1 Hitachi ID Identity Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Entitlement administration and governance: automation, requests, approvals, recertification, SoD and RBAC.

2 Agenda
• Corporate
• Hitachi ID Identity Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation

3 Corporate

© 2017 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation

3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M+ licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers
(Customer logos.)
3.3 Hitachi ID Suite

4 Hitachi ID Identity Manager

4.1 Compliance / internal controls
Challenges:
• Slow and unreliable deactivation when people leave.
• Orphan and dormant accounts.
• Users with no-longer-needed access.
• Access that violates SoD policies or represents high risk.
• Unreliable approvals for access requests.
• Audit failures and regulatory risk.
Solutions:
• Automate deactivation based on SoR (HR).
• Review and remediate excessive access (certification).
• Block requests that would violate SoD.
• Analyze entitlements to find policy violations, high risk users.
• Automatically route access requests to appropriate stake-holders.
4.2 Access administration cost
Challenges:
• Multiple FTEs required to setup, deactivate access.
• Additional burden on platform administrators.
• Audit requests can add significant strain.
Solutions:
• Automate access setup, tear-down in response to changes in systems of record (SoRs).
• Simple, business-friendly access request forms.
• Route requests to authorizers automatically.
• Automate fulfillment where possible.
• Help auditors help themselves:
– With certification, auditors focus on process, not entitlements.
– Reports and analytics.

4.3 Access changes take too long
Challenges:
• Approvers take too long.
• Too many IT staff required to complete approved requests.
• Service is slow and expensive to deliver.
Solutions:
• Automatically grant access:
– Where predicted by job function, location, ...
– Eliminate request/approval process where possible.
• Streamline approvals:
– Automatically assign authorizers, based on policy.
– Invite participants simultaneously, not sequentially.
– Enable approvals from smart-phone.
– Pre-emptively escalate when stake-holders are out of office.
• Automate fulfillment where possible.
4.4 Access requests are too complicated
Challenges:
• Requesting access is complex:
– Where is the request form?
– What access rights do I need?
– How do I fill this in?
– Who do I send it to, for approval?
• Complexity creates frustration.
Solutions:
• Auto-assign access when possible.
• Simplify request forms.
• Intercept "access denied" errors:
– Navigate users to appropriate request forms.
• Compare entitlements:
– Help requesters select entitlements.
– Compare recipient, model user rights.
– Select from a small set of differences.
• Automatically assign authorizers based on policy.

5 Features
5.1 HiIM features
Inputs →
• Monitor SoRs (automation).
• Systems and apps - current state.
• Request portal:
– Self-service.
– Delegated.
– Access admin.
• Web services API.
→ Processes →
• Request forms.
• Approval workflows.
• Access certification.
• Manual fulfillment.
• Analytics.
→ Outputs
• Connectors to 110 systems and applications.
• E-mail.
• Create/update/close tickets.
• Send events to SIEM.
→ Policies →
• Segregation of duties.
• Risk scores.
• Role based access control.
• Authorizer, certifier selection.
• Visibility / privacy protection.

5.2 Identity and entitlement lifecycle automation
• Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement lifecycles out of the gate:
– Joiners, movers, leavers processes.
– Password management, strong authentication and federation.
– Change requests, approval, review/certification.
– Driven by both SoR data and requests.
• No need to "clean up" entitlements before automating access changes.
• Roles can be added later: not a pre-requisite.
• Automate first, clean up afterwards:
– Unlike with competitors, automation is pre-configured and easy.
– Start with basic integrations, add connectors over time.
– Leverage automation and user knowledge to help clean up.
– Add roles and expand automation over time.
5.3 Monitoring systems of record
• Any target system can function as a system of record (SoR).
• Examples: HR apps, SQL databases, CSV files, ...
• Hitachi ID Identity Manager can monitor multiple SoRs:
– Multinationals: regional HR systems.
– Colleges: students vs. faculty/staff.
• Map attributes to user profiles and prioritize.
• Automatically submit access requests in response to detected changes.
• Users can submit pre-emptive or corrective requests:
– New hire not yet in HR.
– HR data is wrong.
– Override SoR data until HR updates it.
• Request portal handles users who never appear in SoRs:
– Contractors, partners, etc.

5.4 Requester usability
• Users rarely know where or how to request access!
• Windows shell extension, SharePoint error page:
– Intercept "Access Denied" errors.
– Navigate user to appropriate request URL.
• Compare users:
– Compare entitlements between the intended recipient and a reference user.
– Select entitlements from the variance.
• Search for entitlements:
– Keywords, description, metadata/tags.
• Relationship between requester and recipient:
– What recipients can the requester see?
– What identity attributes are visible?
– What kinds of requests are available?
5.5 Robust, policy-driven workflow
• Workflow invites stake-holders to participate in processes:
– Approve or reject a request.
– Review entitlements and recertify or remediate.
– Fulfill an approved request.
– Extensible, e.g., audit cases.
• Stake-holders are invited based on policy:
– No flow-charts or diagrams required.
– Process is simple, transparent and secure.
– Routing may be based on relationships, resource ownership, risk.
• The process is robust, even when people aren't:
– Invite N participants, accept response from M (M<N).
– Simultaneous invitations by default (sequential made sense for paper forms).
– Automatically send reminders.
– Escalate (e.g., to manager) if unresponsive.
– Check out-of-office message, pre-emptively escalate.
– Accessible from smart phone, not just PC.

5.6 Reports, dashboards and analytics
• Over 150 reports built in:
– Many include multiple modes (e.g., dormant vs. orphan accounts).
– Identities, entitlements, history, system operation, trends, etc.
– Easy to add custom reports.
• Many dashboards included as well.
• Run interactively or schedule (once, recurring).
• Deliver output (HTML, CSV, PDF):
– Interactively.
– In e-mails.
– Drop files on UNC shares.
– Stream results via web services.
• Actionable analytics:
– Feedback from reports to requests.
– Automated remediation.
• Database is normalized, documented – can use 3rd party tools too.

6 Recorded Demos
6.1 Intercept Access Denied Dialogs
Animation: ../../pics/camtasia/v10/higm-A-request-folder.mp4

6.2 Authorization of a request for security group membership
Animation: ../../pics/camtasia/v10/higm-B-request-approve.mp4

6.3 Request approved, user can access the folder
Animation: ../../pics/camtasia/v10/higm-C-approved-open-file-nb.mp4

6.4 Mobile request approval
Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4

6.5 Compare user entitlements
Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4

6.6 Application-centric certification
Animation: ../../pics/camtasia/v10/hiac-complete-app-centric-2.mp4

6.7 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

6.8 Actionable analytics: Disable orphan accounts
Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4

7 Technology
7.1 Multi-master architecture
(Architecture diagram.) Labels shown: Hitachi ID web servers behind load balancers and a reverse proxy in data center A and data center B, with replication between them; MS SQL databases; IVR server; VPN server; notifications and invitations by e-mail; ticketing system (tickets); system of record (HR); managed endpoints reached over secure native protocols (AD, Unix, z/OS, LDAP, iSeries) or through a proxy server / remote agent (AD, SQL, SAP, Notes, etc.; z/OS local agent); native password change trigger systems (password synch); SaaS apps in the "Cloud" over HTTPS; mobile proxy and mobile UI; firewalls; remote data center linked over TCP/IP + AES.
7.2 Key architectural features
(Diagram.) Features labelled: BYOD enabled; on premise and SaaS ("Cloud" SaaS apps over HTTPS); replicated across data centers (data center A, data center B, remote data center over TCP/IP + AES); horizontal scaling, load balanced; reach across firewalls (various protocols, secure native protocol, HTTPS).

7.3 Internal architecture
• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
– Fault tolerant.
– Secure - encrypted.
– Reliable - queue and retry.
– App nodes need not and should not be co-located.
• Native, 64-bit code:
– 2x faster than .NET.
– 10x faster than Java.
• Stored procedures:
– For all data lookups, inserts.
– Fast, efficient.
– Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512
7.4 BYOD access to on-premises IAM system
The challenge:
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from Internet.
Hitachi ID Mobile Access:
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.
(Diagram.) (1) Personal device on the Internet sends an HTTPS request to the (3) cloud/DMZ proxy, a message passing system; the request includes userID, deviceID. (2) The IAM server on the private corporate network, behind its own firewall, polls the proxy from a worker thread ("Give me an HTTP request"). Outbound connections only on both sides.
7.5 Included connectors
Many integrations to target systems included in the base price:
Directories: Any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.

7.6 Rapid integration with custom apps
• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
8 Implementation

8.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
– Needs analysis and solution design.
– Fixed price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
– Solution design.
– Statement of work.
8.2 ID Express
Before reference implementations:
• Every implementation starts from scratch.
• Some code reuse, in the form of libraries.
• Even simple business processes have complex boundary conditions:
– Onboarding: initial passwords, blocking rehires.
– Termination: scheduled vs. immediate, warnings, cleanup.
– Transfers: move mailboxes and homedirs, trigger recertification.
• Complex processes often scripted.
• Delay, cost, risk.
With Hitachi ID Identity Express:
• Start with a fully configured system.
• Handles all the basic user lifecycle processes out of the box.
• Basic integrations pre-configured (HR, AD, Exchange, Windows).
• Implementation means "adjust as required" not "build from scratch."
• Configuration is fully data driven (no scripts).
• Fast, efficient, reliable.
8.3 ID Express - Corporate: details
• Automation:
– Onboard/deactivate based on SoR.
– Identity attribute propagation.
• Self-service:
– Password, security question management.
– Update to contact info.
– Request for application, share, folder access.
• Delegated admin:
– Same as self-service, plus recert.
• Approval workflows:
– IT security (global rights).
– HR/managers (approve for each-other).
• Recertification:
– Scheduled.
– Ad-hoc.
• Integrations:
– SQL-based HR SoR.
– AD domain.
– Exchange domain (mailboxes).
– Windows filesystem (homedirs).
• Entitlements:
– Login IDs.
– Group memberships.
– Roles.
• User communities:
– Employees.
– Contractors/other.
• Configuration:
– Based on user classes, rules tables and lookup tables.
– Near-zero script logic.
8.4 Services impact of ID Express
(Chart of project phases with effort in days; each phase carries two figures as shown on the slide.) Phases: Documentation (5/5 days); Retest, adjust (10/10 days); Production migration (2/2 days); Test, debug, adjust (15/5 days); Get feedback (15/5 days); Implement new processes (30/5 days); Production migration (2/2 days); Test in prod., feedback, fixes (5/5 days); Advanced integrations (30/30 days); Test, debug, fix (15/15 days); Production migration (2/2 days); Implement new processes (30/5 days); Pilot test, adjust (20/15 days); Deploy software (2/2 days); Test, debug, adjust (30/10 days); Document old processes (30/5 days); Basic integrations (5/5 days); Design new processes (30/5 days); Initial planning (5/5 days).

9 Differentiation
9.1 HiIM differentiation (1/3)

Feature: Hitachi ID Identity Express
Details:
• Pre-configured processes, policies.
• Full implementation or menu of components.
• Rich processes.
• Faster deployment.
• Low implementation risk.
Competitors:
• Slow, risky deployment.
• Never get around to J/M/L or process automation.

Feature: Requester usability
Details:
• Intercept "access denied" errors.
• Compare entitlements of recipient, model users.
• Usability aid for requesters.
Competitors:
• Hard to find request portal.
• Users don't know how to request access.
• Low user adoption.
• Reduced ROI.

Feature: SoD actually works
Details:
• Hierarchy of roles, groups.
• Roles can contain groups, more roles.
• Groups can contain other groups.
• SoD defined at one level, violation may happen at another.
• Hitachi ID Identity Manager reliably detects, prevents violations.
Competitors:
• Fail to detect some violations.
• Users can bypass controls.
• False sense of security.
• Audit failures.
• Regulatory risk.
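The nested-hierarchy point above (and the request-time blocking listed under 4.1, "Block requests that would violate SoD") as an added example: this is illustrative code written for this page, not Hitachi ID Identity Manager's implementation, and the role/group hierarchy, entitlement names and SoD rule are all constructed.

```python
"""Why an SoD check must flatten nested roles and groups before comparing.

A rule written at the entitlement level is invisible to a check that only
looks at the role a user was directly assigned.  Constructed data below."""
from collections import deque

# Constructed containment graph: a role or group maps to its direct members,
# which may be further roles, groups, or leaf entitlements ("ent:" prefix).
CONTAINS = {
    "role:ap-clerk":      ["grp:ap-users", "ent:create-invoice"],
    "role:finance-lead":  ["role:ap-clerk", "grp:treasury"],
    "grp:ap-users":       ["ent:read-invoices"],
    "grp:treasury":       ["grp:payments"],
    "grp:payments":       ["ent:approve-payment"],
}

# Constructed SoD rule: creating invoices and approving payments must not
# be held by the same person.
SOD_RULES = [("ent:create-invoice", "ent:approve-payment")]


def effective_entitlements(direct):
    """Transitively expand roles/groups to the leaf entitlements they confer.
    Breadth-first walk; the 'seen' set makes containment cycles harmless."""
    seen, leaves, queue = set(), set(), deque(direct)
    while queue:
        item = queue.popleft()
        if item in seen:
            continue
        seen.add(item)
        if item.startswith("ent:"):
            leaves.add(item)
        else:
            queue.extend(CONTAINS.get(item, []))
    return leaves


def sod_violations(assignments, rules=SOD_RULES, nested=True):
    """Return the SoD pairs an assignment set violates.
    nested=False mimics a check that compares direct assignments only."""
    held = effective_entitlements(assignments) if nested else set(assignments)
    return [(a, b) for a, b in rules if a in held and b in held]


def request_allowed(current, requested, rules=SOD_RULES):
    """Preventive check at request time: refuse the request if granting it
    would introduce an SoD violation the user does not already carry."""
    before = set(sod_violations(current, rules))
    after = set(sod_violations(current + [requested], rules))
    return not (after - before)


if __name__ == "__main__":
    user = ["role:finance-lead"]           # one role assignment, two levels deep
    print("direct-only check:", sod_violations(user, nested=False))   # []
    print("nested check:     ", sod_violations(user))   # [('ent:create-invoice', 'ent:approve-payment')]
    print("clerk may join treasury?", request_allowed(["role:ap-clerk"], "grp:treasury"))  # False
```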
9.2 HiIM differentiation (2/3)

Feature: Active-active architecture
Details:
• Multiple servers.
• Load balanced.
• Geographically distributed.
• No single point of failure.
• Scalable.
Competitors:
• Single points of failure.
• Costly to scale.
• Slow to recover from disasters.

Feature: Smart phone access
Details:
• Android and iOS apps.
• Cloud-hosted proxy.
• No public URL.
• Approvals, 2FA, contact download, etc.
Competitors:
• Require a public URL.
• Less secure / rarely permitted.
• No viable BYOD strategy.
• Impacts security, approval SLA.

Feature: Actionable analytics
Details:
• Link report output to request input.
• Automated remediation.
• Immediate or scheduled.
• No coding.
Competitors:
• Fewer reports, analytics.
• No automated remediation.
9.3 HiIM differentiation (3/3)

Feature: Governance, provisioning in one product
Details:
• Governance: requests, approvals, certification, SoD, RBAC, analytics.
• Provisioning: connectors, J/M/L process automation.
• Single, integrated solution.
Competitors:
• Some focus on governance (no remediation, no J/M/L process automation).
• Others focus on provisioning (no certification, limited analytics).
• Higher total cost.
• Integration risk.

Feature: Policies built on relationships
Details:
• Relationships drive all policies in Hitachi ID Identity Manager.
• Who can a user search for?
• What data is visible?
• What changes are requestable?
• Who will be asked to approve?
• Escalation path?
Competitors:
• Hierarchical access controls.
• Script code for exceptions.
• Costly, risky.
• Hard to configure, maintain.

10 Summary
An integrated solution for managing identities and entitlements:
• Automation: onboarding, deactivation, detect out-of-band changes.
• Self-service: profile updates, access requests.
• Governance: certification, authorization workflow, RBAC, SoD, analytics.
• Automatically manage identities, entitlements: 110 bidirectional connectors.
• Other integrations: filesystem, collaboration, SIEM, incident management.
• Rapid deployment: pre-configured Hitachi ID Identity Express.
Security, lower cost, faster service.
Learn more at Hitachi-ID.com/Identity-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725
E-Mail: [email protected] www.Hitachi-ID.com
Date: 2017-03-15 File: PRCS:pres