Implementation and Application of Unified Identity Authentication - ict.edu.cn
TRANSCRIPT
Copyright 2016, The University of Nottingham Ningbo China, All Rights Reserved.
Implementation and Application of Unified Identity Authentication
IT Services, University of Nottingham Ningbo China
Introduction
[Slide diagram: three stages of campus identity management]
Stage 1: ERP, CRM, BPM, OA, Mail, … (applications listed with no shared Directory/Database)
Stage 2: ERP, Mail, OA, … all bound to a shared Directory/Database
Stage 3: O365, ERP, BPM, OA, … behind SSO backed by the Directory/Database, plus an IdP joined to national federations: CN - CARSI, UK - Federation, US - InCommon, Japan - GakuNin, …
3A: Authentication, Authorisation and Administration
[Slide diagram: user populations (Students, Staff, Faculty, Guest, Alumni) pass through Unified Identity Authentication (IDM), which answers "Who Are You?" (authentication) and "What Can You Access?" (authorisation) before they reach resources such as Student Info.]
Connecting internal and external
[Slide diagram: Unified Identity Authentication (IDM) links the University of Nottingham UK with the University of Nottingham Ningbo China, and links Internal/On-Premise systems (e.g. Student Info) with External/Cloud services.]
Identity management essentials
Ensures that the right users have the right access to the right resources at the right time, across all systems and applications.
Holistic approach: manage identities and permissions.
Provides assessment relating to the effectiveness of identity management and its policies, procedures and governance activities.
Enables the efficient, secure and compliant execution of business processes.
Identity lifecycle
USER LIFECYCLE (from Relationship Begin to Relationship End)
Provisioning
• Create account information
• Define groups and roles
• Assign access rights
Authentication
• Authentication passes or fails
• Anonymous access
Self Service
• Password reset and change
• Account information update
• Synchronisation to other systems
Permissions
• Role-based access control
• Resource-based access control
Authorisation
• Access control
• Security and audit reports
• Permission management
De-provisioning
• Revocation of authorisations and permissions
• Information archiving and deletion
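As an added illustration of the lifecycle above (this is example code, not code from the slides or from the university's IDM), a small Python identity store walks one account from provisioning through authentication, self-service password change, role-based permissions and synchronisation into connected systems, to de-provisioning, which must revoke access everywhere at once. The role names, resource names and connected-system names are constructed for the example.

```python
"""Constructed identity-lifecycle demo: provision -> authenticate ->
self-service -> permissions/authorisation -> de-provision, with every
change synchronised to the connected systems and written to an audit log."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical role -> resource mapping (role-based access control).
ROLE_RESOURCES = {
    "student": {"student-info", "mail", "o365"},
    "staff": {"mail", "o365", "erp"},
    "faculty": {"mail", "o365", "erp", "bpm"},
    "alumni": {"mail"},
    "guest": set(),
}
# Resources that allow anonymous access (no account needed).
PUBLIC_RESOURCES = {"service-catalog"}
# Connected systems that receive account synchronisation (hypothetical names).
CONNECTED_SYSTEMS = ("student-info", "mail", "o365", "erp", "bpm")


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so the store never holds the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    roles: set
    salt: bytes
    digest: bytes
    active: bool = True


class IdentityStore:
    def __init__(self):
        self.accounts = {}
        # Per connected system: the usernames currently provisioned into it.
        self.downstream = {name: set() for name in CONNECTED_SYSTEMS}
        self.audit = []  # (event, username, detail) records for reporting

    def _log(self, event, username, detail=""):
        self.audit.append((event, username, detail))

    def _sync(self, acct):
        """Push the account's current entitlements to every connected system."""
        granted = self.resources_for(acct.username)
        for system, users in self.downstream.items():
            if acct.active and system in granted:
                users.add(acct.username)
            else:
                users.discard(acct.username)

    # Provisioning: create the account, define roles, assign access.
    def provision(self, username, password, roles):
        if username in self.accounts:
            raise ValueError("account already exists")
        salt = os.urandom(16)
        acct = Account(username, set(roles), salt, hash_password(password, salt))
        self.accounts[username] = acct
        self._sync(acct)
        self._log("provision", username, ",".join(sorted(roles)))
        return acct

    # Authentication: pass/fail; inactive accounts always fail.
    def authenticate(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            self._log("auth-fail", username, "no active account")
            return False
        ok = hmac.compare_digest(hash_password(password, acct.salt), acct.digest)
        self._log("auth-ok" if ok else "auth-fail", username)
        return ok

    # Self-service: a password change requires the current password.
    def change_password(self, username, old, new):
        if not self.authenticate(username, old):
            return False
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new, acct.salt)
        self._log("password-change", username)
        return True

    # Permissions: the resources granted by the account's roles.
    def resources_for(self, username):
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return set()
        return set().union(*(ROLE_RESOURCES.get(r, set()) for r in acct.roles))

    def set_roles(self, username, roles):
        acct = self.accounts[username]
        acct.roles = set(roles)
        self._sync(acct)  # entitlements change -> re-sync connected systems
        self._log("roles-change", username, ",".join(sorted(roles)))

    # Authorisation: the access-control decision, including anonymous access.
    def can_access(self, username, resource):
        if resource in PUBLIC_RESOURCES:
            return True
        allowed = resource in self.resources_for(username)
        self._log("access-allow" if allowed else "access-deny", username, resource)
        return allowed

    # De-provisioning: revoke everything but keep the record for archiving.
    def deprovision(self, username):
        acct = self.accounts[username]
        acct.active = False
        acct.roles = set()
        self._sync(acct)
        self._log("deprovision", username)
```

The point to notice is that `deprovision` does not delete the account: it flips it inactive, empties its roles and re-runs the same synchronisation used at provisioning, so every connected system drops the user in one step and the record stays available for archiving, matching the revoke-then-archive pairing on the slide.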
System architecture
[Slide diagram: Identity Management & Security Infrastructure]
Data sources: Databases, Import Files, Web Service, Data Feed (automated), plus manual entry by an Administrator or by People through Self-Service.
IDM lifecycle management: User Provisioning, Access Governance, Service Catalog, Password Management; components include Identity Enforcer, Group Requester, Compliance Auditor, Group Enforcer, Workflow Manager and Self-Service Pwd Mgmt.
Lifecycle operations: Create, Modify, Delete, Transfer, Rename, Update, Reset, Unlock, Attest.
Access management: SSO (Single Sign-On) and Federation to the targets Databases, Directories, University App, Cloud App, Bespoke App and Network Access.
Across both tiers: Dashboard, Auditing, Reporting.
Use case: Global IDM
[Slide diagram: Campus Solution and HCM feed a Staging DB; an Associate Workflow provisions into the International Active Directory and the University Directories (UNUK, UNNC, UNMC). ICN International Services are shared by the three campuses; Self-Service Password and an Admin Panel sit on top.]
Use case: Shibboleth SP/IdP
[Slide diagram: Students, Staff and Faculty authenticate at the Identity Provider (IdP), which is backed by Directory Clusters; the Service Providers (SPs) and the IdP exchange trust information through a federation Metadata Registrar and Aggregator.]
IAM Program Maturity Level (The Gartner IAM Program Maturity Model)
BU: business unit; IAM: identity and access management; PMO: program management office; EA: enterprise architecture; RACI: responsible-accountable-consulted-informed; GRC: governance, risk and compliance
Levels: 1 Initial, 2 Developing, 3 Defined, 4 Managed, 5 Optimized
Legacy program maturity level labels: Blissful Ignorance, Awareness, Corrective, Operational Excellence

Vision and Strategy
Level 1: Conceptual awareness at best
Level 2: Certain business drivers identified; tactical priorities set
Level 3: Business-aligned vision defined; strategic priorities set
Level 4: IAM vision and strategy continually reviewed to track business strategy
Level 5: Periodic optimization of vision and strategy

Organization
Level 1: Informal, basic roles, responsibilities decentralized
Level 2: Technical projects sponsored by BUs and CISO; informal inventory of IAM skills
Level 3: IAM PMO established, IAM roles and training needs defined
Level 4: IAM PMO active, RACI matrix defined; proactive skill development
Level 5: Optimal integration with business; skills optimized

Processes
Level 1: Ad hoc, informal
Level 2: Semiformal BU-specific and target-specific processes
Level 3: Formal processes defined, consistent across BUs and target systems
Level 4: Formal processes integrated and refined; aligned with business processes
Level 5: Process optimization

Architecture and Infrastructure Design
Level 1: Possible use of target-specific productivity tools
Level 2: Disjoint technical projects; technology redundancy likely
Level 3: Discrete IAM architecture defined; rationalization and consolidation in hand
Level 4: IAM architecture refined and aligned with EA
Level 5: IAM architecture embedded within EA; optimization

Business Value
Level 1: None measurable
Level 2: Tactical efficiency and (maybe) effectiveness improvements; low direct value
Level 3: Sustained, quantifiable improvements tied to GRC imperative; moderate direct value
Level 4: Sustained, quantifiable contribution to all key business imperatives; high direct value
Level 5: Business value optimization; transformational direct value

Governance
Level 1: Ad hoc, informal
Level 2: Subsumed within InfoSec (and InfoSec governance structures)
Level 3: IAM governance structure defined and accepted
Level 4: IAM governance structure fulfilled and refined
Level 5: IAM governance optimization