ff2710dfdaa6d0930f6237bcad30b2e5.ppt
- Number of slides: 34
SIcurity Identity and Access Management
Hanover, CeBIT 2005
Why Siemens?
The Security Challenge
Security policy „find the loopholes“
Protection „block the bad guys“
Mega Trends
Enabling „support the good guys“
Only an IT Security company like Siemens is able to cover everything
© Siemens CeBIT 2005
Challenges for Identity and Access Management
- Avoiding security breaches
- Cutting administrative costs
- Avoiding productivity gaps
- Maintaining data quality
- Avoiding island solutions
- Ensuring regulatory compliance
Scenario Highlights
Automated, policy-based and role-based user provisioning
Password management and password synchronization
Access management and single sign-on for web portals and web-based applications
Self-registration, approval workflow and delegated administration for web portals in B2B environments
Scenario: Situation Today
Multiple users seeking access to numerous IT resources
Resulting in many administrators repetitively establishing and revoking user access privileges
[Diagram labels: Employees, Customers, Partners; Sales, Finance, B2B, Marketing, Logistics]
Scenario: Solution Tomorrow
Who needs access to what?
- Identities
- Organizations
- Applications
- IT systems
- Resources
- …
Who needs which rights?
- User profiles
- Roles & privileges
- Business processes
When is access granted?
- Rules
- Policies
- Conditions
[Diagram labels: Identity Management, Meta Directory, Provisioning, Access Management; Employees, Customers, Partners; Sales, Finance, B2B, Marketing, Logistics]
Scenario: End-to-End, Secure eBusiness Processes
Headquarters/Factory • Prices • Factories • Delivery dates • Supplier • Service partner • Customer structure
Customer
Identity and Access Management • Equipment • Price list • Delivery date
VPN, Password
Partner • Prices • Equipment • Delivery dates • Suppliers • Service partner • End customer
Supplier • Unit costs • Other costs • Selling price
VPN, Self-registration, VPN, Delegated Administration • Prices • Equipment • Delivery dates • Partner • Service partner
Who, When, What, Access to What?
Your Benefits
Lower costs
- Automated, centralized user administration
- Lower costs for helpdesk and hotline services
- Enhanced cost transparency for asset management
Increased productivity
- Get new employees up and running quickly
- Automated provisioning of accounts in connected systems 24 h
- Ensure data quality by automatic synchronization
- Increase in user productivity through fewer passwords
Improved security
- Enterprise-wide transparency of access rights
- Quick revocation of access rights
- Precise monitoring of access rights
Covering all vertical industry markets
Media/Communications
Insurance/Banking
Services/Logistics
Industry/Retail
Public/Health/Education
US ARMY ?
Customer Reference: Financial Services – Generali
Benefits
- Improved productivity and availability
- Minimized administration and operating costs
- Lower costs thanks to simplified administration of user accounts
Solution
- Role-based rights management for IT systems with DirXmetaRole
Challenge
- Replacement of existing individual solutions for access and user rights for IT systems with a role-based management solution
Customer Reference: Financial Services – Swiss Re
Benefits
- Secure e-business
- Lower administration overhead savings
- Improved quality of enterprise-wide data better service for customers
Solution, Challenge
- DirX Metadirectory as a global directory service
- Web-based single sign-on solution
- Administration of customer and employee information
- User authentication
- A global system for user management in the customer portal for electronic reinsurance services
Customer Reference: Industry – Audi AG
Benefits
- Consistent user data at all times across all directories at departments, plants and subsidiaries
- Reliable access control thanks to unique, trusted identities
- Low administration costs
Solution, Challenge
- Modernization of the communications directories
- Integration of the HR SAP R/3, Windows NT, Exchange and IBM OS/390 host directories
- Reduction in administration costs
- Stable use in the Audi/Volkswagen group network full X.500/LDAP compliance
- Unique digital identities thanks to Metadirectory as a digital identity store
- 60,000 entries (2003) on internal and external employees; target: 250,000 (Audi/VW network)
- Provisioning of corporate processes
Customer Reference: Public Sector – GTZ (Gesellschaft f. Technische Zusammenarbeit)
Benefits
- Improved international communications
- Greater efficiency in administration
- Seamless integration of directory and Office products efficiency at the workplace
Solution, Challenge
- One central address book integrated in Microsoft's ADS and Office infrastructure
- Integration with SAP
- Migration from Novell office infrastructure to Windows 2000 / ADS
- DirX Metadirectory as a central directory for employees, partners and projects worldwide
- Allows administration processes of ADS to be automated
- Convenient user access via intranet or Windows applications
ROI / Example Calculation: Company with 1000 Employees
Rights of use / licenses: € 15,000
• Agents: • Hicom DMS / DS-Win • Microsoft ADS • HiPath 4000 Manager (included in the basic package)
Service (non-recurring): € 14,000
Total purchase price: € 29,000
Monthly price (total, w/o service): € 826 (including software and other maintenance; basis: 3-year lease factor)
Monthly price (per user): € 0.826
Administration
Savings in changing entries, including new employee entries and deletion of employee entries of: € 1,500
Savings p.a. DirXweb: 20 hours a month: € 18,000
Total purch. price (1st year): € 29,000
Savings in administration (per year): € 18,000
Other effects
- More efficient searching for communications addresses
- Savings thanks to user self service
- Lower costs for developing own applications and running them
- Lower help desk / hotline costs (fewer passwords, i.e. fewer forgotten passwords)
The investment pays off within just over one-and-a-half years!
ROI / Example Calculation: Company with 1000 Employees – Monthly Savings
Service: Time/effort x Internal standard rate = Costs
Changes: 8 hours x € 75 = € 600
Temporary provision of company resources to external consultants, for example, and changes to master data
New employees: 6 hours x € 75 = € 450
When a new employee is hired, his or her master data must be entered in the systems
Employees leaving: 6 hours x € 75 = € 450
Access to company resources must be withdrawn and the master data deleted
Total: € 1500
A return on the monthly lease is achieved given even slight savings in administration of user data!
Product Highlights
Identity Management: User and privilege management / delegated administration / approval workflow / role-based and rule-based provisioning / Metadirectory Synchronization / Password management / Audit and reporting
Directory: LDAPv3 Directory Server / X.500 Directory Server / DirX Manager – Graphical Administration Interface / DirX DSML – DSMLv2 Server (Web Service/XML/SOAP) / DirXweb for JSP Technology – Web Gateway (HTTP)
Access Management: Web Access Management / Authentication / Authorization / Web Single Sign-On / Self-service / Self-registration / Federation / Web Services Security / Audit
HiPath - Total Business Communications Components
optiClients, optiPoints and Portals Business Applications HiPath SIcurity Common Application Platform HiPath Servers & Gateways HiPath MetaManagement and HiPath QoS Other Applications HiPath Ready Certified Applications HiPath MobileOffice HiPath OpenScape HiPath ProCenter HiPath ComScendo Business Applications IP Infrastructure Huawei
Our Services Portfolio
Consult, Design, Build, Support, Manage, Educate
Professional Services, Lifecycle Services, Managed Services
• Technology Consulting
• Assessments
• Customization
• Systems Integration
• Design
• Project Mgmt
• Remote monitoring, diagnostics, reporting
• Network Management
• Hardware/software installation, maintenance, fixes, spare parts
• Multi-Vendor Support
• Security Management
• Asset Management
• Moves, Adds, Changes (MAC)
• Communications OutTasking
• Training
• Service/Help Desk
HiPath SIcurity Identity and Access Management …
… offers fully-integrated solutions for IT and real-time communication environments.
… is the leader when it comes to PKI authentication, authorization and SAP integration
Thank you! Your Questions please!
Back Up
HiPath SIcurity Portfolio
HiPath SIcurity Security Analysis and Consulting: The first step is always security
HiPath SIcurity Solutions
Network & System Security: Protected in networks
Smart Card-Based Solutions: It’s all right to laugh for who is allowed in
Identity & Access Management: Only Mr. Right is welcome
HiPath SIcurity: End-to-end, secure e-Business processes
End-to-end processes from a single source
Content
• End-to-end security solution
• Integrated Product suite from authentication to Web access and SSO
• Seamless software integration
User Sales Secure Business Processes Marketing Logistic Network & Systems Security Authentication Identity Management Secure Token ID-Store and Provisioning CardOS Card API DirXmetahub Access Control Enforcement of Security Policies DirXmetaRole DirX Access
Integrated Product Suite for Identity and Access Management
Functionality Products Identity Management Self-Service User Management Workflow Meta directory Provisioning DirX Extranet Directory Authentication Directory Federation Audit Accountability Password Management DirXmetaRole DirXmetahub Web Access Management Web Single Sign-on Web Services Security Access Management DirX Access
Without Identity and Access Management, costs rise dramatically
[Chart: costs over time, without and with Identity and Access Management; initial costs *]
* Project, hardware/software costs, data cleansing
Source: Bearing Point
HiPath SIcurity DirX - Live Presentation
Identity and Access Management from a single source
Provisioning
Involved in process
- New hire: Creating new employee as a new identity
- Making the identity known: Distribution of identity to all IT/RTC systems
Management, User Admin, Change management
- Password: Changes (e.g. every 4 weeks) as per security policy
- Function change: Change of function within company (promotion, change of location, organizational change...)
- Order process: Authorization workflow for procurement volume
IAM Demo: Enterprise and B2B Scenarios
Human Resources Employee and change management Employee Self-service Supplier, Partner Self-registration Delegated administration Password management MyCompany Intranet Windows & Exchange DirXmetaRole Applications MyCompany Extranet HR DirXmetahub DirX Access HiPath User Mgmt. Identity Management Access Provisioning Access Management DirX Extranet Edition Directory
IAM Demo Steps
1. New employee Joe Doe joins MyCompany – HR creates employee record
2. Joe Doe’s record is synchronized to IT identity management and roles are assigned automatically
3. Provisioning of Windows account, mailbox, telephone and access to employee portal for Joe Doe
4. Joe Doe has access to MyCompany Intranet with default rights according to his role
5. Joe Doe requests additional privileges and approval workflow is initiated
6. Will Smith works for Ace Car Sales and registers for access to MyCompany’s Extranet; an approval workflow is initiated
7. The delegated administrator at Ace Car Sales approves the registration
8. Will Smith has access to MyCompany Extranet with default rights according to his role; Will Smith can manage his password and reset a forgotten password
Making a New Employee Productive Quickly
HiPath SIcurity Identity & Access Management
ERP administration
- Master data in HR or order processing system is generated and automatically provisioned to central directory
- Via the IAM platform, the appropriate roles are assigned to the employee
- Rules are stored based on the company’s security policies
Permissions
- The permissions corresponding to the role are set automatically
- Individual criteria, e.g. lifecycle, are entered in IAM
Productivity
- Employee has the access rights and permissions defined in the roles
In minutes
Employee is hired
Identity administration
Provisioning process
- In the destination systems, intranet/extranet access, e-mail account, (…and other) automatically generated
- Individual rights for portals are set
Flexible Change Management: Change in function
Function change
- A Sales employee is switching to Marketing on Feb. 1.
- This function change is entered by the personnel department in the HR system.
- The IAM system passes the function change to the Corporate Directory.
- The Corporate Directory synchronizes the new function – with new rights – on the connected target systems.
January 31: Sales activities in Sales Portal
date change...
February 1: Ready to move, Marketing Portal
- MARKETING PORTAL released
- SALES PORTAL is no longer accessible
Process: Human Resources (e.g. SAP HR); HiPath SIcurity Identity & Access Management: Resolution of the role “SALES” - Granting of rights “MARKETING”; Portal user management (and other target systems)
Single Sign-on and Centralized Access Control Enforcement for all Web Applications
Sales process
Mr. Maier needs a monthly report
Mr. Maier wants to enter a customer contact
Mr. Maier wants to enter the day’s travel expenses
[Screen labels: Name, Password, Reports, Quarter, Month, Customer, Contact, Order, Costs, KM entry, Additional costs]
Benefits
- One-time authentication for all needed information, e.g. one password for all applications
- Fast, straightforward management of access rights
- Increased security through secure session management and scalable authentication features
- Lighter load on the hotline
- Faster ROI through savings in administration and for user
Flexible Change Management: Uniform password for several applications
Password management
- The change of the password following prompt at first logon is recognized by the DirX Password Listener as a part of the IAM system.
- The IAM system passes the password change to the central Corporate Directory
- The Corporate Directory synchronizes the changed password on the connected target systems: Employee Portal
First logon: Change of password
a little later...
Ready to Work: Employee Portal
Process: Windows 2000 ADS; DirX Password Listener; Identity & Access Management DirX Solutions
The changed password is available for access to Employee Portal user management (and other target systems)
Flexible Change Management: Authorization of an order
Authorization / order process
- Sales employee needs and orders an analyst report that has to be authorized.
- The IAM system handles the authorization process and automatically forwards the request to the management of Sales.
- Following authorization by the management of Sales, the IAM system synchronizes the change in rights in the portal user management system
- Sales employee is informed by e-mail via the authorization workflow
- The needed study is then acquired via the SALES PORTAL.
Need for analyst: Order of analyst report
Release via Sales mgmt
Ready to use: Sales Portal
Process: Workflow; Identity & Access Management DirX Solutions; Portal user management
Setting a good example: References for Identity and Access Management
Sectors: Public Sector, Service Providers / ASPs, Industry, Financial Services, Others
References: European Union, Stockholm health network, Italian Ministry of the Interior, German Ministry of the Interior, Swiss Railways, Ontario Provincial Police, Stadtwerke München, Deutsche Telekom, Volkswagen AG, AOK Bayern, Deutsche Gesellschaft für Technische Zusammenarbeit, LVA (German social insurance fund), Hong Kong