Identity & Access Management

If you are responsible for IAM in your company, manage IAM-related projects, or are an IT architect or otherwise involved in IAM projects, this is the track not to miss. Learn about the newest trends from KuppingerCole analysts and industry expert thought leadership, learn about best practices, and get the information you need to successfully run your projects around all areas of IAM.

After attending this track you will be able to:

  • Describe the KuppingerCole IT Model and how it provides IT services the business really needs.
  • Outline the steps you need to take to get your IT organization ready for the future.
  • Re-engineer IAM to better serve your business needs.
  • List the latest best practices for identity federation and privileged user management.
  • List best practices for lean, efficient and focused information security projects.
  • Describe the lessons learned from large IAM implementation projects.

This track in total qualifies for up to 14 Group Learning based CPEs depending on the number of sessions you attend.

KuppingerCole is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing education on the National Registry of CPE Sponsors. State Boards of accountancy have final authority on the acceptance of individual courses for CPE credits. Complaints regarding registered sponsors may be submitted to the National Registry through its website: www.learningmarket.org

For more information regarding administrative policies such as complaint and refund, please contact Mr. Levent Kara at our office's telephone +49 211 23707710, email: lk@kuppingercole.com


Wednesday, 18.04.2012
08:00-18:00 Check-in & Registration
08:30-09:00 Leveraging Identity to Manage Enterprise Change and Complexity
Jim Taylor, NetIQ

Jim Taylor, Vice President Identity and Security Management at NetIQ will discuss how identity, identity management and governance serve as the foundation for coping with an ever-changing IT environment, new business models, cloud models and more.

Auditorium
09:00-09:30 Securing Critical Banking Infrastructures in the Age of Cyber Warfare
Dr. Waldemar Grudzien, Association of German Banks

The Threat is real and in the news every day: Stolen customer information, system downtime caused by denial-of-service attacks, industry espionage, governments involved in something we eventually might need to call cyber warfare, or just any type of cybercrime motivated by money. All this happens every day and is getting worse.

For the financial industry, just recovering from the worldwide financial crisis, cybercrime is creating a new quality of risk, which has to be addressed. Dr. Waldemar Grudzien will describe those risks and propose mitigation strategies.

Auditorium
09:30-10:00 Information Security Governance in Banks: Delivering Actionable Recommendation to Management
Berthold Kerl, Deutsche Bank AG

  • What are the new threats?
  • Are the old threats already under control?
  • Is 100% protection necessary – is it even possible?
  • What do regulators expect?
  • What to do and at what cost?
  • Who decides on remediating actions and how is this done?
  • How could the decision-making process be supported?
  • What is IT’s and what is Business’s role?
  • Identifying the ‘important’ risks and getting rid of them!
Auditorium
10:00-10:30 Coffee Break, Expo Area
What to Focus on for Future-Proof IAM
Moderator: Craig Burton, KuppingerCole
10:30-11:30 The Business Value of IT
Increase Value to the Business: The KuppingerCole IT Model
Martin Kuppinger, KuppingerCole

KuppingerCole recently unveiled its view on IT: the KuppingerCole IT Model. This model focuses on fulfilling business needs: providing the services the business really needs, and ensuring that corporate information is adequately protected. Based on these targets, the model segments IT into three layers and allows mapping virtually anything. It helps increase the agility of IT in terms of quickly fulfilling business service requests. It explains how to build your IT infrastructure as well as the governance framework. It is the answer to how best to deal with the hybrid environments organizations have today, mixing different cloud environments with the existing on-premise IT. Thus it provides the logical answer for the strategic use of the Cloud. And it provides the cornerstones for building efficient on-premise environments. The model is a lean concept on which you can base your future-proof, business-driven IT.

How IAM can Catalyze the Secure Enterprise
Craig Burton, KuppingerCole
Gerry Gebel, Axiomatics Americas
Martin Kuppinger, KuppingerCole
Mike Neuenschwander, Oracle

IAM (Identity & Access Management) is one of the cornerstones of Information Security. Thinking in identities and putting the security of information and the access to information in the center of attention is the foundation for improving information security. Moving away from device-centric and network-centric security to information-centric security makes it possible to better understand information risks and the actions required to mitigate these risks and better secure your enterprise. In this panel, leading industry experts, all with an analyst background, and KuppingerCole analysts discuss the role IAM plays for information security and the future of IT Security in general.

Ammersee 1
11:30-12:30 The Future IT Organization
Winds of Change in your IT Organization: Get ready for the Future
Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

IT Organizations are on the move. The Cloud requires new skills in procurement, service orchestration and service management. An increasing number of CEOs nowadays aren’t IT veterans anymore but young managers who understand the CIO role as an important career step. And the demand for more Business/IT alignment drives the change of IT organizations as well. In this session, you will learn how to fundamentally restructure your IT, following the KuppingerCole IT Model. This results in an IT organization which is business-driven and focused. This also supports efficiency gains in IT production. It is about an agile organization, ready for the future.

The Future of Identity & Access Management: Embrace, Extend - and don't Replace?
Niels von der Hude, Beta Systems Software
Hassan Maad, Evidian
Mike Neuenschwander, Oracle
Alberto Ocello, Crossideas
Darran Rolls, SailPoint
Jonathan Sander, Quest Software
Jim Taylor, NetIQ

Most organizations have made quite some investment in IAM and Access Governance. But they need much more. They need to integrate, they need to extend what they have done, and they need to leverage developments like geographically dispersed infrastructures, mobile computing and cloud. Thus good solutions should add value to what these organizations have instead of putting most effort into redoing things which cost a lot of money. In this panel, we will discuss strategies for IAM and Access Governance that focus on adding value, enhancing what customers have and filling the gaps they might have, without ending in vendor clashes.

Ammersee 1
12:30-14:00 Lunch Break, Expo Area
IAM Architecture
Moderator: Fulup Ar Foll, KuppingerCole
14:00-15:00 Identity Federation
Identity Federation Challenges and how to approach them
Thomas Gundel, IT Crew
Travis Spencer, Ping Identity
Colin Wallis, New Zealand Government

In recent times, where the term "federation" is slipped into the conversation as if it were a straightforward, hassle-free process, there lurks a multitude of technical challenges. Chief amongst those are the "session state" issues of SLO and idle time-out. This panel session will unpick the problem and touch on various approaches being used to solve it, manage it, or avoid it.

Best Practice in Out-sourced Federation: WAYF
David Simonsen, WAYF
Ammersee 1
15:00-16:00 Privileged Access
PCI-DSS, SOX, Basel: How to Manage Privileged Access and Pass the Audit
Sharon Farber, CA Technologies
Fulup Ar Foll, KuppingerCole
Jochen Koehler, Cyber-Ark

Privileged accounts like root, sysadmin or Oracle system, are necessary to run and manage databases, middleware and operating systems. These accounts are the most powerful within an organisation as they allow access to any type of business and in most cases ‘critical’ information. So if somebody wanted to severely damage your business, attacks targeting these privileged accounts would be the way to do it.

This leads us to the question: Would you at least find out if a privileged account is being misused? In other words: Do you actually know who is using such accounts and whether this usage is necessary and allowed? If this is a question you are asking yourself from time to time, the auditor would dive much deeper and also ask, ‘Exactly what was done during a certain session?’ Considering that, according to the Ponemon Institute 2012 Cybercrime Survey, 62% of respondents reported malicious insider breaches, we can assume that the auditor's questions are reasonable and it would be good to have an answer.

In this panel discussion, we will look into the reliability of currently available solutions and talk about the different approaches to reach compliance with PCI-DSS, SOX, Basel and comparable regulations.

Ammersee 1
16:00-17:00 Coffee & Networking, Expo Area
17:00-18:00 Directories
Single Point of Access: The IAM Strategy at Teleflex
Nick Sabinske, Teleflex

Working across six continents, Teleflex provides medical devices used in critical care and surgeries across the globe. Their products help protect patients from infections and enable surgeons to do safer, less invasive procedures ranging from vascular access, anesthesia and airway management among many others.

Teleflex Incorporated (www.teleflex.com) has a core identity management strategy: one point of access. Beginning as just a temporary fix to decommission the company's Sun LDAP directory, Teleflex began their use of a virtual directory. The virtual directory allowed the company to link all of their separate directory information into one enterprise directory. Using directory virtualization, Teleflex was able to eliminate custom scripting, serving up employee data from SQL databases to the receiving applications without scheduling synchronization tasks.

The enterprise directory has now become a significant part of Teleflex's identity management strategy to improve facilitation of acquisitions, eliminate custom scripting to obtain employee data from Teleflex's HR Vista system and to unify and simplify both application access and the end user experience.

One Identity Service, Many Initiatives: Exploring Use Cases for Identity Virtualization
Fulup Ar Foll, KuppingerCole
Nick Sabinske, Teleflex
Ulrich Schulz, Radiant Logic

Modern identity infrastructures are a tangled web of identity sources, protocols, and various security means. This panel discussion will focus on the challenges around unifying a disparate identity infrastructure for identity management and federation initiatives. The panel will explore how an identity service, enabled by virtualization, can be used to tackle many kinds of identity management challenges, and facilitate the addition of new identity stores and populations. Nick Sabinske’s experience at Teleflex will serve as a catalyst for the panel discussion, while Ulrich Schulz of Radiant Logic will extend the discussion with other real-life deployments, and Fulup Ar Foll from KuppingerCole will provide an objective, third-party view of the industry.

Some of the points to discuss:

  • Integrating identities stored in Active Directory with the rest of the identity infrastructure, including multiple directories, databases, and web-based applications
  • Why a single access point is an essential starting point for many identity management and federation initiatives
  • When to choose an on-premise identity management solution compared to a hosted solution
  • Achieving single sign on across disparate identity sources and federated systems
  • Improving user experience by minimizing credentials and providing uniformity
Ammersee 1
18:00-18:20 How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API
André Durand, Ping Identity

Cloud computing and the increasingly mobile workforce are causing enterprises to rethink established IT security norms in new, revolutionary ways. Companies are seeing that latent data and internal resources can be exposed as new cloud APIs that scale as demand increases. This use of the cloud allows organizations to address the need for mobility and Internet-scale consumption. This sea change to services-driven architecture is resulting in novel ways that data and processes are accessed and monetized, one that cannot be ignored or avoided. Cloud APIs are a disruptive technology that will transform how IT delivers value and are a natural follow-on to SOA, Web 2.0, and early uses of cloud computing. Understanding the central role that identity plays in forming the new perimeter around these APIs is critical.

In his keynote, André Durand, CEO of Ping Identity, will provide insights and examples of how innovative customers of his are leading the way in this Cloud API revolution.

Auditorium
18:20-18:40 Top Challenges and Threats Security Managers Should Watch Out For
Prof. Dr. Eberhard von Faber, T-Systems
Auditorium
18:40-19:00 How to build a Secure and Open Cloud
Stephan Bohnengel, VMware

See how to build a complete cloud, starting small and secure in your own datacenter and how you can leverage new security approaches to build even a hybrid cloud without compromising compliance and IT-control.

Auditorium
19:00-21:00 European Identity Awards Ceremony & Buffet Dinner
Dr. Nigel Cameron, Center for Policy on Emerging Technologies (C-PET)

Thursday, 19.04.2012
08:00-18:00 Check-in & Registration
08:30-09:00 How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile
Ralf Knöringer, Atos IT Solutions and Services GmbH

Identity and access management has evolved from the needs of large organizations and international operating enterprises. Automated user and entitlement management enabled the IT organizations to reduce costs and increase efficiency.

Today, legal and regulatory compliance dominates the deployment of identity and access management solutions. The level of control therefore follows the risk exposure and the transparent risk taking of the business owners. Identity and access governance with comprehensive analysis and reporting functionalities ensure transparency of rights, roles and entitlements.

Customers demand modular and service-oriented offerings managing identity and access for on-premise environments and cloud infrastructures.

Enterprise customers and service providers benefit from perimeter-less security services like cloud SSO and entitlement services for mixed environments (on-premise, private, public and hybrid cloud). This keynote will present a look at existing and future scenarios.

Auditorium
09:00-09:30 The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt

Internet applications are becoming more and more personal, which raises major privacy problems. One example is the quest for more and more identification for the use of Internet resources such as social networks or participation platforms. Anonymous access can address the privacy issues, but in many applications some reputation management is needed. The question is then who can assure which claims, properties or attributes, and which information is given to the relying party to enable the assurance.

Classical trustworthy credentials normally do not respect privacy. They often reveal the identity of the holder even though the respective application often needs much less information, for instance only confirmation that the holder is a teenager or is eligible for social benefits. In contrast to that, Attribute-based Credentials allow a holder to reveal just the minimal information required by the application, without giving away a full identity. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-preserving digital society.

However, the main existing implementations of ABCs, U-Prove and Idemix, are not really compatible, which makes interoperation and interchangeability difficult. Consequently, concerns about lock-in can hinder the uptake of ABC technologies.

This presentation will give an introduction to ABC4Trust (https://abc4trust.eu), a European Union funded Integrated Project to achieve the federation and interchangeability of ABC technologies. Its objectives are:

(1) a common, unified architecture for ABC systems to allow comparing their respective features and combining them on common platforms

(2) open reference implementations of selected ABC systems and

(3) actual production pilots allowing provably accredited members of restricted communities to provide anonymous feedback on their community or its members.

The first pilot application at a Swedish school will involve pseudonymous community access and social networking for school students (pupils). The second pilot application at Patras University (Greece) will involve polling, especially anonymous collection of feedback from authorized students about the courses they took and the respective lecturers.

Auditorium
09:30-10:00 Trust and Complexity in Digital Space
Dr. Jacques Bus, Digital Enlightenment Forum

The concepts of trust and security are deeply embedded in our society and are therefore strongly affected by the societal transformation caused by the digitization. Societal and technical change is strongly influenced by the growing complexity of society related to the emergence of easy worldwide communication, the Web and mass data collection. In this paper I discuss security and trust as fundamental drivers for self-organizing communities in our society. I highlight the concepts of trustworthy technology and trust in the societal context, as well as the difference between accepting technology and trusting technology. An important observation is that a complex system cannot be fully understood through reductionism. The discussion leads to some cautious conclusions on future actions.

Auditorium
10:00-10:30 Coffee & Networking, Expo Area
IAM Architecture
Moderator: Dr. Horst Walther, KuppingerCole
10:30-11:30 Re-engineering IAM
Re-engineering IAM to better serve your Business Needs
Martin Kuppinger, KuppingerCole

Identity and Access Management as most organizations have implemented it is changing. Provisioning, the core element in former days, still plays some role, but with Access Governance becoming established, new concepts like Access Intelligence (in its still somewhat undefined form), integration with SIEM, re-thinking of established IT concepts like Message Queueing for the role they can play in Identity and Access Management, and many other influencing factors, Identity and Access Management has to be re-thought where it is already established. The art of re-engineering is the balance between an advanced solution and architecture on one hand and the protection of investments on the other. How can you leverage what you have towards a more mature, more flexible, more future-proof, business-focused solution? What will you need in the future and what does it take to get there? And what about dealing with new groups of users like your customers and trends like BYOD (bring your own device)? And how about the changing requirements around privacy and information security?

KuppingerCole strongly believes that it is time to re-engineer Identity and Access Management and to rethink the established approaches. Martin Kuppinger will present the future view of Identity and Access Management and explain how to best re-engineer it.

The Role of Open Source in Today's IAM Infrastructure
Allan Foster, ForgeRock
Michael Kleinhenz, tarent AG
Martin Kuppinger, KuppingerCole
Building Identity & Access Management as a Public Administration Service for the Trento Autonomous Province
Fabrizio Russo, Trento Autonomous Province

This session will explore how Trento Autonomous Province is working to establish standards that make it easy for (local and central) government agencies and businesses to consume identities with confidence in their quality.
Fabrizio Russo, Trento IAM Project's chair, will discuss the local government's role in establishing a trustworthy identity infrastructure.
This session will explore: 1) The importance of a comprehensive identity and access governance strategy targeted at the highest-risk areas within the organization. 2) How Trento IAM provided the glue to incorporate business-oriented aspects, data protection, activity and risk management. 3) The challenges, impact, lessons learned and next steps in the Trento IAM journey.

Ammersee 1
11:30-12:30 Best Practice
Identity & Access Governance (IAG): Building the Business Case & Implementation
Jethro Cornelissen, Rabobank International

Many companies are making IAG projects a high priority because of the business benefits the governance-based approach delivers. In this session, Rabobank International’s Global head of security operations, Jethro Cornelissen, presents an IAG case study and discusses best practices for demonstrating business value in each phase of an IAG implementation.

Deployment of a Role Based Access Identity Management System in a University Hospital
Pierre François Regamey, CHUV – Centre Hospitalier Universitaire Vaudois

François-Pierre Regamey, CIO of CHUV, a large Swiss university hospital, will describe how Identity Management takes a central part in CHUV's strategic drive toward digital healthcare.

The presentation will cover the strategic and practical aspects of Identity management deployment in a hospital. It will present the lessons learned, main recommendations and key success factors.

CHUV's strategic plan calls for a strong development and integration of the hospital's health information through the deployment of a hospital wide electronic patient record. Health personnel, including 1,400 MDs, must access 200 applications from CHUV's 8,000 workstations. The growing role of IT in the quality of care creates confidentiality risks - therefore efficient identity management is mandatory to find a balance between security and ease of access.

The project required a technical implementation, but also a streamlining of the hospital's authorization procedures. An important aspect was an inventory and redefinition of stakeholders, roles, authorization rules and procedures. As a guideline, Identity Management must target the simplicity and speed of the hospital's most common and critical processes, such as patient arrival, temporary health practitioner authorization and personnel move.

Based in Lausanne, Centre Hospitalier Universitaire Vaudois (CHUV) is one of Switzerland's largest university hospitals with over 1,400 beds, 10,300 employees and 4,000 external consultants.

Ammersee 1
12:30-14:00 Lunch Break, Expo Area
IAM Architecture
Moderator: Dr. Horst Walther, KuppingerCole
14:00-15:00 Security Intelligence
Best Practices for Lean, Efficient and Focused Information Security Projects
Dr. Horst Walther, KuppingerCole

From our Advisory Services, KuppingerCole has a long and comprehensive experience in how to do Information Security Projects in a lean, efficient, and focused way. This session will provide you advice on how to mitigate your project risks, how to solve the IT/Business alignment challenge in such projects, and how to ensure that you end up with the solution you need – and not the solution your auditor’s preferred consultants or the technology vendor have in mind. There is a lot of room for improving your projects to better meet your targets while keeping the projects lean.

Identity and Security Intelligence
Kim Cameron, Microsoft
Matthew Gardiner, RSA
Robert Griffin, RSA, the Security Division of EMC
Edwin van der Wal, Everett

Security is now as much a question of visibility as it is of controls. Enterprises need to be able to see what’s happening throughout their physical and virtual environments, including both in house and in the cloud. This session discusses the role of identity management in security intelligence, including the kinds of information that enterprises need to collect, the kind of analysis that needs to be performed and the ways that the resulting security intelligence can be applied in making effective security decisions.

  • Most things we look at in IAM systems like Identity Provisioning are focused on creating logs and historical reports, but not on analyzing real-time activities
  • Most things we do for example in SIEM (Security Information and Event Management) or (even worse) at the firewall level (despite some advances in “next generation firewalls”
  • Integrating IAM with DLP, SIEM, Firewalls thus is a must – security intelligence without taking identity into account is security stupidity
  • When moving forward with new concepts like claims-based authentication and the underlying authorization another aspect comes into play – how do you monitor and analyze what is happening here? Things become even more complex and providing Governance and Intelligence here from the very beginning appears to be important
  • In addition there will be some discussion about how to deal with “dynamic authorization management” environments from that perspective – when looking at XACML or claims-based concepts, we don’t rely on static access control lists but on policies and decisions made based on attributes/claims provided at real-time, which is a new aspect. That is probably a little outside of the key topic, nevertheless it makes sense
  • Besides this there is the notion of Access Intelligence now which some vendors interpret just as using Business Intelligence technologies on identity-related log data (beyond reports) while others include real-time information from DLP or SIEM or whatever. You might discuss whether there is a need for that; whether this is really new (I’d say it is something which is just part of Access Governance); and what it should cover
Ammersee 1
15:00-16:00 Access & Entitlements
Best Practice: Telecom Italia
Giovanni Ciminari, Telecom Italia

In order to comply with internal and external regulatory requirements, Telecom Italia had built a "Traceability & Secure Logging Framework."

During this session we will cover this framework as a basis for a ‘best practice’ approach on how to implement a good Identity and Access solution.

Access & Entitlements - More than just Role Management
Gerry Gebel, Axiomatics Americas
Martin Kuppinger, KuppingerCole
Marco Venuti, CrossIdeas

Access Management is a hot topic. It is about controlling who has access to what or, in other terms, who is entitled. Entitlements are what we need to manage. A common approach to that is Role Management. Role Management is established, and there is a lot of experience with it. However, this experience led to two important learnings:
1) You need more than roles - you need to understand competencies, context, and the business processes.
2) Role Management approaches are typically too coarse-grained for complete access management down to the system level. The result is that the high-level management is done by roles. The lowest level of this role model (which typically is 2- or 3-tiered) then is mapped to the highest level within the different systems: SAP roles, Active Directory groups or whatever else.
A better Access Management, really and fully managing the entitlements, needs to go beyond roles and beyond a static assignment of entitlements. It is about moving forward to a Dynamic Authorization Management that integrates with what you have. That is a longer journey, but you should start now. The session will provide best practices, experiences and advice on how to move forward to real entitlement management.

Ammersee 1
16:00-16:30 Coffee & Networking, Expo Area
16:30-17:30 Authorization
Cloud Ready Authorization Architectures
Gerry Gebel, Axiomatics Americas
Prof. Dr. Sachar Paulus, KuppingerCole

Authorization seems to still be one of the dirty secrets of IT. There is a lot of work around managing identities and accessing them. There are standards for that, like LDAP, SPML or SCIM. There is a lot of work done around managing authentication, with far too many standards like OAuth, OpenID, Kerberos, and all the others. Vendors are heavily investing, startups are popping up, and end user organizations are jumping on that topic.

However, when it comes to authorization, there are only a few vendors engaged. There is a standard - XACML is the common language for authorization. There are some additional standards like RBAC NIST which are limited both in what they cover and how good they are to use in practice. But if you look at end user organizations, there are still few really jumping on that train.
On the other hand, there are three major drivers for putting more emphasis on solving the authorization problem:
1) IT has to support more users, especially end users. But they are all accessing the same systems and information. Thus, authorization has to be far more granular and flexible. A key to agile business is the ability to manage this better than today.
2) Regulatory Compliance is about managing access. It is about authorization. Better authorization helps meeting the requirements in that space.
3) Applications are increasingly distributed and we need an efficient approach to manage authorization for all applications. Just using SCIM or SAML with a SaaS application like salesforce.com isn't sufficient when we still have to manage all the authorization rules using the proprietary management interfaces or APIs of the SaaS provider. We need to provide rules.
Thus, authorization has to change. It has to get cloud-ready (and not only that), to support all the users from the Cloud, all the apps in the Cloud, and all the new regulatory requirements which will pop up due to the inherent risks of the Cloud.
This is a challenge for both Cloud Service Providers and End User Organizations. They have to adapt the way they are doing authorization.
This session will talk about what you have to do for a Cloud Ready Authorization Architecture and what that could look like.

Ammersee 1
17:30-18:00 Closing Keynote
Dave Kearns, KuppingerCole
Prof. Dr. Sachar Paulus, KuppingerCole
Auditorium

© 2013 KuppingerCole