enterprise scale user provisioning with hiim

Upload: hitachiid

Post on 06-Apr-2018


  • 8/3/2019 Enterprise Scale User Provisioning With Hiim

    1/28

    Enterprise Scale User Provisioning

    with Hitachi ID Identity Manager

    2011 Hitachi ID Systems, Inc. All rights reserved.

    http://hitachi.com/
    http://hitachi-id.com/

    This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how Identity Manager addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.

    Contents

    1 Introduction 1
    2 Business Challenges Related to Identity and Privilege Management 2
    3 Shared Infrastructure for Identity Management 2
    4 Streamlined User Provisioning Processes 4
    4.1 User Lifecycle 4
    4.2 Automated Change Propagation 4
    4.3 Change Request Workflow 7
    4.4 Templates and Roles to Simplify Configuration 8
    4.5 Consolidated and Delegated Security Administration 10
    4.6 Enterprise-wide Security Reporting 10
    4.7 Web Services Flexibility 12
    5 Identity Manager Technology 13
    5.1 Network Architecture 13
    5.2 Supported Target Platforms 14
    5.3 Process Integration 16
    5.4 Scalability 17
    5.5 Security 18
    5.6 Rapid Deployment 19
    6 Return on Investment 21
    7 Summary 22
    APPENDICES 23
    A Management Suite Overview 24


    Enterprise Scale User Provisioning with Identity Manager

    1 Introduction

    This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how Hitachi ID Identity Manager addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.

    Identity Manager is the user provisioning component of Hitachi ID Management Suite. Management Suite is described in Appendix A on Page 24.

    The remainder of this document is organized as follows:

    Business Challenges Related to Identity and Privilege Management
    The motivation for deploying Identity Manager.

    Shared Infrastructure for Identity Management
    How the proliferation of systems, each with their own user database, creates an administrative problem, and how consolidating administration of user identity can help.

    Streamlined User Provisioning Processes
    How Identity Manager simplifies management of user identity data across multiple, heterogeneous systems.

    Identity Manager Technology
    The Identity Manager network architecture, and design features that make it scalable, secure and deployable.

    Return on Investment
    A basic ROI model describing how Identity Manager can generate significant cost savings.

    Summary


    2 Business Challenges Related to Identity and Privilege Management

    Several factors combine to make management of users and their security rights a growing challenge for many organizations:

    The number of individual systems and platforms that users must access is large and growing.

    Users are increasingly dependent on systems access: they cannot do their jobs without it.

    Organizations cannot afford additional IT staffing to cope with the growing burden of systems administration. On the contrary, most organizations would prefer to reduce the size of IT as a proportion of organization size.

    These factors lead to the following costly business problems:

    Overloaded administration:
    Access / security administrators are overworked. This leads to staff burn-out and turn-over. Overloaded administrators are prone to make errors, and improperly assign privileges.

    Lost productivity:
    Requests for new access are delayed, and the productivity of users waiting for new access rights is reduced.

    Security risk:
    System access persists even after users change responsibility or leave an organization. This is not only a serious security vulnerability, but can violate regulatory requirements for effective internal controls.

    Hitachi ID Identity Manager is an automated user provisioning solution, designed to address these challenges.

    3 Shared Infrastructure for Identity Management

    Systems administration burden is growing because there are an increasing number of systems to manage, and because almost every system manages user profiles in its own silo. For example, a single (human) user might have a personal profile on the mainframe, an LDAP directory, an e-mail system, an ERP system and elsewhere. Each of these systems is managed separately by different administrators, using different tools.

    The natural solution for this problem is to consolidate information about users (sometimes referred to as user directories or security databases) into a single repository, and configure every system to refer to that single repository as an authoritative system of record regarding user identity.

    This approach has some merit, hence the popularity of LDAP. However, it also has problems:


    Many systems are not compatible with LDAP, and cannot externalize their user/security databases.

    Some systems that can externalize user data can only do so for some attributes, and continue to have internal user profiles, which must still be managed directly.

    Many systems require data about users that is special to them, and would not benefit any other part of the IT infrastructure. If the data storage requirements of every application were added to a single LDAP directory, then the schema would grow to thousands of attributes per user, thus creating new performance, scalability, reliability and management problems.

    Some user-related data is confidential, and does not belong in a shared directory.

    The result of these problems is that while LDAP has helped to slow the proliferation of user databases, organizations continue to require, and must still manage, multiple systems that house data about users.

    Since most organizations continue to have multiple user directories, the next best solution is to implement consolidated processes to manage user objects and access rights across multiple systems.

    Identity Manager is designed to provide a shared set of processes and infrastructure to manage users and access across heterogeneous systems. It implements multiple processes that an organization can use to provision, update and deactivate user access to multiple systems.


    4 Streamlined User Provisioning Processes

    4.1 User Lifecycle

    The basic lifecycle of identity management begins with hiring a user. This business event triggers creation of one or more system login accounts and other user objects (e.g., HR record, phone book entries, etc.).

    Over time, the user will make numerous routine password changes, and may periodically forget his password, and require an administrative password reset on one or more systems.

    As the user moves through an organization, changing job functions and possibly locations, the systems he must access, and his required privileges on those systems, will change.

    Finally, when a user leaves an organization, his access rights must be terminated. In most cases, his login accounts and related data objects persist for a while, until they are no longer required. In many organizations, user identifiers are never reused, to support long-term audit trails.

    Each of the above processes is traditionally handled separately on each system. Each system has its own internal directory of users and its own administration console. Typically, different IT staff manage users, passwords and privileges on different systems.

    Hitachi ID Identity Manager, a part of the Hitachi ID Management Suite, is designed to leverage a single set of business processes to manage users and access rights on multiple systems, as illustrated in Figure 1.

    Figure 1: User Lifecycle Management

    4.2 Automated Change Propagation

    Hitachi ID Identity Manager can monitor one or more systems of record on a periodic basis (e.g., nightly or every few hours), enumerating new, deleted and changed users. In the case of an HR application, for example, these changes may represent new hires, terminations and transfers. Auto-discovery is performed on all integrated systems and applications, not just systems of record.


    Changes detected by Identity Manager are passed through a data filter, which removes users that are outside Identity Manager's scope. For instance, in a scenario where Identity Manager manages all users in one country, but the HR system is global, Identity Manager would ignore changes to users from other countries.

    All changes to a given user are aggregated and business logic is executed, with the set of changes as input. This is best illustrated with some examples:

    Detected change: New user appears in an HR application.
    Actions: Look up the appropriate role based on the user's location and job code. Submit a change request to the Identity Manager workflow engine, to create a new user, with the HR-provided identity attributes and with resources specified by the role.
    Net result: Auto-provisioning.

    Detected change: New phone number detected on white pages directory.
    Actions: White pages has a higher priority for the phone number attribute than other systems. Submit a change request to the Identity Manager workflow engine, to change the phone number in the user's profile. Once approved (most likely automatically), the new phone number is mapped to other login IDs belonging to the user and connectors are run to update this information on other systems.
    Net result: Identity synchronization.

    Detected change: Change to termination date is detected on the HR system.
    Actions: Using the identity synchronization mechanism described above, set this date on the user's profile. A separate batch process periodically identifies users with today or earlier termination dates and submits requests to disable all accounts for every matching user.
    Net result: Automated termination.

    Detected change: User disappears from system of record (HR).
    Actions: Look up all of a user's login IDs. Submit a "disable all accounts" change request to the Identity Manager workflow engine. Given the source of the request (employee gone from HR), this type of change may be auto-approved.
    Net result: Automated termination (2nd method).

    Detected change: User was added to Administrators group on Active Directory domain.
    Actions: Since the change was detected on AD, it follows that it was not initiated by Identity Manager. Submit two change requests to the workflow engine: remove the user from the Administrators group (this is an auto-approved change), and add the user to the Administrators group (requires approval). Create a security incident in the help desk system.
    Net result: Detect unauthorized privilege escalation.

    Collectively, these processes are known as automated user management. They are implemented by the ID-Track component in Identity Manager.

    Several Identity Manager modules are involved in automated user management:

    1. The PSUPDATE auto-discovery engine, which extracts lists of users, attributes, groups and group memberships from every integrated system and application. In most deployments, PSUPDATE runs nightly.

    2. The LOADDB batch loader, which collects detected changes to users on target systems and updates the internal identity cache accordingly.

    3. Login ID mapping data, which connects unique user identifiers on different systems. For example, this may map employee numbers in HR to login IDs on other systems. This data may be produced through consistent login IDs, mapping other attributes or self-service reconciliation initiated through invitations sent to users.

    4. The ID-Track module, which aggregates changes on a per-user basis and executes organization-specific business logic for each changed user. This business logic typically submits workflow change requests based on detected changes.

    5. The API service, which accepts change requests from ID-Track and/or external programs and submits them to the workflow service.

    6. The IDWFM workflow service, which accepts change requests, validates them, fills in missing data (e.g., assigning login IDs and e-mail addresses), selects suitable authorizers and invites them to approve or reject each change.

    7. The IDTM transaction manager, which accepts approved changes from the workflow engine and runs connectors to effect changes. IDTM retries failed updates to enable reliable updates to target systems.

    8. A set of connectors, almost all of which run locally on the Identity Manager server, each of which is designed to discover and manage users on a particular type of system or application.
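The detected-change table and the module list above describe one pipeline: auto-discovery output is filtered for scope, aggregated per user, and handed to business logic that emits workflow change requests, with a separate batch for termination dates. The following is an added example written for this page, not Hitachi ID's ID-Track code; the system names (hr, whitepages, ad), the attribute priority table, the role naming rule and every sample record are constructed assumptions.

```python
"""Added example, not Hitachi ID code: a toy model of the automated user
management pipeline (data filter, per-user aggregation, business logic,
termination batch). Systems, priorities, roles and sample records are constructed."""
from dataclasses import dataclass, field
from datetime import date

MANAGED_COUNTRY = "CA"  # assumed scope: this instance manages one country only
# Constructed per-attribute source priority; the highest-ranked source wins.
ATTRIBUTE_PRIORITY = {
    "phone": {"whitepages": 2, "hr": 1},
    "termination_date": {"hr": 1},
}


@dataclass
class DetectedChange:
    system: str            # system where auto-discovery saw the change
    user: str              # employee number, assumed to be the login ID mapping key
    kind: str              # "new" | "deleted" | "attr" | "group_add"
    data: dict = field(default_factory=dict)


@dataclass
class ChangeRequest:
    operation: str
    user: str
    details: dict
    auto_approve: bool


def in_scope(change):
    """Data filter: drop users the feed reports as outside the managed country."""
    return change.data.get("country", MANAGED_COUNTRY) == MANAGED_COUNTRY


def aggregate(changes):
    """Group all in-scope changes per user so business logic sees them together."""
    per_user = {}
    for change in changes:
        if in_scope(change):
            per_user.setdefault(change.user, []).append(change)
    return per_user


def authoritative(system, attr):
    """True if `system` outranks every other source for this attribute."""
    prio = ATTRIBUTE_PRIORITY.get(attr, {})
    return bool(prio) and prio.get(system, 0) == max(prio.values())


def business_logic(user, changes):
    """Map one user's aggregated changes to workflow requests and incidents."""
    requests, incidents = [], []
    for c in changes:
        if c.kind == "new" and c.system == "hr":
            role = f"{c.data['location']}-{c.data['job_code']}".lower()
            requests.append(ChangeRequest("create_user", user,
                            {"role": role, "attributes": dict(c.data)}, False))
        elif c.kind == "attr" and authoritative(c.system, c.data["attr"]):
            requests.append(ChangeRequest("set_attribute", user,
                            {c.data["attr"]: c.data["value"]}, True))
        elif c.kind == "deleted" and c.system == "hr":
            requests.append(ChangeRequest("disable_all_accounts", user, {}, True))
        elif (c.kind == "group_add" and c.system == "ad"
              and c.data.get("group") == "Administrators"):
            # Change seen on AD was not made here: revert, re-request, raise incident.
            requests.append(ChangeRequest("remove_from_group", user,
                            {"group": "Administrators"}, True))
            requests.append(ChangeRequest("add_to_group", user,
                            {"group": "Administrators"}, False))
            incidents.append(f"unauthorized privilege escalation: {user} -> Administrators")
    return requests, incidents


def run_id_track(changes):
    """Whole pass: filter, aggregate, apply business logic for every changed user."""
    requests, incidents = [], []
    for user, user_changes in aggregate(changes).items():
        r, i = business_logic(user, user_changes)
        requests.extend(r)
        incidents.extend(i)
    return requests, incidents


def termination_sweep(profiles, today):
    """Separate batch: disable every user whose termination date is today or earlier."""
    return [ChangeRequest("disable_all_accounts", uid, {}, True)
            for uid, p in profiles.items()
            if p.get("termination_date") is not None and p["termination_date"] <= today]


# Constructed sample output of one auto-discovery run and one profile snapshot.
SAMPLE_CHANGES = [
    DetectedChange("hr", "E100", "new", {"country": "CA", "location": "Toronto", "job_code": "TELLER"}),
    DetectedChange("hr", "E200", "new", {"country": "US", "location": "Boston", "job_code": "TELLER"}),
    DetectedChange("whitepages", "E101", "attr", {"attr": "phone", "value": "555-0100"}),
    DetectedChange("hr", "E101", "attr", {"attr": "phone", "value": "555-0199"}),
    DetectedChange("hr", "E102", "deleted"),
    DetectedChange("ad", "E103", "group_add", {"group": "Administrators"}),
]
SAMPLE_PROFILES = {
    "E300": {"termination_date": date(2011, 1, 31)},
    "E301": {"termination_date": date(2011, 3, 1)},
    "E302": {},
}
RUN_DATE = date(2011, 2, 1)
```

Running `run_id_track(SAMPLE_CHANGES)` drops the US user at the filter, creates the Toronto teller from the role lookup, lets the white pages phone number win over the HR value, disables the user who vanished from HR, and for the unexpected Administrators membership emits an auto-approved removal, an approval-gated re-add and one incident record; `termination_sweep(SAMPLE_PROFILES, RUN_DATE)` picks out only the profile whose termination date has passed.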


    4.3 Change Request Workflow

    A key capability in Hitachi ID Identity Manager is to accept change requests, to route them to the appropriate authorizers, and to act on change requests once sufficient authority has been received. This is designed to streamline requests, and to eliminate the need for system administrators to manually fulfill authorized changes.

    Identity Manager's workflow automation engine streamlines the process of requesting and authorizing the creation of new accounts, as well as other security changes such as adding/removing group membership, changing attribute values, renaming or moving accounts, deleting or deactivating accounts and so on.

    The Identity Manager workflow engine accepts change requests from the Identity Manager web UI, the Identity Manager web services API or the auto-provisioning engine. Its main task is to validate change requests and manage authorization of changes by business users, who are invited to review requests via e-mail and provide approval via the web UI.

    The workflow automation engine works as follows:

    Request input:

    Users can authenticate to the system and make change requests.

    Third party programs can submit change requests via a web services API.

    The unattended Identity Manager process used to implement auto-provisioning, auto-deactivation and identity synchronization can submit change requests programmatically.

    Change requests are formulated as changes to user profiles: the requester's own (self-service) or another user's (the recipient).

    Change requests may be to update profile attributes, add new accounts, add or remove group memberships, enable or disable accounts, etc.

    Plug-in programs can limit or alter requests, for example by limiting who can submit a given type of request, for whom they can make requests and by validating or populating the contents of a request.

    Request routing:

    Requests are automatically routed to appropriate authorizers, which are selected based on the identities of the requester and recipient plus the specified operations and resources.

    All authorizers are prompted to respond concurrently.

    1. Authorizers may delegate their responsibility in advance if they plan to be unavailable for an extended period.

    2. Identity Manager can check an authorizer's out-of-office status in an e-mail system (example: Exchange) and preemptively escalate the request to someone else.

    In most cases, a response is only required from a subset of the authorizers; for example, any one of three people can approve a new account on a given application.

    Authorizers are notified by e-mail that their input is required. They click on a URL embedded in the e-mail to respond.


    Reminders are sent to non-responsive authorizers.

    If an authorizer fails to respond after too many reminders, a new authorizer is selected by escalation logic.

    Authorization:

    Authorizers review requests using a web form, over a secure connection (HTTPS).

    Authorizers normally have to sign in before they can approve a request.

    Executing approved requests:

    Once sufficient approvals have been collected, Identity Manager will generally apply the requested changes to target systems.

    For un-integrated systems, Identity Manager can execute a separate workflow process to invite implementers (typically system administrators) to make the approved change manually. Reminders, escalation and delegation apply to this workflow as well.

    Workflow is used in Identity Manager to approve change requests, to implement approved requests, to certify user access and more. A participant in the workflow process is a person who is being asked to complete a task, most commonly change authorization.

    The Identity Manager workflow engine has built-in support for automatic reminders, escalation and delegation, so as to elicit reliable responses from individually-unreliable users:

    When participants are first chosen, their out-of-office status on their primary e-mail system may be checked, to trigger early escalation to an alternate participant.

    Non-responsive participants that have been asked to review a request receive automatic reminders. The reminder interval is configurable.

    Participants who remain non-responsive (too many reminders) are automatically replaced with alternate participants, identified using escalation business logic. Escalation is most often based on OrgChart data, i.e., the original authorizer's direct manager is often the escalated authorizer.

    Participants can pro-actively delegate their authority, temporarily or permanently. Delegation may trigger its own approval, asking the new participant to accept a new responsibility.

    A workflow manager can reassign participants attached to open requests, for instance when they are terminated or when a request is urgent and already-assigned participants are not available.
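The routing and reliability rules above (concurrent prompting, any-one-of-N approval, reminders at a fixed interval, escalation to the OrgChart manager after too many reminders, pre-arranged delegation and out-of-office escalation at assignment time) can be exercised in a discrete-time simulation. This is an added example written for this page, not the IDWFM engine; the people, the reporting lines, the response times and the reminder limit are constructed assumptions.

```python
"""Added example, not Hitachi ID code: a discrete-time simulation of the
reminder, escalation and delegation behaviour of a change-request workflow.
Each tick is one reminder interval; the org chart below is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Authorizer:
    name: str
    manager: Optional[str] = None       # escalation target (OrgChart data)
    out_of_office: bool = False         # what an e-mail system check would report
    delegate: Optional[str] = None      # pre-arranged delegation
    responds_at: Optional[int] = None   # tick at which this person approves; None = never


@dataclass
class WorkflowRequest:
    required: int                       # approvals needed, e.g. any one of three
    max_reminders: int
    participants: dict = field(default_factory=dict)   # name -> reminders sent
    approvals: set = field(default_factory=set)
    log: list = field(default_factory=list)


def assign(req, people, name, depth=0):
    """Invite a participant, following delegation and out-of-office escalation."""
    if depth > len(people):
        raise ValueError("delegation/escalation loop")
    p = people[name]
    if p.delegate:
        req.log.append(f"{name} delegated to {p.delegate}")
        return assign(req, people, p.delegate, depth + 1)
    if p.out_of_office and p.manager:
        req.log.append(f"{name} out of office, escalated to {p.manager}")
        return assign(req, people, p.manager, depth + 1)
    if name not in req.participants:
        req.participants[name] = 0
        req.log.append(f"invited {name}")
    return name


def run_workflow(people, initial, required=1, max_reminders=2, max_ticks=10):
    """Return (state, tick, log); state is 'approved' or 'open' after max_ticks."""
    req = WorkflowRequest(required, max_reminders)
    for name in initial:                 # all authorizers are prompted concurrently
        assign(req, people, name)
    for tick in range(1, max_ticks + 1):
        for name in list(req.participants):
            if name in req.approvals:
                continue
            p = people[name]
            if p.responds_at is not None and p.responds_at <= tick:
                req.approvals.add(name)
                req.log.append(f"{name} approved at tick {tick}")
            elif req.participants[name] < req.max_reminders:
                req.participants[name] += 1
                req.log.append(f"reminder {req.participants[name]} to {name}")
            elif p.manager and p.manager not in req.participants:
                del req.participants[name]   # replaced by escalation logic
                req.log.append(f"{name} unresponsive, escalated to {p.manager}")
                assign(req, people, p.manager)
        if len(req.approvals) >= req.required:
            return "approved", tick, req.log
    return "open", max_ticks, req.log


# Constructed org chart: alice is away, carol never answers, erin delegated to frank.
PEOPLE = {
    "alice": Authorizer("alice", manager="bob", out_of_office=True),
    "bob": Authorizer("bob"),
    "carol": Authorizer("carol", manager="dave"),
    "dave": Authorizer("dave", responds_at=5),
    "erin": Authorizer("erin", delegate="frank"),
    "frank": Authorizer("frank"),
}


def demo():
    """One request needing any one approval from alice, carol or erin."""
    return run_workflow(PEOPLE, ["alice", "carol", "erin"])
```

In `demo()` the request is approved at tick 5: alice is replaced by bob before the first reminder, erin's delegation sends the invitation to frank, and carol is escalated to dave after two unanswered reminders; dave then approves. A request left with a single authorizer who never responds and has no manager stays open, which is the case a workflow manager would resolve by reassigning the participant.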

    4.4 Templates and Roles to Simplify Configuration

    Hitachi ID Identity Manager can create login accounts using templates and roles:

    Rather than requiring an administrator to provide every parameter when creating a new account on a target system, Identity Manager can copy all relevant parameters from a template account. In effect, Identity Manager implements a clone user operation.


    Note that not every user object on every target system can or should be cloned. Requiring the organization's administrators to name the accounts which should be available as templates ensures that users whose profiles have accumulated excess entitlements over time are not cloned.

    Change requests, automated processes or updates initiated by administrators may specify attributes that override those copied from the template. For example, a new account may be created by copying a model account but overriding the employee number, phone number, e-mail address, login ID, directory OU, home directory server, mail server, etc.

    Attributes may be entered by a user or administrator (e.g., phone number), may be validated by a plug-in that implements business logic (e.g., building code) or may be assigned by a plug-in that implements business logic (e.g., login ID, directory OU, e-mail address). Plug-ins embody business rules, and may be as simple or as complex as required.

    Template accounts and membership in security groups can be collected into named sets called roles. This allows requests to specify that whole sets of entitlements, rather than individual accounts and groups, should be granted or revoked. This simplifies the UI for business users, who may not have a clear, technically accurate idea of what entitlements to ask for.

    Roles may be functional, i.e., encapsulating all the entitlements needed by a given class of user.

    Roles may also be application-oriented, i.e., encapsulating a commonly used set of entitlements within one or more applications.

    Functional roles are appropriate for large groups of users with identical business responsibilities.

    Functional roles are also an excellent baseline for all users. For example, a functional role may be defined for basic network and e-mail access.

    Application-oriented or technical roles are appropriate for users whose requirements are relatively unique.

    Roles can be nested, to simplify definition of complex sets of entitlements. For example, functional roles can and typically should be composed of application roles, which in turn encapsulate fine-grained entitlements on target systems.

    Change requests may include adding or removing roles, adding or removing accounts, adding or removing group memberships and updating profile attributes.

    Identity Manager does not require that users be classified into roles.

    Identity Manager can be configured to compare users' actual security entitlements on target systems to the entitlements that their assigned roles predict and to automatically make adjustments to bring users into compliance. This process is called RBAC enforcement.

    RBAC enforcement is not a mandatory component of Identity Manager, and indeed the scope of enforcement can be controlled at multiple levels:

    1. Users can be enabled/disabled for enforcement.

    2. Roles can be enabled/disabled for enforcement.


    3. Entitlements (i.e., accounts on target systems and security groups whose membership is managed by Identity Manager) can be enabled/disabled for enforcement.

    4. The number of users whose profiles are subjected to enforcement per day can be capped.

    These mechanisms allow Hitachi ID Systems customers to use RBAC enforcement or not, based on the appropriateness of this mechanism to their environment. In general, we have found that RBAC enforcement is manageable for large numbers of users with identical needs (e.g., point of sale, retail, etc.) and for small numbers of high-risk users (e.g., finance/budget), but not usually cost-effective for other, unique, back-office user populations.

    Attributes can be attached to templates, groups and roles in Identity Manager, to make them easier to find. For example, these resources can be classified by type and location and automatically assigned, filtered on search results, etc. accordingly.
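Nested roles, RBAC enforcement and its four scope controls (per user, per role, per entitlement, and a daily cap) are described above in prose; the following added example, written for this page and not Hitachi ID's implementation, works the comparison through on constructed data. The role names, entitlement names of the form system:object, the users and the policy are assumptions, as is the exact semantics chosen for a role that is excluded from enforcement (its entitlements are neither added nor removed).

```python
"""Added example, not Hitachi ID code: a model of RBAC enforcement. Nested
roles are flattened to the entitlements they predict, compared with what users
actually hold, and adjustments are produced subject to the enforcement
controls (users, roles, entitlements, daily cap). All data is constructed."""

# Constructed role model: a functional role composed of application roles,
# which carry fine-grained "system:object" entitlements.
ROLES = {
    "teller": {"roles": ["base-user", "branch-app"], "entitlements": []},
    "base-user": {"roles": [], "entitlements": ["ad:account", "ad:grp-staff", "exchange:mailbox"]},
    "branch-app": {"roles": [], "entitlements": ["teller-app:account", "teller-app:grp-cashier"]},
    "audit-tools": {"roles": [], "entitlements": ["audit-app:account"]},
}


def expand(role, roles, seen=None):
    """Flatten nested roles into the set of entitlements they predict."""
    seen = set() if seen is None else seen
    if role in seen:            # tolerate accidental cycles in role definitions
        return set()
    seen.add(role)
    out = set(roles[role]["entitlements"])
    for sub in roles[role]["roles"]:
        out |= expand(sub, roles, seen)
    return out


def plan_enforcement(users, actual, policy, daily_cap):
    """Compute add/remove adjustments per user; return (adjustments, deferred).

    Assumed semantics: an entitlement is added only if an enforced role predicts
    it, removed only if no assigned role (enforced or not) predicts it, never
    touched unless it is itself enabled for enforcement; users past the daily
    cap are deferred to the next run.
    """
    adjustments, deferred, processed = {}, [], 0
    for uid, user in users.items():
        if uid not in policy["enforced_users"]:
            continue
        if processed >= daily_cap:
            deferred.append(uid)
            continue
        processed += 1
        predicted_all, predicted_enforced = set(), set()
        for role in user["roles"]:
            ents = expand(role, policy["roles"])
            predicted_all |= ents
            if role in policy["enforced_roles"]:
                predicted_enforced |= ents
        have = actual.get(uid, set())
        scope = policy["enforced_entitlements"]
        add = (predicted_enforced - have) & scope
        remove = (have - predicted_all) & scope
        if add or remove:
            adjustments[uid] = {"add": sorted(add), "remove": sorted(remove)}
    return adjustments, deferred


# Constructed users and the entitlements auto-discovery found on target systems.
USERS = {
    "u1": {"roles": ["teller"]},
    "u2": {"roles": ["teller"]},
    "u3": {"roles": ["teller"]},             # not enabled for enforcement
    "u4": {"roles": ["teller", "audit-tools"]},
}
ACTUAL = {
    "u1": {"ad:account", "ad:grp-staff", "exchange:mailbox", "teller-app:account",
           "teller-app:grp-cashier", "ad:grp-domain-admins"},   # excess entitlement
    "u2": {"ad:account"},                                       # missing most of the role
    "u3": {"ad:account"},
    "u4": {"ad:account", "ad:grp-staff", "teller-app:account", "teller-app:grp-cashier"},
}
POLICY = {
    "roles": ROLES,
    "enforced_users": {"u1", "u2", "u4"},
    "enforced_roles": {"teller"},                # audit-tools is not enforced
    "enforced_entitlements": {"ad:account", "ad:grp-staff", "ad:grp-domain-admins",
                              "teller-app:account", "teller-app:grp-cashier"},
}


def demo(daily_cap=2):
    return plan_enforcement(USERS, ACTUAL, POLICY, daily_cap)
```

With the cap at two users per run, u1 loses the domain-admins membership its role does not predict, u2 is brought up to the teller role minus the mailbox (which is outside the enforced entitlement set), u3 is skipped entirely and u4 is deferred; on a later run with headroom u4 needs nothing, since its only gap is the unenforced audit-tools role.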

    4.5 Consolidated and Delegated Security Administration

    Delegated user administration makes it possible to grant limited security privileges to departmental or regional staff. For example, an IT administrator at a business unit may be allowed to create accounts for users in that business unit, and manage the user profiles and access privileges of local users. The same IT administrator would be unable to access user profiles for staff working in other business units and may only be able to perform certain types of updates, on certain systems.

    Delegated user administration is implemented in the same manner as consolidated user administration, but with the addition of access controls, as is illustrated in Figure 2.

    [Figure 2 diagram; only its labels survive in this transcript. Components: Administrators, Security admin UI, Identity Cache, Transaction Manager, Connectors, Target Systems. Flows: create, delete, update accounts; read current state; refresh current state.]

    Figure 2: Consolidated and Delegated User Administration Console

    The scope of authority of a given security administrator can be limited to certain users, certain systems, certain groups or certain OUs. Access controls are normally implemented using business logic, which accesses information about both the administrator and intended recipients of security changes, to dynamically determine what kinds of updates are allowed.
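The delegation model described in this section, where business logic looks at both the administrator and the intended recipient to decide whether a given update on a given system is allowed, can be written as a small deny-by-default rule evaluator. This is an added example for this page, not Hitachi ID's access-control code; the administrator roles, business units, OU names, system names and rules are constructed.

```python
"""Added example, not Hitachi ID code: delegated-administration access control
as a deny-by-default rule evaluator that considers the administrator, the
recipient (business unit, directory OU), the operation and the target system.
Roles, OU names, systems and the rules themselves are constructed."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    login: str
    business_unit: str
    ou: str = ""                        # e.g. "OU=Staff,OU=Toronto,DC=example,DC=com"
    admin_roles: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    admin_role: str                     # the administrator must hold this role
    operations: set                     # "*" means any
    systems: set                        # "*" means any
    scope: str                          # "any" | "same_bu" | "ou_subtree"
    ou_root: str = ""                   # for ou_subtree


def recipient_in_scope(rule, admin, recipient):
    """Dynamic part of the decision: relate the recipient to the administrator."""
    if rule.scope == "any":
        return True
    if rule.scope == "same_bu":
        return admin.business_unit == recipient.business_unit
    if rule.scope == "ou_subtree":
        return recipient.ou == rule.ou_root or recipient.ou.endswith("," + rule.ou_root)
    return False


def authorize(admin, recipient, operation, system, policy):
    """Return (allowed, reason). Deny by default; the first matching rule allows."""
    for rule in policy:
        if rule.admin_role not in admin.admin_roles:
            continue
        if "*" not in rule.operations and operation not in rule.operations:
            continue
        if "*" not in rule.systems and system not in rule.systems:
            continue
        if recipient_in_scope(rule, admin, recipient):
            return True, f"allowed by rule {rule.name}"
    return False, "no matching rule"


# Constructed policy: central admins may do anything; business-unit admins manage
# their own unit on AD and Exchange only; a Toronto OU help desk resets AD passwords.
POLICY = [
    Rule("central", "central-admin", {"*"}, {"*"}, "any"),
    Rule("bu-admin", "bu-admin", {"create_account", "update_profile", "reset_password"},
         {"ad", "exchange"}, "same_bu"),
    Rule("toronto-helpdesk", "ou-admin", {"reset_password"}, {"ad"},
         "ou_subtree", ou_root="OU=Toronto,DC=example,DC=com"),
]

RETAIL_ADMIN = Principal("radmin", "retail", admin_roles={"bu-admin"})
TORONTO_HELPDESK = Principal("thelp", "retail", admin_roles={"ou-admin"})
RETAIL_USER = Principal("ruser", "retail", ou="OU=Staff,OU=Toronto,DC=example,DC=com")
FINANCE_USER = Principal("fuser", "finance", ou="OU=Staff,OU=Ottawa,DC=example,DC=com")


def demo():
    """A few decisions a delegated administration console would have to make."""
    return {
        "bu_admin_creates_local_ad_account":
            authorize(RETAIL_ADMIN, RETAIL_USER, "create_account", "ad", POLICY)[0],
        "bu_admin_touches_sap":
            authorize(RETAIL_ADMIN, RETAIL_USER, "create_account", "sap", POLICY)[0],
        "bu_admin_reaches_other_unit":
            authorize(RETAIL_ADMIN, FINANCE_USER, "reset_password", "ad", POLICY)[0],
        "helpdesk_resets_in_toronto_ou":
            authorize(TORONTO_HELPDESK, RETAIL_USER, "reset_password", "ad", POLICY)[0],
        "helpdesk_edits_profile":
            authorize(TORONTO_HELPDESK, RETAIL_USER, "update_profile", "ad", POLICY)[0],
    }
```

The reason string returned with each decision is what a console would log with the transaction, so a later report can show which rule admitted a given delegated change.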

    4.6 Enterprise-wide Security Reporting

    All data in Hitachi ID Identity Manager is available via SQL and accessible using standard analytical tools (Crystal Reports, Cognos, MS-Excel, SQL queries, etc.).

    The schema is well documented and is available to all product licensees and evaluators under NDA. The current release schema documentation is about 127 pages long, and includes detailed descriptions of every field, table, relation, value constraint, etc.


    Data available through Identity Manager includes:

    A list of IDs per user.
    A list of IDs per system.
    A list of IDs per group.
    Allocation of login IDs to user profiles.
    Full detail of transaction history.
    Additional identity attributes (e.g., roles, employee ID) for users who were created using Identity Manager.
    Select identity attributes drawn from target systems such as last login time/date, account enabled/disabled, etc.

    Identity Manager includes a number of standard reports, available through a web user interface, from the command-line, or by e-mail:

    Orphan and dormant accounts.
    Users who have accounts on specific systems.
    Templates and roles that a particular user has been assigned.
    User groups available on target systems.
    Membership of users in user groups on target systems.
    Transaction history per time period.
    Authorizer actions.
    Delegations (current and pending).
    Implementer definitions.
    Physical inventory availability.
    Requests, by status, state and result.
    Request statistics.
    Identity attributes, by user and by system.
    Past reports.

    Advantages of the reporting subsystem in Identity Manager include:

    The Identity Manager schema is a simple, relational, SQL-based database. This makes it open to reports by third party programs, such as Crystal Reports or Cognos. In comparison, some competing products (most notably from Sun) store all their data in opaque XML objects and are therefore not accessible to third party reporting software.

    A rich set of built-in reports, including lists of users, accounts, group memberships, workflow requests, etc.

    Dual-format output (HTML, CSV) in all reports. These formats are readily convertible to Excel, Word, PDF, etc.

    Asynchronous report generation, i.e., generate a report, and browse the output while the report is still running.

    Reports can be scheduled and data selection criteria can be relative to the run date. This supports constructs such as "run a weekly report on workflow requests, including all requests submitted in the trailing 7 days and e-mail the output to..."


    Hitachi ID Systems provides full schema documentation, which is guaranteed correct, as it is automatically generated from the same source code that produces the SQL tables.
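The reporting section above lists "orphan and dormant accounts" among the standard reports, says all data is reachable by plain SQL, and notes that selection criteria can be relative to the run date. The following added example, written for this page, shows those two reports as SQL over a small constructed schema in SQLite with CSV output; the real Identity Manager schema is under NDA and is not reproduced, so the table and column names here (profiles, accounts, id_map, last_login) are assumptions, as are the sample rows.

```python
"""Added example, not Hitachi ID code: orphan and dormant account reports as
SQL over a small constructed schema. Table/column names and rows are assumed."""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE profiles (profile_id TEXT PRIMARY KEY);
CREATE TABLE accounts (
    system TEXT, login_id TEXT, last_login TEXT, enabled INTEGER,
    PRIMARY KEY (system, login_id));
CREATE TABLE id_map (profile_id TEXT, system TEXT, login_id TEXT);
"""

# Constructed snapshot of the identity cache after an auto-discovery run.
PROFILES = [("P1",), ("P2",)]
ACCOUNTS = [
    ("ad", "alice", "2011-05-30", 1),
    ("ad", "bob", "2011-01-10", 1),
    ("ad", "svc-backup", None, 1),       # never logged in, mapped to no profile
    ("sap", "alice", "2011-05-01", 1),
    ("sap", "carol", "2011-02-01", 0),   # disabled, mapped to no profile
]
ID_MAP = [("P1", "ad", "alice"), ("P1", "sap", "alice"), ("P2", "ad", "bob")]


def build_db():
    """Load the constructed snapshot into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO profiles VALUES (?)", PROFILES)
    conn.executemany("INSERT INTO accounts VALUES (?,?,?,?)", ACCOUNTS)
    conn.executemany("INSERT INTO id_map VALUES (?,?,?)", ID_MAP)
    return conn


def orphan_accounts(conn):
    """Accounts on target systems that no user profile claims."""
    return conn.execute("""
        SELECT a.system, a.login_id
        FROM accounts a
        LEFT JOIN id_map m ON m.system = a.system AND m.login_id = a.login_id
        WHERE m.profile_id IS NULL
        ORDER BY a.system, a.login_id""").fetchall()


def dormant_accounts(conn, run_date, days=90):
    """Enabled accounts with no login in the trailing `days`, relative to the run date."""
    cutoff = (run_date - timedelta(days=days)).isoformat()
    return conn.execute("""
        SELECT system, login_id
        FROM accounts
        WHERE enabled = 1 AND (last_login IS NULL OR last_login < ?)
        ORDER BY system, login_id""", (cutoff,)).fetchall()


def to_csv(rows, header=("system", "login_id")):
    """CSV rendering, the second output format the document mentions besides HTML."""
    return "\n".join([",".join(header)] + [",".join(r) for r in rows])


def demo(run_date=date(2011, 6, 1)):
    """Run both reports as of a given date against the constructed snapshot."""
    conn = build_db()
    try:
        return {"orphans": orphan_accounts(conn),
                "dormant": dormant_accounts(conn, run_date)}
    finally:
        conn.close()
```

Note that the dormant report keys off the run date, so scheduling it weekly gives a rolling 90-day window without editing the query, and that a disabled account (carol on SAP) is excluded from the dormant list but still shows up as an orphan, which is the finding an access-termination review cares about.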

    4.7 Web Services Flexibility

    A web services API (application programming interface) is exposed by Hitachi ID Identity Manager, allowing other applications to access the workflow request queue and data about users and resources.

    The API is accessed using SOAP and includes a WSDL specification. This makes it accessible across a wide range of platforms and programming languages, including Windows and Unix, .NET and J2EE, Perl, Python and PHP, etc.

    The Identity Manager API supports a wide range of operations, including:

    Submitting new workflow requests. This includes requests to:

    Create new user profiles.

    Add login accounts to new or existing profiles.

    Add users to or remove users from managed groups.

    Assign roles to users or remove roles from users.

    Get or set user identity attributes.

    Initiating previously configured certification rounds.

    Searching for users or roles matching specified criteria.

    Creating, updating or deleting roles.

    Getting or changing the set of authorizers attached to a request.

    Approving or rejecting open requests.

    The API allows organizations to develop their own request forms without having to code custom validation or authorization logic and without having to develop integrations with target systems and applications where users will be provisioned. This is helpful for specialized onboarding applications or to connect Identity Manager to an IT service catalog, for example.


    5 Identity Manager Technology

    5.1 Network Architecture

    Hitachi ID Identity Manager is designed for:

    Security:

    Identity Manager is installed on hardened servers. All sensitive data is encrypted in storage andtransit. Strong authentication and access controls protect business processes.

    Scalability:

Multiple Identity Manager servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, distributed architecture that is very easy to set up, as replication is handled at the application layer.

    Performance:

Identity Manager uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which help to minimize communication overhead between the application and database. All Identity Manager code is native code, which provides a 2x to 10x performance advantage as compared to Java or .NET.

    Openness:

Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).

    Flexibility:

Both the Identity Manager user interface and all functionality can be customized to meet enterprise requirements.

    Low TCO:

    Identity Manager is easy to set up and requires minimal ongoing administration.

Figure 3 on Page 14 illustrates the Identity Manager network architecture:

Users normally access Identity Manager using HTTPS from a web browser.

Multiple Identity Manager servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply using DNS round-robin distribution.

Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.

Identity Manager connects to most target systems using their native APIs and protocols and thus requires no software to be installed locally on those systems.


Figure 3: Network architecture diagram (components shown: users over HTTPS via a reverse web proxy and load balancer; Hitachi ID application server(s) with replicated SQL/Oracle databases; IVR server; VPN server; SMTP or Notes mail; incident management system; system of record; password synch trigger systems; target systems with local agent (OS/390, Unix, older RSA) over TCP/IP + AES; target systems with remote agent (AD, SQL, SAP, Notes, etc.) over secure native protocols; a proxy server (if needed) for target systems in a remote data center behind a firewall)

Local agents are provided and recommended for Unix servers and z/OS mainframes. Use of these agents improves transaction security, speed and concurrency.

A local agent is mandatory on RSA SecurID servers.

Where target systems are remote and communication with them is slow, insecure or both, an Identity Manager proxy server may be co-located with the target system in the remote location. In this case, servers in the main Identity Manager server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.

Identity Manager can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).

Identity Manager can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 189 events can trigger e-mail notification.

Identity Manager can create tickets on most common incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 189 events can trigger ticket generation. Binary integrations are available for 16 help desk applications and open integration is possible using mail, ODBC, SQL and web services.

    5.2 Supported Target Platforms

Hitachi ID Identity Manager has built-in integration for many common types of systems, plus programmable agents that can be readily adapted to manage IDs and passwords on applications and hosted services.


The supported platforms may be summarized as follows:

Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.

Servers: Windows 2000, 2003, 2008, Samba, Novell, SharePoint.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC.

Unix: Linux, Solaris, AIX, HPUX, 24 more.

Mainframes: z/OS with RACF, ACF/2 or TopSecret.

Midrange: iSeries (OS400), OpenVMS.

ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, Siebel, BusinessObjects.

Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.

WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

Help Desk: BMC Remedy, BMC SDE, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, etc.

HDD Encryption: McAfee, CheckPoint.

Identity Manager includes a number of flexible connectors, each of which is used to script integration with a common protocol or mechanism. These connectors allow organizations to quickly and inexpensively integrate Identity Manager with custom and vertical market applications. The ability to quickly and inexpensively add integrations increases the value of the Identity Manager system as a whole.

There are flexible connectors to script interaction with:

API binding: C, C++, Java, J2EE, .NET, COM, ActiveX, MQ Series.

Terminal emulation: SSH, Telnet, TN3270, TN5250, simulated browser.

Web services: SOAP, WebRPC, pure HTTP(S).

Back end integration: SQL injection, LDAP attributes.

Command-line: Windows PowerShell, Unix/Linux.

Organizations that wish to write a completely new connector to integrate with a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as either a command-line program or web service.

If the organization develops its own integrations, an effort of between four hours and four days is typical. Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.

In most cases, Identity Manager does not require the installation of local agent software on target servers and applications. The only exceptions to this are two applications which do not publish a remote administration facility at all: RSA Authentication Manager servers and Entrust getAccess servers.

Identity Manager also includes local agents that can be installed on Unix servers and z/OS mainframes. While users and passwords on these systems can be managed without a local agent by emulating a terminal session over a Telnet, TN3270 or SSH protocol, such terminal connections are slower, less reliable and (except for SSH) less secure than a local agent.

Ultimately, the organization must decide whether reduced change control or more secure, fast and reliable administration is more important on Unix and z/OS systems, and therefore make a determination about whether local agents are desirable on these systems.

In no case do the provided local agents interfere with the target systems' normal operation: the login process on each target system remains the same and no significant CPU or other load is placed on target systems.

    5.3 Process Integration

Identity management is integral to an organization's business processes, and Hitachi ID Identity Manager is designed to integrate with existing processes and systems:

Monitoring authoritative directories / rules-based user provisioning

Identity Manager can monitor an existing system of reference, and create or delete accounts on target systems based on changes. This works with HR systems, LDAP directories or simple text file extracts.

    Routing requests

By default, change requests are routed based on the resources specified. For example, all requests for accounts payable access go to one or more authorizers attached to that account type.

    The list of authorizers required to approve a request may be adjusted based on other variables:

The identity of the requester (e.g., executives submitting requests may not require approval; others may require approval by someone in their management chain).

    The identity of the recipient.

    Other attributes of the request (location, department code, etc.).

To maximize flexibility, the process of adjusting the list of authorizers is implemented with a plugin architecture.

    Assigning new, standard login IDs

Login IDs for new accounts can be assigned manually by a designated approver, or automatically by a plugin program that implements site-specific logic (for example, rules such as first initial + last name + unique digit).
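The "first initial + last name + unique digit" rule mentioned above, written out as a login ID plugin in Python. This is an added example, not Hitachi ID's plugin code; the 8-character limit, the stripping of accents and punctuation, and the choice to append the digit only when the bare form is already taken are assumptions.

```python
import re
import unicodedata

# Added example, not Hitachi ID code. Assumptions: login IDs are lowercase
# ASCII, at most MAX_LEN characters, and the unique digit is appended only
# when the bare "initial + last name" form is already taken.
MAX_LEN = 8


def normalize_name_part(name: str) -> str:
    """Strip accents, punctuation and spaces so only a-z remain."""
    ascii_only = (unicodedata.normalize("NFKD", name)
                  .encode("ascii", "ignore").decode("ascii"))
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def assign_login_id(first_name: str, last_name: str, existing_ids,
                    max_len: int = MAX_LEN) -> str:
    """Site-specific rule: first initial + last name + unique digit(s)."""
    initial = normalize_name_part(first_name)[:1]
    last = normalize_name_part(last_name)
    if not initial or not last:
        raise ValueError("first and last name must each contain a letter")
    taken = {i.lower() for i in existing_ids}
    base = (initial + last)[:max_len]
    if base not in taken:
        return base
    # Collision: append the smallest suffix that is still free, shortening
    # the base so the result stays within max_len.
    suffix = 1
    while True:
        digits = str(suffix)
        if max_len - len(digits) < 2:
            raise ValueError("namespace exhausted for %s" % base)
        candidate = base[:max_len - len(digits)] + digits
        if candidate not in taken:
            return candidate
        suffix += 1


def assign_login_ids(new_users, existing_ids, max_len: int = MAX_LEN):
    """Assign IDs for a batch of new hires (dicts with employee_id, first, last).

    IDs handed out earlier in the batch are reserved, so two new hires with
    the same name never receive the same ID."""
    taken = {i.lower() for i in existing_ids}
    assigned = {}
    for user in new_users:
        login_id = assign_login_id(user["first"], user["last"], taken, max_len)
        taken.add(login_id)
        assigned[user["employee_id"]] = login_id
    return assigned


if __name__ == "__main__":
    # Constructed sample data: IDs already present on the target system.
    existing = {"jsmith", "jsmith1", "mfeather"}
    hires = [
        {"employee_id": "E100", "first": "John", "last": "Smith"},
        {"employee_id": "E101", "first": "Jane", "last": "Smith"},
        {"employee_id": "E102", "first": "José", "last": "Núñez-Ortega"},
        {"employee_id": "E103", "first": "Maximilian", "last": "Featherstonehaugh"},
    ]
    for emp, login in assign_login_ids(hires, existing).items():
        print(emp, "->", login)
```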

    Escalating requests for authority

    Identity Manager supports many features to ensure that requests for authorization are satisfied quickly:

    Grouping authorizers, and only requiring approval from a subset of each group.

Temporarily delegating authority, so that authorizers can safely leave for holidays and other absences.


    Sending reminders to unresponsive authorizers.

    Automatically escalating unfulfilled requests for approval.
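How the routing and escalation features described above fit together: default authorizers chosen by resource, a plugin chain adjusting them by requester identity, N of M approval within a group, delegation, reminders and escalation (the same engine features listed later under Rapid Deployment). This is an added Python example, not Hitachi ID code; the people, directory data and 24/72-hour thresholds are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

# Added example, not Hitachi ID code. All people, resources, delegation
# records and time thresholds below are constructed sample data.

@dataclass(frozen=True)
class AuthorizerGroup:
    name: str
    members: Tuple[str, ...]   # the M candidate authorizers
    required: int              # N approvals needed from this group

@dataclass
class Request:
    requester: str
    recipient: str
    resource: str
    attributes: Dict[str, str]

# Default routing table: each resource carries its own authorizer group.
RESOURCE_AUTHORIZERS = {
    "accounts-payable": AuthorizerGroup("ap-owners", ("alice", "bob", "carol"), 2),
}
MANAGER_OF = {"dave": "erin", "erin": "frank", "alice": "frank",
              "bob": "frank", "carol": "frank", "gina": "frank"}
EXECUTIVES = {"frank"}
DELEGATIONS = {"bob": "gina"}   # bob is on holiday; gina acts for him

Plugin = Callable[[Request, List[AuthorizerGroup]], List[AuthorizerGroup]]

def apply_delegations(req, groups):
    """Swap absent authorizers for their delegates so the request is not stuck."""
    return [replace(g, members=tuple(DELEGATIONS.get(m, m) for m in g.members))
            for g in groups]

def manager_approval(req, groups):
    """Self-service requests also need someone in the requester's management chain."""
    manager = MANAGER_OF.get(req.requester)
    if req.requester == req.recipient and manager:
        groups = groups + [AuthorizerGroup("manager-of-" + req.requester, (manager,), 1)]
    return groups

def executive_bypass(req, groups):
    """Requests submitted by executives need no approval; runs last in the chain."""
    return [] if req.requester in EXECUTIVES else groups

PLUGINS: List[Plugin] = [apply_delegations, manager_approval, executive_bypass]

def route_request(req: Request) -> List[AuthorizerGroup]:
    """Route by resource, then let each plugin adjust the authorizer list."""
    groups = [RESOURCE_AUTHORIZERS[req.resource]]
    for plugin in PLUGINS:
        groups = plugin(req, groups)
    return groups

def evaluate(group: AuthorizerGroup, decisions: Dict[str, str], hours_open: float,
             remind_after: float = 24, escalate_after: float = 72):
    """Outcome of one group's approval round.

    decisions maps authorizer -> "approve" or "reject". Returns (state, people):
    rejected/approved with nobody to contact, escalated with the managers of
    unresponsive authorizers, remind or pending with the unresponsive ones."""
    if any(decisions.get(m) == "reject" for m in group.members):
        return "rejected", []
    approvals = sum(1 for m in group.members if decisions.get(m) == "approve")
    if approvals >= group.required:
        return "approved", []
    unresponsive = [m for m in group.members if m not in decisions]
    if hours_open >= escalate_after:
        managers = [MANAGER_OF[m] for m in unresponsive if m in MANAGER_OF]
        return "escalated", list(dict.fromkeys(managers))
    if hours_open >= remind_after:
        return "remind", unresponsive
    return "pending", unresponsive
```

Calling route_request(Request("dave", "dave", "accounts-payable", {})) returns the ap-owners group with gina standing in for bob (2 of 3 approvals needed) plus a one-person group for dave's manager; evaluate() on the first group with only alice's approval after 30 hours reports that gina and carol need a reminder.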

    Acting on behalf of existing processes

Some organizations already have a working, automated process to submit, route and approve change requests. What these organizations require is automation to act on approved requests.

Identity Manager exposes both a web service and library-level RPCs to enable existing workflow processes to trigger administration actions, such as creating new accounts and updating or deactivating existing ones, on target systems.

    5.4 Scalability

Scalability in a combined system for user provisioning and password management is primarily determined by the password management component:

User provisioning is fairly uniform over time: change requests and administrative actions may take place on any day, at any hour.

In contrast, password management is very bursty. Most password changes happen at login time, in the morning. The largest spikes occur in the first work hour after a long weekend or holiday.

Password management is used multiple times per year by every user, unlike user provisioning, which often has no UI (automation) and/or is used infrequently (e.g., just by managers when they hire/fire).

Typical peak transaction rates for a 10,000 person organization are 10 events/hour for provisioning and 5,000 events/hour for password synchronization.

Accordingly, the following discussion focuses on Hitachi ID Password Manager, since password management requires extreme scalability. Hitachi ID Identity Manager is built on the same scalable architecture.

    Password Manager has been deployed in very large organizations, including:

One password reset system supporting 750,000 users and another supporting more than 2,000,000 users (both Extranet-facing).

Internal corporate deployments with up to 300,000 users.

Users distributed over six continents (nobody in Antarctica).

A single Password Manager instance, running on a single server, managing passwords on over 3,200 stand-alone Unix systems.

    This level of scalability is a result of many features:

    Built-in, real-time database replication between servers (WAN-friendly, encrypted).


    Explicit support for multi-master, load-balanced configurations with cooperation between replica servers.

Multi-threaded operation of the UI components, service components and connectors.

In addition, Identity Manager incorporates many features that, while not directly performance-related, are needed to operate in large, complex networks:

Compatibility with reverse web proxies, which can expose some or all of the Identity Manager UI to less-trusted network segments (e.g., DMZ).

An application proxy server, which allows Identity Manager to connect to target systems across firewalls.

    Support for multiple languages (including Unicode) per running instance.

    Auto-discovery of users and groups on integrated systems and applications.

    5.5 Security

    Hitachi ID Identity Manager strengthens security by:

Quickly and reliably removing access to all systems and applications when users leave an organization.

    Finding and helping to clean up orphan and dormant accounts.

    Assigning standardized access rights, using roles and rules, to new and transitioned users.

    Enforcing policy regarding segregation of duties and identifying users who are already in violation.

    Ensuring that changes to user entitlements are always authorized before they are completed.

Asking business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.

Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.

Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.

Identity Manager is designed to be secure. It is protected using a multi-layered security architecture, which includes running on a hardened OS, using file system ACLs, providing strong application-level user authentication, filtering user inputs, encrypting sensitive data, enforcing application-level ACLs and storing log data indefinitely.

Identity Manager never requires plaintext passwords to be stored in configuration files or scripts and does not store plaintext passwords anywhere. Identity Manager does not ship with a default administrator password; one must be typed in at installation time.

    These security measures are illustrated in Figure 4.


Figure 4: Network architecture security diagram (layers shown: Application, comprising CGI user interfaces with input/output filtering, application-level ACL, server-local session state and random session/page keys, a locked-down web server with no ASP, COM, DDE, etc. and current service packs, Hitachi ID services with input/output filtering, application-level ACL, caller authentication and encrypted I/O, and an identity cache with sensitive data encrypted or hashed; Operating System, comprising file system and networking, hardened at current patch levels with most services disabled and all traffic in/out encrypted; Hardware, comprising CPU, storage and NICs, installed in a physically secure facility, alarmed and monitored)

    5.6 Rapid Deployment

Hitachi ID Systems solutions are optimized for rapid deployment; this is a core design principle across all products in the Hitachi ID Management Suite. Features such as a dynamic workflow, an architecture which does not depend on role engineering, auto-discovery of users on target systems and self-service login ID reconciliation are all designed to eliminate costly deployment steps and minimize ongoing administration.

    Hitachi ID Identity Manager is designed for rapid deployment:

    Built-in forms, policies, reports

All request forms, access control rules, approval processes and many reports are built into Identity Manager, so do not have to be manually configured for each customer.

    Powerful, built-in authorization engine

A change authorization engine is built into Identity Manager. Rather than requiring customers to draw diagrams for each business process, it automatically manages change authorization.

Important (but complex) features such as parallel invitations to multiple authorizers, approval by N of M people, reminders, escalation and delegation are simply built in and need not be configured by customers.

Using a single, dynamic, parametric authorization engine, organizations can focus on the key questions:

Is the change request syntactically correct and appropriate in its business context?

Whose authority is required before the request can be implemented?

This approach eliminates the need to define hundreds of flow-charts for various kinds of change requests.

    No requirement for role engineering

Identity Manager works without a formal model of user privileges, which may take years to develop. Automation can provision coarse-grained access for new users, and terminate all access for departed staff, without a detailed model of rights for each job code.

Workflow addresses the need to provision users with more fine-grained privileges using a request/approval/audit process, which requires very little work to set up.

    Cloning model accounts

Identity Manager creates new accounts by cloning existing ones, which have been identified by the Identity Manager administrator as models. This eliminates the need for Identity Manager administrators and platform administrators to collaborate in fully specifying the configuration of all new accounts.


    6 Return on Investment

    Hitachi ID Identity Manager reduces the cost of managing users and security entitlements:

Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate routine, manual user setup and tear-down.

Self-service eliminates IT involvement in simple updates to user names, phone numbers and addresses.

Delegated administration moves the responsibility for requesting and approving common requests, such as for new application or folder access, to business users.

Identity synchronization means that corrections to user information can be made just once, on an authoritative system, and are then automatically propagated to other applications.

Built-in reports make it easier to answer audit questions, such as "who had access to this system on this date?" or "who authorized this user to have this entitlement?"


    7 Summary

Efficient and reliable user provisioning yields better productivity for users, reduced administration overhead, and better security.

Hitachi ID Identity Manager allows organizations to streamline their user provisioning, access management and termination processes through:

Identity synchronization: Detect changes to personal data, such as phone numbers or department codes, on one system and automatically make matching changes on other systems for the same user.

Auto-provisioning: Detect new user records on a system of record (such as HR) and automatically provision those users with appropriate access on other systems and applications.

Auto-deactivation: Detect deleted or deactivated users on an authoritative system and automatically deactivate those users on all other systems and applications.

Self-service requests: Enable users to update their own profiles (e.g., new home phone number) and to request new entitlements (e.g., access to an application or share).

Delegated administration: Enable managers, application owners and other stake-holders to modify users and entitlements within their scope of authority.

Authorization workflow: Validate all proposed changes, regardless of their origin, and invite business stake-holders to approve them before they are applied to integrated systems and applications.

Consolidated reporting: Provide data about what users have what entitlements, what accounts are dormant or orphaned, change history, etc. across multiple systems and applications.

    Identity Manager is designed to be scalable, secure and easy to deploy.


    APPENDICES


    A Management Suite Overview

The Hitachi ID Management Suite is a complete identity and access management solution that enables organizations to more securely and efficiently manage the user lifecycle across enterprise applications and systems.

The Management Suite combines the power of Hitachi ID Systems' flagship technologies, Hitachi ID Identity Manager for user provisioning and Hitachi ID Password Manager for password management, with more targeted products including Hitachi ID Group Manager to manage user access rights, Hitachi ID Access Certifier to review user rights and clean up stale privileges and Hitachi ID Privileged Access Manager to secure access to privileged accounts.

The Management Suite creates real business value by increasing productivity for users, reducing IT overhead, strengthening network security and providing internal controls to support compliance with privacy protection and corporate governance regulations.

The Management Suite is designed as identity and access management middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and authentication factors across multiple systems and platforms. This is illustrated in Figure 5.

Figure 5: Management Suite Overview: Identity Middleware (Users: employees, contractors, customers and partners; Hitachi ID Management Suite business processes: synch./propagation, request/authorization, delegated administration, consolidated reporting; Target Systems: user objects, attributes, passwords, privileges, and related objects such as home directories, mail boxes and PKI certs.)

    The Management Suite includes several functional identity and access management modules:

Identity Manager: User provisioning, RBAC, SoD and access certification.

* Automated propagation of changes to user profiles, from systems of record to target systems.

* Workflow, to validate, authorize and log all security change requests.

* Automated, self-service and policy-driven user and entitlement management.

* Federated user administration, through a SOAP API to a user provisioning fulfillment engine.

* Consolidated access reporting.

Identity Manager includes the following modules, at no extra charge:

Access Certifier: Periodic review and cleanup of security entitlements.

* Delegated audits of user entitlements, with certification by individual managers and application owners, roll-up of results to top management and cleanup of rejected security rights.

Group Manager: Self-service management of security group membership.

* Self-service and delegated management of user membership in Active Directory groups.

Hitachi ID Org Manager: Delegated construction and maintenance of org chart data.


* Self-service construction and maintenance of data about lines of reporting in an organization.

Password Manager: Self-service management of passwords, PINs and encryption keys.

* Password synchronization.

* Self-service and assisted password reset.

* Enrollment and management of other authentication factors, including security questions, hardware tokens, biometric samples and PKI certificates.

Password Manager includes the following modules, at no extra charge:

Hitachi ID Login Manager: Automated application logins.

* Automatically sign users into systems and applications.

* Eliminate the need to build and maintain a credential repository, using a combination of password synchronization and artificial intelligence.

Hitachi ID Telephone Password Manager: Telephone self-service for passwords and tokens.

* Turn-key telephony-enabled password reset, including account unlock and RSA SecurID token management.

* Numeric challenge/response or voice print authentication.

* Support for multiple languages.

Privileged Access Manager: Control and audit access to privileged accounts.

* Periodically randomize privileged passwords.

* Ensure that IT staff access to privileged accounts is authenticated, authorized and logged.

    Group Manager is also available as a stand-alone product, as well as a component of Identity Manager.

The relationships between the Management Suite components are illustrated in Figure 6 on Page 26.

    ww.Hitachi-ID.com

    0, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: /pub/wp/documents/white/idsynch/ids-white-9.tex

Date: June 7, 2006


    Figure 6: Components of the Management Suite