EDF Luminus - Identity & Access Management Study

December 2017 till Feb 2018

Management Summary

Security plays an important part in any organization. The enforcement of a security policy is not only to shield yourself from the outside world, but also to properly manage those stakeholders (employees, partners, customers...) who do have a right to perform certain actions, or to access certain information. We need to ensure a proper balance between restricting data from widespread distribution and making certain that business continuity is not compromised by security measures that are too restrictive. Any approach that creates this balance generates an added value to the organization.

Balance between Security and Business Continuity

The main capability in such an endeavor is proper Identity & Access Management (IAM). This discipline has many different wording for the definition from many different sources, but the main idea of what it should be, surfaces in each of them:

IAM is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. (Source: Gartner)
IAM is a framework for business processes that facilitates the management of electronic or digital identities. The framework includes the organizational policies for managing digital identity as well as the technologies needed to support identity management. (Source: TechTarget)
IAM is the combination of processes, technologies, and policies to manage digital identities and specify how they are used to provide access to information. (Source: secureworks.com)

The study is used as preparation for a future RFP, and has to generate insights on several requirements which the future structure of EDF Luminus will have, such as tooling, federation, delegation, possibilities for Software-as-a-Service (or rather Security-as-a-Service), Single Sign On, password policies, audit trails, control mechanisms…

Team Composition

Lessons Learned

IAM as a discipline needs to address 4 pertinent points in order to cover the complete scope of needs. There can even be added an additional A with Application (as in the application of security) in contrast with Administration. When we map the core capabilities onto these 5 topics, we get the matrix as seen on the right hand side.

Concerns for Identity & Access Management IAM Core Capabilities

Assessment Security Utilities Sector