TRANSCRIPT
1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Administration and governance of identities, entitlements and credentials.
2 Agenda
• Corporate
• Hitachi ID Identity Manager
• Hitachi ID Password Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation
3 Corporate
© 2018 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
3.2 Representative customers
3.3 Hitachi ID Suite
4 Hitachi ID Identity Manager
4.1 Compliance / internal controls
Challenges:
• Slow and unreliable deactivation when people leave.
• Orphan and dormant accounts.
• Users with no-longer-needed access.
• Access that violates SoD policies or represents high risk.
• Unreliable approvals for access requests.
• Audit failures and regulatory risk.
Solutions:
• Automate deactivation based on the system of record (SoR), typically HR.
• Review and remediate excessive access (certification).
• Block requests that would violate SoD.
• Analyze entitlements to find policy violations and high-risk users.
• Automatically route access requests to the appropriate stakeholders.
4.2 Access administration cost
Challenges:
• Multiple FTEs required to set up and deactivate access.
• Additional burden on platform administrators.
• Audit requests can add significant strain.
Solutions:
• Automate access setup and tear-down in response to changes in systems of record (SoRs).
• Simple, business-friendly access request forms.
• Route requests to authorizers automatically.
• Automate fulfillment where possible.
• Help auditors help themselves:
– With certification, auditors focus on process, not entitlements.
– Reports and analytics.
4.3 Access changes take too long
Challenges:
• Approvers take too long.
• Too many IT staff required to complete approved requests.
• Service is slow and expensive to deliver.
Solutions:
• Automatically grant access:
– Where predicted by job function, location, ...
– Eliminate the request/approval process where possible.
• Streamline approvals:
– Automatically assign authorizers, based on policy.
– Invite participants simultaneously, not sequentially.
– Enable approvals from a smart phone.
– Pre-emptively escalate when stakeholders are out of office.
• Automate fulfillment where possible.
4.4 Access requests are too complicated
Challenges:
• Requesting access is complex:
– Where is the request form?
– What access rights do I need?
– How do I fill this in?
– Who do I send it to, for approval?
• Complexity creates frustration.
Solutions:
• Auto-assign access when possible.
• Simplify request forms.
• Intercept "access denied" errors:
– Lead users to the appropriate request forms.
• Compare entitlements:
– Help requesters select entitlements.
– Compare the recipient's rights with those of a model user.
– Select from a small set of differences.
• Automatically assign authorizers based on policy.
4.5 Too many groups
Challenges:
• Too many security groups and mail distribution lists.
• Groups represent business functions but are only manageable by IT.
• Hard to tell whether membership and access are appropriate.
• Assigning privileges is complex and costly.
• Groups and memberships persist long after needed.
Solutions:
• Empower business users to create and manage groups directly.
• Apply policy to requests, naming and metadata.
• Make groups and memberships temporary where possible.
• Calculate group membership where there is supporting data.
• Use request/approval and review/revoke workflows to clean up.
• Apply analytics to find groups that are too small, too large, overlapping, etc.
5 Hitachi ID Password Manager
5.1 Too many passwords
Challenges:
• Users have too many passwords.
• Write them on sticky notes.
• Forget them and call the help desk.
• Pick trivial, insecure values.
Solutions:
• Synchronize passwords.
• Reduce to one or a few.
• Easier to remember.
• Less likely to be written down.
• Opportunity to mandate stronger passwords.
5.2 Help desk call volume
Challenges:
• Users forget their passwords.
• Lock themselves out.
• Highest-volume incident type.
• Peak volume at the start of the week.
Solutions:
• Self-service password reset.
• Clear intruder lockouts.
• PIN resets and emergency pass-codes for tokens.
5.3 Automated user enrollment
Challenges:
• Self-service depends on non-password credentials:
– Security questions.
– Mobile phone number.
– Personal e-mail address.
– App on smart phone.
• This data rarely exists prior to deployment.
• New hires must enroll too.
• ROI depends on user adoption:
– Users tend to ignore invitations.
Solutions:
• Identify users with incomplete profiles.
• Invite them to sign up. Send reminders with increasing urgency:
– E-mail.
– Open browser at login time.
– Forced enrollment (full screen, locked browser).
• Throttle invitations:
– Per user (e.g., once a week).
– Overall (e.g., 500/day).
5.4 Password reset from difficult contexts
Challenges:
• Users have trouble logging in:
– Forget their password.
– Trigger an intruder lockout.
• User context can complicate assistance:
– Pre-boot? No OS yet!
– Login screen? How to navigate to self-service?
– Off-site? Locally cached password.
Solutions:
• Pre-boot:
– Smart phone app or voice call to access the service.
– Encrypted drive unlock.
• Windows login screen:
– Credential Provider extends the Windows login UI.
– Smart phone app or voice call.
– Secure kiosk account if client software is a problem.
• VPN integration:
– Update the locally cached password for off-site users.
5.5 Need consistently strong authentication
Challenges:
• Few apps natively support multi-factor logins.
Solutions:
• Mandate strong authentication before self-service password reset.
• Offer 2FA to all users:
– PIN to phone/e-mail.
– Smart phone app.
– Existing OTP.
– Browser fingerprint (reduces the nuisance of 2FA).
• Built into Hitachi ID Suite:
– Leverage existing 2FA if available.
– Introduce zero-cost 2FA otherwise.
• Extend 2FA to other apps via federation:
– Hitachi ID Password Manager includes a built-in SAML IdP.
6 Recorded Demos
6.1 Access request (new contractor)
Animation: ../../pics/camtasia/v10/hiim-onboarding-contractor-original-resolution.mp4
6.2 Create group
Animation: ../../pics/camtasia/suite11/higm-group-create.mp4
6.3 Access review by managers
Animation: ../../pics/camtasia/suite11/org-cert.mp4
6.4 Intercept ’Access denied’ dialogs
Animation: ../../pics/camtasia/suite11/higm-A-request-folder.mp4
6.5 Compare user entitlements
Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4
6.6 Mobile request approval
Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4
6.7 Actionable analytics: Disable orphans
Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4
6.8 Password reset with WiFi, VPN and 2FA
Animation: ../../pics/camtasia/v10/hipm-ssa-windows-10.mp4
6.9 Federated access launchpad
Animation: ../../pics/camtasia/v10.1/federated-launchpad.mp4
6.10 Activate Mobile Access app
Animation: ../../pics/camtasia/suite11/enable-mobile-device-1.mp4
6.11 Unlock pre-boot password
Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4
6.12 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4
7 Technology
7.1 Active-active architecture
[Architecture diagram: Hitachi ID servers replicated between Data center A and Data center B, plus a remote data center; load balancers, firewalls, reverse web proxy, VPN server, IVR server, mobile proxy and (if needed) an outbound proxy server; HR system of record, ticketing system and "cloud" SaaS apps; managed endpoints reached via remote agent (AD, SQL, SAP, Notes, etc.), z/OS via local agent, and MS SQL databases; password synch trigger systems (AD, Unix, z/OS, LDAP, iSeries) for native password change and password validation. Link labels: TCP/IP + AES (replication), various protocols, secure native protocol, HTTPS (manage and mobile UI), tickets, notifications and invitations.]
7.2 Key architectural features
[Diagram: the 7.1 topology reduced to "cloud" SaaS apps, Data center A, Data center B and a remote data center, with links labelled TCP/IP + AES, various protocols, secure native protocol and HTTPS.]
• Reach across firewalls.
• Load balanced.
• On premises and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.
7.3 Internal architecture
• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
– Fault tolerant.
– Secure: encrypted.
– Reliable: queue and retry.
– App nodes need not, and should not, be co-located.
• Native, 64-bit code:
– 2x faster than .NET.
– 10x faster than Java.
• Stored procedures:
– For all data lookups and inserts.
– Fast, efficient.
– Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512.
7.4 BYOD access to on-premises IAM system
The challenge:
• Users want access on their phones.
• Phone is on the Internet, IAM is on-prem.
• Don't want attackers probing IAM from the Internet.
Hitachi ID Mobile Access:
• Install and activate the iOS or Android app.
• Proxy service on the DMZ or in the cloud.
• IAM and phone both call the proxy: no firewall changes.
• IAM not visible on the Internet.
[Diagram: personal device on the Internet; cloud proxy (a message passing system) in the DMZ; IAM server on the private corporate network, behind two firewalls; outbound connections only. (1) IAM worker thread: "Give me an HTTP request." (2) HTTPS request from the device: includes userID, deviceID. (3) Message passing between the proxy and the IAM server.]
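The relay pattern in the diagram, as an added simulation that is not Hitachi ID code: the proxy is a dumb message-passing relay that the phone posts to and that the IAM server polls with outbound calls only, so the proxy never needs a route into the private network. The device-activation table, the request fields and the single "approve" action are assumptions made for the example; the slide only states that requests carry a userID and a deviceID.

```python
"""Outbound-only mobile relay, simulated in one process.

Added example, not Hitachi ID code. Flow per the slide: the phone submits a
request to the DMZ/cloud proxy; an IAM worker on the private network asks
the proxy for the next request (outbound call), handles it, and posts the
reply back (another outbound call). The proxy never connects to the IAM
server and holds no policy, so it learns nothing from a compromise beyond
queued, unauthenticated requests.
"""
import uuid
from collections import deque


class CloudProxy:
    """Message-passing relay in the DMZ or cloud. Pairs requests with replies only."""

    def __init__(self):
        self._inbox = deque()   # requests waiting for an IAM worker
        self._replies = {}      # request_id -> reply

    # --- called by the phone app over HTTPS (inbound to the proxy) ---
    def submit(self, user_id, device_id, action, params):
        request_id = str(uuid.uuid4())
        self._inbox.append({"id": request_id, "user_id": user_id,
                            "device_id": device_id, "action": action,
                            "params": params})
        return request_id

    def fetch_reply(self, request_id):
        return self._replies.pop(request_id, None)

    # --- called by the IAM worker (outbound from the private network) ---
    def next_request(self):
        """Long-poll stand-in: hand over the oldest pending request, if any."""
        return self._inbox.popleft() if self._inbox else None

    def post_reply(self, request_id, reply):
        self._replies[request_id] = reply


class IAMServer:
    """On-premises side. Every decision is made here: the (user_id, device_id)
    pair must match a device the user activated earlier (assumed enrollment
    step) before the action is even looked at."""

    def __init__(self, proxy):
        self._proxy = proxy
        self._activated = {}            # user_id -> set of activated device_ids
        self._pending_approvals = {}    # approval_id -> approver user_id

    def activate_device(self, user_id, device_id):
        self._activated.setdefault(user_id, set()).add(device_id)

    def create_approval(self, approval_id, approver):
        self._pending_approvals[approval_id] = approver

    def _handle(self, req):
        if req["device_id"] not in self._activated.get(req["user_id"], set()):
            return {"status": "rejected", "reason": "unknown device"}
        if req["action"] == "approve":
            approval_id = req["params"].get("approval_id")
            if self._pending_approvals.get(approval_id) != req["user_id"]:
                return {"status": "rejected", "reason": "not the approver"}
            del self._pending_approvals[approval_id]
            return {"status": "ok", "approved": approval_id}
        return {"status": "rejected", "reason": "unsupported action"}

    def poll_once(self):
        """One iteration of the worker thread: outbound poll, handle, outbound reply."""
        req = self._proxy.next_request()
        if req is None:
            return False
        self._proxy.post_reply(req["id"], self._handle(req))
        return True


def demo():
    """Constructed scenario: a registered phone approves REQ-42; an unregistered
    phone presenting the same user ID is refused by the IAM server, not the proxy."""
    proxy = CloudProxy()
    iam = IAMServer(proxy)
    iam.activate_device("alice", "phone-1")
    iam.create_approval("REQ-42", "alice")

    ok_id = proxy.submit("alice", "phone-1", "approve", {"approval_id": "REQ-42"})
    bad_id = proxy.submit("alice", "stolen-phone", "approve", {"approval_id": "REQ-42"})
    while iam.poll_once():
        pass
    return proxy.fetch_reply(ok_id), proxy.fetch_reply(bad_id)


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the trust boundary sits: the proxy authenticates nothing, so a compromised proxy can at most replay or drop messages, and the IAM server still refuses any device that was not activated from inside.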
7.5 Included connectors
Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows NT through 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.
7.6 Integration with custom apps
• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed-cost service available from Hitachi ID.
7.7 HiTPM: self-service via phone call
Self-contained:
• Hitachi ID Phone Password Manager runs on a Windows server with a Dialogic phone card or with the Dialogic HMP software solution.
• No IVR software is required.
Flexible:
• Fully scriptable and can implement any call logic.
• Multi-lingual: just record more voice prompts.
• The default call logic is powerful and easy to customize.
Integrated with Hitachi ID Password Manager:
• Manage user enrollment.
• Map network login ID to digits.
• HiPM ties to target systems.
Scalable:
• Multiple load balanced HiTPM servers.
• Multiple load balanced HiPM servers.
7.8 Language support
The Hitachi ID Password Manager UI can be rendered in many languages.
Languages are easy to add. Hitachi ID will do it for a nominal fee, and customers can do it themselves.
8 Implementation
8.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Suite, including:
– Needs analysis and solution design.
– Fixed-price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
– Solution design.
– Statement of work.
8.2 ID Express
Before reference implementations:
• Every implementation starts from scratch.
• Some code reuse, in the form of libraries.
• Even simple business processes have complex boundary conditions:
– Onboarding: initial passwords, blocking rehires.
– Termination: scheduled vs. immediate, warnings, cleanup.
– Transfers: move mailboxes and home directories, trigger recertification.
• Complex processes often scripted.
• Delay, cost, risk.
With Hitachi ID Identity Express:
• Start with a fully configured system.
• Handles all the basic user lifecycle processes out of the box.
• Basic integrations pre-configured (HR, AD, Exchange, Windows).
• Implementation means "adjust as required", not "build from scratch."
• Configuration is fully data driven (no scripts).
• Fast, efficient, reliable.
8.3 Identity Express - Corporate Edition
• Integrations:
– SQL-based HR SoR.
– AD domain.
– Exchange domain (mailboxes).
– Windows filesystem (home directories).
• Entitlements:
– Login IDs.
– Group memberships.
– Roles.
• User communities:
– Employees.
– Contractors/other.
• Configuration:
– Based on user classes, rules tables and lookup tables.
– Near-zero script logic.
• Automation:
– Onboard/deactivate based on SoR.
– Identity attribute propagation.
• Self-service:
– Password and security question management.
– Updates to contact info.
– Requests for application, share and folder access.
• Delegated admin:
– Same as self-service, plus recertification.
• Approval workflows:
– IT security (global rights).
– HR/managers (approve for each other).
• Recertification:
– Scheduled.
– Ad-hoc.
9 Differentiation
9.1 HiIM differentiation (1/3)
Feature: Hitachi ID Identity Express
Details:
• Pre-configured processes, policies.
• Full implementation or menu of components.
• Rich processes.
• Faster deployment.
• Low implementation risk.
Competitors:
• Slow, risky deployment.
• Never get around to J/M/L process automation.

Feature: Requester usability
Details:
• Intercept "access denied" errors.
• Compare entitlements of recipient and model users.
• Usability aid for requesters.
Competitors:
• Hard to find request portal.
• Users don't know how to request access.
• Low user adoption.
• Reduced ROI.

Feature: SoD actually works
Details:
• Hierarchy of roles, groups.
• Roles can contain groups, more roles.
• Groups can contain other groups.
• SoD defined at one level, violation may happen at another.
• Hitachi ID Identity Manager reliably detects, prevents violations.
Competitors:
• Fail to detect some violations.
• Users can bypass controls.
• False sense of security.
• Audit failures.
• Regulatory risk.
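Two of the points above (the model-user entitlement comparison from section 4.4 and the "SoD defined at one level, violation at another" argument here) come down to the same mechanic: an SoD rule written against two leaf entitlements is only meaningful once roles that contain groups, roles that contain roles and groups that contain groups have all been flattened to the entitlements a user effectively holds. The following is an added example written for this page, not Hitachi ID's code or its data model; the role/group hierarchy, the entitlement names and the two SoD rules are constructed sample data.

```python
"""Effective-entitlement SoD check across nested roles and groups.

Added example, not Hitachi ID code. A user directly assigned one role looks
clean; flattening the role through its nested groups shows it carries both
halves of a toxic combination. The same flattening drives a pre-approval
check on a requested item and the "compare with a model user" aid.
"""
from collections import deque

# Constructed sample hierarchy: container -> direct members. Members that are
# not themselves containers are leaf entitlements.
CONTAINERS = {
    "role:finance-manager": ["role:ap-clerk", "group:gl-approvers"],
    "role:ap-clerk": ["group:ap-entry"],
    "group:gl-approvers": ["group:gl-approve-base", "ent:approve-payments"],
    "group:gl-approve-base": ["ent:view-ledger"],
    "group:ap-entry": ["ent:create-vendor", "ent:enter-invoice"],
}

# Constructed SoD rules: pairs of leaf entitlements one identity must not hold together.
SOD_RULES = [
    ("ent:create-vendor", "ent:approve-payments"),
    ("ent:enter-invoice", "ent:approve-payments"),
]


def flatten(assigned, containers=CONTAINERS):
    """Map each leaf entitlement reachable from `assigned` to the path that reached it.

    Breadth-first over the role/group graph; `seen` makes a cyclic membership
    (group A contains group B contains group A) terminate instead of looping.
    """
    leaves = {}
    seen = set()
    queue = deque((item, (item,)) for item in assigned)
    while queue:
        item, path = queue.popleft()
        if item in seen:
            continue
        seen.add(item)
        if item in containers:
            for child in containers[item]:
                queue.append((child, path + (child,)))
        else:
            leaves.setdefault(item, path)   # keep the first (shortest) path found
    return leaves


def sod_violations(assigned, rules=SOD_RULES, containers=CONTAINERS):
    """Violated rules for a set of direct assignments, each with the paths that
    explain how both sides were reached (the evidence an auditor needs)."""
    leaves = flatten(assigned, containers)
    return [{"rule": (a, b), "via": {a: leaves[a], b: leaves[b]}}
            for a, b in rules if a in leaves and b in leaves]


def would_violate(current, requested, rules=SOD_RULES, containers=CONTAINERS):
    """Pre-approval check: new violations created by adding `requested` to `current`."""
    before = {h["rule"] for h in sod_violations(current, rules, containers)}
    after = sod_violations(set(current) | {requested}, rules, containers)
    return [h for h in after if h["rule"] not in before]


def suggest_from_model(recipient, model, rules=SOD_RULES, containers=CONTAINERS):
    """Model-user comparison (section 4.4): items the model user holds and the
    recipient does not, each tagged with whether requesting it would break SoD."""
    return [(item, bool(would_violate(recipient, item, rules, containers)))
            for item in sorted(set(model) - set(recipient))]


if __name__ == "__main__":
    for v in sod_violations({"role:finance-manager"}):
        print(v)
    print(suggest_from_model({"role:ap-clerk"},
                             {"role:ap-clerk", "group:gl-approvers", "group:gl-approve-base"}))
```

A check that compares only the requester's direct assignments against the rule table would pass `role:finance-manager` and miss both violations; running the same rules over the flattened set catches them and records the path through `group:gl-approvers` that an approver can act on.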
9.2 HiIM differentiation (2/3)
Feature: Active-active architecture
Details:
• Multiple servers.
• Load balanced.
• Geographically distributed.
• No single point of failure.
• Scalable.
Competitors:
• Single points of failure.
• Costly to scale.
• Slow to recover from disasters.

Feature: Smart phone access
Details:
• Android and iOS apps.
• Cloud-hosted proxy.
• No public URL.
• Approvals, 2FA, contact download, etc.
Competitors:
• Require a public URL.
• Less secure / rarely permitted.
• No viable BYOD strategy.
• Impacts security, approval SLA.

Feature: Actionable analytics
Details:
• Link report output to request input.
• Automated remediation.
• Immediate or scheduled.
• No coding.
Competitors:
• Fewer reports, analytics.
• No automated remediation.
9.3 HiIM differentiation (3/3)
Feature: Group lifecycle management
Details:
• Included.
Competitors:
• Absent from most competitors.

Feature: Governance, provisioning in one product
Details:
• Governance: requests, approvals, certification, SoD, RBAC, analytics.
• Provisioning: connectors, J/M/L process automation.
• Single, integrated solution.
Competitors:
• Some focus on governance (no remediation, no J/M/L process automation).
• Others focus on provisioning (no certification, limited analytics).
• Higher total cost.
• Integration risk.

Feature: Policies built on relationships
Details:
• Relationships drive all policies in Hitachi ID Identity Manager.
• Who can a user search for?
• What data is visible?
• What changes are requestable?
• Who will be asked to approve?
• Escalation path?
Competitors:
• Hierarchical access controls.
• Script code for exceptions.
• Costly, risky.
• Hard to configure, maintain.
9.4 HiPM differentiation
The most features:
• Manage all credentials:
– Passwords on directories, servers, apps, DBs.
– On-premises and SaaS.
– Pre-boot passwords.
– Smart cards and tokens.
• 2FA for all users.
• Personal password vault.
• Federated single sign-on (SAML IdP).
• 120+ connectors included.
Always available:
• Corporate PCs:
– Pre-boot unlock screen.
– Windows/Mac OS X login screen.
– Desktop browser.
• Smart phone app.
• Voice call to IVR.
• At work and off-site.
Scalable:
• Multi-master, active-active.
• Load balanced, replicated.
• Geographically distributed.
• Multi-lingual.
The best ROI:
• Reduce problem frequency:
– Address the root cause.
– Don't just download problem resolution to users.
• Managed enrollment to maximize adoption.
• Rapid deployment, minimal maintenance.
9.5 The leading PM vendor
Innovation:
• Self-Service, Anywhere.
• Drive unlock via smart phone app or call to IVR.
• Integrated password wallet.
• Integrated federated access and SSO.
• 2FA for everyone.
Ongoing support:
• Responsive and skilled customer support.
• Unattended operation:
– Auto-discovery.
– Managed enrollment.
– Metrics and trend analysis.
– SIEM, help desk integration.
Low cost:
• Fixed-price implementation.
• Minimal need for ongoing maintenance.
10 Hitachi ID Suite summary
• Three integrated IAM products, licensed to over 14M users, that can:
– Discover and connect identities across systems and applications.
– Securely and efficiently manage identities, groups, entitlements and credentials.
– Secure and monitor access to privileged accounts.
– Provide strong authentication and federated sign-on.
• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
Date: 2018-06-14 | File: PRCS:pres