

Hitachi ID Password Manager

Published by hitachiid, 2017-07-05 11:48:57

Description: Lower Cost, Improve Service and Strengthen Security with Password Synchronization and Reset.

See more at: http://hitachi-id.com/documents/




1 Hitachi ID Password Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Integrated credential management: Passwords, security questions, certificates, tokens, smart cards and biometrics.

2 Agenda

• Corporate
• Hitachi ID Password Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation

3 Corporate

© 2017 Hitachi ID Systems, Inc. All rights reserved.

Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers

3.3 Hitachi ID Suite

4 Hitachi ID Password Manager

4.1 Too many passwords

Challenges:
• Users have too many passwords.
• Write them on sticky notes.
• Forget and call the help desk.
• Pick trivial, insecure values.

Solutions:
• Synchronize passwords.
• Reduce to 1 or a few.
• Easier to remember.
• Less likely to write down.
• Opportunity to mandate stronger passwords.

4.2 Help desk call volume

Challenges:
• Users forget their passwords.
• Lock themselves out.
• Highest volume incident type.
• Peak volume at start of week.

Solutions:
• Self-service password reset.
• Clear intruder lockouts.
• PIN resets and emergency pass-codes for tokens.

4.3 Automated user enrollment

Challenges:
• Self service depends on non-password credentials:
  – Security questions.
  – Mobile phone number.
  – Personal e-mail address.
  – App on smart phone.
• This data rarely exists prior to deployment.
• New hires must enroll too.
• ROI depends on user adoption:
  – Users tend to ignore invitations.

Solutions:
• Identify users with incomplete profiles.
• Invite them to sign up. Send reminders with increasing urgency:
  – E-mail.
  – Open browser at login time.
  – Forced enrollment (full screen, locked browser).
• Throttle invitations:
  – Per user (e.g., once a week).
  – Overall (e.g., 500/day).

4.4 Password reset from difficult contexts

Challenges:
• Users have trouble logging in:
  – Forget their password.
  – Trigger an intruder lockout.
• User context can complicate assistance:
  – Pre-boot? No OS yet!
  – Login screen? How to navigate to self-service?
  – Off-site? Locally cached password.

Solutions:
• Pre-boot:
  – Smart phone app or voice call to access service.
  – Mediate filesystem unlock.
• Windows login screen:
  – Credential Provider extends the Windows login UI.
  – Smart phone app or voice call.
  – Secure kiosk account if client software is a problem.
• VPN integration:
  – Update locally cached password for off-site users.

4.5 Need consistently strong authentication

Challenges:
• Few apps natively support multi-factor logins.
• Mandate strong authentication before self-service password reset.

Solutions:
• Offer 2FA to all users:
  – PIN to phone/email.
  – Smart phone app.
  – Existing OTP.
  – Browser fingerprint (reduces the nuisance of 2FA).
• Built into Hitachi ID Password Manager:
  – Leverage existing 2FA if available.
  – Introduce zero-cost 2FA otherwise.
• Extend 2FA to other apps via federation:
  – HiPM includes a built-in SAML IdP.

4.6 SaaS apps demand stronger security

Challenges:
• SaaS apps expose a public URL.
• Unlike on-premises, they can be attacked by anyone with an Internet connection.

Solutions:
• Offload login screens to a federated access manager.
• Require 2FA at the consolidated login screen.
• Fingerprint browsers to reduce the nuisance of a two-step login.

4.7 Users want to manage their own passwords

Challenges:
• Users sign into a variety of non-corporate services.
• Insurance, banking, e-mail, social network, e-commerce, ...
• They sometimes ask IT for help managing these too.

Solutions:
• Offer them a secure alternative.
• Improves customer satisfaction with IT.
• Acts as an inducement to installing a 2FA mobile app.

5 Recorded Demos

5.1 Off-site, Locked-out Password Reset
Animation: ../../pics/camtasia/v9/hipm-self-service-anywhere-nb/hipm-self-service-anywhere-nb.mp4

5.2 Activate Hitachi ID Mobile Access app
Animation: ../../pics/camtasia/v10/enable-mobile-device-1.mp4

5.3 Unlock pre-boot password
Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4

5.4 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

6 Technology

6.1 Multi-master architecture

[Diagram: Hitachi ID servers in data center A and data center B with replication between them, behind load balancers, a reverse proxy and web servers; an IVR server, MS SQL databases, and e-mail notifications and invitations; a mobile proxy serving the mobile UI; native password-change triggers from AD, Unix, z/OS (local agent), LDAP and iSeries; managed endpoints reached over a secure native protocol or, if needed, through a proxy server; endpoints in a remote data center (AD, SQL, SAP, Notes, etc.) reached through a remote agent over TCP/IP + AES across firewalls; SaaS apps in the "Cloud" over HTTPS; a VPN server; and the ticketing system and HR system of record reached over various protocols.]

6.2 Key architectural features

[Diagram: the same topology annotated with its key features: BYOD enabled; on premises and SaaS; replicated across data centers (data center A, data center B, remote data center); horizontal scaling, load balanced; reach across firewalls; transports: TCP/IP + AES, HTTPS, secure native protocol, various protocols.]

6.3 Internal architecture

• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
  – Fault tolerant.
  – Secure - encrypted.
  – Reliable - queue and retry.
  – App nodes need not be, and should not be, co-located.
• Native, 64-bit code:
  – 2x faster than .NET.
  – 10x faster than Java.
• Stored procedures:
  – For all data lookups, inserts.
  – Fast, efficient.
  – Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512.

6.4 Authentication chains

[Diagram of an authentication chain; labels not recoverable.]

• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?

6.5 User classes

[Diagram of user classes and their participants; labels not recoverable.]

User classes define sets of individual users or types of relationships between users:
• Sets of users:
  – By group membership.
  – In an OU.
  – Having certain attributes.
• Types of relationships:
  – Shared attributes (e.g., department, location).
  – Group membership of participants (e.g., security team).
  – Direct or indirect manager.

User classes are a natural way to define security policy:
• Route requests (requester+recipient/authorizer).
• Invite reviewers (user/certifier).
• Escalate requests (old/new participants).
• Limit visibility (viewer/user profile).
• Define what is requestable (requester/recipient).
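The two ideas on this slide, user classes (sets of users, or relationships between two users, that policy can refer to) and authentication chains (an ordered series of steps, with the set of chains a user may pick from limited by risk analysis), can be made concrete in a few dozen lines. The following is an added, constructed illustration of that model, not Hitachi ID's implementation: the directory, the user names, the class names and the chain names are all hypothetical, and the risk rules (VPN sessions and administrators must use a chain with a second factor; a password reset may never rely on the forgotten password) are the ones the slides describe, not a reproduction of the product's logic.

```python
"""Constructed model of user classes and risk-limited authentication chains.

Hypothetical sketch added for illustration; not Hitachi ID code. The users,
classes and chain names below are made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    login: str
    department: str
    ou: str
    groups: FrozenSet[str]
    manager: Optional[str] = None  # login of the direct manager, if any


# Constructed sample directory (hypothetical users).
DIRECTORY: Dict[str, User] = {
    "alice": User("alice", "Finance", "OU=Staff", frozenset({"finance"}), manager="carol"),
    "bob": User("bob", "IT", "OU=Admins", frozenset({"domain-admins", "security-team"}), manager="carol"),
    "carol": User("carol", "Finance", "OU=Managers", frozenset({"managers"})),
}

# --- User classes as sets of users: by group, by OU, by attribute -------------
def in_group(name: str) -> Callable[[User], bool]:
    return lambda u: name in u.groups


def in_ou(name: str) -> Callable[[User], bool]:
    return lambda u: u.ou == name


def has_attribute(attr: str, value: str) -> Callable[[User], bool]:
    return lambda u: getattr(u, attr) == value


USER_CLASSES: Dict[str, Callable[[User], bool]] = {
    "admins": in_group("domain-admins"),
    "security_team": in_group("security-team"),
    "finance": has_attribute("department", "Finance"),
    "managers": in_ou("OU=Managers"),
}


def user_in_class(login: str, cls: str) -> bool:
    return USER_CLASSES[cls](DIRECTORY[login])


def members(cls: str) -> List[str]:
    return sorted(login for login, u in DIRECTORY.items() if USER_CLASSES[cls](u))


# --- User classes as relationships between two users --------------------------
def is_manager_of(manager: str, subordinate: str) -> bool:
    """Direct or indirect manager: walk the reporting chain upwards."""
    current = DIRECTORY[subordinate].manager
    while current is not None:
        if current == manager:
            return True
        current = DIRECTORY[current].manager
    return False


def share_attribute(a: str, b: str, attr: str) -> bool:
    return getattr(DIRECTORY[a], attr) == getattr(DIRECTORY[b], attr)


def authorizers_for(requester: str, recipient: str) -> List[str]:
    """Route a request: the recipient's managers authorize, excluding the requester."""
    return [m for m in DIRECTORY if is_manager_of(m, recipient) and m != requester]


# --- Authentication chains: an ordered series of steps ------------------------
CHAINS: Dict[str, Tuple[str, ...]] = {
    "password_only": ("password",),
    "password_otp": ("password", "mobile_app_otp"),
    "questions_only": ("security_questions",),
    "questions_email_pin": ("security_questions", "email_pin"),
    "questions_otp": ("security_questions", "mobile_app_otp"),
}
SECOND_FACTORS = {"mobile_app_otp", "email_pin"}


def available_chains(login: str, via_vpn: bool, purpose: str) -> List[str]:
    """Programmatically limit the chains a user may choose from.

    A login chain must verify the password; a self-service reset cannot rely on
    the password the user has forgotten. VPN sessions and administrative users
    (a user class) must use a chain that includes a second factor.
    """
    wants_password = purpose == "login"
    chains = {n: s for n, s in CHAINS.items() if ("password" in s) == wants_password}
    if via_vpn or user_in_class(login, "admins"):
        chains = {n: s for n, s in chains.items() if SECOND_FACTORS & set(s)}
    return sorted(chains)
```

The chain filter is deliberately a pure function of the user, the session context and the purpose, so the same policy can be evaluated identically at the web UI, the login-screen Credential Provider and the phone app.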

6.6 BYOD access to on-premises IAM system

The challenge:
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from Internet.
• IAM not visible on Internet.

Hitachi ID Mobile Access:
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.

[Diagram: personal device (1) on the Internet, a firewall, the DMZ or cloud proxy (3), a second firewall, and the IAM server (2) on the private corporate network. Both sides make outbound connections only: the IAM server's worker thread asks the proxy "Give me an HTTP request", the device's HTTPS request "includes userID, deviceID", and the proxy acts as a message passing system.]
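The security property of this design is that the IAM server never accepts an inbound connection from the Internet: the phone posts its request to the proxy, and a worker thread inside the private network polls the same proxy for work, answers it locally, and posts the response back. The following single-process simulation is an added illustration of that message-passing pattern, not the Hitachi ID Mobile Access implementation; the message fields, the device-activation table and the status codes are constructed for the example.

```python
"""Constructed simulation of an outbound-only proxy between a phone and an
on-premises IAM server. Illustration only, not Hitachi ID code; message
shapes and the activation table are hypothetical."""
import queue
import threading
import uuid


class Proxy:
    """Relay in the DMZ or cloud. It holds only in-flight messages; both the
    device and the IAM server connect OUT to it, it connects to neither."""

    def __init__(self):
        self.pending = queue.Queue()       # requests waiting for the IAM worker
        self.responses = {}                # request id -> response from IAM
        self.cv = threading.Condition()

    # Called by the phone app (models its outbound HTTPS request).
    def submit(self, user_id, device_id, payload, timeout=2.0):
        req_id = str(uuid.uuid4())
        self.pending.put({"id": req_id, "userID": user_id,
                          "deviceID": device_id, "payload": payload})
        with self.cv:
            if not self.cv.wait_for(lambda: req_id in self.responses, timeout=timeout):
                # No IAM worker picked the request up: fail closed, reveal nothing.
                return {"status": 504, "body": "IAM server did not respond"}
            return self.responses.pop(req_id)

    # Called by the IAM worker thread (models its outbound "give me a request" poll).
    def next_request(self, timeout=0.5):
        try:
            return self.pending.get(timeout=timeout)
        except queue.Empty:
            return None

    def reply(self, req_id, response):
        with self.cv:
            self.responses[req_id] = response
            self.cv.notify_all()


# Constructed IAM-side state: devices that completed app activation, per user.
ACTIVATED_DEVICES = {("alice", "device-1234")}


def handle_on_private_network(req):
    """The real IAM logic; in the slide's topology this runs only on the
    private corporate network and is never reachable from the Internet."""
    if (req["userID"], req["deviceID"]) not in ACTIVATED_DEVICES:
        return {"status": 403, "body": "device not activated for this user"}
    if req["payload"] == "reset-password":
        return {"status": 200, "body": "password reset initiated"}
    return {"status": 400, "body": "unknown action"}


def iam_worker(proxy, stop):
    """Worker thread on the IAM server: poll, handle locally, post the answer back."""
    while not stop.is_set():
        req = proxy.next_request()
        if req is not None:
            proxy.reply(req["id"], handle_on_private_network(req))


def run_scenario():
    """Activated device succeeds; an unknown device is refused by the IAM side."""
    proxy = Proxy()
    stop = threading.Event()
    worker = threading.Thread(target=iam_worker, args=(proxy, stop), daemon=True)
    worker.start()
    ok = proxy.submit("alice", "device-1234", "reset-password")
    bad = proxy.submit("alice", "device-9999", "reset-password")
    stop.set()
    worker.join()
    return ok, bad


def run_unreachable():
    """No IAM worker is polling (private network down): the phone gets a timeout,
    and nothing about the IAM server is exposed or reachable from outside."""
    proxy = Proxy()
    return proxy.submit("alice", "device-1234", "reset-password", timeout=0.2)


if __name__ == "__main__":
    print(run_scenario())
    print(run_unreachable())
```

Because the proxy only relays opaque messages, a compromise of the DMZ host yields no path to the IAM server's listening ports; the authorization decision (is this deviceID activated for this userID?) is taken on the private network, not at the proxy.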

6.7 Included connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, MySQL, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.

6.8 Rapid integration with custom apps

• Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

6.9 SAMLv2 Federated IdP

• Externalize login process from third party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premise: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.

6.10 Hitachi ID Mobile Access authentication factor

• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down, AD or RADIUS unreachable.

6.11 HiTPM: self-service via phone call

Self-contained:
• Hitachi ID Phone Password Manager runs on a Windows server with a Dialogic phone card or with HMP software Dialogic solution.
• No IVR software is required.

Flexible:
• Fully scriptable and can implement any call logic.
• Multi-lingual: just record more voice prompts.
• The default call logic is powerful and easy to customize.

Integrated with Hitachi ID Password Manager:
• Manage user enrollment.
• Map network login ID to digits.
• HiPM ties to target systems.

Scalable:
• Multiple load balanced HiTPM servers.
• Multiple load balanced HiPM servers.

6.12 Language support

The Hitachi ID Password Manager UI can be rendered in many languages. Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves.

7 Implementation

7.1 Hitachi ID professional services

• Hitachi ID offers a complete range of services relating to Hitachi ID Password Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
  – Solution design.
  – Statement of work.

8 Differentiation

8.1 HiPM differentiation

The most features:
• Manage all credentials:
  – Passwords on directories, servers, apps, DBs.
  – On-premise and SaaS.
  – Pre-boot passwords.
  – Smart cards and tokens.
• 2FA for all users.
• Personal password vault.
• Federated access (SAML IdP).
• 110+ connectors included.

Always available:
• Corporate PCs:
  – Pre-boot unlock screen.
  – Windows/MacOSX login screen.
  – Desktop browser.
• Smart phone app.
• Voice call to IVR.
• At work and off-site.

Scalable:
• Multi-master, active-active.
• Load balanced, replicated.
• Geographically distributed.
• Multi-lingual.

The best ROI:
• Reduce problem frequency:
  – Address root cause.
  – Don't just download problem resolution to users.
• Managed enrollment to maximize adoption.
• Rapid deployment, minimal maintenance.

8.2 The leading vendor

Ongoing support:
• Responsive and skilled customer support.
• Minimal need for ongoing maintenance.

Low cost:
• Fixed-price implementation.
• Unattended operation:
  – Auto-discovery.
  – Managed enrollment.
  – Metrics and trend analysis.
  – SIEM, help desk integration.

Innovation:
• Self-Service, Anywhere.
• HDD unlock via call, smart phone app.
• Integrated password wallet.
• Integrated federated access.
• 2FA for everyone.

9 Summary

An integrated solution for managing credentials:
• Immediate security benefit: password policy, help desk caller authentication.
• Low deployment cost, minimal ongoing investment, significant IT support savings.
• Always accessible:
  – Web browser on PC, phone or tablet.
  – Windows login prompt.
  – Pre-boot encryption password prompt.
  – Apps on iOS, Android.
  – Phone call / IVR.
  – Available at work and while off-site.
• 110+ connectors included.

Learn more at Hitachi-ID.com/Password-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725
E-Mail: [email protected] w.Hitachi-ID.com
Date: 2017-05-25 File: PRCS:pres

