Hello and good morning everyone. So first thing, I would like to say thank you to Inger for allowing me to be here one more year, and I would like to deliver a session as practical as possible. This is somehow my style; this is my intention, that at the end of the session you guys will be able to take some ideas, some insight, and even be able to apply them once you are in the office, most likely next week. So I'm going to speak today about identity convergence and integration among platforms.
This is about identity fabric, as you could imagine, or better said, this is about the foundation to implement identity fabric. So let's go, let me start.
Okay, so the first thing that I would like to mention today, in order to start somehow summarizing and transmitting a main insight as part of this session, is that the identity fabric begins with the identity integration among platforms.
So this is the natural first step. This is the first thing that you guys will need to do in order to be able to have an identity fabric as the next step. So once I have done this brief introduction, let us go quickly through the agenda. So for today we have four main topics. First thing is to explain to you guys who we are in whole thing.
Second thing is to share with you an identity fabric definition. Next topic will be identity convergence. And last but not least, I would like to leave here some main takeaways that you will be able to get after this session. Okay. Who we are in holding. So most or some of you already know the company. So we are a company in the building material sector. So we have been producing cement, ready-mix, aggregates and other construction material for years. And now we are moving to more greener and sustainable construction material.
So as of today, we are more than 60,000 people around the world, and our main ambition is improving the living standard for everyone. So let me explain what we are doing with a quick video.
Okay, this is a little bit more impactful when there is the sound playing, but I understand that it allows you guys to have an overview about what we are doing. So let me now try to explain what we are doing in terms of IT. So in terms of IT, we have three digital centers. We have one in Colombia, in Bogotá, supporting the Americas. We have another one in India. And the last one is physically in Madrid. This is where I am working and where we are providing services to our internal customers in the EMEA region. So speaking a little bit about EMEA, we are offering services to 40 countries.
We have 30,000 employees more or less and we are supporting users speaking 19 different languages. So, introduction done, let us go to the technical part. Let me sell this. So next thing is to explain what identity fabric is.
So to explain what identity fabric is, why not ask the expert? So let us ask the expert. Okay? So it is always a good idea to be polite with ChatGPT, so you will get a better answer if you show your education. So in my case I asked ChatGPT what identity fabric is. So this is an easy question. So I said what it is.
So I would like to learn a little bit more about it, and ChatGPT speaks about the Quest system and the integration of different systems. It also mentioned that it is offering centralized identity management, integration capabilities. It is also offering single sign-on, policy enforcement. I have lost the video here. Yeah, and it looks like the mover is not fully working. So maybe you guys can move from there.
Okay, I will wait. I can continue talking, guys, in the meantime that you are trying to finish in. So as briefly explained, the answer that it was providing is that it is a kind of central platform aggregating information from different identity platforms, and it says that it is providing centralized identity management, integration capabilities. Let me see if it is moving.
No, not yet. So if you can move to the next slide, that is also good enough.
Okay, something is moving.
Okay, now it is moving.
Okay, let us try to continue. So as I said, single sign-on, policy enforcement, identity lifecycle management, adaptive authentication. So they are features that are supposed to be provided by a fabric. Okay? So I read this thing and say, well, I want to have one, why not? So I say to ChatGPT, this is great. Where could I buy an identity fabric? I want to have one. I have budget this year, so I want to go for one. But here, guys, it's important to understand that it is just a concept. This is not a single product that you can buy. It is something that you guys will have to be able to build.
This is something that you will be able to deploy and construct using your tools. So let us explain a little bit more about an identity fabric.
So most likely you are recognizing some of the acronyms that we have here. So those are identity platforms that we have in the vast majority of our companies. So the identity fabric is about the integration of all of them, and it is also about putting a layer on top which will be able to provide lifecycle, federation, protection and integration from a common perspective. So now let us move to the next chapter.
And the next chapter to build an identity fabric is to identify the use cases that you guys want to have in the identity fabric. And here my idea is to explain three of the main use cases where we have already implemented convergence between platforms. So you will be able to understand the use case, the challenge, and how we are addressing it. So the first one is related to the identity governance and CIAM integration.
The next one that I'm going to talk about is the IGA, PAM and SAP integration.
And the last one is related to the IGA and the machine learning and artificial intelligence platform integration. So let us go one by one and let us try to explain with enough level of detail. So IGA and CIAM. So the first thing here is to understand the use case. So why might we be interested in integrating IGA and CIAM? Okay? And the main use case, or at least the main use case that we have in our company, is the need to be able to provide our internal employees access to the applications normally used by third parties, normally used by customers, suppliers, drivers.
So we have cases, for example, where the sales department has to be enabled to access our applications especially designed for customers, because they have to be able to guide the customer in the process.
So this is a natural integration, okay? And if you do not perform this integration, you will have orphan accounts, you will not be able to control the lifecycle, you will have security threats.
You likely will have cases where the people in the sales department, to continue with the same example, will be leaving the organization and they will maintain the access, because it is in an application mainly designed for customers where the lifecycle processes are not so strong. Okay? So there is a clear need to integrate. So next thing in terms of integration is the architecture design. So this is the diagram that I created with my team. It is not only detailing the CIAM and the IGA integration, but it is also detailing other integrations that we have around the CIAM platform.
So as you can see, we have user management in order to offer additional capabilities to the CIAM platform.
Additional delegation capability; we have for sure the applications integrated, we have monitoring tools, we have reporting tools, and for sure we have an integration layer where we are able to leverage APIs and webhooks in order to make actions in the target application if required. Okay? So having said that, the next thing for me is to explain in four simple steps how to perform this integration. What are the steps to perform an integration between the IGA platform and the CIAM platform?
So the third one, or the first step in our integration, is, well, when we have a new joiner, an identity has to be created in the IGA platform. Okay? So this is the first natural step. The second step: an access request has to be created for the CIAM application, but in the IGA platform. So we are creating the access request in exactly the same manner as for any other application in the workforce.
The next thing is obviously to follow the approval process, the same that we may have in other applications, and last but not least, the provisioning is happening from the IGA platform to the CIAM.
Okay? So this is the first use case that I would like to explain to you today. So let us move to the next one. The next one is about the IGA and privileged access management integration. Some of the colleagues who have been working before in one of the keynotes this morning have been speaking about IGA and PAM integration, and it looks natural, looks like something that is necessary to do. So what I'm going to do here is to explain how we are doing this integration. Okay? So another time, a diagram that we have here explaining in simple steps how we are doing it. Okay?
So we have our user, as you can see, in really good painting, so it is one of my main features, I will say.
So we have the user going to the IGA platform and doing an access request. In this case the IGA platform is doing the provisioning in an LDAP directory. This is an Active Directory, okay? So we are managing group members. So something simple: in Active Directory we are managing the group, and after that the user tries to connect to the PAM, in this case to the privileged session manager. So it is checking against the LDAP directory.
If the user has the proper rights, then it is retrieving the credential and allowing the user the possibility to connect to the system. So it means that the integration between IGA and PAM is not necessarily complex. Okay? So next thing, guys, I would like to stop talking for a bit and have a kind of interaction with you guys and ask a quick question.
So I'm going to ask you who is more risky, and I'm going to provide you for example, okay? So I have here the first guy, who says: I have domain admin rights on Active Directory.
Our second guy here is able to operate all the assets in the public cloud. Okay? Our third guy here is SAP authorization operation, and he is able to operate user roles and profiles on SAP, and our fourth guy here has the boot chain raise on SIP. So quick question, guys: who is more risky for you?
Hanat, who is thinking that the number one is more risky? One guy, two guys, okay, more or less few. What about the second? Who is thinking that the second is the more risky one? You? So it means that if you are able to do everything in the public cloud, it's nothing. Even if you have all the servers there, even if you can extract that directory database, it is not so powerful. The next one is related to the SAP authorization profile. Who thinks that the more risky is the number three?
Okay, and what about the four? So I suppose that most of you are thinking that the number four is more risky. This is correct. This is your feeling.
Okay, so guys, I am not here to tell you who is more risky, but I'm here to tell you that you guys are more likely protecting one and two; this is the typical use case of privileged access management. So consider if three and four are risky and implement a way to protect them. So I'm going to explain to you in a short video how we are protecting the SAP administrator in our case using a PAM solution. So as commented, this is a quick video. So here the user is trying to access a transaction in SAP, SM30. This is a quite privileged transaction.
This is a transaction which allows editing data in tables, and the user is not able to do so.
So with the standard user has not ed. So the user is forced to connect to a YA server which is integrated with the privileged management solution. And as you see in the first screen, the user was requested to select the SAP system where the user needs to connect.
So an RI is running, and this RI is very simply rotating the credential for the extended author user assigned to this person, picking up the credential from the password vault, connecting to the SAP system where the user had requested to connect, and injecting the credential in the same. So now the user has been able to elevate within the PAM session, and as you can see here, now the user is able to execute SM30. So it is only able to execute once the session goes through PAM. Okay? So main message: do not think only to protect one and two, and reflect if you need to protect three and four as well.
Okay, next thing, the last use case that I have here. If you guys allow me, I will extend one minute more due to the small technical problem that we have had. This is about the IGA and the integration with the machine learning and artificial intelligence platform. So it is true that the IGA vendors are offering machine learning and artificial intelligence capabilities, but it is also true that not in all cases are they fulfilling the requirements. It is also true that they are not always covering all the use cases.
So the first thing that we have to do here is to analyze our use cases, and once they have been analyzed, let's see what is the best solution that we can put in place. So in our case, when we started this assessor site, the main use cases that we expected to be covered were: first one, approval recommendation on access request. So if someone is requesting access to something, to any resource, any role or whatever, being able to provide access recommendation. Third one is access recommendation, but not for access request, for certification or for access review.
Okay, more or less linked with the third one. Next one is outlier identification, being able to detect the user who has permissions quite different from others, and last one, automatic role assignment. So very simply, anytime that we have a joiner, the idea is to analyze the permissions assigned to the peers and create an automatic request for the user if all the persons in the same department and position already have some role.
So it allows getting a lot of efficiency from business and security points of view, because that request will be automatically created based on the common access that we have in the department.
Okay, this is the good. So now it's also important to understand the challenges or the concerns. So as I briefly explained before, the AI models in some of the platforms maybe are not always covering all the capabilities that we have. The second thing is that some of the calculations must be done or performed in background.
So it might take some time in order to run, and the next one is that the output has to be user friendly. So the output has to be something that any single user has to be able to understand. So to start the concern that we have in our mind when we started this adventure. So approval recommendation. So taking in consideration the use cases and the time that I have, I am going to explain to you how we have implemented approval recommendation and the challenges that we faced during the process.
So third one is that the position in our case is a free text field.
It's a free text field that the HR department is typing in the HR system. So sometimes the position, even being the same, is not written in the same format. So we have cases such as procurement specialist, in one case written with an underscore, in another case with a space in the middle, and in another case in upper case, in another language, other ones sorted a little bit. So not written in the same manner, even if the position is the same.
So we need to find a way to make some clusters and to group these positions in order to have a position label, and being able to group them together and to have their recommendation. The next thing is that the approval recommendations are expected to be provided by country, department and position.
So we have cases where the position is the same, but in different countries the organization is slightly different and they are not doing the same. So we need to be able to provide this level of granularity. And last thing here is to see the solution in action. So this is just a screenshot.
So you can see here the approval recommendation for one of the users. You can see the employee type, the department, the position, and giving the recommendation based on manager, based on position. And this is something that it is able to spread. So main takeaways, just 30 seconds more. So the first thing that I would like you to get from here is that the identity fabric begins with platform integration. Second one is that identity fabric is not something that you can buy. So you guys have to start building the platform. Integration must be done in line with the use cases. And last but not least,
the platform is the main component of the identity fabric and the integration that you will need to do between platforms. So nothing else, one minute ahead. So thank you so much for your time.
Thank you. Thank you so much.