hitachi id suite 9.0 features and technology
TRANSCRIPT
1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Hitachi ID Suite 9.0 Features and Technology.
2 Overview
• Hitachi ID Suite 9.0 is a major release. Almost all components of the software have seen some enhancements.
• Major new capabilities:
– Mobile access.
– Actionable analytics.
– Check-out account sets.
– More interactive UI.
– Moved to 64-bit platform.
• Next release will be 10.0 – ETA Q4/2015.
© 2015 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Enhancements in 9.0
General:
• Move platform to 64-bit.
• Stronger default crypto (AES-256, SHA-512).
• Support new MSSQL, Oracle back ends.
• Mobile: skin, iOS and Android apps.
• Usability improvements: JS in UI, clickable objects, sortable report output, ...
• Analytics: report output → request input.
• Many new reports, some with graphical dashboards.
HiPAM:
• Account-set check-out.
• Run commands across managed systems.
• LWS improved scalability.
• HiPAM reference build.
HiIM:
• Certification via arbitrary relationships.
• Hierarchical attributes.
• Usability improvements to PDRs.
• Photo upload.
• VCARD links on user profiles.
• Deployability: componentize reference builds.
4 Mobile / BYOD
4.1 Mobile UI for web apps
Enabling a mobile UI for an enterprise app is a two-part problem.
• The UI has to fit on small screens:
– Narrow width.
– Vertical scroll.
• Connectivity is required:
– The device is on the public Internet.
– Hitachi ID Privileged Access Manager server is usually on a private network.
4.2 Mobile app architecture (1/4)
Diagram: Personal device – Public Internet – Firewall – DMZ – Firewall – Private corporate network – IAM server.
• The user’s phone probably has no VPN client installed.
• The phone – via a data plan – is connected to the public Internet.
• The IAM system is attached to the corporate network, behind multiple firewalls.
4.3 Mobile app architecture (2/4)
Diagram: same network layout (Personal device – Public Internet – Firewall – DMZ – Firewall – Private corporate network – IAM server), with the two connection directions labelled "Simple, uncontroversial firewall configuration" and "Risky, controversial, likely not allowed".
• Firewalls are designed to block inbound connections.
• Outbound connections are usually allowed or easily justified.
• Inbound connections would require:
– Port forwarding; or
– A reverse web proxy.
• We want to minimize the set of attackers who can probe the IAM system.
4.4 Mobile app architecture (3/4)
How can a smart phone app, without a VPN, access an API or web UI published by an on-premise application server?
Diagram: same network layout (Personal device – Public Internet – Firewall – DMZ – Firewall – Private corporate network – IAM server), with the two connection directions labelled "Simple, uncontroversial firewall configuration" and "Risky, controversial, likely not allowed".
4.5 Mobile app architecture (4/4)
Diagram: Personal device – Public Internet – Cloud proxy – Firewall – DMZ – Firewall – Private corporate network – IAM server. Labelled steps: HTTPS request from the device ("Includes userID, deviceID"); worker thread on the IAM server ("Give me an HTTP request"); message passing system ("Exchange requests").
• The solution is to insert a proxy between the BYOD and IAM system.
• The proxy is on the Internet, so reachable by both.
• Connections from both ends are authenticated.
4.6 Security features
Problem: Only accept connections from activated devices.
Solution:
• Deploy an app to the device.
• Install a personal key at activation time.
• Proxy rejects connections with a bad/missing key.
• IAM system only receives valid traffic.

Problem: Denial of service attacks.
Solution:
• Proxy is efficient but somewhat vulnerable.
• Attackers have no key – DDoS attacks never reach the IAM system.

Problem: Lost/stolen device.
Solution:
• Keys can be revoked.
• Users still need to authenticate.

Problem: Two factor authentication.
Solution:
• Use of a valid key is a first authentication step.
• Follow up with password, security questions, etc.
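The relay described in 4.5 and the key checks listed in 4.6, worked through as an added Python example. This is not Hitachi ID code: the class and function names, the HMAC-SHA256 per-device signing scheme, the worker token, and the sample user, device and request bodies are all assumptions constructed for illustration. Both ends connect to the proxy, so the IAM side only ever opens outbound connections, and anything without a valid device key is dropped at the proxy before it reaches the IAM queue.

```python
"""Constructed example of the cloud-proxy relay (not Hitachi ID code)."""
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceRequest:
    user_id: str
    device_id: str
    body: str
    signature: str  # hex HMAC-SHA256 over user_id, device_id and body


def _canonical(user_id: str, device_id: str, body: str) -> bytes:
    # Newline-separated fields so "ab"+"c" and "a"+"bc" cannot collide.
    return f"{user_id}\n{device_id}\n{body}".encode()


def sign_request(key: bytes, user_id: str, device_id: str, body: str) -> DeviceRequest:
    """Device side: sign the request with the personal key installed at activation."""
    sig = hmac.new(key, _canonical(user_id, device_id, body), hashlib.sha256).hexdigest()
    return DeviceRequest(user_id, device_id, body, sig)


class CloudProxy:
    """Internet-facing relay. Devices push requests in; the IAM worker pulls them out."""

    def __init__(self, worker_token: str):
        self._device_keys = {}          # device_id -> (user_id, key)
        self._revoked = set()
        self._worker_token = worker_token  # assumed shared secret for the IAM worker
        self._pending = deque()
        self.rejected = 0               # traffic dropped before it reaches the IAM system

    def activate_device(self, user_id: str, device_id: str) -> bytes:
        """Activation step: mint a personal key for this user+device pair."""
        key = secrets.token_bytes(32)
        self._device_keys[device_id] = (user_id, key)
        return key

    def revoke_device(self, device_id: str) -> None:
        """Lost/stolen device: later requests carrying its key are rejected."""
        self._revoked.add(device_id)

    def accept(self, req: DeviceRequest) -> bool:
        """Inbound from a device. Queue it only if the key check passes.

        A valid key is the first authentication step only; the IAM system still
        authenticates the user (password, security questions, ...) afterwards.
        """
        entry = self._device_keys.get(req.device_id)
        if entry is None or req.device_id in self._revoked:
            self.rejected += 1
            return False
        user_id, key = entry
        expected = hmac.new(key, _canonical(req.user_id, req.device_id, req.body),
                            hashlib.sha256).hexdigest()
        if req.user_id != user_id or not hmac.compare_digest(expected, req.signature):
            self.rejected += 1
            return False
        self._pending.append(req)
        return True

    def next_for_worker(self, token: str) -> Optional[DeviceRequest]:
        """Outbound poll from the IAM worker thread ("give me an HTTP request")."""
        if not hmac.compare_digest(token, self._worker_token):
            raise PermissionError("worker not authenticated")
        return self._pending.popleft() if self._pending else None


def run_scenario() -> dict:
    """Activation, a valid request, a forged one, an unknown device, and revocation."""
    proxy = CloudProxy(worker_token="constructed-worker-token")
    key = proxy.activate_device("alice", "phone-1")
    good = sign_request(key, "alice", "phone-1", "GET /approvals")
    forged = DeviceRequest("alice", "phone-1", "GET /approvals", "00" * 32)
    unknown = sign_request(b"not-a-real-key", "mallory", "phone-9", "GET /approvals")
    accepted = [proxy.accept(good), proxy.accept(forged), proxy.accept(unknown)]
    delivered = proxy.next_for_worker("constructed-worker-token")
    try:
        proxy.next_for_worker("wrong-token")
        bad_worker_blocked = False
    except PermissionError:
        bad_worker_blocked = True
    proxy.revoke_device("phone-1")
    after_revoke = proxy.accept(sign_request(key, "alice", "phone-1", "GET /approvals"))
    return {
        "accepted": accepted,                       # [True, False, False]
        "delivered": delivered.body if delivered else None,
        "bad_worker_blocked": bad_worker_blocked,
        "after_revoke": after_revoke,
        "rejected": proxy.rejected,                 # forged + unknown + revoked = 3
        "queue_empty": proxy.next_for_worker("constructed-worker-token") is None,
    }
```

Note that `rejected` is the number the proxy absorbs on the IAM system's behalf: the forged signature, the device with no key, and the revoked device all stop at the relay, which is the point the slide makes about denial of service.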
4.7 Activate Mobile Access
Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4
5 Mobile use cases
5.1 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4
5.2 Scan contact QR code
Animation: ../../pics/camtasia/v9/find-download-contact-info-1/find-download-contact-info-1.mp4
5.3 Mobile request approval
Animation: ../../pics/camtasia/v9/approve-request-group-membership-via-mobile-access-app-1/approve-request-group-membership-via-mobile-access-app-1.mp4
5.4 Unlock pre-boot password
Animation: ../../pics/camtasia/v9/unlock-epo-pba-password-1/unlock-epo-pba-password-1.mp4
5.5 Request groupset
Animation: ../../pics/camtasia/v9/request-groupset-1/request-groupset-1.mp4
5.6 Password display
Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4
6 UI: AJAX and clickable objects
6.1 Hierarchical attributes
6.2 Dynamic report output
6.3 Clickable objects in UI
6.4 Object types – visible detail
User name – click for details:
• User ID.
• Profile attributes.
• Entitlements.
Group name – click for details:
• Target system.
• Membership.
• Owner/authorizers.
• History.
Request ID – click for details:
• Meta data.
• Authorizers.
• Operations.
Role – click for details:
• ID, description.
• Entitlements.
• Users with the role.
• Owner/authorizers.
Managed system (HiPAM) – click for details:
• Attributes.
• Attached policy.
• Groups, services and accounts.
• Attached policies.
Managed account (HiPAM) – click for details:
• Attributes.
• Groups and services.
• Managed system.
• Attached policies.
7 More and more powerful reports
7.1 Report output to request input
7.2 Graphical report summaries
7.3 Many built-in reports
• More than 150 built-in report programs.
• Some reports have as many as 10 different modes.
– (orphan accounts / orphan profiles / dormant accounts / dormant profiles).
• Various areas of the product:
– 20 HiPAM specific.
– 10 data quality.
– 7 entitlement analysis.
– etc.
• Reports callable via API:
– Integration with enterprise dashboards.
7.4 Hitachi ID Privileged Access Manager Reports
Report categories: Operation; Policy, configuration; Trends.
7.5 Workflow Trend Dashboard
8 Actionable Analytics
8.1 PDR: New Employee
Animation: ../../pics/camtasia/v9/pdr-config-new-employee-1/pdr-config-new-employee-1.mp4
8.2 Report2PDR: Onboard employees
Animation: ../../pics/camtasia/v9/report2pdr-new-user-1/report2pdr-new-user-1.mp4
8.3 Report2PDR: Approve and first login
Animation: ../../pics/camtasia/v9/approve-new-employee-first-login-1/approve-new-employee-first-login-1.mp4
8.4 Report2PDR: Disable orphan accounts
Animation: ../../pics/camtasia/v9/report2pdr-disable-orphan-accounts-1/report2pdr-disable-orphan-accounts-1.mp4
9 Account sets
9.1 Account sets
Definitions:
• A saved search.
• Returns managed accounts on managed systems.
• Example: search on OS, subnet, login ID.
• Can also include accounts, systems individually.
Use cases:
• Check out multiple accounts at once:
– e.g., all systems requiring a patch.
– e.g., all systems supporting an n-tier app.
• Launch multiple login sessions at once:
– RDP, SSH, vSphere, SQL Studio, Toad, etc.
• Push commands to run on all checked out systems, accounts:
– Retrieve status from end systems.
– Make configuration changes.
– Apply patches.
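An account set as defined above, as an added Python example that is not Hitachi ID code or data. It evaluates a saved search (OS, subnet, login ID) over a constructed inventory and unions in individually pinned systems and accounts; the inventory, the set definitions and the function names are assumptions made for this illustration. It covers the search and pinning part of the definition only, not the check-out or command push.

```python
"""Constructed example: an account set as a saved search over an inventory."""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ManagedSystem:
    name: str
    os: str
    address: str          # IPv4 address as a string


@dataclass(frozen=True)
class ManagedAccount:
    system: str           # name of the managed system the account lives on
    login_id: str


@dataclass
class AccountSet:
    """A saved search plus explicitly pinned systems and accounts."""
    name: str
    os: Optional[str] = None              # exact match, e.g. "linux"
    subnet: Optional[str] = None          # CIDR, e.g. "10.1.0.0/16"
    login_pattern: Optional[str] = None   # shell-style glob, e.g. "root"
    systems: Set[str] = field(default_factory=set)              # pinned: every account on the system
    accounts: Set[Tuple[str, str]] = field(default_factory=set)  # pinned (system, login_id) pairs

    def has_search(self) -> bool:
        # A set with no criteria matches nothing by search; only pins count.
        return any(v is not None for v in (self.os, self.subnet, self.login_pattern))


def _system_matches(acct_set: AccountSet, system: ManagedSystem) -> bool:
    if acct_set.os is not None and system.os != acct_set.os:
        return False
    if acct_set.subnet is not None:
        net = ipaddress.ip_network(acct_set.subnet, strict=False)
        if ipaddress.ip_address(system.address) not in net:
            return False
    return True


def resolve(acct_set: AccountSet, systems: List[ManagedSystem],
            accounts: List[ManagedAccount]) -> List[Tuple[str, str]]:
    """Return the (system, login_id) pairs the set currently expands to."""
    by_name = {s.name: s for s in systems}
    result = set()
    for acct in accounts:
        sysobj = by_name.get(acct.system)
        if sysobj is None:
            continue  # account on a system not in the inventory: skip rather than guess
        pinned = acct.system in acct_set.systems or (acct.system, acct.login_id) in acct_set.accounts
        searched = (
            acct_set.has_search()
            and _system_matches(acct_set, sysobj)
            and (acct_set.login_pattern is None or fnmatch(acct.login_id, acct_set.login_pattern))
        )
        if pinned or searched:
            result.add((acct.system, acct.login_id))
    return sorted(result)


# Constructed inventory for the example.
SYSTEMS = [
    ManagedSystem("web01", "linux", "10.1.2.10"),
    ManagedSystem("web02", "linux", "10.1.2.11"),
    ManagedSystem("db01", "linux", "10.2.0.5"),
    ManagedSystem("win01", "windows", "10.1.3.20"),
]
ACCOUNTS = [
    ManagedAccount("web01", "root"), ManagedAccount("web01", "deploy"),
    ManagedAccount("web02", "root"), ManagedAccount("db01", "root"),
    ManagedAccount("db01", "oracle"), ManagedAccount("win01", "Administrator"),
]

# "All systems requiring a patch": root on Linux hosts in 10.1.0.0/16, plus one pinned account.
PATCH_SET = AccountSet("patch-linux-10.1", os="linux", subnet="10.1.0.0/16",
                       login_pattern="root", accounts={("db01", "oracle")})
# "All systems supporting an n-tier app": no search, just a pinned system.
NTIER_SET = AccountSet("ntier-app", systems={"db01"})
```

Running `resolve(PATCH_SET, SYSTEMS, ACCOUNTS)` yields the two Linux root accounts in the subnet plus the pinned Oracle account; `win01` is excluded by OS and `deploy` by login pattern.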
9.2 Account set checkout
Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4
10 Reference builds
10.1 Need but hate code
• Most enterprise-scale deployments require some business logic.
• In practice, business logic looks like either script code or intricate flow charts.
• Nobody wants to write or maintain these things:
– Costly.
– Risky.
– Easy to make mistakes.
– Hard to find/keep staff with the skills.
• Reference builds are intended to eliminate this.
10.2 HiPAM Reference Build
Business decisions:
• What authentication processes should be allowed for this user, at this time, from this IP and device?
• What systems can a user see?
• What accounts and group sets can a user request?
• Is access pre-authorized?
• Who must approve access?
• If authorizers do not respond, who should we escalate to?
• What disclosure mechanisms should be allowed?
• What, if any, session data should be recorded?
Policy rules:
• All rules tables have two parts:
– Left: match on the current session or request.
– Right: make a policy decision or take action.
• Authentication chain selection.
• System/account filter (visibility).
• Authorizer selection and threshold setting.
• Escalation routing.
• Disclosure mechanism selection.
• Session data stream selection.
10.3 Authorization policy
10.4 Example authorization policy rules
If:
• Account request,
• Recipient matches EMERGENCY-RECOVERY.
Then:
• Empty authorizer list,
• Auto-approve,
• No more rules.

If:
• Account request,
• Recipient matches UNIX-ADMINS,
• MSPID is UNIX-SYSTEMS.
Then:
• Auto-approve,
• Empty authorizer list,
• No more rules.

If:
• Groupset request,
• Recipient matches VENDORS.
Then:
• Add authorizers from VENDOR-ACCESS,
• Sample 3,
• Minimum 1.

If:
• Accountset request,
• MSPID is UNIX-SYSTEMS.
Then:
• Add authorizers from UNIX-ADMINS,
• Sample 2,
• Minimum 1.
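The "match on the left, decide on the right" rules table from 10.2, evaluated over the four sample rules above, as an added Python example. This is not Hitachi ID's rules engine: the request and rule representation, the group memberships, the seeded sampling, and the choice to leave a request with no matching rule unrouted are all assumptions made for this illustration; only the four rules themselves come from the slide.

```python
"""Constructed example: evaluating left-match / right-decide authorization rules."""
import random
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class Request:
    kind: str                     # "account", "groupset" or "accountset"
    recipient: str                # requested account, group set or account set name
    mspid: Optional[str] = None   # managed system policy the target belongs to


@dataclass
class Rule:
    # Left side: match conditions (None means "don't care").
    kind: str
    recipient_pattern: Optional[str] = None
    mspid: Optional[str] = None
    # Right side: decision / action.
    auto_approve: bool = False
    authorizer_group: Optional[str] = None
    sample: int = 0               # how many authorizers to draw from the group
    minimum: int = 0              # how many of them must approve
    stop: bool = False            # "No more rules."

    def matches(self, req: Request) -> bool:
        if req.kind != self.kind:
            return False
        if self.recipient_pattern is not None and not fnmatch(req.recipient, self.recipient_pattern):
            return False
        if self.mspid is not None and req.mspid != self.mspid:
            return False
        return True


@dataclass
class Decision:
    auto_approve: bool = False
    authorizers: List[str] = field(default_factory=list)
    minimum: int = 0
    matched: int = 0              # number of rules that fired

    def status(self) -> str:
        if self.auto_approve:
            return "auto-approved"
        if self.authorizers:
            return f"needs {self.minimum} of {len(self.authorizers)} approvals"
        return "no matching rule: hold for manual routing"  # this example's default


# The four rules from the slide, in table order.
RULES = [
    Rule("account", "EMERGENCY-RECOVERY", auto_approve=True, stop=True),
    Rule("account", "UNIX-ADMINS", mspid="UNIX-SYSTEMS", auto_approve=True, stop=True),
    Rule("groupset", "VENDORS", authorizer_group="VENDOR-ACCESS", sample=3, minimum=1),
    Rule("accountset", mspid="UNIX-SYSTEMS", authorizer_group="UNIX-ADMINS", sample=2, minimum=1),
]

# Constructed group memberships.
GROUPS = {
    "VENDOR-ACCESS": ["vendor-mgr1", "vendor-mgr2", "vendor-mgr3", "vendor-mgr4"],
    "UNIX-ADMINS": ["unix-lead", "unix-oncall", "unix-arch"],
}


def evaluate(req: Request, rules=RULES, groups=GROUPS, seed=None) -> Decision:
    """Apply rules top to bottom; a rule with stop=True ends evaluation."""
    rng = random.Random(seed)
    decision = Decision()
    for rule in rules:
        if not rule.matches(req):
            continue
        decision.matched += 1
        if rule.auto_approve:
            decision.auto_approve = True
            decision.authorizers = []     # "Empty authorizer list"
            decision.minimum = 0
        if rule.authorizer_group is not None:
            pool = [m for m in groups.get(rule.authorizer_group, []) if m not in decision.authorizers]
            decision.authorizers.extend(rng.sample(pool, min(rule.sample, len(pool))))
            decision.minimum = max(decision.minimum, rule.minimum)
        if rule.stop:
            break
    # Never demand more approvals than there are authorizers to give them.
    decision.minimum = min(decision.minimum, len(decision.authorizers))
    return decision
```

The `seed` parameter exists so that sampling is reproducible in tests; in practice the sample would be drawn fresh per request. A request that matches no rule is neither approved nor routed, which is this example's conservative default and not something the slide specifies.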
10.5 Sample rule: emergency access
11 Identity Manager
11.1 Certifier/user via relationship
11.2 More interactive input fields
11.3 Picture upload
12 Discussion
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
Date: May 22, 2015 File: PRCS:pres