
1 Hitachi ID Identity Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Manage identities, accounts, groups and roles: Automation, requests, approvals, reviews, SoD and RBAC.

2 Agenda

• Introductions.
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Identity problems and Hitachi ID Identity Manager benefits.
• The Identity Manager solution.
• Software demonstration.

© 2019 Hitachi ID Systems, Inc. All rights reserved. 1


3 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M+ licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.


4 Representative customers


5 Hitachi ID Suite

6 Access and credential challenges (1/2)

For users:

• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.

For IT support:

• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.


7 Access and credential challenges (2/2)

For Security / risk / audit:

• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.

For Developers:

• Temporary access (e.g., prod migration).
• Half the code in every new app is the same:
  – Identify.
  – Authenticate.
  – Authorize.
  – Audit.
  – Manage the above.
• Mistakes in this infrastructure create security holes.

8 Identity and access management

Identity and access management is software to automate processes to securely and efficiently manage identities, entitlements and credentials:

Processes:

• Data synchronization.
• Request portal.
• Workflows to invite human participation.
• Manual and automated fulfillment.

Policies:

• Unique ID generation.
• Selection of approvers, reviewers and implementers.
• Access reviews.
• Segregation of duties.
• Role-based access.
• Risk scores.
• Visibility, privacy.

Connectors:

• Applications.
• Databases.
• Operating systems.
• Directories.
• On-premises.
• Cloud-hosted.
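The policy column above (role-based access, segregation of duties, and selecting approvers by policy rather than by flow-chart) can be made concrete with a small evaluator. The following is an added example written for this page, not Hitachi ID code; the roles, entitlement names, SoD rules and owner/manager data are constructed sample values. Its one design point worth noticing: the SoD check runs against the access the user would hold after the request, not against the requested item alone, which is what lets it catch a combination that is only toxic together.

```python
"""RBAC expansion, SoD check and policy-driven approver selection for one
access request.  Added example; not Hitachi ID code.  All roles,
entitlements, rules and people below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed RBAC model: role -> entitlements written as "system:group".
ROLES = {
    "ap-clerk":    {"erp:ap_invoice_entry"},
    "ap-approver": {"erp:ap_payment_release"},
    "developer":   {"git:developers", "jira:developers"},
    "prod-ops":    {"linux-prod:wheel"},
}

# Constructed SoD rules: one identity must never hold both entitlements.
SOD_RULES = [
    ("erp:ap_invoice_entry", "erp:ap_payment_release"),   # enter and release payments
    ("git:developers", "linux-prod:wheel"),                # write code and deploy it as root
]

# Constructed approver policy: an entitlement with a named owner is approved
# by that owner; anything else falls back to the requester's manager.
ENTITLEMENT_OWNERS = {
    "erp:ap_payment_release": "cfo",
    "linux-prod:wheel": "ops-lead",
}
MANAGERS = {"alice": "bob", "carol": "bob"}


@dataclass
class Decision:
    allowed: bool
    resulting: set                      # entitlements held if the request is fulfilled
    violations: list = field(default_factory=list)
    approvers: set = field(default_factory=set)


def expand_roles(roles):
    """RBAC: the set of entitlements implied by a set of roles."""
    out = set()
    for role in roles:
        out |= ROLES.get(role, set())
    return out


def sod_violations(entitlements):
    """Every SoD rule whose two entitlements are both present."""
    return [pair for pair in SOD_RULES
            if pair[0] in entitlements and pair[1] in entitlements]


def evaluate_request(user, current_roles, requested_roles, direct_entitlements=frozenset()):
    """Evaluate 'user asks for requested_roles'.

    The SoD check is made on the resulting access (current + requested +
    any directly assigned entitlements), so a request that is harmless on
    its own but conflicts with what the user already holds is refused.
    Approvers are chosen by policy from the entitlements that are new."""
    current = expand_roles(current_roles)
    requested = expand_roles(requested_roles)
    resulting = current | requested | set(direct_entitlements)
    violations = sod_violations(resulting)
    new_entitlements = requested - current
    approvers = {ENTITLEMENT_OWNERS.get(e, MANAGERS.get(user, "no-manager"))
                 for e in new_entitlements}
    return Decision(allowed=not violations, resulting=resulting,
                    violations=violations, approvers=approvers)


if __name__ == "__main__":
    # A clerk asking for the approver role: refused by the first SoD rule.
    print(evaluate_request("alice", {"ap-clerk"}, {"ap-approver"}))
    # The same clerk asking for developer access: allowed, routed to her manager.
    print(evaluate_request("alice", {"ap-clerk"}, {"developer"}))
```

Real deployments would load the role model and ownership data from the identity store rather than from literals, and would log the violation list with the request so the refusal is auditable later.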


9 Hitachi ID Suite component overview

Hitachi ID Identity Manager: Create, manage and delete users and entitlements. Automation, self-service and delegation.

Hitachi ID Access Certifier: Periodic review and cleanup of users and entitlements.

Hitachi ID Group Manager: Self service, resource-centric management of AD group membership.

Hitachi ID Password Manager: Synchronize, reset passwords. Manage RSA tokens, security questions, voice prints, PKI certs.

Periodically randomize and control access to sensitive passwords.

Addons

Hitachi ID Org Manager: Periodic updates to data mapping users to their managers.

Hitachi ID Phone PW Manager: Turn-key IVR for password reset and token management.

Hitachi ID Login Manager: Auto-populate login IDs and synchronized passwords for users.


10 Hitachi ID Suite in the user lifecycle

Columns: Lifecycle stage | Automation | Self-service / request workflow | Policy enforcement.

Onboarding
  Automation: From HR (employees).
  Self-service / request workflow: Web UI (contractors).
  Policy enforcement: Role-based setup; standardized IDs, OU, mailstore, etc.

Management
  Automation: Identity synchronization; automatic role changes.
  Self-service / request workflow: Applications; group membership; profile updates; privileged access.
  Policy enforcement: SoD enforcement; authorize changes; ID mapping.

Support
  Self-service / request workflow: Password reset; resolve access denied errors.
  Policy enforcement: Password strength; password expiry.

Deactivation
  Automation: Auto-termination.
  Self-service / request workflow: Access certification; scheduled terminations.
  Policy enforcement: Archive mailboxes, home dirs, etc.


11 HiIM features

Automation:

• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.

Integrations:

• 120+ bidirectional connectors, included.
• Manage resources including mail boxes, home directories and badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.

Request portal:

• Users can request for themselves or others.
• Access control model limits visibility, requestability.

Accounts and groups:

• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.

Workflow:

• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.

Policies, controls:

• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.

Certification:

• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.


12 Closed loop IAM

[Diagram: closed loop IAM. Labels recovered from the figure:
Integrated systems of record: list people; detected changes; updates.
Integrated target systems: list accounts; create, delete, update accounts; updates.
Non-integrated systems: manual fulfillment; accept, confirm (via invitations).
Automatic request and manual request feed the workflow engine, which: validates requests; routes for approval; invites authorizers; sends reminders; escalates; delegates.
Authorizers (via invitations): approve, reject, delegate.
Reviewers (via invitations): review, certify, correct.
Auto-fulfillment: create, delete, update accounts on integrated target systems.]
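The closed loop above (list people from the system of record, list accounts from target systems, detect changes, and generate grant/revoke/review requests) is the part of an IAM deployment that finds the orphan and dormant accounts and the out-of-band changes named on the "security / risk / audit" slide. The following is an added example written for this page, not Hitachi ID code: a reconciliation pass over a constructed HR extract, a constructed account listing from two target systems, and a constructed snapshot from the previous run. System names, logins, dates and the 90-day dormancy threshold are all assumptions.

```python
"""Closed-loop reconciliation: compare the system of record (people) with
accounts listed from target systems and with the previous run's snapshot,
then emit grant / revoke / review requests.  Added example; not Hitachi ID
code.  Every record, date and threshold below is constructed sample data."""
from datetime import date, timedelta

# Constructed system-of-record extract (e.g. an HR feed): one row per person.
PEOPLE = {
    "p001": {"name": "Alice Ng", "status": "active",     "role": "developer"},
    "p002": {"name": "Bob Ray",  "status": "terminated", "role": "ap-clerk"},
    "p003": {"name": "Cara Lee", "status": "active",     "role": "ap-clerk"},  # new hire, no accounts yet
}

# Constructed account listing from two target systems.  'owner' is the
# outcome of ID mapping; None means the login maps to nobody (orphan).
ACCOUNTS = [
    {"system": "ad",  "login": "ang",   "owner": "p001", "groups": {"developers"},               "last_login": "2019-11-18"},
    {"system": "ad",  "login": "bray",  "owner": "p002", "groups": {"ap-clerks"},                "last_login": "2019-09-01"},
    {"system": "ad",  "login": "svc01", "owner": None,   "groups": {"domain admins"},            "last_login": "2019-11-19"},
    {"system": "erp", "login": "ANG",   "owner": "p001", "groups": {"developers", "ap_release"}, "last_login": "2019-05-01"},
]

# Constructed snapshot of group membership recorded by the previous run.
# Anything present now but absent here was changed directly on the target
# system rather than through the request process (an out-of-band change).
PREVIOUS_GROUPS = {
    ("ad", "ang"):  {"developers"},
    ("ad", "bray"): {"ap-clerks"},
    ("erp", "ANG"): {"developers"},
}

TODAY = date(2019, 11, 20)          # constructed "now", so the run is deterministic
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold


def reconcile(people, accounts, previous_groups, today=TODAY):
    """Return a list of (request_type, system, login_or_person_id, detail).

    request_type is 'grant', 'revoke' or 'review'.  Revokes go straight to
    the deprovisioning workflow; reviews are routed to a human, since an
    orphan or dormant account may be a legitimate service account."""
    requests = []
    seen_people = set()
    for acct in accounts:
        key = (acct["system"], acct["login"])
        owner = acct["owner"]
        if owner is None:
            requests.append(("review", *key, "orphan account: no mapped identity"))
        else:
            seen_people.add(owner)
            person = people.get(owner)
            if person is None or person["status"] == "terminated":
                requests.append(("revoke", *key, "owner terminated or unknown in system of record"))
            last = date.fromisoformat(acct["last_login"])
            if today - last > DORMANT_AFTER:
                requests.append(("review", *key, f"dormant: no login since {last.isoformat()}"))
        # Out-of-band change detection against the last recorded membership.
        if key in previous_groups:
            added = acct["groups"] - previous_groups[key]
            if added:
                requests.append(("review", *key, f"out-of-band group change: added {sorted(added)}"))
    # Active people who own no account anywhere still need onboarding.
    for pid, person in people.items():
        if person["status"] == "active" and pid not in seen_people:
            requests.append(("grant", "*", pid,
                             f"new hire {person['name']} has no accounts; role {person['role']}"))
    return requests


if __name__ == "__main__":
    for req in reconcile(PEOPLE, ACCOUNTS, PREVIOUS_GROUPS):
        print(req)
```

On the constructed data the pass produces five requests: a revoke for the terminated user's AD account, a review for the unmapped `svc01` login, two reviews for the ERP account (dormant, and a group added outside the process), and a grant for the new hire. The snapshot that makes out-of-band detection possible would be written by each run for the next one; that is the "detected changes" arrow in the diagram.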

13 IM technology advantages

Unique features:

• Group lifecycle management.
• Requester usability: intercept "Access Denied" errors, compare users, recommend entitlements.
• Rapid approvals, including from BYOD.
• Access rights based on relationships.
• Combine auto- and manual fulfillment.
• SoD engine actually works.

Rapid deployment:

• Hitachi ID Identity Express accelerates deployment.
• Key features built-in:
  – Request forms.
  – Authorization workflow.
  – Access certification.
• Customers actually automate processes, don’t get stuck in "clean up" of legacy data.

Scalable platform:

• Real-time data replication.
• Multi-master, active-active.
• Proxy server to cross firewalls.
• Native code + stored procedures.

Integrations:

• 120+ included connectors.
• Flexible/scriptable connectors.
• Incident management/ticketing.
• SIEM.


14 The Hitachi ID solution is flexible

Customize:
• Every aspect of the user interface.
• Input validation.
• Attribute mapping to target systems.

Integrate with:
• 120+ target system types.
• Call tracking systems.
• HR systems.
• Authentication hardware.
• Meta directories.

Enforce:
• Password policy.
• Authentication rules.
• Change authorization rules.
• User naming standards.

15 Scalability and fault-tolerance

• Multiple, load-balanced Hitachi ID Identity Manager servers:
  – Active/active architecture.
• Data replication between nodes:
  – Built-in, easy to configure.
  – WAN-friendly (high latency, low bandwidth, insecure channels).
  – Reliable (multiple retry queues).
• Native code and SQL stored procedures run faster than Java and object persistence frameworks.
• Proxy servers resolve connection problems:
  – Across firewalls.
  – Over slow, insecure network routes.
• Large production deployments:
  – 12M managed identities.
  – 150,000 managed systems.
  – 12 load balanced, replicated IAM servers in 4 locations on 3 continents.
  – 15,000 completed transactions/hour.


16 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.

Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.

Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.

Server OS – Unix: Solaris, AIX and HP-UX.

Server OS – Mainframe: RACF, ACF/2 and TopSecret.

Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.

ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.

Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.

Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.

Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.

Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.

PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.

Server health monitoring: HP iLO, Dell DRAC and IBM RSA.

HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.

Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.

Hypervisors and IaaS: AWS; vSphere and ESXi.

Mobile management: BlackBerry Enterprise Server and MobileIron.

Network devices: Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.

Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.

SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.

Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

17 Integration with custom apps

• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 / sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.


18 Active-active architecture

[Diagram: active-active architecture. Labels recovered from the figure:
"Cloud": reverse web proxy; VPN server; IVR server; SaaS apps; mobile proxy (mobile UI).
Load balancers; firewalls; proxy server (if needed).
E-mail system (notifications and invitations); ticketing system (tickets); HR (system of record).
Hitachi ID servers in data center A and data center B, with replication between them; a remote data center.
Managed endpoints with remote agent: AD, SQL, SAP, Notes, etc.; z/OS with local agent; MS SQL databases.
Password synch trigger systems: native password change on AD, Unix, z/OS, LDAP, iSeries; validate pw.
Transports labelled: TCP/IP + AES; various protocols; secure native protocol; HTTPS.]


19 Server block diagram

[Diagram: server block diagram. Labels recovered from the figure:
Remote site: managed endpoint; local agent; Hitachi ID proxy server; native API / protocol; Hitachi ID encrypted protocol.
Managed endpoints: list, inspect, create, delete, modify users and groups via connector.
Hitachi ID server, internal components: IIS web server (HTTPS) serving end users and admin / config users from a web browser; business logic; integrations (connectors, exits, plugins); core services: IDTM transaction manager, PSUPDATE auto-discovery, IDTRACK automation engine, IDDB database manager, workflow manager.
MSSQL with stored procs holding the identity cache, requests, configuration and history.
Real-time encrypted replication to another Hitachi ID server.]

20 Rapid deployment and low TCO

Optimized to minimize effort:

• Identity Manager:
  – Initial deployment: 2 – 4 months.
  – Ongoing maintenance: 0.5 – 1.0 FTE.

Using Hitachi ID Identity Manager technology:

• Hitachi ID Identity Express – typical use cases preconfigured.
• Built-in discovery, mapping of IDs, entitlements.
• Policy driven workflow, included.
• Implementer process for small apps.
• RBAC (can be costly) is optional.
• 120 connectors out of the box (more easy to add).


21 Hitachi ID professional services

• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
  – Solution design.
  – Statement of work.

22 Hitachi ID solution delivery

Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.

Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1–3 months. Work is reviewed and payment is due when milestones are met.

Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.

Templates: Template documents and sample business logic are used to expedite work.

Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.


23 AdMax: Maximizing user adoption

• Successful implementation of an identity and access management system must be supported by an effective user adoption program.
• AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects.
• AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions, using:
  – Best practices, case studies and industry norms.
  – Enrollment, user adoption and ROI measurement.
  – Incentive and disincentive programs.
  – Presentations and training materials for users and HD staff.
  – Project roles and responsibilities.
  – Sample project plans, promotional materials, e-mails, graphics and other user communications.
  – Workbooks for project implementation.

24 Summary

An integrated solution for managing identities and entitlements:

• Automation: onboarding, deactivation, detect out-of-band changes.
• Manage identities, accounts, groups and roles.
• Self-service: profile updates, access requests.
• Governance: certification, authorization workflow, RBAC, SoD, analytics.
• Automatically manage identities, entitlements: 120 bidirectional connectors.
• Other integrations: filesystem, collaboration, SIEM, incident management.
• Rapid deployment: pre-configured Hitachi ID Identity Express.

Security, lower cost, faster service.

Learn more at hitachi-id.com/identity-manager


25 Getting an IAM project started

• Build a business case.
• Get management sponsorship and a budget.
• Discovery phase, capture detailed requirements.
• Assemble a project team:
  – security
  – system administration
  – user support
  – etc.
• Try before you buy: Demos, POCs, pilots.
• Install the software, roll to production.
• Enroll users, if/as required.

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2019-11-20 File: PRCS:pres