1 Hitachi ID Password Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Reasons to upgrade, migration process. Version 11.1.1 is current.
2 Focus on password management
This presentation focuses on Hitachi ID Password Manager, not other Hitachi ID Suite products.
• Details for organizations currently using 6.x through 11.x.
• Architectural changes.
• New features.
• Upgrade path.
• Services.
© 2019 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Why upgrade?
• Improve metrics:
– Increase proportion of users who have enrolled Q&A.
– "Re-think" the questions being asked of users to comply with today’s policies.
– Increase adoption of self-service.
– Reduce help desk calls due to login problems.
• Increase accessibility:
– Pre-boot – full disk encryption software / password prompt.
– Windows login screen – on-premises and off-site.
– BYOD – Android, iOS device.
• Solve real world problems:
– Call volume creeping back up.
– Users increasingly off-site, can’t access password reset.
– Deploying full disk encryption, need self-service unlock pre-boot.
– Refresh integrations – Windows 2016, Office 365, SaaS apps, etc.
• Security, cloud:
– SaaS applications call for more than just a password login.
– Hitachi ID Password Manager now includes federated access and 2FA, out-of-the-box.
4 Platform changes from 6.x
4.1 SQL replaces embedded DB
| 6.x | Now | Notes |
|---|---|---|
| Embedded: CodeBase. | SQL Server 2016/12. | Standard, scalable, open. |
| DB replication built-in. | N/C | Easier, more secure than DB-native. |
| Multi-master architecture. | N/C | If it’s not broken... |
| DB on each server. | Local or separate DB. | Scale up with more HW. |
| 1 DB instance per PW server. | DB can be shared. | Leverage corporate DB clusters. |
| Limited Unicode support (e.g., security Qs). | Full Unicode support (e.g., attributes, IDs). | Better for Asian users. |
| Direct access to data. | All access via stored procs. | Better performance. |
4.2 Other architectural improvements
• Password synchronization trigger:
– Used to run 100% as a DLL in kernel-space on Windows servers.
– Now a service offloads much of the work.
– Less code running in the kernel.
– New features: user filtering, queue/retry.
• Logging subsystem:
– Individual log files are gone.
– High performance, consolidated logging system added.
– Easier to plug into SIEM, syslog, etc.
– Search/examine from web UI.
• Continuous operation:
– No more brief outage to merge databases nightly.
– Helpful for truly global organizations.
• Multiple password policies:
– Per group of systems (if mutually exclusive requirements).
– Per group of users (based on risk).
• 64-bit code (faster, more scalable).
• Newer crypto algorithms (256-bit AES, SSHA-512).
4.3 Improved usability, updated UI
• A comprehensive usability study was completed:
– Untrained, non-technical users asked to perform tasks.
– Sessions recorded and analyzed.
– UI "tweaked" – nav, instructions, layout and more.
– More users asked to repeat, to validate results.
• The entire UI was refreshed as a result:
– Easier to navigate.
– Easier to understand.
– Less time per session.
• Other changes:
– Left-side navigation bar dropped – easier to embed UI in portals.
– Overhauled login screens, to support new authentication models.
– Dynamic evaluation of password policy compliance as you type.
4.4 Single instance with IAM
• User signs on to manage identity, entitlements, credentials.
• Examples:
– Change my password(s).
– Enroll or update security questions.
– Enter mobile number, personal e-mail address.
– Update mailing address.
– Request access to a share, folder or app.
– Lookup co-worker and add contact to mobile.
– Recertify users, entitlements.
– Approve/reject open requests.
5 Platform changes since 7.x
5.1 One-click: new node
• Easier to add an app node:
– Increase capacity.
– Recover from hardware or facility problem.
• Replicas:
– Need not be configured in advance.
– Are somewhat disposable.
• Mechanism:
– Configure a new replica, in disabled state.
– Send it a full data set.
– Queue up changes while sending bulk data.
– Enable the node when ready.
– Aware of schema dependencies – sends data over in a safe order.
• No down-time.
5.2 Replication Setup Screen
5.3 Multiple skins per instance
• Default skins on a new install:
– Full UI (including branding, nav).
– Unbranded (for embedding in IFRAME).
– Kiosk-mode (full screen, limited nav).
– Mobile (works well on phones).
• Skins and language translations are independent.
– Example: 4 skins, 5 languages means 20 UIs.
• NOTE: pre-8.2 UI customization needs to be adjusted to work in the new framework.
6 Policy engines and connectors
6.1 Adaptive Authentication
• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?
6.2 User classes
User classes define sets of individual users or types of relationships between users:
• Sets of users:
– By group membership.
– In an OU.
– Having certain attributes.
• Types of relationships:
– Shared attributes (e.g., department, location).
– Group membership of participants (e.g., security team).
– Direct or indirect manager.
User classes are a natural way to define security policy:
• Route requests (requester + recipient/authorizer).
• Invite reviewers (user/certifier).
• Escalate requests (old/new participants).
• Limit visibility (viewer/user profile).
• Define what is requestable (requester/recipient).
6.3 Included connectors
• Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
• Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
• Server OS – X86/IA64: Windows: NT through 2016; Linux and *BSD.
• Server OS – Unix: Solaris, AIX and HP-UX.
• Server OS – Mainframe: RACF, ACF/2 and Top Secret.
• Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
• ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
• Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
• Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
• Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
• Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
• PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
• Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
• HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
• Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
• Hypervisors and IaaS: AWS; vSphere and ESXi.
• Mobile management: BlackBerry Enterprise Server and MobileIron.
• Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
• Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
• SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
• Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.
6.4 Integration with custom apps
• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 / sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
7 Maximizing and monitoring adoption
7.1 Notification subsystem
The notification system controls when Hitachi ID Suite initiates communication with users. It is key to high user adoption rates.
• Notification types: Batch/e-mail. Interactive/popup web browser.
• Notification levels: Information. Warning. Forced (lock down PC until action completed).
• Notification triggers: Incomplete profile (e.g., security questions). Password expiry (imminent or past). Expression in terms of identity attributes.
• Consequent actions: Complete enrollment. Change passwords. Visit a specified URL.
• Process throttling: N invitations/day. Maximum frequency/message/user. Date – day of week – time of day controls.
7.2 Scheduled reports
7.3 Language support
The Hitachi ID Password Manager UI can be rendered in many languages:
Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves.
7.4 Self-Service, Anywhere
Self-service is complicated by connectivity and device options.
• User location:
– Work.
– Home.
– Airport.
– Cafe.
– Partner office.
• Endpoint device:
– Laptop.
– Tablet.
– Smart phone.
• Connectivity:
– Wired at work.
– Wired at home.
– WiFi at home.
– Public WiFi.
– Tethered phone.
– Cell modem.
• Reset/unlock:
– Network password.
– Cached password.
– Smart card PIN.
– Token PIN.
– Encrypted drive.
Example scenarios supported by Hitachi ID Password Manager:
• Reset forgotten, cached AD password at airport.
• Recover from forgotten full disk encryption password (via phone).
7.5 Password reset with WiFi, VPN and 2FA
Animation: ../../pics/camtasia/v10/hipm-ssa-windows-10.mp4
8 Smart phone app / BYOD
8.1 BYOD access to on-premises IAM system
The challenge:
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don’t want attackers probing IAM from the Internet.
Hitachi ID Mobile Access:
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy – no firewall changes.
• IAM not visible on Internet.
Diagram (outbound connections only): the personal device on the Internet and the IAM server on the private corporate network each connect outward through a firewall to the cloud proxy in the DMZ. (1) A worker thread on the IAM server asks the proxy, "Give me an HTTP request"; (2) the phone’s HTTPS request includes userID and deviceID; (3) a message passing system carries it between them.
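The rendezvous pattern above, as an added in-process Python sketch written for this page (not Hitachi ID's own Mobile Access or proxy code): the phone submits a request carrying userID and deviceID, and an IAM worker thread pulls it from the proxy with an outbound call rather than accepting any inbound connection. The CloudProxy class, the ACTIVATED table and the demo function are constructed assumptions.

```python
import queue
import threading
import uuid

ACTIVATED = {("alice", "phone-123")}  # constructed: (userID, deviceID) pairs that activated the app

class CloudProxy:
    """Rendezvous point in the DMZ/cloud: phone and IAM server both connect OUT to it."""
    def __init__(self):
        self._pending = queue.Queue()  # phone requests waiting for an IAM worker
        self._responses = {}           # request id -> [Event, response]

    # Phone side, step (2): HTTPS request carrying userID + deviceID; block for the answer.
    def submit_request(self, user_id, device_id, body, timeout=5.0):
        req_id = str(uuid.uuid4())
        done = threading.Event()
        self._responses[req_id] = [done, None]
        self._pending.put({"id": req_id, "userID": user_id,
                           "deviceID": device_id, "body": body})
        if not done.wait(timeout):
            self._responses.pop(req_id, None)
            raise TimeoutError("no IAM worker collected the request")
        return self._responses.pop(req_id)[1]

    # IAM side, step (1): a worker thread polls "give me an HTTP request" (outbound only).
    def get_request(self, timeout=1.0):
        try:
            return self._pending.get(timeout=timeout)
        except queue.Empty:
            return None

    # IAM side, step (3): hand the answer back to the waiting phone.
    def post_response(self, req_id, response):
        slot = self._responses.get(req_id)
        if slot is None:
            return False  # the phone already gave up waiting
        slot[1] = response
        slot[0].set()
        return True

def iam_worker_once(proxy):
    # One iteration of the IAM server's worker thread: pull, check activation, answer.
    req = proxy.get_request(timeout=2.0)
    if req is not None:
        known = (req["userID"], req["deviceID"]) in ACTIVATED
        proxy.post_response(req["id"], {"status": "ok" if known else "unknown-device"})

def demo(user_id, device_id):
    # Run one phone request through the proxy to an IAM worker thread.
    proxy = CloudProxy()
    threading.Thread(target=iam_worker_once, args=(proxy,), daemon=True).start()
    return proxy.submit_request(user_id, device_id, {"action": "list-requests"})
```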
8.2 Activate Mobile Access app
Animation: ../../pics/camtasia/suite11/enable-mobile-device-1.mp4
8.3 Mobile Access: QR 2FA
Animation: ../../pics/camtasia/suite11/hima-qr-2fa.mp4
8.4 Add contact to phone
Animation: ../../pics/camtasia/suite11.1/add-contact-to-phone-2.mp4
8.5 Unlock pre-boot password
Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4
8.6 Password change from mobile app
Animation: ../../pics/camtasia/suite11/hima-password-reset.mp4
9 MacOSX client support
9.1 MacOSX login access to password reset
9.2 MacOSX kiosk mode browser from login screen
10 Extranet-facing deployments
10.1 Social integration via OAuth and CAPTCHAs
• Mostly for Extranet access and B2C deployments.
• Enroll new users with their Facebook, Google, etc. account.
• Login using the same social credentials.
• reCAPTCHA and AreYouAHuman samples provided.
10.2 CAPTCHA Example
10.3 Social network integration
11 Federation and 2FA
11.1 SAMLv2 Federated IdP
• Externalize login process from third party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premise: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.
11.2 Policy-driven single sign-on
• Hitachi ID Password Manager can be used as an application launchpad for federated logins.
• Password Manager can also respond to SAML requests to authenticate and authorize user access (IdP responses to SP requests).
• Whether to allow user authentication to persist, and for how long, depends on policy:
– Is this a high risk user?
– Is the user connecting from an untrusted device or location?
– Is this a normal work day and time for the user?
• Policy uses rules to decide whether and for how long to persist login sessions.
11.3 Hitachi ID Mobile Access authentication factor
• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down, AD or RADIUS unreachable.
12 Personal password vault
12.1 Personal vaults
• Users want secure, convenient access to all their credentials, not just those related to work.
• Access should work on all devices (PC, phone, etc.).
• The user’s employer should not be able to access/decrypt this data – this is just a friendly service offered by IT, but not a compromise of PII.
• Similar to FastPass, LastPass, LogMeIn, etc. but no extra cost for employees.
• Built into Hitachi ID Password Manager starting with 10.0.
12.2 Personal password vault (use)
13 Persistent Listing (ver 11.x)
13.1 Persistent listing - technology
• The AD and AD-LDS connectors support persistent listing.
• A Persistent Connector Service (PCS) launches the connector in a special mode:
– Initially runs a full discovery.
– Keeps the connector attached to the target system.
• Every few seconds, the connector asks for directory changes:
– Changes may have originated on the DC or come from replication.
– Tokens track which changes have been exported.
– The process can be moved across servers or DCs without data loss.
• Changes:
– Update the internal Hitachi ID Suite database.
– Trigger the same business logic as bulk auto-discovery.
– Update cached user classes membership.
• A full synchronization is required after target configuration changes:
– Changed scope (OUs, domain names).
– Changes to attribute mapping.
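An added Python illustration of the token-tracking idea in 13.1 (example code written for this page, not Hitachi ID's connector or PCS code): FakeDirectory stands in for a DC with a USN-style change log, and PersistentLister keeps its last exported token and scope in a persisted store, so a second process can resume from that token with no lost changes and no repeat of the full listing, while a scope change forces a full synchronization. The class names, store layout and sample DNs are constructed assumptions.

```python
class FakeDirectory:
    """Constructed stand-in for a DC: append-only change log with USN-style numbers."""
    def __init__(self):
        self.log = []  # (usn, dn, attrs); usn grows monotonically
    def write(self, dn, **attrs):
        self.log.append((len(self.log) + 1, dn, attrs))
    def changes_since(self, token):
        return [c for c in self.log if c[0] > token]  # strictly newer than the token
    def full_discovery(self):
        state = {}
        for _, dn, attrs in self.log:
            state.setdefault(dn, {}).update(attrs)
        return state, (self.log[-1][0] if self.log else 0)

class PersistentLister:
    """Incremental consumer. Token (last exported USN), scope and the internal copy of
    the directory live in `store`, so a restarted or relocated process resumes exactly."""
    def __init__(self, directory, scope, store):
        self.dir, self.scope, self.store = directory, scope, store
        self.cache = store.setdefault("cache", {})  # internal Hitachi ID-style DB
        self.token = store.get("token")
        if self.token is None or store.get("scope") != scope:
            self.resync()  # first run, or changed scope: full synchronization
    def in_scope(self, dn):
        return dn.endswith(self.scope)
    def resync(self):
        state, self.token = self.dir.full_discovery()
        self.cache.clear()
        self.cache.update({dn: a for dn, a in state.items() if self.in_scope(dn)})
        self.store.update(token=self.token, scope=self.scope)
    def poll(self, on_change):
        for usn, dn, attrs in self.dir.changes_since(self.token):
            if self.in_scope(dn):
                self.cache.setdefault(dn, {}).update(attrs)
                on_change(usn, dn, attrs)  # same business logic as bulk auto-discovery
            self.token = usn
            self.store["token"] = usn  # commit after every change, never ahead of it

def demo():
    dc, store, seen = FakeDirectory(), {}, []
    dc.write("CN=alice,OU=Staff,DC=corp", memberOf=["Users"])
    first = PersistentLister(dc, "OU=Staff,DC=corp", store)  # full discovery
    dc.write("CN=alice,OU=Staff,DC=corp", memberOf=["Users", "Admins"])
    dc.write("CN=svc,OU=Service,DC=corp", memberOf=[])       # outside scope
    first.poll(lambda usn, *_: seen.append(usn))
    dc.write("CN=bob,OU=Staff,DC=corp", memberOf=["Users"])  # written during the move
    moved = PersistentLister(dc, "OU=Staff,DC=corp", store)  # resumes from token, no full listing
    moved.poll(lambda usn, *_: seen.append(usn))
    return seen, moved.token, sorted(moved.cache)
```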
13.2 Configure persistent listing
13.3 Impact of persistent listing
• It is feasible to integrate with very large directories:
– 10,000,000 objects.
– Long-running discovery is no longer a constraint.
• Auto-discovery time is significantly reduced:
– Listing and loading from AD usually takes longer than other targets.
– Removing list + load times from AD can cut periodic auto-discovery time in half.
– It becomes feasible to run all remaining discovery tasks more often.
• New accounts, group memberships have an immediate impact:
– Unauthorized group membership? Revoke and alert in real time.
– Change in group membership or attribute? Can perform newly-authorized actions immediately.
– New account onboarded? Can manage passwords without delay.
14 Migration
14.1 Implementation steps
Platform:
• Deploy new VMs.
• Windows 2016/12.
• SQL 2016/12.
Install, configure app:
• Setup replication.
• UI branding.
• Policies: password quality, auth methods, access controls.
• Notifications: enrollment, password expiry.
• Reports, analytics.
Integrations:
• Target systems, Client tools.
• E-mail, Help desk / ticketing, SIEM / SYSLOG.
• Interceptor on AD DCs.
• Encrypted filesystem unlock.
• VPN for off-site password reset.
• Cloud for mobile access.
Data migration:
• Security questions.
• Login ID aliases.
• Password history (hashes).
15 Demo
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]
Date: 2019-11-21 | 2019-11-21 File: PRCS:pres