Next generation identity and access management for Industrial Internet of Things and Industry 4.0

Evidian

2019-09-24

Summary

Why read this white paper  04
Success factors of IIoT deployments  05
Industrial Internet of Things needs safety and security  06
Next-generation IAM must adapt to changing paradigms  07
New requirements and standardization - IAM for IIoT  08
Driving innovation for Industrial IAM  09
Securing the IIoT ecosystem  10
The integrated IAM-IIoT architecture  11
Conclusions  13
Glossary  14

Overview

The Internet of Things (IoT) has become a popular term for describing a network that connects uniquely identifiable things to the Internet.

In fields like manufacturing, utilities, building technologies, healthcare, energy, oil and gas, where the focus is on reliability, availability and the transfer of mission-critical information, IoT is usually referred to as the Industrial Internet of Things (IIoT) and is synonymous in many respects with terms like Industrial IT or Industry 4.0.

This white paper addresses the challenges for Identity and Access Management (IAM) in the context of IT and OT convergence and introduces concepts and architectures for the next generation of IAM for the Industrial Internet of Things.

Why read this white paper

Operational Technology (OT) supports physical value creation and manufacturing processes. As such, it comprises the devices, sensors and software necessary to control and monitor plants and equipment.

Industrial control systems (ICS) form an important segment within the OT sector, comprising several types of control systems and associated instrumentation used in industrial production. Examples include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and smaller control systems such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. Information Technology (IT), on the other hand, combines all of the technologies necessary for information processing.

For the past few decades, most industries have developed and managed OT and IT as two different domains, maintaining separate technology stacks, protocols, standards, security and governance models and organizational units. In recent years, however, OT has begun to progressively adopt IT-like technologies. Internet Protocol (IP), for example, has gained acceptance as an all-purpose networking protocol. This trend has paved the way for the convergence of IT and OT and the Industrial Internet of Things (IIoT).

Although the convergence of IT and OT in the Industrial Internet of Things brings clear advantages to companies, CIOs, COOs and CISOs must also be aware that once OT devices and OT systems are reachable via the Internet, they are exposed to the same attacks as Internet-facing IT systems, usually without the patching cadence and built-in security controls those IT systems have. With the tremendous growth of industrial Internet services, securing the connectivity between the industrial shop floor and the enterprise IT becomes mandatory. This white paper introduces an architectural blueprint of an IIoT ecosystem secured by multi-tenant, cloud-ready identity and access management (IAM) services that help to meet the challenges associated with securing the Industrial Internet of Things.

This white paper provides an overview of the factors that have influenced the design of the IAM IIoT service architecture. The paper

• Summarizes the success factors and benefits of IIoT deployments based on various industry-specific sample scenarios.

• Examines how the industry view of security is changing and what the key challenges are to achieving a secure Industrial Internet of Things.

• Describes Identity and Access Management (IAM) as a key factor for securing the IIoT and asks the questions that IAM systems need to answer today and tomorrow.

• Specifies the characteristics of the paradigm shift required for the design principles of an integrated IIoT IAM architecture and lists the key features provided by the new generation of IAM systems for the IIoT.

• Discusses the background, expertise and benefits of Atos as a longstanding partner in industry-related IAM projects and its vision of the concept and architecture of IIoT-related IAM services.

Success factors of IIoT deployments

The Industrial Internet of Things provides a variety of opportunities to companies in many industries, from manufacturing to utilities, from building technologies to transportation.

New business models

Being available via the Internet, the data generated by devices and sensors enable new data-driven business models. Both industrial and Internet companies are extending their offerings by integrating data from sensors and devices or by combining physical products with Internet-based services. Applying big data analytics allows vendors to provide new types of business models, for example performance-based or outcome-based contracts in addition to classical time-and-material maintenance contracts.

Example: In the power generation sector, big data analysis allows oil or gas turbine vendors to sign new service agreements with power plant operators, ensuring that customers have the same reliability but greater availability, since remotely-monitored turbines can run longer between scheduled maintenance downtimes.

In the buildings and infrastructure sector, IIoT devices and sensors provide data for outcome-based contracting, where the outcome is measured in terms of reduced energy usage or a better environmental footprint.

Efficient resource management

Combining IT and OT technologies in the IIoT achieves cost reductions that result from more efficient management of human and natural resources as well as from better management of assets, materials and information.

Example: IIoT tools support users of industrial products and services. Augmented and virtual reality software and hardware provide project engineers with the required technical know-how when they put industrial equipment and services to work, or help technicians perform repair services. Companies that integrate augmented IIoT technologies into their operations significantly improve the productivity of their employees and customers.

Improved services

As information in IIoT deployments is available much faster than ever before, companies are now able to improve their customer services, maintenance services or field services based on data delivered by devices and sensors, and to satisfy their service-level agreements more reliably and cost-efficiently.

Example: A predictive and preventive maintenance service for wind farms, healthcare or manufacturing equipment can forecast failures in the field. Preventive maintenance allows for minimizing repair-related downtimes and systematically planning maintenance deployments. A resource planning system ensures that the required spare parts are available and reserved, and it can connect to an internal or partner's service work schedule system and logistics management system, as well as the customer's, to schedule the field service.

In the mobility sector, data analysis enables train manufacturers to forecast malfunctions and provide predictive maintenance on trains, enhancing their punctuality.

The Industrial Internet of Things needs safety and security

In the OT world, the focus has always been on safety; that is, the property of a system such that it will not endanger human life or the environment, including buildings, machines or production lines, to name a few of the important assets in the OT world. In the IT world, the focus is on security, which includes aspects such as the prevention of unauthorized access to and/or handling of information, confidentiality (the absence of unauthorized disclosure of information), integrity (the absence of improper system alteration), authentication (allowing for confirmation of the identity of an entity) and non-repudiation (the assurance that someone cannot deny having performed an action).

In a converged IT/OT and Industrial Internet of Things world, the dependability of the system as a whole is key, where dependability can be defined as the ability to deliver service that can justifiably be trusted. In this context, dependability can be measured in terms of confidentiality and privacy, integrity, availability, reliability, security, safety and maintainability.

Industrial IT/OT and Enterprise IT have different characteristics

Industrial IT/OT systems and enterprise IT systems have different characteristics in terms of component lifetime, availability requirements, real-time requirements, physical security and security standards. As a result, enterprise IT security concepts and solutions are not directly applicable to industrial IT/OT systems.

Characteristic            | Industrial IT/OT           | Enterprise IT
Component lifetime        | Up to 30 years             | 3-5 years
Availability requirement  | Very high                  | Medium, delays accepted
Scalability requirement   | Very high, many devices    | High, mainly humans
Real-time requirement     | Critical                   | Delays accepted
Automation requirement    | High, device registration  | Medium, user provisioning
Physical security         | Very variable              | High (for critical IT)
Security standards        | Under development          | Existing

Opening critical systems to the Internet requires a changed view of industrial security

The Road to IIoT Security: from secure islands to controlled IT/OT gateways to a fully-interconnected security infrastructure.

Today: Security by segregation. Secure islands; highly secure perimeter; blocks new use cases.

Tomorrow: Building a secure access point. Edge components; only one highly secure point of access; depends on secure perimeter protection.

Future: Security-enabled OT systems and devices. Secure interaction without perimeters; full support of Industry 4.0 use cases; depends on next-generation OT systems and devices.

Next-generation IAM must adapt to changing paradigms

Identity and Access Management (IAM) is defined as the security discipline that enables the right entities to access the right resources, either hardware or IT applications, at the right times for the right reasons. It addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements.

Legacy OT systems often lack the security capabilities common to modern IT systems

• In many cases, OT systems and devices use unencrypted passwords, both to read and to configure them, and/or the passwords are well known and cannot be changed easily.

• OT systems and devices that are not properly protected by secure authentication methods are open to attack by cybercriminals and can be used, for instance, as starting points for botnets that take over thousands of other systems connected to the Internet.

• Four of the top six weaknesses recently reported by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) were centered around the handling of electronic identities.

The success of IIoT depends heavily on the existence of fitting IAM technologies and services

Tomorrow's IIoT deployments will need to manage complex relationships between internal or external users, devices and related services.

• The new generation of IIoT IAM systems will provide security professionals with technologies to provision, authenticate, authorize and audit identities ("entities") of IIoT devices and IIoT applications and their entitlements.

• The IAM component architecture provides the flexibility and elasticity to support deployments in a variety of scenarios.

Identity and Access Management is facing a significant paradigm shift

Area of change          | IAM today                                                                  | IAM for IIoT
The concept of identity | A natural or legal person, sometimes also technical users                  | Universal concept of an "entity" which encompasses anyone and anything that is uniquely identifiable and can be managed separately
Scale                   | Largest numbers of IDs around 10^9                                         | With connected devices the numbers grow beyond 10^12
IT maturity             | Unlimited computing power, well-established IT (security) processes        | Isolated IT solutions, no automated update services, constrained devices
Interconnectivity       | All resources connected to the Internet; perimeters don't work             | Secure islands; loose coupling of central IAM and connected satellites
Human interaction       | Access rights are requested and approved by humans; only limited automation | Kept as limited as possible; automated enrollment and policy distribution needed

New requirements and standardization - IAM for IIoT

The four A's of Identity and Access Management in the IT world, Administration, Authentication, Authorization and Audit, are equally important for the converged IT/OT world.

Scale, diversity and heterogeneity

All entities, their attributes and their relationships to other entities must be stored and made available to other related entities. Entities can represent the whole diversity of humans, devices, services and IIoT platforms.

Entity administration / lifecycle management

In the new generation of IAM for IIoT, additional features such as device management and management of the relationships between users, devices and the other IIoT entities involved play a paramount role.

The onboarding/registration process must be completely automated. Technologies such as workflow and provisioning mechanisms (SCIM), data aggregation and correlation of entity data that is distributed across the IT/OT landscape will be adapted to fit the industrial environment.

Role and policy management as well as access certification, reporting and analytics can also be reused.

Authentication and authorization

A unified approach to authentication and authorization must be built into all layers of IIoT solutions, covering use cases such as authenticating and authorizing users, devices, applications or other entities in order to manage access to all connected entities and to administer connected systems. Important well-defined standards include SAML, OpenID Connect and OAuth 2.0, which form the backbone of cloud IAM.

For OT communication between devices and between devices and servers/gateways, a new set of standards has emerged and is being developed for the different layers of the protocol stack to cover the requirements of constrained and unconstrained devices.

For example, the IETF framework Authentication and Authorization for Constrained Environments (ACE), a draft at the time of writing and since published as RFC 9200, defines authentication and authorization for Internet of Things (IoT) environments. The framework is built on OAuth 2.0 and the Constrained Application Protocol (CoAP), with CBOR-encoded tokens and proof-of-possession keys bound to them, thus making a well-known and widely-used authorization solution suitable for constrained IIoT devices.

Analytics and reports

Activities associated with user and device administration and real-time enforcement are logged for day-to-day monitoring, regulatory and investigative purposes.

APIs for IIoT IAM

The IIoT needs developer-friendly identity and access management APIs for connecting users and devices to applications, systems and services. RESTful APIs based on framework standards such as OAuth and OpenID Connect are used to support user and device management, registration and provisioning, authentication, authorization, access control and data flow control between the applications and systems of the IIoT and the connected users and devices.

Standards are key

The System for Cross-Domain Identity Management (SCIM, RFC 7643/7644) is an open standard for provisioning identity resources across domains; its extensible schema allows it to carry device and other entity types as well as users and groups.

Security Assertion Markup Language (SAML), OpenID Connect and OAuth are among the federation standards used for authentication or authorization.

User-Managed Access (UMA), an authorization profile built on OAuth 2.0, covers the growing demand for user-permissioned data access models.
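The ACE building blocks named in this section (an OAuth 2.0 token request from a device, a proof-of-possession key bound to the issued token, and scope enforcement at the resource) can be traced through a small simulation. The following is an added example, not code from the white paper, from Atos or from the ACE specification, and it is not wire-compatible with ACE: it uses JSON and HMAC-SHA256 from the Python standard library where ACE uses CoAP, CBOR/COSE and CWT tokens, and all names in it (ACE-AS, rs-valve-ctl, pump-7, valve/42, the scope format read:<path>) are assumptions made up for the example.

```python
"""Simplified ACE-style token exchange: constrained device <-> authorization
server (AS) <-> resource server (RS). Added example, not code from the white
paper, from Atos or from the IETF ACE specification. Real ACE uses CoAP,
CBOR/COSE and CWT tokens; JSON plus HMAC-SHA256 stand in here so it runs on
the standard library alone. All names are made up for the example."""
import base64, hashlib, hmac, json, os, time

SCOPE_FOR = {"GET": "read", "PUT": "write"}   # CoAP-style method -> scope verb


def b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def mac(key, *parts): return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> pre-shared client secret
        self.rs_keys = {}   # audience  -> key shared between AS and that RS
        self.policy = {}    # (client_id, audience) -> set of allowed scopes

    def token_request(self, client_id, secret, audience, scope, ttl=300):
        # Client authentication; ACE would do this with DTLS-PSK or OSCORE.
        if not hmac.compare_digest(self.clients.get(client_id, b"-"), secret):
            return {"error": "unauthorized_client"}
        wanted = set(scope.split())
        if audience not in self.rs_keys or \
                not wanted <= self.policy.get((client_id, audience), set()):
            return {"error": "invalid_scope"}
        # The PoP key is derived from the AS-RS key and a key id, so the token
        # never carries the key itself (ACE ships it encrypted inside the CWT).
        kid = b64(os.urandom(8))
        pop_key = mac(self.rs_keys[audience], b"pop", kid.encode())
        claims = {"iss": "ACE-AS", "sub": client_id, "aud": audience,
                  "scope": " ".join(sorted(wanted)),
                  "exp": int(time.time()) + ttl, "cnf": {"kid": kid}}
        body = json.dumps(claims, sort_keys=True).encode()
        token = b64(body) + "." + b64(mac(self.rs_keys[audience], body))
        return {"access_token": token, "cnf": {"kid": kid, "k": b64(pop_key)}}


def device_request(token, pop_key, method, path):
    """Device side: bind the request to the token with a PoP MAC over a fresh nonce."""
    nonce = b64(os.urandom(8))
    proof = mac(pop_key, token.encode(), method.encode(), path.encode(), nonce.encode())
    return {"token": token, "method": method, "path": path, "nonce": nonce, "pop": b64(proof)}


class ResourceServer:
    """Gateway or device endpoint: token MAC, audience/expiry, replay, PoP, scope."""
    def __init__(self, audience, as_key):
        self.audience, self.as_key, self.seen_nonces = audience, as_key, set()

    def handle(self, req):
        try:
            body_b64, mac_b64 = req["token"].split(".")
            body, token_mac = unb64(body_b64), unb64(mac_b64)
        except (KeyError, ValueError):              # binascii.Error is a ValueError
            return "401 malformed token"
        if not hmac.compare_digest(mac(self.as_key, body), token_mac):
            return "401 token not issued for this RS"
        claims = json.loads(body)
        if claims.get("aud") != self.audience or claims.get("exp", 0) < time.time():
            return "401 wrong audience or expired"
        if req["nonce"] in self.seen_nonces:        # a real RS bounds this cache by time
            return "401 replay"
        pop_key = mac(self.as_key, b"pop", claims["cnf"]["kid"].encode())
        expected = mac(pop_key, req["token"].encode(), req["method"].encode(),
                       req["path"].encode(), req["nonce"].encode())
        if not hmac.compare_digest(expected, unb64(req["pop"])):
            return "401 proof of possession failed"
        self.seen_nonces.add(req["nonce"])          # only after the PoP check passed
        needed = SCOPE_FOR.get(req["method"], "?") + ":" + req["path"]
        if needed not in claims["scope"].split():
            return "403 scope does not cover request"
        return "200 ok"


def demo():
    """Constructed scenario: pump-7 is allowed to read, but not write, valve/42."""
    auth, rs_key = AuthorizationServer(), os.urandom(32)
    auth.rs_keys["rs-valve-ctl"] = rs_key
    auth.clients["pump-7"] = b"psk-for-pump-7"
    auth.policy[("pump-7", "rs-valve-ctl")] = {"read:valve/42"}
    rs, out = ResourceServer("rs-valve-ctl", rs_key), {}
    resp = auth.token_request("pump-7", b"psk-for-pump-7", "rs-valve-ctl",
                              "read:valve/42 write:valve/42")
    out["over_scoped"] = resp.get("error")
    resp = auth.token_request("pump-7", b"psk-for-pump-7", "rs-valve-ctl", "read:valve/42")
    token, pop_key = resp["access_token"], unb64(resp["cnf"]["k"])
    out["read"] = rs.handle(device_request(token, pop_key, "GET", "valve/42"))
    out["write"] = rs.handle(device_request(token, pop_key, "PUT", "valve/42"))
    stolen = device_request(token, pop_key, "GET", "valve/42")
    stolen["pop"] = b64(os.urandom(32))           # attacker holds the token, not the key
    out["stolen_token"] = rs.handle(stolen)
    replayed = device_request(token, pop_key, "GET", "valve/42")
    rs.handle(replayed)
    out["replay"] = rs.handle(replayed)
    return out
```

demo() walks through five cases: the AS refuses a token for more scope than policy grants, a read within scope succeeds, a write outside scope is refused by the RS, a copied token presented without the PoP key is rejected, and a replayed request is rejected. The point for a practitioner is the stolen-token case: a plain bearer token, which is what most enterprise OAuth deployments issue, would have been accepted there; it is the proof of possession, not the token's own MAC, that ties the token to the device that requested it.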

Driving innovation for industrial IAM

Atos, the #1 European IAM vendor, and Siemens, the market leader in industrial automation, join forces to define the next generation of IAM for the Industrial Internet of Things.

IAM vendors must extend their products and services beyond traditional IAM use cases. Today, we see the first wave of IAM solutions targeting the convergence of IT and OT.

Atos and Siemens co-innovate in digitalization

Atos is one of the top 10 cybersecurity companies worldwide, with full-scale security expertise and over 4,500 cybersecurity experts. Each day, millions of identities are securely managed with Atos technologies, millions of lives are protected by Atos critical defense systems, and billions of security events are analyzed in Atos Security Operation Centers, resulting in hundreds of billions of euros of digital business being secured each day. Bull, as part of Atos technologies, provides Atos customers with an expanded portfolio of security offerings, ranging from risk assessment and consulting to managed security services with 14 global 24x7 Security Operation Centers and innovative product lines in Internet of Things security, data protection and encryption.

Atos is the leading European provider of identity and access management technology and services and supports compliant, automated access and rights management for more than 1,000 customers worldwide. Atos IAM has a strong industrial footprint, implementing complex identity management processes with some of the largest manufacturing companies.

Siemens is a global powerhouse positioned along the electrification value chain, from power generation, transmission and distribution to smart grid solutions and the efficient application of electrical energy, as well as in the areas of medical imaging and laboratory diagnostics.

Atos, a leading player in IT, and Siemens, the market leader in industrial automation, have joined forces as the Siemens-Atos Alliance to push innovation for the fast-growing market of digitalization. This alliance offers the combination of skills, capabilities and market reach needed to co-innovate on future IIoT IAM services and enabling technologies for the Industrial Internet of Things.

The Atos roadmap to the next-generation IAM

The path to the next-generation IAM will be characterized by two waves of innovation.

Wave 1: The focus of wave one is on the convergence of IT and OT. Mature IAM technologies like identity federation, strong authentication and role-based access control will find their way onto the shop floor. Gateways will control the communication between IT and secure OT islands. The upcoming solutions must evolve to meet the industrial requirements on robustness and availability.

Wave 2: In the second wave, we will see fully-interconnected IIoT scenarios, where humans, services and machines exchange process data to provide high-value services like prescriptive maintenance. Secure data exchange depends on the availability of a unique identity for each entity and on the ability of entities to authenticate securely to each other. The next-generation IAM needs to deliver standardized protocols, APIs and RESTful interfaces to be integrated with each device, actuator, sensor or system. Edge devices and gateways will become the translators between standardized IP-based communication protocols and the proprietary OT device communication protocols.

In the following section, we will take a closer look at the IIoT ecosystem and the underlying IT architecture.

Securing the IIoT ecosystem

Modern IIoT infrastructures are normally structured in a three-tier architecture connecting humans, services and machines.

Codex is a fully-integrated and cross-market end-to-end analytics solution that enables organizations to maximize the value of their data quickly and cost-efficiently.

Securing the IIoT ecosystem demands an integrated IAM architecture that manages the identities and access of users and of entities such as devices, sensors, gateways, controllers, applications and services in a uniform way.

The three tiers of the IIoT architecture

The IIoT ecosystem is built on a three-tier architecture: the shop floor layer, the IIoT service layer and the (human) user layer.

• Shop floor and gateway layer: Secure gateways connect devices and systems on the shop floor (sensors, actuators, controllers, ...). OT-side SCADA systems and engineering systems are also part of this layer. Today, all communication with the shop floor layer is strictly controlled through gateways or secure edge devices.

• IIoT big data service and application layer: The core IIoT services (for example, data integration management, big data modelling and analytics, connectivity and messaging, workflow and process management) process the OT data and provide higher quality data and analytics to the use case app layer. This communication demands secure authentication between the services (for example, as technical users) in a distributed environment. Business applications can be customized to fit the customer's needs exactly without requiring changes to the core service level. Important use cases are, for example, prescriptive maintenance, remote field services, zero downtime, product lifecycle management (PLM) optimization or federated experts. External cloud services must also be securely integrated (for example, billing).

• Interconnection or cloud layer: Users (humans or other technical users) connecting to the app layer need to be securely identified, and user-centric management services must be available for any tenant, such as registration, profile management, ID synchronization or connectivity to Identity Providers (IdPs) in a federated environment.

Secure access to critical information must be managed in a transparent way on all three tiers of the IIoT infrastructure. Identity and Access Management facilitates secure access and provides strong support for compliance and audit. The challenge is to deliver an integrated approach instead of creating a patchwork of IAM solutions hard-wired into the IIoT modules.

Figure: Codex supports the 3-tier architecture for IIoT. Shop floor / things / machines (sensors, actuators, controllers, mobile devices, ...); core big data enablement platform (workflow management & BPM, data integration & management, data modeling & analysis, data visualization & reporting); app layer adapting the business case (BI, CPM, dashboards, exploration & discovery, predictive analytics, context-aware learning); interconnection/cloud layer (employees, partners, auditors, suppliers, ...). Each tier is marked "identify & protect". The challenge: don't create new isolated solutions.

The integrated IAM-IIoT architecture

Identity management for customers, service partners and vendors is critical to facilitating the shift from isolated OT infrastructures to new service-oriented solutions and to supporting their IT digitalization strategy. With the UISA blueprint, Atos provides a roadmap to integrated IAM services without investment in isolated solutions.

The Modular Identity Service Platform (MISP) software and service platform can be used as a managed cloud service. Manufacturers and OT system vendors can also embed MISP into the OT domain to provide stand-alone IAM services.

The Atos blueprint for next-generation IAM services: UISA

In the Atos UISA project, the target is to define a blueprint for commercial Identity as a Service (IDaaS) offerings with a focus on digitalization and the IIoT. The Atos Universal Identity Service Architecture (UISA) provides a framework for delivering secure identity and access management services for industrial IT use cases in the extended enterprise. UISA defines a set of IAM services, functionalities, standard interfaces and protocols ready to be operated in the cloud or on premise. The IAM end-user services include identity assurance, dynamic risk analysis, risk tagging and risk-based authentication.

In an IIoT environment, several identity namespaces must be integrated and managed for multiple tenants (customers, system vendors, IIoT service partners or external organizations, for example).

The UISA architecture defines a set of open standards and protocols for connectivity, identity management, authorization, authentication and identity federation, such as SCIM, OAuth, OpenID Connect, SAML and multi-factor authentication. The services are accessible via RESTful interfaces. Adopting the UMA standard supports the decentralized, user-centric access control necessary for enhancing privacy and confidentiality.

In addition, UISA provides ancillary functions such as monitoring, analytics and reporting.

The key design principle is the externalization of IAM functionality on all layers of the IIoT architecture. We assume that neither the use case apps nor the IIoT services will operate self-sufficiently; both will require an open security layer to interact with each other and with new third-party services.

But there is still a missing link: to complete the picture, we need a software platform that enables the secure connection of externalized UISA services to the shop floor.

Connecting the shop floor: the Modular Identity Service Platform (MISP)

The Modular Identity Service Platform (MISP) delivers core IAM services such as user management and federated single sign-on (SSO) to connect industrial shop floor systems with external customer IAM systems and to secure access to the data of connected industrial systems and services, leveraging standard protocols such as OAuth, OpenID Connect, SAML and LDAP.

The service platform provides lifecycle management of users, secure risk-based authentication and single sign-on (SSO) for both IT and OT systems, including web applications and engineering systems on the shop floor of the industrial enterprise.

This platform can be used in different scenarios:

• As an IT/OT gateway, MISP facilitates the secure connection between externalized IAM services (like UISA) and the secure OT domain.

• OT system or device vendors may also decide to deploy a core MISP appliance inside the secure OT domain, allowing for loosely-coupled architectures in which IAM services remain available even when the connection to the external service is down.

Based on the UISA blueprint and the MISP software platform, Atos offers its customers a future-proof roadmap to secure digitalization services. The reuse of existing enterprise IAM services and the open, standards-based architecture protect existing investments and make the enterprise IT ready to support new use cases of the Internet of Things.
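The end-user services this section attributes to UISA and MISP (dynamic risk analysis, risk tagging and risk-based authentication, with the decision logged for audit) can be shown as a small policy engine that scores a login attempt and chooses between plain sign-on, step-up to multi-factor authentication and denial. The following is an added example, not the white paper's, Atos's or UISA's code; the signals, weights, tags, thresholds and the MFA policy floor for shop floor targets are assumptions chosen for the illustration, and the scenario data (tenant plant-north, subject j.mueller, device ids) is constructed.

```python
"""Dynamic risk analysis, risk tagging and risk-based authentication for a
login into one tier of an IIoT deployment. Added example, not the white paper's,
Atos's or UISA's code; signals, weights, tags, thresholds and the policy floor
are assumptions chosen for the illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MAX_PLAUSIBLE_TRAVEL_HOURS = 2.0     # a country change faster than this is implausible
MFA_THRESHOLD, DENY_THRESHOLD = 30, 70


@dataclass(frozen=True)
class LoginContext:
    subject: str
    tenant: str
    target_tier: str                  # "cloud", "app" or "shopfloor"
    device_id: str
    enrolled_devices: FrozenSet[str]  # devices already bound to this subject
    country: str
    last_country: Optional[str]       # None on the subject's first login
    hours_since_last_login: Optional[float]
    failed_attempts_last_hour: int = 0


def analyze_risk(ctx: LoginContext):
    """Dynamic risk analysis: a score plus the risk tags that explain it."""
    score, tags = 0, []
    if ctx.device_id not in ctx.enrolled_devices:
        score += 30
        tags.append("unenrolled_device")
    if ctx.last_country is not None and ctx.country != ctx.last_country:
        if (ctx.hours_since_last_login is not None
                and ctx.hours_since_last_login < MAX_PLAUSIBLE_TRAVEL_HOURS):
            score += 40
            tags.append("impossible_travel")
        else:
            score += 15
            tags.append("new_location")
    if ctx.failed_attempts_last_hour >= 5:
        score += 25
        tags.append("credential_guessing")
    if ctx.target_tier == "shopfloor":
        score += 20
        tags.append("critical_target")
    return score, tags


def decide(ctx: LoginContext):
    """Risk-based authentication: allow, step up to MFA, or deny, plus an audit line."""
    score, tags = analyze_risk(ctx)
    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= MFA_THRESHOLD:
        decision = "step_up_mfa"
    else:
        decision = "allow"
    # Policy floor: a session that reaches the OT side is never below MFA,
    # whatever the score says.
    if ctx.target_tier == "shopfloor" and decision == "allow":
        decision = "step_up_mfa"
        tags.append("policy_floor_mfa")
    audit = (f"tenant={ctx.tenant} subject={ctx.subject} tier={ctx.target_tier} "
             f"device={ctx.device_id} score={score} tags={','.join(tags) or '-'} "
             f"decision={decision}")
    return {"score": score, "tags": tags, "decision": decision, "audit": audit}


def run_scenarios():
    """Constructed logins of one technician of a made-up tenant."""
    base = dict(subject="j.mueller", tenant="plant-north", device_id="laptop-4711",
                enrolled_devices=frozenset({"laptop-4711"}), country="DE",
                last_country="DE", hours_since_last_login=9.0)
    cases = {
        "routine_app_login": LoginContext(target_tier="app", **base),
        "routine_shopfloor_login": LoginContext(target_tier="shopfloor", **base),
        "new_device_new_country": LoginContext(**{**base, "target_tier": "app",
                                                 "device_id": "tablet-0815", "country": "FR"}),
        "new_device_impossible_travel": LoginContext(**{**base, "target_tier": "app",
                                                       "device_id": "tablet-0815",
                                                       "country": "BR",
                                                       "hours_since_last_login": 0.5}),
        "guessing_then_shopfloor": LoginContext(**{**base, "target_tier": "shopfloor",
                                                  "failed_attempts_last_hour": 7}),
        "first_login_ever": LoginContext(**{**base, "target_tier": "cloud",
                                           "last_country": None,
                                           "hours_since_last_login": None}),
    }
    return {name: decide(ctx) for name, ctx in cases.items()}
```

Two design points worth noting. The tags, not the bare score, are what goes into the audit record and what a SOC analyst can act on; a score of 45 means nothing on its own, "unenrolled_device,new_location" does. And the policy floor sits outside the scoring so that a quiet, well-known session into the shop floor still cannot pass on a password alone, which is the rule most plant operators want regardless of how the risk model is tuned.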

The following figure shows how UISA and MISP envelop all tiers of the IIoT ecosystem, providing full integration with existing on-premise or external IAM service providers. At the same time, UISA and MISP offer a connection platform for new embedded OT services and for edge devices and gateways.

Figure: UISA, Universal Identity Service Architecture, including MISP. The interconnection/cloud layer (employees, partners, auditors, suppliers, ...) is served by the on-premise enterprise IAM, which is linked to UISA through OAuth/SAML conversion. UISA provides registration, strong multi-factor authentication, SSO and multi-tenancy, as well as risk-based access control, IoT protocol support and audit ("identify & protect"), for the app layer and the core big data enablement platform. An IT/OT gateway based on MISP, or an embedded MISP, connects UISA to the shop floor / things / machines tier.

Page 13: Next generation identity and access management for Industrial … · 2019-09-24 · Industrial Internet of Things / Industry 4.0 and Identity and Access Management 03 Overview The

Conclusions

The convergence of IT and OT, the Industrial Internet of Things and industrial digitalization have generated new security issues along with additional interoperability and scalability requirements. Every thing that interacts in an IIoT process must be uniquely identifiable as an entity. Security and compliance demand consistent management of which entities (people or devices) have access to what resources, when, where and why. Consequently, the Internet of Things requires identity and access management mechanisms that reduce the risk of unauthorized access by users and devices to applications, data, systems and other devices.

Identity and access management in the IIoT deals not only with human identities acting as users of IT applications and services but also with the device and operator identities of connected IIoT platforms and systems. IAM for the Industrial Internet of Things therefore requires a paradigm shift compared with traditional IAM. Even so, many of the technologies and standards with a proven track record in traditional IAM systems can be reused and adapted to meet the requirements of the IIoT.

For customers looking to secure their digitalization infrastructure, Atos will be the partner of choice. Besides its leading IAM portfolio, Atos has a comprehensive offering covering security consulting, global security operation centers and complementary IoT security hardware and software solutions.

Atos is engaged across many industries in the provision of identity- and access-related products and services. To meet the identity and access management requirements of converged IT/OT scenarios and to provide IAM features at all levels and components of an IIoT ecosystem, this white paper defines an IIoT security architecture in which both the use-case-specific digitalization services (for example, predictive maintenance) and the core IIoT services (for example, big data collection and analytics) are secured by multi-tenant, cloud-ready IAM services. These services are based on a predefined set of open standards and protocols for connectivity, identity management, authorization, authentication and identity federation, such as SCIM, OAuth 2.0, OpenID Connect, SAML and multi-factor authentication, and are accessible via RESTful interfaces. As a result, the entire IIoT ecosystem benefits from externalized IAM services that support security in heterogeneous, distributed and perimeter-less environments in a uniform and consistent way.
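The architecture summarized above externalizes authentication and authorization to IAM services reached over standard protocols, and relies on the IT/OT gateway to enforce the resulting decisions per tenant. The following Python program is an added example, not code from the white paper or from Atos/Evidian: it models the gateway as an OAuth 2.0 resource server that verifies a bearer access token presented by a registered thing, pins the signature algorithm, checks issuer, audience and expiry, isolates tenants, maps gateway operations to OAuth scopes and writes every decision to an audit trail. The HS256 token format, the claim names (sub, tenant, scope), the device directory and the scope mapping are assumptions made for the example; a production gateway would normally validate RS256/ES256 tokens against the authorization server's published keys rather than a shared secret.

```python
"""Gateway-side bearer-token check for a thing calling an IIoT service.

Added example, not code from the white paper or from Atos/Evidian.  The
IT/OT gateway is modelled as an OAuth 2.0 resource server that trusts an
external authorization server: it verifies the access token and applies
tenant and scope policy locally.  Token format (HS256 JWT), claim names,
device directory and scope mapping are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed registry of "things" as a tenant's IAM would provision it to
# the gateway (the shape is an assumption, not the SCIM schema).
DEVICE_DIRECTORY = {
    "urn:plant-a:plc-0042": {"tenant": "plant-a", "status": "active"},
    "urn:plant-a:plc-0043": {"tenant": "plant-a", "status": "revoked"},
}
ISSUER = "https://iam.example/plant-a"   # assumed authorization server
AUDIENCE = "iiot-gateway"                # assumed audience value for this gateway
# Gateway operation -> OAuth scope it requires (assumed policy).
REQUIRED_SCOPE = {"read_telemetry": "telemetry:read", "write_setpoint": "control:write"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the external authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(key: bytes, token: str, now: float) -> dict:
    """Return the claims only if algorithm, signature, issuer, audience and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    return claims


def authorize(key: bytes, token: str, operation: str, tenant: str, now: float, audit: list) -> bool:
    """Policy decision for one request; every decision, allowed or denied, goes to the audit trail."""
    try:
        claims = verify_token(key, token, now)
    except ValueError as err:
        audit.append({"op": operation, "tenant": tenant, "sub": None,
                      "decision": "deny", "reason": str(err)})
        return False
    sub = claims.get("sub")
    device = DEVICE_DIRECTORY.get(sub)
    scopes = set(claims.get("scope", "").split())
    if device is None or device["status"] != "active":
        reason = "unknown or revoked device"
    elif device["tenant"] != tenant or claims.get("tenant") != tenant:
        reason = "tenant mismatch"            # multi-tenant isolation at the gateway
    elif REQUIRED_SCOPE.get(operation) not in scopes:
        reason = "missing scope"              # unknown operations are denied as well
    else:
        reason = None
    audit.append({"op": operation, "tenant": tenant, "sub": sub,
                  "decision": "deny" if reason else "allow", "reason": reason})
    return reason is None


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    now = time.time()
    token = issue_token(key, {"iss": ISSUER, "aud": AUDIENCE, "sub": "urn:plant-a:plc-0042",
                              "tenant": "plant-a", "scope": "telemetry:read", "exp": now + 300})
    trail = []
    authorize(key, token, "read_telemetry", "plant-a", now, trail)   # allowed
    authorize(key, token, "write_setpoint", "plant-a", now, trail)   # denied: missing scope
    for entry in trail:
        print(json.dumps(entry))
```

The checks are deliberately ordered so that a request is refused before any claim is trusted: the algorithm is pinned and the signature verified before issuer, audience and expiry are read, and only then does the gateway consult its local view of the tenant's provisioned things. Revocation in the directory takes effect immediately even for tokens that are still cryptographically valid, which is the reason the architecture keeps device registration under the IAM platform rather than in the token alone.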


Glossary

CRM: Customer Relationship Management

DCS: Distributed Control System

Edge Device: In the context of IIoT, edge devices or edge components can be regarded as application layer gateways between the IT and OT domains. Edge devices may translate between one type of network protocol and another.

Entity: An entity is something that exists as itself, as a subject or as an object, actually or potentially, concretely or abstractly, physically or not. Reference: https://en.wikipedia.org/wiki/Entity

ERP: Enterprise Resource Planning

FIDO: The Fast IDentity Online (FIDO) Alliance is a 501(c)6 non-profit organization nominally formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. Reference: https://fidoalliance.org

Identity: A digital identity is information on an entity used by computer systems to represent an external agent. The agent may be a person, organization, application or device. ISO/IEC 24760-1 defines identity as a "set of attributes related to an entity". Reference: https://en.wikipedia.org/wiki/Digital_identity

ICS: Industrial Control Systems

IIoT: Industrial Internet of Things

IoT: Internet of Things

MES: Manufacturing Execution Systems

MFA: Multi-Factor Authentication

MISP: Modular Identity Service Platform. Reference: see this document, page 10

OAuth: The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. Reference: https://tools.ietf.org/html/rfc6749

OpenID Connect: OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end user based on the authentication performed by an authorization server and obtain basic profile information about the end user in an interoperable and REST-like manner. Reference: https://openid.net/connect/

PLC: Programmable Logic Controllers

PLM: Product Lifecycle Management

REST: Representational State Transfer (REST) or RESTful Web services are one way of providing interoperability between computer systems on the Internet. REST-compliant Web services allow requesting systems to access and manipulate textual representations of Web resources using a uniform and predefined set of stateless operations. Reference: https://en.wikipedia.org/wiki/Representational_state_transfer

SCADA: Supervisory Control and Data Acquisition

SCIM: The System for Cross-domain Identity Management (SCIM) specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier to support via a standardized service. Reference: https://tools.ietf.org/html/rfc7644

SSO: Single Sign-On

UISA: Universal Identity Service Architecture. Reference: see this document, page 10

UMA: User-Managed Access (UMA) is a profile of OAuth 2.0. UMA defines how resource owners can control protected-resource access by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers and where a centralized authorization server governs access based on resource owner policies. Reference: https://docs.kantarainitiative.org/uma/rec-umacore.html


Atos, the Atos logo, Atos Syntel and Unify are registered trademarks of the Atos group. June 2019 © Copyright 2019, Atos S.E. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.

About Atos

Atos is a global leader in digital transformation with over 110,000 employees in 73 countries and annual revenue of over € 11 billion. European number one in Cloud, Cybersecurity and High-Performance Computing, the Group provides end-to-end Orchestrated Hybrid Cloud, Big Data, Business Applications and Digital Workplace solutions. The group is the Worldwide Information Technology Partner for the Olympic & Paralympic Games and operates under the brands Atos, Atos Syntel, and Unify. Atos is a SE (Societas Europaea), listed on the CAC40 Paris stock index. The purpose of Atos is to help design the future of the information technology space. Its expertise and services support the development of knowledge, education as well as multicultural and pluralistic approaches to research that contribute to scientific and technological excellence. Across the world, the group enables its customers, employees and collaborators, and members of societies at large to live, work and develop sustainably and confidently in the information technology space.

Find out more about us: atos.net, atos.net/careers

For more information: evidian.com