
Page 1

1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Hitachi ID Suite 10.0 Features and Technology.

2 Overview

• Corporate direction – Hitachi ID view of market evolution.
• Hitachi ID Suite 9.0 was a major release.

– Review of 9.0 for customers on older versions.

• Hitachi ID Suite 10.0 was released on May 2, 2016:

– Largest release yet.
– Overview of enhancements.

3 Hitachi ID Direction

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3.1 IAM responds to IT trends

IAM systems consolidate and automate the management of the lifecycles of identities, entitlements and credentials.

How do IT trends impact this?

Mobility
• Access to IAM from BYOD.
• Leverage BYOD to offer new services, improve SLA and as 2FA.

Cloud
• Manage identities, entitlements, credentials on SaaS platforms.
• Privileged access to IaaS and SaaS.
• SSO to SaaS.
• Deliver IAM as SaaS.

Big data
• Entitlement analytics – role mining, risk scores.
• Enrich log data with identity correlation.
• Pattern and risk analysis of filesystem ACLs.

Security and governance are the core outcome of IM, PM and PAM (Identity Manager, Password Manager and Privileged Access Manager).

3.2 High level roadmap (all products)

Three industry-leading products. Significant new features and integrations:

Hitachi ID Identity Manager
• Entitlement analytics.
• Expanded access certification.
• Lifecycle management for folders, shares.
• Filesystem ACL analytics.

Hitachi ID Password Manager
• Federated SSO (SAMLv2 IdP).
• Password wallet (secure, personal storage).
• Access dashboard.

Hitachi ID Privileged Access Manager
• Incremental auto-discovery.
• Launch sessions from BYOD, off-site, non-IE browsers.
• Dynamic risk scoring.

Hitachi ID Mobile Access
• 2FA for all apps.
• Push notifications to mobile.
• One-click request approval.
• Corporate white pages / people search.

4 Hitachi ID Suite 9.0


4.1 Enhancements in 9.0

General
• Move platform to 64-bit.
• Stronger default crypto (AES-256, SHA-512).
• Move to MSSQL 2012.
• Mobile: skin, iOS and Android apps.
• Usability improvements: JS in UI, clickable objects, sortable report output, ...
• Actionable Analytics: report output → request input.
• Many new reports, some with graphical dashboards.

HiIM
• Certification via arbitrary relationships.
• Hierarchical attributes.
• Usability improvements to PDRs.
• Photo upload.
• VCARD links on user profiles.
• Deployability: componentize reference implementations.

5 Hitachi ID Suite 10.0

5.1 Enhancements in 10.0

General
• Single-system, event-driven auto-discovery.
• Suite can act as a federated IdP.
• Mobile app adds 2FA.
• Push notifications to mobile.
• Updated 95 search engines across 200+ screens.
• Landing page customizable ("pin" links, dashboards, reports).
• Search in nav (menu entries, reports).
• Drill-down in graphs/dashboards.

HiIM, HiPM
• Recertify role definitions, SoD rules.
• Direct support for managing nested groups.
• Manage cross-target group memberships.
• Improved UI in requester, certifier screens.
• Workflow to create folders+groups on Windows/AD.
• Personal password vaults.
• Updated reference implementation to significantly reduce TCO.
• Client for MacOSX - password reset from AD-joined Mac login screen.

5.2 Updated navigation

• New style of navigation.
• 100% mobile friendly.
• Search lets you quickly find items regardless of where they are buried in the navigational hierarchy.


5.3 New navigation structure

5.4 Updated search screens

• There are 95 search engines embedded in over 200 pages in Hitachi ID Suite.
• All of them have been updated.
• Many of them are faster.
• All have new search terms.
• Control over what columns to display, sort order.
• Quick search and boolean advanced search terms.


5.5 PIN items to landing page

• Hitachi ID Suite displays a landing page when a user signs on.
• New ability to PIN items to this page:

– Shortcuts to screens deeply nested in the navigation.
– Dashboards (graphs) and reports (tables).
– Request types and privileged access check-outs.

• Personalize the UI.

5.6 Pin reports, dashboards, requests to main menu


5.7 Components and reference implementations

• A component framework eliminates the need to manually configure every element of a feature or scenario:

– Simplify implementation.
– Eliminate custom coding.
– Ease migration (dev to prod, ...) and upgrades.

• Components consist of:

– Configuration objects, such as attributes, forms, roles or access rights.
– UI elements, including language tags.
– Policy logic, such as authorizer selection.
– Scripts, for example to process scheduled events.

• Components have dependencies and a hierarchy:

– Functional components: introduce policy tables.
– Scenarios: automate specific business cases.
– Reference implementations: complete IAM implementations.

• There are fully featured workforce and B2B reference implementations.
• A new UI in 10.0 is used to manage installed components.

5.8 Component management app


6 New in HiIM 10.0

6.1 New app for request tracking and approvals

• There is an entirely new UI for accessing requests.
• Used by:

– Requesters – track status, cancel open requests.
– Authorizers – approve, reject, delegate.
– Implementers – accept, decline, complete.

• Responsive design, optimized for mobile.
• Accessible 24x7 via smart phone app and cloud proxy.

6.2 New requests app

6.3 Reports, graphs and drill-down details

• There are over 150 reports built into the system.
• Many reports are "multi-mode":

– Ex: orphan accounts, orphan users, dormant accounts, dormant profiles all in a single report.

• Many reports include a summary mode.
• Where the summary mode has numeric data, graphs are provided.
• All graphs support drill-down:

– Examine the underlying data.
– Interactive browse from the report UI.

• All this is accessible when reports are pinned to the landing page.


6.4 Graphical dashboards and data drill-down

6.5 Entitlement analytics

Analysis → Purpose

• Cluster/frequency analysis → Find new roles, user classes.
• Overlapping roles, user classes → Opportunities to merge, simplify.
• Roles, entitlements with too few users → Retire?
• Roles, entitlements with too many users → Too coarse grained?
• Users with too many roles or entitlements → Business risk? Compatibility problems? Need higher-level roles?
• Users with too few entitlements → Deactivate entirely?
• Entitlements embedded in many roles → Nest into sub-role?
• Entitlements not in any role → Should they be?
• Users with no roles → Truly unique?
• Roles where users have many out-of-role entitlements → Incomplete role definitions? Poor fit?
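The frequency analysis in the table above, worked through on a small user-to-entitlement matrix. This is an added example in Python, not Hitachi ID code; the assignment data, the support threshold and the output format are constructed for illustration. It finds entitlement combinations held by enough users to be role candidates, keeps only the maximal ones, and then produces exactly the rows the table asks about: users with no roles, users with out-of-role entitlements, and entitlements that belong to no role.

```python
"""Cluster/frequency analysis over user-to-entitlement assignments.
Added example, not Hitachi ID code; data and thresholds are constructed."""
from collections import Counter
from itertools import combinations

# Constructed: user -> entitlements actually held on target systems.
ASSIGNMENTS = {
    "u01": {"ERP-AP-Submit", "Mail", "VPN"},
    "u02": {"ERP-AP-Submit", "Mail", "VPN"},
    "u03": {"ERP-AP-Submit", "Mail", "VPN", "ERP-AP-Approve"},
    "u04": {"ERP-AP-Submit", "Mail", "VPN"},
    "u05": {"Mail", "VPN", "HR-Read"},
    "u06": {"Mail", "VPN", "HR-Read"},
    "u07": {"Mail", "VPN", "HR-Read"},
    "u08": {"Mail"},
    "u09": {"DBA-Prod"},
}

def frequent_clusters(assignments, min_users=3, min_size=2):
    """Count how many users hold each combination of entitlements and return
    the combinations held by at least `min_users` users: candidate roles.
    Exponential in entitlements per user, fine for a demo; production role
    mining uses FP-growth or similar."""
    counts = Counter()
    for ents in assignments.values():
        ents = sorted(ents)
        for k in range(min_size, len(ents) + 1):
            for combo in combinations(ents, k):
                counts[frozenset(combo)] += 1
    return {c: n for c, n in counts.items() if n >= min_users}

def maximal(clusters):
    """Drop a cluster that is a strict subset of another cluster with at
    least the same support; the larger set is the better role candidate."""
    return {c: n for c, n in clusters.items()
            if not any(c < d and m >= n for d, m in clusters.items())}

def fit_report(assignments, roles):
    """Per user: candidate roles whose entitlements are all held, and the
    out-of-role entitlements left over.  Empty `roles` or non-empty
    `out_of_role` are the rows to review."""
    report = {}
    for u, ents in assignments.items():
        held = [r for r in roles if r <= ents]
        covered = set().union(*held) if held else set()
        report[u] = {"roles": held, "out_of_role": ents - covered}
    return report

def entitlements_in_no_role(assignments, roles):
    """Entitlements granted somewhere but absent from every candidate role."""
    all_ents = set().union(*assignments.values())
    in_roles = set().union(*roles) if roles else set()
    return all_ents - in_roles

if __name__ == "__main__":
    roles = maximal(frequent_clusters(ASSIGNMENTS))
    for role, n in roles.items():
        print(sorted(role), "held by", n, "users")
    for user, row in fit_report(ASSIGNMENTS, roles).items():
        if not row["roles"] or row["out_of_role"]:
            print(user, row)
    print("in no role:", entitlements_in_no_role(ASSIGNMENTS, roles))
```

On this data the three surviving clusters are {Mail, VPN} (everyone with a workstation), {ERP-AP-Submit, Mail, VPN} (AP clerks) and {Mail, VPN, HR-Read}; u03's ERP-AP-Approve is flagged as out-of-role, u08 and u09 have no role at all, and ERP-AP-Approve and DBA-Prod sit in no role, which is the prompt to decide whether they should.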


6.6 Entitlement cluster discovery: search

6.7 Entitlement cluster discovery: summary


6.8 Single cluster details

6.9 Recertify roles, SoD policies

• New type of certification round: configuration object.
• Initially to support roles, SoD rules.
• Invite a business user to review, possibly update the definition of a role:

– What entitlements does it include?
– What are its resource attributes, such as default expiration date or risk profile?
– Who owns it?
– To whom is it automatically assigned?
– Who must approve requests for it?

• Same type of review for other configuration objects.
• Track change history.


6.10 Role configuration certification: define a review

6.11 Role certification: certifier selects a review


6.12 Role certification: certifier edits role definition

6.13 Role certification: certifier signs off


6.14 Manage nested groups

• Nested groups are no longer "flattened" on auto-discovery.
• Hitachi ID tracks detailed group nesting structure in its schema.
• Requesters can start by asking for one group but then specify a parent or child.
• Certifiers can see parent groups and detach child groups.
• Policies evaluate both direct and indirect group memberships.
• Over 100 scenarios impacted by nested groups.
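What "direct and indirect membership" means for policy evaluation, and why SoD checks that look only at flattened direct membership miss violations, as an added example in Python. This is not Hitachi ID code: the group graph (which deliberately contains a nesting cycle, something AD permits) and the SoD rule are constructed.

```python
"""Effective (direct + indirect) group membership over nested groups, and
an SoD rule evaluated against it.  Added example, not Hitachi ID code;
group names, members and the SoD rule are constructed."""
from collections import deque

# Constructed directory snapshot: group -> direct members.  A member that is
# itself a key of GROUPS is a nested group, anything else is a user.
GROUPS = {
    "Finance-Users": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob", "Finance-Managers"},
    "Finance-Managers": {"carol", "Finance-Users"},   # cycle back to Finance-Users
    "AP-Approvers": {"Finance-Managers"},             # no direct user members at all
    "AP-Submitters": {"alice", "dave"},
}

def effective_members(group, groups=GROUPS):
    """Users reachable from `group` through any depth of nesting.
    The visited set terminates on cycles instead of looping forever."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        g = queue.popleft()
        for m in groups.get(g, ()):
            if m in groups:                 # nested group: descend once
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
            else:
                users.add(m)
    return users

def user_groups(user, groups=GROUPS):
    """Inverse view: every group the user is in, directly or indirectly."""
    return {g for g in groups if user in effective_members(g, groups)}

def sod_violations(rules, groups=GROUPS):
    """Each rule is a pair of groups no one user may hold together.  Evaluated
    on effective membership, so a user who reaches one side only through a
    parent group is still reported.  Returns
    (user, group_a, group_b, direct_in_a, direct_in_b)."""
    found = []
    for a, b in rules:
        for u in sorted(effective_members(a, groups) & effective_members(b, groups)):
            found.append((u, a, b, u in groups[a], u in groups[b]))
    return found

# Constructed rule: nobody may both submit and approve AP transactions.
SOD_RULES = [("AP-Submitters", "AP-Approvers")]

if __name__ == "__main__":
    for g in GROUPS:
        print(g, "->", sorted(effective_members(g)))
    print("violations:", sod_violations(SOD_RULES))
```

The result is a single violation for alice, who is a direct member of AP-Submitters and an indirect member of AP-Approvers (via Finance-Users, Finance-Leads, Finance-Managers). A check run against AP-Approvers' direct member list, which contains no users, would report nothing.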

6.15 Discovered groups have parent and child info


6.16 Request adding/removing child groups

6.17 Review/correct group memberships


6.18 SoD violations include nested groups

6.19 New requests to create folders and groups

• Users wish to create a new folder and grant access to others.
• A single request can capture this and encapsulate:

– Folder path.
– Metadata such as description, owner, etc.
– List of people with read-only access.
– List of people with read-write access.

• A single approval is followed by multiple setup steps.


6.20 Folder creation: browse for parent location

6.21 Folder creation: enter details

7 New in HiPM 10.0


7.1 SAMLv2 Federated IdP

• Externalize the login process from third-party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premises: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically, respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.

7.2 Hitachi ID Mobile Access authentication factor

• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down or AD or RADIUS is unreachable.
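Why a soft token still works when AD or RADIUS is unreachable: the verifier needs only the secret shared at enrollment and a clock. The page does not say which algorithm Hitachi ID Mobile Access uses; the following added Python example shows TOTP (RFC 6238 over RFC 4226 HOTP), the standard way this property is obtained, together with the two verifier-side details that matter in practice: a small drift window and rejection of a code that has already been accepted. The enrollment secret is the RFC 6238 test-vector key, so the outputs can be checked against the RFC.

```python
"""TOTP soft token: generation and offline verification with drift window
and replay protection.  Added example; not Hitachi ID code and not a
statement of what Mobile Access implements.  SECRET is the RFC 6238 test key."""
import hashlib, hmac, struct, time

STEP = 30       # seconds per counter step
DIGITS = 6
WINDOW = 1      # accept one step either side of "now" for clock drift

def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, at=None, digits=DIGITS):
    """RFC 6238: HOTP with counter = floor(unix_time / STEP).  This is what
    the phone app computes; no network is involved."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // STEP), digits)

class TokenVerifier:
    """Appliance side.  Holds the enrolled secret and the last accepted
    counter so a code that was observed once cannot be replayed."""
    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        now = int(at // STEP)
        for c in range(now - WINDOW, now + WINDOW + 1):
            # counters at or below the last accepted one are dead, even inside the window
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

# Constructed enrollment secret: the RFC 4226/6238 test-vector key.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TokenVerifier(SECRET)
    code = totp(SECRET)
    print(code, v.verify(code), v.verify(code))   # second verify is a replay
```

The remaining operational requirement is that the appliance's clock be sane; NTP outages show up as 2FA failures long before anyone thinks to check the time.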


7.3 Personal vaults

• Users want secure, convenient access to all their credentials, not just those related to work.
• Access should work on all devices (PC, phone, etc.).
• The user's employer should not be able to access/decrypt this data – this is just a friendly service offered by IT, but not a compromise of PII.
• Similar to FastPass, LastPass, LogMeIn, etc., but at no extra cost for employees.
• Built into Hitachi ID Password Manager starting with 10.0.

7.4 Personal password vault (setup)

7.5 Personal password vault (use)


7.6 MacOSX login access to password reset

7.7 MacOSX kiosk mode browser from login screen


8 Discussion

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23 File: PRCS:pres