Post on 18-Nov-2014
Identity & Access Management in the cloud
Stephan Hendriks, Eric IJpelaar
March 23, 2011
Infosecurity Brussels 2011
Classification: Only to be used in other publications after explicit approval of the authors
Actual photo of Dubai City, taken from atop the Burj Tower.
Agenda
• Setting the scene
– Who are we?
– Define the topics
– Getting to know DSM
• The challenge
• The approach
• The solution
• Key takeaways
Stephan Hendriks
Eric IJpelaar
What is Cloud Computing?
• Wikipedia
You can search yourself
• ENISA report
Cloud computing is an on-demand service model for IT provision, often based on
virtualization and distributed computer technology
– Highly abstracted resources
– Near instant scalability and flexibility
– Near instantaneous provisioning
– Shared resources (hardware, database, memory)
– Service on demand, usually with a “pay as you go” billing system
• Cloud Security Alliance view (slide figure): a deployment matrix of Internal vs. External and Dedicated vs. Shared, across the SAAS, PAAS and IAAS layers
Building blocks of Identity & Access Management
What is Identity and Access Management?
• One integrated identity base.
• Automated user management
– Provision users to target systems based on available authoritative
sources and administration processes.
• Automated entitlement or authorization management
– Managing access based on user characteristics: e.g. function,
location, context, etc.
– Active monitoring of SoD (segregation of duties) violations
• User self service
– Request and approval for access to resources
– Account password reset / forgotten password
– Update profile information in case no authoritative source exists
• (Web) Single Sign-on, Policy enforcement (WAM) and Strong
authentication
– On and off premise... (i.e. federated apps, cloud apps, (legacy) web
apps, anytime, anyplace, any device)
– Providing access based on user and context characteristics
Identity Management Project
Access Management Project
DSM is everywhere
Focus on Life Sciences and Materials Sciences
Slide figure: the four focus areas Health and Wellness, Climate and Energy, Functionality and Performance, and Emerging Economies, mapped onto the business groups Nutrition, Pharma, Performance Materials, Polymer Intermediates and EBAs, spanning Life Sciences and Materials Sciences.
DSM Mission
Planet Profit People
The planet is our Care™
Hidden Hunger – a global challenge
Definition:
• Enough calories to stay alive, but
• Not enough vitamins and minerals to be
mentally and physically healthy
Over 2 billion people affected worldwide, claiming 10 million lives every year
Slide figure: Recognition, Involvement, Partnering, Business; Nutrition Improvement Program
Innovation is our Sport™
• DSM Composite Resins, Olympic sailing 470 class racing dinghy: stiffness +120%, strength +200%, 2.5% less weight. Silver for Berkhout and de Koning!
• Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months of market introduction!
DSM ICT BV
Organisation and Governance: some figures
DSM-ICT Organization: employees 500+; nationalities 15; affiliate locations 6 (Basel, Sittard, New York, Shanghai, Singapore, Sao Paulo)
Services: sites 230; countries 48; end-user workstations 19,000; SAP users 10,000; business applications ca. 1,600
World-wide, centralized ICT organization; BG ICT spending ~90% by DICT; high level of standardization; total DSM employees 23,000
Agenda
• Setting the scene
• The challenge
– The new Strategic Vision
– The new Process Model
• The approach
• The solution
• Key takeaways
The new strategic vision: entering a new era of growth
Slide figure, four growth drivers:
• High Growth Economies: from reaching out to becoming truly global
• Innovation: from building the machine to doubling the output
• Acquisitions & Partnerships: from portfolio transformation to growth
• Sustainability: from responsibility to business driver
DSM in motion: driving focused growth
Perf Mat growing via innovative sustainable solutions
Pol Int strengthening backward integration for DEP
Pharma leveraging partnerships for growth
Nutrition continued value growth
EBAs building new growth platforms
Life Sciences and Materials Sciences addressing key global trends & exploiting cross-fertilization in One DSM
The necessity of change
• Better information and knowledge sharing
• Improving collaboration inside and outside the enterprise (e.g. federation)
• Efficiency in our work
• Anticipating organizational change and growth (agility)
• Quick onboarding of mergers and acquisitions
• Impacting: people / behaviors, processes, information management, tools
The new DSM Process Model: Apollo 2.0
• Aligning the Business Process Model with the “new DSM”
Agenda
• Setting the scene
• The challenge
• The approach
– Architecture as structure
– Architectural Principles
• The solution
• Key takeaways
Critical success factors require good enterprise architecture
• Many people involved, one approach
• Create buy-in with all stakeholders
• End to end
• Roadmap based incremental implementation
• Each step needs to have a business need
Framework: TOGAF
Architecture as structure
Architecture principles as guideline
Slide figure: Business Strategy (High Growth Economies, Innovation, Acquisitions & Partnerships, Sustainability) → IT Strategy → Visionary Principles and Design Principles
Design Principles
1. Standardization
2. Simplification
3. Share Unless
4. Evolutionary Implementation
5. Independent Service Blocks
6. Minimize On Site support
7. IT Responsibility
8. Transferable Services
9. Information Oriented
10. Data is an Asset
Visionary Principles
• Internet Centric
• On Demand
• Consumerization
• Design for Agility
Explanation visionary principles
• Internet Centric: using Internet technology to connect end-nodes and striving for zero DSM-foot-printed end-user devices.
• On Demand: on demand services that can be charged based on usage.
• Consumerization: consuming services with any tool, any product or any device which is common in the ICT consumer market.
• Design for Agility: dynamic services that can be easily and quickly added, changed, or removed.
The core principle ‘Internet Centric’ visualized
Slide figure: end-user devices, both DSM-controlled (desktop, laptop, PDA, smartphone) and non-DSM-controlled (computer, smartphone), connect over Internet technology to the DSM data center(s) and to SaaS providers. Labels on the diagram: “Zero DSM-foot-printed end-user devices”, “Connectivity based on Internet technology”, “Internet resistance”.
Taking into account security risks & legal requirements
• Moving to the consumer market means:
– Brands & intellectual property protection becomes more important
– Reputation damage has a bigger influence on shares and sales
– FDA and other regulations become more important
Leads to
• Changing the use of ICT, which means ensuring the level of trust:
– Person/identity: be sure that the user is the person he/she claims to be
• Multi-factor authentication: e.g. a digital certificate on a token, or derived from an authentication action (e.g. iris scan)
– Device/end-node: be sure that the connected device is OK
• Certificate for DSM end-user devices
• Certificates for end-nodes/servers
– Application: be sure that the application is the approved one for DSM
• Check that it is a trusted DSM application with correct certificate licenses
– Data: be sure you can trust the (integrity of the) data
• Data Access Control
• Encryption
• Data Loss Prevention
• Enterprise Rights Management
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
– Integrated Roadmap
– Identity & Access Management
– Example: Sharepoint 2010
• Key takeaways
Integrated Roadmap (key projects)
Slide figure (timeline starting today): New generation ICT; Enterprise Search; Business Process Management; SharePoint 2010; EDM; DLP/DRM; Master Data Management; ISM Self user Portal; Next Generation Network; Identity & Access Management; New Workplace; Data encryption; Site Server Redesign; HR System of Record; Folder access Mgt.
Objectives for IAM Solution (objective: from → to)

1. Support Internet Centric vision and SAAS computing.
From: Different credential management and authentication methods for different applications, and no secure authentication data transfer over the internet to get access to SAAS applications.
To: Common security / regulatory compliant processes and tools that support secure uniform data transfer for authentication over the internet.

2. Integrated IAM process and tools (efficient and effective response to new/changed users).
From: Fragmented identity management systems with separation of internal / external. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination.
To: Integration of internal and external identities in one process. Automated process for user provisioning / de-provisioning to main business applications.

3. Ease of use / simplicity for all users (internal and external) who interact with DSM.
From: Network based access controls. Multiple user ids/passwords for different applications. No service based concepts (SOA / BPM).
To: Identity based access any time, anywhere to applications and services in the DSM network or internet domain. Single sign-on based on common credentials, for internal and external users. Federated access/SSO to SAAS solutions.

4. Reduce development and operational costs.
From: Application specific implementations for identity and account management and access control. Multiple components requiring complex (custom) integration.
To: A single platform for common functionality (e.g. web access management). Integrated IAM platform based on out of the box tooling.

5. Comply with security and regulatory requirements.
From: Different credential management and authentication methods for different applications. Lack of visibility and control over access policies and use.
To: Common security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed policy based access controls.
IAM Program – Key relations to other initiatives
Slide figure: the IAM Program (IM Project and AM Project) in relation to Aurora AD, Email4All, Global Employee Data Management, Apollo, ERP, ECM, Collaboration Journey, BPM and the User Self-service Portal.
Annotations on the slide:
– System(s) of record: who should add? HR is monthly / ICT provisions next day.
– User Portal: IAM in relation to Service Management; integrated reporting?
Identity & Access Management – a simplified picture
Slide figure, numbered flow:
1. Tactical Identity & Access Model Management: access modeling, roles vs. rights.
2a. Operational User Management: new user ‘form’, request form and approval process (users / admins); user vs. role, user vs. rights.
2b. Provisioning to the target systems.
3a. Use: authentication, authorization & ‘use’ with credentials (e.g. username / password) against the target systems.
4. DSM employee management fed from the HR systems: new staff, retirement, resignation, transfer; the Identity & Access Store checks whether identities are in sync.
Annotations on the slide: who is responsible for which data field! What are the drivers for the business to quickly remove leavers and add joiners!
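The joiner/leaver flow and the “check if identities are in sync” step above are where provisioning gaps turn into exposure: a leaver whose accounts outlive the HR termination date, an identity nobody in HR owns, or a role combination that breaks segregation of duties. The following Python script is an added example, not code from the presentation or from DSM. It reconciles a constructed HR feed (the system of record) against a constructed identity-store snapshot and reports joiners to provision, leavers still holding accounts, orphan identities without an HR record, and SoD violations against two placeholder role-pair rules. All employee ids, role names and target-system names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed (system of record); constructed for this example."""
    employee_id: str
    status: str                          # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class Identity:
    """One identity in the identity & access store; constructed for this example."""
    employee_id: str
    enabled: bool = True
    roles: Set[str] = field(default_factory=set)
    accounts: Set[str] = field(default_factory=set)   # target systems holding an account


# Segregation-of-duties rules: role pairs one identity may not hold together (placeholder names).
SOD_RULES = (
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "approve_access"}),
)


def sod_violations(identity: Identity) -> List[tuple]:
    """Return every SoD rule fully contained in the identity's role set, sorted for stable output."""
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= identity.roles)


def reconcile(hr_feed: List[HrRecord], identities: List[Identity], today: date) -> Dict[str, list]:
    """Compare HR (authoritative) with the identity store and list the actions that keep them in sync."""
    hr_by_id = {r.employee_id: r for r in hr_feed}
    id_by_id = {i.employee_id: i for i in identities}
    result: Dict[str, list] = {"provision": [], "deprovision": [], "orphan": [], "sod": []}

    for emp_id, rec in sorted(hr_by_id.items()):
        ident = id_by_id.get(emp_id)
        if rec.status == "active":
            if ident is None:
                result["provision"].append(emp_id)          # joiner not yet in the store
            continue
        # Terminated in HR: only a leaver once the termination date has passed (or is unknown).
        has_left = rec.termination_date is None or rec.termination_date <= today
        if has_left and ident is not None and (ident.enabled or ident.accounts):
            result["deprovision"].append((emp_id, sorted(ident.accounts)))   # access outlived employment

    for emp_id, ident in sorted(id_by_id.items()):
        if emp_id not in hr_by_id:
            result["orphan"].append(emp_id)                 # nobody in HR owns this identity
        for violation in sod_violations(ident):
            result["sod"].append((emp_id, violation))
    return result


# Constructed sample data (assumption: ids, roles and systems are illustrative only).
HR_FEED = [
    HrRecord("e001", "active"),
    HrRecord("e002", "terminated", date(2011, 3, 1)),     # left, should have no access
    HrRecord("e003", "active"),                           # joiner, not yet provisioned
    HrRecord("e004", "terminated", date(2011, 4, 30)),    # leaving in the future, still entitled
]
IDENTITIES = [
    Identity("e001", roles={"create_vendor", "approve_payment"}, accounts={"sap", "ad"}),
    Identity("e002", accounts={"sap"}),                   # still enabled after termination
    Identity("e004", accounts={"ad"}),
    Identity("x999", accounts={"sharepoint"}),            # no HR record at all
]


def demo() -> Dict[str, list]:
    """Run the reconciliation on the constructed data as of the presentation date."""
    return reconcile(HR_FEED, IDENTITIES, date(2011, 3, 23))


if __name__ == "__main__":
    for action, items in demo().items():
        print(f"{action}: {items}")
```

The future-dated leaver (e004) is deliberately left alone: de-provisioning on the HR status alone, before the termination date, is the kind of false positive that makes the business distrust the automation the slide asks for.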
Requirements for the authentication process
• It should be as independent as possible of the authentication mechanism you are using (smart card, token, mobile phone) but should support strong/multi-factor authentication (having something and knowing something)
• Could support physical access and logical access in one authentication mechanism / card / token
• External users whom we want to identify personally (not only trusting the company so that everybody in the company can access) should be possible
• When working externally or internally, the authentication process and the screen the DSM user will see should be the same
• Business partners’ employees, contractors, and DSM employees should authenticate in the same way
• The solution should be as general as possible, but DSM should strive to limit the number of authentication process protocols
Moving towards an Open Enterprise
Protocol stack (ordered over time):
1. SAML
2. WS-Federation
3. RADIUS
4. Kerberos (internal)
Example - SharePoint 2010
Slide matrix (user type / directory service, device, location, authentication, applications):
– DSM employee or 3rd party hired by DSM (DSM Directory), DSM workstation, internal / VPN: SSO; Intranet, Team Sites, My Site
– DSM employee or 3rd party hired by DSM (DSM Directory), any device, Internet: user name / password; Team Sites (Presentation)
– 3rd party not hired by DSM (Extranet Directory), any device, Internet: user name / password; all authorized applications
Arrows on the slide: gradual addition of devices; gradual addition of (cloud) services; roll-out of SSO / Federation / (strong) authentication; roll-out of Identity Management and Data Protection.
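The SharePoint matrix above is a context-based access policy: user type, device and location together decide which directory authenticates the user, which authentication method is required, and which applications are offered. The following Python example is added here and is not the presentation’s or DSM’s code. It encodes that matrix as a lookup keyed on the context, denies any combination the matrix does not describe, and lets the external-user row fall back to a per-user allow list in place of “all authorized applications”. The context labels and application names are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Who is asking, from what, and from where (labels are assumptions for this example)."""
    user_type: str   # "employee" = DSM employee or 3rd party hired by DSM; "external" = 3rd party not hired by DSM
    device: str      # "dsm_workstation" or "other"
    location: str    # "internal" (on-site or VPN) or "internet"


@dataclass(frozen=True)
class PolicyRow:
    directory: str
    authentication: str                      # "sso" or "password", as on the slide
    applications: Optional[FrozenSet[str]]   # None = only the applications explicitly authorized per user


# Assumed encoding of the slide's matrix; application names are placeholders.
POLICY = {
    ("employee", "dsm_workstation", "internal"):
        PolicyRow("DSM Directory", "sso", frozenset({"intranet", "team_sites", "my_site"})),
    ("employee", "other", "internet"):
        PolicyRow("DSM Directory", "password", frozenset({"team_sites"})),
    ("external", "other", "internet"):
        PolicyRow("Extranet Directory", "password", None),
}


def evaluate(ctx: AccessContext, app: str,
             authorized_apps: FrozenSet[str] = frozenset()) -> Tuple[bool, Optional[str], str]:
    """Return (allowed, required_authentication, directory_or_reason) for one request."""
    row = POLICY.get((ctx.user_type, ctx.device, ctx.location))
    if row is None:
        # A combination the matrix does not cover (e.g. an external user on the internal network): deny.
        return False, None, "no policy row for this context"
    offered = row.applications if row.applications is not None else frozenset(authorized_apps)
    if app not in offered:
        return False, row.authentication, f"{app} is not offered in this context"
    return True, row.authentication, row.directory


if __name__ == "__main__":
    print(evaluate(AccessContext("employee", "dsm_workstation", "internal"), "my_site"))
    print(evaluate(AccessContext("employee", "other", "internet"), "my_site"))
    print(evaluate(AccessContext("external", "other", "internet"), "team_sites", frozenset({"team_sites"})))
    print(evaluate(AccessContext("external", "other", "internal"), "team_sites"))
```

Deny-by-default on an unknown context is the important design choice: as devices and cloud services are added along the slide’s arrows, each new combination has to be written into the policy explicitly rather than inheriting the most permissive row.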
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
• Key takeaways
Key takeaways
DSM
Questions