stefan hendriks - erik ijpelaar infosecurity - identity access management in the cloud
Identity & Access Management in the cloud
Stephan Hendriks, Eric IJpelaar
March 23, 2011
Infosecurity Brussels 2011
Classification: Only to be used in other publications after explicit approval of the authors
Actual photo of Dubai City, taken from atop the Burj Tower.
Agenda
• Setting the scene
– Who are we?
– Define the topics
– Getting to know DSM
• The challenge
• The approach
• The solution
• Key takeaways
Stephan Hendriks
Eric IJpelaar
What is Cloud Computing?
• Wikipedia
You can search yourself
• ENISA report
Cloud computing is an on-demand service model for IT provision, often based on
virtualization and distributed computer technology
– Highly abstracted resources
– Near instant scalability and flexibility
– Near instantaneous provisioning
– Shared resources (hardware, database, memory)
– Service on demand, usually with a “pay as you go” billing system
• Cloud Security Alliance view: deployment as Internal vs. External and Dedicated vs. Shared, across the service models SAAS, PAAS and IAAS
Building blocks of Identity & Access Management
What is Identity and Access Management?
• One integrated identity base.
• Automated user management
– Provision users to target systems based on available authoritative
sources and administration processes.
• Automated entitlement or authorization management
– Managing access based on user characteristics: e.g. function,
location, context, etc.
– Active monitoring of SoD violations
• User self service
– Request and approval for access to resources
– Account password reset / forgotten password
– Update profile information in case no authoritative source exists
• (Web) Single Sign-on, Policy enforcement (WAM) and Strong
authentication
– On and off premise... (i.e. federated apps, cloud apps, (legacy) web
apps, anytime, anyplace, any device)
– Providing access based on user and context characteristics
Identity Management Project
Access Management Project
DSM is everywhere
Focus on Life Sciences and Materials Sciences
• Global trends addressed: Health and Wellness; Climate and Energy; Functionality and Performance; Emerging Economies
• Life Sciences: Nutrition, Pharma
• Materials Sciences: Performance Materials, Polymer Intermediates
• EBAs
DSM Mission
Planet Profit People
The planet is our Care™
Hidden Hunger – a global challenge
Definition:
• Enough calories to stay alive, but
• Not enough vitamins and minerals to be
mentally and physically healthy
Over 2 billion people affected worldwide, claiming 10 million lives every year
Nutrition Improvement Program: Recognition, Involvement, Partnering, Business
Innovation is our Sport™
• DSM Composite Resins, Olympic sailing 470 class racing dinghy: stiffness +120%, strength +200%, 2.5% less weight. Silver for Berkhout and de Koning!
• Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months of market introduction!
DSM ICT BV
Organisation and Governance – some figures…
• DSM-ICT Organization: Employees 500+; Nationalities 15; Affiliate locations 6 (Basel, Sittard, New York, Shanghai, Singapore, Sao Paulo)
• Services: Sites 230; Countries 48; End-user workstations 19.000; SAP users 10.000; Business applications ca. 1600; Total DSM employees 23000
• World-wide: Centralized ICT organization; BG ICT spending ~90% by DICT; High level of Standardization
Agenda
• Setting the scene
• The challenge
– The new Strategic Vision
– The new Process Model
• The approach
• The solution
• Key takeaways
The new strategic vision: entering a new era of growth
• High Growth Economies: from reaching out to becoming truly global
• Innovation: from building the machine to doubling the output
• Acquisitions & Partnerships: from portfolio transformation to growth
• Sustainability: from responsibility to business driver
DSM in motion: driving focused growth
• Perf Mat growing via innovative sustainable solutions
• Pol Int strengthening backward integration for DEP
• Pharma leveraging partnerships for growth
• Nutrition continued value growth
• EBAs building new growth platforms
Life Sciences and Materials Sciences addressing key global trends & exploiting cross fertilization in One DSM
The necessity of change
• Better information and knowledge sharing
• Improving collaboration inside and outside the enterprise (e.g.
federation)
• Efficiency in our work
• Anticipate organizational change and growth (agility)
• Quick onboarding of mergers and acquisitions
• Impacting … People / Behaviors, Processes, Information Management, Tools
The new DSM Process Model: Apollo 2.0
• Aligning the Business Process Model with the “new DSM”
Agenda
• Setting the scene:
• The challenge
• The approach
– Architecture as structure
– Architectural Principles
• The solution
• Key takeaways
Critical success factors require good enterprise architecture
• Many people involved, 1 approach
• Create buy-in with all stakeholders
• End to end
• Roadmap based incremental implementation
• Each step needs to have a business need
TOGAF
Architecture as structure
Architecture principles as guideline
Business Strategy (High Growth Economies, Innovation, Acquisitions & Partnerships, Sustainability) and IT Strategy lead to Visionary Principles and Design Principles
Design Principles
1. Standardization
2. Simplification
3. Share Unless
4. Evolutionary Implementation
5. Independent Service Blocks
6. Minimize On Site support
7. IT Responsibility
8. Transferable Services
9. Information Oriented
10. Data is an Asset
Visionary Principles
• Internet Centric
• On Demand
• Consumerization
• Design for Agility
Explanation of the visionary principles
• Internet Centric: using Internet technology to connect end-nodes and striving for zero DSM-foot-printed end-user devices.
• On Demand: services that can be charged based on usage.
• Consumerization: consuming services with any tool, any product or any device which is common in the ICT consumer market.
• Design for Agility: dynamic services that can be easily and quickly added, changed, or removed.
The core principle ‘Internet Centric’ visualized
• Zero DSM-foot-printed end-user devices: DSM-controlled Desktop, Laptop, PDA and SmartPhone alongside non-DSM-controlled Computer and SmartPhone
• Connectivity based on Internet technology
• DSM Data Center(s), Internet–resistance, SaaS Provider
Leads to: taking into account security risks & legal requirements
• Moving to the consumer market means:
– Brands & Intellectual property protection becomes more important
– Reputation damage has bigger influence on shares and sales
– FDA and other regulations become more important
• Changing the use of ICT means ensuring the level of trust:
– Person/identity: be sure that the user is the person he/she claims to be
• Multi-factor authentication: e.g. digital certificate on a token or derived from an authentication action (e.g. iris scan)
– Device/end-node: be sure that the device connected is OK
• Certificate for DSM end-user devices
• Certificates for end-nodes/servers
– Application: be sure that the application is the approved one for DSM
• Check it is a trusted DSM application with correct certificate licenses
– Data: be sure you can trust the (integrity of) data
• Data Access Control
• Encryption
• Data Loss Prevention
• Enterprise Rights Management
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
– Integrated Roadmap
– Identity & Access Management
– Example: Sharepoint 2010
• Key takeaways
Integrated Roadmap (key projects)
From today towards New generation ICT: Enterprise Search; Business Process Management; SharePoint 2010; EDM; DLP/DRM; Master Data Management; ISM Self user Portal; Next Generation Network; Identity & Access Management; New Workplace; Data encryption; Site Server Redesign; HR System of Record; Folder access Mgt
Objectives for IAM Solution

| Objectives | From | To |
|---|---|---|
| Support Internet Centric Vision and SAAS computing. | Different credential management and authentication methods for different applications and no secure authentication data transfer over the internet to get access to SAAS applications. | Common security / regulatory compliant processes and tools that support secure uniform data transfer for authentication over the internet. |
| Integrated IAM process and tools (efficient and effective response to new/changed users). | Fragmented identity management systems with separation of internal / external. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination. | Integration of internal and external identities in one process. Automated process for user provisioning / de-provisioning to main business applications. |
| Ease of use / simplicity for all users (internal and external) who interact with DSM. | Network based access controls. Multiple user id/passwords for different applications. No service based concepts (SOA / BPM). | Identity based access any time anywhere to applications and services in the DSM network or internet domain. Single sign on based on common credentials, for internal and external users. Federated access/SSO to SAAS solutions. |
| Reduce development and operational costs. | Application specific implementations for identity and account management, access control. Multiple components requiring complex (custom) integration. | A single platform for common functionality (e.g. web access management). Integrated IAM platform based on out of the box tooling. |
| Comply with security and regulatory requirements. | Different credential management and authentication methods for different applications. Lack of visibility and control over access policies and use. | Common security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed policy based access controls. |
IAM Program – Key relations to other initiatives
• Aurora AD, Email4All
• System(s) of record: Global Employee Data Management. Who should add? HR is monthly / ICT provisions next day
• IM Project, AM Project, Apollo (ERP, ECM, Collaboration Journey, BPM)
• User Self-service Portal: IAM in relation to Service Management; integrated reporting?
Identity & Access Management – a simplified picture
1. Tactical Identity & Access Model Management: Access Modeling, Roles vs. Rights
2a. Operational User Management: New user ‘Form’, Request Form, Approval process, Users / Admins, User vs. Role, User vs. rights
2b. Provisioning to the Target Systems from the Identity & Access Store
3a. Use: Authentication, Authorization & ‘use’ with Credentials (e.g. Username / Password) against the Target Systems
4. DSM employee Management: HR Systems (New staff, Retirement, Resignation, Transfer); check if identities are in sync
Who is responsible for which data field!
What are the drivers for the business to quickly remove leavers and add joiners!
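The sync check and the joiner/leaver question in this picture, as an added example that is not DSM's own tooling: a reconciliation of an HR system of record against an identity & access store that reports joiners, leavers (including orphan accounts), movers and SoD violations. The records, department and role names and the SoD rule set are constructed.

```python
# Added example (not DSM's code): reconcile an HR system of record against an
# identity & access store to find joiners, leavers, movers and SoD violations.
# Records, department names, role names and the SoD rule set are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed SoD rule set: role pairs one identity may never hold together.
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"raise_po", "approve_po"}),
]


@dataclass(frozen=True)
class HrRecord:
    """One row from the authoritative HR source (system of record)."""
    employee_id: str
    department: str
    end_date: Optional[date]  # None while employment is active


@dataclass
class Identity:
    """One identity in the identity & access store with its assigned roles."""
    employee_id: str
    department: str
    enabled: bool
    roles: Set[str] = field(default_factory=set)


def reconcile(hr: List[HrRecord], store: List[Identity], today: date) -> Dict[str, List[str]]:
    """Compare HR (authoritative) with the store; return the actions the
    provisioning step must carry out, grouped by type and sorted."""
    hr_by_id = {r.employee_id: r for r in hr}
    store_by_id = {i.employee_id: i for i in store}
    actions: Dict[str, List[str]] = {"joiner": [], "leaver": [], "mover": [], "sod_violation": []}
    for emp_id, rec in hr_by_id.items():
        active = rec.end_date is None or rec.end_date > today
        ident = store_by_id.get(emp_id)
        if active and ident is None:
            actions["joiner"].append(emp_id)        # in HR, no identity yet
        elif not active and ident is not None and ident.enabled:
            actions["leaver"].append(emp_id)        # HR says gone, access still enabled
        elif active and ident is not None and ident.department != rec.department:
            actions["mover"].append(emp_id)         # transfer: roles need re-evaluation
    # Orphan accounts: enabled in the store but unknown to HR are leavers as well.
    for emp_id, ident in store_by_id.items():
        if emp_id not in hr_by_id and ident.enabled:
            actions["leaver"].append(emp_id)
    # SoD monitoring: flag any conflicting role pair held in full by one identity.
    for ident in store:
        for pair in SOD_CONFLICTS:
            if pair <= ident.roles:
                actions["sod_violation"].append(f"{ident.employee_id}:{'+'.join(sorted(pair))}")
    return {k: sorted(v) for k, v in actions.items()}


# Constructed sample data; TODAY is fixed so the output is reproducible.
TODAY = date(2011, 3, 23)
HR_RECORDS = [
    HrRecord("E1", "Finance", None),
    HrRecord("E2", "Pharma", date(2011, 3, 1)),  # resigned, end date has passed
    HrRecord("E3", "Pharma", None),              # transferred from Nutrition
    HrRecord("E4", "Nutrition", None),           # new staff, not provisioned yet
]
IDENTITY_STORE = [
    Identity("E1", "Finance", True, {"create_vendor", "approve_payment", "view_reports"}),
    Identity("E2", "Pharma", True, {"view_reports"}),
    Identity("E3", "Nutrition", True, {"raise_po"}),
    Identity("E5", "Materials", True, set()),    # orphan account: no HR record
]

if __name__ == "__main__":
    for action, ids in reconcile(HR_RECORDS, IDENTITY_STORE, TODAY).items():
        print(f"{action:14s} {ids}")
```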
Requirements for the authentication process
• It should be as independent as possible of the authentication mechanism used (smart card, token, mobile phone) but should support strong/multi-factor authentication (having something and knowing something)
• Could support physical access and logical access in one authentication mechanism / card / token
• External users whom we want to identify personally (not only trusting the company, so that everybody of the company can access) should be possible
• When working externally or internally, the authentication process and the screen the DSM user sees should be the same
• Business partners' employees, contractors, and DSM employees should authenticate in the same way
• The solution should be as general as possible, but DSM should strive to limit the number of authentication protocols
Moving towards an Open Enterprise
Protocol Stack (added over time):
1. SAML
2. WS-Federation
3. RADIUS
4. Kerberos (internal)
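SAML is the first protocol on this stack and carries the federated SSO to SaaS the roadmap aims for; as an added example (not DSM's code), these are the checks a service provider must run on a received assertion before trusting it: issuer, validity window with clock skew, audience restriction, recipient, and replay of the assertion ID. The assertion, entity IDs and URLs are constructed, and XML signature verification is assumed to have been done beforehand with an XML-DSig library.

```python
# Added example (not DSM's code): checks a SAML 2.0 service provider runs on an
# assertion before accepting it for federated SSO. Assertion, entity IDs and URLs
# are constructed. XML signature verification is assumed done beforehand with an
# XML-DSig library; parse untrusted XML with defusedxml in production.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Set

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDP = "https://idp.example.test/saml"          # constructed IdP entityID
SP_ENTITY_ID = "https://sharepoint.example.test/sp"    # constructed SP entityID
SP_ACS_URL = "https://sharepoint.example.test/acs"     # constructed ACS endpoint
CLOCK_SKEW = timedelta(minutes=2)                      # tolerated IdP/SP clock drift

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2011-03-23T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sharepoint.example.test/acs"
          NotOnOrAfter="2011-03-23T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-03-23T09:59:00Z" NotOnOrAfter="2011-03-23T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sharepoint.example.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC xs:dateTime form ('...Z') that SAML timestamps use."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, seen_ids: Set[str]) -> List[str]:
    """Return the reasons to reject the assertion (empty list = accept).
    seen_ids is the SP's replay cache of assertion IDs already consumed."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        problems.append("issuer is not the trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before) - CLOCK_SKEW:
            problems.append("assertion not yet valid")
        if not not_on_or_after or now >= _ts(not_on_or_after) + CLOCK_SKEW:
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("audience restriction does not name this SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("subject confirmation recipient is not our ACS URL")
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        problems.append("assertion ID already consumed (replay)")
    elif not problems and assertion_id:
        seen_ids.add(assertion_id)  # remember only assertions that were accepted
    return problems


if __name__ == "__main__":
    cache: Set[str] = set()
    now = _ts("2011-03-23T10:01:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, now, cache))  # [] -> accept
    print(validate_assertion(SAMPLE_ASSERTION, now, cache))  # replay detected
```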
Example - SharePoint 2010

| | DSM employee or 3rd party hired by DSM | DSM employee or 3rd party hired by DSM | 3rd party not hired by DSM |
|---|---|---|---|
| Directory Service | DSM Directory | DSM Directory | Extranet Directory |
| Device | DSM Workstation | Any Device | Any Device |
| Location | Internal / VPN | Internet | Internet |
| Authentication | SSO | User name / Password | User name / Password |
| Applications | Intranet, Team Sites, My Site | Team Sites | Presentation |

All authorized applications
• Gradual addition of devices
• Gradual addition of (cloud) services
• Roll out of SSO / Federation / (Strong) Authentication
• Roll out of Identity Management and Data Protection
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
• Key takeaways
Key takeaways
DSM
Questions