1 Hitachi ID Suite. 2 Agenda. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Hitachi ID Suite Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Administration and governance of Identities, entitlements and credentials. 2 Agenda Introductions. Hitachi ID corporate overview. Hitachi ID Suite overview. Architecture and technology. MSP advantages Hitachi ID Systems, Inc. All rights reserved. 1

2 3 Hitachi ID corporate overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Global partner network Hitachi ID Systems, Inc. All rights reserved. 2

3 4 Representative customers 2019 Hitachi ID Systems, Inc. All rights reserved. 3

4 5 Managed service providers Managed service providers outsource IT services, such as help desk call resolution Almost all major MSPs have standardized on Hitachi ID solutions to automatically resolve password problems for their customers. Many MSPs are now adding Hitachi ID solutions to automate identity and access management as well. Hitachi ID MSP partners include: 6 Hitachi ID Suite 2019 Hitachi ID Systems, Inc. All rights reserved. 4

5 7 Integration with other IAM products Automation HitachiID Password Manager E/SSO CORE INFRASTRUCTURE Self-service requests Authorization workflow Consolidated reporting Auto-discovery Reliable updates Target connectors Help desk integrations HitachiID Login Manager HitachiID Phone PW Manager HitachiID Privileged Access Manager HitachiID Identity Manager HitachiID Group Manager HitachiID Access Certifier WebSSO/WebAM Directory Meta Directory Virtual Directory System of Record Database replication HitachiID Org Manager 8 Problem: Too many passwords Every login account has its own: Password value. User interface. Strength rules. Expiration date. Password complexity creates business problems: High call volume : Users forget or lock out their passwords. This can be 30% of help desk workload. Sticky notes : Users write down their passwords and may leave them in public view. Bad passwords : Users choose simple, easily guessed passwords Hitachi ID Systems, Inc. All rights reserved. 5

6 9 HiPM features Password synch: Reduce the number of passwords per user. Self-service: Password change, reset and unlock. Token or smart card PIN reset. Unlock encrypted drive with forgotten pre-boot password. Value-add: 2FA built-in for all users, including via mobile app. Federated access replace other apps login screens. Password vault users can store unmanaged passwords. Access from: PC browser or login screen. At the office or off-site. Smart phone app or self-service phone call. Assisted service: Password, token PIN, intruder lockout. Policy enforcement: Two-factor authentication for all users. Password complexity, expiry, history. Non-password authentication. Managed enrollment: Security questions. Login IDs. Mobile phone numbers Hitachi ID Systems, Inc. All rights reserved. 6

7 10 Access needs evolve Digital identities require frequent updates to reflect business changes: Who? (Types of users): Employees, contractors, vendors, partners, customers. Why? (Business events): Hire, move, change job function, terminate. What? (Change types:) Create/move/disable/delete user, update identity data and entitlements, reset passwords. Where? (Applications:) AD, Exchange, Notes, ERP, Linux/Unix, database, mainframe, physical assets. Complexity creates delay and reliability problems: Productivity: Slow onboarding, change fulfillment. Cost: Many FTEs needed to implement security changes. Security: Unreliable access termination, inappropriate user entitlements. Enforce SoD policies. Accountability: Who has access to what? How/when did they get it? 2019 Hitachi ID Systems, Inc. All rights reserved. 7

8 11 HiIM features Automation: Monitor one or more systems of record (SoR). Generate requests to grant, revoke access. Integrations: 120+ bidirectional connectors, included. Manage resources including mail boxes, home directories and badges. Incident management, SIEM, , 2FA. Manage building access, physical assets. Request portal: Users can request for themselves or others. Access control model limits visibility, requestability. Accounts and groups: Create, manage and delete accounts & groups across systems. Update attributes and assign/revoke group memberships. Workflow: Invite authorizers, implementers, certifiers to act. Built-in reminders, escalation, delegation and more. Selects participants via policy, not flow-charts. Policies, controls: RBAC, SoD. Risk scores, analytics. Approvals, recertification. Certification: Initiated by the system (event, schedule). Stake-holders review identities, entitlements. Generates deprovisioning requests Hitachi ID Systems, Inc. All rights reserved. 8

9 12 Users accumulate access rights Over time, users change roles/responsibilities: Users change jobs, departments and locations. There are many users, each with access to many systems. With each transition, users accumulate entitlements: From what? There is no record of every right a user had before, so old rights are not removed. To what? Without a role model, it is impossible to say which of a user s old rights should stay and which should go. When? A reassigned user may back up his replacement for a while, so must retain old rights for an undefined period of time. 13 HiAC features Hitachi ID Access Certifier automates periodic review and cleanup of user entitlements: Capture: Auto-discovery creates a clear picture of the actual state of user entitlements across the enterprise. Leverage org-chart: Management relationships can be used to structure a certification round. Allows delegation of access review, cleanup and certification to managers. Notify: Automated reminders to managers, app owners and other stake-holders. Certify: Entitlements are either certified or flagged for removal. Sign off: Stake-holders must sign off on completed reviews. Action: Upon approval (if required), the offending entitlements are automatically removed and the user is brought back into compliance. Report: Full reports to satisfy audit requests are available Hitachi ID Systems, Inc. All rights reserved. 9

10 14 Problem: Too many security groups Medium to large organizations have directories with thousands of groups: AD and LDAP. Security groups and mail distribution lists. Challenging to manage at scale: Requests to create new groups (do users know what to ask for?). Ambiguous authorization process (who owns? who approves?). Calculated versus requested membership. When should groups be deleted/archived? When should memberships expire? Nesting / hierarchy? Loops? Appropriate metadata (owner, description, risk,...). 15 HiGM features Hitachi ID Group Manager enables self-service administration of groups and access to resources like shares and folders: Group lifecycle: Create new groups and manage existing ones. Navigate: Intercept "Access Denied" error messages and help users navigate to requests for an appropriate group. Request: Group create, modify and delete. Changes to metadata such as ownership and description. Add/remove members. Authorize: Changes by a workflow request is created dynamically and sent to the group s owner plus anyone else specified by policy. Provision: Upon approval, create/modify a group or add/revoke members Hitachi ID Systems, Inc. All rights reserved. 10

11 16 Orgchart data is scarce Hitachi ID estimates that: 30% of organizations have no data about each employee or contractor s manager. 90% of organizations have incomplete, inaccurate or out-of-date OrgChart data. HR systems rarely include contractors, vendors, etc. Organizations are dynamic and HR often doesn t have the means to accurately or quickly record changes. Staff may have multiple managers, but it s best if only one manager is ultimately responsible for their actions, privileges, pay, etc. Bottom line: while OrgChart data is valuable, it is rarely available, complete or reliable. 17 Summary Hitachi ID Org Manager leverages the Hitachi ID Suite infrastructure to effectively manage OrgChart data: Get managers to name their own subordinates. Clean up errors in current OrgChart data. Fill in gaps in existing data contractors, vendors, temps, etc. Enable processes that depend on complete and accurate OrgChart data, such as IAM workflow and access certification. 18 Privileged accounts not secured Workstations and servers often have the same, unchanging administrator passwords. These passwords are used by desktop support staff, data center staff and other IT resources to manage hardware, operating systems, etc. With thousands of workstations and servers, it is difficult or impossible to ever change these passwords. As IT staff turn over, ex-staff retain keys to sensitive assets Hitachi ID Systems, Inc. All rights reserved. 11

12 19 HiPAM features Auto-discovery: Find systems, accounts. Automatically attach policies via rules. Passwords: Randomize on a schedule and after use. Store in an encrypted, replicated, distributed vault. Authorization: Policy-driven rules. Pre-authorized and request/approval workflow if not routine. Grant access: Single sign-on (login once, launch many). Request multiple accounts, run commands across them. Launch SSH, RDP, vsphere, SQL, etc. Direct connection, VDI proxy or HTML5 proxy. Password display and copy buffer integration. Temporary group membership or SSH trust. Application passwords: Notify SCM, IIS, Scheduler, DCOM of new passwords. API replaces embedded passwords. Logging: Requests, approvals, logins to privileged accounts. Session monitoring: Screen, keyboard, webcam, process ID, window title, etc. Keylog censorship protects passwords, SSN, CC numbers, etc. Request/approval workflow protects staff privacy Hitachi ID Systems, Inc. All rights reserved. 12

13 20 E-SSO deployment challenges Deploying client software to each and every workstation. Building and securing a high-availability database or directory in which to store application passwords. Populating and keeping current user application passwords. Updating encrypted passwords after password resets. Enabling application access from Internet kiosks, PDAs and other non-sso-enabled devices. 21 HiLM features Reduced Signon Compatible Applications Advantages:... never Capture the user s login ID and password from the workstation login. Extract alternate login IDs from AD. Detect dialogs where the user types the known login IDs/password. Automatically fill in user ID/password prompts. Native Windows dialog boxes. HTML forms using IE and Firefox and 5250 terminal sessions. Lotus Notes R6 R8. SAP R/3 GUI. Store passwords. Hand-code scripts. Contact a central server. Set an application password to something the user doesn t know Hitachi ID Systems, Inc. All rights reserved. 13

14 22 Active-active architecture Native password change Password synch trigger systems SaaS apps AD, Unix, z/os, LDAP, iseries Validate pw z/os - local agent Mobile UI Mobile proxy Manage Cloud IVR server TCP/IP + AES VPN server Various protocols Secure native protocol HTTPS Reverse web proxy system Load balancers MS SQL databases Notifications and invitations Ticketing system Hitachi ID servers Tickets HR Hitachi ID servers Replication System of record Firewalls Managed endpoints with remote agent: AD, SQL, SAP, Notes, etc Data center A Data center B Remote data center Proxy server (if needed) Managed endpoints 2019 Hitachi ID Systems, Inc. All rights reserved. 14

15 23 Included connectors Directories: Databases: Server OS X86/IA64: Server OS Unix: Server OS Mainframe: Active Directory and Azure AD; any LDAP; NIS/NIS+ and edirectory. Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC. Windows: NT thru 2016; Linux and *BSD. Solaris, AIX and HP-UX. RAC/F, ACF/2 and TopSecret. Server OS Midrange: ERP, CRM and other apps: Messaging & collaboration: Smart cards and 2FA: Access managers / SSO: iseries (OS400); OpenVMS and HPE/Tandem NonStop. Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic. Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity. Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger. CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign. Help desk / ITSM: PC filesystem encryption: Server health monitoring: HR / HCM: Extensible / scriptable: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell. Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard. HP ilo, Dell DRAC and IBM RSA. WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors. Hypervisors and IaaS: Mobile management: Network devices: Filesystems and content: SIEM: AWS; vsphere and ESXi. Management & inventory: Qualys; McAfee epo and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack. BlackBerry Enterprise Server and MobileIron. Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform. Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter. CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python. Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events. 24 Integration with custom apps Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes. Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID Hitachi ID Systems, Inc. All rights reserved. 15

16 25 Multiple servers and instances Hitachi ID Suite supports multiple servers: Built-in automation replicates data, software and configuration. Both real-time and nightly checkpoint replication. Any off-the-shelf load balancer, or just DNS round-robin, can be used to distribute user sessions across servers. Fail-out, not fail-over: Use all servers normally. Remove unresponsive servers from circulation only if required. Deploy to multiple sites, get DR/BC for free. Hitachi ID Suite supports multiple instances per server: Different instances for different policies (ex: users vs. administrators). Multi-tenant deployment for outsourcers. 26 MSP technology advantages Hitachi ID solutions make our partners more competitive. More features and functionality for less money: Lower initial and ongoing investment (License scheme) Lower on-going administration costs Technology (not services) drives lower deployment costs: Reference implementations. All features, connectors included. Auto-discovery of systems, accounts, entitlements. Automated and self-service ID mapping. Policy-driven workflow easier to manage. No need to engage in costly role engineering Hitachi ID Systems, Inc. All rights reserved. 16

17 27 Hitachi ID Suite summary Three integrated IAM products, licensed to over 14M users, that can: Discover and connect identities across systems and applications. Securely and efficiently manage identities, groups, entitlements and credentials. Secure and monitor access to privileged accounts. Provide strong authentication and federated sign-on. Improve security to comply with regulations. Reduce IT support cost and improve user productivity. Consolidate management of on-premises and SaaS apps. 500, Street SE, Calgary AB Canada T2G 2J3 Tel: hitachi-id.com Date: File: PRCS:pres