Identity Management SmartCities Thursday May 7th 2009
Information Security at Digipolis
SaRMA model: Self Assessment, Risk analysis, Maturity and improvement Actions
Based on the ISO 17799 standard (Code voor Informatiebeveiliging), covering:
- Security policy
- Organization of information security
- Inventory, management and classification of information assets
- Security aspects linked to human resources
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Business continuity management
- Compliance
Long-term project: started in 2007, with subprojects per topic, run as a continuous improvement process.
Introduction
Who is it for? The customers of Digipolis Ghent and Antwerp, and Digipolis itself:
- City of Antwerp
- City of Ghent
- OCMW Ghent
- OCMW Antwerp
- Local Police Antwerp
- VZWs, Autonome Gemeentebedrijven, a.o.
Who builds it? SIEMENS IT Solutions & Services with the DirX solution, together with Digipolis.
Purpose of the IDM system
- Automatic creation of identities based on HR data
- Automatic creation of identities based on manual input
- Automatic creation of accounts in target systems
- Automatic distribution of standard access rights
- Automatic withdrawal of accounts and access rights when the person leaves or when a change in assignment occurs
- Request, process, grant and withdraw access rights upon request
- Self-service: password reset, requests for access rights
Prerequisites & Dependencies
- Centralized management of the identities (logging & auditing)
- Target systems remain autonomous
- Accounts are linked to groups in the target systems
- Target systems control and decide which access rights are granted to those groups
- Domain separation Ghent/Antwerp (on user and management level)
- Identical platform for Ghent and Antwerp
- Redundant setup in 2 data centers in Antwerp using virtualisation
- Possible expansion of the scope with additional target and source systems
- Take into consideration the existing HR-related processes and procedures in use within the different administrations
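The lifecycle in "Purpose of the IDM system" and the rules in "Prerequisites & Dependencies" (accounts linked to groups, target decides what a group grants, Ghent/Antwerp separation) can be made concrete as a reconciliation pass over an HR feed. The following is an added example, not Digipolis or DirX code; the record shapes, the group names and the department-to-group table are constructed assumptions.

```python
# Added example (not Digipolis/DirX code): HR-driven joiner/mover/leaver reconciliation.
from dataclasses import dataclass
@dataclass(frozen=True)
class HrRecord:            # one row from an HR source feed (constructed shape)
    person_id: str
    domain: str            # "antwerp" or "ghent": the administrations stay separated
    department: str
    active: bool           # False once HR records the person as having left

@dataclass(frozen=True)
class Account:             # current state of the person's account in a target system
    person_id: str
    domain: str
    groups: frozenset
# Standard rights per assignment; the target system decides what each group grants.
STANDARD_GROUPS = {"finance": frozenset({"GRP_Finance_Users"}),
                   "police": frozenset({"GRP_Police_Users"})}
def reconcile(hr_records, accounts):
    """Return the provisioning actions that bring accounts in line with HR data."""
    actions, by_id, seen = [], {a.person_id: a for a in accounts}, set()
    for rec in hr_records:
        seen.add(rec.person_id)
        wanted = STANDARD_GROUPS.get(rec.department, frozenset()) if rec.active else frozenset()
        acct = by_id.get(rec.person_id)
        if acct is None:                        # joiner: HR knows the person, no account yet
            if rec.active:
                actions.append(("create", rec.person_id, rec.domain, sorted(wanted)))
            continue
        if acct.domain != rec.domain:           # a Ghent person must not own an Antwerp account
            actions.append(("violation", rec.person_id, "account outside the person's domain"))
            continue
        if not rec.active:                      # leaver: withdraw the account, keep it for audit
            actions.append(("disable", rec.person_id, "left according to HR"))
        for g in sorted(acct.groups - wanted):  # mover: rights of the old assignment are withdrawn
            actions.append(("remove_group", rec.person_id, g))
        for g in sorted(wanted - acct.groups):
            actions.append(("add_group", rec.person_id, g))
    for acct in accounts:                       # orphan: an account with no HR record is never kept
        if acct.person_id not in seen:
            actions.append(("disable", acct.person_id, "no HR record"))
    return actions

def sample_run():  # constructed data: joiner, mover, leaver, cross-domain violation, orphan
    hr = [HrRecord("p1", "antwerp", "finance", True), HrRecord("p2", "antwerp", "police", True),
          HrRecord("p3", "ghent", "finance", False), HrRecord("p4", "ghent", "finance", True)]
    accounts = [Account("p2", "antwerp", frozenset({"GRP_Finance_Users"})),
                Account("p3", "ghent", frozenset({"GRP_Finance_Users"})),
                Account("p4", "antwerp", frozenset()),
                Account("p9", "ghent", frozenset({"GRP_Police_Users"}))]
    return reconcile(hr, accounts)
```

The pass only emits actions; applying them stays with the autonomous target systems, and the "violation" and "no HR record" outcomes are the ones worth alerting on.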
Integration Antwerp/Ghent
Antwerp
- Source systems: Peoplesoft HR system, SDWORX, SAP HR, manual input
- Target systems: Active Directory, Exchange, DTB (.NET applications), manual
Ghent
- Source systems: CEVIPS city of Ghent, CEVIPS OCMW Ghent, manual input
- Target systems: Active Directory, Exchange, Wie is Wie, Stad Gent applications, manual provisioning/INFRA
Integration Antwerp/Ghent (diagram slide; only the title survives)
Digipolis Platform topology - AD (diagram; recoverable content only)
- Source systems: manual input, SDWORX, Peoplesoft HR, CEVIPS Stad Gent, CEVIPS OCMW Gent, manual input
- Central Digipolis DirX system: DirX Web Center, DirX Identity, DirX Directory (identity store)
- Target systems, Antwerp: Active Directory forests antwerpen.local, DIGANT, STAD and OCMW, linked by forest trusts (GIGA interforest trust); manual target systems
- Target systems, Ghent: Active Directory forests GENT GRP and ADOCMW GENT, linked by an interforest trust; manual target systems
- Separate DEV and RTE Active Directory target environments
Components Diagram of the Solution (diagram; recoverable content only)
Actors and sources: Digipolis IAM administrator, administrators, end users, source systems (Peoplesoft HR, SDWORX, manual input, Cevips Stad Gent, Cevips OCMW Gent, manual input), AD management, self-service, applications, workplace access
DirX Directory (directory server & data repository): LDAP server, DSA server, DBAM database, monitoring, logging, clients; Directory Manager
DirX Identity (identity server): identity services, identity integration framework, scheduling, recovery & retry, notification, auditing, logging & statistics, monitoring, web admin, policy execution, privilege execution, request workflows, event-triggered & scheduled workflows
DirX Identity Web Center
Connector integration framework, agent integration framework, identity web services & API (SPML, LDAP, SOAP, message queues), DirX server platforms, LAN/WAN, agents & connectors (DirX product suite)
Target domains, each with an MS AD password listener: digant.antwerpen.local, stad.antwerpen.local, ocmw.antwerpen.local, gentgrp.gent.be, adocmwgent.be
Other target systems: manual Antwerp, manual Ghent; monitoring & auditing administrator
Functional Domain Separation (diagram slide; only the title survives)
IDM Evolution in 2010
- RBAC: Role-Based Access Control
- Integrate SAP as a target system
- Single Sign-On (SSO)
- Additional application integrations (physical access control, time registration)
- Federation
Q&A?