
Virtual Directory Use Cases McKesson



Presentation on theme: "Virtual Directory Use Cases McKesson"— Presentation transcript:

1 Virtual Directory Use Cases McKesson
Welcome General Welcome

2 The World of Identity Relationships Keeps Expanding
Diagram labels:
App sourcing and hosting: SaaS apps, apps in public clouds, partner apps, apps in private clouds, on-premise enterprise apps
App access channels: enterprise computers, enterprise-issued devices, public computers, personal devices
User populations: employees, contractors, customers, partners, members

3 Existing Identity Infrastructure
Supporting multiple repositories is costly: traditional IDM attempted to mitigate this.
To help manage these multiple end points of identity, we added an Identity Management solution to provision user accounts and provide workflow. This relieves the manual tasks of creating users in every directory for a new or moving employee, but it does not relieve the underlying congestion or growing complexity.
Diagram labels: Legacy Applications, IDM, Existing Identity Infrastructure (Forest/Domain A, Forest/Domain B, Databases, Phone book, HR, LDAP Directories)

4 New Applications and Customers Increase complexity, support, and risk
Diagram labels: SaaS/Cloud/BYOD/Partner Apps, Legacy Applications, IDM, Existing Identity Infrastructure (Forest/Domain A, Forest/Domain B, Databases, Phone book, HR, LDAP Directories)
The answer is to federate the identity into a single service provided by Radiant Logic. Radiant Logic's Federated Identity Service, RadiantOne, allows each legacy platform to connect in its native format to RadiantOne and contribute identities and attributes to build a global user identity repository, which can then provide that same identity information back out in the format and structure needed to support each application. RadiantOne makes full use of the existing investment in Active Directory, Oracle, LDAP, PeopleSoft, etc. and adds a powerful and flexible layer that makes the once-siloed identity data available to any application that can consume it. RadiantOne empowers IDM provisioning and IAG compliance platforms by presenting a single, simple global view of users; it empowers IAM access management by providing a unified profile from multiple sources in the format that PING, OAM, TAM, SiteMinder, etc. need; and it empowers SharePoint by providing the additional attributes outside AD that are necessary to display a complete user profile. It empowers the Oracle database by centralizing authentication and authorization in Active Directory users and groups, and finally gives visibility and familiar management to access across the hundreds of databases.

5 RadiantOne The Identity Hub
Diagram labels: SaaS/Cloud/BYOD/Partner Apps, Legacy Applications, IDM, RadiantOne, Existing Identity Infrastructure (Forest/Domain A, Forest/Domain B, Databases, Phone book, HR, LDAP Directories)

6 Federated Identity Service Able to Sunset Identity Stores
Diagram labels: SaaS/Cloud/BYOD/Partner Apps, Legacy Applications, IDM, Federated Identity Service, Existing Identity Infrastructure (Forest/Domain A, Forest/Domain B, Oracle Databases, Phone book, HR, LDAP Directories)
As RadiantOne is deployed, legacy identity repositories such as AD LDS, SunOne and other LDAP directories, and the local users and roles in each Oracle database, can be retired. This frees up IT support resources, simplifies the environment, and reduces security risk by centralizing on a Federated Identity Service. In addition, RadiantOne can now support applications and business initiatives that in the past were too difficult or impossible to provide because they required identity information from siloed sources that could not be joined. Now the barriers to integration and translation are removed.

7 RadiantOne Abstraction Layer
Virtualization acting as a common abstraction layer.
Diagram labels: Sources of Identity (Databases, Web Services, Directories, Enterprise Applications, Cloud/SaaS); RadiantOne Identity View (Profiles, Groups; Entries, Attributes and Profiles; Common Access Protocol: LDAP, SQL, Web Services & REST; LDAP, SQL, WebServices, REST/SCIM, XML/JSON); Consumers of Identity (Audit and Compliance, Web Access Management, User Attribute Based Access Control (ABAC), Microsoft SharePoint Server, Cloud, Federated Access)
Radiant Logic's Federated Identity Service provides a layer of abstraction between the sources of identity (your directories, AD and LDAP, databases, applications, and the cloud) and the applications that need to access those identity profiles to determine who users are and what they are entitled to access inside and outside the network. Adding this flexible layer between these interdependent systems provides the ability to leverage and combine identity sources in new ways to meet the specific needs of the application. Without this layer it is often necessary to create a new directory of identities from a master source to support a new application. This then requires another set of directory servers, synchronization of changes, auditing and attestation of a new identity store, and additional support and management costs. Many times the needs of an application or business unit are too costly or difficult to provide and the requests are denied. This creates a large bottleneck in the IT support of business initiatives and leads people to find less secure, less managed alternatives, often with third parties in the cloud.
RadiantOne not only creates the global identity with attributes from each identity silo; this data can also be transformed, translated and augmented. For example, an AD user account can be combined with data from an HR database and an SAP ERP table into a user profile that does not exist natively in the enterprise; that schema and its attribute labels can then be transformed into an LDAP inetOrgPerson and provided to PING to build a claim for access to a SaaS application, or to a Web Access Management solution to provide dynamic group memberships for authorization based on user attributes across multiple systems. RadiantOne enables solutions and simplified deployment of every facet of the Identity Management infrastructure. Radiant Logic's Federated Identity Service enables IT to be a business enabler and, in the case of Intel, has reduced business application support hard costs by 70%, allows them to do in days what used to take months, and provides solutions originally denied due to cost or complexity.

8 McKesson is one of America's oldest and largest services companies
McKesson at a glance:
- Founded in 1833
- Ranked 14th on Fortune's list, with $140.0 billion in revenues
- Headquartered in San Francisco
- More than 42,000 employees
- Two segments: Distribution Solutions and Technology Solutions
- Totally focused on health care
McKesson Corporation

9 Leadership Positions in Both Segments
Distribution Solutions:
- #1 pharmaceutical distributor in U.S. and Canada
- #1 generics distributor
- #2 in specialty distribution and services
- #1 in medical-surgical distribution to alternate care sites
- 2,900+ Health Mart® retail pharmacy franchisees
- Comprehensive retail information systems and automation offerings
Technology Solutions:
- Serve 52% of all U.S. hospitals
- Leader in clinical, revenue-cycle and resource-management solutions
- Leading RelayHealth™ claims-processing and connectivity business
- 200,000+ physician customers
- #1 in physician revenue cycle and practice management
- #1 in medical-management software and services to payers
Speaker's notes: We have leadership positions in pharmaceutical distribution and healthcare technology solutions.

10 Information Security Architecture & Services
We deliver security solutions to enable and protect businesses by:
- Offering a comprehensive portfolio of security services, supported by core security capabilities, that meet McKesson customers' regulatory, industry and internal requirements
- Enabling McKesson business units to establish trust between organizations, partners, third-party users, and customers through federation, certificate services and secure collaboration
- Increasing our competitive advantage in security solutions through ongoing analysis of the latest security architecture trends and product offerings, such as cloud security and security as a service
We are members of McKesson's Information Security and Risk Management, providing a range of services including security consulting and operations, IT risk management and incident management.

11 The Four Pillars of Identity Services
Management | Identity Data Services | Access Management | Audit, Role & Compliance
User Self-Service & Password Management | Virtual Directory | Web Access Management/SSO | Centralized Audit
Delegated Administration | Meta Directory | Federated Identity Management/SSO | Logging and Monitoring
Automated Approvals and Workflows | Synchronization/Replication | Authentication & Authorization | Access Certification
Enterprise Role Definition | Directory Storage | Standard APIs | Reporting
Benefits across the four pillars: reduced administrative tasks, reduced help desk calls, improved security, accountability, cost savings; improved process efficiency, central user information, enhanced user experience; improved management of security risks, efficient development/deployment of applications, reusable integration; HIPAA and SOX compliance, common access logs, improved accountability, common reporting.

12 Identity Data Foundational Element for IRM
RadiantOne is able to connect to each of the siloed sources of identity in the enterprise, both on premise and in the cloud, through standards-based protocols including LDAP, JDBC, web services and REST. Once connected to each identity source, RadiantOne extracts the schema or database structure to facilitate creating a global profile for each user across all of the identity sources. RadiantOne can associate the same user across different systems with a different user ID format (Jsmith and John.smith), or distinguish between the same user ID (Jsmith) on two different sources that belongs to two different people. Once the global identity is created, the profile can be enhanced with additional data from other sources, including data not stored elsewhere in the environment. RadiantOne then publishes a "view" of the identity data to each application in the format, structure, and standard protocol (LDAP, SQL, REST) that is needed, on an application-by-application basis. In this way the same set of data can provide authorization and authentication identity data to a SiteMinder Web Access Manager solution, a PING Federate cloud SaaS or OpenAM access manager, and the reporting, audit, and attestation tools used by the compliance team. RadiantOne can also act as a provisioning platform by properly translating and formatting adds, moves, and changes to each of the connected backend identity sources. When an identity source is not highly available, is slow to respond to requests (such as a database), or has to be logically created in the RadiantOne solution, a locally stored copy of that data set with near-real-time change detection can be configured. The locally stored data can be combined with proxy data from highly available sources such as AD to provide authentication data at the speed of a directory.
Diagram labels: HR Databases, LDAP Directories, Cloud Apps, Applications, Databases

13 Business Case for Virtual Directory
Use Cases | Benefit
Enterprise Role & Compliance | Simplifies user access review application integration; business units subject to PCI and/or HIPAA privacy/security regulations; one place to report across all platforms
Hybrid Cloud SSO & SaaS Identity Management | Facilitates SSO to cloud-based services (e.g. Azure/Office 365, Salesforce, Box, WebEx); provides a global view of identity
SSO, Enterprise & Customer Facing, Across Multiple Identity Data Stores | Reduces development effort in migrating to a single directory; simplifies migration to an IAM platform
R & C: Why is it important to the business?
- Auditors need to know who has access to what
- Identities are siloed across multiple platforms
- Creates a persistent, global, consolidated view of identity
- One place to report across all platforms
- One place to manage identity and compliance
- Backend sources are not disturbed
- Filtered and grouped reporting data available in near real time
Cloud SSO: Why is it important to the business?
- Office 365 and other cloud applications are rolling out
- Users need single sign-on to cloud applications
- Users have to be provisioned to each cloud application
- Cloud apps create more identity silos to provision, de-provision, and audit
- Adding cloud identity to the global user profile simplifies provisioning and de-provisioning, and provides access and license audit
- Users gain single sign-on to all managed cloud applications
- Can leverage AD accounts from multiple forests and domains

14 Business Case for Virtual Directory
Use Cases | Benefit
Mergers & Acquisitions | Reduction of migration cost due to minimization of identity data consolidation and custom coding; reduced engagement of external M&A specialists; no violation of EU Data Protection Directives due to the M&A activities with identity data
Attribute-based Access Control | Provides more granular access control; attributes are easier to attest than groups and roles
Database Security | Improves user experience and security by enabling SSO to databases using corporate credentials
Attribute Based Access Control (ABAC): Why is it important to the business?
- Basing access on attributes provides more granular access control
- Attributes are easier to attest than groups and roles
- Attribute labels and values are not uniform across organizations
- Effective policies cannot be created around large attribute populations
- Create a global, attribute-rich profile from multiple identity sources
- Normalize attributes across organizations and between partners
- Provide normalized attributes to the PAP and PDP

15 Achieving SSO across Identity Silos
McKesson Corporation Confidential and Proprietary

16 Situation #1: Scattered Attributes

17 Situation #2: Scattered Passwords

18 Approach #1: SSO with OpenAM/DJ/IDM Alone
- Design an OpenDJ schema to store all the user attributes within the targeted SSO application(s); a significant effort if the targeted applications have various overlapping user attributes
- Migrate the existing user authentication store to OpenDJ (leaving user authorization local to the individual applications); this is a significant effort, especially when the user store is an RDBMS instead of LDAP
- Use OpenAM for access management for the SSO portal
- Change each individual application to integrate with OpenAM

19 Federated Identity Service
Approach #2: OpenAM and VDS as a common access point with a common identity. Multiple sources of identity with different schemas, protocols, formats, and structures; the application(s) expect a single normalized source.
Diagram labels: App 1 Database, App 2 Database, App 3 Database, LDAP/Other, Federated Identity Service, SaaS and Web Applications
Thanks to the union and join operations performed by the RadiantOne VDS, OpenAM can use a single connection to one virtual identity store. This enables OpenAM to receive the identifiers and credentials it needs in order to provide single sign-on to cloud, web, and legacy applications; reverse proxy services; or even mobile devices. A variety of authentication methods can be used, including WS-* and REST APIs, policy agents, and password replay, depending on what the application is expecting.

20 Step#1: Join Identities Across Data Sources
A federated identity service works by creating a hub that unites all of the identity information stored within individual data sources (LDAP directories, SQL databases, AD forests, or almost any other file format) into one virtualized directory. All these identity sources are inventoried to pull their data into the new virtual directory in a coherent way. The virtualization engine creates an authoritative global list of all users across the system and unifies overlapping user representations. It tags each user with a unique identifier and correlates those identifiers across silos (regardless of format), creating a single global list of all users in the network, without collision. So there is no need to build scripts directing authentication toward different data repositories. Now users from different identity stores, including multiple AD forests, are all accessible via the same common list.
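The correlation step described on this slide and on slide 12 (the same person as "Jsmith" and "John.smith", versus two different people who both use "Jsmith"), as an added example that is not RadiantOne code or McKesson's configuration. The three sources are constructed inline, the mail address is assumed to be the strong join key, and the view mapping onto inetOrgPerson labels is an assumption.

```python
"""Correlate identities from three silos into one global profile, then publish
an LDAP-style view. Constructed sample data; not RadiantOne code.

Join rule: a lower-cased mail address is the strong key. A login with no mail
attaches to an already-seen global id only when that login maps to exactly one
identity; otherwise it stays separate. The "two jsmith" case from the slide
therefore yields two profiles plus a reported collision, not a silent merge.
"""
import re

LDAP_DIR = [
    {"uid": "John.smith", "mail": "jsmith@example.com", "title": "VP Sales"},
    {"uid": "jsmith", "mail": "jane.smith@example.com", "title": "Analyst"},
]
ACTIVE_DIR = [
    {"sAMAccountName": "Jsmith", "mail": "JSmith@example.com", "memberOf": "PA Sales"},
    {"sAMAccountName": "afuller", "mail": "afuller@example.com", "memberOf": "PA Sales"},
]
HR_DB = [
    {"USERID": "jsmith", "EMPID": "2", "REGION": "PA", "MAIL": "jsmith@example.com"},
    {"USERID": "AFULLER", "EMPID": "7", "REGION": "PA"},   # no mail column filled
]
# (source name, entries, login attribute, mail attribute)
SOURCES = [("ldap", LDAP_DIR, "uid", "mail"),
           ("ad", ACTIVE_DIR, "sAMAccountName", "mail"),
           ("hr", HR_DB, "USERID", "MAIL")]

def normalize_login(login):
    # "Jsmith", "JSMITH" and "j.smith" all collapse to "jsmith"
    return re.sub(r"[^a-z0-9]", "", login.lower())

def correlate(sources=SOURCES):
    profiles = {}   # global id -> merged attributes from every source
    logins = {}     # normalized login -> set of global ids seen with it
    for name, entries, login_attr, mail_attr in sources:
        for entry in entries:
            login = normalize_login(entry[login_attr])
            mail = entry.get(mail_attr, "").lower()
            if mail:
                gid = mail
            else:
                known = logins.get(login, set())
                gid = next(iter(known)) if len(known) == 1 else f"unresolved:{name}:{login}"
            prof = profiles.setdefault(gid, {"globalId": gid, "sources": []})
            prof["sources"].append(name)
            for attr, val in entry.items():
                prof.setdefault(attr, val)   # first source to supply an attribute wins
            logins.setdefault(login, set()).add(gid)
    # same login, different people: report it rather than merge
    collisions = {lg: ids for lg, ids in logins.items() if len(ids) > 1}
    return profiles, collisions

# Silo-specific labels renamed onto one inetOrgPerson-style schema (assumed
# mapping; "region" is a custom attribute, not part of inetOrgPerson)
VIEW_MAP = {"sAMAccountName": "uid", "USERID": "uid", "EMPID": "employeeNumber",
            "MAIL": "mail", "REGION": "region"}

def to_ldap_view(profile, base="ou=people,o=vds"):
    """Publish one global profile as an LDAP entry under the virtual tree."""
    entry = {"objectClass": "inetOrgPerson"}
    for attr, val in profile.items():
        if attr not in ("globalId", "sources"):
            entry.setdefault(VIEW_MAP.get(attr, attr), val)
    entry["dn"] = f"uid={entry['uid']},{base}"
    return entry

if __name__ == "__main__":
    profiles, collisions = correlate()
    for prof in profiles.values():
        print(to_ldap_view(prof)["dn"], "<-", prof["sources"])
    print("collisions:", collisions)
```

Source order matters for the mail-less fallback: the HR row for AFULLER merges only because the AD entry with that login was processed first.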

21 Benefits of RadiantOne and ForgeRock
- Improved user experience: the user only needs to log in once and can access one or multiple applications
- SSO implementation has minimal impact on existing applications, since there is no user data migration
- Self-service password management enhances usability while increasing security and reducing the need for helpdesk support
- Standards-based solution reduces vendor lock-in
- Established Identity Data Service benefits mobile and cloud services
Speaker's notes:
- Provide an easy-to-use implementation whereby internal users and external customers/partners only need to log in once to access the data for which they are authorized
- Provide a centralized account management system to enforce standard password policies, both for internal employees and external customers/partners (customer / business / QA / developer benefit)
- Users manage their own password activities, including creating, resetting and changing passwords
- Audit user activity
- Implementation of the Single Sign On service will have minimal impact on existing applications
- Standards-based solution
- Optimize helpdesk / implementation efficiency

22 Joining Data across AD Domains

23 Challenge – Two Autonomous Domains
- McKesson employees primarily reside in one AD domain (IT)
- A business unit's (BU) employees are being migrated from their AD domain to the IT AD domain
- The BU domain also includes non-employee accounts that cannot be migrated to the IT domain
- Distribution lists originating in the BU and migrated to IT may contain non-employee accounts that will remain in the BU
- Changes made to the BU distribution lists are automatically replicated to the corresponding IT distribution lists
- Distribution lists cannot be managed across the BU and IT domains without logging into each domain separately to add and remove users in each domain
- Requiring logging in and out of each domain to make a single update introduces unacceptable management overhead and increases the risk of error

24 Solution
- Radiant Logic Virtual Directory Service (VDS) is installed and configured to access both AD domains
- VDS extracts the users and groups from both domains
- A view is created in the VDS as a branch that includes the groups and users from the BU domain, including the non-employee accounts
- Another view is created in the VDS as a branch that includes the groups and users from the IT domain
- The VDS Groups Builder is used to add and remove users in distribution lists in the BU and IT domains from a single interface
- The Groups Builder's add-user function provides a pick-list of available user accounts to add or remove; creating new distribution groups is also an option

25 Mergers and Acquisitions (M & A)

26 Mergers & Acquisitions
Why is it important to the business?
- Value of M&A is impacted by the rate of assimilation of users and resources
- M&A targets have vastly different IT structures and conventions
- Need a layer to provide translation and transformation
- Maintain business continuity (first, do no harm!)
- Provide access to applications across both environments
- Migrate applications and users at the desired pace

27 Mergers & Acquisitions
Diagram labels: US Company Population, European Company Population, US Co., Eur. Co., US Company View, European Company View
When two organizations merge or collaborate, there is often a challenge in granting the users in one environment access to the applications that exist in their counterpart. Domains, forests, different organization structures, extended schemas and even naming contexts can make integration difficult. RadiantOne provides an abstraction layer between each environment that leaves the original structures in place while also allowing the dynamic reorganization and transformation of users, groups, attributes, and hierarchies into structures compatible with the new environment. Performing this abstraction and transformation in both directions allows each user to access the resources of the other company without needing to alter the applications or merge the users into one directory. RadiantOne allows for almost immediate integration and allows time to plan and execute the proper merger of the companies.

28 Configuration and Security
- Existing synchronization will duplicate additions made to groups in the BU domain to the corresponding groups in the IT domain
- Filter the initial views from BU and IT to provide access only to specific distribution groups, and exclude security groups
- Filter the attributes of the user accounts in the view to simplify display and hide any sensitive data
- Use ACLs in VDS to tailor access to the BU and IT views
- Limit access to view or update the users and distribution groups to select individuals or members of select security groups
Speaker's notes: This slide does a good job of illustrating how the ability to filter and remap objects in RadiantOne allows the filtering of specific users, objects, and attributes that an organization may not want to expose to certain applications or across certain borders.
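The three filtering controls from this slide (exclude security groups from the view, expose only an allow-list of user attributes, and restrict updates to a designated group), as an added example that is not RadiantOne or McKesson code. The entries are constructed, the domain and group names are hypothetical, and security groups are recognized by the ADS_GROUP_TYPE_SECURITY_ENABLED bit that Active Directory sets in groupType.

```python
"""Publish a filtered view of one AD domain for distribution-list management.
Constructed sample data; not RadiantOne code."""

SECURITY_ENABLED = 0x80000000   # AD groupType flag ADS_GROUP_TYPE_SECURITY_ENABLED
USER_ALLOWLIST = ("cn", "sAMAccountName", "displayName", "mail")
# Hypothetical ACL subject: the only group allowed to change list membership
DL_ADMINS = "cn=DL Admins,ou=groups,dc=bu,dc=example"

BU_ENTRIES = [   # constructed: what VDS extracted from the BU domain
    {"dn": "cn=BU All Hands,ou=groups,dc=bu,dc=example", "cn": "BU All Hands",
     "objectClass": "group", "groupType": 2},            # global distribution list
    {"dn": "cn=Domain Admins,cn=users,dc=bu,dc=example", "cn": "Domain Admins",
     "objectClass": "group", "groupType": -2147483646},  # global security group
    {"dn": "cn=alice,cn=users,dc=bu,dc=example", "cn": "alice",
     "objectClass": "user", "sAMAccountName": "alice", "displayName": "Alice A",
     "mail": "alice@bu.example", "telephoneNumber": "555-0100",
     "employeeID": "E-1001", "pwdLastSet": "133000000000000000"},
]

def is_distribution_group(entry):
    # groupType is a signed 32-bit value in AD; mask it before testing the flag
    return (int(entry["groupType"]) & 0xFFFFFFFF) & SECURITY_ENABLED == 0

def build_view(entries, allowlist=USER_ALLOWLIST):
    """Return only what the distribution-list application is allowed to see:
    distribution groups, and users reduced to the allow-listed attributes."""
    groups, users = [], []
    for e in entries:
        if e["objectClass"] == "group":
            if is_distribution_group(e):
                groups.append(e)
        elif e["objectClass"] == "user":
            users.append({"dn": e["dn"], **{a: e[a] for a in allowlist if a in e}})
    return {"groups": groups, "users": users}

def can_update(requester_groups, admin_group=DL_ADMINS):
    """ACL check: only members of the admin group may modify list membership."""
    return admin_group.lower() in (g.lower() for g in requester_groups)

if __name__ == "__main__":
    view = build_view(BU_ENTRIES)
    print([g["cn"] for g in view["groups"]], view["users"])
    print(can_update(["cn=Domain Users,cn=users,dc=bu,dc=example"]))
```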

29 Technical Benefits of Virtual Directory Approach
- Build a global list of all identities and a complete profile of each identity, usually in days, not months
- Eliminate any manual re-architecting, schema extensions, synchronization, or construction of complex code in order to achieve the future-state identity repository
- Safely expose true identities to external applications and partners through a secure virtual layer
- Reduce or eliminate the need to establish new trusts across AD domains and forests
- Migrate existing groups, and dynamically create new groups based on attributes found in legacy repositories
- Guarantee directory-like performance

30 Flexibility in Defining Groups by Attributes, Based on Joined Attributes for a User
Correlated Identity View (the global profile built by joining the three sources below):
  employeeNumber=2
  sAMAccountName=Andrew_Fuller
  objectClass=user
  mail:
  uid=AFuller
  title=VP Sales
  clearanceLevel=1
  region=PA
  departmentName=Sales
  memberOf=PA Sales
Dynamic Groups View:
  cn=PA Sales
  member=Andrew_Fuller
  (based on identities that have clearanceLevel=1, title=VP Sales, region=PA)
Sources:
  LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
  Active Directory: employeeNumber=2, sAMAccountName=Andrew_Fuller, objectClass=user, mail:, departmentNumber=234
  Database table (columns USERID, REGION, EMPID, DEPTID, CLRLEVEL): Andrew_Fuller, PA, 234, 1
Once overlapping user accounts have been detected, the integration layer performs a join to pull in attributes from a user's disparate accounts to populate a global profile. This global profile is the basis for defining groups and assigning membership, as well as for feeding fine-grained authorization engines.

31 Flexibility with Groups: Leveraging/Re-Mapping Existing Groups
Virtual tree (o=VDS):
  ou=AD1
    ou=people: cn=john
    ou=groups: cn=marketing (member=cn=john,ou=people,ou=AD1,o=vds)
  ou=AD2
    cn=users: cn=bob
    ou=groups: cn=sales (member=cn=bob,cn=users,ou=AD2,o=vds)
  ou=Sun
    ou=west, ou=ca: cn=nancy
    ou=groups: cn=HR (member=cn=nancy,ou=ca,ou=west,ou=Sun,o=vds)
Backends:
  Active Directory US Domain (dc=us): ou=people: cn=john; ou=groups: cn=marketing (member=cn=john,ou=people,dc=us)
  Active Directory Europe Domain (dc=europe): cn=users: cn=bob; ou=groups: cn=sales (member=cn=bob,cn=users,dc=europe)
  Sun Directory (o=corp): ou=west, ou=ca: cn=nancy; ou=groups: cn=HR (uniqueMember=cn=nancy,ou=ca,ou=west,o=corp)

32 Flexibility in Defining Groups: Group Memberships that Change with Your Users
Dynamic groups view (o=VDS); group members are built dynamically from the department attribute in the user entries:
  cn=HR (objectClass=group): member=leah_scott, member=Scott Thalon
  cn=Marketing (objectClass=group): member=todd_jones, member=ssmith
  cn=Sales (objectClass=group): member=john_smith, member=lgreen, member=Jim Samon
Rather than making group membership changes manually at the group entry, administrators need only define the parameters for membership in the group as a filter, using attributes that can be found in users' global profiles. The members are automatically populated into the appropriate groups based on the defined filter for the group. And then, any time the attribute used as the group definition parameter changes, it is reflected in the user's membership status automatically. While policies can be based on attribute values, they can also be based on group membership. When SiteMinder has access to complete and up-to-date groups, it is easy to define policies around them. But accurately managing groups or creating new groups within your enterprise can be a time-consuming and tedious task, and the more identity sources in the mix, the higher the administrative burden becomes. What happens when you need to create a group consisting of members that span different user repositories? If you have a business policy that says "everyone in sales can access this resource," SiteMinder expects a group called "sales" that includes all the members. But what if your business dictates that your sales group is made up of employees stored in AD and contractors stored in LDAP? How do you create a single group called "sales" that SiteMinder can consume, when you have members from diverse sources? With RadiantOne, you can create and manage groups much more flexibly, including groups with members from disparate data sources.
Sources:
  LDAP Directory: userID=12952, cn=john_smith, department=Sales; userID=12954, cn=leah_scott, department=HR; userID=12943, cn=todd_jones, department=Marketing
  Active Directory: EmployeeID=16473, sAMAccountName=ssmith, department=Marketing; EmployeeID=16453, sAMAccountName=lgreen, department=Sales
  Database (DEPT_ID, DEPT_MGR, DEPT, OFFICE): 129, Jim Samon, Sales, Seattle; 954, Scott Thalon, HR, LA
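The two group techniques of slides 30 to 32, re-mapping existing backend groups into the virtual tree (slide 31) and computing group membership from an attribute filter over joined profiles (slides 30 and 32), as one added example that is not RadiantOne code. The global profiles are constructed to stand in for the output of the join step; the backend suffixes and branch names follow the slide 31 layout, and the o=vds naming is assumed.

```python
"""Group views over already-joined global profiles. Constructed sample data;
not RadiantOne code.

remap_group() re-roots an existing backend group under o=vds and rewrites its
member DNs (member and uniqueMember are folded into one attribute), so that
applications see a single naming context. dynamic_group() computes membership
from an attribute filter over the global profiles, so a change in a user's
attributes changes the group without anyone editing the group entry.
"""

# backend naming context -> branch of the virtual tree (slide 31 layout)
BRANCHES = {"dc=us": "ou=AD1,o=vds", "dc=europe": "ou=AD2,o=vds", "o=corp": "ou=Sun,o=vds"}

GLOBAL_PROFILES = [   # constructed: output of the correlation/join step
    {"dn": "uid=john_smith,ou=people,o=vds", "department": "Sales",
     "title": "VP Sales", "clearanceLevel": "1", "region": "PA"},
    {"dn": "uid=lgreen,ou=people,o=vds", "department": "Sales",
     "title": "Account Rep", "clearanceLevel": "2", "region": "CA"},
    {"dn": "uid=ssmith,ou=people,o=vds", "department": "Marketing",
     "title": "Analyst", "clearanceLevel": "2", "region": "PA"},
    {"dn": "uid=leah_scott,ou=people,o=vds", "department": "HR",
     "title": "Manager", "clearanceLevel": "1", "region": "PA"},
]

def remap_dn(dn, branches=BRANCHES):
    """Replace a backend suffix with its virtual-tree branch, e.g.
    cn=nancy,ou=ca,ou=west,o=corp -> cn=nancy,ou=ca,ou=west,ou=Sun,o=vds"""
    lowered = dn.lower()
    for suffix, branch in branches.items():
        if lowered == suffix or lowered.endswith("," + suffix):
            return dn[: len(dn) - len(suffix)] + branch
    raise ValueError(f"DN is not under a known backend: {dn}")

def remap_group(group):
    """Backend group entry -> groupOfNames under the matching o=vds branch."""
    members = group.get("member", []) + group.get("uniqueMember", [])
    return {"dn": remap_dn(group["dn"]), "objectClass": "groupOfNames",
            "member": [remap_dn(m) for m in members]}

def matches(profile, flt):
    # case-insensitive equality on every attribute in the filter (an LDAP AND filter)
    return all(str(profile.get(k, "")).lower() == str(v).lower() for k, v in flt.items())

def dynamic_group(cn, flt, profiles=GLOBAL_PROFILES):
    """Membership = every global profile matching the filter, recomputed each call."""
    return {"dn": f"cn={cn},ou=groups,o=vds", "objectClass": "group",
            "member": [p["dn"] for p in profiles if matches(p, flt)]}

if __name__ == "__main__":
    print(remap_group({"dn": "cn=HR,ou=groups,o=corp",
                       "uniqueMember": ["cn=nancy,ou=ca,ou=west,o=corp"]}))
    print(dynamic_group("Sales", {"department": "Sales"})["member"])
    print(dynamic_group("PA Sales", {"clearanceLevel": "1", "title": "VP Sales",
                                     "region": "PA"})["member"])
```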

33 Q&A

