3. Access control is at the top of the priority list!
As stated by Deloitte in their GFSI Security Survey, the top external audit findings are about excessive access rights, segregation of duties and access control compliance.
http://www.deloitte.com/gfsi/securitysurvey
4. Why does access control remain difficult?
Objectives
• Who are my users?
• What do they have access to?
• Are these accesses legitimate?
Landscape
• Business applications are developed in silos; IAM implies horizontal integration.
• Multiplication of the number of users and of the number of applications.
• Evolving landscape: cloud, mobile, social, compliance, liability.
6. Structured approach of Identity & Access Mgmt
1. Data model
2. Functions & Processes
3. Key components
4. Business values
7. 1. Data model: administer IAM data
Identity data
• Identities
• Attributes (contractual status, dates, job description, location)
• Manager
• Organization
• Accounts
Access data
• Business roles
• Technical roles (or profiles)
• Applications
• Entitlements
• Policies (or access rights): (who, what, what for, condition)
Activity data
• Authentication requests
• Access requests
• Changes to Identity data
• Changes to Access data
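As an added example (not from the slides), the data model above in a few lines of Python: business roles resolve to technical roles and entitlements, policies are (who, what, what for, condition) tuples evaluated against identity attributes, and every access request is written to activity data. The roles, entitlements and policies are constructed sample values.

```python
# Added example: minimal in-memory model of the IAM data model above.
# All role, entitlement and policy values are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Identity:
    uid: str
    attributes: dict              # contractual status, location, ...
    business_roles: set = field(default_factory=set)

# Access data (constructed sample): business roles -> technical roles -> entitlements
BUSINESS_TO_TECHNICAL = {"nurse": {"ehr_reader"}, "pharmacist": {"ehr_reader", "drug_order"}}
TECHNICAL_TO_ENTITLEMENTS = {"ehr_reader": {"ehr:read"}, "drug_order": {"ehr:read", "pharmacy:order"}}

# Policies: (who = technical role, what = action, what for = application/object,
# condition = predicate over identity attributes, or None for unconditional)
POLICIES = [
    ("ehr_reader", "read", "ehr", lambda a: a.get("status") == "active"),
    ("drug_order", "order", "pharmacy",
     lambda a: a.get("status") == "active" and a.get("location") == "hospital"),
]

def resolve_entitlements(identity):
    """Business roles -> technical roles -> entitlements."""
    tech = set().union(*(BUSINESS_TO_TECHNICAL.get(b, set()) for b in identity.business_roles))
    ents = set().union(*(TECHNICAL_TO_ENTITLEMENTS.get(t, set()) for t in tech))
    return tech, ents

def authorize(identity, action, obj, audit_log):
    """Deny by default; permit only if both an entitlement and a policy whose
    condition holds allow the (action, object) pair."""
    tech_roles, ents = resolve_entitlements(identity)
    decision = "deny"
    if f"{obj}:{action}" in ents:
        for who, what, what_for, cond in POLICIES:
            if who in tech_roles and what == action and what_for == obj:
                if cond is None or cond(identity.attributes):
                    decision = "permit"
                    break
    # Activity data: every access request is recorded for later control/audit.
    audit_log.append((identity.uid, action, obj, decision))
    return decision
```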
9. 2. Identity & Access Management processes
• Administer IAM data: Identity data, Access data
• Access (or use) IAM data: Authenticate, Authorize, Federate
• Control IAM data: Analyse, Audit, Comply
10. 2. Identity & Access Management processes
Administer IAM data ... is the construction phase of identity, subsequently providing it with a "personality" by assigning attributes, entitlements and credentials. It provides the create/maintain/retire capabilities of IAM. Administration also provides the platform for intelligence: a means to make sense of the identity and access events.
Access (or use) IAM data ... serves as a foundational platform to facilitate authentication and authorization, and the capabilities within them, from single sign-on to entitlements resolution and enforcement of access decisions. Access is the "engine" of IAM that takes identities and their information and puts them into effect.
Control IAM data ... generates reports for auditors, provides real-time monitoring for operations and delivers the analytics necessary for analysts and business stakeholders to make intelligent, actionable decisions in the business and in IT.
14. Paradigmo's proposal is process based
• Administer IAM data
• Access (or use) IAM data
• Control IAM data
• Boost user mobility (Cendio ThinLinc)
15. Administer IAM data: the theory
Account
• Role management: Rules, Roles, Requests, Attributes
• Policy management: Actions, Objects, Policies, Conditions
16. Administer IAM data: a standard use case
• Sources: Human resources (signaletic attributes), Mandates, Profiles
• Forms: User form (C,U,D), Access form
• Targets: File Share, Active Directory, Microsoft applications, Databases
• Granularity: coarse-grained and fine-grained access
17. Administer IAM data: Policy Manager
PAP (Policy Manager):
- Applications
- Roles
- URLs
- Business Transactions
- Conditions
- Coarse-grained access matrix
- Fine-grained access matrix
Inputs: Corporate LDAP (attributes, mandates), FAS (attributes), Mandates, Roles
Policies activation
Scope: ~140 internal applications, ~30 external applications
19. Access (or use) IAM data: concepts
Identity Provider (IDP), Service Provider (SP), Applications
20. Why ForgeRock? (Administer IAM data / Access (or use) IAM data)
• All-in-one Unified Open Identity Stack
• Easy to install and to operate: one single process delivers all functions
• Simple and scalable to cope with Internet scale
• Simple and flexible to cope with new concepts
• Support and extensibility capabilities (developer friendly)
• Subscription model, no cost until the Enterprise build is used in production
21. Why ForgeRock? (Administer IAM data / Access (or use) IAM data)
• FedICT delivers the Federal Authentication Service (FAS), the reference public IDP service in Belgium, based on OpenAM.
• FPS Finance delivers AuthN, AuthZ & SSO of internal (~140) and external (~30) applications based on OpenSSO.
• Toyota implemented AuthN & AuthZ of "things" on OpenAM. For internal apps, the migration is ongoing.
• Luxair provides AuthN, AuthZ & SSO for home-developed applications using OpenAM.
• BNP PIP uses OpenDJ to provide central authentication of Unix administrators and users.
• Clinique Saint-Luc provides AuthN, AuthZ & SSO of commercial applications using OpenAM.
22. Control IAM data: use cases
• Who are my users?
• What do they have access to?
• Are these accesses legitimate?
• How do I communicate on the role structure of my organization?
• How do I clean up data before an IAM deployment?
23. Why Brainwave? (Control IAM data)
• Control oriented approach: it rebuilds the AM theoretical model from <accounts, entitlements>
• Low footprint on organization: it applies the ETL method for data loading
• Data model is complete and agnostic
• BI principles applied to Identity for online investigations or reporting
• Full history built through successive snapshots
→ Quickly delivers concrete results
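An added example (not from the slides and not Brainwave's product code) of the control-oriented approach: <account, entitlement> rows extracted from applications are loaded ETL-style, candidate roles are rebuilt from accounts sharing identical entitlement sets, two successive snapshots are diffed to build history, and the three control questions from the use-case slide (who are my users, what do they have access to, is it legitimate) are answered with orphan-account and segregation-of-duties checks. The HR owner table and the SoD rule are constructed, hypothetical values.

```python
# Added example: control-oriented review of <account, entitlement> snapshots.
# ACCOUNT_OWNER and SOD_RULES are constructed sample data, not real policy.
from collections import defaultdict

# Identity data from HR (constructed): accounts absent here are orphans.
ACCOUNT_OWNER = {"jdoe": "John Doe", "asmith": "Anna Smith", "bkim": "Bo Kim"}

# Hypothetical segregation-of-duties rule: no account may hold both entitlements.
SOD_RULES = [("erp:create_vendor", "erp:approve_payment")]

def load_snapshot(rows):
    """ETL step: flatten extracted (application, account, entitlement) rows
    into account -> set of qualified entitlements."""
    acc = defaultdict(set)
    for app, account, ent in rows:
        acc[account].add(f"{app}:{ent}")
    return dict(acc)

def mine_roles(snapshot):
    """Rebuild candidate technical roles: accounts with identical entitlement
    sets are treated as holders of one role (exact-match role mining)."""
    roles = defaultdict(set)
    for account, ents in snapshot.items():
        roles[frozenset(ents)].add(account)
    return {tuple(sorted(k)): v for k, v in roles.items()}

def diff_snapshots(old, new):
    """History: per account, (granted, revoked) entitlements between snapshots."""
    accounts = set(old) | set(new)
    return {a: (new.get(a, set()) - old.get(a, set()),
                old.get(a, set()) - new.get(a, set()))
            for a in accounts
            if old.get(a, set()) != new.get(a, set())}

def review(snapshot):
    """Who are my users? What do they have access to? Is it legitimate?
    Returns (account, finding) pairs for an access-review campaign."""
    findings = []
    for account, ents in snapshot.items():
        if account not in ACCOUNT_OWNER:
            findings.append((account, "orphan account: no identity in HR"))
        for a, b in SOD_RULES:
            if a in ents and b in ents:
                findings.append((account, f"SoD conflict: {a} + {b}"))
    return findings
```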
24. Boost user mobility: use cases
• Provide a feature-rich VDI infrastructure at an optimized cost
• Provide fast hot-desking (typically nurses in hospitals and clinics)
• Support remote sites or home workers
• Implement 'BYOD' projects
• Support advanced graphics
• Optimize performance of Java applications (when there are network latencies)
• Support Windows and Linux desktops
• Lower noise level in training rooms
• Secure sterile environments
25. Boost user mobility: innovative and cost effective solution
Desktop access / Desktop management / Desktop virtualisation
IGEL
• IGEL thin client (Windows or Linux)
• IGEL UDC (Desktop converter)
• IGEL UMS (Mgmt suite)
• HW: Card reader, WIFI
• SW: PowerTerm, Codec
• All included in purchase price
Cendio ThinLinc
• Desktop and application virtualization
• Session server, fast hot-desking support
• Mixed Windows and Linux desktop support
• Advanced Graphics support
• Optimized network performance
• Concurrent licensing, subscription model
26. Boost user mobility: reference deployment
Project objectives
• Replace 1200 desktops whilst optimizing costs
• Support current business requirements, including hot-desking for nurses
• Build capacity to ease future deployments
• Support emerging concepts (mobile, cloud…)
Project achievements
→ IGEL Thin Client + IGEL UDC + IGEL UMS
→ IGEL / Cendio ThinLinc / Smartcard integration
→ Windows 2012 TS server farm
→ Cendio ThinLinc multi-client, network optimized technology
27. Questions & answers
Olivier Naveau, Managing Director
olivier.naveau@paradigmo.com