INFORMATION SECURITY FOR ACCESS PROVISIONING: THE BOEING COMPANY

T-BONE & TONIC: ALY BOGHANI, JOAN OLIVER, MIKE PATRICK, AMOL POTDAR

June 6, 2009

T-Bone & Tonic

What is Access Provisioning?

Provisioning: To create and maintain a subject's digital identity, accounts, credentials, and entitlements in response to automated or interactive business processes.

Identity: A BEMSID (employee ID) and all related employee information

Account: A Windows account for Jane Smith, Web Single Sign On (WSSO)

Credentials: Biometric identifier(s), Windows password, Z-Token

Entitlement: Access to REDARS, a Boeing badge, access to newScale

Recap of Problem

[Diagram: map of the existing Boeing access provisioning systems and targets (EPSS, CED, EPDW, HRMS, CARATS, EAP, NBR, VSGATE, RADIUS, NBAR, SSA, DCAMS, CLAMS, ECARFMS, EEPPI, SEQUENT, TEAMS, APPREG, Policies, ATMA, BART, RSS, Boeing Apps, UNIX (USA-NIS), NOFRT, ACF2, ACF2 SUITE, MARS, AA, MAD/eAD, EAF/SAPM, GGM, PLGM, WART, OARS, AD, EDS, VRA AAA, RACF, ALF, AIM, ICS, RACFQRY, RACF PHILLY, Exchange, UNIX (STL), Access To RP, COGNOS, UIDR, SSLVPN-FM, SSLVPN, SSGRP Domain Tool, SSGRP, CATIA SUITE, STAR, D1SDMARS (MESA), BLU/RAD, STAC, CSPR3), with retirement dates where applicable (EAP 7/21/2008, NBR 7/11/08). Legend: Partial System Retirement, Full System Retirement, Potential System Retirement, Systems outside Information Security, Retired mm/dd/yy]

Goal

End Users: End users focus on access to target systems like Windows, REDARS, etc. They don't focus on what accounts they need to access Windows.

Technologists: Technologists focus on the accounts and permissions end users need to access Windows, etc.

Common Ground: The goal of provisioning is to help Sally obtain access to REDARS, etc.

[Diagram: Sally "Is A" (identity) "With Access To" REDARS, etc., "Using the Following Account(s)"; newScale]

Why now?

• Boeing is a very large corporation
– Processes antiquated and inefficient
– If solution is not known, slow, or does not meet requirements, new solutions are implemented

• No centralized, enterprise-wide security organization until recently
– Information Security group
– Security priorities: Access Provisioning

Solution

[Diagram: the system map from the "Recap of Problem" slide collapsed onto the Boeing Enterprise Provisioning Tool (BEPT), Component Level View. BEPT components: Warehouse; Interfaces; Administration GUI; Self Service GUI; Reporting and Metrics; Audit / Reconciliation; Workflow Repository; Dispatching; Auto-Request Submittal; Connectors to Applications & Databases, Directories, Operating Systems, and Gateways and VPNs. Export: People, Devices, Apps, Policies, Contracts. Users: Managers, Auditors, etc.; End Users, Focals, etc.; Solution Operator; Customized GUIs (e.g. AA) or external federated Provisioning Systems. Targets: Database Env., Vendor Apps, Boeing Apps, VSGATE, RADIUS, ACF2, AD, EDS, RACF, Access To RP, UNIX (USA-NIS), SSLVPN, SSGRP]

Solution

• Boeing has selected and purchased a COTS-based provisioning solution
– Conducted an RFP and proof of concept in 2007
– Selected Oracle Identity Manager (OIM)
– Purchased product in January 2008

• Established the Enterprise Provisioning Program
– Establish and implement an enterprise-wide common process for identity and access management
– Implement a common tool (OIM) that is intuitive to end users
– Retire existing provisioning tools and systems

Oracle Identity Manager Overview

Oracle Identity Manager (OIM)

• Self Service and Delegated Administration
– User configurable proxy

• Workflow and Policy
– Workflow management
– Transaction integrity

• Password Management
– Self-service password changes

• Audit and Compliance Management
– Comprehensive historical reporting

• Integration Solutions

OIM Details

OIM Connectors and Compatibility

– Connectors
• Oracle E-Business Suite
• PeopleSoft
• Siebel
• JD Edwards Enterprise One
• SunONE
• Microsoft AD & Exchange
• SAP

– Compatibility
• Remote Manager acts as a wrapper for legacy applications

Technology Benefits

• One System
– Reduced personnel to maintain
– Reduced maintenance costs

• Can plan a phased implementation
• Cleaner audit controls

Expected Results

• Realized business case
• Reduced cycle time by 75%*
• Improved non-Boeing and Boeing access processes
• Improved end user experience
• Enhanced manager/approver experience
• Minimized reliance on custom development
• Increased automation

* Assumes automated interface to target system

Expected Results

• Reduced risk
– Reduce the number of different means for establishing identities, accounts, and entitlements
– Ensure only approved access is granted
– Ensure policies and rules are enforced through automation rather than through human interaction
– Identify and relegate rogue accounts
– Periodically audit and attest access
– Reconcile differences between provisioning systems (authoritative source for access) and target environments (real world)
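The reconciliation and rogue-account bullets above, as a worked check. This is an added example, not Boeing or Oracle Identity Manager code; the record layout, the account names and the sample data are constructed assumptions.

```python
"""Reconcile a target system's real account list against the provisioning
repository, which is the authoritative source for approved access.
Added example, not Boeing or OIM code; all names and data are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entitlement:
    identity: str   # employee identity, e.g. a BEMSID (value constructed)
    account: str    # account name on the target system
    approved: bool  # True once the approval workflow has completed


@dataclass
class ReconciliationReport:
    rogue: list = field(default_factory=list)       # on target, unknown to the source
    unapproved: list = field(default_factory=list)  # known, but never approved
    missing: list = field(default_factory=list)     # approved, but absent on target


def reconcile(authoritative, target_accounts):
    """Compare the authoritative source (approved access) with the target
    environment (accounts that really exist) and classify every difference."""
    known = {e.account for e in authoritative}
    approved = {e.account for e in authoritative if e.approved}
    present = set(target_accounts)
    report = ReconciliationReport()
    for acct in sorted(present):
        if acct not in known:
            report.rogue.append(acct)        # candidate for relegation/removal
        elif acct not in approved:
            report.unapproved.append(acct)   # exists, but policy never granted it
    report.missing = sorted(approved - present)  # approved but never provisioned
    return report


# Constructed sample data: what the provisioning repository says ...
AUTHORITATIVE = [
    Entitlement("BEMSID-100001", "jsmith", True),   # Jane Smith, approved
    Entitlement("BEMSID-100002", "rjones", True),   # approved, not yet created
    Entitlement("BEMSID-100003", "tlee", False),    # request never approved
]
# ... and what the target Windows domain actually contains.
TARGET_ACCOUNTS = ["jsmith", "tlee", "svc_legacy01"]

if __name__ == "__main__":
    rep = reconcile(AUTHORITATIVE, TARGET_ACCOUNTS)
    print("rogue:", rep.rogue)            # ['svc_legacy01']
    print("unapproved:", rep.unapproved)  # ['tlee']
    print("missing:", rep.missing)        # ['rjones']
```

Running the same comparison on a schedule gives the periodic audit and attestation input the slide calls for, with each class of difference routed to a different remediation.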

How do we get there?

• The program will look for opportunities that will enable one or more of the following
– Reduce current cycle time
– Target largest business impacts
– Focus on streamlining and automating the existing manual work activities
– Select tool that is well understood to facilitate learning
– Reduce risk associated with application support (server end of life and/or tool knowledge base exhausted)
– Analyze large systems in parallel to mitigate complexity and long lead items
– Ensure resources for critical functions have trained backups

Strategy

• Provisioning will continue as one of the key security services
– Manage identities, accounts, and entitlements
– Publish data to the enterprise directory and target systems (as required)
– Referred to as identity management service

Strategy

• The goal for these services is to publish security data to fewer target systems over time
– Publish data to a central repository rather than to individual application environments
– Applications will consume authorization data via well-defined APIs to minimize impact to application code over time

The Big Picture

[Diagram: an Enterprise Security Services Interface in front of the service blocks Identity Management, Resource & Policy Mgmt., AuthN, AuthZ, Identity Distribution, Policy Distribution and Token Exchange, backed by a Data Repository, with Monitoring and Logging spanning all of them. Inputs: Access & Account Requests, Authoritative Sources, Federated Identity Store. Target side: PDP, PEP, Target. Labelled flows: Identity Data, Policies, Tokens, Resource Data, Authentication Decision, Authorization Decision, Log Events & Traps]

Enterprise Access Provisioning must incorporate the four cornerstones of information security: Confidentiality, Authenticity, Integrity, Availability.

A successful provisioning solution ensures individuals get access to necessary resources easily and quickly while ensuring the proper security protocols are completed.


Supplemental Slides (not to be presented)

OIM J2EE Architecture

Offline Processing

Legacy Application Support

Scheduling Engine

Secure Communications

