
1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Administration and governance of identities, entitlements and credentials.

2 Agenda

• Introductions.
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Why identity management?
• The Hitachi ID solution.
• Hitachi ID identity management technology.
• Competitive advantage.

© 2017 Hitachi ID Systems, Inc. All rights reserved. 1


3 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.


4 Representative customers


5 Integration With Other IAM Infrastructure

[Diagram: Hitachi ID Suite core infrastructure (automation, self-service requests, authorization workflow, consolidated reporting, auto-discovery, reliable updates, target connectors, help desk integrations, database replication) integrating with E/SSO, WebSSO/WebAM, directory, meta directory, virtual directory and system of record. Product modules shown: Hitachi ID Password Manager, Identity Manager, Group Manager, Login Manager, Org Manager, Privileged Access Manager, Phone PW Manager and Access Certifier.]

6 Why IAM?

Managing user identity information separately on multiple systems creates business problems:

• Access termination across multiple systems is both slow and unreliable. As a result, terminated employees and contractors retain access.

• Users accumulate excess entitlements, violating SoD policies and regulations such as SOX and HIPAA.

• Users lose productivity waiting for needed entitlements.
• Administrative changes spanning systems are redundant and expensive.
• Forgotten passwords create costly help desk call volume.
• Weak audit trails → lack of accountability, failed audits.


7 Shared IAM Infrastructure

• Managing users separately on each system is too hard.

• Simplify: manage users and groups with a shared, global infrastructure.

• Continue to map groups to privileges inside each system.

[Diagram: users and groups managed through one shared IAM infrastructure, with groups still mapped to privileges inside each target system.]

8 Defining enterprise IAM

Enterprise Identity and Access Management (IAM) is process and technology to manage identities, entitlements and credentials for modest numbers of users (<1,000,000).

[Diagram: enterprise IAM components: user provisioning, password management, virtual and meta directories, access reporting.]

• Many integrations (5 to 5,000).
• No single system of record.
• Pre-existing users, dirty data.
• ID mapping across systems.


9 Hitachi ID Suite in the user lifecycle

Columns: lifecycle stage; automation; self-service / request workflow; policy enforcement.

Onboarding
• Automation: from HR (employees).
• Self-service / request workflow: Web UI (contractors).
• Policy enforcement: role-based setup; standardized IDs, OU, mail store, etc.

Management
• Automation: identity synchronization; automatic role changes.
• Self-service / request workflow: applications; group membership; profile updates.
• Policy enforcement: SoD enforcement; authorize changes; ID mapping.

Support
• Self-service / request workflow: password reset; resolve "access denied" errors.
• Policy enforcement: password strength; password expiry.

Deactivation
• Automation: auto-termination.
• Self-service / request workflow: access certification; scheduled terminations.
• Policy enforcement: archive mailboxes, home dirs, etc.


10 HiPM features

Password synch:

• Reduce the number of passwords per user.

Self-service:

• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted filesystem with forgotten pre-boot password.

Value-add:

• 2FA – built-in for all users, including via mobile app.
• Federated access – replace other apps’ login screens.
• Password vault – users can store unmanaged passwords.

Access from:

• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.

Assisted service:

• Password, token PIN, intruder lockout.

Policy enforcement:

• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.

Managed enrollment:

• Security questions.
• Login IDs.
• Mobile phone numbers.


11 HiIM features

Automation:

• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.

Request portal:

• Users can request for themselves or others.
• Access control model limits visibility, requestability.

Certification:

• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.

Workflow:

• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.

Policies, controls:

• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.

Integrations:

• 120+ bidirectional connectors, included.
• Manage mail boxes, home directories, badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.


12 HiGM features

Hitachi ID Group Manager enables self-service administration of user access to network resources – shares, folders, etc.:

• Intercept:

– The Windows "Access Denied" error dialog and send users to the appropriate workflow / group membership request screen.

• Browse:

– Users find the resources they want using HiGM.

• Request:

– Users ask for access to a resource (no knowledge of groups required).

• Map:

– HiGM maps user requests to group membership.

• Route:

– A workflow request is created dynamically and sent to the group’s owner plus anyone else specified by policy.

• Provision:

– Upon approval, the user is added to the appropriate group.

• Notify:

– Users and authorizers are sent thank-you notes.


13 HiAC features

HiAC automates periodic review and cleanup of user entitlements:

• Capture:

– Auto-discovery creates a clear picture of the actual state of user entitlements across the enterprise.

• Leverage org-chart:

– Management relationships can be used to structure a certification round. Allows delegation of access review, cleanup and certification to managers.

• Notify:

– Automated e-mail reminders to managers, app owners and other stake-holders.

• Certify:

– Entitlements are either certified or flagged for removal.

• Sign off:

– Stake-holders must sign off on completed reviews.

• Action:

– Upon approval (if required), the offending entitlements are automatically removed and the user is brought back into compliance.

• Report:

– Full reports to satisfy audit requests are available.
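The capture, certify, sign-off, action and report steps above, together with the SoD enforcement listed under the HiIM policies and controls, as an added Python example (constructed sample data and function names of this example's own, not Hitachi ID code): a certification round routed to each user's manager via the org chart, which pre-flags SoD conflicts, refuses sign-off while items are still pending, and emits deprovisioning requests only for reviewers who have signed off.

```python
# Toy access-certification round (added example, not Hitachi ID code).
# Steps: capture entitlements, route review to the manager from the org
# chart, auto-flag SoD conflicts, require sign-off, then action and report.
# All users, roles, managers and SoD rules below are constructed sample data.

# Capture: who holds what today (constructed).
ENTITLEMENTS = {
    "alice": {"AP_CLERK", "VENDOR_ADMIN", "CRM_USER"},
    "bob": {"CRM_USER", "GL_POSTING"},
    "carol": {"GL_POSTING", "AP_APPROVER"},
}
ORG_CHART = {"alice": "mgr1", "bob": "mgr1", "carol": "mgr2"}
# SoD policy: nobody may hold both roles of a pair (constructed rules).
SOD_RULES = [("AP_CLERK", "VENDOR_ADMIN"), ("GL_POSTING", "AP_APPROVER")]

def sod_violations(user):
    """Return the SoD rule pairs that this user currently violates."""
    return [pair for pair in SOD_RULES if ENTITLEMENTS[user].issuperset(pair)]

def start_round():
    """Seed every (user, entitlement) as pending; SoD hits are pre-flagged."""
    decisions = {(u, e): "pending" for u, ents in ENTITLEMENTS.items() for e in ents}
    for user in ENTITLEMENTS:
        for _, second in sod_violations(user):
            decisions[(user, second)] = "revoke"  # flag the second role of the pair
    return {"decisions": decisions, "signed_off": set()}

def review(rnd, manager, user, ent, keep):
    """Certify step: only the user's manager (per the org chart) may decide."""
    if ORG_CHART[user] != manager:
        raise PermissionError(f"{manager} is not the manager of {user}")
    rnd["decisions"][(user, ent)] = "certified" if keep else "revoke"

def sign_off(rnd, manager):
    """Sign-off is refused while any of the manager's items are still pending."""
    pending = [k for k, v in rnd["decisions"].items()
               if v == "pending" and ORG_CHART[k[0]] == manager]
    if pending:
        raise ValueError(f"{manager} has unreviewed items: {pending}")
    rnd["signed_off"].add(manager)

def deprovisioning_requests(rnd):
    """Action step: revoke only items whose responsible manager has signed off."""
    return sorted(k for k, v in rnd["decisions"].items()
                  if v == "revoke" and ORG_CHART[k[0]] in rnd["signed_off"])

def report(rnd):
    """Audit report: counts per decision, plus revocations actually actioned."""
    out = {s: sum(v == s for v in rnd["decisions"].values()) for s in ("certified", "pending")}
    return {**out, "revoked": len(deprovisioning_requests(rnd))}
```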


14 Cost Savings

Columns: cost item; before; after; savings.

Help desk cost of password resets
• Before: 10,000 x 3 x $25 = $750,000 / year
• After: 10,000 x .6 x $13 = $78,000 / year
• Savings: $672,000 / year

New hire lost productivity
• Before: 10,000 x 10% x 10 x $400 x 50% = $2M / year
• After: 10,000 x 10% x 1 x $400 x 50% = $200,000 / year
• Savings: $1.8M / year

Access change lost productivity
• Before: 10,000 x 2 x 2 x $400 x 10% = $1.6M / year
• After: 10,000 x 2 x 1 x $400 x 10% = $800,000 / year
• Savings: $800,000 / year

15 IAM strengthens security

• Reliable, prompt and complete access deactivation.
• Robust authentication prior to changes to credentials, access.
• Policy around:

– Password complexity / reuse / expiry.
– Non-password authentication.
– Access request approval routing.
– Segregation of duties.
– Access review/certification.
– Shared account password changes.
– New-user and per-role entitlements.

• Audit:

– Who has what?
– Access request/approval/grant history?

• Regulatory compliance: governance- and privacy-related rules.


16 Scalability and fault-tolerance

• Multiple, load-balanced Hitachi ID Suite servers:

– Active/active architecture.

• Data replication between nodes:

– Built-in, easy to configure.
– WAN-friendly (high latency, low bandwidth, insecure channels).
– Reliable (multiple retry queues).

• Native code and SQL stored procedures run faster than Java and object persistence frameworks.
• Proxy servers resolve connection problems:

– Across firewalls.
– Over slow, insecure network routes.

• Large production deployments:

– 5M users.
– 130,000 managed systems.
– 12 load balanced IAM servers.
– 10,000 completed transactions/hour.

17 The Hitachi ID Solution is Flexible

Customize:

• Every aspect of the user interface.
• Input validation.
• Attribute mapping to target systems.

Integrate with:

• 120+ target system types.
• Call tracking systems.
• HR systems.
• Authentication hardware.
• Meta directories.
• IVR servers.

Enforce:

• Password policy.
• Authentication rules.
• Change authorization rules.
• User naming standards.


18 Rapid deployment and low TCO

Optimized to minimize effort:

• Hitachi ID Identity Manager:

– Initial deployment: 2 – 4 months.
– Ongoing maintenance: 0.5 – 1.0 FTE.

• Hitachi ID Password Manager:

– Initial deployment: 1 – 2 months.
– Ongoing maintenance: 0.25 – 0.5 FTE.

Using Hitachi ID Suite technology:

• Hitachi ID Identity Express – typical use cases preconfigured.
• Built-in discovery, mapping of IDs, entitlements.
• Managed user enrollment (e.g., Q&A).
• Client software optional.
• Policy driven workflow, included.
• Implementer process for small apps.
• RBAC (can be costly) is optional.
• 120 connectors out of the box (more easy to add).

19 Active-active architecture

[Diagram: active-active architecture. Data center A and data center B each hold load balancers and Hitachi ID servers, replicating to each other over TCP/IP + AES; a remote data center is reached through a proxy server (if needed). Peripheral systems: reverse web proxy and VPN server ("cloud" access), IVR server, e-mail system (notifications and invitations), ticketing system (tickets), HR system of record, mobile proxy and mobile UI, SaaS apps, firewalls. Managed endpoints: AD, SQL, SAP, Notes, etc. via remote agent; z/OS via local agent; MS SQL databases; password synch trigger systems with native password change and validation on AD, Unix, z/OS, LDAP and iSeries. Links carry various protocols, a secure native protocol and HTTPS.]


20 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.

Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.

Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.

Server OS – Unix: Solaris, AIX and HP-UX.

Server OS – Mainframe: RACF, ACF/2 and TopSecret.

Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.

ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.

Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.

Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.

Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.

Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.

PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.

Server health monitoring: HP iLO, Dell DRAC and IBM RSA.

HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.

Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.

Hypervisors and IaaS: AWS; vSphere and ESXi.

Mobile management: BlackBerry Enterprise Server and MobileIron.

Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.

Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.

SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.

Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

21 Rapid integration with custom apps

• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.

• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.

• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.


22 Technology advantages

Unique features:

• Intercept "Access Denied" errors to simplify requests.
• Formulate requests by comparing users.
• Rapid approvals, including from BYOD.
• Access rights based on relationships.
• Combine auto- and manual fulfillment.
• SoD engine actually works.

Rapid deployment:

• Hitachi ID Identity Express accelerates deployment.
• Key features built-in:

– Request forms.
– Authorization workflow.
– Access certification.

• Customers actually automate processes, don’t get stuck in "clean up" of legacy data.

Scalable platform:

• Real-time data replication.
• Multi-master, active-active.
• Proxy server to cross firewalls.
• Native code + stored procedures.

Integrations:

• 120+ included connectors.
• Flexible/scriptable connectors.
• Incident management/ticketing.
• SIEM.

23 Hitachi ID Suite summary

• Three integrated IAM products, used by over 14M users, that can:

– Discover and connect identities across systems and applications.
– Securely and efficiently manage entitlements and credentials.
– Secure and monitor access to privileged accounts.

• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

Date: 2017-12-08 File: PRCS:pres