
Page 1: 1 Hitachi ID Password Manager - Identity Management · – Deploying full disk encryption, need self-service unlock pre-boot. – Refresh integrations – Windows 2016, Office 365,

1 Hitachi ID Password Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Reasons to upgrade, migration process. Version 11.1.1 is current.

2 Focus on password management

This presentation focuses on Hitachi ID Password Manager, not other Hitachi ID Suite products.

• Details for organizations currently using 6.x, thru 11.x.
• Architectural changes.
• New features.
• Upgrade path.
• Services.

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


3 Why upgrade?

• Improve metrics

– Increase proportion of users who have enrolled Q&A.
– "Re-think" the questions being asked of users to comply with today’s policies.
– Increase adoption of self-service.
– Reduce help desk calls due to login problems.

• Increase accessibility

– Pre-boot – full disk encryption software / password prompt.
– Windows login screen – on-premises and off-site.
– BYOD – Android, iOS device.

• Solve real world problems:

– Call volume creeping back up.
– Users increasingly off-site, can’t access password reset.
– Deploying full disk encryption, need self-service unlock pre-boot.
– Refresh integrations – Windows 2016, Office 365, SaaS apps, etc.

• Security, cloud:

– SaaS applications call for more than just a password login.
– Hitachi ID Password Manager now includes federated access and 2FA, out-of-the-box.

4 Platform changes from 6.x

4.1 SQL replaces embedded DB

6.x | Now | Notes
Embedded: CodeBase. | SQL Server 2016/12. | Standard, scalable, open.
DB replication built-in. | N/C | Easier, more secure than DB-native.
Multi-master architecture. | N/C | If it’s not broken...
DB on each server. | Local or separate DB. | Scale up with more HW.
1 DB instance per PW server. | DB can be shared. | Leverage corporate DB clusters.
Limited Unicode support (e.g., security Qs). | Full Unicode support (e.g., attributes, IDs). | Better for Asian users.
Direct access to data. | All access via stored procs. | Better performance.


4.2 Other architectural improvements

• Password synchronization trigger:

– Used to run 100% as a DLL in kernel-space on Windows servers.
– Now a service offloads much of the work.
– Less code running in the kernel.
– New features: user filtering, queue/retry.

• Logging subsystem:

– Individual log files are gone.
– High performance, consolidated logging system added.
– Easier to plug into SIEM, syslog, etc.
– Search/examine from web UI.

• Continuous operation:

– No more brief outage to merge databases nightly.
– Helpful for truly global organizations.

• Multiple password policies:

– Per group of systems (if mutually exclusive requirements).
– Per group of users (based on risk).

• 64-bit code (faster, more scalable).
• Newer crypto algorithms (256-bit AES, SSHA-512).

4.3 Improved usability, updated UI

• A comprehensive usability study was completed:

– Untrained, non-technical users asked to perform tasks.
– Sessions recorded and analyzed.
– UI "tweaked" - nav, instructions, layout and more.
– More users asked to repeat, to validate results.

• The entire UI was refreshed as a result:

– Easier to navigate.
– Easier to understand.
– Less time per session.

• Other changes:

– Left-side navigation bar dropped – easier to embed UI in portals.
– Overhauled login screens, to support new authentication models.
– Dynamic evaluation of password policy compliance as you type.


4.4 Single instance with IAM

• User signs on to manage identity, entitlements, credentials.
• Examples:

– Change my password(s).
– Enroll or update security questions.
– Enter mobile number, personal e-mail address.
– Update mailing address.
– Request access to a share, folder or app.
– Lookup co-worker and add contact to mobile.
– Recertify users, entitlements.
– Approve/reject open requests.

5 Platform changes since 7.x

5.1 One-click: new node

• Easier to add an app node:

– Increase capacity.
– Recover from hardware or facility problem.

• Replicas:

– Need not be configured in advance.
– Are somewhat disposable.

• Mechanism:

– Configure a new replica, in disabled state.
– Send it a full data set.
– Queue up changes while sending bulk data.
– Enable the node when ready.
– Aware of schema dependencies – sends data over in a safe order.

• No down-time.


5.2 Replication Setup Screen

5.3 Multiple skins per instance

• Default skins on a new install:

– Full UI (including branding, nav).
– Unbranded (for embedding in IFRAME).
– Kiosk-mode (full screen, limited nav).
– Mobile (works well on phones).

• Skins and language translations are independent.

– Example: 4 skins, 5 languages means 20 UIs.

• NOTE: pre-8.2 UI customization needs to be adjusted to work in the new framework.

6 Policy engines and connectors


6.1 Adaptive Authentication

• An authentication chain is a defined series of steps.

• Special type: interactively choose a chain.

• Special type: programmatically limit available chains.

• Risk-analysis: VPN? admin user?

[Figure: authentication chain diagram; the image text did not survive extraction.]

6.2 User classes

User classes define sets of individual users or types of relationships between users:

• Sets of users:

– By group membership.
– In an OU.
– Having certain attributes.

• Types of relationships:

– Shared attributes (e.g., department, location).

– Group membership of participants (e.g., security team).

– Direct or indirect manager.

User classes are a natural way to define security policy:

• Route requests (requester+recipient/authorizer).
• Invite reviewers (user/certifier).
• Escalate requests (old/new participants).
• Limit visibility (viewer/user profile).
• Define what is requestable (requester/recipient).
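As an added example (not Hitachi ID code), the two kinds of user class above expressed as predicates over a constructed directory, with one constructed routing rule that picks authorizers from the recipient's management chain and from a security-team class:

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    uid: str
    ou: str
    groups: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)
    manager: Optional[str] = None

# Constructed sample directory (not real data).
DIRECTORY = {
    "alice": User("alice", "OU=Finance", {"finance-staff"}, {"dept": "FIN", "loc": "YYC"}, "bob"),
    "bob":   User("bob",   "OU=Finance", {"finance-mgrs"},  {"dept": "FIN", "loc": "YYC"}, "carol"),
    "carol": User("carol", "OU=Exec",    {"execs"},         {"dept": "EXEC", "loc": "YYC"}, None),
    "dave":  User("dave",  "OU=IT",      {"security-team"}, {"dept": "SEC", "loc": "YYZ"}, "carol"),
}

# "Sets of users": a class is a predicate over a single user.
def in_group(group):
    return lambda u: group in u.groups

def in_ou(ou):
    return lambda u: u.ou == ou

def has_attr(name, value):
    return lambda u: u.attrs.get(name) == value

def members(user_class):
    return sorted(u.uid for u in DIRECTORY.values() if user_class(u))

# "Types of relationships": a class is a predicate over two users.
def shares_attr(name):
    return lambda a, b: a.attrs.get(name) == b.attrs.get(name)

def is_manager_of(direct_only=True):
    def check(mgr, emp):
        cur = emp.manager
        while cur is not None:
            if cur == mgr.uid:
                return True
            if direct_only:
                return False
            cur = DIRECTORY[cur].manager   # walk up to indirect managers
        return False
    return check

def route_request(requester, recipient):
    """Pick authorizers for a request: the recipient's management chain,
    plus the security team when requester and recipient are in different
    departments. The routing rule itself is constructed for the example."""
    req, rcp = DIRECTORY[requester], DIRECTORY[recipient]
    manages = is_manager_of(direct_only=False)
    authorizers = {u.uid for u in DIRECTORY.values() if manages(u, rcp)}
    if not shares_attr("dept")(req, rcp):
        authorizers.update(members(in_group("security-team")))
    return sorted(authorizers)
```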


6.3 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices: Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

6.4 Integration with custom apps

• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.

• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 / sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.

• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

7 Maximizing and monitoring adoption


7.1 Notification subsystem

The notification system controls when Hitachi ID Suite initiates communication with users. It is key to high user adoption rates.

Notification types: Batch/e-mail. Interactive/popup web browser.

Notification levels: Information. Warning. Forced (lock down PC until action completed).

Notification triggers: Incomplete profile (e.g., security questions). Password expiry (imminent or past). Expression in terms of identity attributes.

Consequent actions: Complete enrollment. Change passwords. Visit a specified URL.

Process throttling: N invitations/day. Maximum frequency/message/user. Date - day of week - time of day controls.
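The triggers and throttling controls above, as an added example (not Hitachi ID code); the sample users, the daily cap and the per-user interval are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def due_notifications(users, now, expiry_warning=timedelta(days=7)):
    """Triggers from the slide: incomplete profile, and password expiry
    that is imminent or already past. Returns (uid, message) pairs."""
    due = []
    for u in users:
        if not u["enrolled_qa"]:
            due.append((u["uid"], "complete-enrollment"))
        if u["pw_expires"] - now <= expiry_warning:
            due.append((u["uid"], "change-password"))
    return due

class NotificationThrottle:
    def __init__(self, max_per_day, min_interval, allowed_days, allowed_hours):
        self.max_per_day = max_per_day      # N invitations/day
        self.min_interval = min_interval    # maximum frequency per message per user
        self.allowed_days = allowed_days    # weekday numbers, Monday == 0
        self.allowed_hours = allowed_hours  # (first_hour, last_hour), half-open
        self.sent_on = defaultdict(int)     # date -> invitations sent that day
        self.last_sent = {}                 # (uid, message) -> datetime

    def decide(self, uid, message, now):
        """Return (allowed, reason); records the send when allowed."""
        if now.weekday() not in self.allowed_days:
            return (False, "day-of-week")
        first, last = self.allowed_hours
        if not first <= now.hour < last:
            return (False, "time-of-day")
        previous = self.last_sent.get((uid, message))
        if previous is not None and now - previous < self.min_interval:
            return (False, "per-user-frequency")
        if self.sent_on[now.date()] >= self.max_per_day:
            return (False, "daily-cap")
        self.sent_on[now.date()] += 1
        self.last_sent[(uid, message)] = now
        return (True, "sent")

def run_batch(throttle, pending, now):
    """Apply the throttle to every due notification; returns [(uid, message, reason)]."""
    return [(uid, msg) + (throttle.decide(uid, msg, now)[1],) for uid, msg in pending]

# Constructed sample data for one run.
SAMPLE_NOW = datetime(2020, 3, 24, 9)   # a Tuesday, 09:00
SAMPLE_USERS = [
    {"uid": "alice", "enrolled_qa": False, "pw_expires": SAMPLE_NOW + timedelta(days=30)},
    {"uid": "bob",   "enrolled_qa": True,  "pw_expires": SAMPLE_NOW + timedelta(days=3)},
    {"uid": "carol", "enrolled_qa": True,  "pw_expires": SAMPLE_NOW - timedelta(days=1)},
]

def demo():
    throttle = NotificationThrottle(2, timedelta(days=7), {0, 1, 2, 3, 4}, (8, 18))
    first = run_batch(throttle, due_notifications(SAMPLE_USERS, SAMPLE_NOW), SAMPLE_NOW)
    repeat = throttle.decide("alice", "complete-enrollment", SAMPLE_NOW + timedelta(hours=1))
    next_day = throttle.decide("carol", "change-password", SAMPLE_NOW + timedelta(days=1))
    weekend = throttle.decide("bob", "change-password", datetime(2020, 3, 28, 9))
    return first, repeat, next_day, weekend
```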

7.2 Scheduled reports


7.3 Language support

The Hitachi ID Password Manager UI can be rendered in many languages:

Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves.

7.4 Self-Service, Anywhere

Self-service is complicated by connectivity and device options.

User location: Work; Home; Airport; Cafe; Partner office.

Endpoint device: Laptop; Tablet; Smart phone.

Connectivity: Wired at work; Wired at home; WiFi at home; Public WiFi; Tethered phone; Cell modem.

Reset/unlock: Network password; Cached password; Smart card PIN; Token PIN; Encrypted drive.

Example scenarios supported by Hitachi ID Password Manager:

• Reset forgotten, cached AD password at airport.
• Recover from forgotten full disk encryption password (via phone).


7.5 Password reset with WiFi, VPN and 2FA

Animation: ../../pics/camtasia/v10/hipm-ssa-windows-10.mp4

8 Smart phone app / BYOD

8.1 BYOD access to on-premises IAM system

The challenge:

• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don’t want attackers probing IAM from Internet.

Hitachi ID Mobile Access:

• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.

[Diagram: outbound connections only. A personal device on the Internet reaches a cloud proxy in the DMZ; the IAM server on the private corporate network sits behind a second firewall. Labels: (1) IAM server worker thread: "Give me an HTTP request"; (2) HTTPS request: "Includes userID, deviceID"; (3) message passing system.]
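The outbound-only relay in the diagram, as an added example (not Hitachi ID code) with in-process queues standing in for the HTTPS calls; the check that deviceID matches the device the user activated is an assumption about how the IAM server uses the two IDs.

```python
import queue
import threading
import uuid

class CloudProxy:
    """Runs in the DMZ or cloud. Phones and the IAM server both connect to it outbound."""
    def __init__(self):
        self.pending = queue.Queue()   # requests waiting for an IAM worker to pull them
        self.replies = {}              # request id -> [event, result]

    def submit(self, user_id, device_id, action):
        """Phone side: HTTPS request carrying userID and deviceID."""
        rid = str(uuid.uuid4())
        self.replies[rid] = [threading.Event(), None]
        self.pending.put((rid, {"userID": user_id, "deviceID": device_id, "action": action}))
        return rid

    def next_request(self, timeout):   # IAM side: worker asks "give me an HTTP request"
        try:
            return self.pending.get(timeout=timeout)
        except queue.Empty:
            return None

    def post_reply(self, rid, result):  # IAM side: answer goes back over the outbound call
        self.replies[rid][1] = result
        self.replies[rid][0].set()

    def wait_reply(self, rid, timeout):  # phone side: wait for the answer
        done, _ = self.replies[rid]
        return self.replies.pop(rid)[1] if done.wait(timeout) else None

class IamServer:
    """On the private network; never accepts an inbound connection."""
    def __init__(self, proxy, activated):
        self.proxy, self.activated = proxy, activated   # activated: userID -> deviceID
        self.stop = threading.Event()

    def handle(self, req):
        # Assumption for the example: deviceID must match the device activated for the user.
        if self.activated.get(req["userID"]) != req["deviceID"]:
            return {"status": "denied", "reason": "device not activated"}
        return {"status": "ok", "action": req["action"]}

    def worker(self):
        while not self.stop.is_set():
            item = self.proxy.next_request(timeout=0.1)
            if item is not None:
                rid, req = item
                self.proxy.post_reply(rid, self.handle(req))

def phone_roundtrip(proxy, user_id, device_id, action):
    return proxy.wait_reply(proxy.submit(user_id, device_id, action), timeout=5)

def demo():
    proxy = CloudProxy()
    iam = IamServer(proxy, activated={"alice": "dev-1234"})  # constructed activation record
    t = threading.Thread(target=iam.worker, daemon=True)
    t.start()
    ok = phone_roundtrip(proxy, "alice", "dev-1234", "reset-password")
    bad = phone_roundtrip(proxy, "alice", "dev-9999", "reset-password")
    iam.stop.set()
    t.join()
    return ok, bad
```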

8.2 Activate Mobile Access app

Animation: ../../pics/camtasia/suite11/enable-mobile-device-1.mp4


8.3 Mobile Access: QR 2FA

Animation: ../../pics/camtasia/suite11/hima-qr-2fa.mp4

8.4 Add contact to phone

Animation: ../../pics/camtasia/suite11.1/add-contact-to-phone-2.mp4

8.5 Unlock pre-boot password

Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4

8.6 Password change from mobile app

Animation: ../../pics/camtasia/suite11/hima-password-reset.mp4

9 MacOSX client support


9.1 MacOSX login access to password reset

9.2 MacOSX kiosk mode browser from login screen


10 Extranet-facing deployments

10.1 Social integration via OAuth and CAPTCHAs

• Mostly for Extranet access and B2C deployments.
• Enroll new users with their Facebook, Google, etc. account.
• Login using the same social credentials.
• reCAPTCHA and AreYouAHuman samples provided.

10.2 CAPTCHA Example

10.3 Social network integration

11 Federation and 2FA


11.1 SAMLv2 Federated IdP

• Externalize login process from third party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premise: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.

11.2 Policy-driven single sign-on

• Hitachi ID Password Manager can be used as an application launchpad for federated logins.

• Password Manager can also respond to SAML requests to authenticate and authorize user access (IdP responses to SP requests).

• Whether to allow user authentication to persist, and for how long, depends on policy:

– Is this a high risk user?
– Is the user connecting from an untrusted device or location?
– Is this a normal work day and time for the user?

• Policy uses rules to decide whether and for how long to persist login sessions.
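An added example (not Hitachi ID code) tying the risk signals from 6.1 (VPN? admin user?) and the policy questions above to two decisions: which authentication chains remain available for interactive choice, and whether and for how long a session persists. Weights, thresholds and chain names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed chain catalogue: chain name -> ordered series of steps.
CHAINS = {
    "password-only":      ["password"],
    "password+qa":        ["password", "security-questions"],
    "password+mobile":    ["password", "mobile-access-push"],
    "password+smartcard": ["password", "smart-card-pin"],
}
STRONG_CHAINS = {"password+mobile", "password+smartcard"}

@dataclass
class LoginContext:
    user: str
    is_admin: bool
    via_vpn: bool
    trusted_device: bool
    trusted_location: bool
    when: datetime

def risk_score(ctx):
    """Weights are assumptions for the example, not Hitachi ID's."""
    score = 0
    if ctx.is_admin:
        score += 2
    if ctx.via_vpn:
        score += 1
    if not ctx.trusted_device:
        score += 2
    if not ctx.trusted_location:
        score += 1
    work_hours = ctx.when.weekday() < 5 and 7 <= ctx.when.hour < 19
    if not work_hours:
        score += 1
    return score

def available_chains(ctx):
    """Programmatically limit the chains offered for interactive choice."""
    score = risk_score(ctx)
    if score >= 4:
        return sorted(STRONG_CHAINS)
    if score >= 1:
        return sorted(set(CHAINS) - {"password-only"})
    return sorted(CHAINS)

def session_policy(ctx):
    """Whether a login may persist, and for how many minutes."""
    if ctx.is_admin and not ctx.trusted_device:
        return (False, 0)   # admin on an untrusted device: authenticate every time
    score = risk_score(ctx)
    if score >= 4:
        return (True, 15)
    if score >= 1:
        return (True, 120)
    return (True, 480)

# Constructed sample contexts (2020-03-24 is a Tuesday, 2020-03-22 a Sunday).
LOW = LoginContext("alice", False, False, True, True, datetime(2020, 3, 24, 10))
HIGH = LoginContext("root", True, True, False, False, datetime(2020, 3, 22, 2))
MEDIUM = LoginContext("bob", False, True, True, True, datetime(2020, 3, 24, 10))
```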


11.3 Hitachi ID Mobile Access authentication factor

• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down, AD or RADIUS unreachable.

12 Personal password vault

12.1 Personal vaults

• Users want secure, convenient access to all their credentials, not just those related to work.
• Access should work on all devices (PC, phone, etc.).
• The user’s employer should not be able to access/decrypt this data – this is just a friendly service offered by IT, but not a compromise of PII.
• Similar to FastPass, LastPass, LogMeIn, etc. but no extra cost for employees.
• Built into Hitachi ID Password Manager starting with 10.0.


12.2 Personal password vault (use)

13 Persistent Listing (ver 11.x)

13.1 Persistent listing - technology

• The AD and AD-LDS connectors support persistent listing.
• A Persistent Connector Service (PCS) launches the connector in a special mode:

– Initially runs a full discovery.
– Keeps the connector attached to the target system.

• Every few seconds, the connector asks for directory changes:

– Changes may have originated on the DC or come from replication.
– Tokens track which changes have been exported.
– The process can be moved across servers or DCs without data loss.

• Changes:

– Update the internal Hitachi ID Suite database.
– Trigger the same business logic as bulk auto-discovery.
– Update cached user class membership.

• A full synchronization is required after target configuration changes:

– Changed scope (OUs, domain names).
– Changes to attribute mapping.


13.2 Configure persistent listing

13.3 Impact of persistent listing

• It is feasible to integrate with very large directories:

– 10,000,000 objects.
– Long-running discovery is no longer a constraint.

• Auto-discovery time is significantly reduced:

– Listing and loading from AD usually takes longer than other targets.
– Removing list + load times from AD can cut periodic auto-discovery time in half.
– It becomes feasible to run all remaining discovery tasks more often.

• New accounts, group memberships have an immediate impact:

– Unauthorized group membership? Revoke and alert in real time.
– Change in group membership or attribute? Can perform newly-authorized actions immediately.
– New account onboarded? Can manage passwords without delay.
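An added example (not Hitachi ID code) of the mechanism in 13.1 and its effect in 13.3: a change feed consumed from a resumable token, a listener moved to a second server without re-discovery, and an unauthorized group membership revoked and alerted as it arrives. The USN-style token, the feed and the authorization policy are constructed stand-ins.

```python
from dataclasses import dataclass

@dataclass
class Change:
    usn: int        # monotonically increasing change number (stand-in for a DC's USN)
    dn: str
    attr: str
    value: object

class DirectoryFeed:
    """Stand-in for the AD connector: full discovery, then changes newer than a token."""
    def __init__(self, changes):
        self.changes = sorted(changes, key=lambda c: c.usn)

    def full_discovery(self):
        state = {}
        for c in self.changes:
            state.setdefault(c.dn, {})[c.attr] = c.value
        return state, (self.changes[-1].usn if self.changes else 0)

    def changes_since(self, token):
        return [c for c in self.changes if c.usn > token]

class PersistentListener:
    def __init__(self, authorized, db=None, token=0):
        self.authorized = authorized        # dn -> groups policy allows (constructed policy)
        self.db, self.token = db or {}, token
        self.alerts = []                    # (dn, group) raised in real time
        self.class_cache = {}               # cached user class membership

    def bootstrap(self, feed):
        self.db, self.token = feed.full_discovery()
        self.recompute_cache()

    def apply_changes(self, feed):
        batch = feed.changes_since(self.token)
        for c in batch:
            if c.attr == "memberOf":
                unauthorized = set(c.value) - self.authorized.get(c.dn, set())
                for g in sorted(unauthorized):
                    self.alerts.append((c.dn, g))                       # alert
                value = [g for g in c.value if g not in unauthorized]   # revoke
            else:
                value = c.value
            self.db.setdefault(c.dn, {})[c.attr] = value
            self.token = c.usn                                           # advance the token
        self.recompute_cache()
        return len(batch)

    def recompute_cache(self):
        self.class_cache["domain-admins"] = sorted(
            dn for dn, a in self.db.items() if "Domain Admins" in a.get("memberOf", []))

def demo():
    feed = DirectoryFeed([Change(1, "alice", "memberOf", ["finance-staff"]),
                          Change(2, "bob", "memberOf", ["Domain Admins"])])
    policy = {"alice": {"finance-staff"}, "bob": {"Domain Admins"}}
    first = PersistentListener(policy)
    first.bootstrap(feed)
    feed.changes.append(Change(3, "alice", "memberOf", ["finance-staff", "Domain Admins"]))
    second = PersistentListener(policy, first.db, first.token)   # moved to another server: resume, no re-discovery
    applied = second.apply_changes(feed)
    return (first.token, applied, second.alerts, second.db["alice"]["memberOf"],
            second.class_cache["domain-admins"], second.apply_changes(feed))
```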

14 Migration


14.1 Implementation steps

Platform:
• Deploy new VMs.
• Windows 2016/12.
• SQL 2016/12.

Install, configure app:
• Setup replication.
• UI branding.
• Policies: password quality, auth methods, access controls.
• Notifications: enrollment, password expiry.
• Reports, analytics.

Integrations:
• Target systems, Client tools.
• E-mail, Help desk / ticketing, SIEM / SYSLOG.
• Interceptor on AD DCs.
• Encrypted filesystem unlock.
• VPN for off-site password reset.
• Cloud for mobile access.

Data migration:
• Security questions.
• Login ID aliases.
• Password history (hashes).

15 Demo

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23 | 2020-03-23 File: PRCS:pres