Paradigmo specialised in Identity & Access Management
Published in: Technology

  1. Company presentation. Olivier Naveau, Managing Director
  2. Our history of IAM
  3. Access control is on top of the priority list! As stated by Deloitte in their GFSI Security Survey, top external audit findings are about excessive access rights, segregation of duties and access control compliance. http://
  4. Why does access control remain difficult? Objectives: Who are my users? What do they have access to? Are these accesses legitimate? Landscape: business applications are developed in silos, whereas IAM implies horizontal integration; multiplication of the number of users and of the number of applications; evolving landscape: cloud, mobile, social, compliance, liability.
  5. Identity & Access Management: a structured approach
  6. Structured approach of Identity & Access Mgmt: 1. Data model; 2. Functions & Processes; 3. Key components; 4. Business values
  7. 1. Data model: administer IAM data
     • Identity data: Identities; Attributes (contractual status, dates, job description, location); Manager; Organization; Accounts
     • Access data: Business roles; Technical roles (or profiles); Applications; Entitlements; Policies (or access rights) (who, what, what for, condition)
     • Activity data: Authentication requests; Access requests; Changes to Identity data; Changes to Access data
  8. 1. Data model: the power of Brainwave
  9. 2. Identity & Access Management processes: Administer IAM data (Identity data, Access data); Access (or use) IAM data (Authenticate, Authorize, Federate); Control IAM data (Analyse, Audit, Comply)
  10. 2. Identity & Access Management processes
     • Administer IAM data ... is the construction phase of identity, and subsequently providing it with a "personality" by assigning attributes, entitlements, credentials. It provides the create/maintain/retire capabilities of IAM. Administration also provides the platform for intelligence: a means to make sense of the identity and access events.
     • Access (or use) IAM data ... serves as a foundational platform to facilitate authentication and authorization, and the capabilities within them, from single sign-on to entitlements resolution and enforcement of access decisions. Access is the "engine" of IAM that takes identities and their information and uses them to effect.
     • Control IAM data ... generates reports for auditors, provides real-time monitoring for operations and delivers the analytics necessary for analysts and business stakeholders to make intelligent, actionable decisions in the business and in IT.
  11. 3. Key components: People, Processes and Technologies (rely on / support / sustain). Cendio ThinLinc.
  12. 4. Business values: identify and measure KPIs: Efficiency of operations; Effectiveness of security; Enablement of business
  13. Paradigmo's proposal: Identity & Access Management; Identity Intelligence; Virtual Desktop Infrastructure
  14. Paradigmo's proposal is process based: Administer IAM data; Access (or use) IAM data; Control IAM data; Boost user mobility (Cendio ThinLinc)
  15. Administer IAM data: the theory. Account, Rules, Roles, Requests, Attributes, Actions, Objects, Policies, Conditions. Role management, Policy management.
  16. Administer IAM data: a standard use case. Human resources (signaletic attributes); User form (C,U,D), Access form, Mandates; Profiles (coarse-grained, fine-grained); targets: File Share, Active Directory, Microsoft Applications, Databases.
  17. Administer IAM data: Policy Manager. PAP Policy Manager: Applications; Roles; URLs; Business Transactions; Conditions; Coarse-grained access matrix; Fine-grained access matrix. Corporate LDAP (Attributes, Mandates); FAS (Attributes, Mandates); Roles; Policies activation. Scope: ~140 internal applications, ~30 external applications.
  18. Administer IAM data: ABAC implementation. Per Application: Coarse-grained matrix: Roles (LDAP filter) × URL <URL, [GET|POST]> → Allow / Deny, Condition (LDAP filter). Fine-grained matrix: Roles (LDAP filter) × BT <Resource, Action> → Allow / Deny, Condition (LDAP filter). Scope: ~140 internal applications, ~30 external applications.
  19. Access (or use) IAM data: concepts. Identity Provider (IDP), Service Provider (SP), Applications.
  20. Why ForgeRock? (Administer IAM data; Access (or use) IAM data)
     • All-in-one Unified Open Identity Stack
     • Easy to install and to operate: one single process delivers all functions
     • Simple and scalable to cope with Internet scale
     • Simple and flexible to cope with new concepts
     • Support and extensibility capabilities (developer friendly)
     • Subscription model, no cost until the Enterprise build is used in production
  21. Why ForgeRock? (Administer IAM data; Access (or use) IAM data)
     • FedICT delivers Federal Authentication Service (FAS), the reference public IDP service in Belgium, based on OpenAM.
     • FPS Finance delivers AuthN, AuthZ & SSO of internal (~140) and external (~30) applications based on OpenSSO.
     • Toyota implemented AuthN & AuthZ of "things" on OpenAM. For internal apps, the migration is ongoing.
     • Luxair provides AuthN, AuthZ & SSO for home-developed applications using OpenAM.
     • BNP PIP uses OpenDJ to provide central authentication of Unix administrators and users.
     • Clinique Saint-Luc provides AuthN, AuthZ & SSO of commercial applications using OpenAM.
  22. Control IAM data: use cases. Who are my users? What do they have access to? Are these accesses legitimate? How do I communicate on the role structure of my organization? How do I clean up data before an IAM deployment?
  23. Why Brainwave? (Control IAM data)
     • Control oriented approach: it rebuilds the AM theoretical model from <accounts, entitlements>
     • Low footprint on organization: it applies the ETL method for data loading
     • Data model is complete and agnostic
     • BI principles applied to Identity for online investigations or reporting
     • Full history built through successive snapshots
     • Quickly delivers concrete results
  24. Boost user mobility: use cases
     • Provide a feature-rich VDI infrastructure at an optimized cost
     • Provide fast hot-desking. Typically, nurses in hospitals and clinics
     • Support remote sites or home workers
     • Implement 'BYOD' projects
     • Support advanced graphics
     • Optimize performance of Java applications (when there are network latencies)
     • Support Windows and Linux desktops
     • Lower noise level in training rooms
     • Secure sterile environments
  25. Boost user mobility: innovative and cost effective solution. Desktop access, Desktop management, Desktop virtualisation (Cendio ThinLinc)
     • IGEL thin client (Windows or Linux)
     • IGEL UDC (Desktop converter)
     • IGEL UMS (Mgmt suite)
     • HW: Card reader, WIFI
     • SW: PowerTerm, Codec
     • All included in purchase price
     • Desktop and application virtualization
     • Session server, fast hot-desking support
     • Mixed Windows and Linux desktop support
     • Advanced Graphics support
     • Optimized network performance
     • Concurrent licensing, subscription model
  26. Boost user mobility: reference deployment. Project objectives: replace 1200 desktops whilst optimizing costs; support current business requirements, including hot-desking for nurses; build capacity to ease future deployments; support emerging concepts (mobile, cloud…). Project achievements: IGEL Thin Client + IGEL UDC + IGEL UMS; IGEL / Cendio ThinLinc / Smartcard integration; Windows 2012 TS server farm; Cendio ThinLinc multi-client, network optimized technology.
  27. Olivier Naveau, Managing Director. Questions & answers
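The two-level ABAC model of slide 18, as an added example in Python (not Paradigmo's or FPS Finance's code): Roles and Condition cells hold LDAP filters, the coarse-grained matrix is keyed by <URL, method> and the fine-grained matrix by <Resource, Action>, and a request must pass the coarse check before the business-transaction check. The filter parser (a subset of RFC 4515), the deny-overrides combination, and all rule data, attribute names and URLs are constructed assumptions.

```python
# Added example, not Paradigmo's or FPS Finance's code: evaluator for the two-level
# ABAC matrices on the slide; all rule data below is constructed.
def match_filter(flt, attrs):
    """(a=v), (a=*), (&..), (|..), (!..) subset of RFC 4515; values hold no ')'."""
    def parse(i):
        if flt[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if flt[i] in "&|!":
            op, subs, i = flt[i], [], i + 1
            while flt[i] == "(":
                val, i = parse(i)
                subs.append(val)
            if flt[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return {"&": all(subs), "|": any(subs), "!": not any(subs)}[op], i + 1
        j = flt.index(")", i)
        attr, _, wanted = flt[i:j].partition("=")
        have = attrs.get(attr, [])            # every attribute value is a list
        return (bool(have) if wanted == "*" else wanted in have), j + 1
    result, end = parse(0)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return result

# One cell per rule, as on the slide: (Roles filter, target, Allow|Deny, Condition filter or None)
COARSE = [  # coarse-grained matrix, target = <URL, method>
    ("(memberOf=cn=tax-agents,ou=roles,o=corp)", ("/tax/cases", "GET"), "Allow", "(employeeType=internal)"),
    ("(memberOf=cn=tax-agents,ou=roles,o=corp)", ("/tax/cases", "POST"), "Allow", "(mandate=case-handling)"),
    ("(memberOf=cn=contractors,ou=roles,o=corp)", ("/tax/cases", "POST"), "Deny", None),
]
FINE = [  # fine-grained matrix, target = business transaction <Resource, Action>
    ("(memberOf=cn=tax-agents,ou=roles,o=corp)", ("case", "close"), "Allow",
     "(&(mandate=case-handling)(!(employeeType=external)))"),
]

def decide(matrix, user, target):
    """Deny-overrides, default deny; a cell applies when target, Roles and Condition match."""
    effects = {effect for roles, tgt, effect, cond in matrix
               if tgt == target and match_filter(roles, user)
               and (cond is None or match_filter(cond, user))}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"

def authorize(user, url, method, transaction=None):
    """Coarse <URL, method> check first; fine check only when a BT is named."""
    if decide(COARSE, user, (url, method)) != "Allow":
        return "Deny"
    if transaction is not None and decide(FINE, user, transaction) != "Allow":
        return "Deny"
    return "Allow"
```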