Agenda

« Return to the full agenda

Wednesday, 05.05.2010
07:30-10:00 Check-in & Registration
08:30-09:00 The Role as a Role Model
Niels von der Hude, Beta Systems Software

In many enterprises, modeling the permissions for a new employee on those of a member of staff whose job description involves similar tasks is still the established practice.

Our presentation not only points out the dangers of working in this way, but also describes the procedural method that is to be aimed for, especially with regard to compliance considerations.

This method combines the functions involved in the creation of roles (role mining), the use of roles in provisioning, and the authorization of changes by means of workflow components, thus providing a homogeneous whole that describes the entire life cycles of roles. The presentation demonstrates how this procedural model takes the functional view of an employee's role and translates it into concrete technical permissions that are immediately usable in the day-to-day work environment, and whose logic is clear to all concerned.

Based on our practical experience in role management projects, we will also present solutions for working with dynamic roles and handling the numerous dependencies that exist between roles.

09:00-09:30 Extending the Principles of Service-Oriented Security to Cloud Computing
John Aisien, Oracle Corporation

Cloud computing adoption is adversely affected by security and privacy concerns. Enterprises are often perplexed by the many challenges of cloud security and how to maintain compliance and governance in this new IT paradigm. This session will outline how to leverage existing identity and access management infrastructure, and how to extend Service-Oriented Security and standards-based interactions to successfully secure assets in the cloud; and will include customer examples.

09:30-10:00 On Cloud 9 or Lost In (that) Space
Prof. Dr. Eberhard von Faber, T-Systems

Cloud Computing has a variety of terrific characteristics. Some are really new. Others have been well known for years and just come in a different form or flavour. This is a good situation in which to discover and learn from long-term trends, point at today's critical issues or smoothly direct the discussion back on track. What processes do user organizations need to manage cloud security risks? Do our experts come across issues which will be considered fundamental five years from now? What impact does all-round cloud self-service have on enterprise security management and consistency? The cloud scales. Will security and even identities scale, or do we get stuck in identity silos? Those are the type of questions which lead to new insights, point to discussions in other track sessions and maybe induce others.

10:00-10:30 Coffee Break, Expo Area
Best Practices I
Moderator:
Sebastian Rohr, KuppingerCole
10:30-11:30 Identity Management & Cloud Computing in the Automotive Industry
Dr. Barbara Mandl, Daimler AG

On the one hand, cloud computing bears great opportunities for corporations. But if you take a closer look, especially under identity management aspects, a significant number of challenges arise.

We are trying to look into the possibilities of today, existing show stoppers and how a perspective of cloud computing in the automotive industry might look.

Managed IAM Service Project at Piaggio
Lorenzo Mastropietro, Piaggio & C S.p.a.
11:30-12:30 Bringing BMW’s New Central Identity and Access Management System into Life
Dr. Andreas Neumann, Logica Deutschland GmbH & Co. KG
Jürgen Skerhut, BMW

At BMW, a large number of applications based on the major IT platforms Windows, Mainframe, CA, SAP... are in use. In the past, several custom-made management applications were developed and deployed to manage accounts and access rights on these different platforms, sometimes using different processes. Over time these systems developed into a state of unsustainable complexity due to increasing business demands, with correspondingly high support and maintenance costs.

This situation led to a demand to improve the management of accounts in order to meet the evolving security needs of BMW Group. Furthermore, changes in international law exacerbated the situation and the need for action.

IdAS – BMW’s new Identity and Access Management System – has been designed and developed to address this situation. With IdAS, formerly disparate management and provisioning processes are integrated and automated, fulfilling the needs for flexibility, security and speed. IdAS was successfully launched in late summer 2009. The international step-wise migration and rollout was conducted in a short time frame in the second half of 2009.

The presentation will cover the following topics:

  • BMW Group – Facts and Figures
  • BMW Identity Management from past to present
  • Vision and Targets for the new IdM system IdAS
  • Preconditions and Project Structure
  • Building Blocks and Architecture
  • Challenges for Go-Live
  • Key Decisions
  • IdAS Go-Live and Rollout
  • Results
  • Lessons learned
Integrating Physical Access Control into Active Directory at King ICT, Croatia
Adrian Castillo, HID Global
Kristian Koljatic, KING ICT d.o.o.
Nino Talian, KING ICT d.o.o.

In the early years of this century, corporate telephone networks became an integral part of unified communications systems operating as part of the IT infrastructure and no longer as a stand-alone network. This second decade is seeing a new trend in IT resource rationalization, driven in part by the fact that workers are more mobile and IT networks are being exposed to the outside world, so the physical perimeter of the company's facilities is no longer the boundary of the network. As a result, the physical access control system is progressively being merged into the IT infrastructure, so that the directory of users and their access rights becomes an additional user repository that is managed by centralized Identity Management Systems. HID will show how King ICT, Croatia is prototyping a system that integrates physical access control with their central Active Directory based infrastructure.

12:30-14:00 Lunch Break, Expo Area
Best Practices II: Public Services, Health
Moderator:
Tim Cole, KuppingerCole
14:00-15:00 German National ID – Privacy by Design
Andreas Reisen, Federal Ministry of the Interior, Germany
The EC STORK Project - Approaches, Challenges, Results
Marc Sel, PwC Belgium

This talk will address the STORK project, its challenges, approaches followed and results achieved so far. STORK stands for Secure Identities Across Borders Linked, aiming to achieve interoperable electronic identities across Europe.

Against a background of the EC Treaty, which establishes freedom of establishment and freedom of provision of service via the Services Directive (to be implemented by the end of 2009 – including remote aspects), there remain many challenges, particularly in the area of IAM. eGovernment is supporting the single market, and the Council Conclusions on eGovernment (20 Nov. 2003, 14671/03) underline the importance of interoperability. Furthermore, the “Raising the game” initiative of DG InfoSoc requires interoperable e-identity.

However, while there is an e-signature directive, there is no e-identity directive. There are widely diverging approaches across the member states for National e-Identity (NeID), and as a consequence the current NeIDs are not interoperable.

STORK aims at establishing an EU-wide interoperable e-identity and access mechanism. As such, STORK is the common ground for other pilots, such as PEPPOL (electronic procurement).

15:00-16:00 SPOCS - Crossborder Access to eGovernment Services
Martin Spitzenberger, Austrian Federal Chancellery

SPOCS (Simple Procedures Online for Cross-border Services) is a pilot project launched by the European Commission which aims to improve the existing implementations of the Services Directive in Europe. It will deliver specifications and tools for a version 2.0 of the Points of Single Contact established throughout Europe by the end of 2009.

In order to build interoperable, seamless and smarter cross border services various components that require identity and access management have to be integrated. Some of the questions involved are: how to identify a legal person and bind a user to that person, how to verify electronic documents, how to authorise access to electronic document repositories (eSafes), how to identify a registered user of an electronic delivery service. These questions have to be answered in a cross border context between member states that have heterogeneous systems as well as legal frameworks in place.

SPOCS will make use of the results achieved by its "sister projects" STORK and PEPPOL in relation to mutual recognition for the use of electronic identity, documents and signatures.

Identity and Access Management at Munich University Hospital
Simon Leutner, University Hospital of Munich
Dr. Walter Swoboda, University Hospital of Munich

At the Hospital of the University of Munich many different systems are used for sampling, storing, and processing data for clinical and administrative purposes. Hence several identity databases exist, e.g. an SAP HR database for personnel management, Microsoft AD for user registration on clients, a special SAP database for e-procurement, and some others. Now a new area-wide hospital information system (HIS, Siemens i.s.h.med) makes particular demands, because it handles medical data which are directly used for the treatment of patients. Therefore the HIS, its devices, and its network can be seen as a combined medical-engineering device with very high requirements on data security and data privacy by law (see DIN EN 80001). As a specific challenge, the HIS handles not only the identity of the actual user, but also the identity of a “responsible person”, normally a highly qualified physician who can order x-rays and invasive examinations. In many cases the “responsible person” is identical to the user, but not in cases like the preparation of clinical orders by medical assistants (e.g. an order for an x-ray examination). Because of limited personnel resources in the clinical daily routine, users will not accept frequent repeated logins: single sign-on is highly recommended. We need one single system for authorization on many systems with very high safety requirements.

Method.
We set up a “Who's Who” identity database of our employees based on Siemens' identity and access management (IAM) X.500/LDAP product DirX, which is filled with data from the MS AD database. To verify the authorization, the system searches the personnel managers' SAP HR database for equality of last name, first name, date of birth, job title, ward, and other items. Small differences can be tolerated via a defined “matrix of tolerance”. Only after authorization in both MS AD and SAP HR is the user able to log in to an access application by name and password. Driven by special attributes of the MS AD and SAP HR databases, the user's clinical role and the correct “responsible person” are chosen and transmitted to the HIS. The access application is a very convenient solution for our physicians and nurses, because it offers access not only to the HIS, but also to other applications of clinical interest, e.g. the laboratory information system, radiology information system (RIS), picture archiving and communication system (PACS), applications for the presentation of diagnostic findings, and others.

Lessons learned
The IAM system is still under construction, but integration tests (DirX, i.s.h.med, SAP, and MS AD) were performed successfully. Approximately 20 percent of all uncovered errors and problems associated with the HIS belong to roles, identity and identity management (e.g. not being able to perform a specific clinical transaction like documenting a diagnosis). Therefore IAM is an extremely important part of every HIS. Roll-out of the HIS with IAM and its portal application (over 4000 users, approximately 6000 clients and area-wide distributed sub-networks) is on April 7th, 2010.
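The matching step described under Method, as an added example in Python that is not the hospital's or DirX's code: two constructed directory extracts (AD and SAP HR) are compared attribute by attribute, small deviations are accepted up to a per-attribute edit-distance limit (a hypothetical stand-in for the “matrix of tolerance”, whose real values are not given on this page), and a login is authorized only when exactly one HR record matches. The clinical role and the “responsible person” are then derived from the matched record. The job-title-to-role mapping and the per-ward responsible-physician table are assumptions made for the example. Two failure modes are handled deliberately: a mismatching date of birth (tolerance 0) denies access, and two HR records that both fall within tolerance are treated as ambiguous and denied rather than picking one.

```python
"""Tolerant identity reconciliation between an AD account and SAP HR records.

Constructed example. Attribute names, tolerance values, the role mapping and
the responsible-physician table are assumptions, not the hospital's configuration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Person:
    source: str        # "AD" or "SAP_HR" (constructed sample data)
    person_id: str
    last_name: str
    first_name: str
    birth_date: str    # ISO date string
    job_title: str
    ward: str


# Hypothetical "matrix of tolerance": attribute -> maximum edit distance allowed
# after normalisation. 0 means the attribute must match exactly.
TOLERANCE: Dict[str, int] = {
    "last_name": 1,
    "first_name": 2,
    "birth_date": 0,
    "job_title": 3,
    "ward": 0,
}

# Hypothetical mapping from the HR job title to the clinical role sent to the HIS.
ROLE_BY_TITLE = {
    "physician": "PHYSICIAN",
    "senior physician": "PHYSICIAN",
    "medical assistant": "ASSISTANT",
    "nurse": "NURSE",
}


def normalise(value: str) -> str:
    """Case-fold and collapse whitespace so trivial formatting differences do not count."""
    return " ".join(value.casefold().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def attribute_distances(ad: Person, hr: Person) -> Dict[str, int]:
    return {attr: edit_distance(normalise(getattr(ad, attr)), normalise(getattr(hr, attr)))
            for attr in TOLERANCE}


def within_tolerance(distances: Dict[str, int]) -> bool:
    return all(d <= TOLERANCE[attr] for attr, d in distances.items())


def find_hr_match(ad: Person, hr_records: Iterable[Person]) -> Optional[Person]:
    """Return the unique HR record within tolerance; None if there is none or more than one."""
    candidates = [hr for hr in hr_records if within_tolerance(attribute_distances(ad, hr))]
    return candidates[0] if len(candidates) == 1 else None


@dataclass
class Decision:
    allowed: bool
    reason: str
    clinical_role: Optional[str] = None
    responsible_person: Optional[str] = None


def authorize(ad: Person, hr_records: Iterable[Person], ward_physician: Dict[str, str]) -> Decision:
    """Allow login only if AD and SAP HR agree on who this is, then derive the HIS context."""
    hr = find_hr_match(ad, hr_records)
    if hr is None:
        return Decision(False, f"no unambiguous SAP HR record for AD account {ad.person_id}")
    role = ROLE_BY_TITLE.get(normalise(hr.job_title))
    if role is None:
        return Decision(False, f"job title {hr.job_title!r} has no clinical role")
    if role == "PHYSICIAN":
        responsible = hr.person_id          # physicians are their own responsible person
    else:
        responsible = ward_physician.get(hr.ward)   # assumed per-ward lookup
        if responsible is None:
            return Decision(False, f"no responsible physician configured for ward {hr.ward}")
    return Decision(True, "AD and SAP HR match", role, responsible)


# Constructed sample data.
AD_USERS = [
    Person("AD", "ad-1001", "Meier", "Anna", "1975-03-12", "Physician", "Cardiology"),
    Person("AD", "ad-1002", "Huber", "Jonas", "1988-11-02", "Medical Assistant", "Cardiology"),
    Person("AD", "ad-1003", "Schmidt", "Lena", "1980-07-30", "Nurse", "Oncology"),
    Person("AD", "ad-1004", "Meier", "Anna", "1975-03-13", "Physician", "Cardiology"),
]
HR_RECORDS = [
    Person("SAP_HR", "hr-501", "Meyer", "Anna", "1975-03-12", "Physician", "Cardiology"),  # spelling tolerated
    Person("SAP_HR", "hr-502", "Huber", "Jonas", "1988-11-02", "Medical Assistant", "Cardiology"),
    Person("SAP_HR", "hr-503", "Schmidt", "Lena", "1980-07-30", "Nurse", "Oncology"),
    Person("SAP_HR", "hr-504", "Schmidt", "Lena", "1980-07-30", "Nurse", "Oncology"),       # duplicate: ambiguous
]
WARD_PHYSICIAN = {"Cardiology": "hr-501"}

if __name__ == "__main__":
    for user in AD_USERS:
        print(user.person_id, authorize(user, HR_RECORDS, WARD_PHYSICIAN))
```

The date-of-birth tolerance of 0 is what keeps a one-character spelling tolerance on the surname from binding the AD account to the wrong employee, and the "exactly one candidate" rule turns duplicate HR records into a denied login that surfaces as a data-quality problem instead of a silently wrong role.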

16:00-16:30 Coffee Break, Expo Area
16:30-17:30 From Creative Chaos to Modern Service Provisioning
Dr. Nicola Stein, German Aerospace Center

The presentation describes the development of the identity management processes in the German Aerospace Center (DLR) within the last 5 years. It will in particular deal with the organisational aspects and present the individual solution of DLR:

  • Creating structures in a heterogeneous IT - clearance is necessary
  • Customer survey, understanding the user groups, offering transparency - that's how the IT gains trust
  • The "need to know"-principle - Who has access to which services?
  • End-to-end monitoring and service quality – Does it help to measure the single mouse click?


Migros Identity Management & SSO - Implementation and Perspectives
Rudolf Gisler, Migros
Dr. Peter Schill, SafeNet

Migros, Switzerland's leading retailer and one of the top retailing groups in Europe, successfully implemented a comprehensive security solution that went far beyond the initial need for a solution intended to simplify logon procedures. Together with SafeNet, Migros was able to streamline employee logon and access to multiple corporate applications and portals.

While Migros’ strategic goal was to create a comprehensive security access solution that would increase employee productivity and security, user acceptance, ease of use and convenience were also critical factors in assessing a potential solution. Today, users need only a single SafeNet smart card to carry out multiple functions: single logon to multiple applications, secure remote access, corporate ID badge and building access, to name just a few.

17:30-18:00 Identity in the Cloud – Finding Calm in the Storm
André Durand, Ping Identity
18:00-18:30 Follow the Money: How Cloud Providers' Business Needs Drive Enterprise Identity & Security
Dale Olds, Novell

Cloud computing has enabled new business models, and these business models, not cloud computing directly, are driving an upheaval in identity and security needs into the enterprise.

A handful of new and old technologies have combined to produce cloud computing, which has enabled a seismic shift in the business models of services and applications. This shift in turn is driving new security and identity needs back to the enterprise. It is imperative that enterprises understand how hosters, MSPs, IaaS/PaaS vendors, and SaaS providers make their money -- and how this works with or against enterprise security needs.

In this session we will identify types of cloud-based services, the monetary incentives for the service providers, and the resulting impacts on the enterprise security. We will detail steps enterprises can take to maximize effective identity and security policies in cloud services, as well as what to look for in service providers. We will also look at it from the perspective of the service provider -- how they can maximize their value and the loyalty of their enterprise customers.

18:30-19:00 An Information Society Perspective on Electronic Identity Management
Dr. Dirk van Rooy, European Commission, DG Information Society and Media

With the proliferation of networked electronic communication came daunting capabilities to collect, process, combine and store data, resulting in hitherto unseen transformational pressures on trust, security and privacy as we know it. The burgeoning development of the Information Society, particularly during the past fifteen years, transcended the societal readiness to respond to the transformational change evoked by ICT. The Future Internet will bring about a world that combines physical and digital elements. Technologies for pattern analysis and superpositioning, data linking, mining and collection will unleash unseen capabilities of access to personal data in a wide sense, and provide mechanisms for undesired privacy intrusion. In this context, the creation and management of identity related data and means to control their long-term use have emerged as some of the central challenges of digital life. In order to preserve trust in digital life, the European Commission recognizes that appropriate measures need to combine technology development with legal means, with user awareness and tools that support data controllers to comply with law in an accountable and transparent manner and that empower users with a controlling stake in managing their identity data. Activities are underway at many levels. European RTD programmes play their role in supporting research in trustworthy ICT, electronic identity management technologies, privacy-by-design in service layers as well as in networks, enabling technologies such as cryptography, and in generalized frameworks for trust and privacy-protective identity management.

19:00-22:00 European Identity Awards Ceremony & Buffet Dinner


© 2012 Kuppinger Cole