
1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Administration and governance of identities, entitlements and credentials.

2 Agenda

• Hitachi ID Suite
• Technology
• Implementation
• Differentiation

3 Overview

© 2017 Hitachi ID Systems, Inc. All rights reserved. 1


3.1 Hitachi ID Suite

4 Hitachi ID Identity Manager

4.1 Compliance / internal controls

Challenges:

• Slow and unreliable deactivation when people leave.
• Orphan and dormant accounts.
• Users with no-longer-needed access.
• Access that violates SoD policies or represents high risk.
• Unreliable approvals for access requests.
• Audit failures and regulatory risk.

Solutions:

• Automate deactivation based on the SoR (HR).
• Review and remediate excessive access (certification).
• Block requests that would violate SoD.
• Analyze entitlements to find policy violations and high-risk users.
• Automatically route access requests to the appropriate stake-holders.


4.2 Access administration cost

Challenges:

• Multiple FTEs required to set up and deactivate access.
• Additional burden on platform administrators.
• Audit requests can add significant strain.

Solutions:

• Automate access setup and tear-down in response to changes in systems of record (SoRs).
• Simple, business-friendly access request forms.
• Route requests to authorizers automatically.
• Automate fulfillment where possible.
• Help auditors help themselves:
– With certification, auditors focus on process, not entitlements.
– Reports and analytics.

4.3 Access changes take too long

Challenges:

• Approvers take too long.
• Too many IT staff required to complete approved requests.
• Service is slow and expensive to deliver.

Solutions:

• Automatically grant access:
– Where predicted by job function, location, ...
– Eliminate the request/approval process where possible.
• Streamline approvals:
– Automatically assign authorizers, based on policy.
– Invite participants simultaneously, not sequentially.
– Enable approvals from a smart-phone.
– Pre-emptively escalate when stake-holders are out of office.
• Automate fulfillment where possible.


4.4 Access requests are too complicated

Challenges:

• Requesting access is complex:
– Where is the request form?
– What access rights do I need?
– How do I fill this in?
– Who do I send it to, for approval?
• Complexity creates frustration.

Solutions:

• Auto-assign access when possible.
• Simplify request forms.
• Intercept "access denied" errors:
– Navigate/lead users to the appropriate request forms.
• Compare entitlements:
– Help requesters select entitlements.
– Compare recipient and model user rights.
– Select from a small set of differences.
• Automatically assign authorizers based on policy.

5 Hitachi ID Password Manager


5.1 Too many passwords

Challenges:

• Users have too many passwords.
• Write them on sticky notes.
• Forget and call the help desk.
• Pick trivial, insecure values.

Solutions:

• Synchronize passwords.
• Reduce to 1 or a few.
• Easier to remember.
• Less likely to write down.
• Opportunity to mandate stronger passwords.

5.2 Help desk call volume

Challenges:

• Users forget their passwords.
• Lock themselves out.
• Highest volume incident type.
• Peak volume at start of week.

Solutions:

• Self-service password reset.
• Clear intruder lockouts.
• PIN resets and emergency pass-codes for tokens.


5.3 Automated user enrollment

Challenges:

• Self service depends on non-password credentials:
– Security questions.
– Mobile phone number.
– Personal e-mail address.
– App on smart phone.
• This data rarely exists prior to deployment.
• New hires must enroll too.
• ROI depends on user adoption:
– Users tend to ignore invitations.

Solutions:

• Identify users with incomplete profiles.
• Invite them to sign up. Send reminders with increasing urgency:
– E-mail.
– Open browser at login time.
– Forced enrollment (full screen, locked browser).
• Throttle invitations:
– Per user (e.g., once a week).
– Overall (e.g., 500/day).
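The enrollment campaign in 5.3 is a small scheduling problem: decide who is still missing credentials, escalate the reminder channel with each attempt, and apply both throttles. The following is an added example (not Hitachi ID code) that implements it; the profile fields, the rule that a profile is complete once two non-password credentials are on file, and the sample users are assumptions made for the illustration.

```python
"""Enrollment invitation scheduler (added illustration, not Hitachi ID code).

Finds users whose profile lacks the non-password credentials that
self-service depends on, reminds them with increasing urgency (e-mail,
then a browser opened at login, then forced full-screen enrollment), and
throttles invitations per user (one per week) and overall (500 per day).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Escalation ladder: each reminder moves one step up and stays at the top.
CHANNELS = ["email", "browser_at_login", "forced_enrollment"]

PER_USER_INTERVAL = timedelta(days=7)   # "once a week"
DAILY_QUOTA = 500                        # "500/day"
DEMO_DATE = date(2017, 7, 24)            # constructed "today" for the demo


@dataclass
class Profile:
    user_id: str
    has_questions: bool = False        # security questions answered
    has_mobile: bool = False           # mobile phone number on file
    has_personal_email: bool = False
    has_app: bool = False              # smart phone app activated
    invites_sent: int = 0
    last_invite: Optional[date] = None

    def complete(self) -> bool:
        # Assumed policy: at least two non-password credentials on file.
        creds = (self.has_questions, self.has_mobile,
                 self.has_personal_email, self.has_app)
        return sum(creds) >= 2


def next_channel(p: Profile) -> str:
    """Channel for the user's next reminder, escalating with each one sent."""
    return CHANNELS[min(p.invites_sent, len(CHANNELS) - 1)]


def due(p: Profile, today: date) -> bool:
    """Per-user throttle: complete profiles are never invited; incomplete
    ones at most once per PER_USER_INTERVAL."""
    if p.complete():
        return False
    if p.last_invite is None:
        return True
    return today - p.last_invite >= PER_USER_INTERVAL


def plan_invitations(profiles: List[Profile], today: date,
                     quota: int = DAILY_QUOTA) -> List[Tuple[str, str]]:
    """Return [(user_id, channel)] for today and record the sends.

    The overall throttle is the daily quota. Users never invited, then
    those whose last reminder is oldest, are served first so a burst of
    new hires cannot starve long-standing holdouts.
    """
    candidates = [p for p in profiles if due(p, today)]
    candidates.sort(key=lambda p: (p.last_invite or date.min, p.user_id))
    plan = []
    for p in candidates[:quota]:
        plan.append((p.user_id, next_channel(p)))
        p.invites_sent += 1
        p.last_invite = today
    return plan


def sample_profiles(today: date = DEMO_DATE) -> List[Profile]:
    """Constructed sample data for the demonstration."""
    return [
        Profile("alice", has_questions=True, has_mobile=True),   # complete
        Profile("bob"),                                          # never invited
        Profile("carol", invites_sent=1, last_invite=today - timedelta(days=8)),
        Profile("dave", invites_sent=3, last_invite=today - timedelta(days=30)),
        Profile("erin", invites_sent=1, last_invite=today - timedelta(days=3)),
    ]


if __name__ == "__main__":
    users = sample_profiles()
    # A deliberately small quota shows the overall throttle in action.
    for user_id, channel in plan_invitations(users, DEMO_DATE, quota=2):
        print(f"{user_id}: send via {channel}")
```

With the sample data and a quota of two, the first run invites bob (first contact, e-mail) and dave (fourth reminder, forced enrollment); carol is deferred to the next run and erin is skipped because her last reminder was only three days ago.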

5.4 Password reset from difficult contexts

Challenges:

• Users have trouble logging in:
– Forget their password.
– Trigger an intruder lockout.
• User context can complicate assistance:
– Pre-boot? No OS yet!
– Login screen? How to navigate to self-service?
– Off-site? Locally cached password.

Solutions:

• Pre-boot:
– Smart phone app or voice call to access the service.
– Mediate filesystem unlock.
• Windows login screen:
– Credential Provider extends the Windows login UI.
– Smart phone app or voice call.
– Secure kiosk account if client software is a problem.
• VPN integration:
– Update the locally cached password for off-site users.


5.5 Need consistently strong authentication

Challenges:

• Few apps natively support multi-factor logins.
• Mandate strong authentication before self-service password reset.

Solutions:

• Offer 2FA to all users:
– PIN to phone/email.
– Smart phone app.
– Existing OTP.
– Browser fingerprint (reduces the nuisance of 2FA).
• Built into Hitachi ID Suite:
– Leverage existing 2FA if available.
– Introduce zero-cost 2FA otherwise.
• Extend 2FA to other apps via federation:
– Hitachi ID Password Manager includes a built-in SAML IdP.

6 Hitachi ID Privileged Access Manager

6.1 Passwords to privileged accounts

Challenges:

• Shared accounts with elevated privileges.
• Static passwords:
– Long window of opportunity for attackers.
• Passwords known to many people:
– No accountability for use.
– Departed workers still have access?

Solutions:

• Randomize passwords:
– No longer shared or static.
• Store values in a vault:
– Control access to accounts by limiting access to passwords.


6.2 Accountability for use of elevated privileges

Challenges:

• Who used this account?
• What changes were made?
• Was use of the access reasonable?
• Did anything break?
• Was security compromised?

Solutions:

• Personally identify users prior to access.
• Require strong, multi-factor authentication.
• Authorize access:
– Pre-approved for system admins.
– One-time approval for infrequent users.
• Audit activity:
– Access event.
– Session recording.

6.3 Grant access only temporarily, when needed

Challenges:

• Granting permanent access increases risks:
– Abuse.
– Accidents.
– Malware.
• Better to grant access:
– On-demand.
– For short periods.
– Only when required.

Solutions:

• Randomize passwords after use.
• Launch sessions and inject current credentials.
• Do not disclose passwords to users:
– Users can't share what they don't know.
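Sections 6.1 to 6.3 describe one control loop: vault the shared account by randomizing its password, identify and authorize the requester, launch the session with the credential injected rather than shown, audit each step, and randomize again when the check-out ends. The following added example (not Hitachi ID code) models that loop in memory; the managed system is a stand-in for a real connector, and the account names, times and check-out duration are constructed for the illustration.

```python
"""Minimal privileged-account vault (added illustration, not Hitachi ID code)."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEMO_START = datetime(2017, 7, 24, 9, 0)            # constructed check-out time
DEMO_LATER = DEMO_START + timedelta(minutes=31)     # just past a 30-minute check-out


def random_password(length: int = 32) -> str:
    """CSPRNG-generated value; the vault is the only place it is stored."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ManagedSystem:
    """Stand-in for a target host: holds the account's current password and
    accepts logins. A real deployment reaches it through a connector."""

    def __init__(self, account: str, initial_password: str) -> None:
        self.account = account
        self.password = initial_password   # the static, shared value we start from
        self.login_count = 0

    def set_password(self, new: str) -> None:
        self.password = new

    def login(self, password: str) -> bool:
        ok = secrets.compare_digest(password, self.password)
        if ok:
            self.login_count += 1
        return ok


@dataclass
class Session:
    """What the requester receives: a launched session, never the password."""
    account: str
    requester: str
    expires: datetime
    connected: bool


class Vault:
    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}           # account -> current password
        self._systems: Dict[str, ManagedSystem] = {}
        self._checkouts: Dict[str, Session] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (account, actor, event)

    def onboard(self, system: ManagedSystem) -> None:
        """6.1: the account stops being static and shared once it is vaulted."""
        self._systems[system.account] = system
        self._rotate(system.account)

    def _rotate(self, account: str) -> None:
        new = random_password()
        self._systems[account].set_password(new)
        self._secrets[account] = new
        self.audit.append((account, "vault", "rotate"))

    def checkout(self, account: str, requester: str, mfa_ok: bool,
                 approved: bool, now: datetime, minutes: int = 30) -> Session:
        """6.2: identify, strongly authenticate and authorize before access."""
        if not (mfa_ok and approved):
            self.audit.append((account, requester, "denied"))
            raise PermissionError("check-out requires MFA and an approval")
        if account in self._checkouts:
            raise RuntimeError(f"{account} is already checked out")
        # Inject the current credential into the session on the user's behalf.
        connected = self._systems[account].login(self._secrets[account])
        session = Session(account, requester, now + timedelta(minutes=minutes), connected)
        self._checkouts[account] = session
        self.audit.append((account, requester, "checkout"))
        return session

    def checkin(self, account: str) -> None:
        """6.3: randomize after use, so a remembered or leaked value is useless."""
        session = self._checkouts.pop(account)
        self.audit.append((account, session.requester, "checkin"))
        self._rotate(account)

    def expire(self, now: datetime) -> List[str]:
        """Force check-in of anything past its expiry; returns affected accounts."""
        stale = [a for a, s in self._checkouts.items() if s.expires <= now]
        for account in stale:
            self.audit.append((account, "vault", "expire"))
            self.checkin(account)
        return stale


if __name__ == "__main__":
    host = ManagedSystem("root@db01", "Welcome1")   # constructed account
    vault = Vault()
    vault.onboard(host)
    session = vault.checkout("root@db01", "alice", mfa_ok=True, approved=True, now=DEMO_START)
    print("connected:", session.connected, "| expired:", vault.expire(DEMO_LATER))
    for entry in vault.audit:
        print(entry)
```

Note that `Session` carries no password field at all: the requester can act through the session but cannot copy the value, which is what makes "users can't share what they don't know" hold in practice.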


6.4 Multiple ways to grant access

Challenges:

• Different tasks call for different tools.
• Alternatives to the standard mechanism:
– Shared accounts.
– Randomized passwords in a vault.
– SSO with password injection.
• Grant multiple credentials at once.

Solutions:

• Multiple types of access disclosure.
• Group sets:
– Temporarily grant one or more group memberships.
– Elevate rights of an existing, personal ID.
• SSH trust:
– Temporary trust relationship.
– Add the user's public SSH key to the privileged account's .ssh/authorized_keys file.
• Account sets:
– Check out multiple accounts at once.
– Named accounts or search results.
– Single request, single approval.
– Launch multiple logins.
– Run a script across accounts (SIMD).

6.5 Scaling up: thousands of assets, many types

Challenges:

• Admin accounts on every asset.
• Windows, Unix, Linux, network device, hardware monitor, laptops, databases, apps, midrange, mainframe, ...
• On-premises and cloud.
• Fixed and movable/personal assets.
• Number of assets = 2X or 3X head-count.
• Security is only as good as the weakest link.

Solutions:

• Connectors to various kinds of systems.
• Auto-discovery to find them.
• Import rules to manage them.


6.6 Connectivity challenges

Challenges:

• 3 communication paths:
– User to PAM.
– PAM to managed system.
– User to managed system.
• Each path could be blocked:
– Systems behind firewalls or NAT.
– Unroutable addresses.
– DNS names that do not resolve.
– Laptops move and get powered down.

Solutions:

• PAM to endpoint:
– Direct connection.
– PAM to proxy, proxy to endpoint.
• User to endpoint:
– Direct to target (launch admin UI, inject creds).
– RDP to proxy, any protocol to target.
– HTML5 to proxy, SSH or RDP to target.
• Endpoint to PAM:
– Local service calls home.
– Suitable for laptops, VMs.

[Diagram: user, managed endpoint and PAM server, with a question mark on each of the three paths between them.]

6.7 High availability / minimal down-time

Challenges:

• Consider what happens in a physical disaster:
– Vault recovery time delays recovery of all other services.
• Have to recover the vault first:
– Cannot afford delays in vault recovery.
• Human intervention in recovery would add too much delay.

Solutions:

• The system must survive disasters.
• Requirements:
– Real-time data replication.
– Geographically distributed.
– Active-active architecture.


6.8 Non-human users of privileged accounts

Challenges:

• Service accounts are used to run processes.
• Scripts and applications use embedded passwords to connect to databases and other services.
• These accounts also have high privilege.
• Non-human account passwords may be:
– Plaintext, static or well-known.

Solutions:

• Discover service accounts.
• Randomize and vault passwords:
– Inject new passwords into service subscribers.
• Expose an API to retrieve passwords:
– Fingerprint applications to authenticate them.

7 Technology


7.1 Multi-master architecture

[Diagram: multi-master deployment across Data center A, Data center B and a remote data center, each with Hitachi ID servers, load balancers and firewalls, with replication between the Hitachi ID servers over TCP/IP + AES. Surrounding components: reverse web proxy, VPN server, IVR server, e-mail system (notifications and invitations), ticketing system (tickets), HR system of record, mobile proxy and mobile UI, proxy server (if needed), and cloud/SaaS apps reached over HTTPS. Managed endpoints (AD, Unix, z/OS, LDAP, iSeries; AD, SQL, SAP, Notes, etc. via a remote agent; z/OS via a local agent; MS SQL databases) are reached over secure native protocols and various other protocols; password synch trigger systems feed native password changes and validate passwords.]


7.2 Key architectural features

[Diagram: the same deployment across Data center A, Data center B, a remote data center and cloud/SaaS apps, annotated with the connection types TCP/IP + AES, various protocols, secure native protocol and HTTPS.]

• Reach across firewalls
• Load balanced
• On premises and SaaS
• BYOD enabled
• Replicated across data centers
• Horizontal scaling

7.3 Internal architecture

• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
– Fault tolerant.
– Secure: encrypted.
– Reliable: queue and retry.
– App nodes need not, and should not, be co-located.
• Native, 64-bit code:
– 2x faster than .NET.
– 10x faster than Java.
• Stored procedures:
– For all data lookups and inserts.
– Fast, efficient.
– Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512.


7.4 BYOD access to on-premises IAM system

The challenge:

• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from the Internet.

Hitachi ID Mobile Access:

• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy: no firewall changes.
• IAM not visible on the Internet.

[Diagram: personal device on the Internet, cloud proxy in the DMZ, IAM server on the private corporate network, with a firewall on each side of the DMZ. Outbound connections only: (1) an IAM server worker thread calls the proxy with "Give me an HTTP request"; (2) the device sends an HTTPS request to the proxy that includes userID and deviceID; (3) the proxy's message passing system relays between the two.]
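The exchange in 7.4, and the "local service calls home" pattern of 6.6, both rest on the same idea: the component on the private network is a client, not a server, so no inbound firewall rule exists and nothing on the Internet can address it. The following added example (not Hitachi ID code) reproduces the three numbered steps in one process, with in-memory queues standing in for the HTTPS transport; the activated-device registry, request paths and the "pending approvals" payload are constructed for the illustration.

```python
"""Outbound-only mobile access relay (added illustration, not Hitachi ID code)."""
import queue
import threading
import uuid
from typing import Dict, Optional, Set, Tuple


class CloudProxy:
    """DMZ/cloud relay. It only ever accepts connections, from either side."""

    def __init__(self) -> None:
        self._pending: "queue.Queue[dict]" = queue.Queue()   # device requests awaiting a worker
        self._responses: Dict[str, Tuple[threading.Event, Optional[dict]]] = {}
        self._lock = threading.Lock()

    # Device side, step (2): the app's outbound HTTPS request, tagged with
    # the user and device identities bound when the app was activated.
    def submit(self, user_id: str, device_id: str, path: str, timeout: float = 5.0) -> dict:
        rid = uuid.uuid4().hex
        done = threading.Event()
        with self._lock:
            self._responses[rid] = (done, None)
        self._pending.put({"id": rid, "user_id": user_id, "device_id": device_id, "path": path})
        if not done.wait(timeout):
            with self._lock:
                self._responses.pop(rid, None)
            return {"status": 504, "body": "no IAM worker picked up the request"}
        with self._lock:
            return self._responses.pop(rid)[1]

    # IAM side, step (1): the worker thread's outbound long-poll.
    def give_me_a_request(self, timeout: float) -> Optional[dict]:
        try:
            return self._pending.get(timeout=timeout)
        except queue.Empty:
            return None

    # Step (3): the message passing system hands the answer back to the waiting device.
    def deliver(self, rid: str, response: dict) -> None:
        with self._lock:
            entry = self._responses.get(rid)
            if entry is None:
                return              # the device gave up waiting; drop the answer
            self._responses[rid] = (entry[0], response)
            entry[0].set()


class IamServer:
    """On-premises IAM. It serves only devices activated for the claimed user."""

    def __init__(self, proxy: CloudProxy, activated: Set[Tuple[str, str]],
                 pending: Dict[str, int]) -> None:
        self.proxy = proxy
        self.activated = activated      # (user_id, device_id) pairs bound at app activation
        self.pending = pending          # constructed: approvals waiting per user
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._worker, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()

    def handle(self, req: dict) -> dict:
        if (req["user_id"], req["device_id"]) not in self.activated:
            return {"status": 403, "body": "device not activated for this user"}
        if req["path"] == "/approvals/pending":
            return {"status": 200, "body": f"{self.pending.get(req['user_id'], 0)} approvals waiting"}
        return {"status": 404, "body": "unknown path"}

    def _worker(self) -> None:
        # "Give me an HTTP request": poll the proxy; never listen for anything.
        while not self._stop.is_set():
            req = self.proxy.give_me_a_request(timeout=0.1)
            if req is not None:
                self.proxy.deliver(req["id"], self.handle(req))


def demo() -> Tuple[dict, dict, dict]:
    """One activated device, one unknown device, then a request with no worker alive."""
    proxy = CloudProxy()
    iam = IamServer(proxy, activated={("alice", "phone-01")}, pending={"alice": 2})
    iam.start()
    ok = proxy.submit("alice", "phone-01", "/approvals/pending")
    rejected = proxy.submit("alice", "phone-99", "/approvals/pending")
    iam.stop()
    unanswered = proxy.submit("alice", "phone-01", "/approvals/pending", timeout=0.3)
    return ok, rejected, unanswered


if __name__ == "__main__":
    for response in demo():
        print(response)
```

The third case is the one worth noticing from a defender's seat: when the IAM side is down or has closed its poll, the proxy can only time out, so an attacker on the Internet gets nothing to probe, and an unactivated device is refused by the IAM server itself rather than by anything exposed in the DMZ.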


7.5 Included connectors

Many integrations to target systems are included in the base price:

Directories: Any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, MySQL, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HP-UX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.

8 Implementation


8.1 Hitachi ID professional services

• Hitachi ID offers a complete range of services relating to Hitachi ID Suite, including:
– Needs analysis and solution design.
– Fixed price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
– Solution design.
– Statement of work.

8.2 ID Express

Before reference implementations:

• Every implementation starts from scratch.
• Some code reuse, in the form of libraries.
• Even simple business processes have complex boundary conditions:
– Onboarding: initial passwords, blocking rehires.
– Termination: scheduled vs. immediate, warnings, cleanup.
– Transfers: move mailboxes and home directories, trigger recertification.
• Complex processes often scripted.
• Delay, cost, risk.

With Hitachi ID Identity Express:

• Start with a fully configured system.
• Handles all the basic user lifecycle processes out of the box.
• Basic integrations pre-configured (HR, AD, Exchange, Windows).
• Implementation means "adjust as required", not "build from scratch".
• Configuration is fully data driven (no scripts).
• Fast, efficient, reliable.


9 Differentiation

9.1 Hitachi ID Competitors

[Diagram: competitor landscape grouped into Tier-1, Tier-2 and Boutique vendors, with axes labelled Overlap and Technology.]

9.2 Hitachi ID Suite differentiation

Suite:

• Multi-master, active-active architecture.
• Geographically distributed.
• BYOD access, no public URL.
• 2FA included for all users.
• Single code base, single instance.

IAM (Identity Manager):

• Usability features: model-after, intercepting access-denied errors.
• Actionable analytics: feedback from report to request.
• Reference implementations: low risk, rapid deployment, early ROI.

PM (Password Manager):

• Pre-boot filesystem unlock.
• PC login prompt access, including off-site.
• BYOD access.
• Federated SSO included.
• Personal vault included.
• Managed enrollment, high ROI.

PAM (Privileged Access Manager):

• 3 disclosure methods: direct launch, VDI proxy, HTML proxy.
• Scalable auto-discovery, auto-management.
• Check out SSH trust, group membership, multiple accounts, not just single passwords.


10 HIDS/HDS Collaboration

10.1 Recent deals in partnership with HDS

Customer                            Product  Value     Status        Region and HDS rep
Infosys                             PAM      USD 1M    Closed/won    India / Ranganath Shenoy
Blue Cross Blue Shield Alabama      PM       USD 250k  Closed/won    USA SE / Bruce Gilland
Orange Lake Resorts                 IM+PM    USD 250k  Closed/won    USA SE / Brian Temple + Lumenate
LL.Bean                             IM+PM    USD 500k  Evaluation    USA NE / Michael Maguire
B&H Photo                           Suite    USD 700k  Legal review  NYC / Joseph Lauricella
Canadian Nuclear Safety Commission  IM+PM    USD 500k  Early eval    Canada / Trevor Platthy

11 Hitachi ID Suite summary

• Three integrated IAM products, used by over 14M users, that can:
– Discover and connect identities across systems and applications.
– Securely and efficiently manage entitlements and credentials.
– Secure and monitor access to privileged accounts.
• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

Date: 2017-07-24