Identity & Access Management System for INPS

The main activity of INPS (National Social Welfare Institution) consists in the settlement and payment of pensions and all benefits in support of income. Such activity is carried out through complex and pervasive IT tools through which it is possible to access and manipulate Personal, Healthcare, Confidential and Sensitive data or perform potentially fraudulent operations.

The information held in the Social Welfare Institute's large "information park" may be subject to fraud. When fraud occurs, the Institute is required to give evidence of all the IT operations performed in processing the "sensitive" information it holds and manages. This makes it necessary to adopt appropriate precautions to track access and information management activities so that the following activities are always possible:

  • Monitoring and control of compliance with data processing policies
  • Monitoring the correct execution of the processes for carrying out the services provided, through a service-oriented log analysis
  • Behavioral analyses to improve the effectiveness of the processes put in place and to detect security attacks, internal or external
  • Support for forensic analysis and for investigations, whether internal or by authorized third parties (judiciary, Financial Police, etc.)
  • Prevention or identification of possible fraudulent activities (identity theft, unauthorized access from abroad or outside working hours)
  • Detection of information system security breaches
  • Detection of malfunctions of individual components of the information system
  • Statistics on the use of systems aimed at preventing the deterioration of the service offered to users or planning the evolution of the resources necessary for the information system
  • Productivity monitoring (aggregated by organizational unit or workplace)
  • Verification of the adequacy and compliance with specific regulations of the configuration of the information system

In partnership with Leonardo and HP ES, CODIN has designed, implemented and managed the Data Warehouse for the collection of audit application logs from the numerous applications present on the INPS information system.

The solution identified achieves the following features:

  • extraction and collection of information from an extremely heterogeneous application park (legacy applications in the IBM z/OS environment, web-based applications, web server logs, logs of access to the Institute's databases, etc.)
  • transformation and loading of data within the data warehouse
  • consultation and reporting of logs using Business Intelligence tools
  • alerting for reporting abnormal situations

The system allows the management of a continuous ETL activity (Extract, Transform and Load) of all information regarding access to INPS sensitive data by structuring it within the Data Warehouse to produce heterogeneous types of reports. The system is constantly evolving from a functional and dimensional point of view. At this time, the DWH contains over 11 billion logs produced by more than 1000 applications and services, with a historical depth of 11 years.

The system components were built on Oracle products: Oracle RDBMS 11g Enterprise Edition with options and integrations for Oracle DB (Partitioning, Transparent Data Encryption, Advanced Compression), Oracle Data Integrator, and the Oracle Business Intelligence Enterprise Edition components for analyzing the data collected in the data warehouse.

 

Services

The multi-year project sees CODIN staff engaged in the following services:

  • analysis of applications and data
  • design, development and maintenance of the Data warehouse for the Centralization of INPS security logs
  • design, development and maintenance of Data mart
  • implementation of data loading and transformation / normalization processes
  • support to INPS Management for the implementation of synthetic and analytical reports with Business Intelligence tools
  • Data Quality Management to verify, during the application testing phase and after deployment to production, that logs are produced correctly and exhaustively for all the information subject to possible investigations
  • support to all teams developing new applications and / or re-engineering existing applications in cataloguing the events subject to audit logging, in order to avoid the proliferation of events and logs that are not significant for security purposes
  • testing of application logging before applications go into production, by inserting a verification step into the Institute's software life cycle that blocks non-compliant applications from being released to production

 

Benefits

The project intervention led to the achievement of the following benefits:

  • facilitation of the threat analysis process
  • prevention of fraudulent actions, promptly detecting anomalous behavior on the applications
  • availability, for INPS officials, of a business intelligence tool able to perform rapid, detailed analyses for internal investigations or at the request of the authorities
  • availability of dashboards with statistical reports both for specific Institute needs and for anti-fraud purposes