Requirements for the project
Before an application can be integrated into the eIAM service, a number of specifications and other formal requirements must be met; the eIAM service defines these specifications for the integration of applications. The eIAM dossier contains various elements for collecting the required information. Its structure is intended to make it easier to record information about the project as it progresses and to keep that record comprehensible. The graphical eIAM project flow & control and the eIAM dossier should help you to involve your stakeholders correctly.
Responsibilities eIAM <=> Application
The figure below shows schematically which areas are the organisational responsibility of eIAM and which are the responsibility of the project. The figure shows a web application inside the networks of the Federal Administration and an application outside the networks of the Federal Administration.
Figure: Responsibilities eIAM <=> Application
The BIT (FOITT) project manager, in cooperation with his stakeholders, is responsible for the following tasks:
- Ordering the load balancers, DNS entries and other infrastructure definitions needed for communication between the eIAM Web PEP and the application.
- Ordering the firewall rules for communication between the eIAM PEP and the load balancer in front of the application if a port other than the standard TCP port 443 is used on the load balancer. If the application owner has to request a firewall opening, the list of source IP addresses of the PEP can be obtained from the responsible SIE of eIAM.
- The entire green area in the figure is the responsibility of the customer.
System environment requirements
The eIAM service has three operating environments (stages or instances): the reference or integration environment (REF), the acceptance or pre-production environment (ABN) and the production environment (PROD). These three environments are isolated from and independent of each other. Integrations with eIAM always and exclusively take place in the reference environment; direct integration of an application in the acceptance or production environment is not possible. After approval by the customer, the configuration of the reference environment is transported (staging) to the eIAM acceptance environment and then to the production environment within the Customer Change Plan (CC-Plan).
If a further operating environment (in addition to REF, ABN and PROD) has to be integrated with eIAM for the same application, eIAM treats it as an additional application. Since eIAM cannot provide an additional environment, this further integration must also take place in the reference environment, followed by staging to the acceptance environment.
Confirm compliance with the IAMV
- Case: Operation of the application in the Federal Administration network.
The information security requirements are met in accordance with the IAMV.
- Case: Operation of the application in an external network.
For compliance with IAMV Art. 17, Disclosure of personal data to an external operator (IaaS, PaaS, SaaS cloud solutions), the customer must apply for external IAM federation using the form built into the eIAM dossier. The form must be digitally signed by the CISO and uploaded to the eIAM dossier as a PDF.
User Authorisation Concept
It is also the responsibility of the project to create a user authorisation concept based on these documents.
Security
The BIT (FOITT) is responsible for the security of the eIAM platform. The project or the person responsible for the application is responsible for the security of the application. Within the framework of patch and release management, the FOITT ensures that the eIAM platform is kept up to date: it regularly applies security patches and new releases of software components in the operating system and in the middleware. The customer is notified in advance of the installation of these patches and releases (except in the case of emergency patches) so that the customer can adapt his application if necessary. Responsibility for adapting the application lies exclusively with the customer.