Identity & Access Management System for INPS
The growing spread and evolution of information technology, together with recent regulations establishing that Public Administration bodies must equip themselves with digital tools and services to simplify the dialogue between the PA, citizens and businesses, has brought about a real transformation towards a new, digital and more efficient administration. INPS has for some time recognised the central role of the IT system within its organisational structure, as the primary tool for producing and delivering the services it offers, and has identified its correct functioning as the main critical factor for achieving its institutional purposes.
All this requires the correct distribution and management of information, so as to ensure the integrity and quality of the data and, at the same time, to ensure that each user is provided with all, and only, the information within their competence.
Therefore, new and more demanding needs to protect the integrity of the information system from various risk factors (accidental access, willful misconduct, errors, etc.) have become evident.
In partnership with Leonardo, CODIN designed and implemented the IT infrastructure for identity management and application access control across the INPS information system, serving around 35,000 employees and collaborators and 1,700 Heads of Directorates and their Delegates.
Among the main features supported by the IAM (Identity and Access Management) solution implemented by CODIN we can mention the following:
- complete management of the life cycle of all users of the various components of the INPS information system (creation, modification, suspension, revocation of access credentials and authorization profiles);
- acquisition of users' personal data from external information sources (integration with the IT system for staff management and internal organization);
- management of access credentials and authorization profiles assigned to users of the information system, required to access the IT subsystems integrated with the IDM platform (IBM z/OS, Microsoft Active Directory, IBM Lotus Notes, Web Access Manager, proprietary legacy subsystems, etc.);
- management of access credentials and authorization profiles for intranet web applications (about 150 web based applications, created with heterogeneous technologies);
- support of different authentication methods for access to intranet web applications ("weak" authentication, strong authentication based on OTP, integrated authentication with the Active Directory domain, etc.);
- identity federation with information systems of external entities through the support of the SAML protocol (e.g. Interforze, INPDAP, ENPAV, ENPAB, ENASARCO, and others).
The implementation of the Identity Manager system led to the creation and customization of provisioning workflows and connectors for the integration of numerous heterogeneous systems:
- network and group user directory (Microsoft Active Directory);
- IBM Lotus Domino e-mail and collaboration system;
- IBM RACF system for managing users and their access profiles to legacy procedures in the host (mainframe) environment;
- user management system for former AS/400 applications;
- Unique Registry Archive (National and Local ARCA);
- SAP SRM module for access to the e-procurement system;
- other legacy systems owned by the Institute (National Single Registry Archive, accounting system for legacy applications in the Pensions area, etc.).
The Identity and Access Management platform was built on the Oracle/Sun Identity Manager, Access Manager, Directory Server and Application Server products, together with the Gateway components for Active Directory and Lotus Domino; implementing the system required very thorough customization of the base software components, carried out by the CODIN project team.
As part of the project, CODIN took care of the following services:
- analysis of the technical and organizational context of INPS for the identification of the organizational authorization and delegation processes to be implemented on the Identity Management system;
- analysis of IT subsystems and security policies to be adopted for the correct implementation of the provisioning procedures;
- design and implementation of the identity management system;
- design and implementation of the Web Access Management system, the single sign-on context, identity federation procedures and strong authentication plug-ins;
- corrective and evolutionary maintenance of the platform;
- user assistance (Directors of INPS offices, IT operators located at local offices, end users of the various components of the Institute's information system);
- specialist and system support for the integration of the IAM system with third-party applications;
- system management and monitoring, software component upgrades, patch installation, etc.
The project intervention led to the achievement of the following benefits:
- remediation of pre-existing user archives, an operation that highlighted a high number of obsolete users that had never been deactivated;
- creation of a unified console, intended for Head Office Managers, for the centralized management of identities and access authorizations to the various components of the information system;
- management of the integrity, quality and availability of data, in compliance with the processes and policies of the organization, while simultaneously protecting the data from unauthorized access.