Olivier Naveau, Managing Director of the company, presented on identity and access management (IAM). Access control is a top priority for companies according to security surveys. IAM remains difficult due to the growing number of users and applications as well as an evolving landscape including cloud, mobile, social, and compliance needs. The presentation outlined a structured approach to IAM including administering identity data, key IAM processes, technologies, and identifying business value metrics. Paradigmo's proposal takes a process-based approach utilizing ForgeRock's identity platform and Brainwave for identity intelligence.

1. Company
presenta-on
Olivier
Naveau
Managing
Director

2. 2
Our
history
of
IAM

3. 3
Access
control
is
on
top
of
priority
list!
As
stated
by
Deloi.e
in
their
GFSI
Security
Survey,
top
external
audit
findings
are
about
excessive
access
rights,
segrega>on
of
du>es
and
access
control
compliance.
h.p://www.deloi.e.com/gfsi/securitysurvey

4. 4
Why
access
control
remains
difficult?
Who are my users?
What do they have access to?
Are these accesses legitimate?
Objectives
Landscape
Business applications are developed in
silos. IAM implies horizontal integration.
Multiplication of # of users and
of # of applications.
Evolving landscape: cloud, mobile, social,
compliance, liability

5. Iden-ty
&
Access
Management
A
structured
approach

6. 6
Structured
approach
of
Iden-ty
&
Access
Mgmt
1. Data
model
2. Func>ons
&
Processes
3. Key
components
4. Business
values
6

7. 7
1.
Data
model:
administer
IAM
data
Identity data
• Identities
• Attributes
(contractual status, dates, job description,
location)
• Manager
• Organization
• Accounts
Access data
• Business roles
• Technical roles (or profiles)
• Applications
• Entitlements
• Policies (or access rights)
(who, what, what for, condition)
Activity data
• Authentication requests
• Access requests
• Changes to Identity data
• Changes to Access data

8. 8
1.
Data
model:
the
power
of
Brainwave

9. 9
2.
Iden-ty
&
Access
Management
processes
Administer
IAM
data
Access
(or
use)
IAM
data
Control
IAM
data
Access
data
Identity
data
Authenticate
Authorize
Federate
Analyse
Audit
Comply

10. 10
2.
Iden-ty
&
Access
Management
processes
Administer
IAM
data
Access
(or
use)
IAM
data
Control
IAM
data
...
is
the
construc>on
phase
of
iden>ty,
and
subsequently
providing
it
with
a
"personality"
by
assigning
a.ributes,
en>tlements,
creden>als.
It
provides
the
create/maintain/
re>re
capabili>es
of
IAM.
Administra>on
also
provides
the
plaPorm
for
intelligence:
a
means
to
make
sense
of
the
iden>ty
and
access
events.
...
serves
as
a
founda>onal
plaPorm
to
facilitate
authen>ca>on
and
authoriza>on,
and
the
capabili>es
within
them,
from
single
sign-­‐on
to
en>tlements
resolu>on
and
enforcement
of
access
decisions.
Access
is
the
"engine"
of
IAM
that
takes
iden>>es
and
their
informa>on
and
uses
them
to
effect.
... generates reports for auditors, provides real-time
monitoring for operations and delivers the analytics
necessary for analysts and business stakeholders to
make intelligent, actionable decisions in the business
and in IT.

11. 11
Techno-
logies
3.
Key
components
ProcessesPeople
rely
on
support
sustain
Cendio®
ThinLinc
®

12. 12
4.
Business
values:
iden-fy
and
measure
KPIs
KPIs
Efficiency
of
opera>ons
Effec>veness
of
security
Enablement
of
business

13. Iden-ty
&
Access
Management
Iden-ty
Intelligence
Virtual
Desktop
Infrastructure
Paradigmo’s
proposal

14. 14
Paradigmo’s
proposal
is
process
based
Administer*
IAM*data*
Access*(or*use)*
IAM*data*
Control*
IAM*data*
Cendio®
ThinLinc
®
Boost**
user*mobility*

15. 15
Account
Administer
IAM
data
The
theory
Rules
Roles
Requests
Attributes
Actions
Objects
Policies
Conditions
Role management Policy management

16. 16
File Share
Active Directory
Microsoft
Applica>ons
Human
resources
Signaletic
Attributes
Coarse-grained
Fine-grained
User
form
(C,U,D)
Access
form
Mandates
Administer
IAM
data
A
standard
use
case
Databases
Profiles

17. 17
PAP
Policy Manager:
- Applications
- Roles
- URLs
- Business Transactions
- Conditions
- Coarse-grained access matrix
- Fine-grained access matrix
Corporate
LDAP
Mandates
FAS
AUributes
AUributes
Mandates
Roles
Scope:
~140 internal applications
~30 external applications
Policies
ac-va-on
Administer
IAM
data
Policy
Manager

18. 18
Applica-on
Roles
(LDAP
filter)
Coarse
grained
matrix
URL
Allow
Deny
Condi>on
(LDAP
filter)
Roles
(LDAP
filter)
Fine
grained
matrix
BT
Allow
Deny
Condi>on
(LDAP
filter)
<URL,
[GET|POST]>
<Resource,
Ac-on>
Administer
IAM
data
ABAC
implementa-on
Scope:
~140 internal applications
~30 external applications

19. 19
Access
(or
use)
IAM
data
Identity
Provider
(IDP)
Service
Provider
(SP)
Applica>ons
Concepts

20. 20
Why
ForgeRock?
ü All-­‐in-­‐one
Unified
Open
Iden>ty
Stack
ü Easy
to
install
and
to
operate:
one
single
process
delivers
all
func>ons
ü Simple
and
scalable
to
cope
with
Internet
scale
ü Simple
and
flexible
to
cope
with
new
concepts
ü Support
and
extensibility
capabili>es
(developer
friendly)
ü Subscrip>on
model,
no
cost
un>l
Enterprise
build
is
use
in
produc>on
Administer*
IAM*data*
Access%(or%use)%
IAM%data%

21. 21
FedICT
delivers
Federal
Authen>ca>on
Service
(FAS),
the
reference
public
IDP
service
in
Belgium,
based
on
OpenAM.
FPS
Finance
delivers
AuthN,
AuthZ
&
SSO
of
internal
(~140)
and
external
(~30)
applica>ons
based
on
OpenSSO.
Toyota
implemented
AuthN
&
AuthZ
of
“things”
on
OpenAM.
For
internal
apps,
the
migra>on
is
ongoing.
Luxair
provides
AuthN,
AuthZ
&
SSO
for
home-­‐developed
applica>ons
using
OpenAM.
BNP
PIP
uses
OpenDJ
to
provide
central
authen>ca>on
of
Unix
administrators
and
users.
Clinique
Saint-­‐Luc
provides
AuthN,
AuthZ
&
SSO
of
commercial
applica>ons
using
OpenAM.
Why
ForgeRock?
Administer*
IAM*data*
Access%(or%use)%
IAM%data%

22. 22
Use
cases
Control'
IAM'data'
Who are my users?
What do they have access to?
Are these accesses legitimate?
How do I communicate
on the role structure of
my organization?
How do I clean
up data before an
IAM deployment?

23. 23
ü Control
oriented
approach:
it
rebuilds
the
AM
theore>cal
model
from
<accounts,
en>tlements>
ü Low
footprint
on
organiza>on:
it
applies
ETL
method
for
data
loading
ü Data
model
is
complete
and
agnos>c
ü BI
principles
applied
to
Iden>ty
for
online
inves>ga>ons
or
repor>ng
ü Full
history
built
through
successive
snapshots
Ø Quickly
delivers
concrete
results
Why
Brainwave?
Control'
IAM'data'
D
a
t
a

24. 24
ü Provide
a
feature-­‐rich
VDI
infrastructure
at
an
op>mized
cost
ü Provide
fast
hot-­‐desking.
Typically,
nurses
in
hospitals
and
clinics
ü Support
remote
sites
or
home
workers
ü Implement
‘BYOD’
projects
ü Support
advanced
graphics
ü Op>mize
performance
of
Java
applica>ons
(when
there
are
network
latencies)
ü Support
Windows
and
Linux
desktops
ü Lower
noise
level
in
training
rooms
ü Secure
sterile
environments
Boost%%
user%mobility%
Use
cases

25. 25
Desktop(
access(
Desktop(
management(
Desktop(
virtualisa3on(
Cendio®
ThinLinc
®
• IGEL thin client
(Windows or Linux)
• IGEL UDC (Desktop converter)
• IGEL UMS (Mgmt suite)
• HW: Card reader, WIFI
• SW: PowerTerm, Codec
• All included in purchase price
• Desktop and application virtualization
• Session server, fast hot-desking support
• Mixed Windows and Linux desktop
support
• Advanced Graphics support
• Optimized network performance
• Concurrent licensing, subscription model
Boost%%
user%mobility%
Innova-ve
and
cost
effec-ve
solu-on

26. 26
Project
objec>ves
ü Replace
1200
desktops
whilst
op>mizing
costs
ü Support
current
business
requirements,
including
hot-­‐desking
for
nurses
ü Build
capacity
to
ease
future
deployments
ü Support
emerging
concepts
(mobile,
cloud…)
Project
achievements
Ø IGEL
Thin
Client
+
IGEL
UDC
+
IGEL
UMS
Ø IGEL
/
Cendio
ThinLinc
/
Smartcard
integra>on
Ø Windows
2012
TS
server
farm
Ø Cendio
ThinLinc
mul>-­‐
client,
network
op>mized
technology
Boost%%
user%mobility%
Reference
deployment:

27. 27
Olivier
Naveau
Managing
Director
olivier.naveau@paradigmo.com
Ques-ons
&
answers