Requirements for the project

Before an application can be integrated into the eIAM service, a number of specifications and other formal requirements must be met. In essence, the eIAM service defines the specifications for integrating applications. The eIAM dossier contains various elements for collecting this information; its structure is intended to make recording information about the project process easier and more traceable as the project progresses. The graphical eIAM project flow & control and the eIAM dossier are meant to help you involve your stakeholders correctly.

Responsibilities eIAM <=> Application

The figure below shows schematically which area is the organisational responsibility of eIAM and which is that of the project. It shows a web application inside the networks of the Federal Administration and an application outside those networks.

[Figure: Responsibilities eIAM <=> Application]

The BIT project manager, in cooperation with his stakeholders, is responsible for the following tasks:
  • Ordering load balancers as well as DNS entries and other infrastructure definitions for the communication between the eIAM-Web PEP and the application.
  • Ordering firewall rules for the communication between the eIAM PEP and the load balancer in front of the application if the standard TCP port 443 is not used on the load balancer. If a firewall opening has to be requested by the application owner, the list of source IP addresses of the PEP can be obtained from the responsible SIE of eIAM.
  • The entire green area in the figure is the responsibility of the customer.

System environment requirements

The eIAM service has three operating environments (stages or instances): the reference or integration environment (REF), the acceptance or pre-production environment (ABN) and the production environment (PROD). These three environments are isolated from and independent of each other.

Integrations with eIAM always and exclusively take place in the reference environment. Direct integration of an application into the acceptance or production environment is not possible. After approval by the customer, the reference environment is transported (staged) to the eIAM acceptance environment and then to the production environment within the Customer-Change-Plan (CC-Plan).

If a further operating environment (beyond REF, ABN and PROD) of the same application has to be integrated with eIAM, it is treated as an additional application from eIAM's point of view. Since eIAM cannot provide an additional environment, this further integration must also take place in the reference environment, followed by staging to the acceptance environment.

Confirm compliance with the IAMV

  1. Case: Operation of the application in the Federal Administration network.
    The information security requirements are met in accordance with the IAMV.

  2. Case: Operation of the application in an external network.
    For compliance with IAMV Art. 17 (disclosure of personal data to an external operator: IaaS, PaaS or SaaS cloud solutions), the customer must apply for external IAM federation using the form built into the eIAM dossier, digitally signed by the CISO and uploaded to the eIAM dossier as a PDF.

User Authorisation Concept

It is also the responsibility of the project to create a user authorisation concept based on these documents.

Security

The BIT is responsible for the security of the eIAM platform. The project or the person responsible for the application is responsible for the security of the application.
Within the framework of patch and release management, the FOITT ensures that the eIAM platform is always up to date with the latest technology. It regularly applies security patches and new releases of software components in the operating system and in the middleware. The customer is notified of the installation of these patches and releases in advance (except in the case of emergency patches) so that the customer can adapt his application if necessary. Adapting the application to such changes is exclusively the customer's responsibility.

Protection requirement

The project is responsible for the correct classification of the protection requirements of the application or its data. It must determine the protection requirement by means of a protection requirement analysis (SchuBAn). If the SchuBAn shows an increased need for protection, the application must be protected with a 2-factor authentication based on eIAM.

Levels of protection

In the present context, protection levels (SN) refer to a classification of the security requirements for data processing in relation to the protection needs of the data processed, as regulated by the specifications of the BK DTI. The data in eIAM (information in the user accounts) has SN1. Applications protected by eIAM may have SN2 provided this level of protection does not result from the Information Protection Ordinance (IPO) (except where only ciphertext (Chiffretext) is transmitted, as this has SN1 by definition). In other words: if the SN2 results from the Data Protection Act (FADP), the business application concerned can obtain authentication services from eIAM, but no weak electronic identities may be used, and data protection must be ensured by the application. In general, note that IAM services cannot establish confidential handling of data; they only provide authentication and, where necessary, authorisation of a certain reliability and traceability. Confidentiality must be achieved by measures at the data level, normally cryptography, independently of identity and access management.

The authentication strength per application (Guest | Weak | Normal | Normalverified | Strong | Verystrong) must be recorded in the eIAM dossier.
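The two rules above, a minimum authentication strength recorded in the dossier and no weak electronic identities for SN2 applications, have to be enforced by the application itself on every request it accepts from eIAM. The following is an added example of such an application-side check; it is not eIAM's own code. It assumes that the authentication strength reaches the application as a claim or attribute named `authnLevel` carrying one of the level names listed above (the real eIAM attribute name may differ; check the integration documentation), and that the required level and the SN classification are supplied by the project as configuration.

```python
"""Application-side enforcement of the eIAM authentication strength.

Added illustration, not eIAM's own code. Assumptions (not taken from the page):
  * the strength of the authentication arrives as a claim named "authnLevel"
    whose value is one of the level names recorded in the eIAM dossier;
  * the required minimum level and the protection level (SN1/SN2) determined
    by the SchuBAn are configured by the project, here as AppPolicy fields.
"""
from dataclasses import dataclass
from typing import Mapping

# Authentication strengths ordered from weakest to strongest, as listed in the dossier.
AUTHN_LEVELS = ["Guest", "Weak", "Normal", "Normalverified", "Strong", "Verystrong"]
RANK = {name: index for index, name in enumerate(AUTHN_LEVELS)}

# Assumption: "weak electronic identities" covers the Guest and Weak levels.
WEAK_LEVELS = {"Guest", "Weak"}


@dataclass(frozen=True)
class AppPolicy:
    """What the project recorded for its application."""
    required_level: str    # minimum authentication strength from the eIAM dossier
    protection_level: int  # 1 or 2 (SN1 / SN2) from the protection requirement analysis

    def __post_init__(self) -> None:
        if self.required_level not in RANK:
            raise ValueError(f"unknown authentication level {self.required_level!r}")
        if self.protection_level not in (1, 2):
            raise ValueError("protection level must be 1 (SN1) or 2 (SN2)")
        # An SN2 application must not be configured to accept weak identities at all.
        if self.protection_level == 2 and self.required_level in WEAK_LEVELS:
            raise ValueError("SN2 applications may not accept weak electronic identities")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_authn_level(claims: Mapping[str, str], policy: AppPolicy,
                      claim_name: str = "authnLevel") -> Decision:
    """Decide whether the presented authentication strength satisfies the policy.

    Fail closed: a missing or unrecognised level is refused, never downgraded.
    """
    level = claims.get(claim_name)
    if level is None:
        return Decision(False, f"claim {claim_name!r} missing from the assertion")
    if level not in RANK:
        return Decision(False, f"unrecognised authentication level {level!r}")
    if policy.protection_level == 2 and level in WEAK_LEVELS:
        return Decision(False, f"level {level!r} is a weak identity; not permitted for SN2")
    if RANK[level] < RANK[policy.required_level]:
        return Decision(False, f"level {level!r} below required {policy.required_level!r}")
    return Decision(True, f"level {level!r} satisfies required {policy.required_level!r}")


if __name__ == "__main__":
    # Constructed sample claims, as an application might receive them after
    # eIAM has authenticated the user (values are illustrative only).
    sn2_policy = AppPolicy(required_level="Strong", protection_level=2)
    for sample in ({"authnLevel": "Verystrong"}, {"authnLevel": "Normal"},
                   {"authnLevel": "Weak"}, {}):
        decision = check_authn_level(sample, sn2_policy)
        print(f"{sample!s:32} -> {'ALLOW' if decision.allowed else 'DENY '} ({decision.reason})")
```

The policy object is validated at construction so that a misconfigured SN2 application cannot even start with a weak minimum; the per-request check then compares ranks rather than strings, so raising the required level in the dossier needs only a configuration change.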

ISDS Concept

The project is responsible for creating an ISDS (information security and data protection) concept if the results of the protection requirement analysis require one. It must be available at the latest before the solution is transferred to the BIT acceptance environment.

Architecture Conformance Statement

The project is responsible for preparing an architecture conformance statement. It must be available at the latest before the application is transferred to the acceptance environment.

eIAM provisioning of cloud solutions

The provisioning of applications in AWS, Azure and other clouds is established practice. The usage obligation also applies to SaaS and other cloud patterns.