Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Paradigmo specialised in Identity & Access Management
Ähnlich wie Paradigmo specialised in Identity & Access Management (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Paradigmo specialised in Identity & Access Management
- 1. Company presenta-on Olivier Naveau Managing Director
- 2. 2 Our history of IAM
- 3. 3 Access control is on top of priority list! As stated by Deloi.e in their GFSI Security Survey, top external audit findings are about excessive access rights, segrega>on of du>es and access control compliance. h.p://www.deloi.e.com/gfsi/securitysurvey
- 4. 4 Why access control remains difficult? Who are my users? What do they have access to? Are these accesses legitimate? Objectives Landscape Business applications are developed in silos. IAM implies horizontal integration. Multiplication of # of users and of # of applications. Evolving landscape: cloud, mobile, social, compliance, liability
- 5. Iden-ty & Access Management A structured approach
- 6. 6 Structured approach of Iden-ty & Access Mgmt 1. Data model 2. Func>ons & Processes 3. Key components 4. Business values 6
- 7. 7 1. Data model: administer IAM data Identity data • Identities • Attributes (contractual status, dates, job description, location) • Manager • Organization • Accounts Access data • Business roles • Technical roles (or profiles) • Applications • Entitlements • Policies (or access rights) (who, what, what for, condition) Activity data • Authentication requests • Access requests • Changes to Identity data • Changes to Access data
- 8. 8 1. Data model: the power of Brainwave
- 9. 9 2. Iden-ty & Access Management processes Administer IAM data Access (or use) IAM data Control IAM data Access data Identity data Authenticate Authorize Federate Analyse Audit Comply
- 10. 10 2. Iden-ty & Access Management processes Administer IAM data Access (or use) IAM data Control IAM data ... is the construc>on phase of iden>ty, and subsequently providing it with a "personality" by assigning a.ributes, en>tlements, creden>als. It provides the create/maintain/ re>re capabili>es of IAM. Administra>on also provides the plaPorm for intelligence: a means to make sense of the iden>ty and access events. ... serves as a founda>onal plaPorm to facilitate authen>ca>on and authoriza>on, and the capabili>es within them, from single sign-‐on to en>tlements resolu>on and enforcement of access decisions. Access is the "engine" of IAM that takes iden>>es and their informa>on and uses them to effect. ... generates reports for auditors, provides real-time monitoring for operations and delivers the analytics necessary for analysts and business stakeholders to make intelligent, actionable decisions in the business and in IT.
- 11. 11 Techno- logies 3. Key components ProcessesPeople rely on support sustain Cendio® ThinLinc ®
- 12. 12 4. Business values: iden-fy and measure KPIs KPIs Efficiency of opera>ons Effec>veness of security Enablement of business
- 13. Iden-ty & Access Management Iden-ty Intelligence Virtual Desktop Infrastructure Paradigmo’s proposal
- 14. 14 Paradigmo’s proposal is process based Administer* IAM*data* Access*(or*use)* IAM*data* Control* IAM*data* Cendio® ThinLinc ® Boost** user*mobility*
- 15. 15 Account Administer IAM data The theory Rules Roles Requests Attributes Actions Objects Policies Conditions Role management Policy management
- 16. 16 File Share Active Directory Microsoft Applica>ons Human resources Signaletic Attributes Coarse-grained Fine-grained User form (C,U,D) Access form Mandates Administer IAM data A standard use case Databases Profiles
- 17. 17 PAP Policy Manager: - Applications - Roles - URLs - Business Transactions - Conditions - Coarse-grained access matrix - Fine-grained access matrix Corporate LDAP Mandates FAS AUributes AUributes Mandates Roles Scope: ~140 internal applications ~30 external applications Policies ac-va-on Administer IAM data Policy Manager
- 18. 18 Applica-on Roles (LDAP filter) Coarse grained matrix URL Allow Deny Condi>on (LDAP filter) Roles (LDAP filter) Fine grained matrix BT Allow Deny Condi>on (LDAP filter) <URL, [GET|POST]> <Resource, Ac-on> Administer IAM data ABAC implementa-on Scope: ~140 internal applications ~30 external applications
- 19. 19 Access (or use) IAM data Identity Provider (IDP) Service Provider (SP) Applica>ons Concepts
- 20. 20 Why ForgeRock? ü All-‐in-‐one Unified Open Iden>ty Stack ü Easy to install and to operate: one single process delivers all func>ons ü Simple and scalable to cope with Internet scale ü Simple and flexible to cope with new concepts ü Support and extensibility capabili>es (developer friendly) ü Subscrip>on model, no cost un>l Enterprise build is use in produc>on Administer* IAM*data* Access%(or%use)% IAM%data%
- 21. 21 FedICT delivers Federal Authen>ca>on Service (FAS), the reference public IDP service in Belgium, based on OpenAM. FPS Finance delivers AuthN, AuthZ & SSO of internal (~140) and external (~30) applica>ons based on OpenSSO. Toyota implemented AuthN & AuthZ of “things” on OpenAM. For internal apps, the migra>on is ongoing. Luxair provides AuthN, AuthZ & SSO for home-‐developed applica>ons using OpenAM. BNP PIP uses OpenDJ to provide central authen>ca>on of Unix administrators and users. Clinique Saint-‐Luc provides AuthN, AuthZ & SSO of commercial applica>ons using OpenAM. Why ForgeRock? Administer* IAM*data* Access%(or%use)% IAM%data%
- 22. 22 Use cases Control' IAM'data' Who are my users? What do they have access to? Are these accesses legitimate? How do I communicate on the role structure of my organization? How do I clean up data before an IAM deployment?
- 23. 23 ü Control oriented approach: it rebuilds the AM theore>cal model from <accounts, en>tlements> ü Low footprint on organiza>on: it applies ETL method for data loading ü Data model is complete and agnos>c ü BI principles applied to Iden>ty for online inves>ga>ons or repor>ng ü Full history built through successive snapshots Ø Quickly delivers concrete results Why Brainwave? Control' IAM'data' D a t a
- 24. 24 ü Provide a feature-‐rich VDI infrastructure at an op>mized cost ü Provide fast hot-‐desking. Typically, nurses in hospitals and clinics ü Support remote sites or home workers ü Implement ‘BYOD’ projects ü Support advanced graphics ü Op>mize performance of Java applica>ons (when there are network latencies) ü Support Windows and Linux desktops ü Lower noise level in training rooms ü Secure sterile environments Boost%% user%mobility% Use cases
- 25. 25 Desktop( access( Desktop( management( Desktop( virtualisa3on( Cendio® ThinLinc ® • IGEL thin client (Windows or Linux) • IGEL UDC (Desktop converter) • IGEL UMS (Mgmt suite) • HW: Card reader, WIFI • SW: PowerTerm, Codec • All included in purchase price • Desktop and application virtualization • Session server, fast hot-desking support • Mixed Windows and Linux desktop support • Advanced Graphics support • Optimized network performance • Concurrent licensing, subscription model Boost%% user%mobility% Innova-ve and cost effec-ve solu-on
- 26. 26 Project objec>ves ü Replace 1200 desktops whilst op>mizing costs ü Support current business requirements, including hot-‐desking for nurses ü Build capacity to ease future deployments ü Support emerging concepts (mobile, cloud…) Project achievements Ø IGEL Thin Client + IGEL UDC + IGEL UMS Ø IGEL / Cendio ThinLinc / Smartcard integra>on Ø Windows 2012 TS server farm Ø Cendio ThinLinc mul>-‐ client, network op>mized technology Boost%% user%mobility% Reference deployment:
- 27. 27 Olivier Naveau Managing Director olivier.naveau@paradigmo.com Ques-ons & answers