Capgemini ses - security po v (gr)

the way we do it

Identity and Access Management


Contents

Business Rationale
Services
Benefits of Identity and Access Management
Our Solution
Our Approach
The Capgemini Advantage
Near-future Developments
About Us


Identity and Access Management is a central asset in today's enterprise landscape. It comprises processes and information technologies that are interrelated and mutually dependent on all business areas. If planned and implemented well, it ultimately helps strengthen regulatory compliance, secure operations and improve operational agility.

Capgemini's vision of Adaptive Security(SM) places Identity and Access Management technology as the core component of the Integrated Security Infrastructure method.


Business Rationale

Identity and Access Management fuses technology and process in a way that impacts both the cost base and productivity of an organization.

Business has always been about relationships. Whether they're with customers, employees or partners, relationships are one of the most valuable assets in business. Electronic identities are increasingly used to create and maintain these relationships and therefore are an important enabler for e-business or public services.

There is also a close and vital relationship between business processes, business functions, the organizational structure, the identities and the resources used. As a result, data requires context-driven access management to support the interaction between different identities. IT departments need to be able to adapt access management to the ways in which systems are actually used.

The character of these relationships has changed substantially over the years, making their effective management essential. First, the relationships now span beyond the organizational boundary and form the basis of extended business processes that connect the organization with its suppliers and customers. Second, their nature is becoming more dynamic, reflecting the changing business models. Finally, the number of relationships today is much bigger than at any time in the past. As a result, organizations today must maintain a network of dynamic relationships between customers, employees and partners to continuously adapt to the changing environment. Simultaneously, they must do this in a way that provides a safe and secure platform upon which they can conduct their business.

Organizations have deployed, and continue to deploy, a range of (information) systems that are changing rapidly and extend beyond organizational boundaries. There is increased and complex exchange of data, and more storage of data in various places and in different formats. Data sets are increasingly interdependent, and central administration is used more. Today's diverse communities of users all need access to the right information at the right time.

Legislators and regulators are increasing the requirement for organizations to demonstrate that they are adequately managing risks to the value of their information assets. This value can be impacted by threats to information confidentiality, integrity and availability. Breaches of information security can cause direct financial losses, directly impact customers, adversely affect reputation and brand, and even reduce the value of shareholders' equity. In addition, legislative and regulatory pressure is creating increased demand for individual traceability and accountability. For these reasons, organizations need to place Identity and Access Management at the center of their information security strategies.

This paper provides an insight into what Identity and Access Management comprises, what it can deliver, and what Capgemini can offer in this space. We also take a look at the future with our TechnoVision and near-future developments.


Services

An Identity and Access Management system can administer the authentication and entitlement of users to access a resource. It identifies the user and the context and determines what the user can access. It also determines what the user can do, and protects the information by signaling when the security has been compromised. However, an Identity and Access Management system needs to do much more than simply regulate access; it must also manage the lifecycle of the user, the resources and the access. Otherwise, every time a customer, vendor, or employee changes status, the process of updating access privileges would waste precious man hours and drive up costs. To handle these different requirements, an Identity and Access Management system is composed of different services:

Service: Authenticate Subject (administrative functions behind identities, i.e. Identity Management)
Functionality:
• Identity Directory Service
• Joiners/Movers/Leavers Services
• Management of the user's identifiers
• Identity Federation
• White pages/Yellow pages
• Management of (strong) authentication

Service: Access Resource (entitlement, i.e. Access Management)
Functionality:
• Rule Management, Business Role and Profile Management (what is a subject allowed to do with a resource, under what conditions/in what context)
• User Self-Services, Delegated Services and Admin
• Workflows (management)
• Provisioning of user accounts and access
• Management of physical access
• Application Policy Enforcement/Management
• Single Sign On
• Real-time control of access to objects/resources

Service: Monitoring
Functionality:
• Audit and Reporting
• Re-Certification (Attestation)
• Alarm & Event Management
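The lifecycle, provisioning and attestation services listed above can be made concrete with a small model. The following Python sketch is an added illustration and is not code from Capgemini or from this paper; the role catalogue, the separation-of-duties rule and the user names are constructed for the example. It derives entitlements from business roles, applies Joiner/Mover/Leaver events, reconciles the target-system state (provisioning), rejects a role combination that breaks separation of duties, and produces a re-certification report of entitlements that no current role explains, including an account that survives a leaver.

```python
"""Toy identity lifecycle and entitlement model (added illustration, not Capgemini code).

Business roles map to entitlements; Joiner/Mover/Leaver events change roles; provisioning
reconciles target systems with the role-derived state; re-certification reports drift.
All role names, rules and identities below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: business role -> set of (resource, permission).
ROLE_CATALOG = {
    "employee": {("intranet", "read"), ("mail", "use")},
    "ap_clerk": {("payments", "create")},
    "ap_approver": {("payments", "approve")},
    "hr_generalist": {("hr_records", "read"), ("hr_records", "update")},
}

# Constructed separation-of-duties rule: these roles may never be held together.
SOD_CONFLICTS = [frozenset({"ap_clerk", "ap_approver"})]


@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)
    active: bool = True
    # Entitlements actually present on the target systems (what provisioning produced).
    provisioned: set = field(default_factory=set)


class IdentityStore:
    def __init__(self):
        self.identities = {}

    def joiner(self, uid, roles):
        """Create the identity; every joiner gets the baseline 'employee' role."""
        if uid in self.identities:
            raise ValueError(f"identity {uid} already exists")
        roles = set(roles) | {"employee"}
        self._check_sod(roles)
        self.identities[uid] = Identity(uid, roles)
        return self.reconcile(uid)

    def mover(self, uid, add=(), remove=()):
        """Change roles; SoD is checked on the resulting set before anything changes."""
        ident = self._get(uid)
        new_roles = (ident.roles - set(remove)) | set(add)
        self._check_sod(new_roles)
        ident.roles = new_roles
        return self.reconcile(uid)

    def leaver(self, uid):
        """Disable the identity; reconcile then revokes everything role-derived."""
        ident = self._get(uid)
        ident.active = False
        ident.roles = set()
        return self.reconcile(uid)

    def desired(self, uid):
        """Role-derived entitlements; an inactive identity is entitled to nothing."""
        ident = self._get(uid)
        want = set()
        if ident.active:
            for role in ident.roles:
                want |= ROLE_CATALOG[role]
        return want

    def reconcile(self, uid):
        """Provisioning step: compute (grants, revokes) and apply them to the target state."""
        ident = self._get(uid)
        want = self.desired(uid)
        grants, revokes = want - ident.provisioned, ident.provisioned - want
        ident.provisioned = set(want)
        return grants, revokes

    def recertify(self):
        """Attestation: entitlements present on systems that no current role explains."""
        findings = []
        for ident in self.identities.values():
            unexplained = ident.provisioned - self.desired(ident.uid)
            for ent in sorted(unexplained):
                findings.append((ident.uid, ent, "active" if ident.active else "left"))
        return findings

    def _check_sod(self, roles):
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                raise PermissionError(f"separation of duties: {sorted(pair)} may not be combined")

    def _get(self, uid):
        return self.identities[uid]


def run_demo():
    """Constructed scenario: returns (sod_blocked, recertification findings)."""
    store = IdentityStore()
    store.joiner("alice", ["ap_clerk"])
    store.joiner("bob", ["ap_approver"])
    try:  # alice may not also approve the payments she creates
        store.mover("alice", add=["ap_approver"])
        sod_blocked = False
    except PermissionError:
        sod_blocked = True
    # Drift 1: an admin grants alice HR read directly on the target, bypassing roles.
    store.identities["alice"].provisioned.add(("hr_records", "read"))
    store.leaver("bob")
    # Drift 2: bob's approval right was not actually removed on the payments system.
    store.identities["bob"].provisioned.add(("payments", "approve"))
    return sod_blocked, store.recertify()


if __name__ == "__main__":
    blocked, findings = run_demo()
    print("SoD violation blocked:", blocked)
    for uid, ent, status in findings:
        print(f"recertify {uid} ({status}): {ent}")
```

Running the scenario blocks the conflicting role change and reports two items for attestation: alice's direct HR grant, which no role explains, and bob's lingering approval right on the payments system after he has left. Real products replace the in-memory dictionaries with a directory and connectors to the target systems, but the shape of the three services (lifecycle, provisioning, re-certification) is the same.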


Benefits of Identity and Access Management

Identity and Access Management fuses technology and process in a way that impacts both the productivity of an organization and its bottom line. This gives an organization three different ways to justify a strong Identity and Access Management strategy: one focuses on the cost of avoidance, while the others describe the benefit of this approach:

1. Cost of Non-Investment (CONI)
• Failure to improve business facilitation and service levels
• Inability to improve security through lifecycle management of joiners, movers and leavers
• Regulatory non-compliance
• Inflexible IT infrastructure that cannot adapt to changing user communities and behavior.

2. Total Cost of Ownership (TCO) benefit
• Reduced operational costs through automation and streamlining of IT administration processes
• Reduced lead time and cost of new application development.

3. Return on Investment (ROI) benefit
• Improved productivity and user experience
• Enables secure (online) business models
• Improved ability to cope with organizational and business changes
• Savings on per-user software licenses.


Our Solution

It is clear that there is a major dependence between Identity and Access Management and Enterprise Architecture as far as governance, risk management and compliance are concerned. Our Identity and Access Management Framework, which is at the basis of our solution, provides views of technical, organizational and business aspects of Identity and Access Management.

The unique aspect of Capgemini's Identity and Access Management Framework is its flexibility. Partitioning of the Identity and Access Management landscape into distinct process and technology parcels delivers flexibility. This provides a solution that allows for phased implementation and migration to the new infrastructure and business processes.

Capgemini's vision for Identity and Access Management sees it working as an Invisible Infostructure (1) connecting and integrating various technology and departmental islands. From a technical perspective, identity infrastructure consists of user security and registration functionality that is underpinned by directory and integration services, and supported by advanced administration services. Related business processes and services then leverage the identity infrastructure. From an organizational perspective, Identity and Access Management elaborates on and extends the security and risk management organization.

Figure 1: Identity & Access Framework

[Figure: framework diagram in three columns, Design, Completion and Resources, relating business processes (Business process 1, Business process 2, HR process, Department process) to activities A1 to A10. The numbered elements of the framework are:]

1. Security Realization
2. Application and Information system functional design: defining which authorizations are necessary for which activities.
3. Authorization management: presenting authorizations in a form that the business can understand and can act upon.
4. Business Operations: the use and maintenance of the authorizations made available.
5. Service & Provisioning: release of authorizations and/or information/extra resources.
6. Systems and applications: Non-Personal Accounts, ACL and Profile Management.
7. Business Architecture: organizational structure.
8. HR and process registration. Registration of:
• which activities belong to which role
• which employee has which role in which context
• which role is available in what organizational structure
• which process activities belong to which organizational structure
9. Daily use
10. Identity services

Role types used in the model: CR catalog role, BR business role, PSR process sub role, OSR organizational role, FSR functional sub role.

Functional Track
Design and Implementation of:
• Security policy
• Separation of Duty
• Ownership
• New IAM processes
• Role model structure
• Governance
• Authoritative sources
• Application administration

Technical Track
Design and Implementation of:
• User management tooling
• IAM tooling
• IAM tooling governance
• IAM reporting (Ist/Soll, i.e. as-is versus to-be)

Execution Track
Design and Implementation of:
• Roll-out plan
• Communication plan
• Migration plan
• Education / Awareness

(1) Invisible Infostructure is the end-state of infrastructure as we currently know it, using virtualization, grid and automated management technologies to deliver infrastructural services as a commoditized, preferably invisible, utility.


Our Approach

We employ a three-stage approach to the development of an Identity and Access Management infrastructure. This begins with careful planning, which then transitions into preparation, followed by the final implementation of the solution.

In the planning stage, we focus on understanding and capturing the high-level business (functional) and technical context. This is achieved by utilizing a combination of focused interviews and facilitated sessions with key stakeholders. From this information, we can identify benefits and concerns and provide the justification for the expenditure.

The preparation stage identifies the particulars of the technical solution and relevant user processes. We refine the understanding of the current technical landscape and develop a technical solution blueprint. Products are considered based on the requirements. Finally, a roadmap comprising the initiatives required to implement the blueprint is developed.

In parallel, we model the relevant user and business processes to ensure cohesion with the technical solution. This allows us to streamline the administration processes to gain operational efficiencies. Finally, we develop user training and communication modules to ensure a smooth rollout.

The implementation stage realizes the components of the technical solution, such as directory integration and consolidation, provisioning, authorization, authentication services and application integration. This stage also puts in place the operational processes for the governance of Identity and Access Management.

Our experience has taught us that security technologies are not 'point' solutions. They require careful planning and should be considered as the strategic component of an Integrated Security Infrastructure. There is no 'one size fits all' solution, as the needs and characteristics of each organization vary widely. The chosen model must fit the characteristics of the organization. Identification and authentication receive more focus in the educational sector: think about e-exams. Is the person taking the exam really the student the exam is intended for? Access itself is the same for all students. In other sectors it is different. In the health sector, for example, logging (audit-based access control) is more important: a first aid team needs instant access, but must be able to justify that access afterwards. In the finance sector, least privilege, compliance and separation of duties are the important factors.


The Capgemini Advantage

It is crucial to be able to identify what the current situation is and to have knowledge of the various approaches in use. One must also be able to translate demands into technical, functional and organizational elements in order to develop a consistent, safe, effective and efficient strategy for Identity and Access Management.

Our advantage in the field of Identity and Access Management is built on our experience, our capabilities and strategic alliances.

We have considerable experience with various types of Identity and Access Management engagements ranging from organization strategy, solution architecture and business change consultancy assignments, through to the implementation and integration of technical solutions. These engagements have been carried out in diverse commercial and public environments.

Capgemini's expertise embraces both commercial and public security. We have, for example, proven capabilities in iris identification at borders, mobile digital fingerprinting supporting police departments on the front line, and automatic number plate recognition, video identification and integration of physical and logical access. These are all examples of Identity and Access Management.

Our consultants and engineers with vast expertise in this area are networked globally via our Identity and Access Management Center of Competence, actively sharing knowledge and experience. To maintain our advantage, we conduct regular market surveys and internal product research studies. Capgemini also closely follows the development of relevant emerging standards such as those developed by OASIS, and our experts have access to research by analysts such as Gartner, IDC, Burton and the Open Group. We often present aspects of Architecture and Security to and from these groups.

Our ability to deliver Identity and Access Management solutions is further strengthened by our strong alliances with leading Identity and Access Management vendors such as IBM, Microsoft, Sun, CA, SAP, Oracle and BMC. The scope and nature of our alliance activities ensure that we maintain impartiality in consultancy assignments, while leveraging maximum advantage on systems integration assignments.

The Intelligence Grid®

A recognition of the importance of collaborative behavior in response to this complex environment prompted Capgemini's launch of a new approach to Public Security technology in 2006. We called this concept the Intelligence Grid®, an innovative concept that improves internal efficiencies and opens up enhanced avenues of collaboration. Founded on the sound principles of Service-Oriented Architecture, the Intelligence Grid® approach allows the smooth interoperability of Public Security systems, enabling the active and efficient collaboration needed between different government agencies as well as different governments.

Capgemini Public Security recognizes Identity and Access Management as the core of the Intelligence Grid®.


Near-Future Developments

Capgemini is deeply rooted in the fast changing business and IT environment, and is constantly upgrading capabilities to stay current with the latest innovation in the marketplace. In many cases, we have taken a thought leadership role to lead the way. There are various new developments where Identity and Access Management plays an important function:

• Web 2.0
• Mashups
• Federation
• Trust(ed brokers)
• Data classification, Data leakage and Deperimeterization
• Rightshore®
• Shared services, one authoritative source
• Service Orientation
• Identity fraud/theft and Privacy protection
• User Centricity and Lifelong personal identity
• Lifecycle Management
• Trend analysis and (real-time) monitoring
• Integration of physical & logical identities and access.

With the evolution of Web 2.0, which is focused on the enablement of unstructured collaboration, it will be harder to associate an identity to a predefined role. It will become more critical for enterprises to secure their information through management of application policies. The system needs to be more responsive to autonomous system users in heterogeneous environments. Management of application policies has to be organized in a hierarchical structure that is defined at the enterprise level, while at the same time delegating granular policy definitions to the business unit level. Management of these policies can be addressed through effective Identity and Access Management and its consistent security services and business rules.

Another development around Web 2.0 is user centricity. Service-specific identities are managed transparently. On the one hand, a user can create as many identities as he or she wishes and has full control over his or her privacy (e.g., pseudonyms). Identities and attributes become independent from identity providers, and can be freely moved between providers. On the other hand, life-long personal identities store more personal data about someone, including biometric (non-changeable) aspects. Because of this, identity information (financial, medical, biometric, etc.) needs special attention, and privacy friendly service discovery and search techniques are expected to emerge in the near future.

Figure 2: [maturity model diagram; axes: Mindset (Reactive / Managed / Agile) and Execution (IT-centric / Business Aligned / Ecosystem Integrated); capabilities placed on the model: Role Based Access Control, Delegated Administration, Integrated Identity, Rule Based Access Control, Advanced Self Service, Business Process Alignment, Federation, Context Based Access Control, User Centric Identity]


The Open Group – Jericho Forum

Capgemini is a founder and member of the Jericho Project Research Group (as part of The Open Group). It focuses on defining new security architectures and a security roadmap for implementing networks without perimeters. In order to design and build a de-perimeterized network solution, a combination of at least the following modules is needed: secure communications, inherently secure computer protocols, endpoint security, adequate authentication and authorization of all the entities, accounting, trust brokering services, and automatic data classification on multiple security levels. It places Identity and Access Management as a major cluster.

TechnoVision 2012

Our "TechnoVision 2012" provides a clear picture of the information technologies that are the most relevant to users and sheds some light on how these technologies and their evolution will impact business. It places Identity and Access Management in various clusters:

• 'User Management' as part of the YOU Experience
• 'Real-Time Business Process Control' and 'Composite Applications' as part of Process-on-the-Fly
• Identity and Access Management is essential in order to be able to 'Thrive on Data'. This includes 'Mastered' Data Management (Data Governance)
• 'Software-as-a-Service' as part of the Sector-as-a-Service
• 'Deperimeterized Jericho style Security and Identity' as part of the Invisible Infostructure
• And the virtual Service Orientation cluster.

About Us

Capgemini, one of the world's foremost providers of consulting, technology and outsourcing services, enables its clients to transform and perform through technologies.

Capgemini provides its clients with insights and capabilities that boost their freedom to achieve superior results through a unique way of working, the Collaborative Business Experience®, and through a global delivery model called Rightshore®, which aims to offer the right resources in the right location at competitive cost. Present in 36 countries, Capgemini reported 2007 global revenues of EUR 8.7 billion and employs over 86,000 people worldwide.

More information about our services, offices and research is available at www.capgemini.com

Copyright © 2008 Capgemini. All rights reserved.


For more information contact:

Gord Reynolds
Utility Practice Leader
Global Smart Energy
[email protected]
+1-416-732-2200

www.capgemini.com