Slide 1: The Value of Identity & Access Governance - Identity as The New Perimeter
Henrik Mohr, Director, Global IT Operation, NNE Pharmaplan A/S
Dubex Security & Risk Management Update 2015, May 21st 2015
Slide 2: Agenda
- Who is NNE Pharmaplan?
- Perimeter paradigm: traditional vs. new network
- Traditional vs. new IT service stack
- What is it IAM can do?
- Technical Benefits: why IT wants it!
- Compliance Benefits: why QA wants it!
- Economic Benefits: why the CFO wants it!
- Why do I want it?
- Dell 1 IM examples
- How to build the case for IAM
- Privileged Account Management
- Learnings compiled by the project manager
- Presenter
- Further reading & contacts
Slide 4: Traditional Perimeter Paradigm (diagram)
- Inside the perimeter: Applications, File Servers, Human Resource, Active Directory, CRM
- Outside: The Evil Internet
Slide 5: Traditional Perimeter Paradigm (diagram)
- Inside the perimeter: File Servers, Human Resource, Applications, Active Directory, CRM
- A VPN Tunnel from The Evil Internet into the perimeter
Slide 6: New Perimeter Paradigm (diagram)
- Applications, File Servers, Human Resource, Active Directory, CRM, elearning
- The Evil Internet? What now!?
Slide 7: New Perimeter Paradigm? (diagram)
- File Servers, Applications, Human Resource, Active Directory, CRM, elearning
- The Evil Internet, reached over HTTPS
Slide 8: IT service stack - in general
- Governance, Risk & Compliance
- Software / SaaS: Applications, Data
- Platform / PaaS: Operating System, Databases
- Infrastructure / IaaS: Network, Storage, Servers, Hypervisor
- Identity: IAM, Privileged Acc. Mgmt.
Slide 9: IT service stack example: Intranet
- Governance, Risk & Compliance
- Software: Intranet, Corporate News
- Platform: Windows 2012, MS-SQL, IIS
- Infrastructure: Cisco, EMC2, Blades, VMware
- Identity: Active Directory root, IAM, Privileged Acc. Mgmt.
Slide 11: IT service stack example: Microsoft Online (O365)
- Governance, Risk & Compliance: Contract Management
- Software: Microsoft O365
- Platform: Black Box
- Infrastructure: Black Box
- Identity: Microsoft ADFS, Microsoft IAM
Slide 12: Identity & Access Management overview (diagram)
- HR System (Human Resource): create new employees; delete terminated employees; change roles
- Workflows / WEB Shop (end-user self service): employee requests for access; workflow based approval flow; manager approvals; data owner approvals; system owner approvals
- Identity & Access Management core: Access Governance, User Administration, Role Administration, warnings, reports, etc.
- Privileged Account Management (PAM, TPAM): privileged access approval system; reporting on privileged access usage; session monitoring
- Access governance based on system integrations (both standard and adapted): Active Directory, ADFS, Document Management, Collaborate (extranet, SharePoint Online based), Navision ERP, SalesForce, File Servers
- Internal IT Services vs. cloud based IT Services: Microsoft Online (O365), Lync
- IT Security/Compliance Officer: Compliance Dashboard; reporting on compliance for access and access rights to data/information
Slide 13: Technical Benefits - why IT wants it!
- All user administration is automated and done in a timely manner: HR system integrated with IAM
- Most processes are detailed as workflows: you only think once
  - it's very complicated to build the workflows!
- Source separation (kildesortering): data and system owners know their data much better than IT, and they do all the work!
- Better service to business: workflows with automated processes and self-service for customers are far better than manual processes handled via e-mails, Servicedesk, post-its, phone calls, Excel, ...
  - self service for a few services
- Fewer mistakes. No more embarrassing audit findings.
Slide 14: Compliance Benefits - why QA wants it!
- Compliance dashboard, real-time. Know where the biggest risks are.
- Audit trails for all accesses and access changes, for file servers worldwide
- Extensive reporting capabilities built-in: audit/reporting can prove compliance to auditors
- Access rights to unstructured data, such as file servers, can be cleaned up (re-attestation) on a regular basis
  - first run done for 800 (of 1000) active shares worldwide (1000 shares in total)
- Revision of, e.g., ERP/Finance systems can be automated, and system owners can be alerted to unwanted access attempts
  - planned
- Policies ensuring segregation of duties can be enforced in workflows
  - planned for ERP systems
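The re-attestation step described on this slide (and the access-logging note on the "Why do I want it?" slide) can be illustrated with a small campaign builder. This is an added example, not NNE Pharmaplan's, Dell1IM's or Dubex's code: it assumes a constructed ACL export of who holds access to which share (with one data owner per share) and constructed access-log lines in a simple key=value format, then groups entitlements per data owner and pre-flags the ones unused for 90 days or never used, which is what a data owner needs in front of them to decide keep or revoke.

```python
"""Re-attestation campaign builder (constructed example).

Assumptions: an ACL export as (share, data_owner, principal) tuples and an
access log where every line is '<ISO timestamp> share=<path> user=<name> action=<verb>'.
Neither format is a real product's; both are made up for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ACL export: (share, data owner, principal holding access).
ENTITLEMENTS = [
    ("\\\\fs01\\finance", "anna.owner", "jdoe"),
    ("\\\\fs01\\finance", "anna.owner", "mlee"),
    ("\\\\fs01\\finance", "anna.owner", "ex.contractor"),
    ("\\\\fs02\\rnd", "bob.owner", "jdoe"),
    ("\\\\fs02\\rnd", "bob.owner", "svc-backup"),
]

# Constructed access-log lines (one year of logging, condensed to a few events).
ACCESS_LOG = """\
2015-04-12T09:31:00 share=\\\\fs01\\finance user=jdoe action=read
2015-05-02T14:05:10 share=\\\\fs01\\finance user=mlee action=write
2014-11-20T08:00:00 share=\\\\fs01\\finance user=ex.contractor action=read
2015-05-20T23:59:59 share=\\\\fs02\\rnd user=svc-backup action=read
"""

# Reference date for the campaign (the date of the talk, chosen for the example).
AS_OF = datetime(2015, 5, 21)


def parse_access_log(text):
    """Return {(share, user): latest access timestamp} from key=value log lines."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        key = (kv["share"], kv["user"])
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    return last_seen


def build_campaign(entitlements, last_seen, as_of, stale_days=90):
    """Group entitlements by data owner and flag access unused for stale_days or never used.

    Returns {data_owner: [item, ...]} where each item carries the share, the
    principal, the last observed access (ISO string or None) and a 'stale' flag
    that suggests revocation unless the owner says otherwise.
    """
    cutoff = as_of - timedelta(days=stale_days)
    campaign = defaultdict(list)
    for share, owner, principal in entitlements:
        seen = last_seen.get((share, principal))
        campaign[owner].append({
            "share": share,
            "principal": principal,
            "last_access": seen.isoformat() if seen else None,
            "stale": seen is None or seen < cutoff,
        })
    return dict(campaign)


def stale_entitlements(campaign):
    """Flatten a campaign into the sorted (share, principal) pairs flagged as stale."""
    return sorted(
        (item["share"], item["principal"])
        for items in campaign.values()
        for item in items
        if item["stale"]
    )


if __name__ == "__main__":
    campaign = build_campaign(ENTITLEMENTS, parse_access_log(ACCESS_LOG), AS_OF)
    for owner, items in campaign.items():
        print(f"Review items for data owner {owner}:")
        for item in items:
            flag = "REVOKE?" if item["stale"] else "keep"
            print(f"  {item['share']:<18} {item['principal']:<14} last={item['last_access']}  {flag}")
    print("Pre-flagged for revocation:", stale_entitlements(campaign))
```

The design point is that the owner reviews only a pre-annotated list; the IAM workflow would then turn each "keep"/"revoke" decision into an ACL change with an audit trail, which is the part this example leaves to the product.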
Slide 15: Economic Benefits - why the CFO wants it!
- Arguing tangible benefits for IT projects is a dangerous endeavor. Building a business case for IAM requires a lot more than proving 300 hours/year saved in IT.
- An IAM system will free up time currently used for user and access administration!
  - at least 1 FTE in China. More to come?
- You can try investigating the approximate time spent on daily/weekly/monthly tasks. Remember ALL systems. Not just AD, the ERP system and the odd file server. All of them. It is a challenging task!
  - And it's hard to win. Other companies may be different!
- Using IAM to clean up your user DBs, removing terminated users, dual accounts etc., can help prevent over-licensing of software (e.g. Microsoft CALs).
  - ongoing, waiting for full integration with O365 (PowerShell scripts)
- Agility in processes. Self-service. Time to market for LoB will be faster than waiting for manual processes.
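The HR-driven clean-up this slide and the "Technical Benefits" slide argue for (terminated users still enabled, dual accounts, orphan accounts, missing joiners) is essentially a reconciliation between the HR feed and the directory. The following is an added example, not the project's or any vendor's code: it assumes a constructed HR export keyed by employee id and a constructed directory export where each account carries an employee-id attribute, an enabled flag and a licensed flag, and it reports the findings plus the number of licences the clean-up would reclaim.

```python
"""HR-to-directory reconciliation (constructed example).

Assumptions: HR_FEED maps employee id -> {name, status, department}; DIRECTORY
lists accounts with 'employee_id' (None when the account is not linked to a
person), 'enabled', 'licensed' and an optional 'service' marker for service
accounts, which belong to privileged account management rather than the
HR-driven joiner/mover/leaver lifecycle. All records are made up.
"""
from collections import defaultdict

HR_FEED = {
    "E100": {"name": "Jane Doe", "status": "active", "department": "Finance"},
    "E101": {"name": "Max Lee", "status": "active", "department": "R&D"},
    "E102": {"name": "Ex Contractor", "status": "terminated", "department": "Finance"},
    "E103": {"name": "New Hire", "status": "active", "department": "Sales"},
}

DIRECTORY = [
    {"account": "jdoe", "employee_id": "E100", "enabled": True, "licensed": True},
    {"account": "jdoe2", "employee_id": "E100", "enabled": True, "licensed": True},  # dual account
    {"account": "mlee", "employee_id": "E101", "enabled": True, "licensed": True},
    {"account": "ex.contractor", "employee_id": "E102", "enabled": True, "licensed": True},  # leaver
    {"account": "old.temp", "employee_id": None, "enabled": True, "licensed": True},  # orphan
    {"account": "svc-backup", "employee_id": None, "enabled": True, "licensed": False, "service": True},
]


def reconcile(hr_feed, directory):
    """Compare the directory against HR and return the four classic findings.

    leaver_enabled: HR says terminated, account still enabled
    dual_account:   one employee with more than one enabled account
    orphan:         enabled account not linked to any HR record (service accounts excluded)
    joiner_missing: active employee with no account at all
    """
    findings = {"leaver_enabled": [], "dual_account": [], "orphan": [], "joiner_missing": []}
    by_employee = defaultdict(list)
    for acct in directory:
        if acct.get("service"):
            continue
        emp = acct["employee_id"]
        if emp is None or emp not in hr_feed:
            if acct["enabled"]:
                findings["orphan"].append(acct["account"])
            continue
        by_employee[emp].append(acct)
        if hr_feed[emp]["status"] == "terminated" and acct["enabled"]:
            findings["leaver_enabled"].append(acct["account"])
    for emp, accts in by_employee.items():
        enabled = sorted(a["account"] for a in accts if a["enabled"])
        if len(enabled) > 1:
            findings["dual_account"].append((emp, enabled))
    for emp, rec in hr_feed.items():
        if rec["status"] == "active" and emp not in by_employee:
            findings["joiner_missing"].append(emp)
    return findings


def reclaimable_licenses(findings, directory):
    """Count licensed accounts that the findings say should be disabled.

    Leavers and orphans are disabled outright; for a dual account the first
    account (alphabetically, for determinism) is kept and the rest are disabled.
    """
    to_disable = set(findings["leaver_enabled"]) | set(findings["orphan"])
    for _emp, accts in findings["dual_account"]:
        to_disable.update(accts[1:])
    return sum(1 for a in directory if a["account"] in to_disable and a["licensed"])


if __name__ == "__main__":
    result = reconcile(HR_FEED, DIRECTORY)
    for kind, hits in result.items():
        print(f"{kind:<15} {hits}")
    print("licences reclaimable:", reclaimable_licenses(result, DIRECTORY))
```

Running this nightly against real exports is the manual "remember ALL systems" investigation turned into a repeatable report; the licence count is the one figure from it that a CFO can check against the invoice.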
Slide 16: Why do I want it?
- Clean up legacy mess: too much unstructured data on file servers (>25 TB) governed by a homemade IAM system. Automating data owner identification, user access re-attestation and continuous reporting to data owners is a dream come true.
  - access logging has been running for the last year, first re-attestation being done now
- Future proofing IT:
  - New SharePoint Online based extranet (Collaborate): done, including external users' identities
  - New Document Management System: done, in UAT
  - New ERP system: ongoing
  - Single sign-on for all new applications utilizing an Authentication API
    - we may use TPAM to control application SQL access for web.configs instead
  - Control cloud services (like O365 or SalesForce): ongoing
- IT Security/Compliance: security and compliance I can trust for (almost) all systems. No admin can change accesses undetected.
  - supplemented with TPAM we reach full transparency
- Efficiency: a transparent and consistent (web shop look-and-feel) user self-service for all requests. The Dell1IM workflow engine will enable a more holistic user administration. Why not add users to all relevant systems in one process instead of numerous manual processes?
Slide 17: Create external user for Collaborate (screenshot)
- A transparent and consistent (web shop look-and-feel) user self-service for all requests
  - web shop more difficult to customize and much less flexible than expected!
Slide 18: File shares (screenshots): new share and re-attestation
Slide 19: How to build the case for IAM
- As-Is Analysis: list all the things that don't work properly today, with emphasis on audit findings (if you have any)
- To-Be Scenarios: time saved both in IT and LoB; IT security and compliance; ready for cloud services
- Implementation Risks:
  - Very difficult project technically. Many system integrations have to be done. No guaranteed success for all those legacy systems we all struggle with
  - High demand for change management and communication to LoB
  - Possibly an uphill battle teaching IT security alongside the project. Remember: no system will ensure compliance if end users are ignorant or ignore the rules!
Slide 20: Privileged Account Management
- Management of privileged accounts on all IT systems, including shared administrative accounts for servers & services, service accounts, database accounts, network equipment etc.
- Administrators are granted only the rights they need, nothing more, nothing less, and all activity is tracked and audited
- Recommended extra tools
Slide 21: The truth about IAM
- IAM solutions are too expensive! The market is finally evolving, but vendors have difficulties finding the right price.
- Identity as a Service solutions will come soon. Expect e.g. Microsoft to move into the area.
- Financial institutions have been doing IAM for a while. The public sector and the pharmaceutical business are next.
- Beware: some vendors make even more money helping you do the implementation than selling the software!
Slide 22: Learnings compiled by the project manager
- Make sure to train everyone involved thoroughly in the overall structure of IAM
- Train the developers; make them self-sufficient so that consultant hours can be economised. [Internal resources: 2x Developer (75%), 1x IT Architect (75%), 1x PM (50%)]
- Appoint a solution architect who can design the individual solutions and take the fundamental design decisions from the start
- Use the standard; avoid customization!
- Limit the functionality; keep it simple!
- Survey and clean up AD before you begin
- Start with a requirements specification, continue with a solution design
- Back up your solution design with prototypes; initially perhaps just with screen dumps
- Show the prototypes to stakeholders; otherwise they cannot relate to the functionality
- Ensure thorough testing, possibly in production where all systems are present, but limited to a few people and areas where no harm is done
- Make sure to communicate to end users via FAQ or other information on the intranet
Slide 23: Presenter
Henrik Mohr, Director, Global IT Operation, NNE Pharmaplan
From June 2015: Henrik Mohr, Department Manager (Afdelingsleder), KMD Group Security
Earlier positions:
- IT Manager UK, NDS Ltd (now Cisco), Southampton, United Kingdom
- IT Manager DK, NDS Denmark, Copenhagen, Denmark
- AGENCY.COM / Visionik, Copenhagen, Denmark
Education:
- IT University of Copenhagen: Master, IT Management and Strategy (ILS)
- University of Copenhagen: B.Sc. Chemistry
LinkedIn: dk.linkedin.com/in/hmohr
Slide 24: Further reading & contacts
Further reading:
- Is Identity The New Perimeter? Gartner Identity and Access Management Summit
- Magic Quadrant for User Administration and Provisioning, Gartner Research (G ), December 2012, author: E. Perkins
- A6: Cost, Consequence and Value: The Economics of IAM, speaker: Earl Perkins. "How do we measure the value of IAM? For many, justifying IAM has been elusive. It remains a horizontal concern in the vertical world of business services, something shared by all business functions but owned by none. How can an IAM project be reconciled with the budgets of business?"
Project group:
- Project Manager: Ebbe René Hjort
- IT Architect: Jakob Rohrmann Strøm
- Developers: Cheng Zhang & Huai Zhi Sheng
- Consultant: Kristian Birk Thim, Dubex
Contacts:
- Anders Funch Østergaard, Software Account Executive, Dell Software Group
- Henriette Lykke, Sales Manager - Enterprise, Dubex A/S, Gyngemose Parkvej 50, DK-2860 Søborg