Enabling Digitalization, Cloud & Mobile with IAM@Schaeffler
Implementation of a Cross-System Identity- and Access Management Solution
Sebastian Scharf
Schaeffler Technologies AG & Co. KG
Agenda - Enabling Digitalization, Cloud & Mobile with IAM@Schaeffler
1 Schaeffler at a Glance: A Leading Global Technology Company
2 History & Challenges
3 Scope & Focus of the Initial Project
4 Approach & Lessons Learned
5 Outlook
#MFSummit2017, 20.-21.06.2017
Schaeffler at a glance
Schaeffler in facts – Strong starting point
More than 86,600 employees worldwide
More than 170 locations in 50 countries
1.1 m tons of processed steel p.a.
Strong customer base with approx. 11,800 customers
Strong organic growth: Ø 5% p.a. sales growth 2006-2016
More than 2,300 patents filed in 2016
High quality of results: 12.7% EBIT margin in 2016 1)
Far more than 10,000 different products
75 plants
17 R&D centers
1) Before one-off effects
Schaeffler – A leading global technology company
Sales by division and region in 2016 (in %)
By division: Industrial 22,5; Automotive 77,5
By region: Europe 53,1; Asia/Pacific 10,5; Greater China 15,4; Americas 21,0
EUROPE: Incl. Germany, Western, Southern and Eastern Europe, Middle East, Africa, Russia and India
Global footprint
Region: #Plants / #R&D Centers
Europe: 48 / 9
Americas: 14 / 5
Greater China: 8 / 1
Asia / Pacific: 5 / 2
Total: 75 / 17
Continuous sales growth from (in EUR bn)
2012: 11,1; 2013: 11,2; 2014: 12,1; 2015: 13,2; 2016: 13,3
Employees worldwide
2012: 75.800; 2013: 78.300; 2014: 82.300; 2015: 84.200; 2016: 86.600
Germany: 2012: 29.500; 2013: 29.400; 2014: 30.500; 2015: 30.800; 2016: 31.200
Customer proximity – global plants and R&D centers
1 In Europe
1) The regions represent the regional structure of the Schaeffler Group.
Regions 1): R&D centers / Plants
Europe: 9 / 48
Americas: 5 / 14
Greater China: 1 / 8
Asia/Pacific: 2 / 5
South Africa: Port Elizabeth
Japan: Yokohama
Russia: Ulyanovsk
China: Anting, Nanjing, Suzhou, Taicang (4), Yinchuan (2)
Vietnam: Biên Hòa City
Thailand: Chonburi
South Korea: Ansan, Changwon, Jeonju
India: Hosur, Pune, Vadodara (2)
Brazil: Sorocaba (2)
Canada: Stratford (2)
USA: Cheraw (2), Danbury, Fort Mill (2), Joplin, Spartanburg, Troy, Wooster
Mexico: Puebla, Irapuato
United Kingdom: Llanelli, Plymouth, Sheffield
Italy: Momo
Portugal: Caldas da Rainha
Spain: Elgoibar
Hungary: Debrecen, Szombathely
Romania: Braşov
Slovakia: Kysucké Nové Mesto, Skalica
Czech Republic: Lanškroun, Svitavy
Germany: Bühl, Elfershausen, Eltmann, Gunzenhausen, Hamm/Sieg, Herzogenaurach, Hirschaid, Höchstadt (2), Homburg (3), Ingolstadt, Kaltennordheim, Lahr, Luckenwalde, Morbach, Schweinfurt (2), Steinhagen, Suhl, Unna, Wuppertal
Switzerland: Romanshorn
Austria: Berndorf-St. Veit
France: Calais, Chevilly, Haguenau (2)
Two divisions – Automotive and Industrial
Automotive (Systems): Engine Systems, Transmission Systems, Chassis Systems, Hybrid and Electrical Drive Systems
Automotive Aftermarket
Industrial (Sector Clusters): Off-road, Aerospace, Wind, Raw Materials, Two-Wheelers, Rail, Industrial Automation, Power Transmission
Industrial Distribution
Automotive – Broad product portfolio along the entire powertrain
Industrial – Broad product portfolio of standard and custom solutions
Axial / radial roller bearings with outside diameter of several meters
INA-FAG catalog with 40,000 articles
Yoke type and stud type track rollers
Spherical plain bearings
Cylindrical roller bearings with disc cage
Radial insert ball bearings
Linear guidance systems
Cage-guided cylindrical roller bearings
Rotary table bearings with measuring system
Active magnetic bearings
Needle roller bearings
Main spindle bearings
Spherical roller bearings
Tapered roller bearings
Direct drives
Engine bearings
Smallest ball bearing with a 1 mm inside diameter
Housings
Basis for strategic direction – Four focus areas
History & Challenges
2000-2017: Continuous Improvement of Identity & Access Management
Timeline years: 2000, 2002, 2003, 2004, 2005, 2007, 2008, 2010, 2011, 2013, 2014, 2017
Timeline rows: Governance, Applications
Central User Administration for SAP system landscape
Active Role Server for file access management
"Schaeffler Access Management System" with User Life Cycle for SAP applications
Integration of role management for Engineering and CRM tool into SAMS
Centralization of SAP role administration
Instructions & procedures in management handbook
General processes for role change, role request & role approval
Establish network with process-, data- and application-owners
"Role-Sets" and automatically assigned Business Roles
Initial Identity & Access Management project
Establishing an ICS process for recertification of user access
Meta-Store for distribution of central user data
SAP role request & approval tool
Integration of FAG systems into Schaeffler role management
Segregation between organizational and functional roles in SAP
User Life Cycle: Join, Move, Leave
Challenges for Identity and Access Management
Identity Mgmt.: Challenges & Opportunities
1) Challenges derived from Schaeffler mission
Employee growth & fluctuation: New employees & organizational changes
Continuous growth: New business models & systems
"Hyper connectivity": Social media, eCommerce, etc.
Complex application landscape: Highly integrated systems
2) Challenges derived from Cloud Computing
Cloud applications bring their own "local" user and role management
Business requests many new cloud-based applications
Inadequate security in a provider network
Distributed applications can be accessed anytime and anywhere
Diversification of interfaces for user provisioning and authentication
Scope & Focus of the Initial Project
Root Issues Leading to IAM Project
Identity & Access Management
How can current access requirements be securely fulfilled?
How can the future technologies Cloud & Mobility be securely integrated?
How can identities and accesses be centrally managed and controlled?
Focus & Targets of the Initial Project
Focus on quick progress, as many business requirements are pending
Introduction of a central Identity and Access Management system (one tool)
Creation of infrastructure & basic processes for overall Identity Governance
Focus on identities for "Mobility", "Cloud" and "Digitalization"
Preparation of further integration of Cloud & Mobility applications into Schaeffler IAM
Target Architecture
User accounts and role assignments in the majority of the systems are maintained centrally via the IAM system
Access Management is used for authentication
All user accounts and roles are requested in the IAM system
Diagram labels: HR; Employee Data; Identity Management; Request Access & Roles; Access Management; User Authentication Information; Authentication; Provisioning of User Data & Role Assignments; Integrated Systems: SAP Central User Administration, All SAP Systems, Digital Factory, SharePoint, Business Intelligence, CRM, R&D, Licence Management, Active Directory, Collab. Cloud, Cloud Services, …
Architecture before IAM project
User accounts and role assignments in the majority of the systems used at Schaeffler are maintained locally/decentralized
User accounts and role assignments in the SAP system landscape are centrally controlled via Schaeffler Access Management System ("SAMS"), SAP HR and SAP CUA
A few non-SAP systems are integrated via a CUA interface developed by Schaeffler
Active Directory is partially connected to SAP HR via a user data database developed by Schaeffler
Authentication and SSO are only provided for some systems using ADFS
Diagram labels: HR; Employee Data; Additional User Data; Central User Database; Schaeffler Access Management System; Request Access & Roles; SAP Central User Administration; All SAP Systems; Systems integrated via Schaeffler Interface: CRM, R&D, Licence Mgmt.; Provisioning of User Data & Role Assignments; Active Directory; Active Directory Federation Services; User Authentication Information; Authentication; Collab. Cloud; Cloud Services; Digital Factory; SharePoint; Business Intelligence; …
Architecture at the End of IAM Project: in the interim, the architecture is more complex
Identity & Access Management components have been set up and connected with each other
Employee data is synchronized to IDM and additional user data is added
Pilot systems, which had no central user & role management, have been integrated into IAM for authentication and provisioning of users and roles
Users can request roles for integrated systems via IAM
Diagram labels: HR; Employee Data; User-Data Database; Additional User Data; Schaeffler Access Management System; Identity Management; Request Access & Roles; Access Management; Active Directory Federation Services; User Authentication Information; Authentication; Provisioning of User Data & Role Assignments; SAP Central User Administration; All SAP Systems; Systems integrated via Schaeffler Interface: CRM, R&D, Licence Mgmt.; Not integrated Systems: Digital Factory, SharePoint, Business Intelligence, …; Integrated Systems: Active Directory, Collab. Cloud, Cloud Services
Target Architecture after program completion
Existing tools like "SAMS", "User-Data-Database", "SAP CUA interface to non-SAP systems" and ADFS have been replaced
Diagram labels: HR; Employee Data; Identity Management; Request Access & Roles; Access Management; User Authentication Information; Authentication; Provisioning of User Data & Role Assignments; Integrated Systems: SAP Central User Administration, All SAP Systems, Digital Factory, SharePoint, Business Intelligence, CRM, R&D, Licence Management, Active Directory, Collab. Cloud, Cloud Services, …
Approach & Lessons Learned
Schaeffler Approach to Introduce Identity & Access Management
Procedural methods
Implementation with tool provider and certified partner
Classic "waterfall-model"
Start with pilot-phase to verify tool capabilities
Basic conditions
Fast progress is important
Control all relevant systems with regards to security risk and business benefit
Establish one central IAM-System
Identity Governance
Focus on business & identity processes supported by state-of-the-art technical integration
User Experience
Modern User Interface essential for acceptance
GUI must be easy and intuitive to use and understand
IAM approach
Tool Selection
Tool selection process (supported by external consulting)
Requirement specification
Request for proposal
Evaluation of responses
Create shortlist
Tool presentations & workshops with providers
Evaluation matrix
Final decision
Funnel: 12 tool providers, 8 proposals, 4 tools remaining
Results (chart axis 0 to 5)
Creation of IAM-Roadmap
Targets:
Integration of existing systems into IAM
Enhancement of IAM functionality
Shutdown of existing tools with isolated IAM functions
Approach:
Collection of systems within Schaeffler system landscape
Categorization and evaluation regarding the following factors: number of users/accounts; data & information classification (secret/…/public); risk assessment (current identity processes); demand of application owner for integration into IAM
Collection of functionality to increase Identity Governance (e.g. administration of additional types of identities)
Prioritization and grouping into three "Rollout-Phases"
Defining an IAM Operating Model
Approach & Idea:
Several workshops with a tool provider, service partners and reference customers to gather and evaluate "Best Practices"
Central Governance for Identity and Access Management to provide one face to the business
IDM- & AM-Build will be supported by a long-term implementation partner
Access Management & Infrastructure are the responsibility of "Global Technology Services", which already provides 24/7 support for business-critical services
Identity Management is the responsibility of Application Management
Operating model components:
IAM – Governance: Central Governance for Identity and Access Management; responsibility for overall IAM guidelines, concepts & processes
IDM - BUILD: Integration of systems into IDM; enhance IDM functionality
AM - BUILD: Integration of systems into AM; enhance AM functionality
IDM - RUN: Technical operations of IDM-Tool, e.g. Monitoring, Incident Management, …
AM - RUN: Technical operations of AM-Tool, e.g. Monitoring, Incident Management, …
IAM – Infrastructure: All services and processes regarding infrastructure, e.g. Server, Operating-System, Backup, …
Responsible units: Application Management, Global Technology Services
Lessons Learned
No crucial advantage that both tools are provided by the same supplier!
Schaeffler strongly desired to get Identity Management and Access Management functionality within one tool
Within the project we learned that both components definitely need to be integrated and connected with each other
Although both components are provided by one supplier, from a technical perspective they can be considered as two separate and independent tools communicating via standardized interfaces
Lessons Learned
Schaeffler received an effort estimation based on the requirements defined in the RFP documents
Requirements were detailed in a concept phase
It turned out that the first estimation was inaccurate
Prototype approach recommended!
In a complex subject area like Identity Management, effort estimations have to be treated with caution! Results can be improved by implementing a prototype first.
Lessons Learned
Schaeffler discovered several security bugs in the IAM tools
Some could be fixed by configuration/hardening, but others had to be fixed by the tool supplier by providing patches & bug fixes
In several discussions with the tool provider it turned out that there was no clear and public communication/warning about detected security issues to other possibly affected customers before the official patch was released. (Communication after a patch has been released is accurate and good, though.)
The provided patches and bug fixes contain very little information about the fixed security vulnerability
Security vulnerabilities and bugs are not communicated to the customers until a bug fix has been released! This approach differs from that known from other large business software providers.
Outlook
Digitalization @ Schaeffler – Initial Situation
Digitalization – the 4 components of the digital agenda
Products: Added value through intelligence
Machine learning: “Industrie 4.0” becomes reality
Data analytics & simulation: Big data increases productivity
Digital interaction: The human-machine interface
Digitalization @ Schaeffler – Challenge for IAM
Identity Mgmt.: Challenges & Opportunities
Identity in the partnership eco-system: Governance for all identities, even across the company borders
More relevant identity types: Consumers, devices and machines become more important
Agile approach: The search for new insights prohibits long-term planning & execution
Gain insights from integration of IAM and data management: Understand the customer / market wishes by analyzing identities and related business data
Schaeffler Identity Management follows 3 streams
1 Continue and establish available processes and extend scope
Migrate IAM systems landscape
Extend scope within IAM, e.g. on additional types of identities
Apply well-established processes and policies on all relevant Schaeffler systems
2 Understand business needs in the context of digitalization
What new identities need to be managed, e.g. Consumers, Machines, Devices?
What additional lifecycles & processes are needed?
Integration needs for identities and other data?
3 Improve processes based on business needs
System enhancement and rules for automatic role assignment and account creation
Define Identity Governance for digitalization (manufacturing landscape, machine 4.0, …)
Provide quick & easy integration of new business applications into IAM