Wolfgang Zwerch, MunichRe
April 18, 2012 14:30
This was the first of two presentations regarding best practices in identity and access management. The next presenter will be Han back from Munich Re. He has a consulting background in identity and access management and has just recently joined Munich Re to complete what he started there as a consultant. And he still looks happy. So we will now hear his experiences.

Okay. Just some further words. My name is Wolfgang Zwerch, and I'm the project manager of the IAM implementation project at Munich Re. With some slides I want to show you our experience after more than one year of running the system. I have only one slide as a short introduction to the project. So our agenda: a short background, then a quick overview, then the main challenges of the project and the operation of the system, then the experience and the best practices we want to share with you, and finally one slide with the conclusion after one year of operating our system. Okay.

For the overview of the project: we started in May 2010, and after seven months we went live with our first SAP system. This was a really big event, with a small SAP system with status reports. It's a portal, I don't know the English word. In the first days of December we went to the business; they had a new employee, and we generated a new user account and gave him the right entitlement within the IAM tool. The manager approved the request, and to our big surprise the account was provisioned into the SAP system and worked properly. So this was the starting point of our IAM tool.

From the business side, from the business objectives, we want to sustainably fulfill the compliance requirements within Munich Re; this was the big point we wanted to solve. And of course to enhance security and to reduce costs. The last point is to provide business agility, which means that if you have new acquisitions, you can provide accounts and the right entitlements much quicker than with a manual process. Okay.

This slide is just to give you a short overview of our processes and the organization. We have implemented several processes within the IAM tool, for the provisioning or requesting of entitlements and user accounts, and especially also for the reporting of entitlements for line managers, for the business people, and also for the internal auditors. Right now we manage more than 16,000 digital identities. What does digital identity mean? I will expand on it a little bit in a later slide. And right now we have more than 750,000 accounts managed in the system. These accounts are SAP accounts and Active Directory accounts, and this number is still growing.

From the project scope: first we wanted to include or integrate all applications we maintain in Munich, and our first attempt was just to include all users in Munich. But within the project time we had to use a more global target, to integrate all of our users, because we saw that the systems in Munich were used globally and so we could not separate them within our system. From the data perspective, we manage 15,000 SAP roles and more than 20,000 Active Directory groups right now. From the application point of view, this means 18 SAP application modules right now within the IAM tool, for which you can request entitlements, and over 90 .NET applications. And the last line: 70 SAP systems we have integrated into the system, and three Active Directory domains.

This is just a vision of our infrastructure. This slide was drawn at the beginning of the project, and right now we have nearly implemented this vision. The only open point is the management of the externals. Right now the externals are managed in the HR systems. Here on the left side we have two HR systems, and all the employee information is initially loaded in HR and then transferred to the central global org management system, which is an SAP system, here in the middle. From there we have an export to the IAM system. In our vision we want to manage all the externals globally within IAM and then transport this information to our global org management system, so that our HR systems are only used for internal accounts. Connected to the IAM system are several SAP systems. As you could see in the slide before, we have more than 80 SAP systems with more than 250 clients behind it. And Active Directory is linked to the tool.

So, challenges. How to request entitlements for a specific account, because if you have more than 750,000 accounts available in the system, it is not quite easy to select the right one. And how to make more than 35,000 entitlements orderable; this means, how could a normal user find the right entitlement in the system? The third one was how to support the SAP systems, because we have a very big development landscape for our SAP systems. We have our own SAP development environment with more than 30 systems and more than 70 clients, and what they always do is bring up new clients, copy some clients from the productive clients to quality assurance clients, set up new clients, downgrade clients and so on, and this must always be integrated into the IAM, must be reflected by the IAM system. And this is a lot of work. Then: how to make reports about entitlements comprehensible and understandable, or transparent, for line managers or users. And a very, very interesting point is how to handle exceptions. Okay.

First, how to handle entitlements for a specific account. Our solution here is to define and implement the concept of the digital identity, which means we have a central account, the digital identity, and the user accounts, all the technical accounts on the SAP systems and in Active Directory, are linked together with the org information and maybe some information about enterprise roles and so on. With this architecture we have the possibility that the web portal can identify you with a single sign-on mechanism, and then you can request an entitlement for different accounts. As an example: you have an Active Directory account, your normal business account; then maybe you are a developer and you have a development account, then an administration account, and now you want to request a special role for your development account. Then you go into the system, as you see here; this is our portal. You have to select the right digital identity, in the first step here. Then you can select different digital identities of different persons, and in the second step you can select your entitlement.

We have a structure based on the application. The first level is whether it is a .NET application, an SAP application or an IT infrastructure component. Here we have selected the .NET application, and here is KISS, a special application. Below you can see all the entitlements which are requestable. If you select one entitlement, you put it in your cart, and if you press the request button the tool tells you, okay, this product can be ordered for different accounts, and then you can select the account you want this request to be ordered for. Here in this list you can see we have several dev accounts, partner accounts and so on. We tested this concept with our IT coordinators, and after one year of real operation of this concept we see that it works; they got used to it and can easily request entitlements also for different accounts. And this concept is also very important for our reporting, because with the digital identity we have the opportunity to give a complete report over all accounts and their assigned entitlements across the complete IT infrastructure we have a connection to.

Okay, so second: how to make more than 35,000 entitlements orderable. In the beginning of our project we had our ecosystem, and as they told us, they have over 5,000 roles and had no idea how to handle it. And I had no idea how to reduce this. We implemented what we call application access control structures, just an Excel document, the AACS document. In this Excel spreadsheet, with a defined structure, the business has to document their entitlements for their application. So in this Excel spreadsheet they document the approver groups, which means who has to approve the entitlement if it is requested. They can select whether this entitlement is orderable, which means whether this entitlement is visible in the web shop or not, or whether it can be requested via the web shop or not, and they can provide a very detailed description of this entitlement. The information in this AACS spreadsheet is more or less automatically updated, transferred, imported into the IAM system; from this information an automatic process is started, and the requestable products are generated and updated.

With this Excel spreadsheet we have, I think, a good solution for the problem that we have neither the knowledge nor the manpower to document all the different authorization concepts for all the applications. We did some kind of outsourcing to the business people and said, okay, they have to provide us the right information. We are only like a supermarket giving the shelf space, and the business or the application owner has to provide us the right product. And the products are defined within the AACS spreadsheets. Okay.

In our portal it looks like this. If you select from the main topic some kind of application, business .NET application or SAP application, then you select the right application, and then you get a list of all the available entitlements. As I said before, you can use some kind of filter function to search for the right entitlement, and you can even search the documentation field for some information. So for big applications they use the documentation field to put in some further information, like some site portal, for some facilities, and then the guys can use this search function.

So: SAP system client on- and offboarding. As I mentioned before, we have a large SAP development landscape. As a solution we have a ticketing system, which system operations use for getting the requests for copying a new client, deleting a client, generating a new client. And we have linked into these process steps so that we get the right information if an SAP client will be deleted, newly set up, or a new copy of the client will be made. Then within IAM we defined a lot of automatic processes that can clean up our database. So if an SAP client is deleted, we can delete all the corresponding information in the IAM system. Okay.

Then the next point is about the reporting. A big point is a closer look at this AACS spreadsheet. Here you can see a good example of more or less good documentation of these entitlements, because in the first row, or in the first line, you can see the AACS element name is just a sub role, and then the description is very long, which means, first of all, they selected the branch, and then you can see what you can do with this role. This also gives the line manager a good overview of this role. One thing: in the beginning of the project we just wanted to define PDF reports, and we had a lot of effort and discussions about the right layout of PDF reports, and we have a PDF report defined. From my point of view it looks very nice. But if you go first to the business and the first business guy opens this PDF report, he thinks, okay, nice, but I cannot filter anything, and I need an Excel report. We do not have an Excel report. No. And we have implemented an Excel report; now, several Excel reports. The conclusion is: forget PDF, just define Excel reports, because it is much easier to define an Excel report, because you do not have to think about layout things, just think of the right column settings. And this report is more useful for the business than any PDF report.

This is a screenshot from our PDF report. You can see in the first line the organizational information, and then every system, every production system, with every account and the assigned roles. Then you can see whether this role is assigned by a rule, whether it is valid, the valid-from date, whether it is available, and a flag whether it is critical or not. But more or less, this PDF report will not be used by the business. Instead they have this report; it looks a little bit more complex, but it is the same information. The business can request this report via the web, and then can use all the Excel functionality to make their own reports and their own filter settings. Okay.

Last point: how to handle exceptions. Exceptions can occur from data, from missing data about persons, organizational information; maybe for one person the line manager information is missing, or anything else. Or from processes: if you have set up a standard process for how to request entitlements or how to request accounts, and two or three months after going live somebody comes and says, okay, here we have a special account and we need a special process step just for this account. This is always a problem, because you have a standard process in the IAM tool, and I think everybody can imagine that it is very, very painful to integrate exceptions into this process, especially if you think that you have to maintain these processes over many years. So our solution is: define standard processes for requesting, approval or cancellation of accounts and entitlements, and try to make this standard process fit all requirements. And if somebody comes, then you need big management attention and the decision that this will be transferred to the standard process. And for every process, define a fallback scenario, which means if some information is missing or something does not work, define a fallback, which means assign it maybe to a special group so that this group can take care of this problem.

This is our standard workflow for requesting all the entitlements we have seen in our web portal. And we managed that all, really all, requests are done with this approval workflow, which means in the first step we have the request, then we do some kind of SoD (segregation of duties) check, and then we have the possibility to include, via the AACS sheet, three separate approval steps. This complete process is managed by the information in the AACS sheet and, at the end of the line, by the definition of the business. Okay.

Conclusion: you have to standardize all the user management processes, which means for the requesting, approval and cancellation of accounts. This is one of the really, really important points, and therefore you need management attention, because if you make one exception, then the next will come and you can forget your standardized process. And then a very painful point, from my point of view: even if the tool is running, you will find plenty of skeletons in the closet, and you will be blamed for it, because you are the guy who introduced the IAM system, and therefore this process step, and this little workaround, maybe forgetting this special request or this special account or this special system, will not work. And you have to take care that this person gets his request done. And this is always very, very interesting: first to find out that there is an exception to the process and how this was done in the past, and then to find the right solution to get this special process into the standard process. But there is also the sunny side: after some time, users will thank you for the easy and efficient way to request entitlements, and the complete process is more transparent and more efficient than before. At the moment we have regular meetings with our IT coordinators, and they are very, very, very critical about the project, but sometimes they give us the feedback that it is better than before. Okay, then thank you very much.

Thank you. Welcome. Thank you for the very insightful and also detailed presentation. I'm sure you will have lots of questions. We are a little short of time, but I think we have time for one or two questions. Are there any? Ah, sorry, please.

Thank you. You dinner abortion, Siemens household appliances. What technology are you using for this IAM tool, what are the products built in?

We are using ActiveEntry 4.2; it is now a Quest tool.

Further questions? And I have one. Looking at your approach, I would assume that you have a heavy reliance on the high quality of HR data, because if this is wrong, obviously the whole thing goes bust. What's your experience here?

Most of the time it will work, but if it does not work, we will hear it very soon. Yes, this is a problem, well, yes, a problem. If the HR data is not reliable, this has a very dramatic impact on the accounts and entitlements, because if some people are not in the HR export file, we assume that they are leaving the company, and the tool works as designed and their accounts will be deleted.

So would you say it is even a self-healing process? Once this happens once in a while, the motivation increases to keep the data correct.

I think Munich Re was well prepared for this solution, because since 2001 we have had an own development called ADP, which transfers HR data to Active Directory. And there was an automatic process, and therefore the HR department knows that if they do something wrong or have some test issues on the system, it will have an effect on Active Directory. So these lessons were learned over the years. Right now, this happened only once in the last 15 months. And we have defined some import rules to check the HR export file, so that we are very confident that if we do an import, it is correct. And if we think the import file is not correct, we stop the import, and we have some safety measures within the tool so that the deletion processes and things like this are scheduled or set off in the future.

Team Miller, HP. I'm not sure if I got it correct, but my impression was that it was kind of a big bang, starting with one application. So wouldn't it be easier to start with a strategic subset of applications and take on more and more?

No, we have no big bang approach here. We just set a small SAP application live and a small .NET application. Then we learned something, and after the next two months we had a go-live with the next, a little bit bigger, SAP application. And so we are growing, and in November last year we integrated our biggest SAP environment successfully. So this may be one point: don't ever think about a big bang approach with IAM.

There's a last question.

My question is: when you decided on how to pick the pilot for requirements and testing of the user acceptance, what decision criteria did you use? Did you select somebody who was very important, very visible for the acceptance of the project, or was it more practical or application-centric?

This was more or less application-centric. We discussed with the management what the best-managed small applications for SAP and for Active Directory are. And within Munich Re there are always, as they told me, two applications which are always doing the pilots for different projects, and this is how the decision was made. And then the first applications were selected by how complex the authorization concept is, and how about the rulings of the business people, whether they have the right trust in the project. Those were the first, and the more critical ones came a little bit later.

Okay. Thank you both, that was very good. Give a big hand to Wolfgang, please.
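The HR-feed safeguard described in the Q&A above (reject an export that looks wrong, route records with missing line-manager data to a fallback group, and schedule leaver deletions in the future rather than running them immediately), written out as an added example. This is not code from the talk or from Munich Re's tooling; the column names, the leaver-ratio threshold, the grace period and the sample records are all assumptions constructed for the example.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

TODAY = date(2012, 4, 18)  # constructed run date for the example (date of the talk)

# Constructed: identities the IAM system knew after the previous import.
PREVIOUS_IDENTITIES = {"E100", "E101", "E102", "E103", "E104", "E105"}

# Constructed HR exports; the column names are assumptions for this example.
# Plausible daily export: one joiner (E106), one leaver (E105), and one record
# (E102) without a line manager, which the talk routes to a fallback group.
HR_EXPORT_OK = """employee_id,manager_id,status
E100,E900,active
E101,E900,active
E102,,active
E103,E901,active
E104,E901,active
E106,E901,active
"""
# Truncated export: four of six known people vanish at once.
HR_EXPORT_TRUNCATED = """employee_id,manager_id,status
E100,E900,active
E101,E900,active
"""

@dataclass
class ImportPlan:
    halted: bool
    reason: str = ""
    joiners: List[str] = field(default_factory=list)
    leavers: List[str] = field(default_factory=list)
    fallback: List[str] = field(default_factory=list)  # rows lacking manager data
    delete_after: Optional[date] = None  # no leaver account is deleted before this

def parse_export(text: str) -> list:
    """Reject an export whose header lacks the columns the import depends on."""
    rows = list(csv.DictReader(io.StringIO(text)))
    required = {"employee_id", "manager_id", "status"}
    if not rows or not required.issubset(rows[0].keys()):
        raise ValueError("HR export is empty or missing required columns")
    return rows

def plan_import(previous_ids, export_text, today=TODAY,
                max_leaver_ratio=0.2, grace_days=14) -> ImportPlan:
    """Decide what an HR export may do before it touches a single account.

    Halts when the file is structurally broken or when too many known identities
    disappear at once: a mass "leaver" event is far more likely a bad export
    than a real one. Genuine leavers get a scheduled, not immediate, deletion.
    """
    try:
        rows = parse_export(export_text)
    except ValueError as exc:
        return ImportPlan(halted=True, reason=str(exc))
    current_ids = {r["employee_id"] for r in rows if r["status"] == "active"}
    leavers = sorted(previous_ids - current_ids)
    joiners = sorted(current_ids - previous_ids)
    if previous_ids and len(leavers) / len(previous_ids) > max_leaver_ratio:
        return ImportPlan(halted=True, leavers=leavers,
                          reason=f"{len(leavers)} of {len(previous_ids)} "
                                 "identities vanished; export rejected")
    # Missing line-manager data is not a reason to stop; route it to a fallback group.
    fallback = sorted(r["employee_id"] for r in rows if not r["manager_id"])
    return ImportPlan(halted=False, joiners=joiners, leavers=leavers, fallback=fallback,
                      delete_after=today + timedelta(days=grace_days))
```

With the constructed data, the plausible export yields one joiner, one leaver scheduled for deletion two weeks later and one fallback record, while the truncated export is rejected before any account is touched.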