KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Ralf Knöringer, Manager Business Unit IAM, Atos IT Solutions and Services GmbH
April 19, 2012 8:30
Ralf Knöringer, Manager Business Unit IAM, Atos IT Solutions and Services GmbH
April 19, 2012 8:30
This morning, we're delighted to have three keynotes to set the tone for the day. And I'm very pleased to introduce our first presenter who is Ralph ER, manager of the business unit IAM at Atos. His title is a somewhat briefer and more focused one than the one in the program. Service oriented IAM enables agile and compliant cloud adoption. And we look forward very much to his presentation. Thank you very much. That is the clicker. Okay. And I'll give you a shout about five minutes before the time. Okay. Thank you. So thank you very much for everybody who made it. It's this hour.
I really, in the morning I was asking myself if we shouldn't made the round table out of it's the first step, but I think now it's filling up a little bit. So I hope you all the wife to ping party yesterday. And it's a pleasure for me to give you a short introduction into today. My name is Neringa. It's not made for globalization, this name. So it's always difficult on the international stage. Yeah. My shorter title is about bringing identity management into the enterprise, into the cloud.
And it's more about what can we do to make identity management more ready for the challenges which are before us. First of all, if we see that today out of the internet usage, a relevant group of the people under 40, which I'm not in is using social media to a very high level. We will see that CS will change the way people work also in private and in business and how they use and communicate and chair information. So this will definitely have effects on all our work, wherever we are, at least if we are in companies which have a valuable asset, which is information.
So other things we talked about this yesterday in a lot of the sessions, our own device, bring your own device. What should you do about it? A no do attitude will not work. So people who want to, to bring their mobile devices into work and who are used to share information through, let's say cloud based services, they will expect to get a service level comparable in the enterprise. And what does it mean for us now, for us, it means that we have to embrace this new technologies and find a way to get our new employees on board, to help them work with this new media.
And that's the value for us as enterprise. We are able to share ideas with the brightest people inside and outside of the enterprise. And in the end in the global competition, we only can win if we choose so brightest people and the brightest ideas. The second trend of course is cloud itself. There are cloud experience by private users. If you have a device from a big company, we all know you are offered cloud services to share your music, to share your photos, to share whatever you want. And this cloud experience doesn't stop at S firewall of the enterprise.
It comes down to the workplace and in the workplace, we have some situation that decisions for enterprise applications quite often are made based on financial facts. So a lot of enterprises are looking to go to the cloud selectively to select quick wins, where they go to a hybrid environment.
Now, No matter if you are in a hybrid environment, in a full cloud environment or in the middle, the compliance regulations and the whole restraints of the enterprise remains the same. That means that companies and enterprises have to provide the same level of trust, the same level of investment into regulatory compliance enterprise on premise into hybrid cloud and in the cloud service arena. Therefore the initial way of working, which we see quite often in every transition of technology that we use selective services and do it, yeah, let's say manually.
So a cloud service will be implemented from outside and users will be provisioned on a more manual way, but this stops as soon as a number of active users reach a level which makes automation and managed user and role management necessity. And at least at this time identity and access management comes into play. And for a real cloud hybrid environment, you need automated provisioning and singles on, on A search trend we heard about is about availability of E I D solutions. A lot of nations countries, organizations invest in the E I D space.
So we see E I D solutions coming up in a lot of European countries and all across the world. Now the availability of strong authentication talking of course gives totally new opportunities to the way businesses to government or government, to, to citizens interact and communicate and together with the cloud technology in the single that on technology from Federation, this opens up totally new ways of authentication and authorization. And we've heard yesterday very brilliant presentation from Denmark showing how hub based services can work.
Our customer Swisscom will in the afternoon present the be practice on using Swiss ID card together with externalized authorization service to provide a claim based access control. Now bringing all this together.
Of course, we know that these companies who are most successful are normally innovators, and when they are innovators, they have to accept risk. They are risk takers and they normally embrace new technologies where they think that makes sense, and they need to employ the best people which are on the market. But on the other side, bringing new technology in without the needed compliance and restraints and technologies can, yeah, can have negative impact on the most valuable asset. We all have trust. No company can survive in the global market without trust.
So our goal is to transform, to help this companies, to transform the risks they take into value without damaging or endangering their core businesses. So all this new colorful things we should use, we should embrace, but we should be able to do this in a control manner. So as everything is about risk, first of all, we have to understand what risk is and therefore large corporations, large enterprises for a long time now have invested in analysis according to, to ISO standards.
Whereas they really get a good picture, whereas the financial controls, whereas the technical controls, what can they do to prevent a too high risk to occur in the business processes? And if done, probably out of this risk assessment, we have a very good understanding what we should do on the side of technical architecture, it security and risk management, and then comes when the architecture is done, then comes selection of tools, implementation tasks, okay. We have a way, a broad range of security product and tools.
And normally I would say identity and access management is a mature technology because I'm in identity management. Now, since the word was invented, I think more than 15 years, and it's quite mature, we have a lot of tools.
They, they have wonderful functionalities and a lot of features, but still sometimes we don't achieve the goals. Why is it now, first of all, I think quite often we see identity and access management as a Swiss knife of it. That means it has so many possibilities that so many features, so many controls that it's nearly Fitting to every use case we can imagine and come up with now cloud of course is challenging this in some aspects, but still, I think we have a lot of technology away.
The problem is That in this rich functionality and this flexibility mode, we in the project implementation see quite often that for project specific implementations, there comes out enormous complexity, which can be based on, on customer specific requirements. But quite often simply is the case because we, we see all these possibilities and we want to use it. And it architects are in this business because they are architects. They love to do complex things, not easy things.
So the goal in the beginning was to make our life easier to have a tool set, which helps us and us means it administrator it stuff, but also management and normal users to get the information, access to the resources in need and time. But the big question still arrives. How do we solve this? How do we avoid this trap?
Now, my belief is the only chance to go out of this situation is standardization and service orientation standardization. This is maybe not the best example, but standardization can help to let's say at least reduce the level of possible complexity. And on the other hand, service orientation is key because whatever we will deliver in the cloud will be based as a service. Now we had also a lot of talks about technology standards. Why didn't technology help us so much?
Why, why are the standards not solving our key problem? We had discussion about SPM L SPM L was a great thing when it was invented. And I was really hoping that this would solve a lot of standardization issues at a target system integration point, but we haven't seen a lot of broad implementation of the standard. And like every standard, the level of implementation is the level of success and the value for the customer and the vendors and everybody involved in the ecosystem. So the next level was very low. It was on the data access standard L up.
So still today, a lot of implementation in the enterprise base based on L up on the central L up service to make central authentication and authorization information available to every part and every application of enterprise in general, this is a perfect solution, but having a single point where all this information sits is of course also putting a tremendous, let's say danger on the excess control of the system.
So when you choose to implement such a solution, you have to have a very solely sought and implemented access control on the service with upcoming pro web service protocols, SAMO, we have seen now a broad implementation of Z single and on for cross domain authentication. And this is very successful. That's a real step into the direct in the direction in the cloud integration space, but still what it's missing is provisioning.
Yeah, we have today not ideal model to provision users in the cloud to move them around, to bring them as fast. And in real time is the only thing which is fast enough from one cloud service to the other, or deprovision term, if it's not necessary anymore. So now skim is upcoming, and I hope in a belief, I'm always a positive person that skim will offer new opportunities to standardize all those way of provisioning for on premise and cloud services.
Now, when technology is not the answer, what can be the answer? Now, I think we have to take a holistic view in the beginning of designing and implementing iron solutions. So first view should be the user-centric view. And at least in the, in the past, quite often, this view was the last one to be really implemented. And this was a big mistake in a lot of projects and where, where management didn't see the value and the most important factor of IM project management, commitment and support was quite often lost.
So user centric approach shows you and I come to this in a minute that you can have, let's say a 90% chance of selecting the same user services for nearly every M implementation. And if you do this right, you have a big chance of standardization in this part, access security.
If you, we see all the aspects of cloud, bring your own device and E I D, and what, what brings the future? We don't know. We have to define access security in a different matter. It's not about parameters anymore. It's not about a static definition of access security. We have to come up with something more innovative, more intelligent, and for the service management part, as that's, from my point of view, the most important driver, we have to define same service level agreements, across all aspects of security services and across all platforms, processes, and solutions.
Now, I I'm choosing the picture of the magic cube because you have so unlimited possibilities to turn it around and, and come up with different patterns. But in the end, there are only a few colors in it, which always come up again. And the same appears to me from hundreds of IM implementation. I've seen you, you see in a different yeah, colors and you see it in different patterns, but in the end you have a pattern of services which really are delivered and have to be delivered to the user.
First of all, of course, request an approval of entitlements roles, access rights, CIS normally is done by our Porwal or now increasingly through mobile access. And you have a lot of safe services, which really nearly every project demands like password research, reactivation of users, changing of own data control about the process. When you want to, to, to, to request the approval, you want to know who is the guy who wants to, who has to approve it. And if after two days, approval is not true. You want to know what's the status is all.
This is nearly, let's say, I would say more than 90% of the project. I've seen request this functionality. And the same is true for the more advanced users for the auditors, for the administrators, they need adaptation reation services.
They read, they need tools to monitor, to audit, to report. Of course, we all know that the way and the form of the reports can differ dramatically, but in general, it has always to answer the questions who had access to what information at what time and based on what decision made by what person's roles or organizations. So also in this area, I believe that we have a chance to come up with a standard model of implementation now, access security in the cloud. I hope nobody of us will face the situation when we are on heavens gate, because I can't remember my password. Anyhow.
So in the end, passwords are still the main, yeah. The main method of authentication in the enterprise still. And we have to come up definitely now out of the silo and we have to come up with something more intelligence, more flexible.
And yeah, it has to be a combination of different methods. It has a com be a combination of access control, which is dynamically designed with a multifactor authentication, which in the end answers the question. What is the level of access I have based on the questions where I am, what role do I have, of course, but also do I have a mobile device in my, I am in a enterprise network, I'm in the internet. Do I have access on Sunday or on working day I in the office environment or not all this will come together to create the success control model.
And today we have some means, but we don't have the services implemented to really makes this easy and easy to implement. If you look at the cloud security model, this is by the way, is a cloud security model of which is based for our cloud security consulting. When you reach through the bullet points, which is a little bit small here, it's a good thing is everybody who is not in cloud will see the same topics coming up, which we know from on-premise security. Anyhow. So it's not totally new, but what is cloud bringing to the game is that cloud is helping standardization.
Every application, which has the right to be called the cloud application or cloud service is normally designed to work as a service, which is standardized can be virtualized, can be flexible and is designed in a way that it can be now used across all applications way and across the whole enterprise. And this of course has to be true for all security services. We design for the cloud.
And this, from my point of view, brings a real push into the direction of implementation of cloud standardized security services. And especially also for the IM part in identity and access management. One of the biggest obstacles we have seen is that when at the implementation time, people have to decide about what, yeah, what kind of implementations they choose. They quite often look at a phase model. And this phase model normally is defined about the biggest quick wins or compliance issues or whatever. And of course, this leads quite often to a very specialized implementation.
This not necessarily as bad, but in the architecture of you, there are basic services which have to be defined in a way that they serve all these specialized implementations. One example for this is so solution at Siemens ag, by the way, that's got an award yesterday and say, if you're interested this afternoon will be a session where this best practice will be presented thoroughly. But let me put, say attention on two points. One of the points are that Siemens ag is international enterprise with more than 400,000 employees across more than 150 countries.
And you can't make an identity management system work in such an global player, which is, let's say build monolithic. You need to have a hierarchical, modular structure where you have some services provided for the whole enterprise real service based security services. And you have some services which really serves the business needs of some business owners. In this case, the business owner was a global HR and global HR is one of the most critical areas in it where you have privacy, you have data security issues, you have compliance issues and all this stuff.
And if we would have implemented this without existing services in place, the costs and the implementation time of the project would have doubled or, or dribbled, I think, but what we had in place already was a strong authentication service based on PKI. We had already in place identity life cycle service for all employees of Siemens. So what we could do is we could plug in an authorization service for all HR departments and all HR processes based on the way services and this reduced of course, implementations, this reduced complexity.
And on the way of implementation, we, we had a, a good view on what is possible if you have a modular approach. And one of the interesting things here was that also the compliance and compliance, which was necessary to, to be proven throughout the process was quite easy to be achieved because the other central services are already accepted and controlled Five minutes. Thank you. I make it. But identity and access management alone will not complete the picture.
Of course, what we need is also a kind of control monitoring service, what we all know under sea or other, other acronyms. So, but also this quite often is implemented as a project. I don't know if you know, is since 10 years the partner for it, security of Olympic games. So this is one also most high profile hacker targets worldwide and out of CIS, there was a development for a high performance security service, and this service was not broken down to be offered as a service to enterprise customers.
Because what we see is that's a complexity of security environment today is putting high pressure on another area of security and enterprise, the hiring of competent people. It's quite hard, maybe not for the global players, but for mid-size companies to come up with a level of experience and, and, and knowledge to cover all areas of it. Security.
So what's, they really look for is a managed service, which helps them to act and react on incidents when they occur and set in real time. And I believe that managed identity services managed security services for incident management forensics will be more popular in the time to come because the complexity from the outside world will not be able to be managed by most enterprises by the themselves. Now to summarize this life will not get easier in it security.
So we will see more challenges to come, and we will see that identity and access management is on a critical pass In the let's say in the parameters of the enterprise up to now identity and access management has a very clear orchestrating role. Now I see that identity and access management has to interact with identity and access management systems outside the enterprise. We have to come up with different interpretations of identity, private and business, and this will push implementations of new technology also in our area.
On the other side, the good news is that bringing identity and access management into the cloud helps to standardize identity and access management in all areas of the application of in-premise on-premise to the cloud for the cloud or in the cloud, and to achieve real value. This was a discussion yesterday to achieve real value. I believe that we have to bring together all aspects of security and risk management and identity management then has a chance to be delivered as a standardized service and create big value wherever the enterprise is needed.
Thank you for your attention at this early time. And I see the room has filled a little bit more and as discussed, we have the opportunity for you to these, the two examples I mentioned this afternoon, so Swisscom will have a presentation, but it's not Mr. VICA. That's the old version. It's Mr.
Cara, who is doing the presentation and the compliance identity management for HR and is presented by Ms. ER and Mr. Shafer in the afternoon. Thank you very much. Thank You very much.
