Identity and Access Management

Network access control and identity management for an insurance company.

Improved security architecture thanks to access control and identity management

In the face of the heightened IT threat landscape of recent years, a Hessian insurance company faced the challenge of increasing the security of its infrastructure while at the same time improving scalability and transparency and reducing maintenance costs. After a detailed analysis of the existing security architecture by BEUL, heterogeneous access control and the visibility of users, end devices and network access were identified as the areas with the greatest potential for improving IT security.

In workshops with the customer, a completely revised IAM concept was developed, built around centralized, certificate-based NAC (Network Access Control) for the internal wired and wireless networks as well as for external access (VPN and cloud). In addition, the concept included services such as Profiling (automatic recognition by the network of the type and affiliation of connected end devices) and a Quarantine Zone (a temporary network area for clients that, for example, do not yet meet the current software version). The core of the solution is the Cisco Identity Services Engine (ISE).

BEUL guided the customer through the concept phase and the workshops, supported the definition of a global set of rules and guidelines, and implemented the solution in all of the customer's main locations as well as in numerous branches and offices. Comprehensive monitoring and change management of the environment is provided on an ongoing basis by a BEUL managed service.

Motivation

  • Reduction of administrative effort by replacing distributed, heterogeneous user administration with unified, centrally managed network access
  • Improved transparency by establishing certificate-based identity management with end-to-end processes
  • Increased IT security by implementing advanced functions such as device profiling, a quarantine zone and fine-grained authorization

Challenges

  • Extensive as-is analysis of the network and user landscape, made necessary by poor existing documentation
  • Updating and expanding the company's security policy in coordination with numerous internal departments of the customer
  • Integration of older end systems without built-in NAC support, such as legacy servers, printers and telephony
  • Revision of the existing VLAN-based macro network segmentation

Technologies

  • Cisco
  • Microsoft
  • Palo Alto

The project in figures

  • 3 distributed, redundant authentication nodes
  • 75 migrated customer sites
  • 350 network access systems
  • 3,500 internal and external employees
  • 6,500 protected ports, access points and gateways
  • 8,000 user and machine certificates