1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Administration and governance of identities, entitlements and credentials.

2 Agenda
• Corporate.
• IAM problems / Hitachi ID solutions.
• Technology.
• Privileged Access.
• Example deployments.
• Discussion.

3 Corporate
© 2017 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation

3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers

4 Products
4.1 Hitachi ID Suite
4.2 HiIM features
Automation:
• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.
Request portal:
• Users can request for themselves or others.
• Access control model limits visibility, requestability.
Certification:
• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.
Workflow:
• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.
Policies, controls:
• RBAC.
• SoD.
• Risk scores.
• Approvals.
• Entitlement analytics.
Integrations:
• 110+ bidirectional connectors, included.
• Incident management, SIEM, e-mail interfaces.
• Manage building access, physical assets.
4.3 HiPM features
Password synch:
• Reduce the number of passwords per user.
Self-service:
• Password reset.
• Clear lockout.
• Smart card PIN reset.
• Token PIN reset.
• Encrypted filesystem unlock.
Value-add:
• Federated access – replace other apps' login screens.
• Password vault – users can store unmanaged passwords.
Access from:
• PC browser or login screen.
• At the office or remote.
• Smart phone or voice call.
Assisted service:
• Password, token PIN, intruder lockout.
Policy enforcement:
• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.
Managed enrollment:
• Security questions.
• Login IDs.
• Mobile phone numbers.

5 Technology
5.1 Multi-master architecture
[Architecture diagram. Components shown: Hitachi ID web servers behind load balancers and a reverse proxy in data center A, replicated to data center B; a proxy server in a remote data center reached over TCP/IP + AES; managed endpoints (AD, Unix, z/OS with local agent, LDAP, iSeries, SQL, SAP, Notes, SaaS "cloud" apps) reached over secure native protocols and HTTPS; a mobile proxy and VPN server for the mobile UI; IVR server; MS SQL databases; e-mail notifications and invitations; ticketing system; HR system of record; native password change triggers for password synch.]
5.2 Key architectural features
• BYOD enabled.
• On premise and SaaS.
• Replicated across data centers.
• Horizontal scaling, load balanced.
• Reach across firewalls.
[Diagram: SaaS "cloud" apps, data center A, data center B and a remote data center, linked by TCP/IP + AES, various protocols, secure native protocol and HTTPS.]

5.3 Multi-master replication
Avoid data loss and service interruption: multiple copies of the vault in different cities.
• Real-time data replication.
• Fault-tolerant.
• Bandwidth efficient, latency tolerant.
• Best practice: multiple servers in multiple data centers.
• Active/active.
• Load balanced.
5.4 Included connectors
Many integrations to target systems included in the base price:
• Directories: Any LDAP, Active Directory, NIS/NIS+.
• Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
• Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, Hyperion, Cache, ODBC.
• Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
• Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
• HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
• ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
• Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
• Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
• WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
• Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
• Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.

5.5 Rapid integration with custom apps
• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
6 Privileged Access
6.1 HiPAM features
Auto-discovery:
• Find systems, accounts.
• Attach policy.
Random passwords:
• Default is daily.
Secure storage:
• Replicated (with fault tolerance/queue).
• Encrypted.
• Geographically distributed.
Access controls:
• Policy: who can sign into which account?
Workflow controls:
• One time request/approval/login.
Single sign-on:
• Launch SSH, RDP, vSphere, SQL, etc.
• Alternately: display password, temporary group membership, temporary SSH trust/SUDO rights.
Application passwords:
• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API to eliminate embedded passwords.
Logging:
• Requests, approvals, logins to privileged accounts.
Session monitoring:
• Screen, keyboard, webcam, process ID, window title, etc.
6.2 Securing privileged accounts
Thousands of IT assets:
• Servers, network devices, databases and applications:
  – Numerous.
  – High value.
  – Heterogeneous.
• Workstations:
  – Mobile – dynamic IPs.
  – Powered on or off.
  – Direct-attached or firewalled.
Who has the keys to the kingdom?
• Every IT asset has sensitive passwords:
  – Administrator passwords: used to manage each system.
  – Service passwords: provide security context to service programs.
  – Application passwords: allow one application to connect to another.
• Do these passwords ever change?
• Plaintext in configuration files?
• Who knows these passwords? (ex-staff?)
• Who made what changes, when and why?

6.3 Types of privileged accounts
Shared Administrative:
• Definition: Interactive logins used by humans. Client tools: PuTTY, RDP, SQL Studio, etc. May be used at a physical console.
• Challenges: Access control. Audit/accountability. Single sign-on. Session capture.
Embedded:
• Definition: One application connects to another. DB logins, web services, etc.
• Challenges: Authenticating apps prior to password disclosure. Caching, key management.
Service:
• Definition: Run service programs with admin or limited rights. Windows requires a password. Scheduled tasks, IIS, DCOM, SCM, etc.
• Challenges: Avoiding service interruption. Restart service if req'd.
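The HiPAM workflow in 6.1 (attach policy on discovery, daily random passwords, policy-gated one-time check-out, audit log) and the shared-account challenges in 6.3, as an added toy model that is not Hitachi ID code; the `Vault`, `Account`, system names, logins and groups are constructed for the illustration, and time is an integer day counter.

```python
# Added illustration, not Hitachi ID code: the HiPAM workflow above (attach
# policy on discovery, rotate on schedule, gate check-out by policy and approval,
# disclose once then re-randomize, log it all). Days are ints; names constructed.
import secrets
from dataclasses import dataclass

def random_password() -> str:
    return secrets.token_urlsafe(18)  # 24 URL-safe characters from a CSPRNG

@dataclass
class Account:
    system: str
    login: str
    password: str
    rotated_day: int
    allowed_groups: frozenset  # policy: who may sign into this account

class Vault:
    def __init__(self) -> None:
        self.accounts = {}  # (system, login) -> Account
        self.audit = []     # (day, event, system, login, requester)

    def register(self, system, login, groups, day):
        # Discovered account gets a random password and an access policy.
        self.accounts[(system, login)] = Account(
            system, login, random_password(), day, frozenset(groups))
        self.audit.append((day, "register", system, login, None))

    def rotate_due(self, day, rotation_days=1):
        # Scheduled job: re-randomize every password past its rotation age.
        due = [a for a in self.accounts.values()
               if day - a.rotated_day >= rotation_days]
        for a in due:
            a.password, a.rotated_day = random_password(), day
            self.audit.append((day, "rotate", a.system, a.login, None))
        return len(due)

    def checkout(self, requester, groups, system, login, approved, day):
        # One-time disclosure: policy check, approval, then immediate rotation.
        acct = self.accounts[(system, login)]
        allowed = bool(acct.allowed_groups & frozenset(groups))
        if not (allowed and approved):
            event = "deny" if not allowed else "pending"
            self.audit.append((day, event, system, login, requester))
            return None
        self.audit.append((day, "checkout", system, login, requester))
        disclosed, acct.password, acct.rotated_day = acct.password, random_password(), day
        self.audit.append((day, "rotate", system, login, requester))
        return disclosed
```

Because the disclosed password is re-randomized the moment it is handed out, the audit trail ties every login to one named requester and one approval, which is the accountability gap the "shared administrative" column describes.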
6.4 Securing administrator accounts

7 Example Deployments

7.1 Case Study: Industrial conglomerate
Customer description: Global industrial conglomerate with energy utility subsidiaries.
Product: Hitachi ID Identity Manager.
Industry: Industrials, energy utilities.
Target systems: Windows/AD, Oracle EBS, mainframe, databases.
Functionality: Onboard, deactivate, manage access of over 10,000 employees and contractors. Automation, self-service, policy enforcement.
Main business driver: Lower IT support cost and improve SLA.
Business impact: Retired home-grown IAM and access reporting system. Lower IT security management workload.
7.2 Case Study: Energy company
Customer description: Global energy company.
Product: Hitachi ID Group Manager.
Number of users: 100,000+.
Functionality: Self-service requests to access network shares, folders.
Main business driver: Reduce IT support call volume.
Business impact: Replace "access denied" help desk calls with self-service infrastructure.

7.3 Case Study: US bank
Customer description: US bank.
Product: Hitachi ID Password Manager.
Industry: Banking.
Number of users: 150,000.
Functionality: Password reset via telephone, web browser.
Main business driver: Reduce IT support cost, improve authentication security when users call for help.
Business impact: Eliminated 33,000 help desk calls/month. Saved at least US$ 4,000,000/year.

7.4 Case Study: Investment bank
Customer description: Top-10 global investment bank.
Product:
Industry: Finance.
Target systems: Windows, Unix/Linux, MSSQL.
Functionality: Randomize passwords weekly on 122,000 systems around the world. Deployed 12 servers in 4 data centers globally for super-high availability and fault tolerance.
Main business driver: Eliminate static, shared, administrative passwords to comply with audit, regulatory requirements.
Business impact: Control, audit administrator logins to privileged accounts on 122,000 systems globally. Pass audits.
8 Differentiation

8.1 HiIM advantages
Hitachi ID Identity Express:
• HiIM: Pre-configured with most common scenarios.
• Others: Every deployment is custom, new.
Built-in features:
• HiIM: Request portal. Access certification. Approval workflow.
• Others: Custom forms. Custom workflows.
User friendly requests:
• HiIM: Windows Shell extension. SharePoint integration. Compare users.
• Others: Users must know what entitlements to request.
Robust policy enforcement:
• HiIM: SoD with deep inspection. Policy-driven approvals. Privacy protection.
• Others: SoD easily bypassed. Hard-coded approvals. No privacy protection.
Architecture:
• HiIM: Scalable: multi-master, load-balanced. Fault tolerant: active-active.
• Others: DB is choke point, single point of failure. Only hot standby.
8.2 HiPM advantages
• HiPM: 2FA, Federation included for all users. Others: Extra products required.
• HiPM: Access from smart phones (BYOD). Others: Only with a public URL.
• HiPM: Unlock encrypted filesystem – pre-boot password prompt. Others: Call the help desk.
• HiPM: Access from Windows login screen, even when off-site. Others: Come back to the office or ship laptop to dept.
• HiPM: Access from domain-member MacOSX login screen. Others: Call the help desk.
• HiPM: All connectors included in base price. Others: Some charge per-connector.
• HiPM: Web browser, smart-phone, PC login screen, telephony all included. Others: Extra features, extra cost.
• HiPM: Managed enrollment, max. adoption. Others: Write scripts – extra cost, lower ROI.
• HiPM: Active-active replication: scalable and reliable. Others: Hot standby at best. May cost extra.

8.3 HiPAM advantages (technical)
• Hitachi ID Privileged Access Manager: Multi-master, active-active. Competitors: Hot standby, "offline" mode.
• Hitachi ID Privileged Access Manager: 2FA for everyone, no extra cost. Competitors: Either purchase a separate 2FA system or rely on AD passwords.
• Hitachi ID Privileged Access Manager: BYOD access, including approvals. Competitors: Fire up your laptop, sign into the VPN.
• Hitachi ID Privileged Access Manager: Check-out multiple accounts in one request. Competitors: One account at a time.
• Hitachi ID Privileged Access Manager: Temporary privilege elevation. Competitors: Only password display/injection.
• Hitachi ID Privileged Access Manager: Secure laptops (mobile, NAT, firewalled). Competitors: Endpoints not really supported.
• Hitachi ID Privileged Access Manager: Direct connect, HTML5, RDP+launch proxy. Competitors: Only via proxy.
• Hitachi ID Privileged Access Manager: Proxy servers to integrate with remote systems. Competitors: Extra cost (more appliances?).
• Hitachi ID Privileged Access Manager: Run any admin tool, with any protocol. Competitors: Can only launch RDP, SSH.
8.4 HiPAM advantages (commercial)
• Hitachi ID Privileged Access Manager: Manage groups that control access policy. Competitors: Need a separate IAM system for that.
• Hitachi ID Privileged Access Manager: Proxy servers to integrate with remote systems. Competitors: Extra cost (more appliances?).
• Hitachi ID Privileged Access Manager: Secure Windows service acct passwords. Competitors: Separate product.
• Hitachi ID Privileged Access Manager: Secure API replaces embedded passwords. Competitors: Separate product.
• Hitachi ID Privileged Access Manager: Session recording included. Competitors: Separate product.
• Hitachi ID Privileged Access Manager: Over 110 connectors included. Competitors: Some connectors cost more.
• Hitachi ID Privileged Access Manager: Unlimited users. Competitors: Fee per user.

9 Discussion
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725
E-Mail: [email protected] w.Hitachi-ID.com
Date: 2017-03-15 File: PRCS:pres