Hitachi ID Password Manager: Lower Cost, Improve Service and Strengthen Security with Password...


Upload: hitachiid

Post on 21-Jan-2016


DESCRIPTION

Integrated Credential Management for Users: Passwords, encryption keys, tokens, smart cards and more. See more at: http://hitachi-id.com/docs/pres.html

TRANSCRIPT

Page 1: Hitachi ID Password Manager: Lower Cost, Improve Service and Strengthen Security with Password Synchronization and Reset

1 Hitachi ID Password Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Integrated Credential Management for Users: Passwords, encryption keys, tokens, smart cards and more.

2 Agenda

• Introducing Hitachi ID.
• Credential management challenges.
• Hitachi ID Password Manager:
  – Features.
  – Technology.
  – Impact.

© 2013 Hitachi ID Systems, Inc.. All rights reserved. 1


Slide Presentation

3 Hitachi ID Corporate Overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1000 customers.
• More than 12M+ licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.

4 Representative Hitachi ID Customers


5 IDM Suite

6 The Credentials Landscape

[Figure: diagram of the credentials in use across devices and locations. Devices: laptop, phone, iPad, tablet. Locations: at office, at home, mobile, the cloud. Credentials shown: boot password, OS password, encryption key, local password, cached password, PIN, app password, SaaS password, AD password, ERP password, mainframe password, smart card, OTP token (RSA SecurID).]


7 Problems Due To Complexity

Security / Internal Controls

• Sticky notes.
• Guessable passwords.
• Social engineering the help desk.

IT Support Cost

• High call volume.
• #1 incident type.
• Staffing for peak load.

Audit

• Is authentication reliable?
• What users are triggering lockouts?
• Who can or did reset whose password?

User Service

• Too many passwords.
• Too many login prompts.
• Frequent login problems.


8 Too many passwords

Hard to remember passwords

• High help desk call volume.
• Users write down passwords.

Synchronize passwords

• Fewer, stronger passwords.
• Easy to remember, change.
• Lower help desk call volume.

9 Synchronization Features

• Transparent:
  – Triggered from native PW change.
  – Available on AD, LDAP, RAC/F, etc.
• Web-based:
  – Change passwords using web browser.
  – Interactively show systems, policies.
• Expired password notification:
  – E-mail.
  – Web popup.
  – Pre-empt native expiry.


10 Users forget their password or PIN

Users forget or lock out their password/PIN

• Business interruption: can’t login.
• Support cost: high call volume.
• Security: help desk fooled into improper password resets.

Self-service reset

• Fewer, shorter business interruptions.
• Lower support cost.
• Available 24x7, everywhere.
• Secure and convenient.

11 Self-Service Reset Features

• Reset passwords and/or clear lockouts:
  – Directory, OS, DB, application.
  – On-premise and SaaS (cloud).
  – Server-based and cached on the user’s device.
• Reset PINs:
  – One time password tokens (e.g., RSA SecurID).
  – Smart cards.
• Always accessible:
  – PC, tablet or phone web browser.
  – PC login screen.
  – On the corporate network and over public Internet/WiFi/VPN.
  – Via telephone call.


12 Authentication prior to support

Need to authenticate users without asking for their (forgotten) password or PIN

• Backup authentication factors are a pre-requisite to self-service.

Managed enrollment process

• Automatically invite users to enroll.
• Forms for Q&A; phone number, etc.
• High user adoption leads to good ROI.

13 Managed Enrollment

• Prior enrollment is often a pre-requisite to self-service.
• Enrollment may include:
  – Security questions.
  – Mobile phone number (for SMS/PIN).
  – Non-standard login IDs.
  – Voice samples for biometric authentication.
• Hitachi ID Password Manager includes a robust, automated system to manage the enrollment process:
  – Identify users who need to enroll.
  – Send out e-mail invitations.
  – Automated reminders.
  – Launch browser to enrollment page at PC login time.
  – Control pace of invitations (globally and per user).
  – Mandatory enrollment is possible.
• Automated, managed enrollment significantly improves user adoption.


14 Users tired of typing many passwords

Users enter too many passwords

• Friction between users and apps.
• User frustration.

Copy credentials from Windows to application login screens

• Faster, simpler logins.
• Business happier with IT.

15 HiLM Operation

• Users log into their workstation as before, using their network login ID and password.
• Hitachi ID Login Manager installs a network provider, which picks up the user’s primary ID and password.
• HiLM monitors the applications that a user launches, watching for instances where the user retypes the primary ID and password.
• HiLM stores the locations where the user reused his/her primary ID or password.
• When a familiar authentication prompt reappears, HiLM automatically fills in the ID and/or password.
• HiLM can read login ID aliases from an AD attribute at login time, eliminating the need to synchronize login IDs.


16 Mobile users have login problems

Users may forget their primary or VPN password while off-site.

• Forgot cached Windows password: PC is a brick.
• Forgot VPN password: cannot communicate.

Reset cached, VPN passwords over WiFi+VPN

• Users can get back to work.
• Self-service from any device, at any location, any time.

[Figure labels: Laptop, WiFi, Cafe, Internet, VPN Link, VPN Server, HiPM Server.]

17 Self-Service, Anywhere

Self-service is complicated by connectivity and device options.

User location:

• Work.
• Home.
• Airport.
• Cafe.
• Partner office.

Endpoint device:

• Laptop.
• Tablet.
• Smart phone.

Connectivity:

• Wired at work.
• Wired at home.
• WiFi at home.
• Public WiFi.
• Tethered phone.
• Cell modem.

Reset/unlock:

• Network password.
• Cached password.
• Smart card PIN.
• Token PIN.
• Encrypted HDD.

Example scenarios supported by Hitachi ID Password Manager:

• Reset forgotten, cached AD password at airport.
• Recover from forgotten full disk encryption password (via phone).


18 Off-site, Locked-out Password Reset

Animation: ../pics/camtasia/hipam-71/6-self-service-anywhere.cam

19 Forgotten encryption passwords

Users with a cryptographically secured PC forget their pre-boot password

• PC is a brick until unlocked.
• Support calls are long and costly.

Self-service key recovery over telephone/IVR

• Users get back to work quickly.
• No costly help desk support call.

[Figure labels: User, Laptop, Phone, Phone System, HiTPM, Key Recovery Server.]


20 Password Management Savings

[Chart: user problems and help desk calls, on a scale of 0 to 100, for four scenarios: Baseline, Self Reset only, Synch only, Both. Annotations: 60% user adoption of self-service password reset; 80% of problems reduced by simplified password management; combine problem reduction with self-service adoption.]

21 Multi-Master Architecture

[Figure: multi-master architecture diagram.
Components: Hitachi ID Application Server(s), Load Balancer, SQL DB (replicated), SQL/Oracle, Reverse Web Proxy, Firewall, IVR Server, VPN Server, Proxy Server (if needed), Password Synch Trigger Systems, System of Record, Target Systems, Incident Mgmt System, SMTP or Notes Mail, Cloud-hosted SaaS apps.
Sites: Local Network, Remote Data Center.
Links and flows: TCP/IP + AES, Various Protocols, Secure Native Protocol, HTTPS, Web Services, Emails, Tickets, Lookup & Trigger, Validate PW, Native password change (AD, Unix, OS/390, LDAP, AS400).
Target systems with local agent: OS/390, Unix, older RSA.
Target systems with remote agent: AD, SQL, SAP, Notes, etc.]


22 Included Connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.

Servers: Windows NT, 2000, 2003, 2008, 2008R2, Samba, Novell, SharePoint.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC, Oracle Hyperion EPM Shared Services, Cache.

Unix: Linux, Solaris, AIX, HPUX, 24 more variants.

Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.

HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.

ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.

Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.

WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.

Cloud/SaaS: WebEx, Google Apps, MS Office 365, Salesforce.com, SOAP (generic).


23 Rapid Integration with Custom Apps

• Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 / sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

24 Competitive Differentiation

Consistency

• Manage all credentials:
  – OS, app passwords.
  – Pre-boot passwords.
  – On-premise and SaaS.
  – Smart cards.
  – OTP tokens.
• 110+ connectors included.

Availability

• Full or mini browser.
• Phone call.
• PC login screen.
• Pre-boot password prompt.
• At work and remote.

Scalability

• Multi-master architecture.
• Load balanced, replicated.
• Deploy across data centers.
• Multi-lingual.

Cost savings

• Reduce problem frequency.
• Divert resolution to self-service.
• Managed invitations to maximize user adoption.
• Quick, low-cost deployment.
• Minimal effort to maintain.


25 The Leading Vendor

Innovation

• Self-Service, Anywhere.
• Crypto key recovery.
• SSO without a password wallet.

Ongoing support

• Responsive and skilled customer support.
• Unattended operation:
  – Auto-discovery.
  – Managed enrollment.
  – Metrics and trend analysis.
  – SIEM, help desk integration.

Low cost

• Low cost deployments.
• Minimal need for ongoing maintenance.
• Fixed-price engagements.

26 Summary

An integrated solution for managing credentials:

• Immediate security benefit: password policy, help desk caller authentication.
• Low deployment cost, minimal ongoing investment, significant IT support savings.
• Always accessible:
  – Web browser on PC, phone or tablet.
  – Windows login prompt.
  – Pre-boot encryption password prompt.
  – Phone call / IVR.
  – Available at work and while off-site.

• 110+ connectors included.

Learn more at Hitachi-ID.com/Password-Manager

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: PRCS:pres
Date: September 19, 2013