechanisms.
Identity Protect Pro: Identity & Access Mgmt delivered as Managed Service from a Magenta Cloud
Availability: The solution is delivered from a high-availability Telekom/T-Systems data center – for minimum downtime.
Protection of investments: Identity Protect Pro complements your existing IAM infrastructures, providing staff with secure access to cloud applications.
Convenience: Employees can request access rights via self-service workflows, and single sign-on increases staff productivity.
Cost savings: Identity Protect Pro is charged on a demand-driven basis – so you only pay for the resources you actually need.
Cost-efficiency: Lower up-front investment compared to local IAM solutions (OPEX replaces CAPEX).
Security: Identity Protect Pro is operated in a highly secure data center of Telekom/T-Systems in line with German data protection legislation.
Speed: The deployment of high-performance hardware and broadband network connections enables fast IAM transactions.
Scalability: Identity Protect Pro can be tailored to meet your specific day-to-day requirements (e.g. number of employees).