2 agenda 3 overview - hitachi-id.com– open browser at login time. – forced enrollment (full...
TRANSCRIPT
1 Hitachi ID Suite
Managing the User LifecycleAcross On-Premises andCloud-Hosted Applications
Administration and governance ofIdentities, entitlements and credentials.
2 Agenda
• Hitachi ID Suite• Technology• Implementation• Differentiation
3 Overview
© 2017 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3.1 Hitachi ID Suite
4 Hitachi ID Identity Manager
4.1 Compliance / internal controls
Challenges Solutions
• Slow and unreliable deactivation whenpeople leave.
• Orphan and dormant accounts.• Users with no-longer-needed access.• Access that violates SoD policies or
represents high risk.• Unreliable approvals for access requests.• Audit failures and regulatory risk.
• Automate deactivation based on SoR(HR).
• Review and remediate excessive access(certification).
• Block requests that would violate SoD.• Analyze entitlements to find policy
violations, high risk users.• Automatically route access requests to
appropriate stake-holders.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 2
Slide Presentation
4.2 Access administration cost
Challenges Solutions
• Multiple FTEs required to setup,deactivate access.
• Additional burden on platformadministrators.
• Audit requests can add significant strain.
• Automate access setup, tear-down inresponse to changes in systems of record(SoRs).
• Simple, business-friendly access requestforms.
• Route requests to authorizersautomatically.
• Automate fulfillment where possible.• Help auditors help themselves:
– With certification, auditors focus onprocess, not entitlements.
– Reports and analytics.
4.3 Access changes take too long
Challenges Solutions
• Approvers take too long.• Too many IT staff required to complete
approved requests.• Service is slow and expensive to deliver.
• Automatically grant access:
– Where predicted by job function,location, ...
– Eliminate request/approval processwhere possible.
• Streamline approvals:
– Automatically assign authorizers,based on policy.
– Invite participants simultaneously,not sequentially.
– Enable approvals from smart-phone.– Pre-emptively escalate when
stake-holders are out of office.
• Automate fulfillment where possible.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 3
Slide Presentation
4.4 Access requests are too complicated
Challenges Solutions
• Requesting access is complex:
– Where is the request form?– What access rights do I need?– How do I fill this in?– Who do I send it to, for approval?
• Complexity creates frustration.
• Auto-assign access when possible.• Simplify request forms.• Intercept "access denied" errors:
– Navigate lead users to appropriaterequest forms.
• Compare entitlements:
– Help requesters select entitlements.– Compare recipient, model user
rights.– Select from a small set of
differences.
• Automatically assign authorizers basedon policy.
5 Hitachi ID Password Manager
© 2017 Hitachi ID Systems, Inc. All rights reserved. 4
Slide Presentation
5.1 Too many passwords
Challenges Solutions
• Users have too many passwords.• Write them on sticky notes.• Forget and call the help desk.• Pick trivial, insecure values.
• Synchronize passwords.• Reduce to 1 or a few.• Easier to remember.• Less likely to write down.• Opportunity to mandate stronger
passwords.
5.2 Help desk call volume
Challenges Solutions
• Users forget their passwords.• Lock themselves out.• Highest volume incident type.• Peak volume at start of week.
• Self-service password reset.• Clear intruder lockouts.• PIN resets and emergency pass-codes for
tokens.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 5
Slide Presentation
5.3 Automated user enrollment
Challenges Solutions
• Self service depends on non-passwordcredentials:
– Security questions.– Mobile phone number.– Personal e-mail address.– App on smart phone.
• This data rarely exists prior todeployment.
• New hires must enroll too.• ROI depends on user adoption:
– Users tend to ignore invitations.
• Identify users with incomplete profiles.• Invite them to sign up. Send reminders
with increasing urgency:
– E-mail.– Open browser at login time.– Forced enrollment (full screen,
locked browser.)
• Throttle invitations:
– Per user (e.g., once a week).– Overall (e.g., 500/day).
5.4 Password reset from difficult contexts
Challenges Solutions
• Users have trouble logging in:
– Forget their password.– Trigger an intruder lockout.
• User context can complicate assistance:
– Pre-boot? No OS yet!– Login screen? How to navigate to
self-service?– Off-site? Locally cached password.
• Pre-boot:
– Smart phone app or voice call toaccess service.
– Mediate filesystem unlock.
• Windows login screen:
– Credential Provider extends theWindows login UI.
– Smart phone app or voice call.– Secure kiosk account if client
software is a problem.
• VPN integration:
– Update locally cached password foroff-site users.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 6
Slide Presentation
5.5 Need consistently strong authentication
Challenges Solutions
• Few apps natively support multi-factorlogins.
• Mandate strong authentication beforeself-service password reset.
• Offer 2FA to all users:
– PIN to phone/email.– Smart phone app.– Existing OTP.– Browser fingerprint (reduces the
nuisance of 2FA).
• Built into Hitachi ID Suite
– Leverage existing 2FA if available.– Introduce zero-cost 2FA otherwise.
• Extend 2FA to other apps via federation:
– Hitachi ID Password Managerincludes a built-in SAML IdP
6 Hitachi ID Privileged Access Manager
6.1 Passwords to privileged accounts
Challenges Solutions
• Shared accounts with elevated privileges.• Static passwords:
– Long window of opportunity forattackers.
• Passwords known to many people:
– No accountability for use.– Departed workers still have access?
• Randomize passwords:
– No longer shared or static.
• Store values in a vault:
– Control access to accounts bylimiting access to passwords.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 7
Slide Presentation
6.2 Accountability for use of elevated privileges
Challenges Solutions
• Who used this account?• What changes were made?• Was use of the access reasonable?• Did anything break?• Was security compromised?
• Personally identify users prior to access.• Require strong, multi-factor
authentication.• Authorize access:
– Pre-approved for system admins.– One-time approval for infrequent
users.
• Audit activity:
– Access event.– Session recording.
6.3 Grant access only temporarily, when needed
Challenges Solutions
• Granting permanent access increasesrisks:
– Abuse.– Accidents.– Malware.
• Better to grant access:
– On-demand.– For short periods.– Only when required.
• Randomize passwords after use.• Launch sessions and inject current
credentials.• Do not disclose passwords to users:
– Users can’t share what they don’tknow.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 8
Slide Presentation
6.4 Multiple ways to grant access
Challenges Solutions
• Different tasks call for different tools.• Alternatives to the standard mechanism:
– Shared accounts.– Randomized passwords in a vault.– SSO with password injection.
• Grant multiple credentials at once.
• Multiple types of access disclosure.• Group sets:
– Temporarily grant one or more groupmemberships.
– Elevate rights of an existing,personal ID.
• SSH trust:
– Temporary trust relationship.– Add user’s public SSH key to
privileged account’s.ssh/authorized_keys file.
• Account sets:
– Check out multiple accounts at once.– Named accounts or search results.– Single request, single approval.– Launch multiple logins.– Run script across accounts (SIMD).
6.5 Scaling up: thousands of assets, many types
Challenges Solutions
• Admin accounts on every asset.• Windows, Unix, Linux, network device,
hardware monitor, laptops, databases,apps, midrange, mainframe, ...
• On-premise and cloud.• Fixed and moveable/personal assets.• Number of assets = 2X or 3X head-count.• Security is only as good as the weakest
link.
• Connectors to various kinds of systems.• Auto-discovery to find them.• Import rules to manage them.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 9
Slide Presentation
6.6 Connectivity challenges
Challenges Solutions
• 3 communication paths:
– User to PAM.– PAM to managed system.– User to managed system.
• Each path could be blocked:
– Systems behind firewalls or NAT.– Unroutable addresses.– DNS names that do not resolve.– Laptops move and get powered
down.
• PAM to endpoint:
– Direct connection.– PAM to proxy, proxy to endpoint.
• User to endpoint:
– Direct to target (launch admin UI,inject creds).
– RDP to proxy, any protocol to target.– HTML5 to proxy, SSH or RDP to
target.
• Endpoint to PAM:
– Local service calls home.– Suitable for laptops, VMs.
User
Managed
endpoint
PAM
server
?
?
?
6.7 High availability / minimal down-time
Challenges Solutions
• Consider what happens in a physicaldisaster:
– Vault recovery time delays recoveryof all other services.
• Have to recover the vault first:
– Cannot afford delays in vaultrecovery.
• Human intervention in recovery would addtoo much delay.
• The system must survive disasters.• Requirements:
– Real-time data replication.– Geographically distributed.– Active-active architecture.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 10
Slide Presentation
6.8 Non-human users of privileged accounts
Challenges Solutions
• Service accounts are used to runprocesses.
• Scripts and applications use embeddedpasswords to connect to databases andother services.
• These accounts also have high privilege.• Non-human account passwords may be:
– Plaintext, static or well-known
• Discover service accounts.• Randomize and vault passwords;
– Inject new passwords into servicesubscribers.
• Expose an API to retrieve passwords.
– Fingerprint applications toauthenticate them.
7 Technology
© 2017 Hitachi ID Systems, Inc. All rights reserved. 11
Slide Presentation
7.1 Multi-master architecture
“Cloud”
Reverse
web
proxyVPN server
IVR server
Load
balancers
system
Ticketing
system
HR
Hitachi ID
servers
Hitachi ID
servers
Firewalls
Proxy server
(if needed)
Mobile
proxy
SaaS apps
Managed
endpoints
Managed endpoints
with remote agent:
AD, SQL, SAP, Notes, etc
z/OS - local agent
MS SQL databases
Password synch
trigger systems
Native password
change
ManageMobile UI
AD, Unix, z/OS,
LDAP, iSeries
Validate pw
Replication
System of
record
Tickets
Notifications
and invitations
Data c
enter A
Data c
enter B
Remote
data
cente
r
TCP/IP + AES
Various protocols
Secure native protocol
HTTPS
© 2017 Hitachi ID Systems, Inc. All rights reserved. 12
Slide Presentation
7.2 Key architectural features
“Cloud”
SaaS apps
Data c
enter A
Data c
enter B
Remote
data
cente
r
TCP/IP + AES
Various protocols
Secure native protocol
HTTPS
Reach across firewalls
Load balanced
On premises and SaaS
BYOD enabled
Replicated across data centers
Horizontal scaling
7.3 Internal architecture
• Multi-master, active-active out of the box.• Built-in data replication between app nodes:
– Fault tolerant.– Secure - encrypted.– Reliable - queue and retry.– App nodes need and should not be co-located.
• Native, 64-bit code:
– 2x faster than .NET.– 10x faster than Java.
• Stored procedures:
– For all data lookups, inserts.– Fast, efficient.– Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512
© 2017 Hitachi ID Systems, Inc. All rights reserved. 13
Slide Presentation
7.4 BYOD access to on-premises IAM system
The challenge Hitachi ID Mobile Access
• Users want access on their phones.• Phone on the Internet, IAM on-prem.• Don’t want attackers probing IAM from
Internet.
• Install + activate iOS, Android app.• Proxy service on DMZ or cloud.• IAM, phone both call the proxy - no
firewall changes.• IAM not visible on Internet.
Outbound connections only
DMZ Private corporate
network
Personal
device
FirewallFirewall
Internet
(3)
Message passing system
(1)
Worker thread:
“Give me an HTTP
request”
(2)
HTTPS request:
“Includes userID,
deviceID”
IAM server
Cloud
proxy
© 2017 Hitachi ID Systems, Inc. All rights reserved. 14
Slide Presentation
7.5 Included connectors
Many integrations to target systems included in the base price:
Directories:Any LDAP, Active Directory,NIS/NIS+.
Servers:Windows NT, 2000, 2003,2008[R2], 2012[R2], Samba.
Databases:Oracle, Sybase, SQL Server,DB2/UDB, Informix, MySQL,Hyperion, Cache, ODBC.
Unix:Linux, Solaris, AIX, HPUX, 24more variants.
Mainframes, Midrange:z/OS: RACF, ACF2,TopSecret. iSeries,OpenVMS.
HDD Encryption:McAfee, CheckPoint,BitLocker, PGP.
ERP:JDE, Oracle eBiz,PeopleSoft, PeopleSoft HR,SAP R/3 and ECC 6, Siebel,Business Objects.
Collaboration:Lotus Notes, iNotes,Exchange, SharePoint,BlackBerry ES.
Tokens, Smart Cards:RSA SecurID, SafeWord,Vasco, ActivIdentity,Schlumberger, RADIUS.
WebSSO:CA Siteminder, IBM TAM,Oracle AM, RSA AccessManager.
Help Desk:ServiceNow, BMC Remedy,SDE, HP SM, CA Unicenter,Assyst, HEAT, Altiris, Clarify,RSA Envision, Track-It!, MSSystem Center
Cloud/SaaS:WebEx, Google Apps, MSOffice 365, Success Factors,Salesforce.com, SOAP.
8 Implementation
© 2017 Hitachi ID Systems, Inc. All rights reserved. 15
Slide Presentation
8.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Suite, including:
– Needs analysis and solution design.– Fixed price system deployment.– Project planning.– Roll-out management, including maximizing user adoption.– Ongoing system monitoring.– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.• The Hitachi ID professional services team is highly technical and have years of experience deploying
IAM solutions.• Hitachi ID partners with integrators that also offer business process and system design services to
mutual customers.• All implementation services are fixed price:
– Solution design.– Statement of work.
8.2 ID Express
Before reference implementations:
• Every implementation starts fromscratch.
• Some code reuse, in the form oflibraries.
• Even simple business processes havecomplex boundary conditions:
– Onboarding: initial passwords,blocking rehires.
– Termination: scheduled vs.immediate, warnings, cleanup.
– Transfers: move mailboxes andhomedirs, trigger recertification.
• Complex processes often scripted.• Delay, cost, risk.
With Hitachi ID Identity Express:
• Start with a fully configured system.• Handles all the basic user lifecycle
processes out of the box.• Basic integrations pre-configured (HR,
AD, Exchange, Windows).• Implementation means "adjust as
required" not "build from scratch."• Configuration is fully data driven (no
scripts).• Fast, efficient, reliable.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 16
Slide Presentation
9 Differentiation
9.1 Hitachi ID Competitors
Tier-1
Tier-2
Boutique
Overlap Technology
9.2 Hitachi ID Suite differentiation
Suite IAM PM PAM
• Multi-master,active-activearchitecture.
• Geographicallydistributed.
• BYOD access,no public URL.
• 2FA included forall users.
• Single codebase, singleinstance.
• Usabilityfeatures:model-after,interceptingaccess-deniederrors.
• Actionableanalytics:feedback fromreport torequest.
• Reference im-plementations:low risk, rapiddeployment,early ROI.
• Pre-bootfilesystemunlock.
• PC login promptaccess,includingoff-site.
• BYOD access.• Federated SSO
included.• Personal vault
included.• Managed
enrollment, highROI.
• 3 disclosuremethods:Direct launch,VDI proxy,HTML proxy.
• Scalableauto-discovery,auto-management.
• Check out SSHtrust, groupmembership,multipleaccounts, notjust singlepasswords.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 17
Slide Presentation
10 HIDS/HDS Collaboration
10.1 Recent deals in partnership with HDS
Customer Product Value Status Region and HDS rep
Infosys PAM USD 1M Closed/won India / Ranganath Shenoy
Blue Cross Blue ShieldAlabama
PM USD 250k Closed/won USA SE / Bruce Gilland
Orange Lake Resorts IM+PM USD 250k Closed/won USA SE / Brian Temple +Lumenate
LL.Bean IM+PM USD 500k Evaluation USA NE / Michael Maguire
B&H Photo Suite USD 700k Legal review NYC / Joseph Lauricella
Canadian Nuclear SafetyCommission
IM+PM USD 500k Early eval Canada / Trevor Platthy
11 Hitachi ID Suite summary
• Three integrated IAM products, used by over 14M users, that can:
– Discover and connect identities across systems and applications.– Securely and efficiently manage entitlements and credentials.– Secure and monitor access to privileged accounts.
• Improve security to comply with regulations.• Reduce IT support cost and improve user productivity.• Consolidate management of on-premises and SaaS apps.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
Date: 2017-07-24 | 2017-07-24 File: PRCS:pres