Hitachi ID Suite 9.0 Features and Technology


Transcript of Hitachi ID Suite 9.0 Features and Technology

1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Hitachi ID Suite 9.0 Features and Technology.

2 Overview

• Hitachi ID Suite 9.0 is a major release. Almost all components of the software have seen some enhancements.

• Major new capabilities:

– Mobile access.
– Actionable analytics.
– Check-out account sets.
– More interactive UI.
– Moved to 64-bit platform.

• Next release will be 10.0 – ETA Q4/2015.

© 2015 Hitachi ID Systems, Inc. All rights reserved. 1

Slide Presentation

3 Enhancements in 9.0

General:

• Move platform to 64-bit.
• Stronger default crypto (AES-256, SHA-512).
• Support new MSSQL, Oracle back ends.
• Mobile: skin, iOS and Android apps.
• Usability improvements: JS in UI, clickable objects, sortable report output, ...
• Analytics: report output → request input.
• Many new reports, some with graphical dashboards.

HiPAM:

• Account-set check-out.
• Run commands across managed systems.
• LWS improved scalability.
• HiPAM reference build.

HiIM:

• Certification via arbitrary relationships.
• Hierarchical attributes.
• Usability improvements to PDRs.
• Photo upload.
• VCARD links on user profiles.
• Deployability: componentize reference builds.

4 Mobile / BYOD

4.1 Mobile UI for web apps

Enabling a mobile UI to an enterprise app is a two part problem.

• The UI has to fit on small screens:

– Narrow width.
– Vertical scroll.

• Connectivity is required:

– The device is on the public Internet.
– Hitachi ID Privileged Access Manager server is usually on a private network.


4.2 Mobile app architecture (1/4)

[Diagram: a personal device (phone on a 4G data plan) on the public Internet; the IAM server on the private corporate network behind two firewalls, with a DMZ between them.]

• The user’s phone probably has no VPN client installed.
• The phone – via a data plan – is connected to the public Internet.
• The IAM system is attached to the corporate network, behind multiple firewalls.

4.3 Mobile app architecture (2/4)

[Diagram: same layout as 4.2 (personal device on the public Internet, IAM server on the private corporate network behind two firewalls and a DMZ). Two connection paths are annotated: one as "Simple, uncontroversial firewall configuration", the other as "Risky, controversial, likely not allowed".]

• Firewalls are designed to block inbound connections.
• Outbound connections are usually allowed or easily justified.
• Inbound connections would require:

– Port forwarding; or
– A reverse web proxy.

• We want to minimize the set of attackers who can probe the IAM system.


4.4 Mobile app architecture (3/4)

How can a smart phone app, without a VPN, access an API or web UI published by an on-premise application server?

[Diagram: same layout and annotations as 4.3: the outbound path marked "Simple, uncontroversial firewall configuration", the inbound path marked "Risky, controversial, likely not allowed".]

4.5 Mobile app architecture (4/4)

[Diagram: a Cloud Proxy on the public Internet sits between the personal device and the IAM server, which stays on the private corporate network behind two firewalls with a DMZ between them. Three numbered flows are labelled: HTTPS request from the device: "Includes userID, deviceID"; message-passing system: "Exchange requests"; worker thread on the IAM server: "Give me an HTTP request".]

• The solution is to insert a proxy between the BYOD and IAM system.
• The proxy is on the Internet, so reachable by both.
• Connections from both ends are authenticated.


4.6 Security features

Problem: Only accept connections from activated devices.

• Deploy an app to the device.
• Install a personal key at activation time.
• Proxy rejects connections with a bad/missing key.
• IAM system only receives valid traffic.

Problem: Denial of service attacks.

• Proxy is efficient but somewhat vulnerable.
• Attackers have no key – DDoS attacks never reach the IAM system.

Problem: Lost/stolen device.

• Keys can be revoked.
• Users still need to authenticate.

Problem: Two factor authentication.

• Use of a valid key is a first authentication step.
• Follow up with password, security questions, etc.
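The proxy model from 4.5 and 4.6 as an added, self-contained simulation (not Hitachi ID code): per-device keys are installed at activation, the device proves possession of its key on every request, the IAM side pulls requests outbound, and keyless or revoked traffic is dropped at the proxy. The HMAC proof, the in-memory queue and all identifiers are assumptions for illustration; the product's actual key format and transport are not described on the slides.

```python
import hashlib
import hmac
import secrets
from collections import deque


class CloudProxy:
    """Internet-facing relay: both the phone and the IAM server connect *outbound*
    to it, so no inbound firewall rule into the private network is needed."""

    def __init__(self):
        self.device_keys = {}   # (user_id, device_id) -> personal key set at activation
        self.pending = deque()  # authenticated requests waiting for an IAM worker thread
        self.rejected = 0       # requests dropped at the proxy, never seen by the IAM server

    def activate_device(self, user_id, device_id):
        """Activation installs a fresh personal key on the device (returned here)."""
        key = secrets.token_bytes(32)
        self.device_keys[(user_id, device_id)] = key
        return key

    def revoke_device(self, user_id, device_id):
        """Lost/stolen device: drop the key so its requests are rejected from now on."""
        self.device_keys.pop((user_id, device_id), None)

    def submit(self, user_id, device_id, body, tag):
        """Device side: an HTTPS request carrying userID, deviceID and a proof of key."""
        key = self.device_keys.get((user_id, device_id))
        if key is None or not hmac.compare_digest(sign_request(key, user_id, device_id, body), tag):
            self.rejected += 1  # bad/missing key: nothing reaches the IAM system
            return False
        self.pending.append((user_id, device_id, body))
        return True

    def next_request(self):
        """IAM-side worker thread, polling outbound: 'give me an HTTP request'."""
        return self.pending.popleft() if self.pending else None


def sign_request(key, user_id, device_id, body):
    """HMAC over the identifying fields; the key itself never leaves the device."""
    return hmac.new(key, f"{user_id}|{device_id}|{body}".encode(), hashlib.sha256).digest()


def demo():
    proxy = CloudProxy()
    key = proxy.activate_device("alice", "phone-1")   # constructed user/device IDs
    req = "GET /approvals"
    ok = proxy.submit("alice", "phone-1", req, sign_request(key, "alice", "phone-1", req))
    flood = proxy.submit("nobody", "bot-7", req, b"\x00" * 32)  # no key: dropped at the proxy
    delivered = proxy.next_request()
    proxy.revoke_device("alice", "phone-1")
    after_revoke = proxy.submit("alice", "phone-1", req, sign_request(key, "alice", "phone-1", req))
    return ok, flood, delivered, after_revoke, proxy.rejected
```

Note that a valid key only gets a request as far as the queue; the IAM server still authenticates the user (password, security questions) on top of it, as the slide's two-factor row describes.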

4.7 Activate Mobile Access

Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4

5 Mobile use cases

5.1 Add contact to phone

Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

5.2 Scan contact QR code

Animation: ../../pics/camtasia/v9/find-download-contact-info-1/find-download-contact-info-1.mp4

5.3 Mobile request approval

Animation: ../../pics/camtasia/v9/approve-request-group-membership-via-mobile-access-app-1/approve-request-group-membership-via-mobile-access-app-1.mp4


5.4 Unlock pre-boot password

Animation: ../../pics/camtasia/v9/unlock-epo-pba-password-1/unlock-epo-pba-password-1.mp4

5.5 Request groupset

Animation: ../../pics/camtasia/v9/request-groupset-1/request-groupset-1.mp4

5.6 Password display

Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4

6 UI: AJAX and clickable objects

6.1 Hierarchical attributes


6.2 Dynamic report output

6.3 Clickable objects in UI


6.4 Object types – visible detail

Object in UI → click for details:

User name
– User ID.
– Profile attributes.
– Entitlements.

Group name
– Target system.
– Membership.
– Owner/authorizers.
– History.

Request ID
– Meta data.
– Authorizers.
– Operations.

Role
– ID, description.
– Entitlements.
– Users with the role.
– Owner/authorizers.

Managed system (HiPAM)
– Attributes.
– Attached policy.
– Groups, services and accounts.
– Attached policies.

Managed account (HiPAM)
– Attributes.
– Groups and services.
– Managed system.
– Attached policies.

7 More and more powerful reports


7.1 Report output to request input

7.2 Graphical report summaries


7.3 Many built-in reports

• More than 150 built-in report programs.
• Some reports have as many as 10 different modes.

– (orphan accounts / orphan profiles / dormant accounts / dormant profiles).

• Various areas of the product:

– 20 HiPAM specific.
– 10 data quality.
– 7 entitlement analysis.
– etc.

• Reports callable via API:

– Integration with enterprise dashboards.

7.4 Hitachi ID Privileged Access Manager Reports

Report categories: Operation; Policy, configuration; Trends.


7.5 Workflow Trend Dashboard

8 Actionable Analytics

8.1 PDR: New Employee

Animation: ../../pics/camtasia/v9/pdr-config-new-employee-1/pdr-config-new-employee-1.mp4

8.2 Report2PDR: Onboard employees

Animation: ../../pics/camtasia/v9/report2pdr-new-user-1/report2pdr-new-user-1.mp4

8.3 Report2PDR: Approve and first login

Animation: ../../pics/camtasia/v9/approve-new-employee-first-login-1/approve-new-employee-first-login-1.mp4

8.4 Report2PDR: Disable orphan accounts

Animation: ../../pics/camtasia/v9/report2pdr-disable-orphan-accounts-1/report2pdr-disable-orphan-accounts-1.mp4

9 Account sets


9.1 Account sets

Definitions:

• A saved search.
• Returns managed accounts on managed systems.
• Example: search on OS, subnet, login ID.
• Can also include accounts, systems individually.

Use cases:

• Check out multiple accounts at once:

– e.g., all systems requiring a patch.
– e.g., all systems supporting an n-tier app.

• Launch multiple login sessions at once:

– RDP, SSH, vSphere, SQL Studio, Toad, etc.

• Push commands to run on all checked out systems, accounts:

– Retrieve status from end systems.
– Make configuration changes.
– Apply patches.
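The account-set definition above as an added example (not the product's own code): a saved search over OS, subnet and login ID, resolved against a constructed inventory, with individually included accounts merged in and validated so the set only ever names managed accounts. The inventory rows, field names and the patch use case are assumptions for illustration.

```python
import ipaddress

# Constructed inventory of managed accounts on managed systems (hypothetical
# names, addresses and logins; not data from the product).
INVENTORY = [
    {"system": "web01", "os": "Linux",   "ip": "10.1.2.10", "login": "root"},
    {"system": "web02", "os": "Linux",   "ip": "10.1.2.11", "login": "root"},
    {"system": "db01",  "os": "Linux",   "ip": "10.1.3.5",  "login": "oracle"},
    {"system": "win01", "os": "Windows", "ip": "10.1.2.20", "login": "Administrator"},
    {"system": "web03", "os": "Linux",   "ip": "10.1.2.12", "login": "deploy"},
]


def account_set(inventory, os_name=None, subnet=None, login=None, explicit=()):
    """Resolve a saved search (OS, subnet, login ID; any may be omitted) into
    (system, login) pairs, then add accounts that were included individually."""
    net = ipaddress.ip_network(subnet) if subnet else None
    result = []
    for acct in inventory:
        if os_name is not None and acct["os"] != os_name:
            continue
        if net is not None and ipaddress.ip_address(acct["ip"]) not in net:
            continue
        if login is not None and acct["login"] != login:
            continue
        result.append((acct["system"], acct["login"]))
    known = {(a["system"], a["login"]) for a in inventory}
    for pair in explicit:
        if pair not in known:  # a saved set must only reference managed accounts
            raise ValueError(f"not a managed account: {pair}")
        if pair not in result:
            result.append(pair)
    return result


def patch_set(inventory):
    """The 'all systems requiring a patch' use case: every Linux root account in
    the web subnet, plus the database host's account added individually."""
    return account_set(inventory, os_name="Linux", subnet="10.1.2.0/24", login="root",
                       explicit=[("db01", "oracle")])
```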

9.2 Account set checkout

Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4

10 Reference builds

10.1 Need but hate code

• Most enterprise-scale deployments require some business logic.
• In practice, business logic looks like either script code or intricate flow charts.
• Nobody wants to write or maintain these things:

– Costly.
– Risky.
– Easy to make mistakes.
– Hard to find/keep staff with the skills.

• Reference builds are intended to eliminate this.


10.2 HiPAM Reference Build

Business decisions:

• What authentication processes should be allowed for this user, at this time, from this IP and device?
• What systems can a user see?
• What accounts and group sets can a user request?
• Is access pre-authorized?
• Who must approve access?
• If authorizers do not respond, who should we escalate to?
• What disclosure mechanisms should be allowed?
• What, if any, session data should be recorded?

Policy rules:

• All rules tables have two parts:

– Left: match on the current session or request.
– Right: make a policy decision or take action.

• Authentication chain selection.
• System/account filter (visibility).
• Authorizer selection and threshold setting.
• Escalation routing.
• Disclosure mechanism selection.
• Session data stream selection.

10.3 Authorization policy


10.4 Example authorization policy rules

Rule 1

If:
• Account request,
• Recipient matches EMERGENCY-RECOVERY.

Then:
• Empty authorizer list,
• Auto-approve,
• No more rules.

Rule 2

If:
• Account request,
• Recipient matches UNIX-ADMINS,
• MSPID is UNIX-SYSTEMS.

Then:
• Auto-approve,
• Empty authorizer list,
• No more rules.

Rule 3

If:
• Group set request,
• Recipient matches VENDORS.

Then:
• Add authorizers from VENDOR-ACCESS,
• Sample 3,
• Minimum 1.

Rule 4

If:
• Account set request,
• MSPID is UNIX-SYSTEMS.

Then:
• Add authorizers from UNIX-ADMINS,
• Sample 2,
• Minimum 1.
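The four example rules above, run through an added rule evaluator that is not the product's engine: each rule's left side is matched against the request, the right side updates the decision, and "No more rules" stops evaluation. The request field names, the constructed group memberships and the deterministic "sample" (first N members rather than a random pick) are assumptions for illustration.

```python
# Each rule: left side = conditions matched against the request, right side = policy
# actions. Rules run top to bottom; "stop" models the slide's "No more rules".
RULES = [
    ({"kind": "account", "recipient": "EMERGENCY-RECOVERY"},
     {"authorizers": "empty", "auto_approve": True, "stop": True}),
    ({"kind": "account", "recipient": "UNIX-ADMINS", "mspid": "UNIX-SYSTEMS"},
     {"auto_approve": True, "authorizers": "empty", "stop": True}),
    ({"kind": "groupset", "recipient": "VENDORS"},
     {"add_authorizers_from": "VENDOR-ACCESS", "sample": 3, "minimum": 1}),
    ({"kind": "accountset", "mspid": "UNIX-SYSTEMS"},
     {"add_authorizers_from": "UNIX-ADMINS", "sample": 2, "minimum": 1}),
]

# Constructed group membership for the authorizer pools (hypothetical user IDs).
GROUPS = {
    "VENDOR-ACCESS": ["vmgr1", "vmgr2", "vmgr3", "vmgr4"],
    "UNIX-ADMINS": ["ua1", "ua2", "ua3"],
}


def matches(conditions, request):
    """Left side of a rule: every listed attribute must equal the request's value."""
    return all(request.get(k) == v for k, v in conditions.items())


def evaluate(request, rules=RULES, groups=GROUPS):
    """Right side: accumulate the policy decision for one request.

    'sample' takes the first N pool members here to keep results deterministic;
    a real deployment would choose them at random."""
    decision = {"auto_approve": False, "authorizers": [], "minimum": 0}
    for conditions, action in rules:
        if not matches(conditions, request):
            continue
        if action.get("authorizers") == "empty":
            decision["authorizers"] = []
        if action.get("auto_approve"):
            decision["auto_approve"] = True
        if "add_authorizers_from" in action:
            pool = groups.get(action["add_authorizers_from"], [])
            decision["authorizers"] += pool[:action["sample"]]
            decision["minimum"] = max(decision["minimum"], action["minimum"])
        if action.get("stop"):
            break
    # Neither auto-approved nor given any authorizer: the policy cannot grant it,
    # so it stays pending for an administrator rather than silently succeeding.
    decision["blocked"] = not decision["auto_approve"] and not decision["authorizers"]
    return decision
```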

10.5 Sample rule: emergency access

11 Identity Manager


11.1 Certifier/user via relationship

11.2 More interactive input fields


11.3 Picture upload

12 Discussion

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725

Date: May 22, 2015 File: PRCS:pres