1 Hitachi ID Identity Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Manage identities, accounts, groups and roles: automation, requests, approvals, reviews, SoD and RBAC.
2 Agenda
• Introductions.
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Identity problems and Hitachi ID Identity Manager benefits.
• The Identity Manager solution.
• Software demonstration.
© 2019 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• 14M+ licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
4 Representative customers
5 Hitachi ID Suite
6 Access and credential challenges (1/2)
For users:
• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.
For IT support:
• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.
7 Access and credential challenges (2/2)
For Security / risk / audit:
• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.
For Developers:
• Temporary access (e.g., prod migration).
• Half the code in every new app is the same:
– Identify.
– Authenticate.
– Authorize.
– Audit.
– Manage the above.
• Mistakes in this infrastructure create security holes.
8 Identity and access management
Identity and access management is software to automate processes to securely and efficiently manage identities, entitlements and credentials:
Processes:
• Data synchronization.
• Request portal.
• Workflows to invite human participation.
• Manual and automated fulfillment.
• Unique ID generation.
• Selection of approvers, reviewers and implementers.
Policies:
• Access reviews.
• Segregation of duties.
• Role-based access.
• Risk scores.
• Visibility, privacy.
Connectors:
• Applications.
• Databases.
• Operating systems.
• Directories.
• On-premises.
• Cloud-hosted.
9 Hitachi ID Suite component overview
Hitachi ID Identity Manager: Create, manage and delete users and entitlements. Automation, self-service and delegation.
Hitachi ID Access Certifier: Periodic review and cleanup of users and entitlements.
Hitachi ID Group Manager: Self service, resource-centric management of AD group membership.
Hitachi ID Password Manager: Synchronize, reset passwords. Manage RSA tokens, security questions, voice prints, PKI certs.
Periodically randomize and control access to sensitive passwords.
Addons
Hitachi ID Org Manager: Periodic updates to data mapping users to their managers.
Hitachi ID Phone PW Manager: Turn-key IVR for password reset and token management.
Hitachi ID Login Manager: Auto-populate login IDs and synchronized passwords for users.
10 Hitachi ID Suite in the user lifecycle
Each lifecycle stage is covered by automation, by self-service / request workflow, and by policy enforcement:
Onboarding:
• Automation: from HR (employees).
• Self-service / request workflow: web UI (contractors).
• Policy enforcement: role-based setup; standardized IDs, OU, mail store, etc.
Management:
• Automation: identity synchronization; automatic role changes.
• Self-service / request workflow: applications; group membership; profile updates; privileged access.
• Policy enforcement: SoD enforcement; authorize changes; ID mapping.
Support:
• Self-service / request workflow: password reset; resolve access denied errors.
• Policy enforcement: password strength; password expiry.
Deactivation:
• Automation: auto-termination.
• Self-service / request workflow: access certification; scheduled terminations.
• Policy enforcement: archive mailboxes, home dirs, etc.
11 HiIM features
Automation:
• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.
Integrations:
• 120+ bidirectional connectors, included.
• Manage resources including mail boxes, home directories and badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.
Request portal:
• Users can request for themselves or others.
• Access control model limits visibility, requestability.
Accounts and groups:
• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.
Workflow:
• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.
Policies, controls:
• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.
Certification:
• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.
12 Closed loop IAM
[Diagram: closed-loop IAM. Integrated systems of record feed detected changes (list people) into the Hitachi ID server, which generates automatic requests; users submit manual requests. The server validates requests, routes them for approval, invites authorizers, sends reminders, escalates and delegates. Authorizers approve, reject or delegate; reviewers review, certify and correct. Approved changes are auto-fulfilled on integrated target systems (list accounts; create, delete, update accounts) or handed to manual fulfillment on non-integrated systems (accept, confirm invitations). Updates flow back into the identity data.]
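As an added illustration of the automation and closed-loop pattern described in slides 11 and 12 (this is example code written here, not Hitachi ID Identity Manager code): one reconciliation pass compares a constructed HR system-of-record feed with the accounts on one target system and emits the grant, revoke and review requests that a workflow would then route for approval. The employee ids, logins, entitlement names and the single SoD rule are constructed sample data.

```python
# Added illustration (not Hitachi ID code): reconcile an HR system of record against one
# target system's account list and emit the requests an approval workflow would route.
from collections import namedtuple

Request = namedtuple("Request", "action login reason")  # action: grant, revoke or review

# Hypothetical SoD rule: these two entitlements must never be held by one person.
SOD_CONFLICTS = [frozenset({"ap-create-vendor", "ap-approve-payment"})]

# Constructed SoR feed: employee id -> HR status and the entitlements the role requires.
SOR = {
    "E100": {"status": "active", "entitlements": {"ap-create-vendor"}},
    "E101": {"status": "active", "entitlements": {"ap-create-vendor", "ap-approve-payment"}},
    "E102": {"status": "terminated", "entitlements": set()},
}
# Constructed target-system accounts: login -> SoR owner (None if unmapped) and entitlements.
ACCOUNTS = {
    "jdoe": {"owner": "E101", "entitlements": {"ap-create-vendor", "ap-approve-payment"}},
    "tsmith": {"owner": "E102", "entitlements": {"ap-create-vendor"}},
    "svc_old": {"owner": None, "entitlements": {"ap-approve-payment"}},
}

def sod_violations(entitlements):
    """Conflicting pairs present in a single person's entitlement set."""
    return [c for c in SOD_CONFLICTS if c <= set(entitlements)]

def reconcile(sor, accounts):
    """Turn detected SoR/target differences into grant, revoke and review requests."""
    requests = []
    owned = {a["owner"]: login for login, a in accounts.items() if a["owner"]}
    for emp, person in sor.items():
        login = owned.get(emp)
        if person["status"] != "active":
            if login is not None:          # terminated in HR but the account is still live
                requests.append(Request("revoke", login, "owner terminated in SoR"))
        elif sod_violations(person["entitlements"]):  # never auto-grant a toxic combination
            requests.append(Request("review", login or emp, "role set violates SoD"))
        elif login is None:                # onboarding: active in HR, no account yet
            requests.append(Request("grant", emp, "new hire without account"))
        else:                              # drift: role requires more than the account holds
            for e in sorted(person["entitlements"] - accounts[login]["entitlements"]):
                requests.append(Request("grant", login, f"role requires {e}"))
    for login, a in accounts.items():      # orphans: no SoR person behind the account
        if a["owner"] not in sor:
            requests.append(Request("review", login, "orphan account: no SoR owner"))
    return requests
```

Running `reconcile(SOR, ACCOUNTS)` on the sample data yields one grant (new hire E100), one revoke (terminated owner of tsmith) and two review requests (jdoe's SoD conflict and the orphan svc_old); a real deployment would hand these to the approval workflow rather than apply them directly.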
13 IM technology advantages
Unique features:
• Group lifecycle management.
• Requester usability: intercept "Access Denied" errors, compare users, recommend entitlements.
• Rapid approvals, including from BYOD.
• Access rights based on relationships.
• Combine auto- and manual fulfillment.
• SoD engine actually works.
Rapid deployment:
• Hitachi ID Identity Express accelerates deployment.
• Key features built-in:
– Request forms.
– Authorization workflow.
– Access certification.
• Customers actually automate processes, don't get stuck in "clean up" of legacy data.
Scalable platform:
• Real-time data replication.
• Multi-master, active-active.
• Proxy server to cross firewalls.
• Native code + stored procedures.
Integrations:
• 120+ included connectors.
• Flexible/scriptable connectors.
• Incident management/ticketing.
• SIEM.
14 The Hitachi ID solution is flexible
Customize:
• Every aspect of the user interface.
• Input validation.
• Attribute mapping to target systems.
Integrate with:
• 120+ target system types.
• Call tracking systems.
• HR systems.
• Authentication hardware.
• Meta directories.
Enforce:
• Password policy.
• Authentication rules.
• Change authorization rules.
• User naming standards.
15 Scalability and fault-tolerance
• Multiple, load-balanced Hitachi ID Identity Manager servers:
– Active/active architecture.
• Data replication between nodes:
– Built-in, easy to configure.
– WAN-friendly (high latency, low bandwidth, insecure channels).
– Reliable (multiple retry queues).
• Native code and SQL stored procedures run faster than Java and object persistence frameworks.
• Proxy servers resolve connection problems:
– Across firewalls.
– Over slow, insecure network routes.
• Large production deployments:
– 12M managed identities.
– 150,000 managed systems.
– 12 load balanced, replicated IAM servers in 4 locations on 3 continents.
– 15,000 completed transactions/hour.
16 Included connectors
Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.
17 Integration with custom apps
• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
18 Active-active architecture
[Diagram: active-active architecture. Hitachi ID servers in data center A and data center B, with replication between them and to a remote data center, behind load balancers and firewalls. A "cloud" zone holds the reverse web proxy, VPN server, IVR server and mobile proxy serving the web and mobile UI over HTTPS. Integrations: HR system of record; ticketing system (tickets); notifications and invitations; SaaS apps; managed endpoints (AD, SQL, SAP, Notes, etc.), managed endpoints with remote agent, z/OS with local agent, MS SQL databases; password synch trigger systems (native password change, validate pw) on AD, Unix, z/OS, LDAP and iSeries; a proxy server where needed. Transports are labelled TCP/IP + AES, various protocols, secure native protocol and HTTPS.]
19 Server block diagram
[Diagram: server block diagram. End users and admin/config users reach the IIS web server from a web browser over HTTPS. Hitachi ID server internal components: business logic, integrations and core services; workflow manager; IDTM transaction manager; PSUPDATE auto-discovery; IDTRACK automation engine; IDDB database manager using stored procs against MSSQL (identity cache, requests, configuration, history); exits, plugins and connectors. Managed endpoints are reached over the native API/protocol, either directly, through a Hitachi ID proxy server at a remote site using the Hitachi ID encrypted protocol, or via a local agent. Servers exchange real-time encrypted replication.]
20 Rapid deployment and low TCO
Optimized to minimize effort:
• Identity Manager:
– Initial deployment: 2 – 4 months.
– Ongoing maintenance: 0.5 – 1.0 FTE.
Using Hitachi ID Identity Manager technology:
• Hitachi ID Identity Express – typical use cases preconfigured.
• Built-in discovery, mapping of IDs, entitlements.
• Policy driven workflow, included.
• Implementer process for small apps.
• RBAC (can be costly) is optional.
• 120 connectors out of the box (more easy to add).
21 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
– Needs analysis and solution design.
– Fixed price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
– Solution design.
– Statement of work.
22 Hitachi ID solution delivery
Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.
Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1–3 months. Work is reviewed and payment is due when milestones are met.
Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.
Templates: Template documents and sample business logic are used to expedite work.
Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.
23 AdMax: Maximizing user adoption
• Successful implementation of an identity and access management system must be supported by an effective user adoption program.
• AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects.
• AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions, using:
– Best practices, case studies and industry norms.
– Enrollment, user adoption and ROI measurement.
– Incentive and disincentive programs.
– Presentations and training materials for users and HD staff.
– Project roles and responsibilities.
– Sample project plans, promotional materials, e-mails, graphics and other user communications.
– Workbooks for project implementation.
24 Summary
An integrated solution for managing identities and entitlements:
• Automation: onboarding, deactivation, detect out-of-band changes.
• Manage identities, accounts, groups and roles.
• Self-service: profile updates, access requests.
• Governance: certification, authorization workflow, RBAC, SoD, analytics.
• Automatically manage identities, entitlements: 120 bidirectional connectors.
• Other integrations: filesystem, collaboration, SIEM, incident management.
• Rapid deployment: pre-configured Hitachi ID Identity Express.
Security, lower cost, faster service.
Learn more at hitachi-id.com/identity-manager
25 Getting an IAM project started
• Build a business case.
• Get management sponsorship and a budget.
• Discovery phase, capture detailed requirements.
• Assemble a project team:
– security
– system administration
– user support
– etc.
• Try before you buy: demos, POCs, pilots.
• Install the software, roll to production.
• Enroll users, if/as required.
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]
Date: 2019-11-20