Hitachi ID Identity Manager: Detailed Presentation
DESCRIPTION
Hitachi ID Identity Manager: Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications. User provisioning, RBAC, SoD and access certification. http://hitachi-id.com/
TRANSCRIPT
1 Hitachi ID Identity Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
User provisioning, RBAC, SoD and access certification.
2 Agenda
• Introductions.
• Hitachi ID corporate overview.
• ID Management Suite overview.
• Identity problems and Hitachi ID Identity Manager benefits.
• The HiIM solution.
• Software demonstration.
© 2012 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation
3 Hitachi ID Corporate Overview
Hitachi ID is a leading provider of identity and access management solutions.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 900 customers.
• More than 11M licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.
4 Representative Hitachi ID Customers
5 ID Management Suite
6 Identity and Access Problems
For users:
• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.

For IT support:
• Onboarding and deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new hires/terminations on time.
• Hard to interpret end-user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.
7 Identity and Access Problems (continued)
For security / risk / audit:
• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin and service passwords are a security risk.
• Weak password and password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.

For developers:
• Need temporary access (e.g., prod migration).
• Half the code in every new app is the same:
– Identify.
– Authenticate.
– Authorize.
– Audit.
– Manage the above.
• Mistakes in this infrastructure create security holes.
8 User Provisioning
User provisioning is defined as:
• Software to create, modify and delete users on different systems.
• It must include connectors:
– Directories.
– Operating systems.
– Applications.
• It also has to implement business process:
– Data synchronization from one system to another.
– Self-service requests.
– Authorization workflows.
• Finally, it should enforce policy rules:
– Login ID assignment.
– Approval rules.
– Segregation of duties.
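The three policy rules on this slide are the part of provisioning that is easiest to get subtly wrong, so here they are as executable checks. This is an added example written for this transcript, not Hitachi ID code: the "system:entitlement" naming convention, the SoD rule pairs, the org data and the fallback approver are all constructed for the illustration. The SoD check runs on effective entitlements (nested groups expanded), because a conflict hidden one level down in a group is exactly what a check on direct grants misses.

```python
"""Provisioning policy rules as executable checks (added example, not Hitachi ID code)."""
from __future__ import annotations
import re
import unicodedata
from dataclasses import dataclass

FALLBACK_APPROVER = "iam-admins"   # constructed: used when no other approver remains


def assign_login_id(first: str, last: str, existing: set[str], max_len: int = 8) -> str:
    """Naming standard: first initial + surname, ASCII-folded, lower case,
    at most max_len characters, numeric suffix on collision (jsmith, jsmith2, ...)."""
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode().lower()
    base = re.sub(r"[^a-z]", "", fold(first)[:1] + fold(last))[:max_len]
    if not base:
        raise ValueError("name yields no usable login characters")
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        suffix = str(n)
        candidate = base[: max_len - len(suffix)] + suffix   # stay within max_len
    return candidate


def effective_entitlements(direct: set[str], nesting: dict[str, set[str]]) -> set[str]:
    """Expand nested group membership: everything reachable from the direct grants."""
    seen: set[str] = set()
    stack = list(direct)
    while stack:
        e = stack.pop()
        if e not in seen:
            seen.add(e)
            stack.extend(nesting.get(e, ()))
    return seen


# SoD rules: pairs of entitlements one person may never hold together (constructed).
SOD_RULES = [
    ("ap:create-vendor", "ap:approve-payment"),
    ("hr:change-salary", "payroll:run"),
]


def sod_violations(held: set[str], nesting: dict[str, set[str]],
                   rules=SOD_RULES) -> list[tuple[str, str]]:
    """Check the rules against effective, not direct, entitlements."""
    eff = effective_entitlements(held, nesting)
    return [(a, b) for a, b in rules if a in eff and b in eff]


@dataclass(frozen=True)
class Request:
    requester: str
    beneficiary: str
    entitlements: tuple[str, ...]


def evaluate_request(req: Request, current: set[str], nesting: dict[str, set[str]],
                     manager_of: dict[str, str], owner_of: dict[str, str]):
    """Approval rules: block a request that would create an effective SoD violation;
    otherwise route to the beneficiary's manager plus the owner of each target system,
    never letting the requester approve their own request."""
    violations = sod_violations(current | set(req.entitlements), nesting)
    if violations:
        return "blocked", sorted(violations)
    approvers: set[str] = set()
    if req.beneficiary in manager_of:
        approvers.add(manager_of[req.beneficiary])
    for ent in req.entitlements:
        system = ent.split(":", 1)[0]
        if system in owner_of:
            approvers.add(owner_of[system])
    approvers.discard(req.requester)            # no self-approval
    return "approve", sorted(approvers) or [FALLBACK_APPROVER]


# Constructed sample org data.
NESTING = {
    "ad:Finance-All": {"ad:Finance-Read", "ap:approve-payment"},
    "ad:Finance-Read": {"erp:view-ledger"},
}
MANAGER_OF = {"alice": "bob", "bob": "carol"}
OWNER_OF = {"ap": "dan", "ad": "erin"}


def demo():
    held = {"ad:Finance-All"}   # alice already holds the nested finance group
    blocked = evaluate_request(Request("bob", "alice", ("ap:create-vendor",)),
                               held, NESTING, MANAGER_OF, OWNER_OF)
    ok = evaluate_request(Request("bob", "alice", ("ad:Finance-Read",)),
                          set(), NESTING, MANAGER_OF, OWNER_OF)
    return blocked, ok


if __name__ == "__main__":
    print(assign_login_id("Émilie", "O'Brien", {"eobrien"}))
    print(demo())
```

In the demo the first request is blocked even though alice holds neither SoD entitlement directly: ad:Finance-All nests ap:approve-payment, and the requested ap:create-vendor completes the pair. The second request routes only to erin (the AD owner), because bob, alice's manager, is also the requester.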
9 ID Management Suite Component Overview
Hitachi ID Identity Manager: Create, manage and delete users and entitlements. Automation, self-service and delegation.
Hitachi ID Access Certifier: Periodic review and cleanup of users and entitlements.
Hitachi ID Group Manager: Self-service, resource-centric management of AD group membership.
Hitachi ID Password Manager: Synchronize and reset passwords. Manage RSA tokens, security questions, voice prints, PKI certs.
Periodically randomize and control access to sensitive passwords.

Add-ons:
Hitachi ID Org Manager: Periodic updates to data mapping users to their managers.
Hitachi ID Phone PW Manager: Turn-key IVR for password reset and token management.
Hitachi ID Login Manager: Auto-populate login IDs and synchronized passwords for users.
10 ID Management Suite
11 ID Management Suite in the User Lifecycle
Columns: lifecycle stage, automation, self service / request workflow, policy enforcement.

Onboarding
• Automation: From HR (employees).
• Self service / request workflow: Web UI (contractors).
• Policy enforcement: Role-based setup. Standardized IDs, OU, mail store, etc.

Management
• Automation: Identity synchronization. Automatic role changes.
• Self service / request workflow: Applications. Group membership. Profile updates.
• Policy enforcement: SoD enforcement. Authorize changes. ID mapping.

Support
• Self service / request workflow: Password reset. Resolve access-denied errors.
• Policy enforcement: Password strength. Password expiry.

Deactivation
• Automation: Auto-termination.
• Self service / request workflow: Access certification. Scheduled terminations.
• Policy enforcement: Archive mailboxes, home dirs, etc.
12 HiIM Features
Automation:
• Provision joiners, deactivate leavers.
• Multiple HR feeds.
Requests portal:
• Self-service profile updates.
• Delegated security change requests.
Security controls:
• Access certification.
• RBAC and SoD.
• Reports on current entitlements and history.
Workflow process:
• Authorizers.
• Implementers.
• Certifiers.
Integrations:
• 110+ connectors, included.
• Incident management, SIEM, e-mail interfaces.
• Manage building access, physical assets.
Identity synchronization:
• Consistent data among apps.
13 Closed Loop IAM
[Diagram: closed-loop IAM data flow within the Hitachi ID Management Suite. Integrated systems of record feed auto-discovery ("list people"), auto-provisioning and identity synchronization into the identity cache. Connectors list accounts on integrated target systems and create, delete and update them; detected changes flow back into the cache. Non-integrated systems are handled by implementers (accept, confirm) through the implementer web UI. Requesters submit manual requests through the requests web UI; automatic requests come from the automation. The workflow manager validates requests, routes them for approval, invites authorizers, sends reminders, escalates and delegates. Authorizers approve, reject or delegate through the approvals web UI; certifiers review, certify and correct through the certification web UI. Approved requests pass through the request queue to the transaction manager for auto-fulfillment by connectors, or to the work queue for manual fulfillment.]
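The "list people / list accounts / detected changes / automatic request" loop in the diagram is, at its core, a reconciliation pass. The following is an added example written for this transcript, not Hitachi ID code: it lists people from a system of record and accounts from one target system, maps accounts to people by attribute (employee ID first, then case-insensitive e-mail, as in the "attribute-based ID mapping" the deck mentions later), and turns the differences into requests: create accounts for joiners, disable accounts of leavers, and hand orphan and dormant accounts to a human for certification rather than deleting them automatically. The record layouts, the 90-day dormancy threshold and every sample record are constructed for the example.

```python
"""Auto-discovery and reconciliation (added example, not Hitachi ID code)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Person:                     # one row of the HR feed (constructed schema)
    employee_id: str
    email: str
    status: str                   # "active" or "terminated"


@dataclass(frozen=True)
class Account:                    # one account listed by a connector (constructed schema)
    login: str
    employee_id: Optional[str]    # attribute populated on some accounts only
    email: Optional[str]
    enabled: bool
    last_login: Optional[date]


def map_accounts(people, accounts):
    """Attribute-based ID mapping: employee_id first, then case-insensitive e-mail.
    Accounts matching no person are orphans. Returns (login -> employee_id, orphans)."""
    by_id = {p.employee_id: p for p in people}
    by_mail = {p.email.lower(): p for p in people}
    mapping: dict[str, str] = {}
    orphans: list[str] = []
    for a in accounts:
        p = by_id.get(a.employee_id) if a.employee_id else None
        if p is None and a.email:
            p = by_mail.get(a.email.lower())
        if p is None:
            orphans.append(a.login)
        else:
            mapping[a.login] = p.employee_id
    return mapping, orphans


def reconcile(people, accounts, today: date, dormant_after=timedelta(days=90)):
    """Return the proposed transactions as sorted (action, subject) pairs."""
    mapping, _orphans = map_accounts(people, accounts)
    by_id = {p.employee_id: p for p in people}
    owned = set(mapping.values())
    actions = []
    # Joiners: active people with no account on this target -> auto-provisioning.
    for p in people:
        if p.status == "active" and p.employee_id not in owned:
            actions.append(("create", p.employee_id))
    for a in accounts:
        if a.login in mapping:
            owner = by_id[mapping[a.login]]
            if owner.status == "terminated":
                if a.enabled:             # leaver still has access -> auto-termination
                    actions.append(("disable", a.login))
            elif a.enabled and (a.last_login is None or today - a.last_login > dormant_after):
                actions.append(("certify-dormant", a.login))   # owner confirms it is still needed
        elif a.enabled:
            actions.append(("certify-orphan", a.login))        # nobody owns it: find an owner or remove
    return sorted(actions)


# Constructed sample input.
TODAY = date(2012, 3, 1)
PEOPLE = [
    Person("1001", "alice@example.com", "active"),
    Person("1002", "bob@example.com", "terminated"),
    Person("1003", "carol@example.com", "active"),
]
ACCOUNTS = [
    Account("alice", "1001", "alice@example.com", True, date(2012, 2, 28)),
    Account("alice-adm", "1001", None, True, date(2011, 10, 1)),      # mapped, unused for months
    Account("bob", None, "Bob@Example.com", True, date(2011, 12, 1)),   # mapped only via e-mail
    Account("svc_backup", None, None, True, date(2011, 1, 1)),          # no owner attribute at all
    Account("dave-old", None, None, False, None),                       # orphan, already disabled
]


def demo():
    return reconcile(PEOPLE, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for action, subject in demo():
        print(f"{action:16} {subject}")
```

Two design points worth noting: disabled orphans generate no work, so the certification queue is not flooded with accounts that pose no risk, and a leaver's account is disabled rather than deleted, which keeps the mailbox and home directory available for the archive step the lifecycle slide lists under deactivation.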
14 Competitive Differentiation
Consistency
• Manage all identities and entitlements.
• On-premise and SaaS.
• Accounts, entitlements and resources.
• 110+ connectors included.
Full featured
• Administration and governance in a single product.
• Triggers: automation and request portal.
• Controls: policy, authorization workflow, certification.
Scalability
• Multi-master architecture.
• Load balanced, replicated.
• Deploy across data centers.
• Multi-lingual.
Usability
• Business-friendly request process using roles, PDRs.
• Simple e-mail/web authorization.
• Windows shell extension.
• Fulfillment by both connectors and humans.
15 The Hitachi ID Solution is Flexible
Customize: Every aspect of the user interface.
Integrate with: 110+ target system types. Call tracking systems. HR systems. Authentication hardware. Meta directories.
Enforce: Password policy. Authentication rules. Change authorization rules. User naming standards.
16 Scalability and Fault-Tolerance
• Multiple Hitachi ID Identity Manager servers can be configured for load balancing.
• Data is automatically replicated between servers in real time.
• A built-in, high-performance identity cache accelerates system response.
• A service monitors the health of each server and may restart it or take it out of circulation.
• A proxy server compensates for slow or insecure connectivity to remote target systems.
• There are production customers with up to 300,000 users on just two servers.
• Replication has been scaled to 20 servers.
17 Included Connectors
Many integrations to target systems are included in the base price:
Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008, Samba, Novell, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more.
Mainframes, midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD encryption: McAfee, CheckPoint.
ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
Tokens, smart cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA SiteMinder, IBM TAM, Oracle AM, RSA Access Manager.
Help desk: BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!
Cloud/SaaS: WebEx, Google Apps, Salesforce.com, SOAP (generic).
18 Simple Integration with Custom Apps
• Hitachi ID Identity Manager integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed-cost service available from Hitachi ID.
19 Multi-Master Architecture
[Diagram: multi-master architecture. Load-balanced Hitachi ID application servers sit on the local network, each with its own SQL database (SQL Server or Oracle) replicated between servers, behind a reverse web proxy that terminates HTTPS for users. The servers integrate with SMTP or Notes mail (e-mails), an incident management system (tickets), a system of record (lookup and trigger), an IVR server and a VPN server. Password synchronization trigger systems (AD, Unix, OS/390, LDAP, AS400) report native password changes and validate passwords through web services. Target systems with a remote agent (AD, SQL, SAP, Notes, etc.) are reached over secure native protocols; target systems with a local agent (OS/390, Unix, older RSA) in a remote data center, and cloud-hosted SaaS apps, are reached through the firewalls via a proxy server (if needed) over TCP/IP with AES encryption.]
20 Server Internal Architecture
[Diagram: Hitachi ID server internal components. End users reach the user interface from a web browser over HTTPS through IIS or Apache; admin/config uses the same web tier. Core services: IDWFM (workflow manager), IDTM (transaction manager), PSUPDATE (auto-discovery), IDTRACK (automation engine) and IDDB (database manager), with business logic supplied through exits and plugins. The IDM database (Oracle or MSSQL) holds the identity cache, requests, configuration and history, is accessed through stored procedures, and is replicated between servers with real-time encrypted replication. Connectors reach target systems directly via native API or protocol, through a Hitachi ID proxy server at a remote site over the Hitachi ID encrypted protocol (secure RPC), or via a local agent on the target that executes list, inspect, create, delete and modify operations on users and groups.]
21 Rapid Deployment and Low TCO
Optimized to minimize effort:
• User provisioning with HiIM:
– Initial deployment: 6 – 9 months.
– Ongoing maintenance: 0.5 – 1.0 FTE.

Using Hitachi ID Identity Manager technology:
• Built-in nightly auto-discovery of IDs and entitlements.
• Both attribute-based and self-service ID mapping.
• Request and approval screens and processes are built-in.
• Implementer infrastructure for non-integrated apps is built-in.
• Powerful authorization workflow is built-in.
• Deployment does not depend on role engineering.
• 110 connectors out of the box.
• Rapid integration with custom, vertical apps.
• Easy customization of GUI and business logic.
22 Competitive Advantages
Unique features
• Self-service password/PIN reset from anywhere.
• Workflow to refresh OrgChart data.
• Request for resources mapped to AD groups.
• Detect/block effective SoD violations.
Rapid deployment
• Key features built-in, not custom:
– Change request forms.
– Authorization process.
– Access certification UI.
– Auto-discovery.
• Self-service ID mapping.
• Unique approach to workflow.
Scalable platform
• Real-time data replication.
• Multi-master architecture.
• Proxy server to cross firewalls.
• Stored procedures, native code for speed.
Integrations
• 110+ included connectors.
• Flexible connectors.
• Built-in implementers workflow.
• Integrated with incident management, SIEM, etc.
23 Hitachi ID Professional Services
• Hitachi ID offers a variety of services relating to Hitachi ID Identity Manager, including:
– Needs analysis and solution design.
– Fixed-price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
24 Hitachi ID Solution Delivery Approach
Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.
Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1–3 months. Work is reviewed and payment is due when milestones are met.
Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.
Templates: Template documents and sample business logic are used to expedite work.
Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.
25 AdMax: Maximizing User Adoption
• Successful implementation of an identity and access management system must be supported by an effective user adoption program.
• AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects.
• AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions, using:
– Best practices, case studies and industry norms.
– Enrollment, user adoption and ROI measurement.
– Incentive and disincentive programs.
– Presentations and training materials for users and help desk staff.
– Project roles and responsibilities.
– Sample project plans, promotional materials, e-mails, graphics and other user communications.
– Workbooks for project implementation.
26 Summary
Hitachi ID Identity Manager enables automated, self-service and policy-driven management of identities and entitlements:
• Automation: onboarding, deactivation, identity synchronization.
• Self-service: profile updates.
• Delegated administration: access requests, approvals workflow.
• Policy engines: RBAC, SoD, standard setup for new users.
• Reports: who-has-what, change history.
• Integrations: 110 connectors built-in.
• Rapid deployment: built-in screens, processes and features minimize custom coding.
More secure infrastructure, lower IT management costs and faster user service.
Learn more at Hitachi-ID.com/Identity-Manager
27 Getting an IAM Project Started
• Build a business case.
• Get management sponsorship and a budget.
• Discovery phase: capture detailed requirements.
• Assemble a project team:
– security
– system administration
– user support
– etc.
• Try before you buy: demos, POCs, pilots.
• Install the software, roll to production.
• Enroll users, if/as required.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
File: PRCS:pres Date: March 1, 2012