
Number of slides: 25
INFORMATION SECURITY FOR ACCESS PROVISIONING: THE BOEING COMPANY
Team T-Bone & Tonic: Aly Boghani, Joan Oliver, Mike Patrick, Amol Potdar
June 6, 2009
What is Access Provisioning?
Provisioning: to create and maintain a subject's digital identity, accounts, credentials, and entitlements in response to automated or interactive business processes.
The four objects provisioning manages, with Boeing examples:
– Identity: a BEMSID (employee ID) and all related employee information
– Account: a Windows account for Jane Smith; Web Single Sign On (WSSO)
– Credentials: biometric identifier(s), Windows password, Z-Token
– Entitlement: access to REDARS, a Boeing badge, access to newScale
Recap of Problem
[Diagram: the current provisioning landscape, a web of point-to-point links among dozens of systems, each handling identities, accounts and entitlements its own way. Systems shown: HRMS, Policies, EPSS, EPDW, APPREG, EDS, EEPPI, EAP, TEAMS, CARATS, SEQUENT, CED, NBR, VSGATE, ATMA, AA, RADIUS, AccessTo RP, NBAR, BART, FMS, Boeing Apps, UNIX (STL), NOFRT, Exchange, SSA, COGNOS, RSS, EAF/SAPM, ECAR, UIDR, MAD/eAD, MARS, DCAMS, UNIX (USA-NIS), CLAMS, SSLVPNFM, GGM, WART, OARS, SSGRP Domain Tool, STAC, CATIA SUITE, STAR, CSPR3, MARS (MESA), ACF2 SUITE, BLU/RAD, ACF2, PLGM, SSLVPN, D1SD, AD, RACF, VRA, AAA, ALF, AIM, ICS, RACFQRY, RACF PHILLY. Legend: Full System Retirement; Partial System Retirement; Potential System Retirement; Systems outside Information Security; Retired mm/dd/yy (retirement dates 7/11/08 and 7/21/2008 are marked on two systems).]
Goal
• End users focus on access to target systems like Windows, REDARS, etc. They don't focus on what accounts they need in order to access Windows.
• Technologists focus on the accounts and permissions end users need to access Windows, etc.
• Common ground: the goal of provisioning is to help Sally obtain access to REDARS, newScale, etc., using the account(s) the technologists define.
[Diagram: "Sally is a person with access to REDARS and newScale, using the following account(s)", linking the end-user view of target systems to the technologist view of accounts.]
Why now?
• Boeing is a very large corporation
– Processes are antiquated and inefficient
– If a solution is not known, is slow, or does not meet requirements, new solutions are implemented
• No centralized, enterprise-wide security organization until recently
– Information Security group
– Security priorities: Access Provisioning
Solution
[Diagram: component-level view of the Boeing Enterprise Provisioning Tool (BEPT). Authoritative inputs on the left: People (HRMS, EPSS, EPDW), Policies, Apps, Devices, Export, Contracts. Actors: Solution Operator; End Users, Focals, etc.; Managers, Auditors, etc. BEPT components: Self Service GUI, Administration GUI, Customized GUIs (e.g. AA) or external/federated provisioning, Auto-Request Submittal, Workflow, Reporting and Metrics, Audit/Reconciliation, Dispatching, Repository, Connectors, Interfaces. Targets on the right, grouped as Operating Systems (e.g. UNIX (USA-NIS), UNIX (STL), AD, RACF, ACF2), Directories (e.g. AD, VRA, Env. Warehouse, CLAMS, DCAMS), Applications & Databases (vendor apps and Boeing apps such as Exchange, GGM, SSA, NOFRT, PLGM, ECAR, COGNOS, RSS, MAD/eAD, VSGATE, BART, EDS, SEQUENT, TEAMS, APPREG, AA, EAF/SAPM, EEPPI, AAA, ALF, AIM, ICS, BLU/RAD, SSGRP Domain Tool, STAC, CATIA SUITE, STAR, CSPR3, MARS, D1SD, CARATS, EAP, ATMA, CED, NBR, NBAR, FMS, UIDR, SSLVPNFM, WART, OARS, ACF2 SUITE, RACFQRY, PHILLY), and Gateways and VPNs (e.g. SSLVPN, RADIUS, SSGRP, VSGATE, AccessTo RP, MESA).]
Solution
• Boeing has selected and purchased a COTS-based provisioning solution
– Conducted an RFP and proof of concept in 2007
– Selected Oracle Identity Manager (OIM)
– Purchased the product in January 2008
• Established the Enterprise Provisioning Program
– Establish and implement an enterprise-wide common process for identity and access management
– Implement a common tool (OIM) that is intuitive to end users
– Retire existing provisioning tools and systems
Oracle Identity Manager Overview
[Slide contains a vendor overview image only.]
Oracle Identity Manager (OIM)
• Self Service and Delegated Administration
– User-configurable proxy
• Workflow and Policy
– Workflow management
– Transaction integrity
• Password Management
– Self-service password changes
• Audit and Compliance Management
– Comprehensive historical reporting
• Integration Solutions
OIM Details
[Slide contains a vendor architecture image only.]
OIM Connectors and Compatibility
• Connectors
– Oracle E-Business Suite
– PeopleSoft
– Siebel
– JD Edwards EnterpriseOne
– Sun ONE
– Microsoft AD & Exchange
– SAP
• Compatibility
– Remote Manager: acts as a wrapper for legacy applications
Technology Benefits
• One system
– Reduced personnel to maintain
– Reduced maintenance costs
• Can plan a phased implementation
• Cleaner audit controls
Expected Results
• Realized business case
• Reduced cycle time by 75%*
• Improved non-Boeing and Boeing access processes
• Improved end user experience
• Enhanced manager/approver experience
• Minimized reliance on custom development
• Increased automation
Expected Results
• Reduced risk
– Reduce the number of different means for establishing identities, accounts, and entitlements
– Ensure only approved access is granted
– Ensure policies and rules are enforced through automation rather than through human interaction
– Identify and relegate rogue accounts
– Periodically audit and attest access
– Reconcile differences between provisioning systems (authoritative source for access) and target environments (real world)
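The last three bullets (rogue accounts, attestation, reconciliation) describe one control: compare what the authoritative provisioning record says a person should have against what each target system actually contains, and raise a finding for every difference. The following is an added example of that reconciliation pass, written for this page; it is not Boeing or Oracle Identity Manager code. The employee IDs, system names, logins and entitlement names are constructed sample data, and the finding categories are this example's own labels.

```python
"""Reconcile an authoritative provisioning record against target-system state.

Added example (not Boeing/OIM code). All identities, accounts and entitlements
below are constructed sample data for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    """An account as read back from a target system (the 'real world')."""
    system: str                  # e.g. "AD", "UNIX"
    identity: Optional[str]      # employee ID the account maps to; None if unmapped
    login: str
    entitlements: FrozenSet[str]  # groups/roles the account actually holds


@dataclass(frozen=True)
class Finding:
    kind: str                    # this example's own category labels, see reconcile()
    system: str
    identity: Optional[str]
    login: Optional[str]
    detail: str


# Authoritative source (constructed): identity status from HR, and the
# approved entitlements per (identity, system) from the provisioning tool.
IDENTITIES: Dict[str, str] = {
    "1234567": "active",
    "7654321": "active",
    "1111111": "terminated",
}
APPROVED: Dict[Tuple[str, str], Set[str]] = {
    ("1234567", "AD"): {"Domain Users", "REDARS-Readers"},
    ("1234567", "UNIX"): {"users"},
    ("7654321", "AD"): {"Domain Users"},
    ("1111111", "AD"): {"Domain Users"},   # approval predates termination
}

# Target-system state (constructed), as a connector would read it back.
TARGET_ACCOUNTS: List[Account] = [
    Account("AD", "1234567", "jsmith",
            frozenset({"Domain Users", "REDARS-Readers", "Domain Admins"})),  # excess
    Account("AD", "7654321", "bjones", frozenset({"Domain Users"})),          # clean
    Account("AD", "1111111", "rdoe", frozenset({"Domain Users"})),            # terminated
    Account("AD", None, "svc_backup", frozenset({"Backup Operators"})),      # rogue
    # no UNIX account exists for 1234567 although one is approved
]


def reconcile(identities: Dict[str, str],
              approved: Dict[Tuple[str, str], Set[str]],
              target_accounts: List[Account]) -> List[Finding]:
    """Diff authoritative approvals against target state; every mismatch is a finding."""
    findings: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()

    # Pass 1: walk the real world and check each account against the record.
    for acct in target_accounts:
        if acct.identity is None or acct.identity not in identities:
            findings.append(Finding("ROGUE_ACCOUNT", acct.system, acct.identity, acct.login,
                                    "no matching identity in authoritative source"))
            continue
        if identities[acct.identity] != "active":
            findings.append(Finding("ACCOUNT_FOR_INACTIVE_IDENTITY", acct.system, acct.identity,
                                    acct.login, f"identity status is {identities[acct.identity]}"))
            continue
        key = (acct.identity, acct.system)
        if key not in approved:
            findings.append(Finding("ROGUE_ACCOUNT", acct.system, acct.identity, acct.login,
                                    "identity is active but has no approval for this system"))
            continue
        seen.add(key)
        for ent in sorted(acct.entitlements - approved[key]):
            findings.append(Finding("EXCESS_ENTITLEMENT", acct.system, acct.identity,
                                    acct.login, f"holds unapproved {ent}"))
        for ent in sorted(approved[key] - acct.entitlements):
            findings.append(Finding("MISSING_ENTITLEMENT", acct.system, acct.identity,
                                    acct.login, f"approved {ent} not present"))

    # Pass 2: approved access for active people that the target never received.
    for (identity, system) in sorted(approved):
        if (identity, system) not in seen and identities.get(identity) == "active":
            findings.append(Finding("MISSING_ACCOUNT", system, identity, None,
                                    "approved account does not exist on target"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a reporting/metrics view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(IDENTITIES, APPROVED, TARGET_ACCOUNTS):
        print(f"{f.kind:30} {f.system:5} {f.identity or '-':8} {f.login or '-':11} {f.detail}")
    print(summarize(reconcile(IDENTITIES, APPROVED, TARGET_ACCOUNTS)))
```

Two design points matter for the risk bullets above. An account whose identity is terminated is reported before any entitlement comparison, so a stale approval left in the record cannot make that account look clean. And an approved-but-absent account is only reported for active identities; for a terminated person the absence is the desired state, not a gap to re-provision.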
How do we get there?
• The program will look for opportunities that enable one or more of the following
– Reduce current cycle time
– Target the largest business impacts
– Focus on streamlining and automating the existing manual work activities
– Select a tool that is well understood, to facilitate learning
– Reduce risk associated with application support (server end of life and/or tool knowledge base exhausted)
– Analyze large systems in parallel to mitigate complexity and long-lead items
– Ensure resources for critical functions have trained backups
Strategy
• Provisioning will continue as one of the key security services
– Manage identities, accounts, and entitlements
– Publish data to the enterprise directory and target systems (as required)
– Referred to as the identity management service
Strategy
• The goal for these services is to publish security data to fewer target systems over time
– Publish data to a central repository rather than to individual application environments
– Applications will consume authorization data via well-defined APIs, to minimize impact to application code over time
The Big Picture
[Diagram: the enterprise security services architecture. Authoritative Sources feed Identity Management (AuthN, AuthZ), which holds a Data Repository and a Federated Identity Store and handles Access & Account Requests and Resource & Policy Management. Identity Distribution, Policy Distribution and Token Exchange flow out through the Enterprise Security Services Interface. At run time a Policy Enforcement Point (PEP) in front of a Target sends Resource Data and Identity Data to a Policy Decision Point (PDP), which returns Authentication and Authorization Decisions based on Policies and Tokens. Monitoring and Logging receives Log Events & Traps from both sides.]
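The strategy slide says applications should consume authorization data through an API rather than carry their own copy, and the big-picture diagram names the two halves of that pattern, a Policy Enforcement Point in the application and a Policy Decision Point that owns identity data and policy. The following is an added example of that split, written for this page and not taken from Boeing, OIM or the diagram. The subject IDs, resource and entitlement names, and the `PolicyDecisionPoint`/`PolicyEnforcementPoint` classes and their `decide`/`guard` methods are all this example's own constructions.

```python
"""PEP/PDP split: application code keeps a single enforcement call; identity
status, entitlements and policy live behind the decision point.

Added example (not Boeing/OIM code). Subjects, resources, entitlements and
class/method names are constructed for illustration.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Optional, Set, Tuple

# Identity data as published by provisioning (constructed sample data).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "1234567": {"REDARS-Readers"},
    "7654321": {"REDARS-Readers", "REDARS-Editors"},
}
IDENTITY_STATUS: Dict[str, str] = {
    "1234567": "active",
    "7654321": "terminated",
}
# Policy: (resource, action) -> entitlement required. Anything absent is denied.
POLICY: Dict[Tuple[str, str], str] = {
    ("REDARS", "read"): "REDARS-Readers",
    ("REDARS", "write"): "REDARS-Editors",
}


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


class PolicyDecisionPoint:
    """Evaluates requests against identity data and policy it alone holds."""

    def __init__(self, entitlements: Dict[str, Set[str]],
                 status: Dict[str, str], policy: Dict[Tuple[str, str], str]) -> None:
        self.entitlements = entitlements
        self.status = status
        self.policy = policy

    def decide(self, subject: str, resource: str, action: str) -> Decision:
        # Identity lifecycle is enforced centrally: a terminated subject is
        # denied everywhere even if stale entitlements remain published.
        if self.status.get(subject) != "active":
            return Decision(False, f"subject {subject} is not active")
        required: Optional[str] = self.policy.get((resource, action))
        if required is None:
            return Decision(False, f"no policy for {action} on {resource}: default deny")
        if required in self.entitlements.get(subject, set()):
            return Decision(True, f"subject holds {required}")
        return Decision(False, f"subject lacks {required}")


class PolicyEnforcementPoint:
    """The only authorization logic an application keeps: ask, then enforce."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def guard(self, resource: str, action: str) -> Callable:
        def decorator(fn: Callable) -> Callable:
            @wraps(fn)
            def wrapper(subject: str, *args, **kwargs):
                decision = self.pdp.decide(subject, resource, action)
                if not decision.permit:
                    raise PermissionError(decision.reason)
                return fn(subject, *args, **kwargs)
            return wrapper
        return decorator


PDP = PolicyDecisionPoint(ENTITLEMENTS, IDENTITY_STATUS, POLICY)
PEP = PolicyEnforcementPoint(PDP)


# Application code: no entitlement names, no identity table, just the guard.
@PEP.guard("REDARS", "read")
def read_document(subject: str, doc_id: str) -> str:
    return f"document {doc_id}"


@PEP.guard("REDARS", "write")
def update_document(subject: str, doc_id: str) -> str:
    return f"updated {doc_id}"


def try_call(fn: Callable, *args) -> Tuple[bool, str]:
    """Run a guarded call and report (permitted, result-or-reason) for demos/tests."""
    try:
        return True, fn(*args)
    except PermissionError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(try_call(read_document, "1234567", "D-100"))    # permitted
    print(try_call(update_document, "1234567", "D-100"))  # lacks REDARS-Editors
    print(try_call(read_document, "7654321", "D-100"))    # terminated subject
    print(PDP.decide("1234567", "REDARS", "delete"))      # default deny
```

Because the policy table and the identity tables are owned by the decision point, granting or revoking an entitlement, or retiring a subject, changes what `read_document` and `update_document` allow without touching either function, which is the reason the strategy slide gives for the API-based approach.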
Enterprise Access Provisioning
Must incorporate the four cornerstones of information security: Confidentiality, Authenticity, Integrity, Availability.
A successful provisioning solution ensures individuals get access to necessary resources easily and quickly, while ensuring the proper security protocols are completed.
Supplemental Slides (not to be presented)
OIM J2EE Architecture
[Slide contains a vendor diagram only.]
Offline Processing
[Slide contains a vendor diagram only.]
Legacy Application Support
[Slide contains a vendor diagram only.]
Scheduling Engine
[Slide contains a vendor diagram only.]
Secure Communications
[Slide contains a vendor diagram only.]