Hitachi ID Password Manager (hitachi-id.com/password-manager/largedocs/presentation-whats-new...)


1 Hitachi ID Password Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Reasons to upgrade, migration process.

2 Focus on password management

This presentation focuses on Hitachi ID Password Manager, not other Hitachi ID Suite products.

• Details for organizations currently using 6.x, thru 10.x.
• Architectural changes.
• New features.
• Upgrade path.
• Services.

© 2018 Hitachi ID Systems, Inc. All rights reserved. 1


3 Why upgrade?

• Improve metrics

– Increase proportion of users who have enrolled Q&A.
– Increase adoption of self-service.
– Reduce help desk calls due to login problems.

• Increase accessibility

– Pre-boot – full disk encryption software / password prompt.
– Windows login screen – on-premises and off-site.
– BYOD – Android, iOS device.

• Solve real world problems:

– Call volume creeping back up.
– Users increasingly off-site, can't access password reset.
– Deploying full disk encryption, need self-service unlock pre-boot.
– Refresh integrations – Windows 2012, Office 365, SaaS apps, etc.

• Security, cloud:

– SaaS applications call for more than just a password login.
– Hitachi ID Password Manager now includes federated access and 2FA, out-of-the-box.

4 Platform changes from 6.x

4.1 SQL replaces embedded DB

| 6.x | Now | Notes |
|---|---|---|
| Embedded: CodeBase. | SQL Server 2012. | Standard, scalable, open. |
| DB replication built-in. | N/C | Easier, more secure than DB-native. |
| Multi-master architecture. | N/C | If it's not broken... |
| DB on each server. | Local or separate DB. | Scale up with more HW. |
| 1 DB instance per PW server. | DB can be shared. | Leverage corporate DB clusters. |
| Limited Unicode support (e.g., security Qs). | Full Unicode support (e.g., attributes, IDs). | Better for Asian users. |
| Direct access to data. | All access via stored procs. | Better performance. |


4.2 Other architectural improvements

• Password synchronization trigger:

– Used to run 100% as a DLL in kernel-space on Windows servers.
– Now a service offloads much of the work.
– Less code running in the kernel.
– New features: user filtering, queue/retry.

• Logging subsystem:

– Individual log files are gone.
– High performance, consolidated logging system added.
– Easier to plug into SIEM, syslog, etc.
– Search/examine from web UI.

• Continuous operation:

– No more brief outage to merge databases nightly.
– Helpful for truly global organizations.

• Multiple password policies:

– Per group of systems (if mutually exclusive requirements).
– Per group of users (based on risk).

• 64-bit code (faster, more scalable).
• Newer crypto algorithms (256-bit AES, SSHA-512).

4.3 Improved usability, updated UI

• A comprehensive usability study was completed:

– Untrained, non-technical users asked to perform tasks.
– Sessions recorded and analyzed.
– UI "tweaked" - nav, instructions, layout and more.
– More users asked to repeat, to validate results.

• The entire UI was refreshed as a result:

– Easier to navigate.
– Easier to understand.
– Less time per session.

• Other changes:

– Left-side navigation bar dropped – easier to embed UI in portals.
– Overhauled login screens, to support new authentication models.
– Dynamic evaluation of password policy compliance as you type.


4.4 Single instance with IAM

• User signs on to manage identity, entitlements, credentials.
• Examples:

– Change my password(s).
– Enroll or update security questions.
– Enter mobile number, personal e-mail address.
– Update mailing address.
– Request access to a share, folder or app.
– Lookup co-worker and add contact to mobile.
– Recertify users, entitlements.
– Approve/reject open requests.

5 Platform changes since 7.x

5.1 One-click: new node

• Easier to add an app node:

– Increase capacity.
– Recover from hardware or facility problem.

• Replicas:

– Need not be configured in advance.
– Are somewhat disposable.

• Mechanism:

– Configure a new replica, in disabled state.
– Send it a full data set.
– Queue up changes while sending bulk data.
– Enable the node when ready.
– Aware of schema dependencies – sends data over in a safe order.

• No down-time.


5.2 Replication Setup Screen

5.3 Multiple skins per instance

• Default skins on a new install:

– Full UI (including branding, nav).
– Unbranded (for embedding in IFRAME).
– Kiosk-mode (full screen, limited nav).
– Mobile (works well on phones).

• Skins and language translations are independent.

– Example: 4 skins, 5 languages means 20 UIs.

• NOTE: pre-8.2 UI customization needs to be adjusted to work in the new framework.

6 Policy engines and connectors


6.1 Authentication chains

• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?

6.2 User classes

User classes define sets of individual users or types of relationships between users:

• Sets of users:

– By group membership.
– In an OU.
– Having certain attributes.

• Types of relationships:

– Shared attributes (e.g., department, location).

– Group membership of participants (e.g., security team).

– Direct or indirect manager.

User classes are a natural way to define security policy:

• Route requests (requester+recipient/authorizer).
• Invite reviewers (user/certifier).
• Escalate requests (old/new participants).
• Limit visibility (viewer/user profile).
• Define what is requestable (requester/recipient).
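As an added illustration (not Hitachi ID code, and not its configuration syntax), the toy below models both constructs from 6.1 and 6.2: user classes as named predicates over a user record (by group, OU or attribute, plus a shared-attribute relationship), and authentication chains as ordered step lists that risk signals such as a VPN login or admin membership select and that a user must walk in order. All class, chain and step names are constructed.

```python
# Added example, not Hitachi ID code: toy model of user classes (6.2) and
# authentication chains (6.1). Class, chain and step names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class User:
    login: str
    ou: str
    groups: Set[str]
    attrs: Dict[str, str]

# User classes as "sets of users": by group membership, by OU, by attribute.
USER_CLASSES = {
    "admins": lambda u: "Domain Admins" in u.groups,
    "contractors": lambda u: u.ou == "OU=Contractors",
    "finance": lambda u: u.attrs.get("department") == "Finance",
}

def classes_of(user: User) -> Set[str]:
    return {name for name, pred in USER_CLASSES.items() if pred(user)}

# User classes as "types of relationships" between two users.
def same_department(a: User, b: User) -> bool:
    dept = a.attrs.get("department")
    return dept is not None and dept == b.attrs.get("department")

# Authentication chains: a defined series of steps, weakest first.
CHAINS: Dict[str, List[str]] = {
    "password-only": ["password"],
    "password+otp": ["password", "mobile_otp"],
    "password+otp+qa": ["password", "mobile_otp", "security_questions"],
}

def available_chains(user: User) -> List[str]:
    """Programmatically limit the chains offered for interactive choice:
    admins never see the single-factor chain."""
    return [c for c in CHAINS if not (c == "password-only" and "admins" in classes_of(user))]

def select_chain(user: User, from_vpn: bool) -> str:
    """Risk analysis (admin user? VPN login?) picks the chain to enforce."""
    cls = classes_of(user)
    if "admins" in cls:
        return "password+otp+qa"
    if from_vpn or "contractors" in cls:
        return "password+otp"
    return "password-only"

def next_step(chain: str, passed: List[str]) -> Optional[str]:
    """Next step still owed, or None once the chain is walked in order;
    out-of-order completion is rejected."""
    steps = CHAINS[chain]
    if steps[: len(passed)] != passed:
        raise ValueError("chain steps must be completed in order")
    return steps[len(passed)] if len(passed) < len(steps) else None
```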


6.3 Included connectors

• Directories: Active Directory and AzureAD; any LDAP; NIS/NIS+ and eDirectory.
• Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
• Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.
• Server OS – Unix: Solaris, AIX and HP-UX.
• Server OS – Mainframe: RACF, ACF/2 and TopSecret.
• Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
• ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
• Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
• Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
• Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
• Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
• PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
• Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
• HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
• Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
• Hypervisors and IaaS: AWS; vSphere and ESXi.
• Mobile management: BlackBerry Enterprise Server and MobileIron.
• Network devices: Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
• Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
• SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
• Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

6.4 Rapid integration with custom apps

• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.

• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 / sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.

• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

7 Maximizing and monitoring adoption


7.1 Notification Subsystem

The notification system controls when Hitachi ID Suite initiates communication with users. It is key to high user adoption rates.

• Notification types: Batch/e-mail. Interactive/popup web browser.
• Notification levels: Information. Warning. Forced (lock down PC until action completed).
• Notification triggers: Incomplete profile (e.g., security questions). Password expiry (imminent or past). Expression in terms of identity attributes.
• Consequent actions: Complete enrollment. Change passwords. Visit a specified URL.
• Process throttling: N invitations/day. Maximum frequency/message/user. Date - day of week - time of day controls.
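As an added example (not Hitachi ID code), the scheduler below combines the controls listed above: a trigger evaluation for incomplete profiles and imminent password expiry, a daily cap on invitations, a minimum interval per user per message, and day-of-week and time-of-day windows. User records are constructed dictionaries with assumed field names; users whose trigger fires but who are throttled are simply picked up again on a later run.

```python
# Added example, not Hitachi ID code: a toy notification scheduler built from
# the controls listed above (triggers, N/day cap, per-user per-message frequency,
# day-of-week and time-of-day windows). Field names are constructed.
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

def trigger_for(user: dict, now: datetime) -> Optional[str]:
    """Which notification, if any, this user record calls for."""
    if not user["questions_enrolled"]:
        return "complete_enrollment"            # incomplete profile
    if (user["pw_expires"] - now).days <= 7:
        return "change_password"                # expiry imminent or past
    return None

class Throttle:
    def __init__(self, per_day: int, min_interval: timedelta,
                 days_of_week: set, hours: Tuple[int, int]):
        self.per_day = per_day                  # N invitations/day, all users
        self.min_interval = min_interval        # max frequency per message per user
        self.days = days_of_week                # Monday == 0, as datetime.weekday()
        self.hours = hours                      # [start_hour, end_hour)
        self.sent_today: Dict = {}              # date -> count sent that day
        self.last_sent: Dict = {}               # (login, message) -> datetime

    def allow(self, login: str, message: str, now: datetime) -> bool:
        """Apply every control; record the send only if all of them permit it."""
        if now.weekday() not in self.days:
            return False
        if not self.hours[0] <= now.hour < self.hours[1]:
            return False
        today = now.date()
        if self.sent_today.get(today, 0) >= self.per_day:
            return False
        last = self.last_sent.get((login, message))
        if last is not None and now - last < self.min_interval:
            return False
        self.sent_today[today] = self.sent_today.get(today, 0) + 1
        self.last_sent[(login, message)] = now
        return True

def run_batch(users: List[dict], throttle: Throttle, now: datetime) -> List[tuple]:
    """One batch/e-mail pass: returns the (login, message) pairs actually sent."""
    sent = []
    for u in users:
        msg = trigger_for(u, now)
        if msg and throttle.allow(u["login"], msg, now):
            sent.append((u["login"], msg))
    return sent
```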

7.2 Scheduled Reports


7.3 Language support

The Hitachi ID Password Manager UI can be rendered in many languages:

Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves.

7.4 Self-Service, Anywhere

Self-service is complicated by connectivity and device options.

• User location: Work; Home; Airport; Cafe; Partner office.
• Endpoint device: Laptop; Tablet; Smart phone.
• Connectivity: Wired at work; Wired at home; WiFi at home; Public WiFi; Tethered phone; Cell modem.
• Reset/unlock: Network password; Cached password; Smart card PIN; Token PIN; Encrypted HDD.

Example scenarios supported by Hitachi ID Password Manager:

• Reset forgotten, cached AD password at airport.
• Recover from forgotten full disk encryption password (via phone).


7.5 Windows login screen password reset - offsite

Animation: ../../pics/camtasia/v10/hipm-ssa-windows-10.mp4

8 Smart phone app / BYOD

8.1 BYOD access to on-premises IAM system

The challenge:

• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from Internet.

Hitachi ID Mobile Access:

• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.

[Diagram: outbound connections only. The personal device on the Internet and the IAM server on the private corporate network each connect out through a firewall to the cloud proxy in the DMZ. (1) IAM worker thread: "Give me an HTTP request". (2) HTTPS request from the phone: "Includes userID, deviceID". (3) Message passing system between proxy and IAM server.]
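As an added, in-process model of the exchange in the diagram (not Hitachi ID code, and no claim about how the real proxy is built), the phone and the IAM server below both connect out to a proxy object; the IAM worker pulls one pending request at a time, answers it, and nothing ever connects in to the IAM side. Queue names, paths and the device-activation check are constructed for illustration.

```python
# Added example, not Hitachi ID code: an in-process model of the outbound-only
# relay in the diagram above. The phone and the IAM server both connect OUT to
# the proxy; nothing ever connects IN to the IAM server. Names are constructed.
import queue
import secrets
from typing import Optional

class Proxy:
    """Message-passing system in the DMZ/cloud. Holds each phone request until an
    IAM worker asks for it, then holds the reply until the phone collects it."""
    def __init__(self):
        self.pending = queue.Queue()                  # requests awaiting an IAM worker
        self.replies: dict = {}                       # request id -> response
    def submit(self, user_id: str, device_id: str, path: str) -> str:
        # (2) HTTPS request from the phone: includes userID, deviceID.
        req_id = secrets.token_hex(8)
        self.pending.put({"id": req_id, "user": user_id, "device": device_id, "path": path})
        return req_id
    def next_request(self, timeout: float = 0.05) -> Optional[dict]:
        # (1) IAM worker thread: "Give me an HTTP request". None when idle.
        try:
            return self.pending.get(timeout=timeout)
        except queue.Empty:
            return None
    def post_reply(self, req_id: str, response: dict) -> None:
        self.replies[req_id] = response
    def collect(self, req_id: str) -> Optional[dict]:
        return self.replies.pop(req_id, None)

class IamServer:
    """Sits on the private network and only ever calls out to the proxy."""
    def __init__(self, proxy: Proxy, activated: dict):
        self.proxy = proxy
        self.activated = activated                    # user id -> set of device ids
    def handle(self, req: dict) -> dict:
        # Only a device the user has activated may reach IAM functions.
        if req["device"] not in self.activated.get(req["user"], set()):
            return {"status": 403, "body": "device not activated"}
        if req["path"] == "/profile":
            return {"status": 200, "body": f"profile of {req['user']}"}
        return {"status": 404, "body": "no such resource"}
    def work_once(self) -> bool:
        """One iteration of the worker-thread loop: pull, handle, reply."""
        req = self.proxy.next_request()
        if req is None:
            return False
        self.proxy.post_reply(req["id"], self.handle(req))
        return True

def phone_request(proxy: Proxy, iam: IamServer, user_id: str, device_id: str, path: str) -> Optional[dict]:
    """Full exchange: phone submits, IAM worker pulls and answers, phone collects."""
    req_id = proxy.submit(user_id, device_id, path)
    iam.work_once()
    return proxy.collect(req_id)
```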

8.2 Activate Hitachi ID Mobile Access app

Animation: ../../pics/camtasia/v10/enable-mobile-device-1.mp4


8.3 Add contact to phone

Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

9 MacOSX client support

9.1 MacOSX login access to password reset


9.2 MacOSX kiosk mode browser from login screen

10 Extranet-facing deployments

10.1 Social integration via OAuth and CAPTCHAs

• Mostly for Extranet access and B2C deployments.
• Enroll new users with their Facebook, Google, etc. account.
• Login using the same social credentials.
• reCAPTCHA and AreYouAHuman samples provided.


10.2 CAPTCHA Example

10.3 Social Network Integration

11 Federation and 2FA


11.1 SAMLv2 Federated IdP

• Externalize login process from third party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premise: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.

11.2 Hitachi ID Mobile Access authentication factor

• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down, AD or RADIUS unreachable.

12 Personal password vault


12.1 Personal vaults

• Users want secure, convenient access to all their credentials, not just those related to work.
• Access should work on all devices (PC, phone, etc.).
• The user's employer should not be able to access/decrypt this data – this is just a friendly service offered by IT, but not a compromise of PII.
• Similar to FastPass, LastPass, LogMeIn, etc. but no extra cost for employees.
• Built into Hitachi ID Password Manager starting with 10.0.

12.2 Personal password vault (use)

13 Migration


13.1 Project

This is a standard IT application deployment project:

• Implement in development environment.
• Test.
• Remediate any problems.
• Pilot with limited users, integrations.
• Migrate to production.
• Support all users, add integrations.
• Retest in production.
• Remediate any problems.
• Roll out to the wider user community.
• Document and sign-off.

13.2 Implementation steps

Platform:

• Deploy new VMs.
• Windows 2012.
• SQL 2012.

Install, configure app:

• Setup replication.
• UI branding.
• Policies: password quality, auth methods, access controls.
• Notifications: enrollment, password expiry.
• Reports, analytics.

Integrations:

• Target systems, Client tools.
• E-mail, Help desk / ticketing, SIEM / SYSLOG.
• Interceptor on AD DCs.
• Encrypted filesystem unlock.
• VPN for off-site password reset.
• Cloud for mobile access.

Data migration:

• Security questions.
• Login ID aliases.
• Password history (hashes).

14 Demo

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725

Date: 2018-02-26