Page 1: Managing the User Lifecycle Across On-Premises … › password-manager › largedocs › ...1 Hitachi ID Suite Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Administration and governance of identities, entitlements and credentials.

2 Agenda

• Corporate
• Identity and access management
• Key business drivers
• Hitachi ID Suite
• Technology
• Key competitors
• Recorded demos
• Differentiation

3 Corporate

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• 14M+ licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers


4 Identity and access management

4.1 IAM in silos

In most organizations, many processes affect many applications. This many-to-many relationship creates complexity:


4.2 Integrated IAM processes

Diagram: integrated IAM processes. Business processes (hire, transfer, retire, resign, fire, start contract, finish contract) and IT processes (new application, retire application, password reset, password expiry) all feed a single identity and access management system, which in turn manages the users, passwords, groups and attributes on the systems and applications: operating systems, directory, application, database, e-mail system, ERP, legacy app and mainframe.

4.3 Identity and access management

Identity and access management is software to automate processes to securely and efficiently manage identities, entitlements and credentials:

Processes:

• Data synchronization.
• Request portal.
• Workflows to invite human participation.
• Manual and automated fulfillment.
• Unique ID generation.
• Selection of approvers, reviewers and implementers.

Policies:

• Access reviews.
• Segregation of duties.
• Role-based access.
• Risk scores.
• Visibility, privacy.

Connectors:

• Applications.
• Databases.
• Operating systems.
• Directories.
• On-premises.
• Cloud-hosted.


5 Key business drivers

5.1 Access and credential challenges (1/2)

For users:

• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.

For IT support:

• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.

5.2 Access and credential challenges (2/2)

For Security / risk / audit:

• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.

For Developers:

• Temporary access (e.g., prod migration).
• Half the code in every new app is the same:

– Identify.
– Authenticate.
– Authorize.
– Audit.
– Manage the above.

• Mistakes in this infrastructure create security holes.

6 Hitachi ID Suite


6.1 Hitachi ID Suite

6.2 An integrated solution

PM – Hitachi ID Password Manager:

• Self-service password reset.
• Manage other credentials (tokens, certificates, smart cards, Q&A, biometric enrollment, pre-boot drive unlock, etc.).
• Federated identity provider and web single sign-on.

IAM – Hitachi ID Identity Manager:

• Automated joiner/mover/leaver processes.
• Access request portal, approval workflows.
• Access certification, SoD policy, RBAC, risk scores.
• Lifecycle management of groups and memberships.

PAM – Hitachi ID Privileged Access Manager:

• Randomize, vault, retrieve passwords.
• Session single sign-on, video capture/search/playback.
• Service and embedded accounts (non-human).

All products:

• Built-in strong authentication (MFA) plus integration with existing MFA.
• Access from smart phone, pre-boot, login screen, off-site (without a public URL).


6.3 HiIM features

Automation:

• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.

Integrations:

• 120+ bidirectional connectors, included.
• Manage resources including mail boxes, home directories and badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.

Request portal:

• Users can request for themselves or others.
• Access control model limits visibility, requestability.

Accounts and groups:

• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.

Workflow:

• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.

Policies, controls:

• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.

Certification:

• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.
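The automation, policy and certification bullets above describe the same underlying logic: reconcile what target systems actually hold against a system of record, apply a role model, check segregation-of-duties rules and emit grant or revoke requests. The following is an added example in Python written for this page, not Hitachi ID's own code; the role table, SoD rules, person records, system names and entitlement names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    """One record from the system of record (e.g. an HR feed). Constructed schema."""
    person_id: str
    status: str            # "active" or "terminated"
    roles: frozenset


# Role -> set of (system, entitlement). Constructed sample role model.
ROLE_ENTITLEMENTS = {
    "ap-clerk":   {("erp", "create-vendor"), ("erp", "enter-invoice")},
    "ap-manager": {("erp", "approve-payment")},
    "developer":  {("git", "push"), ("ad", "vpn-users")},
}

# Segregation-of-duties rules: no single person may hold both entitlements.
SOD_RULES = [
    (("erp", "create-vendor"), ("erp", "approve-payment")),
    (("erp", "enter-invoice"), ("erp", "approve-payment")),
]


def expected_entitlements(person):
    """Entitlements a person should hold under the role model; none once terminated."""
    if person.status != "active":
        return set()
    wanted = set()
    for role in person.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted


def reconcile(sor, actual):
    """Compare the system of record with what target systems actually hold.

    sor:    dict person_id -> Person
    actual: dict person_id -> set of (system, entitlement) currently granted
    Returns a list of (action, person_id, system, entitlement) requests.
    Identities present on a target system but absent from the SoR are
    treated as orphans: everything they hold is revoked.
    """
    requests = []
    for pid in sorted(set(sor) | set(actual)):
        have = actual.get(pid, set())
        want = expected_entitlements(sor[pid]) if pid in sor else set()
        for system, ent in sorted(want - have):
            requests.append(("grant", pid, system, ent))
        for system, ent in sorted(have - want):
            requests.append(("revoke", pid, system, ent))
    return requests


def sod_violations(actual):
    """Return (person_id, entitlement_a, entitlement_b) for each toxic combination held."""
    found = []
    for pid, ents in sorted(actual.items()):
        for a, b in SOD_RULES:
            if a in ents and b in ents:
                found.append((pid, a, b))
    return found


# Constructed sample: a joiner missing access, a leaver still holding access,
# a person with a toxic combination, and an orphan account unknown to HR.
SAMPLE_SOR = {
    "p100": Person("p100", "active", frozenset({"ap-clerk"})),
    "p200": Person("p200", "terminated", frozenset({"developer"})),
    "p300": Person("p300", "active", frozenset({"ap-clerk", "ap-manager"})),
}
SAMPLE_ACTUAL = {
    "p100": {("erp", "create-vendor")},
    "p200": {("git", "push")},
    "p300": {("erp", "create-vendor"), ("erp", "enter-invoice"), ("erp", "approve-payment")},
    "svc-old": {("ad", "vpn-users")},
}

if __name__ == "__main__":
    for req in reconcile(SAMPLE_SOR, SAMPLE_ACTUAL):
        print("request:", *req)
    for pid, a, b in sod_violations(SAMPLE_ACTUAL):
        print(f"SoD violation: {pid} holds {a} and {b}")
```

Two design points are worth noting. The reconciliation treats absence from the system of record as grounds for revocation, which is how orphan and dormant accounts get cleaned up without anyone having to file a request. The SoD check runs over actual holdings rather than the role model, because in the sample the conflict comes from the role assignment itself (p300 is both clerk and manager); that finding is something an approver or certifier should decide on, not something to auto-revoke.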


6.4 HiPM features

Password synch:

• Reduce the number of passwords per user.

Self-service:

• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted drive with forgotten pre-boot password.

Value-add:

• 2FA – built-in for all users, including via mobile app.
• Federated access – replace other apps’ login screens.
• Password vault – users can store unmanaged passwords.

Access from:

• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.

Assisted service:

• Password, token PIN, intruder lockout.

Policy enforcement:

• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.

Managed enrollment:

• Security questions.
• Login IDs.
• Mobile phone numbers.


6.5 HiPAM features

Auto-discovery:

• Find systems, accounts.
• Automatically attach policies via rules.

Passwords:

• Randomize on a schedule and after use.
• Store in an encrypted, replicated, distributed vault.

Authorization:

• Policy-driven rules.
• Pre-authorized, or request/approval workflow if not routine.

Grant access:

• Single sign-on (login once, launch many).
• Request multiple accounts, run commands across them.
• Launch SSH, RDP, vSphere, SQL, etc.
• Direct connection, VDI proxy or HTML5 proxy.
• Password display and copy buffer integration.
• Temporary group membership or SSH trust.

Application passwords:

• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API replaces embedded passwords.

Logging:

• Requests, approvals, logins to privileged accounts.

Session monitoring:

• Screen, keyboard, webcam, process ID, window title, etc.
• Keylog censorship protects passwords, SSN, CC numbers, etc.
• Request/approval workflow protects staff privacy.
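Keylog censorship in session monitoring means masking secrets before keystrokes are stored for later search and playback; once a password or card number is in the recording, every reviewer of that recording can read it. The following is an added example in Python, not Hitachi ID's implementation, showing one way such a filter can work: any keystroke line typed immediately after a password-style prompt is masked wholesale, and SSN and card-number patterns are redacted from other keystroke lines, with a Luhn check so that ordinary digit runs (order numbers, timestamps) are left intact. The session transcript and its regexes are constructed for illustration.

```python
import re

# Screen output ending in a password-style prompt: the next keystroke line is a secret.
PROMPT_RE = re.compile(r"pass(word|phrase|code)?\s*:\s*$", re.IGNORECASE)
# US social security number pattern (constructed; real deployments would add more).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits with optional spaces or dashes; confirmed with a Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in candidate pass the Luhn checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_card(match: re.Match) -> str:
    """Replace a digit run only if it is a plausible card number."""
    text = match.group(0)
    return "[CARD]" if luhn_ok(text) else text


def censor_session(session):
    """session: list of (kind, text) where kind is "out" (screen output)
    or "key" (keystrokes). Returns a new list with secrets masked."""
    censored = []
    expect_secret = False
    for kind, text in session:
        if kind == "key":
            if expect_secret:
                text = "[PASSWORD]"        # never store what follows a password prompt
                expect_secret = False
            else:
                text = SSN_RE.sub("[SSN]", text)
                text = CARD_RE.sub(_redact_card, text)
        else:
            expect_secret = PROMPT_RE.search(text) is not None
        censored.append((kind, text))
    return censored


# Constructed sample transcript; nothing here is a real account, SSN or card.
SAMPLE_SESSION = [
    ("out", "login as: admin"),
    ("key", "admin"),
    ("out", "Password:"),
    ("key", "Tr0ub4dor&3"),
    ("out", "$ "),
    ("key", "update customers set ssn='123-45-6789', card='4111 1111 1111 1111' where id=7"),
    ("out", "$ "),
    ("key", "echo order 1234567890123 shipped"),   # 13 digits, fails Luhn: left alone
]

if __name__ == "__main__":
    for kind, text in censor_session(SAMPLE_SESSION):
        print(f"{kind}: {text}")
```

The prompt-driven rule is the important one: a password typed at a prompt has no recognisable pattern, so only context (the prompt that preceded it) tells the filter to mask it. Pattern-based redaction covers data that has a shape, and the Luhn check keeps it from blanking every long number an administrator types.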

7 Technology


7.1 Delivery options

On-premises:

What/where:

• Conventional software; or
• Virtual appliance.
• Managed by customer IT; or
• managed by Hitachi ID remotely; or
• managed by a partner.

Charges:

• Software: license, annual maintenance.
• Virtual appliance: add OS, DB licenses.
• Managed service: add annual fee.

Hosted / SaaS:

What/where:

• Dedicated instance per customer.
• Minimum two servers, locations.
• Proxy server on-premises.
• Managed by Hitachi ID.
• Regular upgrades.

Charges:

• Monthly per-user fee.
• Commitment for minimum quantity, duration.


7.2 Active-active architecture

Diagram: active-active architecture. Hitachi ID servers run in two data centers (data center A and data center B) with replication between them, behind load balancers and firewalls; a proxy server in a remote data center is used if needed. Inbound paths are a reverse web proxy, VPN server, IVR server and mobile proxy (mobile UI), and SaaS apps in the “cloud” are reached over HTTPS. Integrations shown: e-mail system (notifications and invitations), ticketing system (tickets), HR (system of record), password synch trigger systems (native password change, validate password), and managed endpoints, either with a remote agent (AD, SQL, SAP, Notes, etc.; MS SQL databases; AD, Unix, z/OS, LDAP, iSeries) or a local agent (z/OS). Transports labelled: TCP/IP + AES, various protocols, secure native protocol, HTTPS.


7.3 Key architectural features

Diagram: the active-active architecture from 7.2 (SaaS apps in the “cloud”, data center A, data center B, remote data center; TCP/IP + AES, various protocols, secure native protocol, HTTPS), annotated with the key architectural features:

• Reach across firewalls.
• Load balanced.
• On premises and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.


7.4 IAMaaS architectural overview

Diagram: IAMaaS architectural overview. Inside the IaaS provider network, two VLANs / locations (Location 1 and Location 2) each host an IAM app server, IAM database and mobile proxy, separated from the Internet by firewalls. In the private corporate network, behind its own firewall, an IAM proxy fronts the HR DB, AD and on-premises apps; SaaS apps are reached across the Internet.

7.5 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.

Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.

Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.

Server OS – Unix: Solaris, AIX and HP-UX.

Server OS – Mainframe: RACF, ACF/2 and TopSecret.

Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.

ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.

Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.

Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.

Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.

Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.

PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.

Server health monitoring: HP iLO, Dell DRAC and IBM RSA.

HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.

Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.

Hypervisors and IaaS: AWS; vSphere and ESXi.

Mobile management: BlackBerry Enterprise Server and MobileIron.

Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.

Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.

SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.

Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.


7.6 Integration with custom apps

• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.

• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

8 Key competitors

8.1 Hitachi ID Competitors

Diagram: competitor landscape, grouped into Tier-1, Tier-2 and Boutique vendors and positioned by overlap and technology.


9 Recorded demos

9.1 Access request (new contractor)

Animation: ../../pics/camtasia/v10/hiim-onboarding-contractor-original-resolution.mp4

9.2 Self service creation of a new Active Directory group

Animation: ../../pics/camtasia/suite11/higm-group-create.mp4

9.3 Access review by managers

Animation: ../../pics/camtasia/suite11/org-cert.mp4

9.4 Password reset with WiFi, VPN and 2FA

Animation: ../../pics/camtasia/v10/hipm-ssa-windows-10.mp4

9.5 Federated access launchpad

Animation: ../../pics/camtasia/v10.1/federated-launchpad.mp4

9.6 Request and launch PuTTY to Linux

Animation: ../../pics/camtasia/v10/hipam-linux-preauth.mp4

9.7 Request, approve and play recording

Animation: ../../pics/camtasia/suite11/hipam-view-playback-nb.mp4

10 Differentiation


10.1 IM: What others miss

• Figuring out what to request is hard!

– Intercept ’access denied’ errors and navigate to the appropriate request page.
– Compare user A to user B.
– Suggestions based on a statistical model.

• Implementation can be costly/risky/long:

– Rich process automation, quickly with Hitachi ID Identity Express.
– Services are a cash cow for some competitors.

• This should be just one product.

– "Provisioning," "Governance" and group management in one product.
– Others have up to 8 (Oracle). Cash grab?

• Process automation is essential.

– Some vendors (e.g., SailPoint) really only offer access cert.
– Customers spend millions without automating anything.

• BYOD for faster approval without a possibly insecure public URL.
• Connectors are important.

– In base price, easy to turn on.
– With some products, this is either complicated or costly.

10.2 PM: What others miss

• Accessible from the PC login screen?

– While off-site?

• Self-service if the user forgot their pre-boot (crypto) password?
• Is 2FA included, in the base price?
• Is federated access and SSO included?
• Can users get to it with their phones?

– Without exposing this sensitive app to the Internet?

• Does it automatically remind users to enroll?

– ROI depends on user adoption.
– Strong user engagement is mandatory.

• Can it manage every password, not just AD/Windows logins?

– Mainframe/legacy?
– SaaS like SalesForce.com, O365, Google, WebEx?
– ERP like SAP or Oracle EBS?
– Custom apps and vertical market apps?

• Can it manage other credentials, like PINs on smart cards and tokens?


10.3 PAM: What others miss

• An active-active replicated architecture.

– Zero effort and delay to "recover" from a disaster.
– Imperative in an emergency.
– All competitors have a single point of failure, warm-standby architecture.

• Should be able to launch any kind of session, grant any kind of privilege:

– Hitachi ID supports non-human accounts, SSH trust, group memberships, etc.
– Some competitors are just SSH/RDP proxies – very limited.

• Convenient, flexible logins to managed accounts:

– Login once, launch many sessions.
– Request multiple accounts at once.
– Direct connection (scales well).
– VDI proxies (flexible, commodity).
– HTML proxies (for untrusted clients/vendors, lowest cost).
– Competitors mainly rely on "jump server" approaches (no SSO, not scalable).

• Automation must scale:

– Discover systems, accounts; classify, connect and onboard.
– Most competitors are missing this.

• Some products are still delivered as appliances.

– The 1990s called and they want their hardware back...

11 Hitachi ID Suite summary

• Three integrated IAM products, licensed to over 14M users, that can:

– Discover and connect identities across systems and applications.
– Securely and efficiently manage identities, groups, entitlements and credentials.
– Secure and monitor access to privileged accounts.
– Provide strong authentication and federated sign-on.

• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.


12 Bonus: phrases to listen for

If you hear these phrases, there may be an opportunity...

• Identity (administration|management|governance)
• Access (administration|management|governance)
• Password (reset|synchronization)
• Single sign-on or SSO
• Privileged (user|account|ID|identity|password|access|session) management
• Federated (access|identity)
• (Strong|Two-factor (2FA)|Multi-factor (MFA)) authentication

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23 File: PRCS:pres