INFORMATION SECURITY FOR ACCESS PROVISIONING: THE BOEING COMPANY
T-Bone & Tonic: Aly Boghani, Joan Oliver, Mike Patrick, Amol Potdar
June 6, 2009 (PowerPoint presentation transcript)


Page 1 (title slide)

Page 2

What is Access Provisioning?

Provisioning: To create and maintain a subject's digital identity, accounts, credentials, and entitlements in response to automated or interactive business processes.

Identity: A BEMSID (employee ID) and all related employee information

Account: A Windows account for Jane Smith, Web Single Sign On (WSSO)

Credentials: Biometric identifier(s), Windows password, Z-Token

Entitlement: Access to REDARS, a Boeing badge, access to newScale

Page 3

Recap of Problem

[Slide diagram: the current landscape of provisioning-related systems, colour-coded per the legend below. Systems shown: EPSS, CED, EPDWHRMS, CARATS, EAP (7/21/2008), NBR (7/11/08), VSGATE, RADIUS, NBARSSA, DCAMS, CLAMS, ECARFMS, EEPPI, SEQUENT, TEAMS, APPREG, Policies, ATMA, BART, RSS, Boeing Apps, UNIX (USA-NIS), NOFRT, ACF2, ACF2 SUITE, MARS, AA, MAD/eAD, EAF/SAPM, GGM, PLGM, WART, OARS, AD, EDS, VRA AAA, RACF, ALF, AIM, ICS, RACFQRY, RACF PHILLY, Exchange, UNIX (STL), Access To RP, COGNOS, UIDR, SSLVPN-FM, SSLVPN, SSGRP Domain Tool, SSGRP, CATIA SUITE, STAR, D1SD, MARS (MESA), BLU/RAD, STAC, CSPR3.]

Legend: Partial System Retirement; Full System Retirement; Potential System Retirement; Systems outside Information Security; Retired mm/dd/yy.

Page 4

Goal

End users focus on access to target systems like Windows, REDARS, etc. They don't focus on what accounts they need to access Windows.

Technologists focus on the accounts and permissions end users need to access Windows, etc.

[Slide diagram: the two views meet on common ground in the chain "Sally – Is A – With Access To – Using the Following Account(s)", shown once from the end-user side and once from the technologist side, with newScale as the request tool.]

The goal of provisioning is to help Sally obtain access to REDARS, etc.

Page 5

Why now?

• Boeing is a very large corporation
  – Processes antiquated and inefficient
  – If a solution is not known, is slow, or does not meet requirements, new solutions are implemented
• No centralized, enterprise-wide security organization until recently
  – Information Security group
  – Security priorities: Access Provisioning

Page 6

Solution

[Slide diagram: the current landscape of provisioning systems (the same set shown on Page 3) collapsing into a reduced set of target environments served by one tool. Remaining targets shown: EPSS, CED, EPDWHRMS, VSGATE, RADIUS, Policies, ACF2, EAF/SAPM, AD, EDS, RACF, Exchange, UNIX (STL), Access To RP, COGNOS, UNIX (USA-NIS), Boeing Apps, SSLVPN, SSGRP, Database Env., Vendor Apps.]

Boeing Enterprise Provisioning Tool (BEPT), Component Level View:

• Warehouse
• Interfaces: Export (People, Devices, Apps, Policies, Contracts); Auto-Request Submittal
• Administration GUI
• Self Service GUI
• Customized GUIs (e.g. AA) or external federated provisioning systems
• Reporting and Metrics
• Audit / Reconciliation
• Workflow Repository
• Dispatching
• Connectors to: Applications & Databases; Directories; Operating Systems; Gateways and VPNs
• Actors: Managers, Auditors, etc.; End Users, Focals, etc.; Solution Operator

Page 7

Solution

• Boeing has selected and purchased a COTS-based provisioning solution
  – Conducted an RFP and proof of concept in 2007
  – Selected Oracle Identity Manager (OIM)
  – Purchased product in January 2008
• Established the Enterprise Provisioning Program
  – Establish and implement an enterprise-wide common process for identity and access management
  – Implement a common tool (OIM) that is intuitive to end users
  – Retire existing provisioning tools and systems

Page 8

Oracle Identity Manager Overview

Page 9

Oracle Identity Manager (OIM)

• Self Service and Delegated Administration
  – User-configurable proxy
• Workflow and Policy
  – Workflow management
  – Transaction integrity
• Password Management
  – Self-service password changes
• Audit and Compliance Management
  – Comprehensive historical reporting
• Integration Solutions

Page 10

OIM Details

Page 11

OIM Connectors and Compatibility

– Connectors
  • Oracle E-Business Suite
  • PeopleSoft
  • Siebel
  • JD Edwards EnterpriseOne
  • SunONE
  • Microsoft AD & Exchange
  • SAP
– Compatibility
  • Remote Manager acts as a wrapper for legacy applications

Page 12

Technology Benefits

• One system
  – Reduced personnel to maintain
  – Reduced maintenance costs
• Can plan a phased implementation
• Cleaner audit controls

Page 13

Expected Results

• Realized business case
• Reduced cycle time by 75%*
• Improved non-Boeing and Boeing access processes
• Improved end user experience
• Enhanced manager/approver experience
• Minimized reliance on custom development
• Increased automation

* Assumes automated interface to target system

Page 14

Expected Results

• Reduced risk
  – Reduce the number of different means for establishing identities, accounts, and entitlements
  – Ensure only approved access is granted
  – Ensure policies and rules are enforced through automation rather than through human interaction
  – Identify and relegate rogue accounts
  – Periodically audit and attest access
  – Reconcile differences between provisioning systems (authoritative source for access) and target environments (real world)
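The rogue-account and reconciliation bullets above describe one concrete check: compare what the provisioning system says was approved against what a target system actually reports, and flag every difference. The Python below is an added example written for this transcript, not Boeing's or Oracle Identity Manager's code. It uses the identity, account and entitlement vocabulary from Page 2; every employee ID, account name, target-system name and record in it is constructed.

```python
"""Reconcile the provisioning system (authoritative source for approved access)
against a target environment (what really exists).

Added example, not Boeing's or Oracle Identity Manager's code. All identifiers,
system names and records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    target: str       # target system the permission applies to
    permission: str


@dataclass
class Subject:
    """One digital identity with what the provisioning system approved for it."""
    employee_id: str
    accounts: Dict[str, str]              # target system -> account name
    entitlements: Set[Entitlement] = field(default_factory=set)
    active: bool = True


@dataclass
class TargetAccount:
    """One account as reported by the target system's own export."""
    target: str
    account: str
    permissions: Set[str]


@dataclass
class Finding:
    kind: str      # rogue_account | orphaned_account | excess_permission | missing_permission | missing_account
    target: str
    account: str
    detail: str


def reconcile(subjects: List[Subject], exported: List[TargetAccount]) -> List[Finding]:
    """Compare both views and return every difference.

    rogue_account       target has an account no subject was provisioned with
    orphaned_account    the account's owner is no longer active
    excess_permission   target grants more than was approved
    missing_permission  an approved entitlement is absent on the target
    missing_account     an approved account does not exist on the target
    """
    owner_of: Dict[Tuple[str, str], Subject] = {}
    for subj in subjects:
        for target, account in subj.accounts.items():
            owner_of[(target, account)] = subj

    findings: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()
    for acct in exported:
        key = (acct.target, acct.account)
        seen.add(key)
        subj = owner_of.get(key)
        if subj is None:
            findings.append(Finding("rogue_account", acct.target, acct.account,
                                    "exists on target, unknown to provisioning system"))
            continue
        if not subj.active:
            findings.append(Finding("orphaned_account", acct.target, acct.account,
                                    f"owner {subj.employee_id} is inactive"))
        approved = {e.permission for e in subj.entitlements if e.target == acct.target}
        for perm in sorted(acct.permissions - approved):
            findings.append(Finding("excess_permission", acct.target, acct.account,
                                    f"'{perm}' granted but never approved"))
        for perm in sorted(approved - acct.permissions):
            findings.append(Finding("missing_permission", acct.target, acct.account,
                                    f"'{perm}' approved but not present"))
    for (target, account), subj in owner_of.items():
        if subj.active and (target, account) not in seen:
            findings.append(Finding("missing_account", target, account,
                                    f"approved for {subj.employee_id} but absent on target"))
    return findings


# Constructed sample data: employee IDs, account names and systems are made up.
SUBJECTS = [
    Subject("BEMSID-000001", {"Windows": "jsmith", "REDARS": "jsmith"},
            {Entitlement("Windows", "login"), Entitlement("REDARS", "read")}),
    Subject("BEMSID-000002", {"Windows": "contractor42"},
            {Entitlement("Windows", "login")}, active=False),
]
EXPORTED = [
    TargetAccount("Windows", "jsmith", {"login"}),
    TargetAccount("Windows", "contractor42", {"login"}),          # owner has left
    TargetAccount("Windows", "svc_backup", {"login", "admin"}),   # nobody provisioned this
    TargetAccount("REDARS", "jsmith", {"read", "write"}),         # 'write' never approved
]


def reconcile_sample() -> List[Finding]:
    return reconcile(SUBJECTS, EXPORTED)


if __name__ == "__main__":
    for f in reconcile_sample():
        print(f"{f.kind:20} {f.target}/{f.account}: {f.detail}")
```

In a deployment the `EXPORTED` list would come from a connector's export of the target system and `SUBJECTS` from the provisioning repository. Each finding kind maps to a remediation the slides call for (disable the orphaned account, remove the excess permission, investigate and relegate the rogue account), and running the comparison on a schedule is what gives periodic attestation something concrete to act on.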

Page 15

How do we get there?

• The program will look for opportunities that will enable one or more of the following
  – Reduce current cycle time
  – Target largest business impacts
  – Focus on streamlining and automating the existing manual work activities
  – Select a tool that is well understood to facilitate learning
  – Reduce risk associated with application support (server end of life and/or tool knowledge base exhausted)
  – Analyze large systems in parallel to mitigate complexity and long-lead items
  – Ensure resources for critical functions have trained backups

Page 16

Strategy

• Provisioning will continue as one of the key security services
  – Manage identities, accounts, and entitlements
  – Publish data to the enterprise directory and target systems (as required)
  – Referred to as the identity management service

Page 17

Strategy

• The goal for these services is to publish security data to fewer target systems over time
  – Publish data to a central repository rather than to individual application environments
  – Applications will consume authorization data via well-defined APIs to minimize impact to application code over time

Page 18

The Big Picture

[Slide diagram of the enterprise security services architecture. Services: Monitoring and Logging; Resource & Policy Mgmt.; Identity Management; AuthN; AuthZ; Identity Distribution; Policy Distribution; Token Exchange. Stores: Data Repository; Authoritative Sources; Federated Identity Store. The services are exposed through an Enterprise Security Services Interface. A Target is fronted by a PEP, which obtains Authentication Decisions and Authorization Decisions from a PDP. Flows labelled: Identity Data, Policies, Tokens, Authorization Decision, Resource Data, Access & Account Requests, and Log Events & Traps (from both the target side and the services side).]
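Pages 17 and 18 describe applications consuming authorization data from a central service through a well-defined API, with a PEP in front of the target and a PDP making the decision. The Python below is an added illustration of that split, not from the slides and not Oracle Identity Manager code: the application holds no authorization tables of its own, every request goes to the PDP, and every decision is logged. The identity records, dates, target name and employee IDs are constructed.

```python
"""Application authorization through a central Policy Decision Point (PDP).

Added example; not from the original slides and not Oracle Identity Manager
code. Every name, record and date below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List


@dataclass
class IdentityRecord:
    """What the central repository holds for one identity: whether it is active,
    and per target system the permissions granted with the date each grant
    must be re-attested by."""
    employee_id: str
    active: bool
    entitlements: Dict[str, Dict[str, date]]  # target -> permission -> attested-until


@dataclass
class Decision:
    permit: bool
    reason: str


class PolicyDecisionPoint:
    """Central service. Default deny; permits only when the identity is active
    and holds an unexpired entitlement for the requested permission."""

    def __init__(self, repository: Dict[str, IdentityRecord]):
        self.repository = repository
        self.log: List[str] = []  # stands in for the 'Log Events & Traps' feed

    def decide(self, employee_id: str, target: str, permission: str, as_of: date) -> Decision:
        record = self.repository.get(employee_id)
        if record is None:
            decision = Decision(False, "unknown identity")
        elif not record.active:
            decision = Decision(False, "identity inactive")
        else:
            until = record.entitlements.get(target, {}).get(permission)
            if until is None:
                decision = Decision(False, "no entitlement")
            elif until < as_of:
                decision = Decision(False, "entitlement not re-attested")
            else:
                decision = Decision(True, "active entitlement")
        verdict = "PERMIT" if decision.permit else "DENY"
        self.log.append(f"AUTHZ {employee_id} {target}:{permission} {verdict} ({decision.reason})")
        return decision


class PolicyEnforcementPoint:
    """Sits inside the application in front of a protected operation. The
    application code needs no knowledge of who is entitled to what."""

    def __init__(self, pdp: PolicyDecisionPoint, target: str):
        self.pdp = pdp
        self.target = target

    def guarded(self, employee_id: str, permission: str,
                operation: Callable[[], str], as_of: date) -> str:
        decision = self.pdp.decide(employee_id, self.target, permission, as_of)
        if not decision.permit:
            raise PermissionError(decision.reason)
        return operation()


# Constructed repository contents (made-up employee IDs and dates).
REPOSITORY = {
    "BEMSID-000001": IdentityRecord("BEMSID-000001", True,
                                    {"REDARS": {"read": date(2010, 12, 31)}}),
    "BEMSID-000002": IdentityRecord("BEMSID-000002", False,
                                    {"REDARS": {"read": date(2010, 12, 31)}}),
    "BEMSID-000003": IdentityRecord("BEMSID-000003", True,
                                    {"REDARS": {"write": date(2009, 1, 31)}}),
}


def run_sample(as_of: date = date(2009, 6, 6)) -> Dict[str, str]:
    """Send several requests through the PEP; returns the outcome per request."""
    pdp = PolicyDecisionPoint(REPOSITORY)
    pep = PolicyEnforcementPoint(pdp, "REDARS")
    requests = [
        ("BEMSID-000001", "read"),    # active, attested -> permit
        ("BEMSID-000001", "write"),   # no such entitlement -> deny
        ("BEMSID-000002", "read"),    # identity inactive -> deny
        ("BEMSID-000003", "write"),   # attestation expired -> deny
        ("BEMSID-999999", "read"),    # unknown identity -> deny
    ]
    outcomes: Dict[str, str] = {}
    for emp, perm in requests:
        try:
            outcomes[f"{emp}:{perm}"] = pep.guarded(emp, perm, lambda: "document contents", as_of)
        except PermissionError as err:
            outcomes[f"{emp}:{perm}"] = f"denied: {err}"
    return outcomes


if __name__ == "__main__":
    for key, result in run_sample().items():
        print(key, "->", result)
```

The point of the split is that deactivating an identity or letting an attestation lapse in the central repository takes effect in every application at the next request, without touching application code; the PDP's log is also the single place to watch for denied requests against a given target.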

Page 19

Enterprise Access Provisioning must incorporate the four cornerstones of information security: Confidentiality, Authenticity, Integrity, Availability.

A successful provisioning solution ensures individuals get access to necessary resources easily and quickly while ensuring the proper security protocols are completed.

Page 20

Supplemental Slides (not to be presented)

Page 21

OIM J2EE Architecture

Page 22

Offline Processing

Page 23

Legacy Application Support

Page 24

Scheduling Engine

Page 25

Secure Communications