Paradigmo specialised in Identity & Access Management
Company presentation
Olivier Naveau, Managing Director
Our history of IAM
Access control is on top of priority list!
As stated by Deloitte in their GFSI Security Survey, top external audit findings are about excessive access rights, segregation of duties and access control compliance.
http://www.deloitte.com/gfsi/securitysurvey
Why does access control remain difficult?
Objectives: Who are my users? What do they have access to? Are these accesses legitimate?
Landscape:
• Business applications are developed in silos; IAM implies horizontal integration.
• Multiplication of the number of users and of the number of applications.
• Evolving landscape: cloud, mobile, social, compliance, liability.
Identity & Access Management
A structured approach
Structured approach of Identity & Access Management
1. Data model
2. Functions & Processes
3. Key components
4. Business values
1. Data model: administer IAM data
Identity data
• Identities
• Attributes (contractual status, dates, job description, location)
• Manager
• Organization
• Accounts
Access data
• Business roles
• Technical roles (or profiles)
• Applications
• Entitlements
• Policies (or access rights): who, what, what for, condition
Activity data
• Authentication requests
• Access requests
• Changes to Identity data
• Changes to Access data
1. Data model: the power of Brainwave
2. Identity & Access Management processes
Administer IAM data: Identity data, Access data
Access (or use) IAM data: Authenticate, Authorize, Federate
Control IAM data: Analyse, Audit, Comply
2. Identity & Access Management processes
Administer IAM data ... is the construction phase of identity, subsequently providing it with a "personality" by assigning attributes, entitlements and credentials. It provides the create/maintain/retire capabilities of IAM. Administration also provides the platform for intelligence: a means to make sense of the identity and access events.
Access (or use) IAM data ... serves as a foundational platform to facilitate authentication and authorization, and the capabilities within them, from single sign-on to entitlements resolution and enforcement of access decisions. Access is the "engine" of IAM that takes identities and their information and puts them into effect.
Control IAM data ... generates reports for auditors, provides real-time monitoring for operations and delivers the analytics necessary for analysts and business stakeholders to make intelligent, actionable decisions in the business and in IT.
3. Key components
Technologies, Processes and People (diagram linking them with the relations "rely on", "support" and "sustain")
Cendio® ThinLinc®
4. Business values: identify and measure KPIs
KPIs:
• Efficiency of operations
• Effectiveness of security
• Enablement of business
Paradigmo's proposal
Identity & Access Management
Identity Intelligence
Virtual Desktop Infrastructure
Paradigmo's proposal is process based
• Administer IAM data
• Access (or use) IAM data
• Control IAM data
• Boost user mobility (Cendio® ThinLinc®)
Administer IAM data: the theory
Diagram elements: Account, Rules, Roles, Requests, Attributes, Actions, Objects, Policies, Conditions
Two management domains: Role management and Policy management
Administer IAM data: a standard use case
Diagram elements: Human resources, signaletic attributes, User form (C,U,D), Access form, Mandates, Profiles (coarse-grained and fine-grained)
Target systems shown: File Share, Active Directory, Microsoft applications, Databases
Administer IAM data: Policy Manager
PAP (Policy Administration Point) / Policy Manager: Applications, Roles, URLs, Business Transactions, Conditions, Coarse-grained access matrix, Fine-grained access matrix
Data sources and flows shown: Corporate LDAP, FAS, Attributes, Mandates, Roles
Policies activation
Scope: ~140 internal applications, ~30 external applications
Administer IAM data: ABAC implementation
Per application:
• Coarse-grained matrix: Roles (LDAP filter) × URL → Allow / Deny, with a Condition (LDAP filter); a URL entry is <URL, [GET|POST]>
• Fine-grained matrix: Roles (LDAP filter) × BT (business transaction) → Allow / Deny, with a Condition (LDAP filter); a BT entry is <Resource, Action>
Scope: ~140 internal applications, ~30 external applications
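The coarse-grained matrix described above, as an added example that is not Paradigmo's, OpenAM's or OpenSSO's code: a small Python evaluator in which roles and conditions are written as (reduced) LDAP filters, rows are keyed by <URL prefix, method>, and an explicit Deny overrides Allow while a request no Allow row covers is denied (both are assumptions, as are the constructed matrix contents and user attributes).

```python
import re

def parse_filter(s, pos=0):
    # Reduced RFC 4515 grammar: (&...), (|...), (!...), (attr=value); returns (ast, end_pos)
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    if s[pos + 1] in "&|!":
        op, kids, pos = s[pos + 1], [], pos + 2
        while s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        return (op, kids), pos + 1  # skip the closing ')'
    m = re.match(r"\(([A-Za-z][\w-]*)=([^()]*)\)", s[pos:])
    if not m:
        raise ValueError(f"bad simple filter at {pos}")
    return ("=", m.group(1), m.group(2)), pos + m.end()

def matches(ast, attrs):
    # Evaluate the filter AST against identity attributes; values may be single or multi-valued
    if ast[0] == "=":
        vals = attrs.get(ast[1], [])
        vals = vals if isinstance(vals, list) else [vals]
        return bool(vals) if ast[2] == "*" else ast[2] in vals
    if ast[0] == "!":
        return not matches(ast[1][0], attrs)
    return (all if ast[0] == "&" else any)(matches(k, attrs) for k in ast[1])

# Constructed matrix keyed by <URL prefix, method>; rows are (roles filter, condition filter or None, effect)
MATRIX = {
    ("/payroll/", "GET"): [
        ("(|(role=hr)(role=finance))", None, "Allow"),
        ("(role=*)", "(!(contractStatus=active))", "Deny"),
    ],
    ("/payroll/", "POST"): [
        ("(&(role=hr)(location=BE))", "(mandate=payroll-admin)", "Allow"),
    ],
}

def decide(user, url, method):
    # Assumptions: explicit Deny overrides Allow; a request no Allow row covers is denied
    effects = set()
    for (prefix, meth), rows in MATRIX.items():
        if meth == method and url.startswith(prefix):
            effects.update(e for roles, cond, e in rows
                           if matches(parse_filter(roles)[0], user)
                           and (cond is None or matches(parse_filter(cond)[0], user)))
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"
```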
Access (or use) IAM data: concepts
Identity Provider (IDP), Service Provider (SP), Applications
Why ForgeRock? (Administer IAM data, Access (or use) IAM data)
• All-in-one Unified Open Identity Stack
• Easy to install and to operate: one single process delivers all functions
• Simple and scalable to cope with Internet scale
• Simple and flexible to cope with new concepts
• Support and extensibility capabilities (developer friendly)
• Subscription model, no cost until the Enterprise build is used in production
Why ForgeRock? (Administer IAM data, Access (or use) IAM data)
• FedICT delivers the Federal Authentication Service (FAS), the reference public IDP service in Belgium, based on OpenAM.
• FPS Finance delivers AuthN, AuthZ & SSO of internal (~140) and external (~30) applications based on OpenSSO.
• Toyota implemented AuthN & AuthZ of "things" on OpenAM. For internal apps, the migration is ongoing.
• Luxair provides AuthN, AuthZ & SSO for home-developed applications using OpenAM.
• BNP PIP uses OpenDJ to provide central authentication of Unix administrators and users.
• Clinique Saint-Luc provides AuthN, AuthZ & SSO of commercial applications using OpenAM.
Control IAM data: use cases
Who are my users? What do they have access to? Are these accesses legitimate?
How do I communicate on the role structure of my organization?
How do I clean up data before an IAM deployment?
Why Brainwave? (Control IAM data)
• Control-oriented approach: it rebuilds the AM theoretical model from <accounts, entitlements>
• Low footprint on the organization: it applies an ETL method for data loading
• Data model is complete and agnostic
• BI principles applied to Identity for online investigations or reporting
• Full history built through successive snapshots
→ Quickly delivers concrete results
Boost user mobility: use cases
• Provide a feature-rich VDI infrastructure at an optimized cost
• Provide fast hot-desking (typically, nurses in hospitals and clinics)
• Support remote sites or home workers
• Implement 'BYOD' projects
• Support advanced graphics
• Optimize performance of Java applications (when there are network latencies)
• Support Windows and Linux desktops
• Lower noise level in training rooms
• Secure sterile environments
Boost user mobility: innovative and cost-effective solution
Desktop access, desktop management, desktop virtualisation
IGEL:
• IGEL thin client (Windows or Linux)
• IGEL UDC (Desktop converter)
• IGEL UMS (Management suite)
• HW: card reader, WIFI
• SW: PowerTerm, codec
• All included in purchase price
Cendio® ThinLinc®:
• Desktop and application virtualization
• Session server, fast hot-desking support
• Mixed Windows and Linux desktop support
• Advanced graphics support
• Optimized network performance
• Concurrent licensing, subscription model
Boost user mobility: reference deployment
Project objectives
• Replace 1200 desktops whilst optimizing costs
• Support current business requirements, including hot-desking for nurses
• Build capacity to ease future deployments
• Support emerging concepts (mobile, cloud…)
Project achievements
→ IGEL Thin Client + IGEL UDC + IGEL UMS
→ IGEL / Cendio ThinLinc / Smartcard integration
→ Windows 2012 TS server farm
→ Cendio ThinLinc multi-client, network optimized technology