© 2013 IBM Corporation. Simpler, Smoother and Smarter Zecurity for the business ecosystem. Pekka Hagström, Business Area Manager, Security, Enfo Zipper Zecurity

Simpler, Smoother and Smarter Zecurity for the business ecosystem - Smarter Business 2013


DESCRIPTION

More and more organizations seek cost efficiency by outsourcing the work in their business processes, and that requires access management for the company's entire ecosystem. With self-service, centralized authorization management and new smart cloud services, Enfo has solved this at Tele2, Folksam and others. Speaker: Pekka Hagström, Business Area Manager, Security, Enfo Zipper Zecurity. More from the day at http://bit.ly/sb13se


Page 1

Simpler, Smoother and Smarter Zecurity for the business ecosystem

Pekka Hagström, Business Area Manager, Security, Enfo Zipper Zecurity

Page 2

Enfo Sweden AB

Enfo Zipper

Zecurity for business ecosystems

Page 3

Drivers to enhance identity and access management

1. Internal users
2. External users
3. Online business models
4. IT architecture

Hvide Sand, Denmark

+ 25 Co

Page 4

Business drivers to enhance IAM – part 1

Streamline the administration of internal users

• Automate the flow of identity-related data from HR into various systems
• Automate the adjustment to changes in job roles
• Enforce access according to the job roles
• Reduce processing/onboarding time for new employees
• Simplify administrative procedures
• Delegate administration to different organizational units so that they can administer their own users according to mutual agreements
• Centralize the administration of internal users and federate them to external (cloud) services
• Fulfill administrative requirements with traceability and audit reporting
• Enhance the quality of identity-related data in different target systems

Page 5

Business drivers to enhance IAM – part 2

Streamline the administration of external users

• Eliminate/reduce administration costs
• Delegate all administration of external users to external stakeholders
• Ensure that external users have access only in accordance with their agreements
• Externalize the risks of administration to external stakeholders
• Eliminate latency for changes to user/permission data
• Ensure ‘non-repudiation’ of all transactions conducted by external users

Page 6

Business drivers to enhance IAM – part 3

Enable all online business and all online activities

• Provide single sign-on for all users to all applications/services/systems
• Enable access to all processes for external users (according to agreements)
• Enable login/authorization with federated external identities
• Provide seamless integration to external (cloud) services
• Enhance the business within your ecosystem – customers, partners, brokers, etc.

Page 7

Challenge – business-based access in ecosystems

Multi-tenant IAM is needed

[Diagram: Business Ecosystem. Labels: Parent company; Wealth management; Credit bank; Investment bank; Fund company; Deposit bank; Insurance company; Payment Card company; External organization as a service provider; Embedded cloud services; Cloud services; B2C customers; B2B customers; Business partners; Regulators; Brokers; Re-sellers]

Page 8

Examples of federated identities in the ecosystem

[Diagram labels: Company; External authentication services; Employers of external users; External partners; Cloud services; External partners]

Page 9

ICT drivers to enhance IAM

Streamline your ICT architecture

• Utilize commercial services instead of in-house development
• Externalize the risks associated with internal solutions and maintenance
• Avoid dependencies on specialized IT resources
• Provide modern claim-based access control services to new services/applications
• Integrate your existing (target) applications with source systems (i.e. HR)
• Externalize login into a common SSO service

Page 10

Alternative solution models

1. Propagation from HR into applications
2. Dynamic, business-based access control

Page 11

Conceptual IAM solution models

[Diagram: two solution models, "Provisioning into target applications" and "Dynamic access control". Labels: Master sources; HR (1); HR (2); CRM (1); CRM (2); IdM DB; IdM Portal; IdM Processes; Business processes; Target systems; Application 1; Application 2; Application 3; Application 4; Service 1; Service 2; AD; ABAC]

• Local authentication and authorization based on local replicated data
• Authentication and authorization based on centralized data (AD)
• Dynamic authentication & authorization based on attributes

Page 12

Provisioning into target systems

Who gets access to what, on behalf of whom?

[Diagram labels: Access Management; Service Management HR; IdM Synch. engine; AD Cloud Applications LDAP; HR 1; Master data; Web services; Customers Intranet; Service mgmt; HR 2; Identity portal; IdM admin app; Source for internal users; Embedded administration; Centralized administration; IdM]

Page 13

Conceptual model for dynamic access control

1. e-Service management
2. Business agreements as a foundation for access
3. Delegated Identity management

[Diagram labels: Service Providers; Service Consumers; Service agreements; Online Services; Application; Access Object; Permission; User account; User; Person; Business integrity; Foundation for entitlements; Implicit & explicit attributes]

A person can act as multiple users

Page 14

Services vs. customer specific development?

Page 15

Cost comparison – service vs. on-premise

Economies of scale

Total cost of risk

Page 16

Simpler, smoother, smarter ICT

[Diagram labels: Smarter ICT; Smart value-added security services; Smoother ICT platform for business applications; Business Applications; Business Portals; Business processes; Simpler with common services; Application services; Integration services; Security Services; Communication Services; Service Desk; Workstation services; Asset management; Infrastructure services; Business intelligence & Billing services]

Page 17