Stephan Hendriks Eric IJpelaar - Identity access management in the cloud -


Transcript of Stephan Hendriks Eric IJpelaar - Identity access management in the cloud -

Page 1: Stephan Hendriks Eric IJpelaar - Identity  access management in the cloud -

DSM ICT. Not to be used in any other publication without the explicit approval of the presenters.


Identity & Access Management in the cloud

Stephan Hendriks, Eric IJpelaar

November 3, 2010

Actual photo of Dubai City, taken from atop the Burj Tower.

Page 2:

Agenda

• Setting the scene
  • Who are we?
  • Define the topics
  • Getting to know DSM
• The challenge
• The approach
• The solution
• Key takeaways

Page 3:

Stephan Hendriks

Page 4:

Eric IJpelaar

Page 5:

What is Cloud Computing?

• Wikipedia: you can search yourself

• ENISA report: Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computer technology
  • Highly abstracted resources
  • Near instant scalability and flexibility
  • Near instantaneous provisioning
  • Shared resources (hardware, database, memory)
  • Service on demand, usually with a "pay as you go" billing system

• Cloud Security Alliance view (diagram): service models SaaS, PaaS and IaaS, each deployed shared or dedicated, external or internal

Page 6:

What is Identity and Access Management?

• DSM definition: The business processes, policies (including enforcement of these policies) and technologies that enable organizations to provide the right people with the right access, at the right time, to applications and resources – while protecting confidential, personal and business information against unauthorized users.

Page 7:

DSM is everywhere

Page 8:

Focus on Life Sciences and Materials Sciences

Diagram: Life Sciences (Nutrition, Pharma) and Materials Sciences (Performance Materials, Polymer Intermediates), plus the EBAs, addressing four themes: Health and Wellness, Climate and Energy, Functionality and Performance, Emerging Economies.

Page 9:

DSM Mission

Page 10:

The planet is our Care™: Hidden Hunger – a global challenge

Definition:
• Enough calories to stay alive, but
• Not enough vitamins and minerals to be mentally and physically healthy

Over 2 billion people affected worldwide, claiming 10 million lives every year

Diagram: Recognition, Involvement, Partnering, Business; Nutrition Improvement Program

Page 11:

Innovation is our Sport™

DSM Composite Resins, Olympic sailing 470 class racing dinghy: stiffness +120%, strength +200%, 2.5% less weight. Silver for Berkhout and de Koning!

Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months of market introduction!

Page 12:

DSM ICT BV

Organisation and Governance: some figures

Affiliate locations: Singapore, Basel, Sittard, New York, Sao Paulo, Shanghai

DSM-ICT Organization:
• Employees: 500+
• Nationalities: 15
• Affiliate locations: 6
• World-wide centralized ICT organization
• BG ICT spending ~90% by DICT
• High level of standardization

Services:
• Sites: 230
• Countries: 48
• End-user workstations: 19,000
• SAP users: 10,000
• Business applications: ca. 1,600
• Total DSM employees: 23,000

Page 13:

Agenda

• Setting the scene
• The challenge
  • The new Strategic Vision
  • The new Process Model
  • The architecture balancing act
• The approach
• The solution
• Key takeaways

Page 14:

The new strategic vision: entering a new era of growth

Diagram: DSM in motion: driving focused growth
• High Growth Economies: from reaching out to becoming truly global
• Innovation: from building the machine to doubling the output
• Acquisitions & Partnerships: from portfolio transformation to growth
• Sustainability: from responsibility to business driver
• Life Sciences and Materials Sciences: addressing key global trends & exploiting cross-fertilization in One DSM

Business groups:
• Performance Materials: growing via innovative sustainable solutions
• Polymer Intermediates: strengthening backward integration for DEP
• Pharma: leveraging partnerships for growth
• Nutrition: continued value growth
• EBAs: building new growth platforms

Page 15:

The necessity of change

• Better information and knowledge sharing
• Improving collaboration inside and outside the enterprise (e.g. federation)
• Efficiency in our work
• Anticipating organizational change and growth (agility)
• Quick onboarding of mergers and acquisitions

• Impacting: people / behaviors, processes, information management, tools

Page 16:

The new DSM Process Model: Apollo 2.0

• Aligning the Business Process Model with the "new DSM"

Page 17:

The balancing act in platform management ...

• Speed in delivering new functionality
• Divestments / M&A
• Complex IT platform with many components
• End to end testing and documenting
• Standard versus harmonized versus local
• Impact assessment of changes
• Project dependencies
• Insight in business controls & compliance

Page 18:

Agenda

• Setting the scene
• The challenge
• The approach
  • Architecture as structure
  • Internet Centric
• The solution
• Key takeaways

Page 19:

Critical success factors require good enterprise architecture

• Many people involved, one approach
• Create buy-in with all stakeholders
• End to end
• Roadmap based incremental implementation
• Each step needs to have a business need

Architecture as structure: TOGAF

Page 20:

Top down translation of the strategy to the Business Model

• Translate the business strategy into a Business Model / Business Priorities Guide
• DSM: Information plans per Business Group as input
• Incremental delivery in 1½ - 2 years

Diagram: Business Model & Business Priorities Guide

Page 21:

IT Platform Management

• From Business Model / Business Priorities Guide to Platform Discussion Guide
• All consolidated Platform Discussion Guides are translated into an integral ICT Roadmap
• Platform development follows and supports the business priorities

Page 22:

Architecture principles as guideline

Business Strategy → IT Strategy

Design Principles:
1. Standardization
2. Simplification
3. Consolidation & Centralization
4. Evolutionary implementation
5. Independent Service Blocks
6. Minimize On Site support
7. DSM Ownership
8. Portability
9. Information Oriented
10. Data is an asset

Visionary Principles:
• Internet Centric
• Cloud Computing/Utilization
• Consumerization
• Agility

Page 23:

Explanation of the visionary principles

• Internet Centric: using Internet technology to connect end-nodes and striving for zero-footprint end-user devices.

• Cloud Computing/Utilization: on demand services that can be charged based on usage.

• Consumerization: consuming services with any tool, any product or any device that is common in the ICT consumer market.

• Agility: dynamic services that can be easily and quickly added, changed, or removed.

Page 24:

The core principle 'Internet Centric' visualized

Diagram: end-nodes (non-trusted computer, trusted PDA, trusted smartphone, trusted desktop, trusted laptop) connected to the DSM Data Center and to a SaaS provider; connectivity based on Internet technology.

Page 25:

Taking into account security risks & legal requirements

• Moving to the consumer market means:
  • Brands & intellectual property protection becomes more important
  • Reputation damage has a bigger influence on shares and sales
  • FDA and other regulations become more important

• Changing the use of ICT means ensuring the level of trust:
  • Person/identity: be sure that the user is the person he/she claims to be
    • Multi-factor authentication: e.g. a digital certificate on a token or derived from an authentication action (e.g. iris scan)
  • Device/end-node: be sure that the connected device is OK
    • Certificate for DSM end-user devices
    • Certificates for end-nodes/servers
  • Application: be sure that the application is the approved one for DSM
    • Check that it is a trusted DSM application with correct certificate licenses
  • Data: be sure you can trust the (integrity of) data
    • Data Access Control
    • Encryption
    • Enterprise Rights Management

Page 26:

Agenda

• Setting the scene
• The challenge
• The approach
• The solution
  • Integrated Roadmap
  • Identity & Access Management
  • Example: SharePoint 2010
• Key takeaways

Page 27:

Integrated Roadmap (key projects)

Roadmap diagram, from today towards the new generation ICT: Next Generation Network, Identity & Access Management, Enterprise Search, New Workplace, Business Process Management, SharePoint 2010, EDM, Data Protection, Site Server Redesign, HR System of Record, IRM/DRM, Master Data Management.

Page 28:

Identity and Access Management in the Cloud

Important element in an integrated roadmap towards a new generation ICT

Next to a culture change / new WOW program

Page 29:

Objectives for IAM Solution

Objectives, each with the current situation (From) and the target situation (To):

Objective: Support Internet Centric vision and SaaS computing.
From: Different credential management and authentication methods for different applications, and no secure authentication data transfer over the internet to get access to SaaS applications.
To: Common security / regulatory compliant processes and tools that support secure uniform data transfer for authentication over the internet.

Objective: Comply with security and regulatory requirements.
From: Different credential management and authentication methods for different applications. Lack of visibility and control over access policies and use.
To: Common security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed policy based access controls.

Objective: Reduce development and operational costs.
From: Application specific implementations for identity and account management and access control. Multiple components requiring complex (custom) integration.
To: A single platform for common functionality (e.g. web access management). Integrated IAM platform based on out of the box tooling.

Objective: Ease of use / simplicity for all users (internal and external) who interact with DSM.
From: Network based access controls. Multiple user ids/passwords for different applications. No service based concepts (SOA / BPM).
To: Identity based access any time, anywhere to applications and services in the DSM network or internet domain. Single sign on based on common credentials, for internal and external users. Federated access/SSO to SaaS solutions.

Objective: Integrated IAM process and tools (efficient and effective response to new/changed users).
From: Fragmented identity management systems with separation of internal / external. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination.
To: Integration of internal and external identities in one process. Automated process for user provisioning / de-provisioning to main business applications.

Page 30:

Identity & Access Management – a simplified picture

Diagram, numbered stages:
1. Tactical Identity & Access Model Management: access modeling (user vs. role, roles vs. rights)
2a. Operational User Management: request form, new user 'form', approval process
2b. Provisioning: user vs. rights, pushed to the target systems
3a. Use: users / admins authenticate, are authorized and 'use' credentials (e.g. username / password) on the target systems
4. DSM employee management: HR systems (new staff, retirement, resignation, transfer) feed the Identity & Access Store; check if identities are in sync

What are the drivers for the business to quickly remove leavers and add joiners!

Who is responsible for which data field!
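The "check if identities are in sync" step (stage 4) and the roles-vs-rights model (stage 1) of this picture, as an added Python example that is not DSM's code: it reconciles a constructed HR feed against a constructed identity store and reports joiners to provision, leavers whose accounts are still enabled, and transfers whose provisioned role no longer matches HR.

```python
# Added example (not DSM's code): the "check if identities are in sync" step of
# the simplified IAM picture. HR is the system of record; all data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                     # "active" or "left"
    role: str                       # business role owned by HR
    left_on: Optional[date] = None  # known when status == "left"

@dataclass(frozen=True)
class Identity:
    employee_id: str
    account: str
    enabled: bool
    role: str                       # role actually provisioned
ROLE_RIGHTS = {  # tactical access model (stage 1): role -> rights on targets
    "finance-analyst": {"sap:FI_display", "sharepoint:finance-team"},
    "lab-scientist": {"sharepoint:rd-team", "edm:read"},
}

def reconcile(hr, store, as_of):
    """Joiners to provision, leavers still enabled (with days since leaving,
    None if HR has no date or no record at all) and provisioned-role drift."""
    hr_by_id = {r.employee_id: r for r in hr}
    store_by_id = {i.employee_id: i for i in store}
    out = {"joiners": [], "stale_leavers": [], "role_drift": []}
    for emp, rec in hr_by_id.items():
        ident = store_by_id.get(emp)
        if ident is None:
            if rec.status == "active":
                out["joiners"].append(emp)
        elif rec.status == "left" and ident.enabled:
            lag = (as_of - rec.left_on).days if rec.left_on else None
            out["stale_leavers"].append((emp, ident.account, lag))
        elif ident.enabled and ident.role != rec.role:
            out["role_drift"].append((emp, ident.role, rec.role))
    # Enabled accounts with no HR owner are orphans: treat them as leavers
    for emp, ident in store_by_id.items():
        if emp not in hr_by_id and ident.enabled:
            out["stale_leavers"].append((emp, ident.account, None))
    return out

def rights_delta(old_role, new_role):
    """Rights to revoke and to grant when a transfer changes the role."""
    old, new = ROLE_RIGHTS.get(old_role, set()), ROLE_RIGHTS.get(new_role, set())
    return old - new, new - old

AS_OF = date(2010, 11, 3)  # constructed sample input, as of the presentation date
HR_FEED = [
    HrRecord("E001", "active", "finance-analyst"),
    HrRecord("E002", "left", "lab-scientist", date(2010, 10, 15)),
    HrRecord("E003", "active", "lab-scientist"),   # joiner
    HrRecord("E004", "active", "lab-scientist"),   # transferred from finance
]
IDENTITY_STORE = [
    Identity("E001", "acct1", True, "finance-analyst"),
    Identity("E002", "acct2", True, "lab-scientist"),      # leaver, enabled
    Identity("E004", "acct4", True, "finance-analyst"),    # old role
    Identity("E999", "svc-old", True, "finance-analyst"),  # unknown to HR
]
```

Running `reconcile(HR_FEED, IDENTITY_STORE, AS_OF)` flags E003 as a joiner, E002 (19 days after leaving) and the ownerless E999 as stale leavers, and E004 as role drift; `rights_delta` then lists the finance rights to revoke and the lab rights to grant for that transfer.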

Page 31:

Requirements for the authentication process

• It should be as independent as possible of the authentication mechanism you are using (smart card, token, mobile phone) but should support strong/multifactor authentication (having something and knowing something)

• Could support physical access and logical access in one authentication mechanism / card / token

• External users whom we want to identify personally (not only trusting the company, so that everybody of the company can access) should be possible

• When working externally or internally, the authentication process and the screen the DSM user will see should be the same

• Business partners' employees, contractors, and DSM employees should authenticate in the same way

• The solution should be as general as possible, but DSM should strive to limit the number of authentication process protocols

Page 32:

End Goal for Authentication & Single Sign On

• A single experience for employees and business partners in accessing in-house applications and outsourced functions

• One mainstream identity that is recognized by every application

Diagram: Enterprise A, Enterprise B and Enterprise C linked through user interaction, web based interaction and web service invocation

Page 33:

Moving towards an Open Enterprise

Diagram: Web SSO / WAM (E-business, SAP, EDM); Enterprise SSO; Cloud SSO (SaaS applications); Claims Authentication (OpenID: Google (STS); LiveID: Windows (STS))

Protocol stack:

1. SAML

2. WS-Federation

3. RADIUS

4. Kerberos (internal)

Page 34:

Access and Authentication – a simplified picture

Diagram: access and authentication plotted over time

Page 35:

Example - SharePoint 2010

Table (columns: user type / directory service, device, location, authentication, applications):
• DSM employee or 3rd party hired by DSM (DSM Directory): DSM workstation, internal / VPN, SSO; or any device, Internet, user name / password. Applications: Intranet, Team Sites, My Site
• 3rd party not hired by DSM (Extranet Directory): any device, Internet, user name / password. Applications: Team Sites, Presentation
• All authorized applications

Timeline:
• Gradual addition of devices
• Gradual addition of (cloud) services
• Roll out of SSO / Federation / (Strong) Authentication
• Roll out of Identity Management and Data Protection

Page 36:

Agenda

• Setting the scene
• The challenge
• The approach
• The solution
• Key takeaways

Page 37:

Key takeaways

• Delivery of the Business Strategy through good enterprise architecture

• Internet Centric as a core principle towards collaboration and innovation

• Security requirements/measures that are currently in use conflict with, or are unclear for, internet centric collaboration and innovation, and need to be updated

• It is a continuous evolutionary process

• I&AM is an essential part

• You need to change the culture (new WOW) as well
