1 Hitachi ID Identity Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Entitlement administration and governance: Automation, requests, approvals, recertification, SoD and RBAC.
2 Agenda
• Corporate
• Hitachi ID Identity Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation
3 Corporate
© 2016 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
3.2 Representative customers
3.3 Hitachi ID Suite
4 Hitachi ID Identity Manager
4.1 Compliance / internal controls
Challenges:
• Slow and unreliable deactivation when people leave.
• Orphan and dormant accounts.
• Users with no-longer-needed access.
• Access that violates SoD policies or represents high risk.
• Unreliable approvals for access requests.
• Audit failures and regulatory risk.
Solutions:
• Automate deactivation based on the SoR (HR).
• Review and remediate excessive access (certification).
• Block requests that would violate SoD.
• Analyze entitlements to find policy violations and high-risk users.
• Automatically route access requests to the appropriate stakeholders.
4.2 Access administration cost
Challenges:
• Multiple FTEs required to set up and deactivate access.
• Additional burden on platform administrators.
• Audit requests can add significant strain.
Solutions:
• Automate access setup and tear-down in response to changes in systems of record (SoRs).
• Simple, business-friendly access request forms.
• Route requests to authorizers automatically.
• Automate fulfillment where possible.
• Help auditors help themselves:
– With certification, auditors focus on process, not entitlements.
– Reports and analytics.
4.3 Access changes take too long
Challenges:
• Approvers take too long.
• Too many IT staff required to complete approved requests.
• Service is slow and expensive to deliver.
Solutions:
• Automatically grant access:
– Where predicted by job function, location, ...
– Eliminate the request/approval process where possible.
• Streamline approvals:
– Automatically assign authorizers, based on policy.
– Invite participants simultaneously, not sequentially.
– Enable approvals from a smart-phone.
– Pre-emptively escalate when stakeholders are out of office.
• Automate fulfillment where possible.
4.4 Access requests are too complicated
Challenges:
• Requesting access is complex:
– Where is the request form?
– What access rights do I need?
– How do I fill this in?
– Who do I send it to, for approval?
• Complexity creates frustration.
Solutions:
• Auto-assign access when possible.
• Simplify request forms.
• Intercept "access denied" errors:
– Navigate users to the appropriate request forms.
• Compare entitlements:
– Help requesters select entitlements.
– Compare recipient and model user rights.
– Select from a small set of differences.
• Automatically assign authorizers based on policy.
5 Features
5.1 HiIM features
Inputs → Processes → Policies → Outputs
Inputs:
• Monitor SoRs (automation).
• Request portal:
– Self-service.
– Delegated.
– Access admin.
• Web services API.
Processes:
• Request forms.
• Approval workflows.
• Access certification.
• Manual fulfillment.
• Analytics.
Policies:
• Segregation of duties.
• Risk scores.
• Role based access control.
• Authorizer, certifier selection.
• Visibility / privacy protection.
Outputs:
• Connectors to 110 systems and applications.
• E-mail.
• Create/update/close tickets.
• Send events to SIEM.
5.2 Identity and entitlement lifecycle automation
• Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement lifecycles out of the gate:
– Joiners, movers, leavers processes.
– Password management, strong authentication and federation.
– Change requests, approval, review/certification.
– Driven by both SoR data and requests.
• No need to "clean up" entitlements before automating access changes.
• Roles can be added later: not a pre-requisite.
• Automate first, clean up afterwards:
– Unlike with competitors, automation is pre-configured and easy.
– Start with basic integrations, add connectors over time.
– Leverage automation and user knowledge to help clean up.
– Add roles and expand automation over time.
5.3 Monitoring systems of record
• Any target system can function as a system of record (SoR).
• Examples: HR apps, SQL databases, CSV files, ...
• Hitachi ID Identity Manager can monitor multiple SoRs:
– Multinationals: regional HR systems.
– Colleges: students vs. faculty/staff.
• Map attributes to user profiles and prioritize.
• Automatically submit access requests in response to detected changes.
• Users can submit pre-emptive or corrective requests:
– New hire not yet in HR.
– HR data is wrong.
– Override SoR data until HR updates it.
• Request portal handles users who never appear in SoRs:
– Contractors, partners, etc.
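The SoR monitoring loop described above, as an added example that is not Hitachi ID code: two snapshots of constructed HR and contractor extracts are merged by SoR priority, a pending pre-emptive request overrides the SoR until HR catches up, and the diff between snapshots yields joiner/mover/leaver events that map to access requests. The column names, sample rows, the priority order and the EVENT_ACTIONS table are all assumptions made for illustration.

```python
"""Added example (not Hitachi ID code): derive joiner/mover/leaver events by
diffing snapshots of systems of record (SoRs), merging several SoRs by
priority, and letting a pending corrective/pre-emptive request override SoR
data until HR catches up.  All field names and rows are constructed."""
import csv
import io
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Constructed extracts: an authoritative HR feed and a lower-priority
# contractor feed, each as a "before" and "after" snapshot.
HR_BEFORE = """emp_id,name,dept,status
1001,Alice Ng,Finance,active
1002,Bob Roy,Sales,active
1003,Cara Li,IT,active
"""
HR_AFTER = """emp_id,name,dept,status
1001,Alice Ng,Finance,active
1002,Bob Roy,Marketing,active
1004,Dan Oh,IT,active
"""
CONTRACTORS_BEFORE = """emp_id,name,dept,status
2001,Zed Wu,Vendor,active
"""
# The contractor feed still carries a stale copy of Bob; HR must win.
CONTRACTORS_AFTER = """emp_id,name,dept,status
2001,Zed Wu,Vendor,active
1002,Bob Roy,Sales,active
"""


@dataclass
class Profile:
    uid: str
    name: str
    dept: str
    status: str
    source: str  # which SoR (or "override") supplied the record


def parse_sor(text: str, source: str) -> Dict[str, Profile]:
    """Map a CSV extract to uid -> Profile; any table with a key column works."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["emp_id"]: Profile(r["emp_id"], r["name"], r["dept"], r["status"], source)
            for r in rows}


def merge_sors(snapshots: Dict[str, Dict[str, Profile]], priority: List[str]) -> Dict[str, Profile]:
    """Merge several SoRs; for a uid present in more than one, the SoR listed
    earliest in `priority` wins."""
    merged: Dict[str, Profile] = {}
    for source in reversed(priority):             # lowest priority first ...
        merged.update(snapshots.get(source, {}))  # ... so higher ones overwrite
    return merged


def apply_overrides(profiles: Dict[str, Profile], overrides: Dict[str, dict]) -> Dict[str, Profile]:
    """A user-submitted correction (new hire not yet in HR, wrong department)
    takes precedence over SoR data until the SoR itself is updated."""
    out = dict(profiles)
    for uid, fields in overrides.items():
        base = out.get(uid) or Profile(uid, "", "", "active", "override")
        out[uid] = replace(base, source="override", **fields)
    return out


def diff_snapshots(before: Dict[str, Profile], after: Dict[str, Profile]) -> List[Tuple[str, str, str]]:
    """Return (event, uid, detail) tuples for joiners, movers and leavers."""
    events = []
    for uid in sorted(set(before) | set(after)):
        b, a = before.get(uid), after.get(uid)
        was_active = b is not None and b.status == "active"
        is_active = a is not None and a.status == "active"
        if not was_active and is_active:
            events.append(("joiner", uid, a.dept))
        elif was_active and not is_active:
            events.append(("leaver", uid, b.dept))
        elif was_active and is_active and b.dept != a.dept:
            events.append(("mover", uid, f"{b.dept}->{a.dept}"))
    return events


# Assumed mapping from lifecycle event to the access requests automation submits.
EVENT_ACTIONS = {
    "joiner": ("create_accounts", "grant_birthright_access"),
    "mover": ("revoke_old_dept_access", "grant_new_dept_access", "trigger_recertification"),
    "leaver": ("disable_accounts", "revoke_all_entitlements", "schedule_deletion"),
}


def events_to_requests(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    return [(uid, action) for ev, uid, _ in events for action in EVENT_ACTIONS[ev]]


def run() -> List[Tuple[str, str, str]]:
    priority = ["hr", "contractors"]
    before = merge_sors({"hr": parse_sor(HR_BEFORE, "hr"),
                         "contractors": parse_sor(CONTRACTORS_BEFORE, "contractors")}, priority)
    after = merge_sors({"hr": parse_sor(HR_AFTER, "hr"),
                        "contractors": parse_sor(CONTRACTORS_AFTER, "contractors")}, priority)
    # Constructed pre-emptive request: Eve starts Monday but HR has no record yet.
    after = apply_overrides(after, {"1005": {"name": "Eve Kim", "dept": "IT"}})
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for ev in run():
        print(ev)
    print(events_to_requests(run()))
```

Note that Bob's department change is detected only because the HR feed outranks the contractor feed; with the priority reversed the stale contractor row would mask the move, which is why attribute mapping and SoR prioritization matter as much as the diff itself.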
5.4 Requester usability
• Users rarely know where or how to request access!
• Windows shell extension, SharePoint error page:
– Intercept "Access Denied" errors.
– Navigate user to appropriate request URL.
• Compare users:
– Compare entitlements between the intended recipient and a reference user.
– Select entitlements from the variance.
• Search for entitlements:
– Keywords, description, metadata/tags.
• Relationship between requester and recipient:
– What recipients can the requester see?
– What identity attributes are visible?
– What kinds of requests are available?
5.5 Robust, policy-driven workflow
• Workflow invites stakeholders to participate in processes:
– Approve or reject a request.
– Review entitlements and recertify or remediate.
– Fulfill an approved request.
– Extensible, e.g., audit cases.
• Stakeholders are invited based on policy:
– No flow-charts or diagrams required.
– Process is simple, transparent and secure.
– Routing may be based on relationships, resource ownership, risk.
• The process is robust, even when people aren’t:
– Invite N participants, accept response from M (M < N).
– Simultaneous invitations by default (sequential made sense for paper forms).
– Automatically send reminders.
– Escalate (e.g., to manager) if unresponsive.
– Check out-of-office message, pre-emptively escalate.
– Accessible from smart phone, not just PC.
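The robustness rules in the list above (N invited, M responses accepted, simultaneous invitations, reminders, escalation to a manager, out-of-office pre-emption), worked as an added example in Python. It is illustrative code rather than Hitachi ID's workflow engine; the people, the 24-hour and 72-hour thresholds and the simulated hour counter are assumptions.

```python
"""Added example (not Hitachi ID code): an N-of-M approval with simultaneous
invitations, reminders, escalation to the invitee's manager when unresponsive,
and pre-emptive escalation for invitees who are out of office.  Time is a
simulated hour counter; people and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

REMIND_AFTER_H = 24    # assumed: hours without a response before a reminder
ESCALATE_AFTER_H = 72  # assumed: hours without a response before the manager is invited


@dataclass
class Person:
    name: str
    manager: Optional[str] = None
    out_of_office: bool = False


@dataclass
class ApprovalRequest:
    required: int                                               # M: approvals needed
    invited_at: Dict[str, int] = field(default_factory=dict)    # N: who was invited, and when
    approved: Set[str] = field(default_factory=set)
    rejected: Set[str] = field(default_factory=set)
    reminded: Set[str] = field(default_factory=set)
    escalated: Set[str] = field(default_factory=set)
    state: str = "pending"
    log: List[str] = field(default_factory=list)


class Workflow:
    def __init__(self, directory: Dict[str, Person]) -> None:
        self.directory = directory

    def open(self, required: int, authorizers: List[str], now: int) -> ApprovalRequest:
        req = ApprovalRequest(required=required)
        for name in authorizers:        # everyone is invited at once, not in sequence
            self._invite(req, name, now)
        return req

    def _invite(self, req: ApprovalRequest, name: str, now: int) -> None:
        # Pre-emptive escalation: walk up the chain past anyone who is out of office.
        seen: Set[str] = set()
        while name not in seen:
            seen.add(name)
            person = self.directory[name]
            if person.out_of_office and person.manager:
                req.log.append(f"t={now}: {name} out of office, inviting {person.manager} instead")
                name = person.manager
                continue
            break
        if name not in req.invited_at:
            req.invited_at[name] = now
            req.log.append(f"t={now}: invited {name}")

    def respond(self, req: ApprovalRequest, name: str, approve: bool) -> str:
        """Only invited participants may answer; one rejection closes the request,
        M approvals (out of the N invited) approve it."""
        if req.state == "pending" and name in req.invited_at:
            (req.approved if approve else req.rejected).add(name)
            if req.rejected:
                req.state = "rejected"
            elif len(req.approved) >= req.required:
                req.state = "approved"
        return req.state

    def tick(self, req: ApprovalRequest, now: int) -> None:
        """Periodic sweep: remind the silent, then escalate to their managers."""
        if req.state != "pending":
            return
        for name, since in list(req.invited_at.items()):   # copy: _invite may add entries
            if name in req.approved or name in req.rejected:
                continue
            waited = now - since
            if waited >= ESCALATE_AFTER_H and name not in req.escalated:
                req.escalated.add(name)
                req.log.append(f"t={now}: {name} unresponsive for {waited}h, escalating")
                manager = self.directory[name].manager
                if manager:
                    self._invite(req, manager, now)
            elif waited >= REMIND_AFTER_H and name not in req.reminded:
                req.reminded.add(name)
                req.log.append(f"t={now}: reminder sent to {name}")


def run() -> ApprovalRequest:
    # Constructed org chart: bob is out of office, so carol is invited in his place.
    directory = {
        "alice": Person("alice", manager="carol"),
        "bob": Person("bob", manager="carol", out_of_office=True),
        "carol": Person("carol"),
        "dave": Person("dave", manager="erin"),
        "erin": Person("erin"),
    }
    wf = Workflow(directory)
    req = wf.open(required=2, authorizers=["alice", "bob", "dave"], now=0)
    wf.respond(req, "dave", approve=True)    # 1 of 2 so far
    wf.tick(req, now=30)                     # reminders go to alice and carol
    wf.tick(req, now=80)                     # alice escalated to carol (already invited)
    wf.respond(req, "carol", approve=True)   # 2 of 2: approved without ever hearing from alice
    return req


if __name__ == "__main__":
    print("\n".join(run().log))
```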
5.6 Reports, dashboards and analytics
• Over 150 reports built in:
– Many include multiple modes (e.g., dormant vs. orphan accounts).
– Identities, entitlements, history, system operation, trends, etc.
– Easy to add custom reports.
• Many dashboards included as well.
• Run interactively or schedule (once, recurring).
• Deliver output (HTML, CSV, PDF):
– Interactively.
– In e-mails.
– Drop files on UNC shares.
– Stream results via web services.
• Actionable analytics:
– Feedback from reports to requests.
– Automated remediation.
• Database is normalized and documented; 3rd party tools can be used too.
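An added example (not the product's report code) of the report modes mentioned above, orphan vs. dormant accounts, with a third mode for accounts whose owner is no longer active, followed by the feedback step that turns report rows into remediation requests. The identity records, account inventory, the 90-day threshold, the REMEDIATION table and the as-of date are constructed assumptions.

```python
"""Added example (not Hitachi ID code): the 'dormant vs. orphan' report modes
for accounts discovered on managed systems, plus the feedback step that turns
each finding into a remediation request.  All data and thresholds are constructed."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed identity profiles (what the IAM system knows about people).
IDENTITIES = {
    "ang": {"status": "active"},
    "royb": {"status": "terminated"},
    "lic": {"status": "active"},
}

# Constructed account inventory discovered on target systems.
ACCOUNTS = [
    {"system": "AD",  "login": "ang",        "owner": "ang",  "last_login": "2016-10-20"},
    {"system": "AD",  "login": "svc_backup", "owner": None,   "last_login": "2016-09-01"},
    {"system": "SAP", "login": "royb",       "owner": "royb", "last_login": "2016-08-01"},
    {"system": "AD",  "login": "li.c",       "owner": "lic",  "last_login": "2016-05-01"},
    {"system": "SAP", "login": "lic",        "owner": "lic",  "last_login": None},
]


def classify(accounts, identities, as_of: date, dormant_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (system, login, finding) for every account that needs attention.

    orphan:         no identity owns the account (nobody to certify it)
    owner_inactive: the owner exists but is terminated (deactivation was missed)
    dormant:        owner is active but the account is unused past the threshold
    """
    findings = []
    for acct in accounts:
        owner = identities.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            findings.append((acct["system"], acct["login"], "orphan"))
            continue
        if owner["status"] != "active":
            findings.append((acct["system"], acct["login"], "owner_inactive"))
            continue
        last = acct["last_login"]
        idle_days = (as_of - date.fromisoformat(last)).days if last else None
        if idle_days is None or idle_days > dormant_days:   # never used counts as dormant
            findings.append((acct["system"], acct["login"], "dormant"))
    return findings


# Assumed policy: which request each report mode feeds back into the workflow.
REMEDIATION = {
    "orphan": "disable_account",
    "owner_inactive": "disable_account",
    "dormant": "notify_owner_then_disable",
}


def to_requests(findings, schedule: str = "immediate") -> List[Dict[str, str]]:
    """Feedback from report to request: each finding becomes a workflow request."""
    return [{"system": s, "login": l, "action": REMEDIATION[f], "reason": f, "schedule": schedule}
            for s, l, f in findings]


def run():
    findings = classify(ACCOUNTS, IDENTITIES, as_of=date(2016, 10, 24))
    return findings, to_requests(findings)


if __name__ == "__main__":
    for f in run()[0]:
        print(f)
```

The distinction between the three modes matters for remediation: an orphan has nobody who can be asked to certify it, so it goes straight to disable, while a dormant account owned by an active person is worth a notification first so a legitimate but rarely used account is not cut off silently.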
6 Recorded Demos
6.1 Intercept Access Denied Dialogs
Animation: ../../pics/camtasia/v10/higm-A-request-folder.mp4
6.2 Authorization of a request for security group membership
Animation: ../../pics/camtasia/v10/higm-B-request-approve.mp4
6.3 Request approved, user can access the folder
Animation: ../../pics/camtasia/v10/higm-C-approved-open-file-nb.mp4
6.4 Mobile request approval
Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4
6.5 Compare user entitlements
Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4
6.6 Application-centric certification
Animation: ../../pics/camtasia/v10/hiac-complete-app-centric-2.mp4
6.7 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4
6.8 Actionable analytics: Disable orphan accounts
Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4
7 Technology
7.1 Multi-master architecture
[Architecture diagram. Recoverable elements:]
• Sites: Data center A, Data center B (Hitachi ID servers at each, replicated), Remote data center, and a "Cloud" zone with SaaS apps.
• Perimeter: firewalls, load balancers, reverse web proxy, VPN server, IVR server, mobile proxy, proxy server (if needed).
• Inputs: system of record (HR), ticketing system (tickets), notifications and invitations, native password change on AD, Unix, z/OS, LDAP, iSeries (password synch trigger systems, validate pw), Mobile UI.
• Managed endpoints: with remote agent (AD, SQL, SAP, Notes, etc.), z/OS with local agent, MS SQL databases.
• Link types: replication over TCP/IP + AES; HTTPS to users and the mobile UI; secure native protocol to agents; various protocols to target systems.
7.2 Key architectural features
[Diagram: same topology as 7.1 (Data center A, Data center B, Remote data center, "Cloud" SaaS apps; links labelled TCP/IP + AES, Various protocols, Secure native protocol, HTTPS), annotated with:]
• Reach across firewalls.
• Load balanced.
• On premise and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.
7.3 Internal architecture
• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
– Fault tolerant.
– Secure: encrypted.
– Reliable: queue and retry.
– App nodes need not, and should not, be co-located.
• Native, 64-bit code:
– 2x faster than .NET.
– 10x faster than Java.
• Stored procedures:
– For all data lookups, inserts.
– Fast, efficient.
– Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512.
7.4 BYOD access to on-premise IAM system
The challenge:
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don’t want attackers probing IAM from the Internet.
Hitachi ID Mobile Access:
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy: no firewall changes.
• IAM not visible on Internet.
Outbound connections only.
[Diagram: a personal device on the Internet, a cloud proxy in the DMZ, and the IAM server on the private corporate network, separated by two firewalls. (1) A worker thread on the IAM server calls out to the proxy: "Give me an HTTP request". (2) The phone sends an HTTPS request to the proxy that includes userID and deviceID. (3) The proxy's message passing system pairs the two.]
7.5 Included connectors
Many integrations to target systems included in the base price:
Directories: Any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.
7.6 Rapid integration with custom apps
• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
8 Implementation
8.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
– Needs analysis and solution design.
– Fixed price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
– Solution design.
– Statement of work.
8.2 Hitachi ID Identity Express
Before reference implementations:
• Every implementation starts from scratch.
• Some code reuse, in the form of libraries.
• Even simple business processes have complex boundary conditions:
– Onboarding: initial passwords, blocking rehires.
– Termination: scheduled vs. immediate, warnings, cleanup.
– Transfers: move mailboxes and homedirs, trigger recertification.
• Complex processes often scripted.
• Delay, cost, risk.
With Hitachi ID Identity Express:
• Start with a fully configured system.
• Handles all the basic user lifecycle processes out of the box.
• Basic integrations pre-configured (HR, AD, Exchange, Windows).
• Implementation means "adjust as required" not "build from scratch."
• Configuration is fully data driven (no scripts).
• Fast, efficient, reliable.
8.3 Hitachi ID Identity Express - Corporate: details
• Integrations:
– SQL-based HR SoR.
– AD domain.
– Exchange domain (mailboxes).
– Windows filesystem (homedirs).
• Entitlements:
– Login IDs.
– Group memberships.
– Roles.
• User communities:
– Employees.
– Contractors/other.
• Configuration:
– Based on user classes, rules tables and lookup tables.
– Near-zero script logic.
• Automation:
– Onboard/deactivate based on SoR.
– Identity attribute propagation.
• Self-service:
– Password, security question management.
– Update to contact info.
– Request for application, share, folder access.
• Delegated admin:
– Same as self-service, plus recert.
• Approval workflows:
– IT security (global rights).
– HR/managers (approve for each other).
• Recertification:
– Scheduled.
– Ad-hoc.
9 Differentiation
9.1 HiIM differentiation (1/3)
Feature: Hitachi ID Identity Express
Details:
• Pre-configured business logic.
• Option A: full reference implementation.
• Option B: pick-and-choose functionality from component framework.
Differentiation:
• Reduces implementation effort by 5x to 10x as compared to competitors.
• Alternately, spend the same money and get 5x to 10x the functionality!

Feature: Requester usability
Details:
• Requesters struggle to find, complete access requests.
• Aid #1: intercept ’access denied’ errors, click-through to request form.
• Aid #2: requester compares entitlements of recipient, model users, selects from the variance.
Differentiation:
• No competitor intercepts ’access denied’ errors.
• Few competitors support recipient/model comparison.
• Happy users, higher adoption rates, better ROI.

Feature: SoD actually works
Details:
• SoD policy may be defined in terms of entitlements or roles.
• Roles and groups may be nested.
• Violations may happen at a different level of the role or group hierarchy than where the SoD policy was defined.
• Hitachi ID Identity Manager decomposes roles, expands groups to always find SoD violations.
Differentiation:
• Competitors fail to detect violations where rule and request are at different levels of role, group hierarchies.
• Users can trivially bypass controls.
• False sense of security.
• Audit failures.
• Regulatory risk.
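The "SoD actually works" point above, as an added example (not Hitachi ID code) contrasting a literal check with one that decomposes roles and expands nested groups to leaf entitlements before evaluating the rule. The hierarchy, the two rules and the users are constructed; treating a rule side as held only when all of its leaf entitlements are held is a design choice made here, not something taken from the page.

```python
"""Added example (not Hitachi ID code): SoD evaluation that decomposes roles
and expands nested groups to leaf entitlements before checking, so a rule
written at one level of the hierarchy catches a request made at another.
The hierarchy, rules and users are constructed."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed hierarchy: container -> direct members (roles, groups or leaf
# entitlements).  The prefixes are labels for the reader only.
HIERARCHY: Dict[str, Set[str]] = {
    "role:AP_Clerk":     {"grp:AP_Users", "ent:erp.invoice.create"},
    "grp:AP_Users":      {"ent:erp.vendor.read"},
    "grp:AP_Approvers":  {"ent:erp.payment.approve"},
    "role:AP_Manager":   {"role:AP_Clerk", "grp:AP_Approvers"},
    "role:Vendor_Admin": {"ent:erp.vendor.create", "ent:erp.vendor.read"},
    "grp:Finance_All":   {"role:AP_Manager", "role:Vendor_Admin"},
}

# Constructed SoD rules: (name, side A, side B).  The first is written on
# entitlements, the second on a role and a group.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create invoices vs approve payments", "ent:erp.invoice.create", "ent:erp.payment.approve"),
    ("create vendors vs approve payments",  "role:Vendor_Admin",      "grp:AP_Approvers"),
]


def expand(item: str, hierarchy: Dict[str, Set[str]], seen: Optional[Set[str]] = None) -> Set[str]:
    """Leaf entitlements reachable from a role, group or entitlement (cycle-safe)."""
    seen = seen if seen is not None else set()
    if item in seen:
        return set()
    seen.add(item)
    members = hierarchy.get(item)
    if not members:                      # a leaf entitlement expands to itself
        return {item}
    leaves: Set[str] = set()
    for member in members:
        leaves |= expand(member, hierarchy, seen)
    return leaves


def naive_violations(assigned: Set[str], rules) -> List[str]:
    """Literal check: fires only when both sides appear verbatim in the assignment."""
    return [name for name, a, b in rules if a in assigned and b in assigned]


def violations(assigned: Set[str], rules, hierarchy) -> List[str]:
    """Expanded check: every assignment and every rule side is reduced to leaf
    entitlements; a side counts as held when all of its leaves are held."""
    held: Set[str] = set()
    for item in assigned:
        held |= expand(item, hierarchy)
    return [name for name, a, b in rules
            if expand(a, hierarchy) <= held and expand(b, hierarchy) <= held]


def request_would_violate(current: Set[str], requested: str, rules, hierarchy) -> List[str]:
    """What a request-time SoD gate evaluates before routing for approval."""
    return violations(current | {requested}, rules, hierarchy)


if __name__ == "__main__":
    # Rule written on entitlements, request made on a role two levels up.
    print(naive_violations({"role:AP_Manager"}, SOD_RULES))             # []
    print(violations({"role:AP_Manager"}, SOD_RULES, HIERARCHY))
    # Rule written on a role and a group, request made on a role that nests the group.
    print(request_would_violate({"role:Vendor_Admin"}, "role:AP_Manager", SOD_RULES, HIERARCHY))
```

The "all leaves held" semantics is what makes role-level rules behave: with "any leaf held" instead, the second rule would fire for every AP_Manager because AP_Users and Vendor_Admin share the harmless erp.vendor.read entitlement. The naive check returns nothing in both scenarios, which is the bypass the slide describes: ask for the container instead of the thing the rule names.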
9.2 HiIM differentiation (2/3)
Feature: Active-active architecture
Details:
• Replicate across multiple servers.
• Multi-master, active-active operation.
• Geographic distribution.
• No single point of failure.
• Excellent scalability.
Differentiation:
• All competitors have a single point of failure.
• Usually it’s a database cluster.
• Expensive to scale up.
• Time consuming to recover from disasters.

Feature: Smart phone access
Details:
• Android and iOS apps.
• Cloud-hosted proxy.
• BYOD can interact with on-premise Hitachi ID Identity Manager instance.
• Important use cases: request approval, peer lookup/contact download.
Differentiation:
• No competitor has a cloud proxy.
• Few competitors have mobile apps.
• Not realistic to interact with the IAM system from BYOD.
• Slow approvals, waiting for managers to sign into laptop and VPN.

Feature: Actionable analytics
Details:
• All reports can be linked to requests.
• Feedback enables automated remediation.
• Immediate or scheduled.
• No coding required.
Differentiation:
• Competitors with limited reports, analytics.
• No competitor has a way to make analytics actionable, rather than just informational.
• Automating remediation is better than waiting for humans.
9.3 HiIM differentiation (3/3)
Feature: Governance, provisioning in one product
Details:
• Provisioning features: connectors, automated onboarding/deactivation.
• Governance features: request/approval workflow, SoD and RBAC policy, risk scores, access cert, analytics.
• Hitachi ID Identity Manager includes all of the above in a single product.
Differentiation:
• Some competitors have mostly governance capabilities: limited connectors, mostly read-only.
• Other competitors have mostly provisioning capabilities: weak or 3rd party governance UIs.
• HiIM is almost unique in including both.
• Better value, lower integration risk.

Feature: Policies built on relationships
Details:
• Relationships drive all policies in HiIM.
• What users appear in search results?
• On whose behalf can a user submit what kinds of requests?
• What PII is visible?
• Who approves requests?
• To whom are requests escalated?
Differentiation:
• Competitors generally rely on hierarchies or custom programming.
• Hierarchies do not represent the real world.
• Custom code is costly, time consuming and risky.
10 Summary
An integrated solution for managing identities and entitlements:
• Automation: onboarding, deactivation, detect out-of-band changes.
• Self-service: profile updates, access requests.
• Governance: certification, authorization workflow, RBAC, SoD, analytics.
• Automatically manage identities, entitlements: 110 bidirectional connectors.
• Other integrations: filesystem, collaboration, SIEM, incident management.
• Rapid deployment: pre-configured Hitachi ID Identity Express.
Security, lower cost, faster service.
Learn more at Hitachi-ID.com/Identity-Manager
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
Date: Monday 24th October, 2016 | 2016-10-24
File: PRCS:pres