Automated IAM in a directory-based security architecture

Initial situation

The international aviation group has an extremely extensive workforce spread across several subsidiaries: passenger transportation, cargo, technical service, IT service, and others. As a result of this widely dispersed structure, it had become increasingly difficult for the company to efficiently manage the 160,000 users across its diverse systems and applications.

In addition, the company needed a provisioning solution to keep the corporate directory up to date to meet the company’s security requirements and enable effective auditing. The aviation company realized that it needed an identity management system to centralize and automate user management. The tasks of the new system were to aggregate and process all user and corporate data from various sources and route it to the appropriate target systems.

After careful consideration, the company selected GARANCY because it offered powerful provisioning functionality, was highly scalable, and could be easily integrated into a directory-based environment.

The Challenge

The company operates one of the world’s largest Novell networks. Therefore, it needed an IdM solution that would interact well with the Novell NetWare environment and also integrate with various disparate systems such as RACF, four Windows NT domains, an SAP system, the corporate directory and other LDAP directories, as well as three in-house developed applications (a Unisys-based accounting system and two team management systems).

Another challenge was that all 160,000 user profiles in the corporate directory contain over 50 different attribute types per user. Therefore, the provisioning solution needed to be able to support a range of input sources to keep the directory permanently up to date, prevent security breaches, and enable precise monitoring of operations. These functions needed to be performed without manual intervention by administrators – hence the need for full automation of operations.

For administrative reasons, it was necessary to treat the connected subsidiaries as independent companies within the same IdM system, as this was the only way to ensure the confidentiality of data traffic and clean administration.

Implementation

In order to achieve ROI in the shortest possible time, the Group initially focused on optimizing and automating user administration. As a first measure, the Novell NetWare network, RACF as well as the Windows and Unisys systems were connected to SAM and the user administration of the group company for passenger transportation was automated. Five data sources were connected to GARANCY: two HR systems, one external partner database, and two data sources for company-related information. Changes in these systems were transmitted to GARANCY and converted into user accounts, group connections, and authorizations of the various connected security systems using a rule-based process.

The successful productive operation of the system for the first subsidiary encouraged the project team to include the extensive group company Cargo in the solution. Since GARANCY makes it very easy to manage multiple organizations within a single IdM solution, the added subsidiary was effortlessly integrated into the administration. At the same time, SAP was integrated as a further target system in order to benefit from the automated user administration here as well.

The company had already decided to introduce GARANCY as an IdM solution in 2000. Over the years, significant new functions were added, including biometric password reset via voice recognition, self-service functions, an SPML interface for user data, and integration options via web services. Thanks to the permanent further development of the solution used and continuous updates to the latest program versions, all current requirements in the area of IdM could be optimally fulfilled.

In the meantime, alternative solutions had also been evaluated, but due to the many years of good cooperation with Beta Systems, it was decided to stay with the previous technology supplier. Over the years, GARANCY has also been extended to other group companies; today around 200,000 employees of the company and its subsidiaries are administered with the Beta Systems solution. Other application systems were also gradually integrated, Peregrine Asset Center being among the most recent.

Solution

The company runs its corporate directory, which includes 160,000 users, on Novell eDirectory. The internal PKI (Public Key Infrastructure) and numerous applications depend on the reliable and timely availability of user data. The advantages of seamless integration of the provisioning solution with the enterprise directory via the standard connector GARANCY eConnect were obvious from the very beginning: by bundling the data sources and using the powerful functions of GARANCY eConnect, the users, user attributes and security definitions of the enterprise directory could be updated frequently in a regular, fully automated cycle.

In addition to the provisioning features described above, GARANCY provides or supports numerous other user management functionalities. Central administrators, for example, can use GARANCY to perform complex administrative tasks manually. Support staff, on the other hand, can use GARANCY’s helpdesk functionality as a convenient interface for setting up and deleting users or changing passwords.

GARANCY is connected to the customer-specific intranet portal. This allows employees and external partners to request accounts and user rights via a coordinated approval workflow. Approved account and rights requests are submitted to GARANCY. GARANCY, in turn, executes them in the connected systems and directories. This process allows the IT department to provide a very high quality of service to its customers: Thanks to the technical embedding of a workflow system in GARANCY, all security systems can be updated just a few minutes after the approval is granted.

Using GARANCY’s cross-platform reporting and monitoring functions, the group’s own IT service provider can automatically generate monthly audit reports containing all relevant user and security settings and send them by e-mail to the respective responsible company managers. A weekly report on changed user attributes and deactivated or deleted accounts is also generated for each Group company for the security administrators of the various target systems.
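As an added illustration of the two mechanisms described above, the rule-based conversion of HR changes into accounts and group memberships (Implementation section) and the per-company report of changed attributes and deactivated accounts (this section), here is a small Python reconciliation. It is not GARANCY code and is not taken from the case study; the HR record layout, the rule set, the group names and the sample feed and directory contents are constructed assumptions for the example. The target state is derived from the HR feed with rules, diffed against the current directory, and the resulting actions are grouped per subsidiary for the report:

```python
from dataclasses import dataclass
from collections import defaultdict

# --- Input model (constructed for this example) ------------------------------

@dataclass(frozen=True)
class HrRecord:
    person_id: str
    company: str       # subsidiary the person belongs to, e.g. "passenger", "cargo"
    department: str
    status: str        # "active" or "left"
    display_name: str

@dataclass(frozen=True)
class Account:
    person_id: str
    company: str
    display_name: str
    groups: frozenset
    enabled: bool

# --- Provisioning rules (hypothetical; a real rule set is customer-specific) --
# Each rule is (predicate over the HR record, groups granted when it matches).
RULES = (
    (lambda r: r.status == "active", {"ALL-STAFF"}),
    (lambda r: r.status == "active" and r.department == "Flight Ops", {"CREW-MGMT"}),
    (lambda r: r.status == "active" and r.company == "cargo", {"CARGO-BOOKING"}),
)

def desired_account(rec):
    """Derive the target account from one HR record by evaluating every rule."""
    groups = set()
    for matches, grant in RULES:
        if matches(rec):
            groups |= grant
    return Account(rec.person_id, rec.company, rec.display_name,
                   frozenset(groups), enabled=(rec.status == "active"))

def reconcile(hr_feed, directory):
    """Compare desired state (from HR) with current state (the directory).

    Returns (action, person_id, company, detail) tuples a connector would apply.
    An enabled account with no HR record at all is disabled, not ignored, so a
    gap in the feed cannot silently keep an orphaned account alive.
    """
    actions = []
    seen = set()
    for rec in hr_feed:
        seen.add(rec.person_id)
        want = desired_account(rec)
        have = directory.get(rec.person_id)
        if have is None:
            if want.enabled:
                actions.append(("create", want.person_id, want.company, want))
            continue  # a leaver who never had an account needs nothing
        if have.enabled and not want.enabled:
            actions.append(("disable", want.person_id, want.company, "left per HR"))
            continue  # group changes are moot once the account is disabled
        if not have.enabled and want.enabled:
            actions.append(("enable", want.person_id, want.company, "active per HR"))
        if have.display_name != want.display_name:
            actions.append(("update", want.person_id, want.company,
                            {"display_name": (have.display_name, want.display_name)}))
        for g in sorted(want.groups - have.groups):
            actions.append(("add_group", want.person_id, want.company, g))
        for g in sorted(have.groups - want.groups):
            actions.append(("remove_group", want.person_id, want.company, g))
    for pid, acc in directory.items():
        if pid not in seen and acc.enabled:
            actions.append(("disable", pid, acc.company, "no HR record"))
    return actions

def weekly_report(actions):
    """Group the actions per subsidiary: created, changed and deactivated accounts."""
    report = defaultdict(lambda: {"created": [], "changed": [], "deactivated": []})
    for action, pid, company, detail in actions:
        if action == "create":
            report[company]["created"].append(pid)
        elif action == "disable":
            report[company]["deactivated"].append(pid)
        elif action in ("update", "add_group", "remove_group"):
            report[company]["changed"].append((pid, action, detail))
    return dict(report)

# --- Constructed sample input --------------------------------------------------
HR_FEED = [
    HrRecord("p001", "passenger", "Flight Ops", "active", "A. Pilot"),   # gains CREW-MGMT
    HrRecord("p002", "passenger", "Finance", "left", "B. Clerk"),        # leaver
    HrRecord("c001", "cargo", "Operations", "active", "C. Loader"),      # joiner
]
DIRECTORY = {
    "p001": Account("p001", "passenger", "A. Pilot", frozenset({"ALL-STAFF"}), True),
    "p002": Account("p002", "passenger", "B. Clerk", frozenset({"ALL-STAFF"}), True),
    "p999": Account("p999", "passenger", "Z. Orphan", frozenset({"ALL-STAFF"}), True),  # no HR record
}

if __name__ == "__main__":
    actions = reconcile(HR_FEED, DIRECTORY)
    for a in actions:
        print(a)
    print(weekly_report(actions))
```

The check worth copying is the last loop in `reconcile`: the authoritative source is the HR feed, and anything enabled in the directory that the feed does not vouch for is deactivated and appears in the report, which is exactly the kind of change the weekly report for security administrators is meant to surface.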

Due to the centralized and automated user management, considerable cost savings could be achieved in administration. With GARANCY, the airline has a homogeneous provisioning solution for the corporate directory and the strategic security systems. GARANCY provides all connected systems reliably and promptly with the required user data. Thanks to GARANCY, the airline is able to efficiently perform comprehensive user management and guarantee a high level of service to the other group companies. The high scalability of GARANCY also makes it possible to expand the current solution as desired to include additional group companies or external customers, which has a very positive impact on the TCO.

The airline benefits in two ways from updates to the latest releases of the IdM solution from Beta Systems.
On the one hand, the GARANCY architecture fits perfectly into the group’s new target architecture. While the previous version was based on a mainframe platform, GARANCY runs on decentralized servers and also uses Microsoft databases. Because operating GARANCY in a decentralized Microsoft architecture is much cheaper than on a mainframe basis, the company now also saves significantly on costs by eliminating the mainframe DB2 database and using GARANCY IAM.


Facts

The airline is one of the world’s largest and most successful companies in the aviation industry.

The Group is made up of six strategic business units, comprising more than 400 subsidiaries and partners operating worldwide.

The Challenge

The group operates one of the world’s largest Novell networks. Therefore, an IdM solution had to be found that would interact excellently with the Novell NetWare environment and also integrate various disparate systems such as RACF, four Windows NT domains, an SAP system, the corporate directory, and other LDAP directories, as well as three in-house developed applications (a Unisys-based booking system and two crew management systems).

Solution

By bundling the data sources and using the powerful functions of GARANCY eConnect, the users, user attributes and security definitions of the corporate directory could be updated frequently in a regular, fully automated cycle.

Result

The business process-related security management could be automated up to 80%.