Hitachi ID Identity Manager
1 Hitachi ID Identity Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Entitlement administration and governance: automation, requests, approvals, recertification, SoD and RBAC.
2 Agenda
• Corporate
• Hitachi ID Identity Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation
3 Corporate
© 2017 Hitachi ID Systems, Inc. All rights reserved.
2. Slide Presentation
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally.
Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
3.2 Representative customers
3.3 Hitachi ID Suite
4 Hitachi ID Identity Manager
4.1 Compliance / internal controls
Challenges:
• Slow and unreliable deactivation when people leave.
• Orphan and dormant accounts.
• Users with no-longer-needed access.
• Access that violates SoD policies or represents high risk.
• Unreliable approvals for access requests.
• Audit failures and regulatory risk.
Solutions:
• Automate deactivation based on SoR (HR).
• Review and remediate excessive access (certification).
• Block requests that would violate SoD.
• Analyze entitlements to find policy violations, high risk users.
• Automatically route access requests to appropriate stake-holders.
4.2 Access administration cost
Challenges:
• Multiple FTEs required to set up, deactivate access.
• Additional burden on platform administrators.
• Audit requests can add significant strain.
Solutions:
• Automate access setup, tear-down in response to changes in systems of record (SoRs).
• Simple, business-friendly access request forms.
• Route requests to authorizers automatically.
• Automate fulfillment where possible.
• Help auditors help themselves:
  – With certification, auditors focus on process, not entitlements.
  – Reports and analytics.
4.3 Access changes take too long
Challenges:
• Approvers take too long.
• Too many IT staff required to complete approved requests.
• Service is slow and expensive to deliver.
Solutions:
• Automatically grant access:
  – Where predicted by job function, location, ...
  – Eliminate request/approval process where possible.
• Streamline approvals:
  – Automatically assign authorizers, based on policy.
  – Invite participants simultaneously, not sequentially.
  – Enable approvals from smart-phone.
  – Pre-emptively escalate when stake-holders are out of office.
• Automate fulfillment where possible.
4.4 Access requests are too complicated
Challenges:
• Requesting access is complex:
  – Where is the request form?
  – What access rights do I need?
  – How do I fill this in?
  – Who do I send it to, for approval?
• Complexity creates frustration.
Solutions:
• Auto-assign access when possible.
• Simplify request forms.
• Intercept "access denied" errors:
  – Navigate users to the appropriate request forms.
• Compare entitlements:
  – Help requesters select entitlements.
  – Compare recipient, model user rights.
  – Select from a small set of differences.
• Automatically assign authorizers based on policy.
5 Features
5.1 HiIM features
Inputs:
• Monitor SoRs (automation).
• Systems and apps: current state.
• Request portal:
  – Self-service.
  – Delegated.
  – Access admin.
• Web services API.
Processes:
• Request forms.
• Approval workflows.
• Access certification.
• Manual fulfillment.
• Analytics.
Policies:
• Segregation of duties.
• Risk scores.
• Role based access control.
• Authorizer, certifier selection.
• Visibility / privacy protection.
Outputs:
• Connectors to 110 systems and applications.
• E-mail.
• Create/update/close tickets.
• Send events to SIEM.
5.2 Identity and entitlement lifecycle automation
• Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement lifecycles out of the gate:
  – Joiners, movers, leavers processes.
  – Password management, strong authentication and federation.
  – Change requests, approval, review/certification.
  – Driven by both SoR data and requests.
• No need to "clean up" entitlements before automating access changes.
• Roles can be added later: not a pre-requisite.
• Automate first, clean up afterwards:
  – Unlike with competitors, automation is pre-configured and easy.
  – Start with basic integrations, add connectors over time.
  – Leverage automation and user knowledge to help clean up.
  – Add roles and expand automation over time.
5.3 Monitoring systems of record
• Any target system can function as a system of record (SoR).
• Examples: HR apps, SQL databases, CSV files, ...
• Hitachi ID Identity Manager can monitor multiple SoRs:
  – Multinationals: regional HR systems.
  – Colleges: students vs. faculty/staff.
• Map attributes to user profiles and prioritize.
• Automatically submit access requests in response to detected changes.
• Users can submit pre-emptive or corrective requests:
  – New hire not yet in HR.
  – HR data is wrong.
  – Override SoR data until HR updates it.
• Request portal handles users who never appear in SoRs:
  – Contractors, partners, etc.
5.4 Requester usability
• Users rarely know where or how to request access!
• Windows shell extension, SharePoint error page:
  – Intercept "Access Denied" errors.
  – Navigate user to appropriate request URL.
• Compare users:
  – Compare entitlements between the intended recipient and a reference user.
  – Select entitlements from the variance.
• Search for entitlements:
  – Keywords, description, metadata/tags.
• Relationship between requester and recipient:
  – What recipients can the requester see?
  – What identity attributes are visible?
  – What kinds of requests are available?
5.5 Robust, policy-driven workflow
• Workflow invites stake-holders to participate in processes:
  – Approve or reject a request.
  – Review entitlements and recertify or remediate.
  – Fulfill an approved request.
  – Extensible, e.g., audit cases.
• Stake-holders are invited based on policy:
  – No flow-charts or diagrams required.
  – Process is simple, transparent and secure.
  – Routing may be based on relationships, resource ownership, risk.
• The process is robust, even when people aren't:
  – Invite N participants, accept response from M (M<N).
  – Simultaneous invitations by default (sequential made sense for paper forms).
  – Automatically send reminders.
  – Escalate (e.g., to manager) if unresponsive.
  – Check out-of-office message, pre-emptively escalate.
  – Accessible from smart phone, not just PC.
5.6 Reports, dashboards and analytics
• Over 150 reports built in:
  – Many include multiple modes (e.g., dormant vs. orphan accounts).
  – Identities, entitlements, history, system operation, trends, etc.
  – Easy to add custom reports.
• Many dashboards included as well.
• Run interactively or schedule (once, recurring).
• Deliver output (HTML, CSV, PDF):
  – Interactively.
  – In e-mails.
  – Drop files on UNC shares.
  – Stream results via web services.
• Actionable analytics:
  – Feedback from reports to requests.
  – Automated remediation.
• Database is normalized and documented: 3rd party tools can be used too.
6 Recorded Demos
6.1 Intercept Access Denied Dialogs
Animation: ../../pics/camtasia/v10/higm-A-request-folder.mp4
6.2 Authorization of a request for security group membership
Animation: ../../pics/camtasia/v10/higm-B-request-approve.mp4
6.3 Request approved, user can access the folder
Animation: ../../pics/camtasia/v10/higm-C-approved-open-file-nb.mp4
6.4 Mobile request approval
Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4
6.5 Compare user entitlements
Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4
6.6 Application-centric certification
Animation: ../../pics/camtasia/v10/hiac-complete-app-centric-2.mp4
6.7 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4
6.8 Actionable analytics: Disable orphan accounts
Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4
7 Technology
7.1 Multi-master architecture
[Diagram: multi-master architecture. Hitachi ID servers in Data center A and Data center B replicate to each other (TCP/IP + AES) and to a remote data center. In front of them sit a reverse web proxy, VPN server, IVR server, load balancers, a mobile proxy and firewalls; users reach the system over HTTPS, including the Mobile UI. Integrated systems: e-mail system (notifications and invitations), ticketing system (tickets), HR system of record, "cloud" SaaS apps, managed endpoints (AD, Unix, z/OS, LDAP, iSeries; reached via secure native protocol or various protocols), managed endpoints with remote agent (AD, SQL, SAP, Notes, etc.), z/OS local agent, MS SQL databases, proxy server (if needed), and password synch trigger systems (native password change, validate password).]
7.2 Key architectural features
[Diagram: the same deployment, highlighting the "cloud" SaaS apps, Data center A, Data center B and the remote data center, with links labelled TCP/IP + AES, various protocols, secure native protocol and HTTPS.]
• Reach across firewalls.
• Load balanced.
• On premise and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.
7.3 Internal architecture
• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
  – Fault tolerant.
  – Secure: encrypted.
  – Reliable: queue and retry.
  – App nodes need not, and should not, be co-located.
• Native, 64-bit code:
  – 2x faster than .NET.
  – 10x faster than Java.
• Stored procedures:
  – For all data lookups, inserts.
  – Fast, efficient.
  – Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512.
7.4 BYOD access to on-premises IAM system
The challenge:
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from the Internet.
Hitachi ID Mobile Access:
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy: no firewall changes.
• IAM not visible on Internet.
[Diagram: outbound connections only. The personal device on the Internet and the IAM server on the private corporate network each connect outward through a firewall to the cloud proxy in the DMZ. (1) An IAM server worker thread asks the proxy: "Give me an HTTP request". (2) The phone sends an HTTPS request that "includes userID, deviceID". (3) A message passing system in the proxy relays the request to the waiting worker.]
7.5 Included connectors
Many integrations to target systems included in the base price:
Directories: any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS (RACF, ACF2, TopSecret), iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.
7.6 Rapid integration with custom apps
• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
8 Implementation
8.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
  – Solution design.
  – Statement of work.
8.2 ID Express
Before reference implementations:
• Every implementation starts from scratch.
• Some code reuse, in the form of libraries.
• Even simple business processes have complex boundary conditions:
  – Onboarding: initial passwords, blocking rehires.
  – Termination: scheduled vs. immediate, warnings, cleanup.
  – Transfers: move mailboxes and homedirs, trigger recertification.
• Complex processes often scripted.
• Delay, cost, risk.
With Hitachi ID Identity Express:
• Start with a fully configured system.
• Handles all the basic user lifecycle processes out of the box.
• Basic integrations pre-configured (HR, AD, Exchange, Windows).
• Implementation means "adjust as required", not "build from scratch".
• Configuration is fully data driven (no scripts).
• Fast, efficient, reliable.
8.3 ID Express - Corporate: details
• Integrations:
  – SQL-based HR SoR.
  – AD domain.
  – Exchange domain (mailboxes).
  – Windows filesystem (homedirs).
• Entitlements:
  – Login IDs.
  – Group memberships.
  – Roles.
• User communities:
  – Employees.
  – Contractors/other.
• Configuration:
  – Based on user classes, rules tables and lookup tables.
  – Near-zero script logic.
• Automation:
  – Onboard/deactivate based on SoR.
  – Identity attribute propagation.
• Self-service:
  – Password, security question management.
  – Update to contact info.
  – Request for application, share, folder access.
• Delegated admin:
  – Same as self-service, plus recert.
• Approval workflows:
  – IT security (global rights).
  – HR/managers (approve for each other).
• Recertification:
  – Scheduled.
  – Ad-hoc.
8.4 Services impact of ID Express
Initial planning (5/5 days)
Document old processes (30/5 days)
Design new processes (30/5 days)
Deploy software (2/2 days)
Basic integrations (5/5 days)
Implement new processes (30/5 days)
Test, debug, adjust (30/10 days)
Production migration (2/2 days)
Pilot test, adjust (20/15 days)
Advanced integrations (30/30 days)
Test, debug, fix (15/15 days)
Production migration (2/2 days)
Test in prod., feedback, fixes (5/5 days)
Get feedback (15/5 days)
Implement new processes (30/5 days)
Test, debug, adjust (15/5 days)
Production migration (2/2 days)
Retest, adjust (10/10 days)
Documentation (5/5 days)
9 Differentiation
9.1 HiIM differentiation (1/3)
Feature: Hitachi ID Identity Express
Details:
• Pre-configured processes, policies.
• Full implementation or menu of components.
• Rich processes.
• Faster deployment.
• Low implementation risk.
Competitors:
• Slow, risky deployment.
• Never get around to J/M/L process automation.
Feature: Requester usability
Details:
• Intercept "access denied" errors.
• Compare entitlements of recipient, model users.
• Usability aid for requesters.
Competitors:
• Hard to find request portal.
• Users don't know how to request access.
• Low user adoption.
• Reduced ROI.
Feature: SoD actually works
Details:
• Hierarchy of roles, groups.
• Roles can contain groups, more roles.
• Groups can contain other groups.
• SoD defined at one level, violation may happen at another.
• Hitachi ID Identity Manager reliably detects, prevents violations.
Competitors:
• Fail to detect some violations.
• Users can bypass controls.
• False sense of security.
• Audit failures.
• Regulatory risk.
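An added example (not Hitachi ID code; the role/group hierarchy, entitlement names and SoD rules are constructed) of the point made in the "SoD actually works" row: a rule written at the entitlement level is only enforceable if the checker first expands nested roles and groups into the effective entitlement set, and the same expansion lets a request be blocked before the conflict is granted.

```python
from collections import deque

# Constructed sample hierarchy: roles may contain groups and other roles,
# groups may contain other groups; "ent:" items are what lands on the target.
CONTAINS = {
    "role:ap-clerk":      ["group:ap-entry"],
    "role:ap-manager":    ["role:ap-clerk", "group:ap-approve"],
    "role:finance-lead":  ["role:ap-manager", "group:vendor-maint"],
    "group:ap-entry":     ["ent:ERP.invoice_create"],
    "group:ap-approve":   ["group:ap-pay", "ent:ERP.invoice_approve"],
    "group:ap-pay":       ["ent:ERP.payment_release"],
    "group:vendor-maint": ["ent:ERP.vendor_edit"],
}

# SoD rules written at whatever level the policy author chose: two
# entitlements, or a group against an entitlement.
SOD_RULES = [
    ("ent:ERP.invoice_create", "ent:ERP.invoice_approve"),
    ("group:ap-pay", "ent:ERP.vendor_edit"),
]


def expand(item, contains=CONTAINS):
    """Everything reachable from item through nesting, item included.
    Breadth-first with a visited set, so cyclic group nesting terminates."""
    seen, todo = {item}, deque([item])
    while todo:
        for child in contains.get(todo.popleft(), ()):
            if child not in seen:
                seen.add(child)
                todo.append(child)
    return seen


def effective(assigned, contains=CONTAINS):
    """Union of the expansions of every directly assigned role or group."""
    held = set()
    for item in assigned:
        held |= expand(item, contains)
    return held


def sod_violations(assigned, rules=SOD_RULES, contains=CONTAINS):
    """Rules with both sides held, checked on the expanded set so a rule
    defined at one level is caught when it materialises at another."""
    held = effective(assigned, contains)
    return [r for r in rules if r[0] in held and r[1] in held]


def naive_violations(assigned, rules=SOD_RULES):
    """Direct-assignment check only: the kind that misses nested conflicts."""
    held = set(assigned)
    return [r for r in rules if r[0] in held and r[1] in held]


def would_violate(assigned, requested, rules=SOD_RULES, contains=CONTAINS):
    """Preventive check at request time: block before access is granted."""
    return sod_violations(set(assigned) | {requested}, rules, contains)
```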
9.2 HiIM differentiation (2/3)
Feature: Active-active architecture
Details:
• Multiple servers.
• Load balanced.
• Geographically distributed.
• No single point of failure.
• Scalable.
Competitors:
• Single points of failure.
• Costly to scale.
• Slow to recover from disasters.
Feature: Smart phone access
Details:
• Android and iOS apps.
• Cloud-hosted proxy.
• No public URL.
• Approvals, 2FA, contact download, etc.
Competitors:
• Require a public URL.
• Less secure / rarely permitted.
• No viable BYOD strategy.
• Impacts security, approval SLA.
Feature: Actionable analytics
Details:
• Link report output to request input.
• Automated remediation.
• Immediate or scheduled.
• No coding.
Competitors:
• Fewer reports, analytics.
• No automated remediation.
9.3 HiIM differentiation (3/3)
Feature: Governance, provisioning in one product
Details:
• Governance: requests, approvals, certification, SoD, RBAC, analytics.
• Provisioning: connectors, J/M/L process automation.
• Single, integrated solution.
Competitors:
• Some focus on governance (no remediation, no J/M/L process automation).
• Others focus on provisioning (no certification, limited analytics).
• Higher total cost.
• Integration risk.
Feature: Policies built on relationships
Details:
• Relationships drive all policies in Hitachi ID Identity Manager.
• Who can a user search for?
• What data is visible?
• What changes are requestable?
• Who will be asked to approve?
• Escalation path?
Competitors:
• Hierarchical access controls.
• Script code for exceptions.
• Costly, risky.
• Hard to configure, maintain.
10 Summary
An integrated solution for managing identities and entitlements:
• Automation: onboarding, deactivation, detect out-of-band changes.
• Self-service: profile updates, access requests.
• Governance: certification, authorization workflow, RBAC, SoD, analytics.
• Automatically manage identities, entitlements: 110 bidirectional connectors.
• Other integrations: filesystem, collaboration, SIEM, incident management.
• Rapid deployment: pre-configured Hitachi ID Identity Express.
Security, lower cost, faster service.
Learn more at Hitachi-ID.com/Identity-Manager
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
Date: 2017-03-15