1 Hitachi ID Suite. 2 Agenda. 3 Corporate. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Hitachi ID Suite Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Administration and governance of Identities, entitlements and credentials. 2 Agenda Corporate Hitachi ID Identity Manager Hitachi ID Password Manager Recorded Demos Technology Implementation Differentiation 3 Corporate 2018 Hitachi ID Systems, Inc. All rights reserved. 1

2 3.1 Hitachi ID corporate overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Global partner network. 3.2 Representative customers 2018 Hitachi ID Systems, Inc. All rights reserved. 2

3 3.3 Hitachi ID Suite 4 Hitachi ID Identity Manager 4.1 Compliance / internal controls Challenges Slow and unreliable deactivation when people leave. Orphan and dormant accounts. Users with no-longer-needed access. Access that violates SoD policies or represents high risk. Unreliable approvals for access requests. Audit failures and regulatory risk. Solutions Automate deactivation based on SoR (HR). Review and remediate excessive access (certification). Block requests that would violate SoD. Analyze entitlements to find policy violations, high risk users. Automatically route access requests to appropriate stake-holders Hitachi ID Systems, Inc. All rights reserved. 3

4 4.2 Access administration cost Challenges Multiple FTEs required to setup, deactivate access. Additional burden on platform administrators. Audit requests can add significant strain. Solutions Automate access setup, tear-down in response to changes in systems of record (SoRs). Simple, business-friendly access request forms. Route requests to authorizers automatically. Automate fulfillment where possible. Help auditors help themselves: With certification, auditors focus on process, not entitlements. Reports and analytics. 4.3 Access changes take too long Challenges Approvers take too long. Too many IT staff required to complete approved requests. Service is slow and expensive to deliver. Solutions Automatically grant access: Where predicted by job function, location,... Eliminate request/approval process where possible. Streamline approvals: Automatically assign authorizers, based on policy. Invite participants simultaneously, not sequentially. Enable approvals from smart-phone. Pre-emptively escalate when stake-holders are out of office. Automate fulfillment where possible Hitachi ID Systems, Inc. All rights reserved. 4

5 4.4 Access requests are too complicated Challenges Requesting access is complex: Where is the request form? What access rights do I need? How do I fill this in? Who do I send it to, for approval? Complexity creates frustration. Solutions Auto-assign access when possible. Simplify request forms. Intercept "access denied" errors: Navigate lead users to appropriate request forms. Compare entitlements: Help requesters select entitlements. Compare recipient, model user rights. Select from a small set of differences. Automatically assign authorizers based on policy. 4.5 Too many groups Challenges Too many security groups and mail distribution lists. Groups represent business functions but are only manageable by IT. Hard to tell whether membership and access are appropriate. Assigning privileges is complex and costly. Groups and memberships persist long after needed. Solutions Empower business users to create, manage groups directly. Apply policy to requests, naming, metadata. Make groups and memberships temporary where possible. Calculate group membership where there is supporting data. Use request/approval and review/revoke workflows to clean up. Apply analytics to find too-small, too-large, overlapping, etc. 5 Hitachi ID Password Manager 2018 Hitachi ID Systems, Inc. All rights reserved. 5

6 5.1 Too many passwords Challenges Users have too many passwords. Write them on sticky notes. Forget and call the help desk. Pick trivial, insecure values. Solutions Synchronize passwords. Reduce to 1 or a few. Easier to remember. Less likely to write down. Opportunity to mandate stronger passwords. 5.2 Help desk call volume Challenges Users forget their passwords. Lock themselves out. Highest volume incident type. Peak volume at start of week. Solutions Self-service password reset. Clear intruder lockouts. PIN resets and emergency pass-codes for tokens Hitachi ID Systems, Inc. All rights reserved. 6

7 5.3 Automated user enrollment Challenges Self service depends on non-password credentials: Security questions. Mobile phone number. Personal address. App on smart phone. This data rarely exists prior to deployment. New hires must enroll too. ROI depends on user adoption: Users tend to ignore invitations. Solutions Identify users with incomplete profiles. Invite them to sign up. Send reminders with increasing urgency: . Open browser at login time. Forced enrollment (full screen, locked browser.) Throttle invitations: Per user (e.g., once a week). Overall (e.g., 500/day). 5.4 Password reset from difficult contexts Challenges Users have trouble logging in: Forget their password. Trigger an intruder lockout. User context can complicate assistance: Pre-boot? No OS yet! Login screen? How to navigate to self-service? Off-site? Locally cached password. Solutions Pre-boot: Smart phone app or voice call to access service. Encrypted drive unlock. Windows login screen: Credential Provider extends the Windows login UI. Smart phone app or voice call. Secure kiosk account if client software is a problem. VPN integration: Update locally cached password for off-site users Hitachi ID Systems, Inc. All rights reserved. 7

8 5.5 Need consistently strong authentication Challenges Few apps natively support multi-factor logins. Mandate strong authentication before self-service password reset. Solutions Offer 2FA to all users: PIN to phone/ . Smart phone app. Existing OTP. Browser fingerprint (reduces the nuisance of 2FA). Built into Hitachi ID Suite Leverage existing 2FA if available. Introduce zero-cost 2FA otherwise. Extend 2FA to other apps via federation: Hitachi ID Password Manager includes a built-in SAML IdP 6 Recorded Demos 6.1 Access request (new contractor) Animation:../../pics/camtasia/v10/hiim-onboarding-contractor-original-resolution.mp4 6.2 Create group Animation:../../pics/camtasia/suite11/higm-group-create.mp4 6.3 Access review by managers Animation:../../pics/camtasia/suite11/org-cert.mp4 6.4 Intercept Access denied dialogs Animation:../../pics/camtasia/suite11/higm-A-request-folder.mp Hitachi ID Systems, Inc. All rights reserved. 8

9 6.5 Compare user entitlements Animation:../../pics/camtasia/v10/hiim-model-after-ui.mp4 6.6 Mobile request approval Animation:../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4 6.7 Actionable analytics: Disable orphans Animation:../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4 6.8 Password reset with WiFi, VPN and 2FA Animation:../../pics/camtasia/v10/hipm-ssa-windows-10.mp4 6.9 Federated access launchpad Animation:../../pics/camtasia/v10.1/federated-launchpad.mp Activate Mobile Access app Animation:../../pics/camtasia/suite11/enable-mobile-device-1.mp Unlock pre-boot password Animation:../../pics/camtasia/v10/mcafee-drive-encryption.mp Add contact to phone Animation:../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4 7 Technology 2018 Hitachi ID Systems, Inc. All rights reserved. 9

10 7.1 Active-active architecture Native password change Password synch trigger systems SaaS apps AD, Unix, z/os, LDAP, iseries Validate pw z/os - local agent Mobile UI Mobile proxy Manage Cloud IVR server TCP/IP + AES VPN server Various protocols Secure native protocol HTTPS Reverse web proxy system Load balancers MS SQL databases Notifications and invitations Ticketing system Hitachi ID servers Tickets HR Hitachi ID servers Replication System of record Firewalls Managed endpoints with remote agent: AD, SQL, SAP, Notes, etc Data center A Data center B Remote data center Proxy server (if needed) Managed endpoints 2018 Hitachi ID Systems, Inc. All rights reserved. 10

11 7.2 Key architectural features BYOD enabled On premises and SaaS SaaS apps Cloud Replicated across data centers Horizontal scaling Load balanced TCP/IP + AES Various protocols Secure native protocol Reach across firewalls Data center A Data center B Remote data center HTTPS 7.3 Internal architecture Multi-master, active-active out of the box. Built-in data replication between app nodes: Fault tolerant. Secure - encrypted. Reliable - queue and retry. App nodes need and should not be co-located. Native, 64-bit code: 2x faster than.net. 10x faster than Java. Stored procedures: For all data lookups, inserts. Fast, efficient. Eliminates client/server chatter. Modern crypto: AES-256, SSHA Hitachi ID Systems, Inc. All rights reserved. 11

12 7.4 BYOD access to on-premises IAM system The challenge Users want access on their phones. Phone on the Internet, IAM on-prem. Don t want attackers probing IAM from Internet. Hitachi ID Mobile Access Install + activate ios, Android app. Proxy service on DMZ or cloud. IAM, phone both call the proxy - no firewall changes. IAM not visible on Internet. Internet Personal device Firewall Firewall IAM server (2) HTTPS request: Includes userid, deviceid Outbound connections only DMZ (1) Worker thread: Give me an HTTP request Private corporate network Cloud proxy (3) Message passing system 2018 Hitachi ID Systems, Inc. All rights reserved. 12

13 7.5 Included connectors Directories: Databases: Server OS X86/IA64: Server OS Unix: Server OS Mainframe: Active Directory and Azure AD; any LDAP; NIS/NIS+ and edirectory. Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC. Windows: NT thru 2016; Linux and *BSD. Solaris, AIX and HP-UX. RAC/F, ACF/2 and TopSecret. Server OS Midrange: ERP, CRM and other apps: Messaging & collaboration: Smart cards and 2FA: Access managers / SSO: iseries (OS400); OpenVMS and HPE/Tandem NonStop. Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic. Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity. Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger. CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign. Help desk / ITSM: PC filesystem encryption: Server health monitoring: HR / HCM: Extensible / scriptable: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell. Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard. HP ilo, Dell DRAC and IBM RSA. WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors. Hypervisors and IaaS: Mobile management: Network devices: Filesystems and content: SIEM: AWS; vsphere and ESXi. Management & inventory: Qualys; McAfee epo and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack. BlackBerry Enterprise Server and MobileIron. 7.6 Integration with custom apps Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform. Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter. CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python. Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events. Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes. Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID Hitachi ID Systems, Inc. All rights reserved. 13

14 7.7 HiTPM: self-service via phone call Self-contained: Hitachi ID Phone Password Manager runs on a Windows server with a Dialogic phone card or with HMP software Dialogic solution. No IVR software is required. Integrated with Hitachi ID Password Manager: Manage user enrollment. Map network login ID to digits. HiPM ties to target systems. Flexible: Fully scriptable and can implement any call logic. Multi-lingual: just record more voice prompts. The default call logic is powerful and easy to customize. Scalable: Multiple load balanced HiTPM servers. Multiple load balanced HiPM servers. 7.8 Language support The Hitachi ID Password Manager UI can be rendered in many languages: Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves. 8 Implementation 2018 Hitachi ID Systems, Inc. All rights reserved. 14

15 8.1 Hitachi ID professional services Hitachi ID offers a complete range of services relating to Hitachi ID Suite, including: Needs analysis and solution design. Fixed price system deployment. Project planning. Roll-out management, including maximizing user adoption. Ongoing system monitoring. Training. Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and have years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers. All implementation services are fixed price: Solution design. Statement of work. 8.2 ID Express Before reference implementations: Every implementation starts from scratch. Some code reuse, in the form of libraries. Even simple business processes have complex boundary conditions: Onboarding: initial passwords, blocking rehires. Termination: scheduled vs. immediate, warnings, cleanup. Transfers: move mailboxes and homedirs, trigger recertification. Complex processes often scripted. Delay, cost, risk. With Hitachi ID Identity Express: Start with a fully configured system. Handles all the basic user lifecycle processes out of the box. Basic integrations pre-configured (HR, AD, Exchange, Windows). Implementation means "adjust as required" not "build from scratch." Configuration is fully data driven (no scripts). Fast, efficient, reliable Hitachi ID Systems, Inc. All rights reserved. 15

16 8.3 Identity Express - Corporate Edition Integrations: SQL-based HR SoR. AD domain Exchange domain (mailboxes) Windows filesystem (homedirs) Entitlements: Login IDs. Group memberships. Roles. User communities: Employees. Contractors/other. Configuration: Based on user classes, rules tables and lookup tables. Near-zero script logic. Automation: Onboard/deactivate based on SoR. Identity attribute propagation. Self-service: Password, security question management. Update to contact info. Request for application, share, folder access. Delegated admin: Same as self-service, plus recert. Approval workflows: IT security (global rights). HR/managers (approve for each-other). Recertification: Scheduled. Ad-hoc. 9 Differentiation 2018 Hitachi ID Systems, Inc. All rights reserved. 16

17 9.1 HiIM differentiation (1/3) Feature Details Competitors Hitachi ID Identity Express Pre-configured processes, policies. Full implementation or menu of components. Rich processes. Faster deployment. Low implementation risk. Slow, risky deployment. Never get around to J/M/L process automation. Requester usability Intercept "access denied" errors. Compare entitlements of recipient, model users. Usability aid for requesters. Hard to find request portal. Users don t know how to request access. Low user adoption. Reduced ROI. SoD actually works Hierarchy of roles, groups. Roles can contain groups, more roles. Groups can contain other groups. SoD defined at one level, violation may happen at another. Hitachi ID Identity Manager reliably detects, prevents violations. Fail to detect some violations. Users can bypass controls. False sense of security. Audit failures. Regulatory risk Hitachi ID Systems, Inc. All rights reserved. 17

18 9.2 HiIM differentiation (2/3) Feature Details Competitors Active-active architecture Multiple servers. Load balanced. Geographically distributed. No single point of failure. Scalable. Single points of failure. Costly to scale. Slow to recover from disasters. Smart phone access Android and ios apps. Cloud-hosted proxy. No public URL. Approvals, 2FA, contact download, etc. Require a public URL. Less secure / rarely permitted. No viable BYOD strategy. Impacts security, approval SLA. Actionable analytics Link report output to request input. Automated remediation. Immediate or scheduled. No coding. Fewer reports, analytics. No automated remediation Hitachi ID Systems, Inc. All rights reserved. 18

19 9.3 HiIM differentiation (3/3) Feature Details Competitors Group lifecycle management Included. Absent from most competitors. Governance, provisioning in one product Governance: requests, approvals, certification, SoD, RBAC, analytics. Provisioning: connectors, J/M/L process automation. Single, integrated solution. Some focus on governance (no remediation, no J/M/L process automation). Others focus on provisioning (no certification, limited analytics). Higher total cost. Integration risk. Policies built on relationships Relationships drive all policies in Hitachi ID Identity Manager. Who can a user search for? What data is visible? What changes are requestable? Who will be asked to approve? Escalation path? Hierarchical access controls. Script code for exceptions. Costly, risky. Hard to configure, maintain Hitachi ID Systems, Inc. All rights reserved. 19

20 9.4 HiPM differentiation The most features Always available Manage all credentials: Passwords on directories, servers, apps, DBs. On-premises and SaaS. Pre-boot passwords. Smart cards and tokens. 2FA for all users. Personal password vault. Federated single sign-on (SAML IdP) connectors included. Corporate PCs: Pre-boot unlock screen. Windows/MacOSX login screen. Desktop browser. Smart phone app. Voice call to IVR. At work and off-site. Scalable The best ROI Multi-master, active-active. Load balanced, replicated. Geographically distributed. Multi-lingual. Reduce problem frequency Address root cause. Don t just download problem resolution to users. Managed enrollment to maximize adoption. Rapid deployment, minimal maintenance. 9.5 The leading PM vendor Innovation Ongoing support Low cost Self-Service, Anywhere. Drive unlock via smart phone app or call to IVR. Integrated password wallet. Integrated federated access and SSO. 2FA for everyone. Responsive and skilled customer support. Unattended operation: Auto-discovery. Managed enrollment. Metrics and trend analysis. SIEM, help desk integration. Fixed-price implementation. Minimal need for ongoing maintenance Hitachi ID Systems, Inc. All rights reserved. 20

21 10 Hitachi ID Suite summary Three integrated IAM products, licensed to over 14M users, that can: Discover and connect identities across systems and applications. Securely and efficiently manage identities, groups, entitlements and credentials. Secure and monitor access to privileged accounts. Provide strong authentication and federated sign-on. Improve security to comply with regulations. Reduce IT support cost and improve user productivity. Consolidate management of on-premises and SaaS apps. 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: hitachi-id.com Date: File: PRCS:pres