managing the user lifecycle across on-premises … · 1 hitachi id identity manager managing the...

1 Hitachi ID Identity Manager

Managing the User LifecycleAcross On-Premises andCloud-Hosted Applications

Entitlement administration and governance:Automation, requests, approvals, recertification, SoD and RBAC.

2 Agenda

• Corporate• Hitachi ID Identity Manager• Recorded Demos• Technology• Implementation• Differentiation

3 Corporate

© 2016 Hitachi ID Systems, Inc. All rights reserved. 1

http://Hitachi.com/

Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governanceand identity administration solutionsto organizations globally.Hitachi ID solutions are used by Fortune 500companies to secure access to systemsin the enterprise and in the cloud.

• Founded as M-Tech in 1992.• A division of Hitachi, Ltd. since 2008.• Over 1200 customers.• More than 14M+ licensed users.• Offices in North America, Europe and

APAC.• Global partner network.

3.2 Representative customers


Slide Presentation

3.3 Hitachi ID Suite

4 Hitachi ID Identity Manager

4.1 Compliance / internal controls

Challenges Solutions

• Slow and unreliable deactivation whenpeople leave.

• Orphan and dormant accounts.• Users with no-longer-needed access.• Access that violates SoD policies or

represents high risk.• Unreliable approvals for access requests.• Audit failures and regulatory risk.

• Automate deactivation based on SoR(HR).

• Review and remediate excessive access(certification).

• Block requests that would violate SoD.• Analyze entitlements to find policy

violations, high risk users.• Automatically route access requests to

appropriate stake-holders.


Slide Presentation

4.2 Access administration cost


• Multiple FTEs required to setup,deactivate access.

• Additional burden on platformadministrators.

• Audit requests can add significant strain.

• Automate access setup, tear-down inresponse to changes in systems of record(SoRs).

• Simple, business-friendly access requestforms.

• Route requests to authorizersautomatically.

• Automate fulfillment where possible.• Help auditors help themselves:

– With certification, auditors focus onprocess, not entitlements.

– Reports and analytics.

4.3 Access changes take too long


• Approvers take too long.• Too many IT staff required to complete

approved requests.• Service is slow and expensive to deliver.

• Automatically grant access:

– Where predicted by job function,location, ...

– Eliminate request/approval processwhere possible.

• Streamline approvals:

– Automatically assign authorizers,based on policy.

– Invite participants simultaneously,not sequentially.

– Enable approvals from smart-phone.– Pre-emptively escalate when

stake-holders are out of office.

• Automate fulfillment where possible.


Slide Presentation

4.4 Access requests are too complicated


• Requesting access is complex:

– Where is the request form?– What access rights do I need?– How do I fill this in?– Who do I send it to, for approval?

• Complexity creates frustration.

• Auto-assign access when possible.• Simplify request forms.• Intercept "access denied" errors:

– Navigate lead users to appropriaterequest forms.

• Compare entitlements:

– Help requesters select entitlements.– Compare recipient, model user

rights.– Select from a small set of

differences.

• Automatically assign authorizers basedon policy.

5 Features

5.1 HiIM features

Inputs → → Processes →

• Monitor SoRs (automation).• Request portal:

– Self-service.– Delegated.– Access admin.

• Web services API.

• Request forms.• Approval workflows.• Access certification.• Manual fulfillment.• Analytics.

→ Policies → → Outputs

• Segregation of duties.• Risk scores.• Role based access control.• Authorizer, certifier selection.• Visibility / privacy protection.

• Connectors to 110 systems andapplications.

• E-mail.• Create/update/close tickets.• Send events to SIEM.


Slide Presentation

5.2 Identity and entitlement lifecycle automation

• Using Hitachi ID Identity Express, we recommend full automation of identity and entitlementlifecycles out of the gate:

– Joiners, movers, leavers processes.– Password management, strong authentication and federation.– Change requests, approval, review/certification.– Driven by both SoR data and requests.

• No need to "clean up" entitlements before automating access changes.• Roles can be added later: not a pre-requisite.• Automate first, clean up afterwards:

– Unlike with competitors, automation is pre-configured and easy.– Start with basic integrations, add connectors over time.– Leverage automation and user knowledge to help clean up.– Add roles and expand automation over time.

5.3 Monitoring systems of record

• Any target system can function as a system of record(SoR).

• Examples: HR apps, SQL databases, CSV files, ...• Hitachi ID Identity Manager can monitor multiple SoR’s:

– Multinationals: regional HR systems.– Colleges: students vs. faculty/staff.

• Map attributes to user profiles and prioritize.• Automatically submit access requests in response to

detected changes.• Users can submit pre-emptive or corrective requests:

– New hire not yet in HR.– HR data is wrong.– Override SoR data until HR updates it.

• Request portal handles users who never appear in SoRs:

– Contractors, partners, etc.


Slide Presentation

5.4 Requester usability

• Users rarely know where or how to request access!• Windows shell extension, SharePoint error page:

– Intercept "Access Denied" errors.– Navigate user to appropriate request URL.

• Compare users:

– Compare entitlements between the intended recipient and areference user.

– Select entitlements from the variance.

• Search for entitlements:

– Keywords, description, metadata/tags.

• Relationship between requester and recipient:

– What recipients can the requester see?– What identity attributes are visible?– What kinds of requests are available?

5.5 Robust, policy-driven workflow

• Workflow invites stake-holders to participate in processes:

– Approve or reject a request.– Review entitlements and recertify or remediate.– Fulfill an approved request.– Extensible. e.g., audit cases.

• Stake-holders are invited based on policy:

– No flow-charts or diagrams required.– Process is simple, transparent and secure.– Routing may be based on relationships, resource ownership, risk.

• The process is robust, even when people aren’t:

– Invite N participants, accept response from M (M<N).– Simultaneous invitations by default (sequential made sense for

paper forms).– Automatically send reminders.– Escalate (e.g., to manager) if unresponsive.– Check out-of-office message, pre-emptively escalate.– Accessible from smart phone, not just PC.


Slide Presentation

5.6 Reports, dashboards and analytics

• Over 150 reports built in:

– Many include multiple modes (e.g,. dormant vs. orphan accounts).– Identities, entitlements, history, system operation, trends, etc.– Easy to add custom reports.

• Many dashboards included as well.• Run interactively or schedule (once, recurring).• Deliver output (HTML, CSV, PDF):

– Interactively.– In e-mails.– Drop files on UNC shares.– Stream results via web services.

• Actionable analytics:

– Feedback from reports to requests.– Automated remediation.

• Database is normalized, documented – can use 3rd party tools too.

6 Recorded Demos

6.1 Intercept Access Denied Dialogs

Animation: ../../pics/camtasia/v10/higm-A-request-folder.mp4

6.2 Authorization of a request for security group membership

Animation: ../../pics/camtasia/v10/higm-B-request-approve.mp4

6.3 Request approved, user can access the folder

Animation: ../../pics/camtasia/v10/higm-C-approved-open-file-nb.mp4

6.4 Mobile request approval

Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4


Slide Presentation

6.5 Compare user entitlements

Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4

6.6 Application-centric certification

Animation: ../../pics/camtasia/v10/hiac-complete-app-centric-2.mp4

6.7 Add contact to phone

Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

6.8 Actionable analytics: Disable orphan accounts

Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4

7 Technology


Slide Presentation

7.1 Multi-master architecture

“Cloud”

Reverse

web

proxyVPN server

IVR server

Load

balancers

E-mail

system

Ticketing

system

HR

Hitachi ID

servers

Hitachi ID

servers

Firewalls

Proxy server

(if needed)

Mobile

proxy

SaaS apps

Managed

endpoints

Managed endpoints

with remote agent:

AD, SQL, SAP, Notes, etc

z/OS - local agent

MS SQL databases

Password synch

trigger systems

Native password

change

ManageMobile UI

AD, Unix, z/OS,

LDAP, iSeries

Validate pw

Replication

System of

record

Tickets

Notifications

and invitations

Data c

enter A

Data c

enter B

Remote

data

cente

r

TCP/IP + AES

Various protocols

Secure native protocol

HTTPS


Slide Presentation

7.2 Key architectural features

“Cloud”

SaaS apps

Data c

enter A

Data c

enter B

Remote

data

cente

r

TCP/IP + AES

Various protocols

Secure native protocol

HTTPS

Reach across firewalls

Load balanced

On premise and SaaS

BYOD enabled

Replicated across data centers

Horizontal scaling

7.3 Internal architecture

• Multi-master, active-active out of the box.• Built-in data replication between app nodes:

– Fault tolerant.– Secure - encrypted.– Reliable - queue and retry.– App nodes need and should not be co-located.

• Native, 64-bit code:

– 2x faster than .NET.– 10x faster than Java.

• Stored procedures:

– For all data lookups, inserts.– Fast, efficient.– Eliminates client/server chatter.

• Modern crypto: AES-256, SSHA-512


Slide Presentation

7.4 BYOD access to on-premise IAM system

The challenge Hitachi ID Mobile Access

• Users want access on their phones.• Phone on the Internet, IAM on-prem.• Don’t want attackers probing IAM from

Internet.

• Install + activate iOS, Android app.• Proxy service on DMZ or cloud.• IAM, phone both call the proxy - no

firewall changes.• IAM not visible on Internet.

Outbound connections only

DMZ Private corporate

network

Personal

device

FirewallFirewall

Internet

(3)

Message passing system

(1)

Worker thread:

“Give me an HTTP

request”

(2)

HTTPS request:

“Includes userID,

deviceID”

IAM server

Cloud

proxy


Slide Presentation

7.5 Included connectors

Many integrations to target systems included in the base price:

Directories:Any LDAP, Active Directory,NIS/NIS+.

Servers:Windows NT, 2000, 2003,2008[R2], 2012[R2], Samba.

Databases:Oracle, Sybase, SQL Server,DB2/UDB, Informix, Progress,Hyperion, Cache, ODBC.

Unix:Linux, Solaris, AIX, HPUX, 24more variants.

Mainframes, Midrange:z/OS: RACF, ACF2,TopSecret. iSeries,OpenVMS.

HDD Encryption:McAfee, CheckPoint,BitLocker, PGP.

ERP:JDE, Oracle eBiz,PeopleSoft, PeopleSoft HR,SAP R/3 and ECC 6, Siebel,Business Objects.

Collaboration:Lotus Notes, iNotes,Exchange, SharePoint,BlackBerry ES.

Tokens, Smart Cards:RSA SecurID, SafeWord,Vasco, ActivIdentity,Schlumberger, RADIUS.

WebSSO:CA Siteminder, IBM TAM,Oracle AM, RSA AccessManager.

Help Desk:ServiceNow, BMC Remedy,SDE, HP SM, CA Unicenter,Assyst, HEAT, Altiris, Clarify,RSA Envision, Track-It!, MSSystem Center

Cloud/SaaS:WebEx, Google Apps, MSOffice 365, Success Factors,Salesforce.com, SOAP.

7.6 Rapid integration with custom apps

• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications usingflexible agents .

• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).– Telnet / TN3270 / TN5250 / sessions with TLS or SSL.– SSH sessions.– HTTP(S) administrative interfaces.– Web services.– Win32 and Unix command-line administration programs.– SQL scripts.– Custom LDAP attributes.

• Integration takes a few hours to a few days.• Fixed cost service available from Hitachi ID.


Slide Presentation

8 Implementation

8.1 Hitachi ID professional services

• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:

– Needs analysis and solution design.– Fixed price system deployment.– Project planning.– Roll-out management, including maximizing user adoption.– Ongoing system monitoring.– Training.

• Services are based on extensive experience with the Hitachi ID solution delivery process.• The Hitachi ID professional services team is highly technical and have years of experience deploying

IAM solutions.• Hitachi ID partners with integrators that also offer business process and system design services to

mutual customers.• All implementation services are fixed price:

– Solution design.– Statement of work.


Slide Presentation

8.2 Hitachi ID Identity Express

Before reference implementations:

• Every implementation starts fromscratch.

• Some code reuse, in the form oflibraries.

• Even simple business processes havecomplex boundary conditions:

– Onboarding: initial passwords,blocking rehires.

– Termination: scheduled vs.immediate, warnings, cleanup.

– Transfers: move mailboxes andhomedirs, trigger recertification.

• Complex processes often scripted.• Delay, cost, risk.

With Hitachi ID Identity Express:

• Start with a fully configured system.• Handles all the basic user lifecycle

processes out of the box.• Basic integrations pre-configured (HR,

AD, Exchange, Windows).• Implementation means "adjust as

required" not "build from scratch."• Configuration is fully data driven (no

scripts).• Fast, efficient, reliable.


Slide Presentation

8.3 Hitachi ID Identity Express - Corporate: details

• Integrations:

– SQL-based HR SoR.– AD domain– Exchange domain (mailboxes)– Windows filesystem (homedirs)

• Entitlements:

– Login IDs.– Group memberships.– Roles.

• User communities:

– Employees.– Contractors/other.

• Configuration:

– Based on user classes, rules tablesand lookup tables.

– Near-zero script logic.

• Automation:

– Onboard/deactivate based on SoR.– Identity attribute propagation.

• Self-service:

– Password, security questionmanagement.

– Update to contact info.– Request for application, share, folder

access.

• Delegated admin:

– Same as self-service, plus recert.

• Approval workflows:

– IT security (global rights).– HR/managers (approve for

each-other).

• Recertification:

– Scheduled.– Ad-hoc.

9 Differentiation


Slide Presentation

9.1 HiIM differentiation (1/3)

Feature Details Differentiation

Hitachi ID Identity Express

• Pre-configured businesslogic.

• Option A: full referenceimplementation.

• Option B:pick-and-choosefunctionality fromcomponent framework.

• Reduces implementationeffort by 5x to 10x ascompared to competitors.

• Alternately, spend thesame money and get 5xto 10x the functionality!

Requester usability

• Requesters struggle tofind, complete accessrequests.

• Aid #1: intercept ’accessdenied’ errors,click-through to requestform.

• Aid #2: requestercompares entitlements ofrecipient, model users,selects from the variance.

• No competitor intercepts’access denied’ errors.

• Few competitors supportrecipient/modelcomparison.

• Happy users, higheradoption rates, betterROI.

SoD actually works

• SoD policy may bedefined in terms ofentitlements or roles.

• Roles and groups may benested.

• Violations may happen ata different level of the roleor group hierarchy thanwhere the SoD policy wasdefined.

• Hitachi ID IdentityManager decomposesroles, expands groups toalways find SoDviolations.

• Competitors fail to detectviolations where rule andrequest are at differentlevels of role, grouphierarchies.

• Users can trivially bypasscontrols.

• False sense of security.• Audit failures.• Regulatory risk.


Slide Presentation



Active-active architecture

• Replicate across multipleservers.

• Multi-master, active-activeoperation.

• Geographic distribution.• No single point of failure.• Excellent scalability.

• All competitors have asingle point of failure.

• Usually it’s a databasecluster.

• Expensive to scale up.• Time consuming to

recover from disasters.

Smart phone access

• Android and iOS apps.• Cloud-hosted proxy.• BYOD can interact with

on-premise Hitachi IDIdentity Manager instance.

• Important use cases:request approval, peerlookup/contact download.

• No competitor has a cloudproxy.

• Few competitors havemobile apps.

• Not realistic to interactwith the IAM system fromBYOD.

• Slow approvals, waitingfor managers to sign intolaptop and VPN.

Actionable analytics

• All reports can be linkedto requests.

• Feedback enablesautomated remediation.

• Immediate or scheduled.• No coding required.

• Competitors with limitedreports, analytics.

• No competitor has a wayto make analyticsactionable, rather than justinformational.

• Automating remediation isbetter than waiting forhumans.


Slide Presentation



Governance, provisioning inone product

• Provisioning features:connectors, automatedonboarding/deactivation.

• Governance features:request/approvalworkflow, SoD andRBAC policy, risk scores,access cert, analytics.

• Hitachi ID IdentityManager includes all ofthe above in a singleproduct.

• Some competitors havemostly governancecapabilities – limitedconnectors, mostlyread-only.

• Other competitors havemostly provisioningcapabilities – weak or3rd party governanceUIs.

• HiIM is almost unique inincluding both.

• Better value, lowerintegration risk.

Policies built onrelationships

• Relationships drive allpolicies in HiIM.

• What users appear insearch results?

• On whose behalf can auser submit what kindsof requests?

• What PII is visible?• Who approves requests?• To whom are requests

escalated?

• Competitors generallyrely on hierarchies orcustom programming.

• Hierarchies do notrepresent the real world.

• Custom code is costly,time consuming andrisky.


Slide Presentation

10 Summary

An integrated solution for managing identities and entitlements:

• Automation: onboarding, deactivation, detect out-of-band changes.• Self-service: profile updates, access requests.• Governance: certification, authorization workflow, RBAC, SoD, analytics.• Automatically manage identities, entitlements: 110 bidirectional connectors.• Other integrations: filesystem, collaboration, SIEM, incident management.• Rapid deployment: pre-configured Hitachi ID Identity Express.

Security, lower cost, faster service.

Learn more at Hitachi-ID.com/Identity-Manager

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

Date: Monday 24th October, 2016 | 2016-10-24File: PRCS:pres

http://Hitachi-ID.com/Identity-Manager/

http://Hitachi-ID.com{}/

managing the user lifecycle across on-premises … · 1 hitachi id identity manager managing the...

Documents