Evidian. Shared IAM Solutions


Shared Identity and Access Management solution

An adaptive approach to Identity and Access Management

Digital Transformation is one of the main drivers of innovation. In the age of collaborative working and hyper-mobility, Identity and Access Management (IAM) solutions provide secure access to company applications and resources from any location and on any device.

The digital challenge is crucial for organizations that want to modernize their infrastructure and rationalize their costs. This modernization means choosing innovative solutions and redesigning operating modes, both of which are complementary. For large groups and public institutions alike, one of the main vectors of innovation is the pooling of resources and the harmonization of business processes. Sharing Identity Management requires software suitable for the implementation of processes and functions that are common to several entities.

While «As-a-Service» is becoming a new standard in Digital Transformation, this deployment mode can also reveal the limits of certain structures with their own operating modes. Organizations can avoid the pitfall of imposed choices by opting for service modes that directly meet their business needs. As an IAM solutions provider, Evidian offers dedicated deployment modes so that its clients' freedom of innovation can be matched with their growth ambitions.

Trusted partner for your Digital Journey

Adaptable Solutions

Increasingly demanding environments are leading to profound changes for companies. Digital transformation projects aim to meet these new requirements in terms of performance and regulation. Among the strongest dynamics of change, infrastructure modernization and cost rationalization often lead to shared solutions: pooling of resources and harmonization of information systems within the same organization. For Identity and Access Management, an implementation issue arises: what is the right approach to implementing a shared IAM solution?

Everything-as-a-Service

The trend in digital transformation is the shift from on-site hosted solutions to outsourced, configurable, and shared resources and services, more commonly referred to as Cloud or SaaS (Software as a Service) solutions. The Cloud follows the principle of pooling of resources. Ideally, shared resources can optimize acquisition and ownership costs and improve processes, and should result in economies of scale.

Despite the advantages of Cloud solutions, market experience and mixed client feedback indicate that for some organizations the choice is still to be made, for several reasons:

While the choice of an IAM Cloud solution appears to promise flexibility and cost control through operating expenditure (OPEX), this can be reversed as the client's needs and business evolve. An unsuitable Cloud model will always be more expensive in the long term than a customized on-premise solution (hosted locally).

Some groups already have the infrastructure and expertise and prefer to keep control of their system for reasons of sovereignty, reliability, and also availability (the lack of service level agreements (SLAs) with Cloud service providers remains a barrier to the adoption of certain solutions).

Heterogeneous Structures

Faced with these problems of adopting Cloud solutions, on-premise solutions (hosted locally) remain an alternative for large groups. However, this choice leads to other constraints. The smallest entities in the group often do not have the critical size to support IAM projects, due to a lack of human, technical, and financial resources. Depending on financing practices, small business entities must rely on their own capital to finance their management tools. On-premise solutions may be too expensive to purchase and maintain. In addition, the implementation of a local solution in each entity would hold back the harmonization of management processes and the application of a common security policy for the entire group. A shared IAM approach is a complex project that requires a dedicated deployment model.

Shared IAM Solutions

Combine the security and control of an on-premise solution with the adaptive approach and scalability of the Cloud.

According to NIST*, a Private Cloud is a Cloud infrastructure for the exclusive use of an organization with multiple clients (business units). The solution can be hosted, managed, and operated by the organization (central administration), a third party (outsourced administration), or a combination of both (transverse). A shared IAM solution is therefore a Private Cloud in which the main entity hosts the resources, is responsible for the security policy, and selects the on-premise solution. It acts as a hosting platform for all other entities of the organization.

A shared solution can be hosted in the organization or by an external service provider. Indeed, the service modes are also the vectors of innovation in Digital Transformation. For clients who increasingly wish to outsource their non-core activities to focus on their core business, the adoption of managed service solutions is growing. According to Gartner**, service-based solutions (hosted and managed) have been increasing since 2017, and IAM as a Service will predominate by

Advantages

Feasibility: First and foremost, the solution allows subsidiaries that have not reached the critical size to benefit from an IAM solution.

Security: Whether the system is hosted on site or remotely, the organization retains control of its system, making the solution easier to secure.

Harmonization: The solution improves and standardizes the Group's security policy and processes, while respecting the specific functions of each subsidiary.

Economies of Scale: The model optimizes implementation and operating costs (25% savings compared to unit solutions).

Challenges

A shared IAM solution may be the ideal choice, if specific challenges are considered.

Customization will give functional flexibility to the organization. It can be achieved in two ways: through the functional flexibility of the solution (standard customization) or through specific developments (specific customization). Adoption by subsidiaries will depend on the solution's level of customization. The higher the cost, the more willing the subsidiaries will be to adopt the solution.

Technical Debt: The higher the level of specific (non-standard) customization, the more difficult it will be to maintain the shared solution. The ideal IAM solution will allow each subsidiary to be independent, while remaining within product standards, to ensure that the solution can be maintained.

* National Institute of Standards and Technology, U.S. Department of Commerce: The NIST Definition of Cloud Computing, Peter Mell, Timothy Grance, 09/2011
** Gartner Magic Quadrant 2018 for Identity Governance & Administration, Kevin Kampman, Brian Iverson, 02/

Choosing a shared IAM solution

A shared solution sets up processes and functions common to several entities. While the reasons for deploying an IAM solution are clear, the choice of a shared IAM comes from needs that are directly related to the structure of the organizations.

Decompartmentalizing Identities

In a group, identities are often managed by structure (countries, subsidiaries, hospitals, etc.). The development of organizations leads to the creation of diverse data silos and many barriers:

Growth barriers: differences between subsidiaries' processes due to takeovers, consolidation, etc.
Structural barriers: different sectors of activity, different professions, different entities.
Political barriers: no sharing of information between businesses, specific security policy.

When the barriers are not only digital but also physical, a shared IAM solution targets entity silos and decompartmentalizes identity management by creating a single repository for all institutions. Access to data and applications, both in the Cloud and on-premise, is achieved through a single solution. Sharing brings value by decompartmentalizing identity management in the group, and then harmonizing management policies and business processes.

Harmonization of Business Processes

A shared IAM acts as a true vector of business value. The harmonization of management processes is made possible by the administration of a single solution delegated to the administrators in each group entity. With the implementation of a single IAM solution, subsidiaries can share simple and intuitive business processes. Sharing an IAM solution is also a way for the central entity of a group to impose common processes in all its subsidiaries. The solution will guarantee sharing and will be at the service of business developments: for example, changes to the role structure automatically applied to all entities, or an application accessible from any workstation. Mobility solutions (SSO, strong authentication) will maximize the user experience with a high level of service in security and resource accessibility.

Cost Rationalization

Above all, behind the shared solution lies a desire to rationalize infrastructure costs. The central organization purchases a single license for a solution that is locally hosted and managed. Capital expenditure (CAPEX) can be shared between entities or centralized, and operating expenditure (OPEX) is optimized.

Shared IAM: Specific Challenges

A shared IAM solution can be the ideal choice of service provided that the risks inherent in the project are properly analyzed. In some cases, projects may fail or poorly designed IAM solutions may not provide the expected operational efficiency. In a shared IAM project, the complexity of implementation increases according to the functional needs and the number of entities to be included in the future system. There are two major risks that are co-dependent and specifically related to shared systems:

Adoption by the United Entities

Acceptance by the united entities will depend on the level of customization (functional autonomy) that the solution gives them. Whatever level of freedom they have, it will be necessary to include support and a change management program in the project to train users in the new business processes.

Often the multiplicity of entities to be integrated can result in a great deal of complexity. There is a high number of stakeholders in a shared system project, and this will generate risks, especially if the product vision is not shared. Shared IAM projects involve entities that differ in their internal policies and business processes. The stakeholders may speak different languages and come from different cultures, and they may not design an IT project in the same way. This means project teams must be stabilized as far as possible and the functionalities to be developed must be defined together. As with most IT projects, it is necessary to manage a phase of change, particularly when the desire to unify business processes at group level requires changes to the uses and tools of certain entities.

Depending on the client's requirements, the solution designer may allow the united entities to configure part of the solution, which will be administered locally. On the other hand, the central entity that seeks to control the group's processes may impose very limited freedom on its subsidiaries.

Technical Debt

According to W. Cunningham's definition*, technical debt results from a poorly controlled software design that will degrade the overall quality of a solution. Originally used in IT development, technical debt is the result of an inconsistent design and will lead to problems with corrective maintenance (bugs) and progressive maintenance (maintaining functionality) in a solution. The client will have to pay fees, comparable to interest, to be able to use the solution.

Applied to shared IAM solutions, technical debt is directly linked to the level of customization of the solution for local entities: specific workflows per subsidiary, interfaces, dedicated functionalities, etc. A development that is too specific will be a challenge to central/delegated administration and standardization. Avoiding technical debt requires careful consideration of needs to define the functional scope and the level of freedom granted to the different entities.

Functional Scope

This type of project goes beyond the simple issues of security, compliance, and cost rationalization. The client will be able to implement new governance models by extending the functional coverage of the IAM to other entities. Sharing means the IS can be aligned with the group's strategy to meet internal and external requirements. The level of freedom per subsidiary and the level of sharing of the solution must be precisely defined. The scope of configuration can range from simple shared machines and software to a fully configured IAM solution with strict governance and unique processes. Functional distinctions between subsidiaries and the degree of customization granted impact the identity lifecycle, the application lifecycle, the authorization lifecycle, and the administration function.

* The WyCash Portfolio Management System, Ward Cunningham, March 26, 1992, OOPSLA 92 Experience Report
** Gartner: Measure and Manage Your IT Debt, Andy Kyte, August 9,

Consolidation checklist

Software publishers must therefore be perfectly aligned with the needs of their client for the projects to succeed. Evidian has developed a specific quality process for shared IAM projects in the form of a questionnaire: the consolidation checklist. Several functional layers must be considered to take into account the primary needs and allow the transversality, harmonization, and industrialization of processes through the IAM security model.

Functional Scope
Functional Expectations
Physical Architecture
Identity Lifecycle
Application Lifecycle
Lifecycle of Assignment of Rights
Administration and Delegation Function

Functional Scope

Functional Expectations

Understanding the nature of the relationship between the entities to be included is important in identifying the functional scope.

Do the entities share an umbrella administrative structure (parent company, holding company, etc.)?
Is there a competitive dynamic between entities (e.g. economic interest groups)?
Should entities have strong security isolation?
Can users from one entity migrate from one structure to another (while keeping their identities, e.g. transfer between subsidiaries)?
Can entities be merged or split (merger/acquisition)?

There may be requirements for service and administrative delegations between the entities to be united:

Are the entities bound by a contract, agreement or mutual service delegation (user of entity A accessing the resources of entity B)?
Is there any delegation of administration between entities (entity A administers entity B)?

Physical Architecture

The distribution of resources between the central facility and the entities sharing the solution (central applications in the data center vs. local applications) is a crucial issue. The definition of an appropriate architecture must be considered from the point of view of security, quality of service, and applicable local legislation if it differs (e.g. shared solutions in different countries). Data hosting and localization are also subject to SLA constraints.

Identity Lifecycle

In the context of identity lifecycle analysis, different communities of practice must be considered by taking into account the functional differences between the entities to be united.

Is the category-based inventory of target communities available?
Are there harmonized procedures for management scopes (e.g. internal, external, trainee, etc.)?
Can the movement management dynamics be harmonized (e.g. outsourced HR, different stakeholders but identical process)?
Can identity models also be shared between entities?
Is the number of stakeholders in a workflow (arrival, modification, departure) homogeneous?

Lifecycle of Applications

The applications can be located at different levels:

The local application level, at the discretion of the structure (country, subsidiary or geographical area).
The central application level, applicable to all united structures.
The transverse application level: the application of a united structure made available to all or part of its peers.

Lifecycle of Assignment of Rights

The lifecycle of rights issuance is generally provided by automatic rules from the security policy and/or manual requests through the user portal.

Is the issuance of exceptional rights determined at local, central or transverse level?
Is there a local definition of the security policy?
Is there a central definition of the security policy?
Is there a transverse definition of the security policy?
In each of these cases, can a structure be identified as the controller, or is the responsibility distributed?

Administration Function

Delegated Administration

In a shared solution project, three levels of administration must be considered:

Technical administration: the IAM platform.
Operational administration: creation of roles and resources, connectors, definition of security policy, implementation of automated assignment rules.
Functional administration: who requests and approves the access rights and identities.

Depending on the level of administration to be delegated in each subsidiary and the needs in terms of isolation and segregation between them, several possible architecture choices must be defined. A technical administration level is defined centrally with different levels of administration delegated locally. Depending on how flexible the solution is, some features are only available to the central administrator (for example, changing the server configuration file when adding a connector). To take local needs into account, internal logistical and operational administration procedures must be established (e.g. ticketing tools, sending files in specific formats, etc.) to coordinate local requests and central administration.
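To make the three application levels and the three administration levels above concrete, here is a small policy model. It is an added example written for this page, not Evidian's software or any product API; the entity and application names (holding, sub_a, sub_b, sub_c, group-portal, payroll-a, shared-crm) are constructed. It encodes local / central / transverse application scope, the rule that technical administration stays with the central entity while operational and functional administration is delegated explicitly, and a strong-isolation flag answering the checklist question on security isolation between entities: an isolated entity never consumes a peer's transverse application and never takes part in cross-entity delegation.

```python
"""Toy policy model for a shared (multi-entity) IAM deployment.

Added illustration, not Evidian code. Entity and application names below
are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    LOCAL = "local"            # used by the owning structure only
    CENTRAL = "central"        # published by the central entity to every structure
    TRANSVERSE = "transverse"  # published by one structure to some of its peers


class AdminLevel(Enum):
    FUNCTIONAL = 1   # requesting and approving rights and identities
    OPERATIONAL = 2  # roles, resources, connectors, security policy, assignment rules
    TECHNICAL = 3    # the IAM platform itself; never delegated in this model


@dataclass(frozen=True)
class Application:
    name: str
    owner: str                       # entity that publishes the application
    scope: Scope
    peers: frozenset = frozenset()   # target entities when scope is TRANSVERSE


@dataclass(frozen=True)
class Delegation:
    admin_entity: str    # entity whose administrators act
    target_entity: str   # entity being administered
    level: AdminLevel    # highest level granted; lower levels are implied


class SharedIamPolicy:
    """The central entity hosts the platform; other entities get delegated rights."""

    def __init__(self, central, entities, isolated=()):
        self.central = central
        self.entities = set(entities) | {central}
        self.isolated = set(isolated)   # entities that require strong isolation
        self.applications = {}
        self.delegations = []

    def register(self, app):
        if app.owner not in self.entities:
            raise ValueError(f"unknown owner {app.owner}")
        if app.scope is Scope.CENTRAL and app.owner != self.central:
            raise ValueError("central applications are published by the central entity")
        if app.scope is Scope.TRANSVERSE:
            if not app.peers or not app.peers <= self.entities:
                raise ValueError("transverse application needs known peer entities")
            if app.peers & self.isolated:
                raise ValueError("an isolated entity cannot consume a peer's application")
        self.applications[app.name] = app

    def delegate(self, d):
        if d.level is AdminLevel.TECHNICAL:
            raise ValueError("technical administration stays with the central entity")
        if {d.admin_entity, d.target_entity} - self.entities:
            raise ValueError("delegation between unknown entities")
        if d.admin_entity != d.target_entity and (
            {d.admin_entity, d.target_entity} & self.isolated
        ):
            raise ValueError("no cross-entity delegation involving an isolated entity")
        self.delegations.append(d)

    def visible_applications(self, entity):
        """Names of the applications an entity's users may be given access to."""
        out = set()
        for app in self.applications.values():
            if app.scope is Scope.CENTRAL or app.owner == entity:
                out.add(app.name)
            elif app.scope is Scope.TRANSVERSE and entity in app.peers:
                out.add(app.name)
        return out

    def can_administer(self, admin_entity, target_entity, level):
        if admin_entity == self.central:
            return True                       # central administrator: all levels
        if level is AdminLevel.TECHNICAL:
            return False                      # never available to a subsidiary
        return any(
            d.admin_entity == admin_entity
            and d.target_entity == target_entity
            and d.level.value >= level.value
            for d in self.delegations
        )


def rejected(action):
    """True if the policy refuses the action (raises ValueError)."""
    try:
        action()
    except ValueError:
        return True
    return False


def demo():
    """Constructed sample: a holding with three subsidiaries, sub_c isolated."""
    p = SharedIamPolicy("holding", ["sub_a", "sub_b", "sub_c"], isolated=["sub_c"])
    p.register(Application("group-portal", "holding", Scope.CENTRAL))
    p.register(Application("payroll-a", "sub_a", Scope.LOCAL))
    p.register(Application("shared-crm", "sub_a", Scope.TRANSVERSE, frozenset({"sub_b"})))
    p.delegate(Delegation("sub_a", "sub_a", AdminLevel.OPERATIONAL))  # self-administration
    p.delegate(Delegation("sub_a", "sub_b", AdminLevel.FUNCTIONAL))   # A approves for B
    return p


if __name__ == "__main__":
    policy = demo()
    for e in sorted(policy.entities):
        print(e, sorted(policy.visible_applications(e)))
    print(policy.can_administer("sub_a", "sub_b", AdminLevel.OPERATIONAL))
```

The design choice worth noting is that a subsidiary has no administrative rights at all until the central entity records a delegation, even over itself; this mirrors the page's point that the technical level is defined centrally and the other levels are delegated locally, and it makes the answers to the checklist questions (who defines policy, who is the controller, which entities are isolated) explicit data rather than implicit behaviour.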

Use Cases

(Re)thinking IAM for Regional Hospital Groups (GHT)

In France, the law that modernized the health system led to the creation of Regional Hospital Groups (GHT). This transformation involved reflection on new forms of governance based on the sharing of resources. Convergence between information systems and the harmonization of processes between institutions would be impossible without the implementation of shared IAM solutions that allow:

Mobility between institutions
The shared IAM solution makes it easy to consolidate the various existing sources of identity in a non-intrusive way, thus respecting the management autonomy of each institution, to constitute a common repository including all persons accessing the IS. This allows the definition of a unique identifier for the entire GHT, thus allowing mobility between institutions.

Universal governance, administration, and trackability
Applications can be administered at a universal level for all GHT institutions and/or in each institution locally. The applications administered by one institution can also be made available to another institution.

A unique login for all applications
The IAM allows doctors to access patient information from their offices in complete security. It also allows staff to log in on the move, close to the hospital bed.

Adapting the IAM to the Complex Structures of Large Groups

Today, organizational structures can be very complex. Large groups are often split up into heterogeneous subsidiaries, according to their size and operating methods. To optimize costs and meet security needs, organizations seek to extend governance capabilities while aligning processes across the group. A shared IAM solution is particularly suitable for this use case and allows:

Wider availability of the IAM
In large groups, smaller subsidiaries often do not have the critical size to support IAM projects on their own. Sharing is the only response to the lack of human, technical, and financial resources that are the first obstacles to the deployment of this type of solution.

Process standardization
Following the logic of standardization and respect for internal policies, large groups often seek to implement a common solution with standard functionalities.

Different levels of autonomy
The central administrator can empower the subsidiaries through delegated administration. The shared solution meets the need for autonomy of the subsidiaries by allowing them to establish their own governance policies without going beyond the standard functionality of the solution (maintainability).

Conclusion

A shared Identity Management project requires strong governance and the full commitment of the stakeholders in each entity. The execution capacity of the teams must be optimal to properly define the functional scope and support change in the various structures. This IAM deployment model is not new, but its innovation lies in its flexible approach in a market where SaaS solutions are becoming more and more comprehensive. A shared IAM solution provides an answer where fully outsourced solutions are inadequate, offering security and control while maintaining the adaptive approach and scalability of the Cloud.

As a major stakeholder in the IAM sector, Evidian supports this choice and is committed to offering increasingly innovative solutions and service methods specific to the problems of extended companies. We preserve our clients' environments by ensuring that their business needs are covered as a priority, to create the foundations for a successful Digital Transformation.

White paper

About Atos

Atos is a global leader in digital transformation with 120,000 employees in 73 countries and annual revenue of 13 billion. European number one in Cloud, Cybersecurity and High-Performance Computing, the Group provides end-to-end Orchestrated Hybrid Cloud, Big Data, Business Applications and Digital Workplace solutions through its Digital Transformation Factory, as well as transactional services through Worldline, the European leader in the payment industry. With its cutting-edge technologies and industry knowledge, Atos supports the digital transformation of its clients across all business sectors. The Group is the Worldwide Information Technology Partner for the Olympic & Paralympic Games and operates under the brands Atos, Atos Syntel, Unify and Worldline. Atos is listed on the CAC40 Paris stock index.

Find out more about us: atos.net

Let's start a discussion together

CT_J1596_181107_RY_WP_SHAREDIAMSO

All trademarks are the property of their respective owners. Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensworldline, Unify, Worldline and Zero are registered trademarks of the Atos group. Atos reserves the right to modify this document at any time without notice. Some offerings or parts of offerings described in this document may not be available locally. Please contact your local Atos office for information regarding the offerings available in your country. This document does not represent a contractual commitment.

November Atos