
Page 1: stefan hendriks - erik ijpelaar infosecurity - identity  access management in the cloud

Identity & Access Management in the cloud

Stephan Hendriks, Eric IJpelaar

March 23, 2011

Infosecurity Brussels 2011

Classification: Only to be used in other publications after explicit approval of the authors

Actual photo of Dubai City, taken from atop the Burj Tower.

Page 2

Agenda

• Setting the scene

– Who are we?

– Define the topics

– Getting to know DSM

• The challenge

• The approach

• The solution


• Key takeaways

Page 3

Stephan Hendriks


Page 4

Eric IJpelaar


Page 5

What is Cloud Computing?

• Wikipedia

You can search yourself

• ENISA report

Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computer technology

– Highly abstracted resources

– Near instant scalability and flexibility

– Near instantaneous provisioning

– Shared resources (hardware, database, memory)

– Service on demand, usually with a "pay as you go" billing system

• Cloud Security Alliance view (diagram): deployment as Internal or External and Dedicated or Shared, for each of the service models SAAS, PAAS and IAAS

Page 6

Building blocks of Identity & Access Management


Page 7

What is Identity and Access Management?

• One integrated identity base.

• Automated user management

– Provision users to target systems based on available authoritative sources and administration processes.

• Automated entitlement or authorization management

– Managing access based on user characteristics: e.g. function, location, context, etc.

– Active monitoring of SoD violations

• User self service

– Request and approval for access to resources

– Account password reset / forgotten password

– Update profile information in case no authoritative source exists

(The items above are grouped on the slide as the Identity Management Project.)

• (Web) Single Sign-on, Policy enforcement (WAM) and Strong authentication

– On and off premise... (i.e. federated apps, cloud apps, (legacy) web apps, anytime, anyplace, any device)

– Providing access based on user and context characteristics

(The item above is grouped on the slide as the Access Management Project.)

Page 8

DSM is everywhere


Page 9

Focus on Life Sciences and Materials Sciences

Themes: Health and Wellness; Climate and Energy; Functionality and Performance; Emerging Economies

Life Sciences: Nutrition, Pharma

Materials Sciences: Performance Materials, Polymer Intermediates

EBAs

Page 10

DSM Mission

Planet Profit People


Page 11

The planet is our Care™

Hidden Hunger – a global challenge

Definition:

• Enough calories to stay alive, but

• Not enough vitamins and minerals to be mentally and physically healthy

Over 2 billion people affected worldwide, claiming 10 million lives every year

Diagram: Recognition, Involvement, Partnering, Business; Nutrition Improvement Program

Page 12

Innovation is our Sport™

DSM Composite Resins, Olympic sailing 470 class racing dinghy: Stiffness +120%, Strength +200%, 2,5% less weight. Silver for Berkhout and de Koning!

Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months of market introduction!

Page 13

DSM ICT BV

Organisation and Governance: some figures...

DSM-ICT Organization

Locations: Basel, Sittard, New York, Shanghai, Singapore, Sao Paulo

Employees 500+

Nationalities 15

Affiliate locations 6

Services

Sites 230

Countries 48

End-user workstations 19.000

SAP users 10.000

Business applications ca. 1600

Total DSM employees 23000

World-wide

Centralized ICT organization

BG ICT spending ~90% by DICT

High level of Standardization

Page 14

Agenda

• Setting the scene

• The challenge

– The new Strategic Vision

– The new Process Model

• The approach

• The solution

• Key takeaways


Page 15

The new strategic vision: entering a new era of growth

High Growth Economies: from reaching out to becoming truly global

Innovation: from building the machine to doubling the output

Acquisitions & Partnerships: from portfolio transformation to growth

Sustainability: from responsibility to business driver

DSM in motion: driving focused growth

Perf Mat: growing via innovative sustainable solutions

Pol Int: strengthening backward integration for DEP

Pharma: leveraging partnerships for growth

Nutrition: continued value growth

EBAs: building new growth platforms

Life Sciences and Materials Sciences addressing key global trends & exploiting cross fertilization in One DSM

Page 16

The necessity of change

• Better information and knowledge sharing

• Improving collaboration inside and outside the enterprise (e.g. federation)

• Efficiency in our work

• Anticipate organizational change and growth (agility)

• Quick onboarding of mergers and acquisitions

• Impacting ...

People / Behaviors

Processes

Information Management

Tools

Page 17

The new DSM Process Model: Apollo 2.0

• Aligning the Business Process Model with the “new DSM”


Page 18

Agenda

• Setting the scene

• The challenge

• The approach

– Architecture as structure

– Architectural Principles

• The solution

• Key takeaways


Page 19

Critical success factors require good enterprise architecture

• Many people involved, 1 approach

• Create buy-in with all stakeholders

• End to end

• Roadmap based incremental implementation

• Each step needs to have a business need

Architecture as structure: TOGAF

Page 20

Architecture principles as guideline

Diagram: Business Strategy (High Growth Economies, Innovation, Acquisitions & Partnerships, Sustainability) and IT Strategy, leading to Visionary Principles and Design Principles

Design Principles

1. Standardization

2. Simplification

3. Share Unless

4. Evolutionary Implementation

5. Independent Service Blocks

6. Minimize On Site support

7. IT Responsibility

8. Transferable Services

9. Information Oriented

10. Data is an Asset

Visionary Principles

• Internet Centric

• On Demand

• Consumerization

• Design for Agility

Page 21

Explanation visionary principles

• Using Internet technology to connect end-nodes and strive to zero DSM-foot-printed end-user devices.

• On demand services that can be charged based on the usage.

• Consuming services with any tool, any product or any device which is common in the ICT consumer market.

• Dynamic services that can be easily and fast added, changed, or removed.

Page 22

The core principle ‘Internet Centric’ visualized

Zero DSM-foot-printed end-user devices (diagram): Non-DSM-controlled Computer, DSM-controlled PDA, DSM-controlled SmartPhone, DSM-controlled Desktop, DSM-controlled Laptop, Non-DSM-controlled SmartPhone

Connectivity based on Internet technology, linking the end-user devices to the DSM Data Center(s) (labelled "Internet-resistance") and to the SaaS Provider

Page 23

Taking into account security risks & legal requirements

• Moving to the consumer market means:

– Brands & Intellectual property protection becomes more important

– Reputation damage has bigger influence on shares and sales

– FDA and other regulations become more important

Leads to

• Changing the use of ICT, which means ensuring the level of trust:

– Person/identity: be sure that the user is the person he/she claims

• Multi factor authentication: e.g. digital certificate on a token or derived from an authentication action (e.g. iris scan)

– Device/end-node: be sure that the device connected is OK

• Certificate for DSM end-user devices

• Certificates for end-nodes/servers

– Application: be sure that the application is the approved one for DSM

• Check it is a trusted DSM application with correct certificate licenses

– Data: be sure you can trust the (integrity of) data

• Data Access Control

• Encryption

• Data Loss Prevention

• Enterprise Rights Management

Page 24

Agenda

• Setting the scene

• The challenge

• The approach

• The solution

– Integrated Roadmap

– Identity & Access Management

– Example: Sharepoint 2010


• Key takeaways

Page 25

Integrated Roadmap (key projects)

Roadmap diagram (from today onward), key projects:

New generation ICT

Enterprise Search

Business Process Management

SharePoint 2010

EDM

DLP/DRM

Master Data Management

ISM Self user Portal

Next Generation Network

Identity & Access Management

New Workplace

Data encryption

Site Server Redesign

HR System of Record

Folder access Mgt

Page 26

Objectives for IAM Solution

(Table: Objectives, From, To)

Objective: Support Internet Centric Vision and SAAS computing.

From: Different credential management and authentication methods for different applications, and no secure authentication data transfer over the internet to get access to SAAS applications.

To: Common security / regulatory compliant processes and tools that support secure uniform data transfer for authentication over the internet.

Objective: Integrated IAM process and tools (efficient and effective response to new/changed users).

From: Fragmented identity management systems with separation of internal / external. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination.

To: Integration of internal and external identities in one process. Automated process for user provisioning / de-provisioning to main business applications.

Objective: Ease of use / simplicity for all users (internal and external) who interact with DSM.

From: Network based access controls. Multiple user id/passwords for different applications. No service based concepts (SOA / BPM).

To: Identity based access any time anywhere to applications and services in the DSM network or internet domain. Single sign on based on common credentials, for internal and external users. Federated access/SSO to SAAS solutions.

Objective: Reduce development and operational costs.

From: Application specific implementations for identity and account management, access control. Multiple components requiring complex (custom) integration.

To: A single platform for common functionality (e.g. web access management). Integrated IAM platform based on out of the box tooling.

Objective: Comply with security and regulatory requirements.

From: Different credential management and authentication methods for different applications. Lack of visibility and control over access policies and use.

To: Common security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed policy based access controls.

Page 27

IAM Program – Key relations to other initiatives

IAM Program: IM Project, AM Project

Related initiatives: Aurora AD, Email4All, Global Employee Data Management, Apollo, ERP, ECM, Collaboration Journey, BPM, User Self-service Portal

System(s) of record: Who should add? HR is monthly / ICT provision next day

User Portal: IAM in relation to Service Management; Integrated reporting?

Page 28

Identity & Access Management – a simplified picture

1. Tactical Identity & Access Model Management: Access Modeling (Roles vs. Rights). Who is responsible for which data field!

2a. Operational User Management: New user 'Form', Request Form, Approval process (Users / Admins), User vs. Role

2b. Provisioning: User vs. rights, from the Identity & Access Store to the Target Systems

3a. Use: Authentication, Authorization & 'use' of the Target Systems with Credentials (e.g. Username / Password)

4. DSM employee Management: HR Systems (New staff, Retirement, Resignation, Transfer) feeding the Identity & Access Store; check if identities are in sync

What are the drivers for the business to quickly remove leavers and add joiners!
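The joiner / mover / leaver flow in the picture above (HR system as the authoritative source, an identity & access store, a roles-vs-rights model, provisioning to target systems, and the SoD monitoring named on the earlier "What is Identity and Access Management?" slide), as an added Python example that is not part of the presentation or of DSM's implementation. The role model, job functions, employee records, target system names and the SoD rule are all constructed for illustration.

```python
"""Joiner / mover / leaver reconciliation between an HR system of record and the
target systems, with a separation-of-duties (SoD) check. Added example: the role
model, functions, HR records and system names are all constructed."""
from dataclasses import dataclass, field

# Constructed "roles vs. rights" model: role -> (target system, entitlement) pairs
ROLE_RIGHTS = {
    "employee":        {("AD", "user"), ("Mail", "mailbox")},
    "ap-clerk":        {("ERP", "create-vendor")},
    "ap-approver":     {("ERP", "approve-payment")},
    "sharepoint-user": {("SharePoint", "team-sites")},
}
# Constructed "user vs. role" model: job function (an HR attribute) -> roles
FUNCTION_ROLES = {
    "accounts-payable": {"employee", "ap-clerk", "sharepoint-user"},
    "finance-manager":  {"employee", "ap-approver", "sharepoint-user"},
    "chemist":          {"employee", "sharepoint-user"},
    "ap-all":           {"employee", "ap-clerk", "ap-approver"},  # deliberately bundles conflicting roles
}
# Constructed SoD rule: one identity may not both create vendors and approve payments
SOD_CONFLICTS = [(("ERP", "create-vendor"), ("ERP", "approve-payment"))]


@dataclass
class HrRecord:
    employee_id: str
    function: str
    status: str  # "active" or "terminated"


@dataclass
class Identity:
    employee_id: str
    roles: set = field(default_factory=set)


def rights_for(roles):
    """Expand a set of roles into the concrete (system, entitlement) pairs they grant."""
    rights = set()
    for role in roles:
        rights |= ROLE_RIGHTS[role]
    return rights


def sod_violations(rights):
    return [pair for pair in SOD_CONFLICTS if pair[0] in rights and pair[1] in rights]


def reconcile(hr_records, identity_store):
    """Bring identity_store (employee_id -> Identity) in line with the HR records.

    Returns (actions, violations, orphans): the grant/revoke actions to push to the
    target systems, SoD violations per employee, and identities with no HR record."""
    actions, violations = [], {}
    for rec in hr_records:
        ident = identity_store.get(rec.employee_id)
        if rec.status == "terminated":                       # leaver: revoke everything
            if ident is not None:
                for system, ent in sorted(rights_for(ident.roles)):
                    actions.append(("revoke", rec.employee_id, system, ent))
                del identity_store[rec.employee_id]
            continue
        if ident is None:                                    # joiner: new identity
            ident = identity_store[rec.employee_id] = Identity(rec.employee_id)
        desired = FUNCTION_ROLES[rec.function]               # mover: roles follow the function
        old_rights, new_rights = rights_for(ident.roles), rights_for(desired)
        for system, ent in sorted(new_rights - old_rights):
            actions.append(("grant", rec.employee_id, system, ent))
        for system, ent in sorted(old_rights - new_rights):
            actions.append(("revoke", rec.employee_id, system, ent))
        ident.roles = set(desired)
        if sod_violations(new_rights):
            violations[rec.employee_id] = sod_violations(new_rights)
    # "Check if identities are in sync": identities HR does not know about are orphans
    orphans = sorted(set(identity_store) - {r.employee_id for r in hr_records})
    return actions, violations, orphans


def run_example():
    """Constructed scenario: one joiner, one mover, one leaver, one SoD case, one orphan."""
    hr = [
        HrRecord("e100", "accounts-payable", "active"),   # joiner
        HrRecord("e200", "finance-manager", "active"),    # mover: was a chemist
        HrRecord("e300", "chemist", "terminated"),        # leaver
        HrRecord("e400", "ap-all", "active"),             # joiner whose function violates SoD
    ]
    store = {
        "e200": Identity("e200", {"employee", "sharepoint-user"}),
        "e300": Identity("e300", {"employee", "sharepoint-user"}),
        "e999": Identity("e999", {"employee"}),           # orphan: no HR record
    }
    return reconcile(hr, store)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The leaver branch runs before anything else so that a termination always produces revokes regardless of what the role model says, the orphan list is the "are identities in sync" check from the picture, and the SoD check runs on the rights an identity would end up with, which is where a monitoring tool would raise the violation for review.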

Page 29

Requirements for the authentication process

• It should be as independent as possible of the authentication mechanism you are using (smart card, token, mobile phone) but should support strong/multifactor authentication (having something and knowing something)

• Could support physical access and logical access in one authentication mechanism / card / token

• It should be possible to identify external users personally (not only trust the company so that everybody of the company can access)

• When working externally or internally, the authentication process and the screen the DSM user will see should be the same

• Business partners' employees, contractors, and DSM employees should authenticate in the same way

• Solution should be as general as possible, but DSM should strive to limit the number of authentication process protocols

Page 30

Moving towards an Open Enterprise

Protocol Stack (over time):

1. SAML

2. WS-Federation

3. Radius

4. Kerberos (internal)
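An added example, not from the presentation, of the checks a service provider performs on a SAML 2.0 assertion before trusting it (SAML being the first protocol in the stack above): issuer, audience, validity window, bearer subject confirmation and the authentication context class, which is where a relying party can insist on the strong authentication the earlier requirements ask for. The assertion, hostnames, request ID, SP configuration and timestamps are constructed; verification of the XML signature is assumed to have happened before these checks and is not implemented here.

```python
"""Relying-party (service provider) checks on a SAML 2.0 bearer assertion:
issuer, audience, validity window, subject confirmation and authentication
context. Added example with a constructed assertion; it deliberately does NOT
verify the XML signature, which a real SP must do first with an XML-DSig
library (and it should parse untrusted XML with a hardened parser such as defusedxml)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed assertion: hostnames, IDs and times are illustrative, not from any real IdP
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2011-03-23T10:00:00Z">
  <saml:Issuer>https://idp.example-dsm.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example-dsm.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example-saas.test/acs"
          InResponseTo="_req42" NotOnOrAfter="2011-03-23T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-03-23T09:59:00Z" NotOnOrAfter="2011-03-23T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example-saas.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-03-23T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed SP configuration that the sample assertion is expected to satisfy
SP_CONFIG = dict(
    expected_issuer="https://idp.example-dsm.test/saml",
    expected_audience="https://sp.example-saas.test",
    acs_url="https://sp.example-saas.test/acs",
    request_id="_req42",
    accepted_authn_contexts={
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    },
)
T_OK = datetime(2011, 3, 23, 10, 1, tzinfo=timezone.utc)    # inside the validity window
T_LATE = datetime(2011, 3, 23, 10, 30, tzinfo=timezone.utc)  # well after NotOnOrAfter


def _ts(value):
    """Parse a SAML UTC timestamp such as 2011-03-23T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, expected_audience, acs_url, request_id,
                       accepted_authn_contexts, now, skew=timedelta(minutes=2)):
    """Return the list of failed checks; an empty list means every check passed.
    Signature verification is assumed to have happened before this is called."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion element"]
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("issuer %r is not the trusted IdP" % issuer)
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
        if expected_audience not in audiences:
            problems.append("audience %r does not name this SP" % audiences)
    # A bearer confirmation must be addressed to our ACS URL, answer our request and be unexpired
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", namespaces=NS):
        data = sc.find("saml:SubjectConfirmationData", namespaces=NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        fresh = not data.get("NotOnOrAfter") or now - skew < _ts(data.get("NotOnOrAfter"))
        if data.get("Recipient") == acs_url and data.get("InResponseTo") == request_id and fresh:
            confirmed = True
    if not confirmed:
        problems.append("no bearer SubjectConfirmation for this ACS URL and request")
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx not in accepted_authn_contexts:
        problems.append("authentication context %r not accepted" % ctx)
    return problems


def check_sample(now=T_OK, **overrides):
    """Validate the constructed assertion against SP_CONFIG, with optional overrides."""
    return validate_assertion(SAMPLE_ASSERTION, now=now, **{**SP_CONFIG, **overrides})
```

The function collects every failure rather than stopping at the first, which is what you want in a log line when debugging a federation: an assertion that is both expired and addressed to another SP tells a different story than one that only failed the clock check. The `accepted_authn_contexts` set is how the SP expresses "strong authentication when needed" per application without caring which mechanism the IdP used.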

Page 31

Example - SharePoint 2010

User Type / Directory Service | DSM employee or 3rd party hired by DSM (DSM Directory) | DSM employee or 3rd party hired by DSM (DSM Directory) | 3rd party not hired by DSM (Extranet Directory)

Device | DSM Workstation | Any Device | Any Device

Location | Internal / VPN | Internet | Internet

Authentication | SSO | User name / Password | User name / Password

Presentation | Intranet, Team Sites, My Site | Team Sites | All authorized applications

Roadmap annotations on the slide: Gradual addition of devices; Gradual addition of (cloud) services; Roll out of SSO / Federation / (Strong) Authentication; Roll out of Identity Management and Data Protection
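The SharePoint 2010 matrix above, written as a context-based access policy ("providing access based on user and context characteristics"), as an added Python example that is not DSM's implementation. The three rules are the slide's three columns; deny-by-default, the "step-up" outcome when a session was authenticated more weakly than the rule requires, the strength ordering of the authentication methods and the per-user `authorizations` attribute used for the "All authorized applications" column are this example's own assumptions.

```python
"""Context-based access decision for a SharePoint-style service: the user's
directory, device and location determine the required authentication and the
areas presented. Added example that encodes the slide's three columns as rules;
deny-by-default, the step-up outcome, the strength ordering of the
authentication methods and the authorizations attribute are assumptions."""
from dataclasses import dataclass

AUTH_STRENGTH = {"none": 0, "User name / Password": 1, "SSO": 2}  # assumed ordering
AUTHORIZED_ONLY = "All authorized applications"  # marker: present only what the user is explicitly authorized for


@dataclass(frozen=True)
class Context:
    directory: str            # "DSM" or "Extranet": the directory the user was found in
    device: str               # "DSM Workstation" or any other device string
    location: str             # "Internal / VPN" or "Internet"
    authenticated_with: str   # "none", "User name / Password" or "SSO"
    authorizations: frozenset = frozenset()  # per-user application grants (assumed attribute)


@dataclass(frozen=True)
class Rule:
    directory: str
    device: str               # "Any Device" acts as a wildcard
    location: str
    required_auth: str
    presentation: frozenset


# The slide's three columns, most specific first
RULES = [
    Rule("DSM", "DSM Workstation", "Internal / VPN", "SSO",
         frozenset({"Intranet", "Team Sites", "My Site"})),
    Rule("DSM", "Any Device", "Internet", "User name / Password", frozenset({"Team Sites"})),
    Rule("Extranet", "Any Device", "Internet", "User name / Password", frozenset({AUTHORIZED_ONLY})),
]


def matching_rule(ctx):
    """First rule whose directory, location and device (or wildcard) fit the context, else None."""
    for rule in RULES:
        if (rule.directory == ctx.directory and rule.location == ctx.location
                and rule.device in ("Any Device", ctx.device)):
            return rule
    return None


def decide(ctx, area):
    """Return ("allow" | "deny" | "step-up", reason) for a request to reach `area`."""
    rule = matching_rule(ctx)
    if rule is None:
        return "deny", "no rule covers %s / %s / %s" % (ctx.directory, ctx.device, ctx.location)
    if AUTH_STRENGTH[ctx.authenticated_with] < AUTH_STRENGTH[rule.required_auth]:
        return "step-up", "authenticate with %s first" % rule.required_auth
    presented = rule.presentation
    if AUTHORIZED_ONLY in presented:          # externals only see what they were granted
        presented = ctx.authorizations
    if area not in presented:
        return "deny", "%s is not presented to this context" % area
    return "allow", "matched rule for %s / %s / %s" % (rule.directory, rule.device, rule.location)


# Constructed contexts for a quick self-check
INTERNAL_SSO = Context("DSM", "DSM Workstation", "Internal / VPN", "SSO")
INTERNAL_PWD = Context("DSM", "DSM Workstation", "Internal / VPN", "User name / Password")
LAPTOP_OUTSIDE = Context("DSM", "DSM Workstation", "Internet", "SSO")
HOME_PC = Context("DSM", "Home PC", "Internet", "User name / Password")
PARTNER = Context("Extranet", "Tablet", "Internet", "User name / Password",
                  frozenset({"Presentation Site"}))
PARTNER_INSIDE = Context("Extranet", "Tablet", "Internal / VPN", "SSO")

if __name__ == "__main__":
    for ctx, area in [(INTERNAL_SSO, "My Site"), (HOME_PC, "My Site"), (PARTNER, "Team Sites")]:
        print(ctx.directory, ctx.device, ctx.location, area, "->", decide(ctx, area))
```

A DSM workstation used from the Internet falls through to the "Any Device / Internet" column and therefore only sees Team Sites, which is the point of the slide's gradual-addition arrows: the policy widens as devices and services are brought under management, without the decision logic changing.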

Page 32

Agenda

• Setting the scene

• The challenge

• The approach

• The solution

• Key takeaways


Page 33

Key takeaways


Page 34

DSM

Questions