1 Hitachi ID Password Manager. 2 Agenda. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Hitachi ID Password Manager Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Integrated credential management: Passwords, security questions, certificates, tokens, smart cards and biometrics. 2 Agenda Hitachi ID corporate overview. Hitachi ID Suite overview. Password problems and Hitachi ID Password Manager benefits. The HiPM solution. Software demonstration Hitachi ID Systems, Inc. All rights reserved. 1

2 3 Hitachi ID corporate overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Global partner network Hitachi ID Systems, Inc. All rights reserved. 2

3 4 Representative customers 5 Hitachi ID Suite 2017 Hitachi ID Systems, Inc. All rights reserved. 3

4 6 PM differentiators Built-in Functionality: HiPM Password synchronization Password and PIN reset. Encrypted filesystem unlock. Manage tokens, smart cards. Update locally cached passwords. Others Password reset. A few offer synchronization. Always available: PC web browser, smart phone. PC login screen. Phone call. At work and off-site PC web browser. PC login screen. Only at work. Enhance security: 2FA for all users, no cost. Federated access (secure other apps). Personal password vault. Security questions, maybe SMS/PIN. Integrations: 120+ target types. 10+ ITSM ("ticketing") systems. Typically 1 to 10 connectors. No ticketing integration. Scalability: Multi-master, active-active, replicated. Load balanced, geographically distributed. Automatically discover users, manage enrollment. Single server, single location. Hope users enroll after a big mail blast Hitachi ID Systems, Inc. All rights reserved. 4

5 7 Problem: Too Many Passwords Every login account has its own: Password value. User interface. Strength rules. Expiration date. Password complexity creates business problems: High call volume : Users forget or lock out their passwords. This can be 30% of help desk workload. Sticky notes : Users write down their passwords and may leave them in public view. Bad passwords : Users choose simple, easily guessed passwords. 8 The HiPM Solution Hitachi ID Password Manager addresses the problems that arise from password complexity: Cost savings from simplified password management, rapid deployment, low TCO and fast ROI. Improved security from strong authentication, policy enforcement. Scalability to hundreds of thousands of users. Flexibility to integrate with existing infrastructure. 9 Problem: Password Management Costs End users: Support analysts: System administrators: Lose productivity when they have trouble logging in. Spend much of their time resolving password problem calls. Must be staffed for peak volume after holidays. Resolve escalated password problems Hitachi ID Systems, Inc. All rights reserved. 5

6 10 HiPM Cost Savings Synchronization: Self-service reset: Eliminates 60% to 90% of password problems. When adopted by 40% to 70% of users, diverts problem resolution away from the help desk. Assisted reset: Shortens remaining password reset HD calls by 50% or more, to about 1 minute/call. 11 Problem: Password Security Policy: Authentication: Delegation: Accountability: Encryption: Users prefer easily guessed passwords, write and share passwords. Weak caller authentication prior to HD password resets. Support staff require too many administrative logins. For support staff who perform resets. Passwords should not be sent or stored in the clear. 12 HiPM Security Benefits Policy: Synchronization: Authentication: Delegation: Accountability: Encryption: Hitachi ID Password Manager can enforce over 50 password rules, on every system. No need to write down multiple passwords. Users are identified before being allowed a HD password reset. Support staff no longer require administrative credentials. All password-related events logged. Sensitive data is sent and stored encrypted Hitachi ID Systems, Inc. All rights reserved. 6

7 13 The Hitachi ID Solution is Flexible Customize: Every aspect of the user interface Integrate with: Enforce: 120+ target system types Call tracking systems HR systems Authentication hardware Meta directories IVR servers Password policy Authentication rules 2017 Hitachi ID Systems, Inc. All rights reserved. 7

8 ! ( ' Slide Presentation 14 User Interface Flowchart # $ ) + # "! * + # ) "! $ & % 2017 Hitachi ID Systems, Inc. All rights reserved. 8

9 15 Included connectors Directories: Databases: Server OS X86/IA64: Server OS Unix: Server OS Mainframe: Active Directory and Azure AD; any LDAP; NIS/NIS+ and edirectory. Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC. Windows: NT thru 2016; Linux and *BSD. Solaris, AIX and HP-UX. RAC/F, ACF/2 and TopSecret. Server OS Midrange: ERP, CRM and other apps: Messaging & collaboration: Smart cards and 2FA: Access managers / SSO: iseries (OS400); OpenVMS and HPE/Tandem NonStop. Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic. Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity. Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger. CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign. Help desk / ITSM: PC filesystem encryption: Server health monitoring: HR / HCM: Extensible / scriptable: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell. Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard. HP ilo, Dell DRAC and IBM RSA. WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors. Hypervisors and IaaS: Mobile management: Network devices: Filesystems and content: SIEM: AWS; vsphere and ESXi. Management & inventory: Qualys; McAfee epo and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack. BlackBerry Enterprise Server and MobileIron. Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform. Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter. CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python. Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events. 16 Rapid integration with custom apps Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes. Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID Hitachi ID Systems, Inc. All rights reserved. 9

10 17 Active-active architecture Native password change Password synch trigger systems SaaS apps AD, Unix, z/os, LDAP, iseries Validate pw z/os - local agent Mobile UI Mobile proxy Manage Cloud IVR server TCP/IP + AES VPN server Various protocols Secure native protocol HTTPS Reverse web proxy system Load balancers MS SQL databases Notifications and invitations Ticketing system Hitachi ID servers Tickets HR Hitachi ID servers Replication System of record Firewalls Managed endpoints with remote agent: AD, SQL, SAP, Notes, etc Data center A Data center B Remote data center Proxy server (if needed) Managed endpoints 2017 Hitachi ID Systems, Inc. All rights reserved. 10

11 18 Scalability and fault-tolerance Multiple, load-balanced Hitachi ID Password Manager servers: Active/active architecture. Data replication between nodes: Built-in, easy to configure. WAN-friendly (high latency, low bandwidth, insecure channels). Reliable (multiple retry queues). Native code and SQL stored procedures run faster than Java and object persistence frameworks. Proxy servers resolve connection problems: Across firewalls. Over slow, insecure network routes. Large production deployments: 5M users. 130,000 managed systems. 12 load balanced IAM servers. 10,000 completed transactions/hour. 19 Password Synchronization Problem Users have too many passwords: On different systems, with different policies, expiring at different times. Complexity leads users to do bad things: Write down passwords ("sticky notes"). Forget/lock out passwords and call the help desk. Reuse old passwords. Solution Password synchronization pushes password updates from one system to another: Multiple physical passwords. Same value everywhere. Password synchronization allows users to: Remember a single password value. Manage it on a single schedule. Comply with a single password policy Hitachi ID Systems, Inc. All rights reserved. 11

12 20 Transparent password synchronization Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Transparent password synchronization leverages an existing user interface. Users change their passwords natively on: Active Directory. Unix servers. LDAP directories. OS400 / iseries servers. z/os mainframes (RACF, CA-ACF2, CA-TopSecret). Hitachi ID Password Manager enforces a global policy, blocking weak passwords. Approved passwords are synchronized to other accounts belonging to the same user. 21 Web Password Synchronization Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Web password synchronization exposes a new user interface. Access a Web-based password change screen using any browser. Enter a trusted network login ID and password. Select a new password for one or all systems and accounts. Review results from the password update on each system. 22 Prompting Users to Synchronize Users do not volunteer to change their passwords. Hitachi ID Password Manager can identify users who should change their passwords either based on upcoming expiration on a target system, or based on the last HiPM update. Users are asked to change their passwords: By , with an embedded URL to the HiPM server. By a Web browser, automatically opened during the network login script Hitachi ID Systems, Inc. All rights reserved. 12

13 23 Benefits of Password Synchronization Improved user service. Users have fewer password problems, so waste less time with login problems and call the help desk less frequently. New passwords meet global quality standards. All passwords are changed regularly. 24 Self-Service Password Reset Problem Some users continue to forget passwords or trigger lockouts. These users still call the help desk. High call volume is expensive. Solution Self-service password reset enables users to authenticate themselves with something else (a token, biometric, personal questions, etc.) and reset their own password(s). Hitachi ID Password Manager SSPR allows these users to resolve their own problems: This lowers help desk call volume. User service is available 24x7. Accessible via web browser, phone or from the login prompt. 25 Access from Login Prompt Problem Users who forget their network password cannot launch a Web browser to access the self-service password reset application. Solution Secure Kiosk Account (SKA): access to SSPR without client software ("guest" account). GINA service: access to SSPR from UI extension no GINA DLL. Hitachi ID Phone Password Manager: turn-key telephone access to SSPR. Temporary VPN: access to SSPR from outside the corporate network Hitachi ID Systems, Inc. All rights reserved. 13

14 26 Secure Kiosk Account (SKA) Support locked out users without deploying client software. User signs on with the login ID HELP No password is required to sign into the SKA. The SKA account has a special security policy. The policy specifies an alternate to the Windows shell. The Hitachi ID Password Manager shell opens a kiosk-mode Web browser to the self-service password reset Web page. Applies both to on-line and mobile users. Can be used to reset/unlock both local and networked passwords. No browser navigation, controls, border, etc. Closing the browser logs the user off. 27 GINA Extensions Support locked out users without a "generic" domain account: Extend the Windows Graphical Identification and Authentication (GINA) subsystem, which: is responsible for capturing Ctrl-Alt-Del, presents the login screen and handles screen savers. The Windows GINA can be replaced by third-party DLLs, such as: Novell NetWare. Strong authentication products (smart cards, biometrics, etc.). Hitachi ID Password Manager includes two GINA extension approaches, both of them: Launch a kiosk-mode web browser. Run the browser with an unprivileged account. The first is a GINA wrapper DLL that adds a password reset button in the login prompt. The second is a GINA service program that adds a password reset button without modifying the native GINA DLL Hitachi ID Systems, Inc. All rights reserved. 14

15 28 Self-service via phone call Identification options: Numeric ID (e.g., employee number). Numeric mapping of network login ID. Authentication options: Numeric security questions (e.g., driver s license, DoB). Biometric voice print verification. Hardware token. Features: Password reset / unlock. Token PIN reset. Encrypted filesystem unlock. Platform options: Use HiTPM (turn-key system). Extend call logic on an existing IVR, using Hitachi ID Password Manager API. Limitations: Cannot reset PINs on smart cards. Cannot update cached credentials on mobile PCs. 29 Flexible and secure authentication Hardware tokens: generated password + keyed PIN. Biometric: voice print, finger print. PKI: smart cards, software certificates. Challenge/response using: Built-in or external data source. Both user-defined and standard questions. A flexible algorithm to validate answers. Multiple sets of multiple questions. Open architecture: Easily integrate with new authentication systems Hitachi ID Systems, Inc. All rights reserved. 15

16 30 Benefits of Self-Service Password Reset Savings 40% to 70% of users resolve their own problem, and do not call the help desk. Security Stronger authentication prior to password resets. Reset passwords meet quality controls. Detailed audit trail of authentication attempts, resets. 31 Help Desk Password Reset Problem Even with synchronization and self-service password reset, some users continue to call the help desk. These calls can take 5-15 minutes to resolve and cost $25 $35. Solution Assisted password reset shortens password-related support calls. One process and UI handles everything: Authenticate the analyst. Authenticate the caller. Reset multiple passwords. Clear lockouts. Create/close a support incident (ticket). Reduce call duration to about 1 minutes. Lower incident cost. 32 Assisted Password Reset Process Help desk analysts use a Hitachi ID Password Manager Web page to: Login (authenticate the analyst). Look up the caller s record. Authenticate the caller. Reset one or more passwords. Automatically create a ticket in the call tracking system. Call resolution time is reduced to 1 2 minutes. Help desk analysts don t require direct access to target systems Hitachi ID Systems, Inc. All rights reserved. 16

17 33 Incident and integration Open architecture to push event notification to other systems. Simple configuration specifies what events to capture and what actions to take. Binary integration programs are included for: Altiris Assyst BMC Remedy SDE Footprints CA Unicenter Clarify HEAT HP Service Desk ServiceNow Tivoli Track-It! Extensible via SMTP, HTTP(S), XML, ODBC. 34 HiPM Assisted Service Notes Help desk analysts may: Either see, or be required to type answers to caller-authenticating questions. Either reset passwords, or reset-and-expire passwords. Enable or disable caller access to Hitachi ID Password Manager self-service. Be granted the ability to: See or edit answers to security questions. See or edit login ID profiles data. Manage SecurID tokens Hitachi ID Systems, Inc. All rights reserved. 17

18 35 Benefits of Assisted Password Reset Savings Remaining password reset calls are reduced to approximately 1 minute. Security Ensure that callers are always authenticated prior to password resets. Reduce the number of people with administrative rights. Improve accountability for help desk password resets. Enforce password policy over reset passwords Hitachi ID Systems, Inc. All rights reserved. 18

19 36 Impact of password synch vs. reset calls problems 2017 Hitachi ID Systems, Inc. All rights reserved. 19

20 37 RSA SecurID token management Problem Users with RSA SecurID tokens forget their PINs, lose their tokens, require clock synchronization, etc. Solution Users can clear, synchronize or reset their token PINs; synchronize their token clocks; enable/disable their tokens or get emergency access passcodes using the Hitachi ID Password Manager self-service token management feature. 38 Token Management Process Users authenticate with a password. Once authenticated, users can: Enable / disable tokens. Request emergency access codes. Clear / set their PIN. Re-synchronize tokens. 39 Benefits of Token Management Savings Fewer, shorter help desk calls for token problems. Security Fewer people with ACE administration privileges. Stronger authentication prior to token support Hitachi ID Systems, Inc. All rights reserved. 20

21 40 Managed User Enrollment Problem Deployment may require new user profile data: Question/answer pairs for authentication. Login ID reconciliation between systems. Biometric samples (e.g., voice prints). Solution Hitachi ID Password Manager includes a managed enrollment system, which identifies users that need to enroll and invites them to do so. 41 Reconcile Login IDs Between Systems Where login IDs are different on some systems, and there is no existing directory, meta directory, matching attribute or map file to connect them, users can be prompted to "claim" their own IDs: Users sign into a secure Hitachi ID Password Manager registration Web page. Users enter a login ID and password. HiPM finds unallocated instances of the login ID in the identity cache and tries to sign into those target systems with the password the user provided. The login ID / target system ID is added to the user s profile if the password worked. 42 Benefits of Managed Enrollment Savings Simple to setup, low-cost data gathering. Security Secure authentication prior to registration. Collect answers to security questions. Correlate login IDs across all systems. Identify orphan accounts Hitachi ID Systems, Inc. All rights reserved. 21

22 43 Rapid deployment and low TCO Optimized to minimize effort: HiPM: Initial deployment: 1 2 months. Ongoing maintenance: FTE. Using Hitachi ID Password Manager technology: Built-in discovery, mapping of IDs, entitlements. Managed user enrollment (e.g., Q&A). Client software optional. 120 connectors out of the box (more easy to add). 44 Technology advantages Unique features Intercept "Access Denied" errors to simplify requests. Formulate requests by comparing users. Rapid approvals, including from BYOD. Access rights based on relationships. Combine auto- and manual fulfillment. SoD engine actually works. Scalable platform Real-time data replication. Multi-master, active-active. Proxy server to cross firewalls. Native code + stored procedures. Rapid deployment Hitachi ID Identity Express accelerates deployment. Key features built-in: Request forms. Authorization workflow. Access certification. Customers actually automate processes, don t get stuck in "clean up" of legacy data. Integrations 120+ included connectors. Flexible/scriptable connectors. Incident management/ticketing. SIEM Hitachi ID Systems, Inc. All rights reserved. 22

23 45 HiPM Animated Demonstration The following animations illustrate core Hitachi ID Password Manager user interfaces and processes: Security question enrollment: A user authenticates and completes his personal profile of questions and answers. Alias enrollment: A user attaches non-standard login IDs to his profile. Password expiration: A user is invited, via , to change soon-to-expire passwords. Self-service password reset (SSPR) using Secure Kiosk Account: A locked out user resolves his own problem, from the login prompt, without client software deployment. SSPR with GINA Extension: A locked out user resolves his own problem, from the login prompt, using a GINA extension. SSPR with Vista credential provider: A locked out user resolves his own problem, from the login prompt, using a Windows Vista credential provider. Assisted password reset: A help desk analyst signs in with an RSA SecurID token and resets a caller s password. PIN Reset for an RSA SecurID token: A user resets his RSA SecurID token PIN with HiPM. 46 Windows login screen password reset - offsite Animation:../../pics/camtasia/v10/hipm-ssa-windows-10.mp4 47 Locked out Windows user resets own password (no software footprint) Animation:../../pics/camtasia/v10/hipm-pw-reset-ska.mp Hitachi ID Systems, Inc. All rights reserved. 23

24 48 Enrollment of security questions Animation:../../pics/camtasia/v10/hipm-qa-enrollment.mp4 49 Enrollment of non-standard login IDs Animation:../../pics/camtasia/v10/hipm-alias-enrollment.mp4 50 RSA SecurID Self Service Token Support Animation:../../pics/camtasia/v10/hipm-rsa-token-reset.mp4 51 Reminder to change passwords Animation:../../pics/camtasia/v10/hipm-pw-expired- .mp4 52 Assisted Password Reset Animation:../../pics/camtasia/v10/hipm-assisted-pw-reset.mp Hitachi ID Systems, Inc. All rights reserved. 24

25 53 Hitachi ID professional services Hitachi ID offers a complete range of services relating to Hitachi ID Password Manager, including: Needs analysis and solution design. Fixed price system deployment. Project planning. Roll-out management, including maximizing user adoption. Ongoing system monitoring. Training. Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and have years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers. All implementation services are fixed price: Solution design. Statement of work. 54 Hitachi ID solution delivery approach Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running. Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1 3 months. Work is reviewed and payment is due when milestones are met. Open assignment: Templates: Customer portal: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants. Template documents and sample business logic are used to expedite work. A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more Hitachi ID Systems, Inc. All rights reserved. 25

26 55 AdMax: Maximizing User Adoption Successful implementation of an identity and access management system must be supported by an effective user adoption program. AdMax is an Hitachi ID professional services program, used to plan for and execute effective user enrollment projects. AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions, using: Best practices, case studies and industry norms. Enrollment, user adoption and ROI measurement. Incentive and disincentive programs. Presentations and training materials for users and HD staff. Project roles and responsibilities. Sample project plans, promotional materials, s, graphics and other user communications. Workbooks for project implementation. 56 Summary An integrated solution for managing credentials: Immediate security benefit: password policy, help desk caller authentication. Low deployment cost, minimal ongoing investment, significant IT support savings. Always accessible: Web browser on PC, phone or tablet. Windows login prompt. Pre-boot encryption password prompt. Apps on ios, Android. Phone call / IVR. Available at work and while off-site connectors included. Learn more at Hitachi-ID.com/Password-Manager 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com hitachi-id.com Date: File: PRCS:pres