1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Administration and governance of identities, entitlements and credentials.
2 Agenda
• Corporate.
• IAM problems / Hitachi ID solutions.
• Technology.
• Privileged Access.
• Example deployments.
• Discussion.
3 Corporate
© 2020 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
3.2 Representative customers
4 Managing credentials and entitlements
4.1 Hitachi ID Suite
4.2 HiIM features
Automation:
• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.
Integrations:
• 120+ bidirectional connectors, included.
• Manage resources including mail boxes, home directories and badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.
Request portal:
• Users can request for themselves or others.
• Access control model limits visibility, requestability.
Accounts and groups:
• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.
Workflow:
• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.
Policies, controls:
• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.
Certification:
• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.
4.3 HiPM features
Password synch:
• Reduce the number of passwords per user.
Self-service:
• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted drive with forgotten pre-boot password.
Value-add:
• 2FA – built-in for all users, including via mobile app.
• Federated access – replace other apps' login screens.
• Password vault – users can store unmanaged passwords.
Access from:
• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.
Assisted service:
• Password, token PIN, intruder lockout.
Policy enforcement:
• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.
Managed enrollment:
• Security questions.
• Login IDs.
• Mobile phone numbers.
5 Technology
5.1 Delivery options
What/where:
  On-premises:
  • Conventional software; or
  • Virtual appliance.
  • Managed by customer IT; or
  • managed by Hitachi ID remotely; or
  • managed by a partner.
  Hosted / SaaS:
  • Dedicated instance per customer.
  • Minimum two servers, locations.
  • Proxy server on-premises.
  • Managed by Hitachi ID.
  • Regular upgrades.
Charges:
  On-premises:
  • Software: license, annual maintenance.
  • Virtual appliance: add OS, DB licenses.
  • Managed service: add annual fee.
  Hosted / SaaS:
  • Monthly per-user fee.
  • Commitment for minimum quantity, duration.
5.2 Active-active architecture
[Diagram: active-active architecture. Hitachi ID servers in data center A and data center B, with replication between them, plus a remote data center. In front of them: load balancers, a reverse web proxy, a VPN server, an IVR server and firewalls. Integrations: an HR system of record, a ticketing system (tickets, notifications and invitations), a mobile proxy serving the mobile UI, and "cloud" SaaS apps. Managed endpoints: AD, SQL, SAP, Notes, etc. with a remote agent; z/OS with a local agent; MS SQL databases; a proxy server if needed. Password synch trigger systems (AD, Unix, z/OS, LDAP, iSeries) perform native password change and validate passwords against the servers. Transports in the legend: TCP/IP + AES, various protocols, secure native protocol, HTTPS.]
5.3 Key architectural features
[Diagram: the active-active topology reduced to its key elements: "cloud" SaaS apps, data center A, data center B and a remote data center, connected over TCP/IP + AES, various protocols, secure native protocol and HTTPS.]
• Reach across firewalls.
• Load balanced.
• On premises and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.
5.4 IAMaaS architectural overview
[Diagram: IAMaaS architecture. A private corporate network, behind a firewall, holds the HR DB, AD, two on-premises apps and an IAM proxy. SaaS apps are reached over the Internet. The IaaS provider network is split into two VLANs/locations (Location 1 and Location 2), each with an IAM app server, IAM database and mobile proxy behind its own firewall.]
5.5 Active-active replication
Avoid data loss and service interruption: multiple copies of the vault in different cities.
• Real-time data replication.
• Fault-tolerant.
• Bandwidth efficient, latency tolerant.
• Best practice: multiple servers in multiple data centers.
• Active/active.
• Load balanced.
5.6 Included connectors
Directories:
  Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases:
  Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64:
  Windows: NT thru 2016; Linux and *BSD.
Server OS – Unix:
  Solaris, AIX and HP-UX.
Server OS – Mainframe:
  RACF, ACF/2 and TopSecret.
Server OS – Midrange:
  iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps:
  Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration:
  Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA:
  Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO:
  CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM:
  ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption:
  Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring:
  HP iLO, Dell DRAC and IBM RSA.
HR / HCM:
  WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable:
  CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS:
  AWS; vSphere and ESXi.
Mobile management:
  BlackBerry Enterprise Server and MobileIron.
Network devices:
  Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content:
  Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM:
  Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory:
  Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.
5.7 Integration with custom apps
• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
6 Privileged Access
6.1 Types of privileged accounts
Shared Administrative:
  Definition:
  • Interactive logins used by humans.
  • Client tools: PuTTY, RDP, SQL Studio, etc.
  • May be used at a physical console.
  Challenges:
  • Access control.
  • Audit/accountability.
  • Single sign-on.
  • Session capture.
Embedded:
  Definition:
  • One application connects to another.
  • DB logins, web services, etc.
  Challenges:
  • Authenticating apps prior to password disclosure.
  • Caching, key management.
Service:
  Definition:
  • Run service programs with admin or limited rights.
  • Windows requires a password.
  • Scheduled tasks, IIS, DCOM, SCM, etc.
  Challenges:
  • Avoiding service interruption.
  • Restart service if req'd.
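As an added illustration of the "Shared Administrative" challenges above (access control and audit/accountability for a password that several people may use), here is a small Python check-out / check-in vault in the style the HiPAM feature list below describes: the password is randomized after each use and on a schedule, and every disclosure is logged. It is example code written for this page, not Hitachi ID code; the class and function names, the `push_to_target` connector stand-in and the timestamps are all constructed.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def random_password(length: int = 24) -> str:
    # Draw from the OS CSPRNG (secrets); never random.random for credentials.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class VaultEntry:
    system: str
    account: str
    password: str
    rotated_at: datetime
    checked_out_by: Optional[str] = None


class PrivilegedVault:
    # Hypothetical check-out / check-in vault: randomize after every use and on
    # a schedule, and record every disclosure for audit.
    def __init__(self, push_password: Callable[[str, str, str], bool],
                 rotation_interval: timedelta = timedelta(days=7)) -> None:
        self._push = push_password  # connector that sets the password on the target
        self._interval = rotation_interval
        self._entries: Dict[Tuple[str, str], VaultEntry] = {}
        self.audit_log: List[dict] = []

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit_log.append({"time": now.isoformat(), "event": event, **fields})

    def _rotate(self, key: Tuple[str, str], now: datetime, reason: str) -> bool:
        entry, new_password = self._entries[key], random_password()
        # Push to the target first and update the vault only on success, so the
        # vault never holds a password the target system does not know.
        if not self._push(entry.system, entry.account, new_password):
            self._log("rotation_failed", now, account=entry.account, reason=reason)
            return False
        entry.password, entry.rotated_at = new_password, now
        self._log("rotated", now, account=entry.account, reason=reason)
        return True

    def onboard(self, system: str, account: str, now: datetime) -> bool:
        # A discovered account is taken under control by giving it a fresh password.
        self._entries[(system, account)] = VaultEntry(system, account, "", now)
        return self._rotate((system, account), now, "onboard")

    def checkout(self, user: str, system: str, account: str, approved: bool, now: datetime) -> str:
        # 'approved' stands in for the policy / request-approval decision made elsewhere.
        entry = self._entries[(system, account)]
        if not approved:
            self._log("checkout_denied", now, user=user, account=account)
            raise PermissionError(f"{user} is not authorized for {account}@{system}")
        entry.checked_out_by = user
        self._log("checkout", now, user=user, account=account)
        return entry.password

    def checkin(self, user: str, system: str, account: str, now: datetime) -> bool:
        # Returning the account invalidates the disclosed password by rotating it.
        entry = self._entries[(system, account)]
        if entry.checked_out_by != user:
            raise RuntimeError(f"{user} does not hold {account}@{system}")
        entry.checked_out_by = None
        self._log("checkin", now, user=user, account=account)
        return self._rotate((system, account), now, "after_use")

    def scheduled_rotation(self, now: datetime) -> List[Tuple[str, str]]:
        # Rotate every idle account whose password is older than the interval.
        due = [k for k, e in self._entries.items()
               if e.checked_out_by is None and now - e.rotated_at >= self._interval]
        return [k for k in due if self._rotate(k, now, "scheduled")]

    def current_password(self, system: str, account: str) -> str:
        return self._entries[(system, account)].password


# Constructed stand-in for a managed endpoint: {(system, account): password}.
TARGETS: Dict[Tuple[str, str], str] = {}


def push_to_target(system: str, account: str, password: str) -> bool:
    TARGETS[(system, account)] = password  # a real connector speaks the native protocol
    return True


def demo() -> dict:
    t0 = datetime(2020, 3, 23, 9, 0, 0)  # constructed timestamps
    vault = PrivilegedVault(push_to_target)
    vault.onboard("db01", "sa", t0)
    first = vault.current_password("db01", "sa")
    disclosed = vault.checkout("alice", "db01", "sa", True, t0 + timedelta(minutes=5))
    vault.checkin("alice", "db01", "sa", t0 + timedelta(minutes=30))
    return {
        "disclosed_matches_first": disclosed == first,
        "changed_after_use": vault.current_password("db01", "sa") != first,
        "rotated_early": vault.scheduled_rotation(t0 + timedelta(days=1)),
        "rotated_late": vault.scheduled_rotation(t0 + timedelta(days=8)),
        "target_in_sync": TARGETS[("db01", "sa")] == vault.current_password("db01", "sa"),
        "events": [e["event"] for e in vault.audit_log],
    }
```

Two design points carry the security value: the vault updates its own copy only after the target accepted the new password, so a failed push leaves vault and target consistent and shows up in the log as `rotation_failed`; and check-in triggers rotation, so a password disclosed to a person is valid only for that one session, which is what makes the `checkout` log entries usable as accountability records.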
6.2 HiPAM features
Auto-discovery:
• Find systems, accounts.
• Automatically attach policies via rules.
Passwords:
• Randomize on a schedule and after use.
• Store in an encrypted, replicated, distributed vault.
Authorization:
• Policy-driven rules.
• Pre-authorized, or request/approval workflow if not routine.
Grant access:
• Single sign-on (login once, launch many).
• Request multiple accounts, run commands across them.
• Launch SSH, RDP, vSphere, SQL, etc.
• Direct connection, VDI proxy or HTML5 proxy.
• Password display and copy buffer integration.
• Temporary group membership or SSH trust.
Application passwords:
• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API replaces embedded passwords.
Logging:
• Requests, approvals, logins to privileged accounts.
Session monitoring:
• Screen, keyboard, webcam, process ID, window title, etc.
• Keylog censorship protects passwords, SSN, CC numbers, etc.
• Request/approval workflow protects staff privacy.
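To show what the "keylog censorship" bullet under session monitoring involves, the following Python example (added here; not Hitachi ID's implementation) redacts three classes of secrets from a constructed keystroke log: passwords the vault disclosed during the session, anything typed after a password prompt, and SSN / payment-card patterns, with card candidates confirmed by the Luhn check to limit false positives. The regexes, function names and sample log lines are all assumptions made for the example.

```python
import re
from typing import Iterable, List

# Hypothetical patterns written for this example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes; confirmed with Luhn.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Whatever was typed right after a password prompt or assignment, e.g. "Password: hunter2".
PROMPT_RE = re.compile(r"(?i)(\b(?:password|passwd|pass|pwd)\s*[:=]\s*)(\S+)")


def luhn_ok(digits: str) -> bool:
    # Standard Luhn checksum: double every second digit from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_line(line: str, disclosed_secrets: Iterable[str] = ()) -> str:
    # 1. Passwords the vault disclosed in this session: exact match, longest first so
    #    a secret that is a prefix of another cannot leave a fragment behind.
    for secret in sorted((s for s in disclosed_secrets if s), key=len, reverse=True):
        line = line.replace(secret, "[REDACTED-PASSWORD]")
    # 2. Anything typed after a password prompt, whatever its value.
    line = PROMPT_RE.sub(lambda m: m.group(1) + "[REDACTED-PASSWORD]", line)
    # 3. Structured PII: SSN pattern, and card-number candidates that pass Luhn.
    line = SSN_RE.sub("[REDACTED-SSN]", line)

    def _card(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[REDACTED-CC]" if luhn_ok(digits) else m.group(0)

    return CARD_RE.sub(_card, line)


def redact_session(lines: Iterable[str], disclosed_secrets: Iterable[str] = ()) -> List[str]:
    secrets = list(disclosed_secrets)
    return [redact_line(line, secrets) for line in lines]


# Constructed keystroke log (timestamp + keys typed); not real session data.
SAMPLE_SESSION = [
    "2020-03-23T10:01:02 kbd: mysql -u app -p",
    "2020-03-23T10:01:05 kbd: Password: Xq7!vaultSecret",
    "2020-03-23T10:01:20 kbd: SELECT * FROM customers WHERE ssn='123-45-6789';",
    "2020-03-23T10:01:40 kbd: UPDATE cards SET pan='4111 1111 1111 1111' WHERE id=7;",
    "2020-03-23T10:01:55 kbd: -- ref 4111 1111 1111 1112 is an order number, not a card",
]
DISCLOSED_THIS_SESSION = ["Xq7!vaultSecret"]  # what the vault showed the user

if __name__ == "__main__":
    for line in redact_session(SAMPLE_SESSION, DISCLOSED_THIS_SESSION):
        print(line)
```

The order of the three passes matters: disclosed passwords are masked first because they are known exactly, the prompt rule then catches passwords the user typed from memory, and the pattern rules run last so they never see a secret that happens to look like a number. The Luhn confirmation is what keeps the last sample line (a 16-digit reference that fails the checksum) readable for the reviewer.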
7 Example Deployments
7.1 Case Study: Industrial conglomerate
Customer description: Global industrial conglomerate with energy utility subsidiaries.
Product: Hitachi ID Identity Manager
Industry: Industrials, energy utilities
Target systems: Windows/AD, Oracle EBS, mainframe, databases.
Functionality: Onboard, deactivate, manage access of over 10,000 employees and contractors. Automation, self-service, policy enforcement.
Main business driver: Lower IT support cost and improve SLA.
Business impact: Retired home-grown IAM and access reporting system. Lower IT security management workload.
7.2 Case Study: Energy company
Customer description: Global energy company
Product: Hitachi ID Group Manager
Number of users: 100,000+
Functionality: Self-service requests to access network shares, folders.
Main business driver: Reduce IT support call volume.
Business impact: Replace "access denied" help desk calls with self-service infrastructure.
7.3 Case Study: US bank
Customer description: US bank
Product: Hitachi ID Password Manager
Industry: Banking
Number of users: 150,000
Functionality: Password reset via telephone, web browser
Main business driver: Reduce IT support cost, improve authentication security when users call for help.
Business impact: Eliminated 33,000 help desk calls/month. Saved at least US$ 4,000,000/year.
7.4 Case Study: Investment bank
Customer description: Top-10 global investment bank.
Product:
Industry: Finance
Target systems: Windows, Unix/Linux, MSSQL.
Functionality: Randomize passwords weekly on 122,000 systems around the world. Deployed 12 servers in 4 data centers globally for super-high availability and fault tolerance.
Main business driver: Eliminate static, shared, administrative passwords to comply with audit, regulatory requirements.
Business impact: Control, audit administrator logins to privileged accounts on 122,000 systems globally. Pass audits.
8 Differentiation
8.1 HiIM advantages
Hitachi ID Identity Express:
  HiIM:
  • Pre-configured with most common scenarios.
  Others:
  • Every deployment is custom, new.
Built-in features:
  HiIM:
  • Group lifecycle management.
  • Request portal.
  • Access certification.
  • Approval workflow.
  Others:
  • Custom forms.
  • Custom workflows.
User friendly requests:
  HiIM:
  • Windows Shell extension.
  • SharePoint integration.
  • Compare users.
  • Recommended entitlements.
  Others:
  • Users must know what entitlements to request.
Robust policy enforcement:
  HiIM:
  • SoD with deep inspection.
  • Policy-driven approvals.
  • Privacy protection.
  Others:
  • SoD easily bypassed.
  • Hard-coded approvals.
  • No privacy protection.
Architecture:
  HiIM:
  • Scalable: multi-master, load-balanced.
  • Fault tolerant: active-active.
  Others:
  • DB is choke point, single point of failure.
  • Only hot standby.
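The "SoD with deep inspection" versus "SoD easily bypassed" contrast above, and the RBAC/SoD policy bullet in section 4.2, come down to whether the check expands nested group membership before looking for toxic combinations. The following Python example is added here to show that difference side by side; it is not Hitachi ID code, and the users, group names, membership data and the single SoD rule are all constructed for the illustration.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory data (hypothetical names): principal -> groups it is a
# direct member of. Groups nest: Finance-Managers is a member of Finance-Leads.
MEMBER_OF: Dict[str, Set[str]] = {
    "alice": {"AP-Invoice-Entry"},
    "bob": {"AP-Payment-Approval"},
    "carol": {"Finance-Clerks", "Finance-Managers"},
    "dave": {"Finance-Managers"},
    "Finance-Clerks": {"AP-Invoice-Entry"},
    "Finance-Managers": {"Finance-Leads"},
    "Finance-Leads": {"AP-Payment-Approval"},
}

# A toxic combination: one person could both enter an invoice and approve its payment.
SOD_RULES: List[Tuple[str, str]] = [("AP-Invoice-Entry", "AP-Payment-Approval")]


def effective_groups(principal: str, member_of: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Transitive closure of group membership (BFS). The value for each group is
    the membership chain that grants it, which is what a reviewer needs to see."""
    paths: Dict[str, List[str]] = {}
    queue = deque((g, [principal, g]) for g in member_of.get(principal, ()))
    while queue:
        group, path = queue.popleft()
        if group in paths:      # already reached; this also stops on cyclic nesting
            continue
        paths[group] = path
        for parent in member_of.get(group, ()):
            queue.append((parent, path + [parent]))
    return paths


def _with_request(user: str, requested: Optional[str],
                  member_of: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    # Evaluate a request by pretending the requested group has already been granted.
    augmented = dict(member_of)
    if requested:
        augmented[user] = set(member_of.get(user, set())) | {requested}
    return augmented


def shallow_check(user: str, requested: Optional[str] = None,
                  member_of=MEMBER_OF, rules=SOD_RULES) -> List[Tuple[str, str]]:
    # Looks only at direct memberships, so entitlements inherited through nested
    # groups are invisible to it: this is the "easily bypassed" form.
    held = set(_with_request(user, requested, member_of).get(user, set()))
    return [(a, b) for a, b in rules if a in held and b in held]


def deep_check(user: str, requested: Optional[str] = None,
               member_of=MEMBER_OF, rules=SOD_RULES) -> List[dict]:
    # Expands nesting first, and reports the chain behind each side of the conflict.
    held = effective_groups(user, _with_request(user, requested, member_of))
    return [{"rule": (a, b), "via": {a: held[a], b: held[b]}}
            for a, b in rules if a in held and b in held]
```

With this data, carol holds neither conflicting group directly, so `shallow_check("carol")` is clean, while `deep_check("carol")` finds the violation and explains it: AP-Invoice-Entry via Finance-Clerks, and AP-Payment-Approval via Finance-Managers and then Finance-Leads. The same function evaluates a pending request: `deep_check("alice", "Finance-Leads")` flags the request even though Finance-Leads itself is not named in any rule.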
8.2 HiPM advantages
HiPM: 2FA, Federation included for all users.
  Others: Extra products required.
HiPM: Access from smart phones (BYOD).
  Others: Only with a public URL.
HiPM: Unlock encrypted drive - pre-boot password prompt.
  Others: Call the help desk.
HiPM: Access from Windows login screen, even when off-site.
  Others: Come back to the office or ship laptop to dept.
HiPM: Access from domain-member Mac OS X login screen.
  Others: Call the help desk.
HiPM: All connectors included in base price.
  Others: Some charge per-connector.
HiPM: Web browser, smart-phone, PC login screen, telephony all included.
  Others: Extra features, extra cost.
HiPM: Managed enrollment, max. adoption.
  Others: Write scripts – extra cost, lower ROI.
HiPM: Active-active replication: scalable and reliable.
  Others: Hot standby at best. May cost extra.
8.3 HiPAM advantages
Multi-factor authentication:
  HiPAM:
  • Included 2FA app.
  • Leverage any 3rd party MFA.
  Others:
  • Limited 3rd party MFA.
  • Nothing built-in.
Access disclosure options:
  HiPAM:
  • Display/copy password.
  • Single sign-on (SSO) - direct connect, HTML5 proxy, VDI proxy.
  • Can launch any admin tool.
  Others:
  • Display/copy password.
  • Jump server only for SSH, RDP.
User convenience:
  HiPAM:
  • SSO: login once, launch many.
  • Request multiple accounts at once.
  Others:
  • Login again for every session.
  • One account at a time.
Other access mechanisms:
  HiPAM:
  • Temporary group membership.
  • Temporary SSH trust membership.
  Others:
  • None.
High availability:
  HiPAM:
  • Active-active architecture.
  • Geographically distributed.
  • Built-in data replication.
  Others:
  • Hot standby only.
  • Roll-your-own replication.
9 Discussion
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]
Date: 2020-03-23