Page 1: Paradigmo specialised in Identity & Access Management

Company presentation

Olivier Naveau, Managing Director

Page 2

Our history of IAM

Page 3

Access control is on top of the priority list!

As stated by Deloitte in their GFSI Security Survey, top external audit findings are about excessive access rights, segregation of duties and access control compliance.

http://www.deloitte.com/gfsi/securitysurvey

Page 4

Why does access control remain difficult?

Objectives: Who are my users? What do they have access to? Are these accesses legitimate?

Landscape:

Business applications are developed in silos; IAM implies horizontal integration.

Multiplication of the number of users and of the number of applications.

Evolving landscape: cloud, mobile, social, compliance, liability.

Page 5

Identity & Access Management

A structured approach

Page 6

Structured approach to Identity & Access Mgmt

1. Data model

2. Functions & Processes

3. Key components

4. Business values

Page 7

1. Data model: administer IAM data

Identity data
•  Identities
•  Attributes (contractual status, dates, job description, location)
•  Manager
•  Organization
•  Accounts

Access data
•  Business roles
•  Technical roles (or profiles)
•  Applications
•  Entitlements
•  Policies (or access rights): who, what, what for, condition

Activity data
•  Authentication requests
•  Access requests
•  Changes to Identity data
•  Changes to Access data

Page 8

1. Data model: the power of Brainwave

Page 9

2. Identity & Access Management processes

Administer IAM data: Identity data, Access data

Access (or use) IAM data: Authenticate, Authorize, Federate

Control IAM data: Analyse, Audit, Comply

Page 10

2. Identity & Access Management processes

Administer IAM data ... is the construction phase of identity, and subsequently providing it with a "personality" by assigning attributes, entitlements, credentials. It provides the create/maintain/retire capabilities of IAM. Administration also provides the platform for intelligence: a means to make sense of the identity and access events.

Access (or use) IAM data ... serves as a foundational platform to facilitate authentication and authorization, and the capabilities within them, from single sign-on to entitlements resolution and enforcement of access decisions. Access is the "engine" of IAM that takes identities and their information and uses them to effect.

Control IAM data ... generates reports for auditors, provides real-time monitoring for operations and delivers the analytics necessary for analysts and business stakeholders to make intelligent, actionable decisions in the business and in IT.

Page 11

3. Key components

Diagram: Technologies, Processes, People (rely on, support, sustain)

Cendio® ThinLinc®

Page 12

4. Business values: identify and measure KPIs

KPIs

Efficiency of operations

Effectiveness of security

Enablement of business

Page 13

Paradigmo's proposal

Identity & Access Management

Identity Intelligence

Virtual Desktop Infrastructure

Page 14

Paradigmo's proposal is process based

Administer IAM data

Access (or use) IAM data

Control IAM data

Boost user mobility

Cendio® ThinLinc®

Page 15

Administer IAM data: the theory

Diagram labels: Account, Rules, Roles, Requests, Attributes, Actions, Objects, Policies, Conditions

Role management, Policy management

Page 16

Administer IAM data: a standard use case

Diagram labels: Human resources, Signaletic attributes, User form (C,U,D), Access form, Mandates, Profiles, Coarse-grained, Fine-grained, Applications, Databases, File Share, Active Directory, Microsoft

Page 17

Administer IAM data: Policy Manager

Policy Manager (PAP):
-  Applications
-  Roles
-  URLs
-  Business Transactions
-  Conditions
-  Coarse-grained access matrix
-  Fine-grained access matrix

Diagram labels: Corporate LDAP, FAS, Attributes, Mandates, Roles, Policies activation

Scope: ~140 internal applications, ~30 external applications

Page 18

Administer IAM data: ABAC implementation

Application

Roles (LDAP filter)

Coarse-grained matrix: URL, Allow/Deny, Condition (LDAP filter); keyed on <URL, [GET|POST]>

Fine-grained matrix: Roles (LDAP filter), BT (business transaction), Allow/Deny, Condition (LDAP filter); keyed on <Resource, Action>

Scope: ~140 internal applications, ~30 external applications
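As an added illustration (not the deck's own code or any vendor's product), the two-level ABAC evaluation described on this slide: roles and conditions are LDAP filters evaluated against the user's directory attributes, a coarse-grained matrix gates the <URL, method> pair and a fine-grained matrix gates the <resource, action> business transaction. The filter evaluator is restricted to equality terms with &, | and ! composition, and every policy row and user record below is constructed for the example.

```python
# Minimal evaluator for LDAP filters of the form (attr=value), (&...), (|...), (!...).
# Assumption: equality-only terms, which is enough for role and condition predicates.
def ldap_match(flt, attrs):
    flt = flt.strip()
    assert flt[0] == "(" and flt[-1] == ")", "malformed filter"
    body = flt[1:-1]
    if body[0] in "&|!":
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        results = [ldap_match(p, attrs) for p in parts]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, value = body.split("=", 1)
    return value in attrs.get(attr, [])  # LDAP attributes are multi-valued

# Constructed sample policy: coarse-grained matrix keyed on <URL, method>,
# fine-grained matrix keyed on <resource, action> (the "business transaction").
COARSE = [  # (roles filter, url, method, decision, condition filter)
    ("(role=taxofficer)", "/tax/file", "GET", "allow", "(contract=active)"),
    ("(role=taxofficer)", "/tax/file", "POST", "allow", "(&(contract=active)(site=brussels))"),
    ("(!(role=taxofficer))", "/tax/file", "GET", "deny", "(objectClass=person)"),
]
FINE = [  # (roles filter, resource, action, decision, condition filter)
    ("(role=taxofficer)", "taxfile", "read", "allow", "(contract=active)"),
    ("(|(role=taxofficer)(role=manager))", "taxfile", "approve", "allow", "(grade=senior)"),
]

def decide(matrix, key, attrs):
    """First matching row wins; deny by default when no row matches."""
    for roles, k1, k2, decision, condition in matrix:
        if (k1, k2) == key and ldap_match(roles, attrs) and ldap_match(condition, attrs):
            return decision
    return "deny"

def authorize(attrs, url, method, resource, action):
    # Coarse-grained gate on the HTTP request first, then fine-grained check of the transaction.
    if decide(COARSE, (url, method), attrs) != "allow":
        return "deny"
    return decide(FINE, (resource, action), attrs)
```

Both matrices fall through to deny, so a user whose role filter matches but whose condition filter fails is refused at whichever level the condition sits.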

Page 19

Access (or use) IAM data: concepts

Identity Provider (IDP), Service Provider (SP), Applications

Page 20

Why ForgeRock? (Administer IAM data; Access (or use) IAM data)

✓ All-in-one Unified Open Identity Stack

✓ Easy to install and to operate: one single process delivers all functions

✓ Simple and scalable to cope with Internet scale

✓ Simple and flexible to cope with new concepts

✓ Support and extensibility capabilities (developer friendly)

✓ Subscription model, no cost until the Enterprise build is used in production

Page 21

Why ForgeRock? (Administer IAM data; Access (or use) IAM data)

FedICT delivers the Federal Authentication Service (FAS), the reference public IDP service in Belgium, based on OpenAM.

FPS Finance delivers AuthN, AuthZ & SSO of internal (~140) and external (~30) applications based on OpenSSO.

Toyota implemented AuthN & AuthZ of "things" on OpenAM. For internal apps, the migration is ongoing.

Luxair provides AuthN, AuthZ & SSO for home-developed applications using OpenAM.

BNP PIP uses OpenDJ to provide central authentication of Unix administrators and users.

Clinique Saint-Luc provides AuthN, AuthZ & SSO of commercial applications using OpenAM.

Page 22

Control IAM data: use cases

Who are my users? What do they have access to? Are these accesses legitimate?

How do I communicate on the role structure of my organization?

How do I clean up data before an IAM deployment?

Page 23

Why Brainwave? (Control IAM data)

✓ Control-oriented approach: it rebuilds the AM theoretical model from <accounts, entitlements>

✓ Low footprint on the organization: it applies the ETL method for data loading

✓ Data model is complete and agnostic

✓ BI principles applied to Identity for online investigations or reporting

✓ Full history built through successive snapshots

➢ Quickly delivers concrete results

Page 24

Boost user mobility: use cases

✓ Provide a feature-rich VDI infrastructure at an optimized cost

✓ Provide fast hot-desking. Typically, nurses in hospitals and clinics

✓ Support remote sites or home workers

✓ Implement 'BYOD' projects

✓ Support advanced graphics

✓ Optimize performance of Java applications (when there are network latencies)

✓ Support Windows and Linux desktops

✓ Lower noise level in training rooms

✓ Secure sterile environments

Page 25

Boost user mobility: innovative and cost-effective solution

Desktop access, Desktop management, Desktop virtualisation

•  IGEL thin client (Windows or Linux)
•  IGEL UDC (Desktop converter)
•  IGEL UMS (Mgmt suite)
•  HW: Card reader, WIFI
•  SW: PowerTerm, Codec
•  All included in purchase price

Cendio® ThinLinc®

•  Desktop and application virtualization
•  Session server, fast hot-desking support
•  Mixed Windows and Linux desktop support
•  Advanced Graphics support
•  Optimized network performance
•  Concurrent licensing, subscription model

Page 26

Boost user mobility: reference deployment

Project objectives

✓ Replace 1200 desktops whilst optimizing costs

✓ Support current business requirements, including hot-desking for nurses

✓ Build capacity to ease future deployments

✓ Support emerging concepts (mobile, cloud…)

Project achievements

➢ IGEL Thin Client + IGEL UDC + IGEL UMS

➢ IGEL / Cendio ThinLinc / Smartcard integration

➢ Windows 2012 TS server farm

➢ Cendio ThinLinc multi-client, network optimized technology

Page 27

Questions & answers

Olivier Naveau, Managing Director

[email protected]