Hello everyone, I'm Slavic Lidshammer from Evolveum, and today I want to introduce you to midPoint, which is an open source identity management and identity governance platform. Let me start with the basics. midPoint is fully open source. There are no strings attached, no proprietary parts; everything is really available as open source for the public. It's maintained by the company Evolveum, and of course Evolveum as a company has to earn its money somehow, so the Evolveum business model is based on services on top of midPoint. So midPoint as a product is completely open and available to the public, and Evolveum is providing support, requests for new features and similar products as services for its business model. At the same time, Evolveum is trying to support the community. So we are maintaining a mailing list where the community can discuss, we are organizing webinars, and sometimes we even have questionnaires or other ways for the community to interact with us and give us feedback. At the same time we are providing documentation, and we are even taking contributions to both the source code and the documentation from the community. And even with this it's quite hard to get enough engagement from the community, because in the identity management and identity governance community, the people who are really doing their job in this area, there are not a lot of them. So it's quite hard to get them engaged, but even so we are trying to do our best to work with the community on this product. And an important thing is that the midPoint roadmap is also influenced by the community. You might see that because Evolveum has to earn its money somehow, of course the midPoint roadmap is influenced by the customers of Evolveum who are actually paying for the services. But we are also taking ideas for future development from the community, and combining all of this with our own vision of how the product should be developed and steered in the future.
Before we get to the technical part, what midPoint can do and what it cannot do, let me show you how widely midPoint is used right now. As far as we know, midPoint is deployed across 16 industries, and an interesting one is education, because identity management and identity governance in education have their specifics. It's usually more complicated than most deployments in other industries, because in education, for example, universities don't need to work just with employees, but also with students, with applicants, with alumni, and sometimes students become employees later, so everything is more complex there. Then we have some government deployments, and I would say the situation there is similar to education, but luckily not that complex. Also quite a large portion of our customers come from the financial sector, and that's probably the reason I'm also participating in this conference, and I will try to show you what features are interesting for the financial sector. Also, to demonstrate the outreach of the whole midPoint, I would like to mention that there are eight core developers in Evolveum who are developing midPoint. It doesn't seem like much, but eight professionals can actually do quite a lot of work and help move the product forward. We also have 28 partners of Evolveum, which are companies where at least part of their business is built on top of Evolveum's product midPoint, so these companies usually do deployments of midPoint or even some custom extensions for customers. And at Evolveum, in the same way as we are supporting the community, we are trying to support and build our partner network to make sure that midPoint can really be available to anyone, and it's not just one company that is behind all of this. So now I would like to get to the technical part, and I will start by explaining to you what identity management is.
The main idea of identity management is to connect other systems and make sure that all the accounts are created where they are supposed to be, and the same with the attributes of these accounts, or also other objects like groups, roles and so on. So you can see here, in grey, some systems and applications which are part of the infrastructure in some company, and then we have the identity management platform, midPoint in this case, in the middle in blue. The main principle: from the left you can see an HR system and some partner registry as our source systems, which are connected to midPoint. They are connected using a connector, which is just an interface to bridge the HR system, or any source system, with midPoint on a technical level, because all of the systems have different APIs, different ways to communicate with them, and the connector is a piece of code which does exactly that: just translating from the system's internal language to the midPoint internal language. The same is on the right side, on the target side, where midPoint is again able to provision the data to all the target systems, and it can be directly to the application or through some intermediate system like Active Directory or LDAP. midPoint can even feed some authentication and authorization services, which might be, for example, single sign-on services which users then use to access the applications. midPoint itself just gathers all this data together, and you can put in rules for who should have access to what, and maybe do some data transformation, like creating an email address out of the last name of the user, or just creating any identifiers, user names, passwords, whatever is needed. All of this is centralized in the identity management, and identity management makes sure that, based on these rules that you configured, everything is then distributed where it's supposed to be. And also when you fire someone, for example, identity management makes sure that the account will be deactivated or deleted, again based on the rules that you configured.

So what are the main benefits of identity management? The first one is building an infrastructure, because if you have proper identity management, you have the first brick of your infrastructure, and then you can use this to build your other systems on top of it. And of course all of this helps you to automate as many things as possible. So you can automate the process where a user comes to your company and, based on his position, all the accounts can be automatically created, an email address can be created, there might be a process for how to set up an initial password and force him to change it, and so on and so on. In the same way you can automate what happens when somebody is changing position, or when a user is fired from the company and you need to deactivate the account. So this is all built on top of your existing processes in your company; you are just using identity management to automate parts of creating, deleting and updating accounts. And at the end this all strengthens your security, because when you are not relying on manual processes, that someone will remember to delete all the accounts when the employee leaves the company, if everything is automated and controlled by identity management, of course it will be a huge improvement to your security, because there is no space for human error. What is also a nice benefit is that in identity management you have a unified view on identity-related data, so you can always check what is happening there, who has an account where, what the rules are for creating, deleting and so on. And because you have lots of automation, you have to have some audit trail of what happened, so you can always check what was in the past, what is, and what is supposed to be. So you have a complete audit record of what happened since day one. And all of these benefits at the end lead to one single thing, which is reducing cost, because automation and having certain security means you don't have to invest in people who will do this manually, and at the end deploying proper identity management will help you reduce either the direct cost or at least personnel cost, because a lot of stuff can be automated.

What I also want to show you are the main midPoint strengths, or even principles, for midPoint and its development. The first one is adaptability. That means midPoint is designed to fit into an existing environment, so when you are deploying midPoint you don't have to adapt because midPoint forces you to do something in a certain way; the exact opposite is true. midPoint will fit into the existing infrastructure, into the existing processes, and you will just use it to model what you already have and what you just want to automate. For this it has to be really flexible and configurable, and this is one of the philosophies of midPoint: if anything can be configured, it should be, and if it's not there, it will be added later. So we are trying to build midPoint to be as flexible as possible, so you can configure every detail that you might need. With that might come quite a lot of complexity, because you have a lot of configuration options, but I think in this case, when identity management is a basic building block of your infrastructure, it's better to overcome that complexity than to be limited by the system itself. So we are always preferring configurability rather than having the system be easier to understand, because with this slight increase in complexity, configurability always wins. The next principle is consistency, because midPoint is mainly developed by a fixed set of developers who have a common vision and a common way to do things, and even when they are merging external pull requests, for example, they still maintain this consistency across all of midPoint. You can be sure that all the features work in a similar way, so when you understand one feature, another similar feature will behave in a similar way, will have a similar UI to be configured, and a similar impact.

A similar principle is internal coherence, because midPoint is a single product; it's not a set of different applications that just go together. It's a single product which is really carefully designed and developed, and everything there works together, so it's internally coherent. Whichever feature you choose to use can be combined with any other feature that midPoint provides; everything is designed to work together and can be integrated into really complex workflows, for example. And of course, because identity management is the heart of the infrastructure, it has to be stable. It is connected to a lot of other systems, as we showed on the picture, so you need to be sure that it will be stable and that even some problems in these integrated components won't break it down. With that comes also robustness, because you want to rely on your identity management even if something happens externally. For example, you recover some target system from a backup: you can rely on midPoint that it will detect this and fix the state of the accounts there. A similar thing if some administrator deletes some accounts by mistake or makes some manual changes: as long as midPoint is configured, as it should be, to be the primary source of truth about accounts and accesses, it will find it and fix it. So it's very robust. And the last principle that we are following in midPoint development is continuous improvement, because the area of not just identity management but also identity governance is quite rich, and there are new systems coming each day, and even more complicated workflows and complex systems which rely on different components. All of these have to be integrated into identity management and identity governance, so we are always trying to improve and keep pace with this, and try to make midPoint a better product.

Now that I have explained the identity management part of midPoint, I would like to move to identity governance, which I think is the area that midPoint covers that might be more interesting for the financial sector. I'm showing a similar example to the previous one, but now midPoint, in blue, is labelled as an identity governance and administration platform, and what we add there are policies. Internally in midPoint, where you have all the data, you can define additional policies which will be applied and checked, and midPoint will work with them. And to be able to connect this to your existing processes and workflows, there is a connection to some ITSM or workflow engine, and also a generic API for identity governance and administration. So what are the typical features of identity governance? You can support processes, meaning, for example, when you hire a new employee there might be a process for that, saying exactly whether someone has to approve it first, or which accounts can be created, and maybe some other accounts can be created only after he or she changes his or her password, and only then, when you are sure that the account was properly created, you will create the accounts on a sensitive system. So, integration of these types of processes. Then the policies, which were already mentioned, to be able to maintain some state in your system and check that some states are always true. Then you might want to verify compliance, which is also related to processes and policies, to make sure that you are compliant with some regulation, for example, and identity governance features will help you to do that. You can have some approval workflows, which is also very handy. Then, with identity governance, you can make some analysis on all the data that you have, because you have quite a lot of data about your users, their attributes, their roles, accesses, groups and other entitlements. This is quite a lot of data, and you can do quite a nice analysis on top of that and provide reports, which can be reports to support your operations, to make sure everything is running smoothly and there are no problems, but it can also be reports for your security officers or managers, to let them know what's happening and give them some overview.

Identity governance also helps you to build life cycles of objects, to make sure that everything is created and deleted as it's supposed to be, following processes and policies. And it can also help you with personal data protection, because when you have all this personal data and you know which accounts are created, and when, and as part of which process, you can easily make sure that all the personal data are protected, or you can even configure your processes so that some data are provisioned and deprovisioned based on, for example, some agreements regarding personal data. What are the benefits of identity governance? Again it's automation, but now it's a different type of automation. When we discussed identity management, we mostly discussed automation of processes for creating and deleting accounts and making sure the infrastructure is working. If we look at identity governance automation, it helps you to automate your processes, not just identity processes but processes in the company: what should happen when a new employee comes, or when an employee is promoted to a different position, what type of accesses he should have now, should it be approved first, and so on and so on. And this again strengthens your security, because it is automated, it was verified, it was designed, and at the end you can rely on it, so there are fewer manual steps in the process, so your security is increased. It also gives you better control, because if all these processes and policies are in place, you can delegate a lot of management to different people, but these policies and processes help you make sure that it's still consistent, and nobody, even if they have rights to change something, will have the power to break something critical.

And when you delegate stuff, you also might need to have some overview, either to be prepared for some audits, or to have the data and check what's happening and what state was there, like, a week ago, but also to check compliance with some policies or even some regulations like GDPR. When you have this overview of your data and what's happening with them, you can easily do that. And again, the same as in the identity management part, all of this at the end leads to reducing cost, because everything that I just described can be done even without an identity governance platform, but you will have to spend more manpower to follow some audit or check compliance with some policies, whereas here it can be automated. So now, in the final part of my presentation, I would like to go into some details of some identity governance features, and I will start with the overview of your data. What you can do if you have this single platform with all the data, all the processes and policies I just described: you can have some dashboards which can be used for day-to-day operations and provide you an online view of important data, so you can immediately see what is happening there, if everything is okay, or if there are some manual steps that need to be done. Using similar principles, you don't have to have just the online view, but you might have some periodical reports which just aggregate the information about what happened this week or this month, and you might easily provide this to your managers, to security officers, or anyone who is really interested in that, and it can be fully automated: the reports can be generated as a PDF and sent by email, very easy. And of course you can use it even for some technical features, for example for real-time monitoring of accounts, which can be a great tool for your help desk, because they probably don't have access to all the systems, so they are not able to verify that the accounts were created and with which parameters.

But if everything is integrated in a single platform like midPoint, you can give them access only there, providing just the tools to check if everything is correct. So just an example: on the big screenshot at the top, you have an example of a simple dashboard which shows you the status of the resources and what errors were there recently, and on the lower part of the screen you have the report that I mentioned. This is part of a certification campaign, where someone has to review manually assigned roles, and you can see who the reviewer was, whether the review was already done, and whether it was accepted or not. So this is just a visual of how it might look. And this example is the tool for the help desk I mentioned. For example, you can see the user Leonardo Da Vinci, who has two accounts; it is on the screenshot in the left part of the screen, and if you click on it you get to the right part of the screen, on the different picture, where you can see details of this account. Now this is very technical information, but you can configure that, and for example for the help desk only show relevant data, like that the account is there, maybe what email is there; for some software you might display licenses or groups or roles that the account has. But I hope you can imagine what you can do with simple tools like that. Then another feature is policies, and policies are a great tool for maintaining order in some complex environment, because if you imagine everything that is managed in identity management, it can be quite a lot: you have your organization structure with some managers, maybe some project structure, custom groups, a lot of attributes, a lot of roles, and one person cannot manage all this. So the best thing is to delegate this to other people: let managers manage their department and organization unit, let project managers manage their project, give users some autonomy to change their password, maybe change their email, or depending on what you need.

But then you can build policies on top to make sure that, even if the whole management of the objects is somehow distributed, there will be some basic policies to make sure that there is still order. For example, you might have some segregation of duties, that no one can be their own deputy, or if you have some really important roles, like, I don't know, CEO and security director, it cannot be the same person. So you can put policies like that in place to make sure this is enforced. And of course you can set various enforcement options, because for some actions, like if I try to make myself my own deputy, that can just be denied immediately, but for other policies, for example the policy that every organization unit needs to have a manager, you don't want to enforce this in all circumstances, because sometimes you want to fire the current manager, and you don't want to prevent this action; you just want to record that it's broken, and then you can fix it. And this process of fixing is called remediation, which is the process of looking for broken policies, which are then displayed to you or to some, like, manager of the identity management and identity governance platform, who has to fix them somehow. And of course this can be combined with other features of midPoint, for example notifications: so if a policy is broken, you can notify about it, and if the policies are not broken anymore, you can notify again, you can put it in the reports shown on the previous page, and so on and so on. And some examples: segregation of duties, already mentioned; that you might have a responsible person for entities, it can be roles, organization units, whatever you can imagine; or for example you can even set policies to watch the number of licenses used on some target system. Even though the license management is automated, because for example all of your managers should have a license somewhere, you can still have a policy which is watching that you are not exceeding the number of licenses you are paying for, and if you are getting close, it can again be combined with some notification, and if you have reached the limit, it might again either show you the policy is broken, or deny the action which would break this policy.

So there are a lot of options for what you can do with policies, and again the main benefit is that you are maintaining some order, even though the environment is complex and the control of the environment settings is distributed between different persons: as long as you have these policies in place, you can make sure that everything will be tight and run exactly as you expect. The last thing that I want to show you is compliance and consistency. This will allow you to build some workflows in the identity management and identity governance platform, and usually this is some form of approvals. So you can define that either users can request something on their own, for example a role, or even if it's managed by some manager, it still needs to be approved by other people; for example, for some sensitive role, it can be some security officer who will check if this person really should have access to the sensitive role, and then approve it. And as part of this workflow, it can always be extended with something more, for example escalation: so if the person who is responsible for the approval is not acting on it, it can be escalated to different persons, or even the approvals can be multi-stage, so you have different people at different levels who have to approve it, and so on and so on. Another, I would say really critical, feature is access certification campaigns. This is a tool to make sure that even manually managed entities are always kept in line, because you always have something that is managed manually: if it's a role, it might be some group, or some ad hoc projects which are short-lived and are managed by individual people, and if something is manually managed, there is always a risk that someone forgets to remove the person afterwards or delete the whole thing.

So these campaigns are a tool which will go through selected objects, for example go through all manually managed roles, and then ask the responsible people for those roles to check if the memberships in those roles are still valid, and they will either confirm it or they might make changes, for example remove some people. And you can use the same principle and run it, for example, on top of your projects, to make sure the projects are still live and should still be there, and if not, again the responsible person will either mark it as still valid or will delete it. So this is a very crucial tool for making sure that even manually managed entities are still in order. And the last thing is life cycles, which are similar to this certification campaign but more towards the automated part, I would think, because defining life cycles will help you with onboarding and offboarding, not just of users, but it might also be related to roles or your organization units. So you can define exactly what should happen and when: what should happen when a user comes, should there be any notification, any approval process; it's again related to everything that I just described, and the life cycle just helps you to tie it all together and use it to help define your internal processes and decide what will happen when the user leaves the organization. And it can be even more complex, because onboarding and offboarding sounds easy, but sometimes you have reactivation: if the employee, for example, goes on maternity leave, you want to deactivate the account, because otherwise it will be a security risk, but when she comes back from maternity leave you want to reactivate the account, and there should be a process for that. A similar process should be there, for example, if the user is changing position, or if someone leaves your company and comes back after, I don't know, half a year: maybe you don't want to create everything from scratch, but you would rather reactivate the old account.

And if you have life cycles defined properly, it will help you to do that, and it will be fully automated, and you may be sure that only the accesses that should be valid will be valid, and nothing else. And this doesn't have to be related only to users, but it might be related to part of your organization structure, to your roles, your projects, service accounts, whatever is possible. So, to sum up my whole presentation: I showed you midPoint, and I showed you the identity management part and the identity governance part, and midPoint can combine both of these together. midPoint is very feature-rich, so it can do a lot of different things in the organization, and for that it is designed to be customizable, so you can fit it into your existing infrastructure, into existing workflows and processes. midPoint is fully open source; there are no strings attached, everything is available, but it is also backed by Evolveum, and Evolveum makes sure that it is designed and developed in a consistent way. Evolveum also provides services on top of that, but those are paid services; the product itself, midPoint, is completely free. So at the end I would just like to provide you some resources where you can find more: there's the main web page about Evolveum, there's the complete documentation, which is mostly about midPoint but there are some side projects as well, there is a whole book about identity management in midPoint, so if you don't like to read documentation you might read it in a book, and of course, because it's open source, there is a link to all the source code. At the end there are two contacts: the first email is mine, I would be really happy if you reach out to me and ask me any question about anything that might be interesting for you, and the generic info@evolveum.com where you can also reach us and ask about anything. Thank you very much for your attention.
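The policy part of the talk (segregation of duties such as "no one can be their own deputy" or "CEO and security director cannot be the same person", the choice between denying an action outright and merely recording the broken policy for remediation, the "every organization unit needs a manager" rule, watching a license count, and notifying when a policy becomes broken or is fixed again) is modelled in the following added example. It is a constructed Python toy written for this page, not midPoint's own code: midPoint expresses such rules declaratively in its configuration, and this engine only illustrates the evaluation logic the speaker describes. The users, roles, org units, policy names, the seat limit and the 50% "getting close" threshold are all made up.

```python
"""Toy governance policy engine: constructed example for this page, not midPoint code. All names are made up."""
from copy import deepcopy
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple

class Enforcement(Enum):
    DENY = "deny"      # the violating change is rejected outright
    RECORD = "record"  # the change goes through; the violation is kept for remediation

@dataclass
class State:
    roles: Dict[str, Set[str]]          # user -> roles held
    deputies: Dict[str, str]            # user -> deputy
    managers: Dict[str, Optional[str]]  # org unit -> manager, None when vacant
    license_limits: Dict[str, int]      # licensed role -> seats paid for

@dataclass
class Policy:
    name: str
    enforcement: Enforcement
    check: Callable[[State], List[str]]  # inspects a whole state, returns violation details

def exclusion(role_a: str, role_b: str) -> Callable[[State], List[str]]:
    """Segregation of duties: nobody may hold both roles at once."""
    return lambda s: [f"{u} holds both {role_a} and {role_b}"
                      for u, held in s.roles.items() if {role_a, role_b} <= held]

def no_self_deputy(s: State) -> List[str]:
    return [f"{u} is their own deputy" for u, d in s.deputies.items() if u == d]

def every_unit_has_manager(s: State) -> List[str]:
    return [f"org unit {unit} has no manager" for unit, m in s.managers.items() if m is None]

def license_usage(role: str, fraction: float) -> Callable[[State], List[str]]:
    """Fires once more than `fraction` of the paid seats are in use (1.0 = limit exceeded)."""
    def check(s: State) -> List[str]:
        used, limit = sum(role in held for held in s.roles.values()), s.license_limits[role]
        return [f"{role}: {used} of {limit} seats used"] if used > limit * fraction else []
    return check

class PolicyEngine:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.notifications: List[str] = []  # what a notification hook would send out

    def violations(self, s: State, enforcement: Enforcement) -> Set[Tuple[str, str]]:
        return {(p.name, d) for p in self.policies if p.enforcement is enforcement for d in p.check(s)}

    def apply(self, s: State, change: Callable[[State], None]) -> Tuple[bool, State]:
        """Try a change on a copy; deny-enforced violations reject it, newly broken/resolved record policies notify."""
        candidate = deepcopy(s)
        change(candidate)
        denied = self.violations(candidate, Enforcement.DENY)
        if denied:
            self.notifications += [f"denied by {name}: {detail}" for name, detail in sorted(denied)]
            return False, s
        before = self.violations(s, Enforcement.RECORD)
        after = self.violations(candidate, Enforcement.RECORD)
        self.notifications += [f"{name} broken: {detail}" for name, detail in sorted(after - before)]
        self.notifications += [f"{name} resolved: {detail}" for name, detail in sorted(before - after)]
        return True, candidate

    def remediation_queue(self, s: State) -> List[str]:
        """Open record-enforced violations, i.e. what a governance admin still has to fix."""
        return sorted(detail for _, detail in self.violations(s, Enforcement.RECORD))

def demo() -> dict:
    """Walk through the scenarios from the talk on constructed data and return what happened."""
    state = State(
        roles={"alice": {"ceo"}, "bob": {"office-license"}, "carol": {"office-license"}},
        deputies={"alice": "bob"},
        managers={"finance": "alice", "it": "bob"},
        license_limits={"office-license": 4},
    )
    engine = PolicyEngine([
        Policy("sod-ceo-security-director", Enforcement.DENY, exclusion("ceo", "security-director")),
        Policy("no-self-deputy", Enforcement.DENY, no_self_deputy),
        Policy("unit-has-manager", Enforcement.RECORD, every_unit_has_manager),
        Policy("license-exceeded", Enforcement.DENY, license_usage("office-license", 1.0)),
        Policy("license-near-limit", Enforcement.RECORD, license_usage("office-license", 0.5)),
    ])
    out = {}
    ok, state = engine.apply(state, lambda s: s.roles["alice"].add("security-director"))
    out["sod_denied"] = not ok            # alice is CEO: segregation of duties refuses this outright
    ok, state = engine.apply(state, lambda s: s.deputies.update(bob="bob"))
    out["self_deputy_denied"] = not ok    # nobody may be their own deputy
    ok, state = engine.apply(state, lambda s: s.managers.update(it=None))
    out["manager_removed"] = ok           # allowed, but leaves an open item to remediate
    out["license_adds"] = []              # 4 seats paid, 2 used: 3rd and 4th recorded, 5th denied
    for user in ("dave", "erin", "frank"):
        ok, state = engine.apply(state, lambda s, u=user: s.roles.setdefault(u, set()).add("office-license"))
        out["license_adds"].append(ok)
    out["remediation"] = engine.remediation_queue(state)
    out["notifications"] = engine.notifications
    return out

if __name__ == "__main__": print(demo())
```

Running `demo()` shows the two enforcement styles side by side: the CEO/security-director and self-deputy changes never reach the state, while removing the IT manager and filling the third and fourth license seats are accepted but stay in the remediation queue until someone fixes them, and the fifth seat is refused. Because the engine evaluates the whole candidate state rather than the single change, the same constraint functions also serve a periodic sweep for already-broken policies, which is what the speaker's remediation process does.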