Enabling Digitalization, Cloud & Mobile with [email protected] Agenda - Enabling Digitalization,...

Enabling Digitalization, Cloud & Mobile with IAM@SchaefflerImplementation of a Cross-System Identity- and Access Management Solution

Sebastian ScharfSchaeffler Technologies AG & Co. KG

2

Agenda - Enabling Digitalization, Cloud & Mobile with IAM@Schaeffler

Schaeffler at a Glance: A Leading Global Technology Company1History & Challenges2Scope & Focus of the Initial Project3Approach & Lessons Learned4Outlook5

#MFSummit201720.-21.06.2017

3


History & Challenges2Scope & Focus of the Initial Project3Approach & Lessons Learned4Outlook5

Schaeffler at a Glance: A Leading Global Technology Company1

#MFSummit201720.-21.06.2017

Schaeffler at a glance

Schaeffler in facts – Strong starting point

More than

86,600employees worldwide

More than 170 locations in 50 countries

1.1 m tons of processed steel p.a.

Strong customer basewith approx.

11,800 customers

1) Before one-off effects

Strong organic growth

5% p.a.Ø Sales growth2006-2016

More than

2,300patents filed in 2016

High quality of results

12.7% EBIT margin in 20161)

Far more than

10,000different products

75 plants

17 R&D centers

20.-21.06.2017 #MFSummit20174


Schaeffler – A leading global technology company

20.-21.06.2017 #MFSummit20175

22,5

77,5

Industrial Automotive

53,1

10,5

15,4

21,0

Europe Asia/Pacific Greater China Americas

EUROPE: Incl. Germany, Western, Southern and Eastern Europe, Middle East, Africa, Russia and India

Sales by division and region in 2016 (in %)

Global footprint

Continuous sales growth from (in EUR bn)

#Plants #R&D Centers

Europe 48 9

Americas 14 5

Greater China 8 1

Asia / Pacific 5 2

Total 75 17

11,1 11,2

12,1

13,2 13,3

2012 2013 2014 2015 2016

75.800

78.300

82.30084.200

86.600

2012 2013 2014 2015 2016

Employees worldwide

29.500Germany 29.400 30.500 30.800 31.200


Customer proximity – global plants and R&D centers

20.-21.06.2017 #MFSummit20176

1 In Europe

1) The regions represent the regional structure of the Schaeffler Group.

Regions 1)

R&D centers

Plants

Europe

9

48

Americas

5

14

Greater China

1

8

Asia/Pacific

2

5

South Africa

Port Elizabeth

Japan

Yokohama

Russia

Ulyanovsk

China

Anting

Nanjing

Suzhou

Taicang (4)

Yinchuan (2)

Vietnam

Biên Hòa City

Thailand

Chonburi

South Korea

Ansan

Changwon

Jeonju

India

Hosur

Pune

Vadodara (2)

Brazil

Sorocaba (2)

1

Canada

Stratford (2)

USA

Cheraw (2)

Danbury

Fort Mill (2)

Joplin

Spartanburg

Troy

Wooster

Mexico

Puebla

Irapuato

United Kingdom

Llanelli

Plymouth

Sheffield

Italy

Momo

Portugal

Caldas da Rainha

Spain

Elgoibar

Hungary

Debrecen

Szombathely

Romania

Braşov

Slovakia

Kysucké Nové Mesto

Skalica

Czech Republic

Lanškroun

Svitavy

Germany

Bühl

Elfershausen

Eltmann

Gunzenhausen

Hamm/Sieg

Herzogenaurach

Hirschaid

Höchstadt (2)

Homburg (3)

Ingolstadt

Kaltennordheim

Lahr

Luckenwalde

Morbach

Schweinfurt (2)

Steinhagen

Suhl

Unna

Wuppertal

Switzerland

Romanshorn

Austria

Berndorf-St. Veit

France

Calais

Chevilly

Haguenau (2)

Engine Systems


Two divisions – Automotive and Industrial

20.-21.06.2017 #MFSummit20177

Automotive Aftermarket Industrial Distribution

Automotive (Systems) Industrial (Sector Clusters)

Transmission Systems

Off-roadAerospaceWind

Raw MaterialsTwo-WheelersRail

Industrial AutomationPower TransmissionHybrid and Electrical Drive SystemsChassis Systems


Automotive – Broad product portfolio along the entire powertrain

20.-21.06.2017 #MFSummit20178


Industrial – Broad product portfolio of standard and custom solutions

20.-21.06.2017 #MFSummit20179

Axial / radial roller bearings with

outside diameter of several meters

INA-FAG catalogwith 40,000 articles

Yoke type and stud typetrack rollers

Spherical plain bearingsCylindrical

roller bearingswith disc cage

Radial insert ball bearings

Linear guidancesystems

Cage-guided cylindrical

roller bearings

Rotary table bearingswith measuring system

Activemagneticbearings

Needleroller

bearings

Main spindle bearings

Sphericalroller

bearingsTapered

rollerbearings

Directdrives

Enginebearings

Smallest ball bearing with a 1 mm inside diameter

Housings


Basis for strategic direction – Four focus areas

20.-21.06.2017 #MFSummit201710

11


Schaeffler at a Glance: A Leading Global Technology Company1

Scope & Focus of the Initial Project3Approach & Lessons Learned4Outlook5

History & Challenges2

#MFSummit201720.-21.06.2017

History & Challenges

2000-2017: Continuous Improvement of Identity & Access Management

20.-21.06.201712 #MFSummit2017

2000 2002 2010 2011 20132003 2005 2007 20142008 2017

Central User Administration for SAP

system landscape

Active Role Server for file access management

"Schaeffler Access Management System"

with User Life Cycle for SAP applications

Integration of role management for Engineering and

CRM tool into SAMS

Centralization ofSAP role

administration

Instructions &procedures in management

handbook

General processes for role change, role

request& role approval

Establish networkwith process-,

data- and application-owners

"Role-Sets" and automatic assigned

Business Roles

Governance

Applications

Initial Identity & Access

Management project

Establishing of ICS process for

recertification of User access

Meta-Store for distribution of central

user data

2004

SAProle request & approval tool

Integrationof FAG systems into

Schaeffler role management

Segregation between

organizational and functional roles in

SAP

Join

MoveLeave

2) Challenges derived from Cloud Computing1) Challenges derived from Schaeffler mission

History & Challenges

#MFSummit2017

Employee growth & fluctuationNew employees & organizational changes

Continuous growthNew business models & systems

“Hyper connectivity”Social media, eCommerce, etc.

Complex application landscapeHighly integrated systems

Identity Mgmt.

Challenges & Opportunities

Cloud applications bring their own "local" user and role management

Business requests many new cloud-based applications

Inadequate security in a provider network

Distributed applications can be accessed anytime and anywhere

Challenges for Identity and Access Management

13 20.-21.06.2017

Diversification of interfaces for user provisioning and authentication

14


Schaeffler at a Glance: A Leading Global Technology Company1History & Challenges2

Approach & Lessons Learned4Outlook5

Scope & Focus of the Initial Project3

#MFSummit201720.-21.06.2017

Scope & Focus of the Initial Project

15

Root Issues Leading to IAM Project

Identity & Access

Management

How can current access requirements be securely

fulfilled?

How can the future technologies Cloud & Mobility

be securely integrated?

How can identities and accesses be centrally managed

and controlled?

#MFSummit201720.-21.06.2017


16

Focus & Targets of the Initial Project

Focus on a quick progress as many

business requirements are pending

Introduction of a central Identity andAccess Management

system (one tool)

Creation of infrastructure & basic processes for overall Identity Governance

Focus on identities for "Mobility", "Cloud" and "Digitalization"

Preparation of further integration of Cloud & Mobility applications into Schaeffler IAM

#MFSummit201720.-21.06.2017

User accounts and role assignments in majority of the systems are maintained centrally via IAM-system

Access Management is used for authentication

All user accounts and roles are requested in IAM system


Target Architecture

17 #MFSummit201720.-21.06.2017

Provisioning of User Data & Role Assignments

Authentication

SAP Central User

Administra-tion

Digital Factory

Share Point

Business Intelli-gence

All SAP Systems

…

Integrated Systems

Active Directory

Collab. Cloud

Cloud Services

CRM

R&D

Licence Manage-ment

Identity Management

User Authentication Information

Employee DataHR

Request Access & Roles

Access Management


Architecture before IAM project

18

User accounts and role assignments in majority of the systems used at Schaeffler are maintained locally/decentralized

User accounts and role assignments in SAP system landscape are centrally controlled via Schaeffler Access Management System ("SAMS"), SAP HR and SAP CUA

A few non-SAP-systems are integrated via CUA interface developed by Schaeffler

Active Directory is partially connected to SAP HR via user data database developed by Schaeffler

Authentication and SSO is only provided for some systems using ADFS

20.-21.06.2017 #MFSummit2017

Collab. Cloud

Cloud Services


Active Directory

Active Directory

Federation Services

Authentication Authentication

Digital Factory

Share Point


…

SAP Central User

Administra-tion

CRM

R&D

LicenceMgmt.

Systems integrated via Schaeffler Interface



Employee Data

All SAP Systems

Schaeffler Access

Management System


Additional User Data

HR

Central User

Database

Identity & Access Management components have been set up and connected with each other

Employee data is synchronized to IDM and additional user data is added

Pilot systems, which had no central user & role management, have been integrated into IAM for authentication and provisioning of users and roles

Users can request roles for integrated systems via IAM


Architecture at the End of IAM Project: in the intermediate time the architecture is more complex

19 #MFSummit201720.-21.06.2017

Active Directory

Federation Services

Authentication


Access Management

SAP Central User

Administra-tion

CRM

R&D

Licence Mgmt.

Systems integrated via Schaeffler Interface



Employee Data

All SAP Systems

AuthenticationDigital Factory

Share Point


…

Not integrated Systems

Active Directory

Collab. Cloud

Cloud Services

Integrated Systems


Authentication

Schaeffler Access

Management System


Additional User Data

HR

User-Data Database

Employee Data

Identity Management

Existing tools like "SAMS", "User-Data-Database", "SAP CUA interface to non-SAP systems" and ADFS have been replaced


Target Architecture after program completion

20 #MFSummit201720.-21.06.2017


Authentication

SAP Central User

Administra-tion

Digital Factory

Share Point


All SAP Systems

…

Integrated Systems

Active Directory

Collab. Cloud

Cloud Services

CRM

R&D

Licence Manage

ment

Identity Management


Employee DataHR


Access Management

21


Schaeffler at a Glance: A Leading Global Technology Company1History & Challenges2Scope & Focus of the Initial Project3

Outlook5

Approach & Lessons Learned4

#MFSummit201720.-21.06.2017

Approach & Lessons Learned

#MFSummit2017

Schaeffler Approach to Introduce Identity & Access Management

22

Procedural methods

Implementation with tool provider and certified partner

Classic "waterfall-model"

Start with pilot-phase to verify tool capabilities

Basic conditions

Fast progress is important

Control all relevant systems with regards to security risk and business benefit

Establish one central IAM-System

Identity Governance

Focus on business & identity processes supported by state-of-the-art technical integration

User Experience

Modern User Interface essential for acceptance

GUI must be easy and intuitive to use and understand

IAM approach

20.-21.06.2017


23

Tool Selection

Tool selection process

Requirement specification

Request for proposal

Evaluation of responses

0

1

2

3

4

5Results

Create Shortlist

Tool presentations & workshops with providers

Supported by external Consulting

12 Tool providers

8 proposals

4 Tools remaining

Evaluation matrix

Final decision8 proposals

#MFSummit201720.-21.06.2017

Targets:

Integration of existing systems into IAM

Enhancement of IAM functionality

Shutdown of existing tools with isolated IAM-functions

Approach:

Collection of systems within Schaeffler system landscape

Categorization and evaluation regarding the following factors:

Number of users/accounts

Data & information classification (secret/…/public)

Risk assessment (current Identity processes)

Demand of application owner for integration into IAM

Collection of functionality to increase Identity Governance (e.g. administration of additional types of identities)

Prioritization and grouping into three "Rollout-Phases"


Creation of IAM-Roadmap

25 #MFSummit201720.-21.06.2017

Approach & Idea:

Several workshops with a tool provider, service partners and reference customers to gather and evaluate "Best Practices"

Central Governance for Identity and Access Management to provide one face to the business

IDM- & AM-Build will be supported by a long-term implementation partner

Access Management & Infrastructure is in responsibility of "Global Technology Services" which already provide 24/7 support for business critical services

Identity Management is in responsibility of Application Management


Defining of an IAM Operating Model

26

IAM – Governance

IDM - BUILD AM - BUILD

IDM - RUN AM - RUN

IAM – Infrastructure

Central Governance for Identity and Access Management

Responsibility for overall IAM Guidelines, concepts & processes

All Services and processes regarding infrastructure, e.g. Server, Operating-System, Backup, …

Integration of systemsinto IDM

Enhance IDM functionality

Integration of systemsinto AM

Enhance AM functionality

Technical operations of IDM-Tool, e.g. Monitoring, Incident Management, …

Technical operations of AM-Tool, e.g. Monitoring, Incident Management, …

Ap

plic

atio

n M

anag

emen

t

Glo

bal

Tec

hn

olo

gy S

ervi

ces

#MFSummit201720.-21.06.2017

No crucial advantage that both tools are provided by the same supplier!

Schaeffler strongly desired to get Identity Management and Access Management functionality within one tool

Within the project we learned that both components definitely need to be integrated and connected with each other

Although both components are provided by one supplier, from a technical perspective they can be considered as two separate and independent tools communicating via standardized interfaces


27

Lessons Learned

Identity Access

#MFSummit201720.-21.06.2017

Schaeffler received an effort estimation based on the requirements defined in the RFP-Documents

Requirements were detailed in a concept phase

It turned out that the first estimation was inaccurate

Prototype approach recommended!


28

Lessons Learned

€

In a complex subject area like Identity Management effort estimations have to be treated with caution! Results can be improved by implementing a prototype first.

#MFSummit201720.-21.06.2017

Schaeffler discovered several security bugs in the IAM Tools

Some could be fixed by configuration/hardening, but others had to be fixed by the tool supplier per providing patches & bug fixes

In several discussions with the tool provider it turned out that there was no clear and public communication/warning about detected security issues to other possibly affected customers before the official patch has been released. (Communication after patch has been released is accurate and good though).

The provided patches and bug fixes only contain very few information about the fixed security vulnerability


29

Lessons Learned

Security vulnerabilities and bugs are not communicated to the customers until a bug fix has been released! This approach differs from that of known from other large business software providers.

#MFSummit201720.-21.06.2017

30


Schaeffler at a Glance: A Leading Global Technology Company1History & Challenges2Scope & Focus of the Initial Project3Approach & Lessons Learned4Outlook5

#MFSummit201720.-21.06.2017

Outlook

31

Digitalization @ Schaeffler – Initial Situation

#MFSummit201720.-21.06.2017

Products: Added value through intelligence

Machine learning: “Industrie 4.0” becomes reality

Data analytics & simulation: Big data increases productivity

Digital interaction: The human-machine interface

Outlook

Digitalization – the 4 components of the digital agenda

20.-21.06.2017 #MFSummit201732

Outlook

33

Digitalization @ Schaeffler – Challenge for IAM

#MFSummit201720.-21.06.2017

Identity Mgmt.

Challenges & Opportunities

Identity in the partnership eco-systemGovernance for all identities, even across the company borders

More relevant identity types Consumers, devices and machinesbecome more important

Agile approachSearch for new insights prohibit long term planning & execution

Gain insights from integration of IAM and data managementUnderstand the customer / market wishes by analyzing identities and related business data

Outlook

34

Schaeffler Identity Management follows 3 streams

Migrate IAM systems landscape

Extend scope within IAM, e.g. on additional types of identities

Apply well-established processes and policies on all relevant Schaeffler systems

What new identities need to be managed, e.g. Consumers, Machines, Devices?

What additional lifecycles & processes are needed?

Integration needs for identities and other data?

Continue and establish available processes and extend scope

Understand business needs in the context of digitalization1 2 3 Improve processes based on

business needs

System enhancement and rules for automatic role assignment and account creation

Define Identity Governance for digitalization (manufacturing landscape, machine 4.0, …)

Provide quick & easy integration of new business applications into IAM

#MFSummit201720.-21.06.2017

Thank youfor your attention

35

Sebastian [email protected]

#MFSummit201720.-21.06.2017

mailto:[email protected]

Enabling Digitalization, Cloud & Mobile with [email protected] Agenda - Enabling Digitalization,...

Documents

Transcript of Enabling Digitalization, Cloud & Mobile with [email protected] Agenda - Enabling Digitalization,...