Stephan Hendriks, Eric IJpelaar - Identity access management in the cloud
1. DSM ICT
Not be used in any other publication after explicitly approval of presenters
0
Identity & Access Management in the cloud
Stephan Hendriks, Eric IJpelaar
November 3, 2010
Actual photo of Dubai City, taken from atop the Burj Tower.
Agenda
• Setting the scene
• Who are we?
• Define the topics
• Getting to know DSM
• The challenge
• The approach
• The solution
• Key takeaways
Stephan Hendriks
Eric IJpelaar
What is Cloud Computing?
• Wikipedia
You can search yourself
• ENISA report
Cloud computing is an on-demand service model for IT provision, often
based on virtualization and distributed computer technology
• Highly abstracted resources
• Near instant scalability and flexibility
• Near instantaneous provisioning
• Shared resources (hardware, database memory)
• Service on demand usually with “a pay as you go” billing system
• Cloud Security Alliance view (figure): SAAS, PAAS and IAAS delivery models, each either shared or dedicated, and either external or internal
What is Identity and Access Management?
• DSM definition: The business processes, policies
(including enforcement of these policies) and technologies
that enable organizations to provide the right people, with
the right access, at the right time to applications and
resources – while protecting confidential, personal and
business information against unauthorized users.
DSM is everywhere
Focus on Life Sciences and Materials Sciences
Figure: Life Sciences (Nutrition, Pharma) and Materials Sciences (Performance Materials, Polymer Intermediates), plus EBAs, mapped onto Health and Wellness, Climate and Energy, Functionality and Performance, and Emerging Economies
DSM Mission
The planet is our Care™
Hidden Hunger – a global challenge
Definition:
• Enough calories to stay alive, but
• Not enough vitamins and minerals to be
mentally and physically healthy
Over 2 billion people affected worldwide, claiming 10 million lives every year
Figure: Recognition, Involvement, Partnering, Business; Nutrition Improvement Program
Innovation is our Sport™
DSM Composite Resins, Olympic sailing 470 class racing dinghy: stiffness +120%, strength +200%, 2,5% less weight. Silver for Berkhout and de Koning!
Fabuless™, a breakthrough in weight control: Dutch consumers bought more than 5 million bottles of Optimel® with Fabuless™ in the first three months of market introduction!
DSM ICT BV: Organisation and Governance, some figures
Affiliate locations: Singapore, Basel, Sittard, New York, Sao Paulo, Shanghai
DSM-ICT Organization: Employees 500+; Nationalities 15; Affiliate locations 6
Services: Sites 230; Countries 48; End-user workstations 19.000; SAP users 10.000; Business applications ca. 1600
World-wide, centralized ICT organization; BG ICT spending ~90% by DICT; high level of standardization; 23000 total DSM employees
Agenda
• Setting the scene
• The challenge
• The new Strategic Vision
• The new Process Model
• The architecture balancing act
• The approach
• The solution
• Key takeaways
The new strategic vision: entering a new era of growth
Figure: DSM in motion: driving focused growth
• Pillars: High Growth Economies; Innovation; Acquisitions & Partnerships; Sustainability
• Transitions: from reaching out to becoming truly global; from building the machine to doubling the output; from portfolio transformation to growth; from responsibility to business driver
• Life Sciences and Materials Sciences addressing key global trends & exploiting cross fertilization in One DSM
• Perf Mat growing via innovative sustainable solutions
• Pol Int strengthening backward integration for DEP
• Pharma leveraging partnerships for growth
• Nutrition continued value growth
• EBAs building new growth platforms
The necessity of change
• Better information and knowledge sharing
• Improving collaboration inside and outside the enterprise (e.g. federation)
• Efficiency in our work
• Anticipate organizational change and growth (agility)
• Quick onboarding of mergers and acquisitions
• Impacting … people / behaviors, processes, information management, tools
The new DSM Process Model: Apollo 2.0
• Aligning the Business Process Model with the “new DSM”
The balancing act in platform management …
Figure: speed in delivering new functionality; divestments / M&A; complex IT platform with many components; end to end testing and documenting; standard versus harmonized versus local; impact assessment of changes; project dependencies; insight in business controls & compliance
Agenda
• Setting the scene
• The challenge
• The approach
• Architecture as structure
• Internet Centric
• The solution
• Key takeaways
Critical success factors require good enterprise architecture
• Many people involved, one approach
• Create buy-in with all stakeholders
• End to end
• Roadmap based incremental implementation
• Each step needs to have a business need
Architecture as structure: TOGAF
Top down translation of the strategy to the Business Model
• Translate the business strategy into a Business Model / Business Priorities Guide
• DSM: Information plans per Business Group as input
• Incremental delivery in 1 ½ - 2 years
Figure: Business Model & Business Priorities Guide
IT Platform Management
• From Business Model / Business Priorities Guide to Platform Discussion Guide
• All consolidated Platform Discussion Guides are translated into an integral ICT Roadmap
• Platform development follows and supports the business priorities
Architecture principles as guideline
Business Strategy
IT Strategy
Design Principles
1. Standardization
2. Simplification
3. Consolidation & Centralization
4. Evolutionary implementation
5. Independent Service Blocks
6. Minimize On Site support
7. DSM Ownership
8. Portability
9. Information Oriented
10. Data is an asset
Visionary Principles
• Internet Centric
• Cloud Computing/Utilization
• Consumerization
• Agility
Explanation of visionary principles
• Internet Centric: using Internet technology to connect end-nodes and striving for zero-footprint end-user devices.
• Cloud Computing/Utilization: on demand services that can be charged based on usage.
• Consumerization: consuming services with any tool, any product or any device which is common in the ICT consumer market.
• Agility: dynamic services that can easily and quickly be added, changed, or removed.
The core principle ‘Internet Centric’ visualized
Figure: a non-trusted computer and trusted PDA, smartphone, desktop and laptop end-nodes connect to the DSM Data Center and to a SaaS Provider; connectivity is based on Internet technology
Taking into account security risks & legal requirements
• Moving to the consumer market means:
  • Brands & intellectual property protection becomes more important
  • Reputation damage has a bigger influence on shares and sales
  • FDA and other regulations become more important
• Changing the use of ICT means ensuring the level of trust:
  • Person/identity: be sure that the user is the person he/she claims to be
    • Multi factor authentication: e.g. digital certificate on a token or derived from an authentication action (e.g. iris scan)
  • Device / end-node: be sure that the device connected is OK
    • Certificates for DSM end-user devices
    • Certificates for end-nodes/servers
  • Application: be sure that the application is the approved one for DSM
    • Check it is a trusted DSM application with correct certificate licenses
  • Data: be sure you can trust the (integrity of) data
    • Data Access Control
    • Encryption
    • Enterprise Rights Management
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
• Integrated Roadmap
• Identity & Access Management
• Example: Sharepoint 2010
• Key takeaways
Integrated Roadmap (key projects)
Figure (from today towards new generation ICT): Next Generation Network; Identity & Access Management; Enterprise Search; New Workplace; Business Process Management; SharePoint 2010; EDM; Data Protection; Site Server Redesign; HR System of Record; IRM/DRM; Master Data Management
Identity and Access Management in the Cloud
Important element in an integrated roadmap towards a new generation ICT, next to a culture change / new WOW program
Objectives for IAM Solution
Objective: Support Internet Centric Vision and SAAS computing.
• From: Different credential management and authentication methods for different applications, and no secure authentication data transfer over the internet to get access to SAAS applications.
• To: Common security / regulatory compliant processes and tools that support secure uniform data transfer for authentication over the internet.
Objective: Comply with security and regulatory requirements.
• From: Different credential management and authentication methods for different applications. Lack of visibility and control over access policies and use.
• To: Common security / regulatory compliant processes and tools. Low cost, easy to deploy strong authentication when needed. Centrally managed policy based access controls.
Objective: Reduce development and operational costs.
• From: Application specific implementations for identity and account management and access control. Multiple components requiring complex (custom) integration.
• To: A single platform for common functionality (e.g. web access management). Integrated IAM platform based on out of the box tooling.
Objective: Ease of use / simplicity for all users (internal and external) who interact with DSM.
• From: Network based access controls. Multiple user id/passwords for different applications. No service based concepts (SOA / BPM).
• To: Identity based access any time anywhere to applications and services in the DSM network or internet domain. Single sign on based on common credentials, for internal and external users. Federated access/SSO to SAAS solutions.
Objective: Integrated IAM process and tools (efficient and effective response to new/changed users).
• From: Fragmented identity management systems with separation of internal / external. Multiple manual steps required for creation and maintenance of identities and accounts. Unreliable procedures for revoking access on employee termination.
• To: Integration of internal and external identities in one process. Automated process for user provisioning / de-provisioning to main business applications.
Identity & Access Management – a simplified picture
Figure:
1 Tactical Identity & Access Model Management: Access Modeling (User vs. Role, Roles vs. Rights)
2a Operational User Management: Request Form, New user ‘Form’, Approval process
2b Provisioning: User vs. rights, onto the Target Systems
3a Use: Users / Admins present Credentials (e.g. Username / Password) for Authentication, Authorization & ‘use’ on the Target Systems
4 DSM employee Management: HR Systems record new staff, retirement, resignation and transfer; the Identity & Access Store checks whether identities are in sync
What are the drivers for the business to quickly remove leavers and add joiners!
Who is responsible for which data field!
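The "check if identities are in sync" step between the HR systems and the Identity & Access Store, written out as an added example (not DSM's code): HR is treated as the system of record, and the reconciliation yields joiners to provision, leavers to de-provision, transfers to re-evaluate and orphan accounts to investigate. All records and the status values are constructed sample data.

```python
# Added example (not DSM's code): reconcile an HR system-of-record feed against
# the identity & access store. Joiners are provisioned, leavers (retirement,
# resignation, expired contract) de-provisioned, movers (transfer) flagged for
# a role re-check, and enabled accounts without any HR record reported as orphans.
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEAVER_STATUSES = {"retired", "resigned"}   # constructed status vocabulary


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                      # "active", "retired" or "resigned"
    department: str                  # a change here is a transfer
    end_date: Optional[date] = None  # contract end, if any


@dataclass(frozen=True)
class StoreAccount:
    employee_id: str
    enabled: bool
    department: str


def reconcile(hr_feed, store, today):
    """Return {employee_id: action}. HR wins every conflict; the store
    never creates identities on its own."""
    accounts = {a.employee_id: a for a in store}
    actions = {}
    for rec in hr_feed:
        acct = accounts.get(rec.employee_id)
        expired = rec.end_date is not None and rec.end_date <= today
        if rec.status in LEAVER_STATUSES or expired:
            if acct is not None and acct.enabled:
                actions[rec.employee_id] = "deprovision"  # leaver with live access
        elif rec.status == "active":
            if acct is None or not acct.enabled:
                actions[rec.employee_id] = "provision"    # joiner or rehire
            elif acct.department != rec.department:
                actions[rec.employee_id] = "transfer"     # mover: recheck roles
    known = {r.employee_id for r in hr_feed}
    for eid, acct in accounts.items():
        if eid not in known and acct.enabled:
            actions[eid] = "orphan"  # enabled account without an HR identity
    return actions


def sample_reconciliation():
    # Constructed HR feed and store; the deck date, 3 November 2010, is "today".
    hr = [HrRecord("e1", "active", "Nutrition"),
          HrRecord("e2", "resigned", "Pharma"),
          HrRecord("e3", "active", "Polymer Intermediates"),
          HrRecord("e4", "active", "Pharma", end_date=date(2010, 10, 1))]
    store = [StoreAccount("e1", True, "Pharma"),
             StoreAccount("e2", True, "Pharma"),
             StoreAccount("e5", True, "Nutrition")]
    return reconcile(hr, store, date(2010, 11, 3))
```

The orphan and deprovision results are the ones that matter for the "unreliable procedures for revoking access on employee termination" gap named in the objectives.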
Requirements for the authentication process
• It should be as independent as possible of the authentication mechanism you are using (smart card, token, mobile phone) but should support strong/multifactor authentication (having something and knowing something)
• Could support physical access and logical access in one authentication mechanism / card / token
• External users whom we want to identify personally (not only trusting the company so that everybody of the company can access) should be possible
• When working externally or internally, the authentication process and the screen the DSM user will see should be the same
• Business partners' employees, contractors, and DSM employees should authenticate in the same way
• The solution should be as general as possible, but DSM should strive to limit the number of authentication process protocols
End Goal for Authentication & Single Sign On
• A single experience for employees and business partners in accessing in house applications and outsourced functions
• One mainstream identity that is recognized by every application
Figure: Enterprise A, Enterprise B and Enterprise C linked by user interaction, web based interaction and web service invocation
Moving towards an Open Enterprise
Figure: Web SSO / WAM, Enterprise SSO, Cloud SSO and Claims Authentication in front of E-business, SAP, EDM and SaaS applications, alongside OpenID, Google (STS), LiveID and Windows (STS)
Protocol Stack:
1. SAML
2. WS federation
3. Radius
4. Kerberos (internal)
Access and Authentication – a simplified picture
Figure: timeline (axis: Time)
Example - SharePoint 2010
Access matrix (columns: User Type / Directory Service, Device, Location, Authentication, Presentation):
• DSM employee or 3rd party hired by DSM (DSM Directory): DSM Workstation, Internal / VPN, SSO; or Any Device, Internet, User name / Password → Intranet, Team Sites, My Site
• 3rd party not hired by DSM (Extranet Directory): Any Device, Internet, User name / Password → Team Sites
• Internet: all authorized applications
Timeline (figure): gradual addition of devices; gradual addition of (cloud) services; roll out of SSO / Federation / (Strong) Authentication; roll out of Identity Management and Data Protection
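The SharePoint 2010 matrix above, encoded as an ordered rule set, as an added example (not DSM's code). Assumptions not on the slide: the first matching row wins, a request matching no row is denied, SSO satisfies a row that asks for user name / password but not the reverse, and the "any device over the Internet" row for the DSM directory presents the same Intranet / Team Sites / My Site as the workstation row.

```python
# Added example (not DSM's code): the SharePoint 2010 access matrix as ordered
# rules with deny-by-default, so an unanticipated combination (an extranet
# user on the internal network, a DSM workstation logging in with a password
# where SSO is expected) is refused instead of silently granted.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    directory: str   # "dsm" (employee or 3rd party hired by DSM) or "extranet"
    device: str      # "dsm_workstation", or anything else for "Any Device"
    location: str    # "internal", "vpn" or "internet"
    auth: str        # "sso" or "password"


INTERNAL = frozenset({"internal", "vpn"})
DSM_SITES = frozenset({"Intranet", "Team Sites", "My Site"})
# (directory, required device or None for any, locations, required auth, presentation)
RULES = (
    ("dsm", "dsm_workstation", INTERNAL, "sso", DSM_SITES),
    ("dsm", None, frozenset({"internet"}), "password", DSM_SITES),
    ("extranet", None, frozenset({"internet"}), "password", frozenset({"Team Sites"})),
)
AUTH_STRENGTH = {"password": 1, "sso": 2}  # assumption: SSO outranks a password


def applications_for(req):
    """Applications the request may be presented, or an empty set (deny)."""
    for directory, device, locations, auth, apps in RULES:
        if req.directory != directory or req.location not in locations:
            continue
        if device is not None and req.device != device:
            continue
        if AUTH_STRENGTH.get(req.auth, 0) < AUTH_STRENGTH[auth]:
            continue  # weaker credential than the row requires
        return apps
    return frozenset()  # deny by default


def can_access(req, app):
    return app in applications_for(req)
```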
Agenda
• Setting the scene
• The challenge
• The approach
• The solution
• Key takeaways
Key takeaways
• Delivery of the Business Strategy through good enterprise architecture
• Internet Centric as a core principle towards collaboration and innovation
• Security requirements/measures currently in use conflict with, or are unclear for, internet centric collaboration and innovation, and need to be updated
• It is a continuous evolutionary process
• I&AM is an essential part
• You need to change culture (new WOW) as well