Secure Extended-Enterprise Collaboration
17 March 2009
Microsoft France seminar on
Extended Enterprise
Exostar Collaboration solutions for Aerospace & Defense
Jean-Paul Buu-Sao, Information System Architect
Email: [email protected]
Exostar Company Overview
Company Facts
> Headquartered in Herndon, VA, USA
> Founded in 2000 by aerospace and defense
industry leaders that shared a common
vision to reduce supply chain costs across
the entire industry
> Largest provider of multi-enterprise
collaboration services to the aerospace and
defense industry
> Industry leader in security and identity
management
Customer Adoption
> Customers include 85 of Top 100 Global
A&D companies
> Major customers include BAE Systems,
Boeing, Lockheed Martin, Raytheon,
Rolls-Royce, UK MOD and Northrop
Grumman
> 40,000 enabled trading partners with over
95,000 users of on-demand applications
> Integrated to hundreds of back office
systems
> 10M annual transactions valued at over
$40B in spend
Exostar enables secure information sharing, collaboration and business
process integration throughout the extended value chain
Copyright 2009 Exostar LLC. All Rights Reserved. For Public Distribution 2
Requirements for Extended Collaboration within the
A&D sector
• Extend key processes beyond enterprise boundaries:
> Product Design
> Procurement & Strategic sourcing
> Supply chain Planning & Execution
• Some key challenges that need to be addressed:
> Meet regulatory requirements (e.g. ITAR, EAR)
> Protect everyone's Intellectual Property
> Offer a flexible security model
> Enable suppliers regardless of their geographical location, size or technical expertise
Detailed Requirements
• Identity and Access Management requirements:
> Distributed, yet compliant, Identity Management:
– Federated Identity Management, governed by the appropriate Policy Authorities and Identity Policies
> Access Management, based on compartmentalized access control across a multi-tenant environment (SAAS) that supports:
– Role-based access,
– Multiple levels of authentication strength and encryption,
– Full audit and non-repudiation
• Agility, flexibility, interoperability requirements:
> Flexible security model providing the right service level for each project/program
> Multiple identity federation protocols and single sign-on services
• Scalability, reliability, supportability
> Scalable Trust Fabric
> Company and users on-boarding process at global level
Solution: Exostar Trusted Workspace (1/2)
[Architecture diagram: partner identities enter the Exostar Trusted Workspace through an Enterprise Gateway ("Federate Once"); the components shown are listed below]
• Exostar Identity Management Solutions:
> Customer Information Center
> Supplier On-Boarding
> Federated Identity Service
> Hosted PKI Credential Service
• Portal Services:
> Single Sign-On (hosted identity authentication)
> Partner Id. Federation (Id. Federation Service)
> Enterprise Gateway (Federate Once)
• Exostar Applications:
> ForumPass4: hosted collaboration environment
> IContact: secure email enablement
> S.C.P: Supply Chain Platform
> SourcePass: hosted eSourcing environment
• Hub Services and 3rd Party Applications
• 3rd Party Identity Management (DoD CAC)
Category: Collaborative applications
> Solutions: ForumPass4, leveraging Microsoft SharePoint 2007; Microsoft Forefront; other applications
> Key point: Delivered in a secure, federated, SAAS environment
> Benefits summary: Easy-to-use, compatible with desktop environment, frees IT
Category: Identity & Access Management
> Solutions: Microsoft Active Directory Federation Service (ADFS) 1.0; Ping Federate; MS CA Server; Exostar FIS/MAG/EAG
> Key point: End-to-end data confidentiality; levels of security profile; multiple levels of Identity Assurance; role-based access; single sign-on; multiple credential levels
> Benefits summary: Risk management, IP protection
Category: Trust Fabric
> Solutions: PKI Trust Fabric; Federation Trust Fabric
> Key point: Compliant with A&D policy standards (TSCP); scalable through mechanisms of transitive trust; global support for organization and user registration, identity proofing and credentialing
> Benefits summary: Compliance, scalability
Solution: Exostar Trusted Workspace (2/2)
PKI Trust Fabric across the A&D industry
[Diagram: the A&D PKI trust fabric, linked by cross-certification between bridge CAs; the participants shown are listed below]
• Bridge certification authorities: FBCA (Federal), CBCA (CertiPath), SAFE CA (Pharma), linked by cross-certification
• Government PKIs: US DoD, UK MoD, NL MoD
• Issuing Certificate Authorities: Boeing, Lockheed Martin, Exostar, ARINC, SITA
• Two participation models: leveraging own certification authorities, or buying individual certificates
• Participating companies named: Rolls-Royce, BAE Systems, EADS / Airbus, Raytheon, Northrop, Finmeccanica, plus further companies
Federated Identity Service - FIS: Overview
• Exostar managed credential issuance service providing PKI credentials for enterprises and trading partners
• Three levels of identity assurance:
> Rudimentary Assurance
– Software certificates which are issued based on organization sponsorship
> Medium Software Credential Assurance
– Software certificates with in-person proofing
– CertiPath Policy compliance
> Medium Hardware Credential Assurance
– Hardware token (FIPS 140-2 based) certificate
– Third-party face-to-face identity proofing
– CertiPath Policy compliance
• Full service enablement, training and support
• Commercially available
ForumPass4 – Access Architecture
[Diagram: Corporate / Public Network on the left, Exostar Trusted Workspace on the right; the components shown are listed below]
• Exostar Managed Access Gateway (MAG): single authentication (www.) in front of Portal Services and Applications
• Enterprise Access Gateway (EAG)
• FIS: Account Management, Certificate Management, Self-Service
• ForumPass4 instances: FP US (Core, Sensitive, Restricted) and FP EU (Core, Sensitive)
ForumPass4 – Multiple levels of security
ForumPass4 – Supporting multiple profiles
[Diagram: security profiles arranged on an axis from "Easy Access" to "Government Specified Military Grade Security", with "Restricted Data [CertiPath PKI Compliant]" and RLOA at the top]
• Controls shown, from strongest to basic:
> Identity Federation Support
> End to End Encryption
> User Name and Password
> SharePoint Access Controls
> SSL
• Use cases shown, from most restricted to basic:
> UKR Compliance
> Additional "Restricted Attribute" Credential Support
> Advanced security policy enablement
> Intellectual Property exchanges
> 2 Factor Authentication Requirements
> Sensitive Data Exchange: share financial data
> Compliance enablement: ITAR Sensitive data
> Basic Team Collaboration: Simple File Sharing
> Web Conferencing
> Knowledge Sharing
> Multi-partner workflow enabled business process
ForumPass4 – some European case-studies
• BAES Submarines Solution
> Management of the commodities for the "Astute" class attack submarine
> Reduced design approval time: from 12 months down to 3 (75% gain)
Source: Global Logistics & Supply Chain Strategies, 16 Dec 2008
• Rolls-Royce
> Design of the "Trent 1000" engine for the Boeing 787
> Reduced design collaboration time: from 45 weeks down to 23 (48% gain)
Source: Aviation Week, 22 Sep 2008
ForumPass4 - Status
• 6,700 registered users (4301 EU, 2399 US)
• 246 companies are registered with ForumPass
Largest Users:
• Rolls-Royce
• BAE Systems
• Northrop Grumman
• Esterline
FP4 addresses the gaps in OOTB SharePoint identified by Forrester Research:
1. Identity and Access Control
2. Document Confidentiality (at rest and in motion)
3. Integrity (at rest and in motion)
Lessons learned (on MS products)
• SharePoint 2007 (MOSS) is an excellent foundation for collaborative capability
> Excellent feature set, scalability, reliability
> A&D organizations look very positively at PDM products that build on top of MOSS (e.g. Siemens Teamcenter Community)
> Needed to make changes to make it multi-tenant / multi-enterprise
• We needed to enhance MOSS to meet defense business security requirements
> Strengthen OOTB security
> Desktop integration not fully integrated with some ADFS scenarios (web-based authentication)
> Need to introduce just-in-time provisioning (pick list, contact info)
> Roadmap includes fine-grained, claims-aware access control
> Multiple authentication protocols (ADFS and Ping as authentication front-end to MOSS)