1 Hitachi ID Access Certifier. 2 Agenda. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Hitachi ID Access Certifier Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Periodic review and cleanup of security entitlements. 2 Agenda Hitachi ID corporate overview. Hitachi ID Suite overview. The regulatory environment. The Access Certifier solution Hitachi ID Systems, Inc. All rights reserved. 1

2 3 Hitachi ID corporate overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Global partner network Hitachi ID Systems, Inc. All rights reserved. 2

3 4 Representative customers 2018 Hitachi ID Systems, Inc. All rights reserved. 3

4 5 Hitachi ID Suite 2018 Hitachi ID Systems, Inc. All rights reserved. 4

5 6 Regulatory environment Legislation requiring effective corporate governance and privacy protection impacts organizations world-wide. Sarbanes-Oxley SAS 70 Requires that publicly traded companies comply with the proper reporting of financial information and control access to this information. Allows service organizations to disclose their control activities and processes to their customers and their customers auditors in a uniform reporting format. HIPAA The Health Insurance Portability and Accountability Act of CFR11 GLB PIPEDA GDPR Electronic signature and system protection regulations by the FDA. Applies to financial institutions and securities firms, aimed at protecting the privacy of customer data. The Canadian Personal Information Protection and Electronics Document Act. Supersedes 2002/58/EC. Sets requirements for handling personally identifiable information including the right to be forgotten. These regulations call for better internal controls and a policy of least-privilege. 7 IAM is linked to regulations Many regulations, in many jurisdictions, call for internal controls: This implies effective AAA: Authentication, Authorization and Audit. Every system already has AAA. The weakness is bad user/access data. The missing link is business process: Appropriate access rights. Timely access termination. Effective authentication. Identity and access management process and technology are needed to bridge the gap between business requirements and AAA infrastructure Hitachi ID Systems, Inc. All rights reserved. 5

6 8 Compliance architecture Shared architecture to meet regulatory requirements: Externalize administration and governance of identities and entitlements. User-centric, not application-centric processes. Authentication Authorization Audit Infrastructure Password management. Federation. Multi-factor login. Privileged access management. Automatic deactivation. SoD policy enforcement. Request forms, approvals workflow. ID mapping. Access certification, remediation. Analytics reports. Perimeter defense. Anti-malware. DLP. SIEM. 9 Users accumulate access rights Over time, users change roles/responsibilities: Users change jobs, departments and locations. There are many users, each with access to many systems. With each transition, users accumulate entitlements: From what? There is no record of every right a user had before, so old rights are not removed. To what? Without a role model, it is impossible to say which of a user s old rights should stay and which should go. When? A reassigned user may back up his replacement for a while, so must retain old rights for an undefined period of time Hitachi ID Systems, Inc. All rights reserved. 6

7 10 Access certification Access Certifier automates periodic review and cleanup of entitlements: Leverages org-chart data. Delegates access review, cleanup and certification to managers. Automated reminders to managers and other stake-holders. Stake-holders review entitlements on a web form. Entitlements are either certified or flagged for removal. Stake-holders must sign off on completed reviews. 11 HiAC features Access Certifier automates periodic review and cleanup of user entitlements: Capture: Auto-discovery creates a clear picture of the actual state of user entitlements across the enterprise. Leverage org-chart: Management relationships can be used to structure a certification round. Allows delegation of access review, cleanup and certification to managers. Notify: Automated reminders to managers, app owners and other stake-holders. Certify: Entitlements are either certified or flagged for removal. Sign off: Stake-holders must sign off on completed reviews. Action: Upon approval (if required), the offending entitlements are automatically removed and the user is brought back into compliance. Report: Full reports to satisfy audit requests are available Hitachi ID Systems, Inc. All rights reserved. 7

8 12 Accountability up the org-chart Managers cannot sign off until all subordinate managers have signed off. Creates a chain of accountability, flowing up the org-chart. Managers are blocked from sign-off until their subordinate managers finish their own reviews. Creates downward pressure throughout the organization to complete the review process. Effective, low cost manager motivation. 13 Unique capabilities of HiAC Access Certifier can be used to review more than just entitlements assigned to users: Org-building campaigns: Managers are invited to review a list of their subordinates, add any that are missing and transfer those who have moved on. Attribute cleanup: Users or their managers can review and correct identity attributes, such as department codes, cost centers and more. Group hierarchy: Group owners can review and remediate not only what users are members of their groups, but also the parent/child group hierarchy. Policy violations: Policy owners and managers can review violations to segregation of duties (SoD) policies and either revoke contributing entitlements or request approved exceptions. RBAC and SoD policy: Owners of configuration objects can review the entitlements includes in roles and SoD rules and make adjustments as required. Automated remediation: Remediation requests that originate from reviews go through workflow, may require approvals and ultimately fire connectors, which make corrections on target systems automatically Hitachi ID Systems, Inc. All rights reserved. 8

9 14 Summary Access Certifier gives CFOs and CEOs assurance of compliance with privacy and governance regulations: Internal controls require clean data about users. Improve security by finding and removing orphan and dormant accounts. Eliminate unneeded login IDs and security rights left over after users changed jobs. Actively engage all managers in a periodic review process. Motivate managers to complete the process. This is accomplished quickly, without resorting to role engineering. Learn more at Hitachi-ID.com.... or... access-certifier@hitachi-id.com 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com hitachi-id.com Date: File: PRCS:pres