Strong, flexible identity and access management, built collaboratively

Solving complex identity and access management issues for an organization often requires finesse, collaboration and the ability to creatively meet the needs of all aspects of the business with a single solution. One global biopharmaceutical company discovered the power of collaboration as it worked to replace an existing access management implementation, harmonizing two distinct populations(enterprise and manufacturing) representing 47,000 users.

The company knew it needed to replace its single sign-on (SSO) solution, as its existing technology was neither flexible nor strong enough for the organization’s complex network of relationships and environments. Although each of the work groups presented its own unique challenges, the manufacturing team’s needs were considerably more complex.

  • Enterprise users represented a more traditional federation in which access to applications was integrated for SSO, leveraging existing network authentication.
  • Manufacturing users required greater network security and deployment of a separate, dedicated global tenant with no trust. Access from the corporate network to the manufacturing network was also restricted, and direct access to the internet was forbidden in certain layers of the architecture.
  • A primary concern in the manufacturing environment was ensuring control for users when registering a device for multi-factor authentication (MFA).

A leading security provider was identified to supply technology and expertise after confirming the provider’s platform met all the business and technical requirements for identity and access management (IAM) of the internal workforce, business partners and customers.

Together, the company, identity security provider and Protiviti architected, installed, configured and tested 18 sites and 48 servers across three environments, and replaced an existing access management implementation for its 120 federations comprised of 47,000 users.

After confirming the alignment of business and technical requirements, the company’s IAM team, along with the security provider’s solution architects and Protiviti resources, completed a collaborative and successful proof-of-concept (POC). The POC enabled the company to illustrate a new approach to its manufacturing users as a solution for their specific MFA needs. This POC gave the company confidence in the design and solution stack, after which it engaged the security provider and Protiviti to deliver a new identity and access management architecture, design and implementation project.

Together, the company, identity security provider and Protiviti architected, installed, configured and tested 18 sites and 48 servers across three environments. The team also replaced an existing access management implementation for its 120 federations comprising those 47,000 users. This required eight enterprise federation servers globally located in different network layers that also integrated an MFA solution and adaptors for registration, impersonation and environment selection.

The resulting solution was more complex and feature-rich, making it possible to improve services to the organization. This will allow the company to integrate applications using a variety of identity and access management methods. 

  • Within the enterprise group, managing policies for step-up authentication were used as needed, depending on whether the policy for the application required it or access was authorized from external network connections, or both. The flexibility of the MFA solution and device methods improved the user experience.
  • The manufacturing solution required MFA to the production environment to access the applications on thin clients. Outbound requests to facilitate MFA leveraged global enterprise application delivery controllers (ADCs) to proxy the requests. Inbound communication from the MFA solution to the enterprise federation server engines leveraged separate manufacturing ADCs. Remote access was facilitated with Security Assertion Markup Language (SAML) based connectivity through a firewall.
  • Additionally, in the manufacturing environment, the registration adapter and provisioning of users from the identity management system secured the registration of the initially provisioned device. Limitation of devices was also enforced. Initially, users were restricted to short message service (SMS) texts; only after successful multi-factor authentication could they select a secondary device and potentially switch primary devices. The impersonation and registration adapters were deployed in parallel to allow preregistration of security keys and hardware authentication devices.

The resulting solution was more complex and feature-rich, making it possible to improve services to the organization. This will allow the company to integrate applications using a variety of identity and access management methods.

Additional benefits will accrue in future phases of the project, including:

  • Separation of populations with different user lifecycle management needs, application access needs and authentication policy requirements. These benefits will be realized with deployment of the identity security stack and identity management services.
  • Consistent global services across the organization’s group of companies, allowing the withdrawal of technologies and consequential license-cost savings. These benefits will be realized with deployments to the organization’s sister company and its key global manufacturing, research and clinical applications.

As enterprises develop new approaches and engage third parties to fulfill new roles, the complexity of identity and access management presents a growing challenge. By collaborating with best-of-breed third parties to achieve a strong, flexible solution to complex identity and access management requirements, this company forged a new path that enabled their broad network of collaborators to engage with their network of systems.

Loading...