Implementation and Application of Unified Identity Authentication (统一身份认证的实现与应用) - ict.edu.cn

Copyright 2016, The University of Nottingham Ningbo China, All Rights Reserved.

Implementation and Application of Unified Identity Authentication

University of Nottingham Ningbo China, Information Technology Services (宁波诺丁汉大学信息技术服务处)


Introduction

(Slide diagram: three stages of identity integration)

Stage 1: ERP, CRM, BPM, OA, Mail, … (applications shown without a shared Directory/Database)

Stage 2: ERP, Mail, OA, … -> shared Directory/Database

Stage 3: O365, ERP, BPM, OA -> SSO -> Directory/Database, plus an IdP for external federation:
  CN - CARSI; UK - UK Federation; US - InCommon; Japan - GakuNin


3A – Authentication, Authorisation and Administration

(Slide diagram) User populations: Students, Staff, Faculty, Guest, Alumni
  -> Unified identity management (IDM): "Who are you?" / "What can you access?"
  -> e.g. Student Info


Connecting internal and external

(Slide diagram) Unified identity management (IDM) sits between:
  Internal / On-Premise systems (e.g. Student Info)
  External / Cloud systems
  University of Nottingham UK <-> University of Nottingham Ningbo China


Identity management essentials

Ensures that the right users have the right access to the right resources at the right time.

Across all systems and applications.

Holistic approach: manage identities and permissions.

Provides assessment relating to the effectiveness of identity management and its policies, procedures and governance activities.

Enables the efficient, secure and compliant execution of business processes.


Identity lifecycle (USER LIFECYCLE)

From relationship begin to relationship end:

Provisioning: create account information; define groups and roles; assign access rights.

Authentication: pass / fail; anonymous access.

Self Service: password reset and change; account information update; synchronisation to other systems.

Permissions: role-based access control; resource-based access control.

Authorisation: access control; security and audit reports; permission management.

De-provisioning: revoke authorisations and permissions; archive and delete information.


System architecture

(Slide diagram) Identity Management & Security Infrastructure

Operations on identities: Create, Modify, Delete, Transfer, Rename, Update, Reset, Unlock, Attest

Data sources:
  Automated: Databases, Import Files, Web Service, Data Feed
  Manual: Administrator, Self-Service, People

IDM lifecycle management components: User Provisioning, Access Governance, Service Catalog, Password Management, Identity Enforcer, Group Requester, Compliance Auditor, Group Enforcer, Workflow Manager, Self-Service Pwd Mgmt

Access management: SSO (Single Sign-On)

Target systems: Databases, Directories, University App, Cloud App, Bespoke App, Network Access, Federation

Dashboard, Auditing, Reporting


Use case – Global IDM

(Slide diagram) Source systems (Campus Solution, HCM) -> Staging DB -> Associate Workflow -> International Active Directory -> University Directories (UNUK, UNNC, UNMC)

ICN International Services (shared by the three campuses): Self-Service Password, Admin Panel
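The lifecycle slide (provisioning, authentication, self service, permissions, authorisation, de-provisioning) and the Global IDM slide (source systems feeding a staging DB that drives the directory) describe the same joiner/mover/leaver pipeline. The following is an added example of that pipeline in Python, not code from UNNC or from this deck: the staging-record layout, the role-to-group and resource-to-group mappings, the sample people and the in-memory "directory" are all assumptions made for illustration. The point it demonstrates is that a person who disappears from the feed loses authentication and every authorisation in the same reconciliation pass, and that a mover's stale groups are removed rather than accumulated.

```python
"""Identity lifecycle driven by an HR feed: joiner / mover / leaver reconciliation.

Added example, not code from UNNC or from this deck. The staging-record
layout, the role-to-group and resource-to-group mappings and the in-memory
"directory" are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: directory groups each affiliation is entitled to (role access control).
ROLE_GROUPS = {
    "student": {"all-users", "students", "vpn"},
    "staff":   {"all-users", "staff", "vpn", "erp"},
    "faculty": {"all-users", "staff", "faculty", "vpn", "erp"},
    "alumni":  {"alumni", "mail"},
    "guest":   {"guest-wifi"},
}
# Assumption: group a resource requires (resource access control).
RESOURCE_GROUPS = {"erp": "erp", "vpn": "vpn", "library": "all-users", "wifi": "guest-wifi"}


@dataclass
class HRRecord:            # one row of the staging DB
    person_id: str
    name: str
    affiliation: str
    department: str


@dataclass
class Entry:               # one directory object
    name: str
    department: str
    affiliation: str
    groups: set
    enabled: bool = True
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    def __init__(self):
        self.entries: dict = {}
        self.archive: dict = {}
        self.audit: list = []          # (action, person_id, detail) for the audit report

    def reconcile(self, feed: list) -> dict:
        """Apply joiner / mover / leaver changes; return who fell into which bucket."""
        result = {"joiners": [], "movers": [], "leavers": []}
        seen = set()
        for rec in feed:
            seen.add(rec.person_id)
            wanted = set(ROLE_GROUPS[rec.affiliation])
            cur = self.entries.get(rec.person_id)
            if cur is None:                                           # Provisioning
                self.entries[rec.person_id] = Entry(rec.name, rec.department, rec.affiliation, wanted)
                self.audit.append(("create", rec.person_id, rec.affiliation))
                result["joiners"].append(rec.person_id)
            elif (cur.affiliation, cur.department) != (rec.affiliation, rec.department):   # Mover
                added, removed = wanted - cur.groups, cur.groups - wanted
                cur.groups, cur.affiliation, cur.department = wanted, rec.affiliation, rec.department
                self.audit.append(("modify", rec.person_id, f"+{sorted(added)} -{sorted(removed)}"))
                result["movers"].append(rec.person_id)
        for pid in [p for p in self.entries if p not in seen]:         # De-provisioning
            e = self.entries.pop(pid)
            e.enabled, e.groups = False, set()                        # revoke first, then archive
            self.archive[pid] = e
            self.audit.append(("delete", pid, "archived"))
            result["leavers"].append(pid)
        return result

    def set_password(self, pid: str, password: str) -> bool:         # Self service
        e = self.entries.get(pid)
        if e is None or not e.enabled:
            return False
        e.pw_hash = _hash(e.salt, password)
        self.audit.append(("reset", pid, "password"))
        return True

    def authenticate(self, pid: str, password: str) -> bool:         # Authentication
        e = self.entries.get(pid)
        if e is None or not e.enabled or not e.pw_hash:
            return False
        return hmac.compare_digest(e.pw_hash, _hash(e.salt, password))

    def can_access(self, pid: str, resource: str) -> bool:            # Authorisation
        e = self.entries.get(pid)
        return bool(e and e.enabled and RESOURCE_GROUPS.get(resource) in e.groups)


def demo():
    """Two consecutive feeds (constructed data): day 2 has a graduate (mover) and a departure (leaver)."""
    d = Directory()
    day1 = [HRRecord("u001", "Alice", "student", "CS"), HRRecord("u002", "Bob", "staff", "ITS"),
            HRRecord("u003", "Carol", "faculty", "Business")]
    r1 = d.reconcile(day1)
    d.set_password("u001", "correct horse")
    d.set_password("u002", "battery staple")
    day2 = [HRRecord("u001", "Alice", "alumni", "CS"),          # student -> alumni
            HRRecord("u003", "Carol", "faculty", "Business")]    # u002 missing: left
    r2 = d.reconcile(day2)
    return d, r1, r2
```

In a real deployment the "feed" is the staging DB populated from Campus Solution and HCM, the entries live in Active Directory, and the audit list is what the compliance auditor and the dashboard read; the ordering shown (revoke groups and disable before archiving) is what keeps a leaver from authenticating during the gap between HR update and directory cleanup.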


Use case – Shibboleth SP/IdP

(Slide diagram) Students, Staff, Faculty -> Identity Provider (IdP), backed by Directory clusters -> Service Providers (SPs); a Metadata Registrar and Aggregator supplies the federation metadata that both the IdP and the SPs load.
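In a Shibboleth federation the IdP trusts an SP (and vice versa) only because the entity appears in metadata published by the federation's registrar and aggregator, so the checks applied when that metadata is consumed are the trust boundary. The following is an added example in Python, not UNNC's code and not part of Shibboleth: the aggregate is constructed for illustration and every entityID, endpoint and certificate string in it is invented. It applies the validUntil, role, signing-key and HTTPS-endpoint checks to each entity; verifying the aggregate's XML signature against the federation's signing key, which Shibboleth does with a signature-validation metadata filter, is assumed to happen before this step and is not shown.

```python
"""Decide which entities in a SAML metadata aggregate an IdP/SP may trust.

Added example, not UNNC's code and not part of Shibboleth. The aggregate
below is constructed: the entityIDs, endpoints and certificate text are
invented. Verifying the aggregate's XML signature against the federation's
signing key is out of scope here; this shows only the validUntil, role,
signing-key and endpoint checks.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="example-federation" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://stale-sp.example.org/shibboleth" validUntil="2016-12-31T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://stale-sp.example.org/acs" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://nokey-idp.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://nokey-idp.example.net/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_trusted(xml_text: str, now: datetime):
    """Return (accepted, rejected): entityID -> summary, entityID -> reason."""
    root = ET.fromstring(xml_text)
    if root.get("validUntil") and _ts(root.get("validUntil")) < now:
        raise ValueError("aggregate expired: refresh it from the registrar before use")
    accepted, rejected = {}, {}
    for ent in root.findall("md:EntityDescriptor", NS):
        eid = ent.get("entityID")
        if ent.get("validUntil") and _ts(ent.get("validUntil")) < now:
            rejected[eid] = "validUntil in the past"
            continue
        idp, sp = ent.find("md:IDPSSODescriptor", NS), ent.find("md:SPSSODescriptor", NS)
        role = idp if idp is not None else sp
        if role is None:
            rejected[eid] = "no IdP or SP role"
            continue
        # Only key descriptors that actually carry a certificate count; no "use" means both uses.
        keys = [k.get("use") or "both" for k in role.findall("md:KeyDescriptor", NS)
                if k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
        if idp is not None and not any(u in ("signing", "both") for u in keys):
            rejected[eid] = "IdP has no signing certificate"
            continue
        eps = [(e.get("Binding").rsplit(":", 1)[-1], e.get("Location"))
               for e in role.findall("md:SingleSignOnService", NS)
               + role.findall("md:AssertionConsumerService", NS)]
        if any(not loc.startswith("https://") for _, loc in eps):
            rejected[eid] = "non-HTTPS endpoint"
            continue
        accepted[eid] = {"role": "IdP" if idp is not None else "SP", "keys": keys, "endpoints": eps}
    return accepted, rejected


def check_sample():
    """Evaluate the constructed aggregate as of 2017-01-01, so the stale entry has expired."""
    return load_trusted(SAMPLE_METADATA, datetime(2017, 1, 1, tzinfo=timezone.utc))
```

The expired-aggregate case raises rather than returning an empty set on purpose: an IdP that silently keeps an old aggregate keeps trusting SPs the registrar may have removed, so a refresh failure should be loud.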


The Gartner IAM Program Maturity Model

IAM Program Maturity Level: 1 Initial, 2 Developing, 3 Defined, 4 Managed, 5 Optimized
Level labels shown on the slide, in order: Blissful Ignorance, Awareness, Corrective, Operational Excellence, Legacy

Vision and Strategy
  1 Initial: Conceptual awareness at best
  2 Developing: Certain business drivers identified; tactical priorities set
  3 Defined: Business-aligned vision defined; strategic priorities set
  4 Managed: IAM vision and strategy continually reviewed to track business strategy
  5 Optimized: Periodic optimization of vision and strategy

Organization
  1 Initial: Informal, basic roles; responsibilities decentralized
  2 Developing: Technical projects sponsored by BUs and CISO; informal inventory of IAM skills
  3 Defined: IAM PMO established; IAM roles and training needs defined
  4 Managed: IAM PMO active; RACI matrix defined; proactive skill development
  5 Optimized: Optimal integration with business; skills optimized

Processes
  1 Initial: Ad hoc, informal
  2 Developing: Semiformal BU-specific and target-specific processes
  3 Defined: Formal processes defined, consistent across BUs and target systems
  4 Managed: Formal processes integrated and refined; aligned with business processes
  5 Optimized: Process optimization

Architecture and Infrastructure Design
  1 Initial: Possible use of target-specific productivity tools
  2 Developing: Disjoint technical projects; technology redundancy likely
  3 Defined: Discrete IAM architecture defined; rationalization and consolidation in hand
  4 Managed: IAM architecture refined and aligned with EA
  5 Optimized: IAM architecture embedded within EA; optimization

Business Value
  1 Initial: None measurable
  2 Developing: Tactical efficiency and (maybe) effectiveness improvements; low direct value
  3 Defined: Sustained, quantifiable improvements tied to GRC imperative; moderate direct value
  4 Managed: Sustained, quantifiable contribution to all key business imperatives; high direct value
  5 Optimized: Business value optimization; transformational direct value

Governance
  1 Initial: Ad hoc, informal
  2 Developing: Subsumed within InfoSec (and InfoSec governance structures)
  3 Defined: IAM governance structure defined and accepted
  4 Managed: IAM governance structure fulfilled and refined
  5 Optimized: IAM governance optimization

BU: business unit; IAM: identity and access management; PMO: program management office; EA: enterprise architecture; RACI: responsible-accountable-consulted-informed; GRC: governance, risk and compliance


Thank you!

University of Nottingham Ningbo China, Information Technology Services