End to End Identity Management in a Cloud-First Landscape

With ever more enterprise data and functions moving from on-premises data centres to the cloud, the corporate firewall is no longer an effective demarcation of company-internal assets from the rest of the world. Identity has rapidly become the next security perimeter – the passport which systems inspect to grant or deny access to information assets. But such an approach demands robust processes for managing identities throughout their lifecycle.

This presentation outlines how Orica evolved from largely manual processes with little visibility to fully automated identity management, with provisioning and de-provisioning of job-based authorisations in both SAP and non-SAP systems; how this changed the way we look at security; and what challenges remain.

Sascha Wenninger

July 28, 2021

Transcript

  1. End to End Identity Management in a Cloud-first Landscape. Sascha Wenninger, http://slides.sufw.me/e2eidentity

  2. A Long Time Ago… Image credit: Henry de Saussure Copeland

  3. More Recently… Image credit: Linux Screenshots

  4.–10. (Illustration slides: emoji figures only, no text.)

  11. Identity is the new Perimeter. Image credit: Tim Reckmann and Shankar S.

  12. Lots to Consider… • Who works in the company? • Onboarding • Access provisioning • Authentication • Monitoring • Data security • Offboarding

  13. None
  14. In 2016

  15. User Provisioning (2016). Diagram labels: Active Directory, Service Now, Office 365, SAP ECC, etc.

  16. The Problem • Extremely manual • Leaky offboarding process • “Copy from template user” approach • IT Security seen as a board-level enterprise risk

  17. The Opportunity

  18. The Opportunity
    25-year old system ➧ Greenfield system
    Dis-integrated processes ➧ Integrated processes within & across systems
    Undocumented processes ➧ All processes modelled in BPMN
    0 workflows ➧ 54 workflows
    Security by copying users ➧ Deterministic security
    Username/password login ➧ Single Sign-On everywhere

  19. IBP, C4C

  20. Technology is the Easy Part…
    Login accounts & Office 365 ➧ SailPoint Identity IQ
    SAP User accounts ➧ SAP Identity Management
    Single Sign-On ➧ SAML & Azure AD
    Segregation of Duties ➧ SAP GRC

  21. Technology is the Easy Part… relatively

  22. Technology is the Easy Part… relatively

  23. Technology is the Easy Part… Technology Process Data

  24. Data: One single org structure covering all workers.

  25. Data: One single org structure covering all workers. …including contractors!

  26. Data: 34 HR/Payroll systems ➧

  27. Process: How to make sure data is maintained?

  28. Process: How to make sure data is maintained? Imperative Processes!

  29. Process: How to make sure data is maintained? Make it easy to do the right thing. Make it hard to do the wrong thing.

  30. Process: How to make sure data is maintained?
    Must be in SuccessFactors to get a login
    Single Sign-On everywhere
    Access to SAP systems determined by Job and Org assignment
    Automated provisioning - no manual exceptions

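
As an added illustration of the rule on this slide (not code from the deck or from Orica's implementation), the Python below derives every worker's entitlements deterministically from the job and org assignment in the HR source of truth and reconciles that against what the target systems currently hold, so that accounts with no HR record behind them (the leaky offboarding of the old process) and "copied from a template user" extras are surfaced for revocation. The HR records, the current-access snapshot and all role, group and licence names are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed HR record: HR is the single source of truth for who works here, contractors included.
@dataclass(frozen=True)
class Worker:
    worker_id: str
    job: str
    org: str
    end_date: date | None  # None = active; a date in the past = has left
# Deterministic security: access is a function of (job, org), never of a template user; names are hypothetical.
ROLE_MODEL = {
    ("Plant Operator", "Manufacturing"): {"AD:Plant-Users", "S4:Z_PLANT_DISPLAY"},
    ("Finance Analyst", "Finance"): {"AD:Finance-Users", "S4:Z_FI_ANALYST"},
}
BIRTHRIGHT = {"AD:All-Workers", "O365:E3"}  # every active worker gets a login and a mailbox

def desired_access(worker: Worker, today: date) -> set[str]:
    """Entitlements the worker should hold today; none once the HR record has ended."""
    if worker.end_date is not None and worker.end_date <= today:
        return set()
    return BIRTHRIGHT | ROLE_MODEL.get((worker.job, worker.org), set())

def reconcile(hr: list[Worker], current: dict[str, set[str]], today: date) -> dict:
    """Diff HR truth against target systems: grants, revokes, and orphan accounts with no HR record."""
    by_id = {w.worker_id: w for w in hr}
    actions: dict = {"grant": {}, "revoke": {}, "orphans": sorted(set(current) - set(by_id))}
    for wid, worker in by_id.items():
        want, have = desired_access(worker, today), current.get(wid, set())
        if want - have:
            actions["grant"][wid] = sorted(want - have)
        if have - want:  # also catches manual exceptions the job/org model does not justify
            actions["revoke"][wid] = sorted(have - want)
    return actions
TODAY = date(2021, 7, 28)
HR = [  # constructed HR feed
    Worker("E100", "Plant Operator", "Manufacturing", None),
    Worker("E200", "Finance Analyst", "Finance", date(2021, 6, 30)),  # left last month
    Worker("C300", "Plant Operator", "Manufacturing", None),  # contractor, no accounts yet
]
CURRENT = {  # constructed snapshot of what AD / Office 365 / S/4HANA currently hold
    "E100": {"AD:All-Workers", "O365:E3", "AD:Plant-Users", "S4:Z_FI_ANALYST"},  # copied from a finance user
    "E200": {"AD:All-Workers", "O365:E3", "AD:Finance-Users", "S4:Z_FI_ANALYST"},  # never offboarded
    "X999": {"AD:All-Workers"},  # account with no HR record behind it
}

if __name__ == "__main__":
    print(reconcile(HR, CURRENT, TODAY))
```

Running it lists the missing plant role to grant to E100 and the finance role to revoke from them, everything held by the departed E200 to revoke, the full birthright plus plant roles to grant to contractor C300, and X999 as an orphan account.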
  31. Change is Hard! • HR didn’t want contractors in “their” SuccessFactors • No business owner for identity • Some people didn’t “need” a logon account • Exceptions – “we are special”

  32. Executive Support Technology Process Data Exec Support

  33. Executive Support: We are changing how people work.

  34. Art by Hugh MacLeod: www.gapingvoidart.com/gallery/dinosaur

  35. What Worked for us • Influence from non-HR execs whose processes rely on accurate org data • Multiple systems run workflows • Compliance monitoring of safety training for all workers • Audit pressure

  36. User Provisioning (2020). Diagram labels: SuccessFactors, Office 365, SAP S/4HANA, etc., Active Directory, Fieldglass, SAP IdM, SailPoint IIQ, ServiceNow, SAC, IBP, SAP GRC AC, etc., SCCM, AD Groups

  37. One Source of Truth (same diagram as slide 36)

  38. Make it Imperative (same diagram as slide 36)

  39. You may have > 1 Tool… (same diagram as slide 36)

  40. SAP IdM vs. SailPoint IIQ

  41. SAP IdM vs. SailPoint IIQ: Different strengths. Different licensing models. Skill availability. Pick your battles…

  42. SAP IdM vs. SAP Cloud Identity Services • SAP IdM is abandonware, but known & extensible • SAP Cloud Identity is new & unknown ➧ Use the boring tool. Is this where you want to spend your innovation budget?

  43. Challenges • SAP IdM skills availability • Missing connectors to SaaS systems ➧ custom Java code • Incomplete APIs in SaaS systems ➧ clunky provisioning • Mindset shift for Support and End Users

  44. Future Opportunities: Manage Identities, Protect Identities, Protect Data, Secure BYOD, etc.

  45. Enabler for More: Data Protection

  46. Summary
    Data: One Org Chart
    Process: Make it hard to do the wrong thing
    Executive Sponsorship: From outside IT and HR!
    Tooling: Be pragmatic – use what works
    Change Management for IT
    Change Management for Business users

  47. How to Connect with Me. E: sascha.wenninger@softwareone.com, M: +65 8799 1446, LinkedIn: linkedin.com/in/saschawenninger, Twitter: @sufw