Managing the User Lifecycle Across ... - Identity Management · 1 Hitachi ID Identity Manager...


1 Hitachi ID Identity Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Manage identities, accounts, groups and roles: Automation, requests, approvals, reviews, SoD and RBAC.

2 Agenda

• Corporate
• Hitachi ID Identity Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation

3 Corporate

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers


3.3 Hitachi ID Suite

4 Hitachi ID Identity Manager

4.1 Compliance / internal controls

Challenges:

• Slow and unreliable deactivation when people leave.
• Orphan and dormant accounts.
• Users with no-longer-needed access.
• Access that violates SoD policies or represents high risk.
• Unreliable approvals for access requests.
• Audit failures and regulatory risk.

Solutions:

• Automate deactivation based on SoR (HR).
• Review and remediate excessive access (certification).
• Block requests that would violate SoD.
• Analyze entitlements to find policy violations, high risk users.
• Automatically route access requests to appropriate stake-holders.


4.2 Access administration cost

Challenges:

• Multiple FTEs required to setup, deactivate access.
• Additional burden on platform administrators.
• Audit requests can add significant strain.

Solutions:

• Automate access setup, tear-down in response to changes in systems of record (SoRs).
• Simple, business-friendly access request forms.
• Route requests to authorizers automatically.
• Automate fulfillment where possible.
• Help auditors help themselves:
  – With certification, auditors focus on process, not entitlements.
  – Reports and analytics.

4.3 Access changes take too long

Challenges:

• Approvers take too long.
• Too many IT staff required to complete approved requests.
• Service is slow and expensive to deliver.

Solutions:

• Automatically grant access:
  – Where predicted by job function, location, ...
  – Eliminate request/approval process where possible.
• Streamline approvals:
  – Automatically assign authorizers, based on policy.
  – Invite participants simultaneously, not sequentially.
  – Enable approvals from smart-phone.
  – Pre-emptively escalate when stake-holders are out of office.
• Automate fulfillment where possible.


4.4 Access requests are too complicated

Challenges:

• Requesting access is complex:
  – Where is the request form?
  – What access rights do I need?
  – How do I fill this in?
  – Who do I send it to, for approval?
• Complexity creates frustration.

Solutions:

• Auto-assign access when possible.
• Simplify request forms.
• Intercept "access denied" errors:
  – Navigate users to the appropriate request forms.
• Compare entitlements:
  – Help requesters select entitlements.
  – Compare recipient, model user rights.
  – Select from a small set of differences.
• Recommend entitlements:
  – Identify users in a peer group based on shared attributes.
  – Rank entitlements by popularity among peers.
  – Sort entitlements so what the requester likely wants is at the top.
• Automatically assign authorizers based on policy.

4.5 Too many groups

Challenges:

• Too many security groups and mail distribution lists.
• Groups represent business functions but are only manageable by IT.
• Hard to tell whether membership and access are appropriate.
• Assigning privileges is complex and costly.
• Groups and memberships persist long after needed.

Solutions:

• Empower business users to create, manage groups directly.
• Apply policy to requests, naming, metadata.
• Make groups and memberships temporary where possible.
• Calculate group membership where there is supporting data.
• Use request/approval and review/revoke workflows to clean up.
• Apply analytics to find too-small, too-large, overlapping, etc.


5 Features


5.1 HiIM features

Automation:

• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.

Integrations:

• 120+ bidirectional connectors, included.
• Manage resources including mail boxes, home directories and badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.

Request portal:

• Users can request for themselves or others.
• Access control model limits visibility, requestability.

Accounts and groups:

• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.

Workflow:

• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.

Policies, controls:

• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.

Certification:

• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.


5.2 HiIM data flow

Inputs → Processes → Policies → Outputs

Inputs:

• Monitor SoRs (automation).
• Systems and apps - current state.
• Request portal:
  – Self-service.
  – Delegated.
  – Access admin.
• Web services API.

Processes:

• Request forms.
• Approval workflows.
• Access certification.
• Manual fulfillment.
• Analytics.

Policies:

• Segregation of duties.
• Risk scores.
• Role based access control.
• Authorizer, certifier selection.
• Visibility / privacy protection.

Outputs:

• Manage accounts and groups via 120 connectors.
• E-mail.
• Create/update/close tickets.
• Send events to SIEM.

5.3 Process automation, then access cleanup

• Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement lifecycles out of the gate:
  – Joiners, movers, leavers processes.
  – Password management, strong authentication and federation.
  – Change requests, approval, review/certification.
  – Driven by both SoR data and requests.
• No need to "clean up" entitlements before automating access changes.
• Roles can be added later: not a pre-requisite.
• Automate first, clean up afterwards:
  – Unlike with competitors, automation is pre-configured and easy.
  – Start with basic integrations, add connectors over time.
  – Leverage automation and user knowledge to help clean up.
  – Add roles and expand automation over time.


5.4 Group lifecycle management

• Hitachi ID Identity Manager can manage groups as well as accounts on target systems.
• This includes:
  – Create new group.
  – Assign/revoke members.
  – Modify group owners, description and meta data.
  – Manage parent/child relationships.
  – Rename/move (change CN or OU).
• All change requests, applied to identities, accounts or groups, flow through workflow:
  – Hidden and calculated elements.
  – Validation and policy checking.
  – Policy-based approvals.
  – Change history.
• Group memberships and role assignments can be:
  – Requested, subject to approval, review and revocation.
  – Calculated, based on identity attributes and other groups.
  – Scheduled with a start and end date.
• A dedicated UI is provided for group members and owners to make changes.

5.5 Monitoring systems of record

• Any target system can function as a system of record (SoR).
• Examples: HR apps, SQL databases, CSV files, ...
• Hitachi ID Identity Manager can monitor multiple SoRs:
  – Multinationals: regional HR systems.
  – Colleges: students vs. faculty/staff.
• Map attributes to user profiles and prioritize.
• Automatically submit access requests in response to detected changes.
• Users can submit pre-emptive or corrective requests:
  – New hire not yet in HR.
  – HR data is wrong.
  – Override SoR data until HR updates it.
• Request portal handles users who never appear in SoRs:
  – Contractors, partners, etc.
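The joiner/mover/leaver detection described in this section, as an added Python example (not Hitachi ID code): it diffs two constructed snapshots of an HR system of record, applies portal overrides on top of the SoR data, and emits the access requests that the changes imply. The record layout, the sample data and the request format are assumptions made for the illustration.

```python
"""Joiner / mover / leaver detection by diffing two snapshots of an HR system of record.

Added illustration, not Hitachi ID code. The record layout, the two constructed
snapshots and the request dictionaries it emits are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    location: str
    status: str  # "active" or "terminated"


# Constructed sample data: yesterday's and today's SoR extracts, keyed by employee id.
PREVIOUS: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "Finance", "Calgary", "active"),
    "E101": HrRecord("E101", "IT", "Calgary", "active"),
    "E102": HrRecord("E102", "Sales", "Toronto", "active"),
}
CURRENT: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "Finance", "Calgary", "active"),
    "E101": HrRecord("E101", "IT", "Toronto", "active"),         # mover: location changed
    "E102": HrRecord("E102", "Sales", "Toronto", "terminated"),  # leaver
    "E103": HrRecord("E103", "Finance", "Calgary", "active"),    # joiner
}

# Corrections entered through the request portal (new hire not yet in HR, wrong HR data).
# An override wins over the SoR value until HR updates the record.
OVERRIDES: Dict[str, Dict[str, str]] = {"E103": {"department": "Treasury"}}


def effective(record: HrRecord) -> HrRecord:
    """Apply portal overrides on top of the SoR record."""
    return replace(record, **OVERRIDES.get(record.employee_id, {}))


def generate_requests(previous: Dict[str, HrRecord],
                      current: Dict[str, HrRecord]) -> List[dict]:
    """Return the access requests implied by the change between two snapshots."""
    requests: List[dict] = []
    for emp_id, new in current.items():
        new = effective(new)
        old = previous.get(emp_id)
        if old is None:
            # Never seen before: onboard only if HR says the person is active.
            if new.status == "active":
                requests.append({"type": "joiner", "id": emp_id,
                                 "department": new.department, "location": new.location})
            continue
        old = effective(old)
        if old.status == "active" and new.status == "terminated":
            requests.append({"type": "leaver", "id": emp_id})
        elif new.status == "active" and \
                (old.department, old.location) != (new.department, new.location):
            requests.append({"type": "mover", "id": emp_id,
                             "from": (old.department, old.location),
                             "to": (new.department, new.location)})
    # A record that vanished from the SoR altogether is treated as a leaver as well.
    for emp_id in sorted(previous.keys() - current.keys()):
        requests.append({"type": "leaver", "id": emp_id})
    return sorted(requests, key=lambda r: r["id"])


if __name__ == "__main__":
    for req in generate_requests(PREVIOUS, CURRENT):
        print(req)
```

Running the block prints one mover, one leaver and one joiner; the joiner carries the portal override ("Treasury") rather than the HR value, which is the "override SoR data until HR updates it" case. Comparing a snapshot with itself yields no requests, so a scheduled run is idempotent.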


5.6 Help requesters formulate requests

• Users rarely know where or how to request access!
• Make recommendations:
  – What entitlements do peers of the recipient have?
  – Rank by popularity, omit already-held rights.
• Windows shell extension, SharePoint error page:
  – Intercept "Access Denied" errors.
  – Navigate user to appropriate request URL.
• Compare users:
  – Compare entitlements between the intended recipient and a reference user.
  – Select entitlements from the variance.
• Search for entitlements:
  – Keywords, description, metadata/tags.
• Relationship between requester and recipient:
  – What recipients can the requester see?
  – What identity attributes are visible?
  – What kinds of requests are available?
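The recommendation and comparison aids described here and in section 4.4, as one added Python example (not Hitachi ID code): a peer group is built from shared identity attributes, the peers' entitlements are ranked by popularity with already-held rights omitted, and a recipient is compared against a model user to expose the variance the requester picks from. The directory, attribute names, entitlement identifiers and the `min_share` threshold are constructed for the illustration.

```python
"""Helping a requester choose entitlements: peer-group recommendations and
recipient-versus-model-user comparison.

Added illustration, not Hitachi ID code. The user directory, attribute names and
entitlement identifiers are constructed.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed directory: identity attributes plus the entitlements each user holds.
USERS: Dict[str, dict] = {
    "alice": {"dept": "Finance", "location": "Calgary",
              "ent": {"AD:Finance-Users", "SAP:AP-Clerk", "Share:Finance"}},
    "bob":   {"dept": "Finance", "location": "Calgary",
              "ent": {"AD:Finance-Users", "SAP:AP-Clerk", "Share:Finance", "SAP:GL-Post"}},
    "carol": {"dept": "Finance", "location": "Toronto",
              "ent": {"AD:Finance-Users", "SAP:AP-Clerk", "Share:Finance"}},
    "dave":  {"dept": "IT", "location": "Calgary",
              "ent": {"AD:IT-Admins", "Share:IT"}},
    "erin":  {"dept": "Finance", "location": "Calgary",   # new hire: the recipient
              "ent": {"AD:Finance-Users"}},
}


def peer_group(recipient: str, attrs: Tuple[str, ...] = ("dept", "location")) -> List[str]:
    """Users who share the given identity attributes with the recipient (recipient excluded)."""
    me = USERS[recipient]
    return [u for u, d in USERS.items()
            if u != recipient and all(d[a] == me[a] for a in attrs)]


def recommend(recipient: str, min_share: float = 0.5) -> List[Tuple[str, float]]:
    """Rank the peers' entitlements by popularity, omitting rights the recipient holds.

    min_share is the fraction of peers that must hold an entitlement before it is
    suggested; it keeps one-off rights (a single peer's admin group) off the list.
    """
    peers = peer_group(recipient)
    if not peers:
        return []
    counts = Counter(e for p in peers for e in USERS[p]["ent"])
    held = USERS[recipient]["ent"]
    ranked = [(e, n / len(peers)) for e, n in counts.items()
              if e not in held and n / len(peers) >= min_share]
    # Most popular first; ties broken by name so the order is stable.
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


def compare(recipient: str, model: str) -> Dict[str, Set[str]]:
    """Variance between a model user and the recipient.

    'missing' is what the requester selects from; 'extra' is what the recipient
    holds that the model does not, which a reviewer may want to question.
    """
    r, m = USERS[recipient]["ent"], USERS[model]["ent"]
    return {"missing": m - r, "extra": r - m}


if __name__ == "__main__":
    print("peers of erin:", peer_group("erin"))
    print("recommended for erin:", recommend("erin"))
    print("erin vs model user bob:", compare("erin", "bob"))
```

For the new hire `erin`, the two Calgary Finance peers both hold the AP clerk role and the Finance share, so those come first; the GL posting right is held by only one peer and is listed last, and drops out entirely if `min_share` is raised above 0.5. A user with no peers gets no recommendations rather than a guess.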

5.7 Robust, policy-driven workflow

• Workflow invites stake-holders to participate in processes:
  – Approve or reject a request.
  – Review entitlements and recertify or remediate.
  – Fulfill an approved request.
  – Extensible, e.g., audit cases.
• Stake-holders are invited based on policy:
  – No flow-charts or diagrams required.
  – Process is simple, transparent and secure.
  – Routing may be based on relationships, resource ownership, risk.
• The process is robust, even when people aren’t:
  – Invite N participants, accept response from M (M<N).
  – Simultaneous invitations by default (sequential made sense for paper forms).
  – Automatically send reminders.
  – Escalate (e.g., to manager) if unresponsive.
  – Check out-of-office message, pre-emptively escalate.
  – Accessible from smart phone, not just PC.
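The workflow behaviour above (authorizers selected by relationship and resource ownership, simultaneous invitations, M-of-N acceptance, reminders, escalation, and pre-emptive escalation of out-of-office participants), as an added Python example that is not Hitachi ID code. The org chart, group owners, timing thresholds and the rule that escalation goes to a participant's manager are assumptions made for the illustration.

```python
"""Policy-driven approval workflow: authorizers chosen by relationship and resource
ownership, invited simultaneously, M-of-N acceptance, reminders and escalation.

Added illustration, not Hitachi ID code. The org chart, group owners, timing
thresholds and the escalation rule (go to the participant's manager) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Person:
    manager: Optional[str] = None
    out_of_office: bool = False


# Constructed org chart used for routing and escalation.
PEOPLE: Dict[str, Person] = {
    "erin":  Person(manager="grace"),
    "grace": Person(manager="helen"),
    "helen": Person(),
    "frank": Person(manager="ivan", out_of_office=True),
    "ivan":  Person(),
}
GROUP_OWNERS: Dict[str, str] = {"AD:Finance-Users": "frank"}


@dataclass
class Request:
    required: int                      # M: approvals needed
    invited: List[str]                 # N: authorizers invited at the same time
    decisions: Dict[str, str] = field(default_factory=dict)
    reminders: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def status(self) -> str:
        if "reject" in self.decisions.values():
            return "rejected"
        approvals = sum(1 for d in self.decisions.values() if d == "approve")
        return "approved" if approvals >= self.required else "pending"


def _escalate(name: Optional[str]) -> Optional[str]:
    """Walk up the chain until someone is in the office (or no manager is left)."""
    while name is not None and PEOPLE[name].out_of_office:
        name = PEOPLE[name].manager
    return name


def select_authorizers(recipient: str, group: str) -> List[str]:
    """Route by relationship (recipient's manager) and ownership (group owner);
    out-of-office participants are escalated pre-emptively."""
    chosen: List[str] = []
    for candidate in (PEOPLE[recipient].manager, GROUP_OWNERS.get(group)):
        candidate = _escalate(candidate)
        if candidate and candidate not in chosen:
            chosen.append(candidate)
    return chosen


def open_request(recipient: str, group: str, required: int = 1) -> Request:
    req = Request(required=required, invited=select_authorizers(recipient, group))
    req.log.append(f"invited simultaneously: {req.invited}")
    return req


def record(req: Request, who: str, decision: str) -> str:
    """Record an approve/reject from an invited authorizer and return the new status."""
    if who not in req.invited or decision not in ("approve", "reject"):
        raise ValueError(f"{who} is not an invited authorizer or gave an invalid decision")
    req.decisions[who] = decision
    return req.status()


def tick(req: Request, hours_waiting: Dict[str, int],
         remind_after: int = 24, escalate_after: int = 48) -> None:
    """Send reminders to, or escalate, invitees who have not responded yet."""
    for i, who in enumerate(list(req.invited)):
        if who in req.decisions:
            continue
        waited = hours_waiting.get(who, 0)
        boss = PEOPLE[who].manager
        if waited >= escalate_after and boss:
            req.invited[i] = _escalate(boss) or boss
            req.log.append(f"escalated {who} -> {req.invited[i]}")
        elif waited >= remind_after:
            req.reminders[who] = req.reminders.get(who, 0) + 1
            req.log.append(f"reminder to {who}")


if __name__ == "__main__":
    req = open_request("erin", "AD:Finance-Users")
    print(req.invited, record(req, "ivan", "approve"), req.log)
```

The group owner `frank` is out of office, so his manager `ivan` is invited in his place from the start rather than after a timeout; with `required=1` a single approval from either invitee completes the request, and a single rejection ends it regardless of other approvals. A decision from someone not on the invitation list is refused, which is the check that keeps the approval trail meaningful.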


5.8 Reports, dashboards and analytics

• Over 150 reports built in:
  – Many include multiple modes (e.g., dormant vs. orphan accounts).
  – Identities, entitlements, history, system operation, trends, etc.
  – Easy to add custom reports.
• Many dashboards included as well.
• Run interactively or schedule (once, recurring).
• Deliver output (HTML, CSV, PDF):
  – Interactively.
  – In e-mails.
  – Drop files on UNC shares.
  – Stream results via web services.
• Actionable analytics:
  – Feedback from reports to requests.
  – Automated remediation.
• Database is normalized, documented – can use 3rd party tools too.

6 Recorded Demos

6.1 Access request (new contractor)

Animation: ../../pics/camtasia/v10/hiim-onboarding-contractor-original-resolution.mp4

6.2 Self service creation of a new Active Directory group

Animation: ../../pics/camtasia/suite11/higm-group-create.mp4

6.3 Intercept ’Access denied’ dialogs

Animation: ../../pics/camtasia/suite11/higm-A-request-folder.mp4

6.4 Compare user entitlements

Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4


6.5 Request groups with recommendations

Animation: ../../pics/camtasia/suite11.1/group-request-with-app-and-recommendations.mp4

6.6 Review groups using consistency scores

Animation: ../../pics/camtasia/suite11.1/group-cert-with-recommendations.mp4

6.7 Mobile request approval

Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4

6.8 Actionable analytics: Disable orphans

Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4

7 Technology


7.1 Delivery options

On-premises:

• What/where:
  – Conventional software; or
  – Virtual appliance.
  – Managed by customer IT; or
  – managed by Hitachi ID remotely; or
  – managed by a partner.
• Charges:
  – Software: License, annual maintenance.
  – Virtual appliance: add OS, DB licenses.
  – Managed service: add annual fee.

Hosted / SaaS:

• What/where:
  – Dedicated instance per customer.
  – Minimum two servers, locations.
  – Proxy server on-premises.
  – Managed by Hitachi ID.
  – Regular upgrades.
• Charges:
  – Monthly per-user fee.
  – Commitment for minimum quantity, duration.


7.2 Active-active architecture

Diagram: active-active architecture. Components shown: “Cloud” (reverse web proxy, VPN server, IVR server, SaaS apps); load balancers; e-mail system; ticketing system; HR system of record; Hitachi ID servers in data center A and data center B, replicated, plus a remote data center; firewalls; proxy server (if needed); mobile proxy (Mobile UI); managed endpoints (with remote agent: AD, SQL, SAP, Notes, etc.; z/OS with local agent; MS SQL databases); password synch trigger systems (native password change on AD, Unix, z/OS, LDAP, iSeries; validate password); tickets; notifications and invitations. Link legend: TCP/IP + AES, various protocols, secure native protocol, HTTPS.


7.3 Key architectural features

Diagram: the active-active deployment of the previous slide (“Cloud” SaaS apps, data center A, data center B and a remote data center; links over TCP/IP + AES, various protocols, secure native protocol and HTTPS), annotated with its key features:

• Reach across firewalls
• Load balanced
• On premises and SaaS
• BYOD enabled
• Replicated across data centers
• Horizontal scaling


7.4 IAMaaS architectural overview

Diagram: IAMaaS architecture. The private corporate network (HR DB, AD, two on-premises apps and an IAM proxy) sits behind a firewall on one side of the Internet; the IaaS provider network, behind its own firewalls, hosts two VLANs/locations, each with an IAM app server, IAM database and mobile proxy; SaaS apps are reached across the Internet.

7.5 Internal architecture

• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
  – Fault tolerant.
  – Secure - encrypted.
  – Reliable - queue and retry.
  – App nodes need not, and should not, be co-located.
• Native, 64-bit code:
  – 2x faster than .NET.
  – 10x faster than Java.
• Stored procedures:
  – For all data lookups, inserts.
  – Fast, efficient.
  – Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512


7.6 BYOD access to on-premises IAM system

The challenge:

• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don’t want attackers probing IAM from Internet.

Hitachi ID Mobile Access:

• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.

Diagram: outbound connections only. The personal device on the Internet and the IAM server on the private corporate network each connect out through a firewall to a cloud proxy in the DMZ, which runs a message passing system: (1) an IAM worker thread asks the proxy “Give me an HTTP request”; (2) the phone sends an HTTPS request that “Includes userID, deviceID”; (3), marked at the personal device, completes the exchange.
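The outbound-only exchange sketched above, as an added Python simulation that is not Hitachi ID code: a cloud proxy queues HTTPS requests from activated phones, the IAM worker polls the proxy for work and posts its replies, and the device collects its reply from the proxy. The activation registry, the message fields, the polling calls and the rule that unactivated devices are dropped at the proxy are assumptions; the exchange is simulated in-process so it runs offline.

```python
"""Outbound-only mobile access: the phone and the IAM server both call a proxy; the
IAM server is never reachable from the Internet.

Added illustration, not Hitachi ID code. The activation registry, the message
format and the polling API are assumptions; the exchange is simulated in-process.
"""
import secrets
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class CloudProxy:
    """Message-passing relay in the DMZ. It stores requests until the IAM worker
    asks for them and holds responses until the device collects them."""

    def __init__(self) -> None:
        self.activated: Dict[str, str] = {}              # device_id -> user_id (set at activation)
        self.inbound: Deque[Tuple[str, dict]] = deque()  # queued HTTPS requests from devices
        self.responses: Dict[str, dict] = {}             # request_id -> reply from IAM
        self.dropped = 0                                 # unauthenticated traffic, never forwarded

    # "Install + activate": pair a device with a user before anything is relayed.
    def activate(self, user_id: str, device_id: str) -> None:
        self.activated[device_id] = user_id

    # Step (2): HTTPS request from the phone, including userID and deviceID.
    def submit(self, user_id: str, device_id: str, action: str, payload: dict) -> Optional[str]:
        if self.activated.get(device_id) != user_id:
            self.dropped += 1                            # the IAM server never sees this
            return None
        request_id = secrets.token_hex(8)
        self.inbound.append((request_id, {"user": user_id, "device": device_id,
                                          "action": action, "payload": payload}))
        return request_id

    # Step (1): the IAM worker thread asks "give me an HTTP request".
    def next_request(self) -> Optional[Tuple[str, dict]]:
        return self.inbound.popleft() if self.inbound else None

    # Step (3): the IAM worker posts its answer; the device later collects it.
    def post_response(self, request_id: str, reply: dict) -> None:
        self.responses[request_id] = reply

    def collect(self, request_id: str) -> Optional[dict]:
        return self.responses.pop(request_id, None)


class IamWorker:
    """Runs inside the private network and only ever opens outbound connections
    to the proxy. Constructed state: one pending approval awaiting 'grace'."""

    def __init__(self, proxy: CloudProxy) -> None:
        self.proxy = proxy
        self.pending_approvals: Dict[str, str] = {"REQ-1": "grace"}  # request -> authorizer

    def poll_once(self) -> bool:
        """Fetch one queued request, act on it, post the reply. False if queue was empty."""
        item = self.proxy.next_request()
        if item is None:
            return False
        request_id, msg = item
        if msg["action"] == "approve":
            target = msg["payload"]["request"]
            ok = self.pending_approvals.get(target) == msg["user"]
            if ok:
                del self.pending_approvals[target]
            reply = {"status": "approved" if ok else "denied"}
        else:
            reply = {"status": "unknown action"}
        self.proxy.post_response(request_id, reply)
        return True


def demo() -> Optional[dict]:
    """One full exchange: activate, submit an approval from the phone, IAM polls, device collects."""
    proxy = CloudProxy()
    worker = IamWorker(proxy)
    proxy.activate("grace", "phone-1")
    rid = proxy.submit("grace", "phone-1", "approve", {"request": "REQ-1"})
    worker.poll_once()
    return proxy.collect(rid)


if __name__ == "__main__":
    print(demo())
```

Two properties of the design are visible in the code: the IAM worker initiates every connection, so no listener on the IAM server is exposed, and a request from a device that was never activated is counted and dropped at the proxy rather than being passed to the IAM server at all. Authorization of the action itself (is this user the authorizer for this request?) still happens on the IAM side, not at the proxy.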


7.7 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.

Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.

Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.

Server OS – Unix: Solaris, AIX and HP-UX.

Server OS – Mainframe: RACF, ACF/2 and TopSecret.

Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.

ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.

Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.

Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.

Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.

Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.

PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.

Server health monitoring: HP iLO, Dell DRAC and IBM RSA.

HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.

Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.

Hypervisors and IaaS: AWS; vSphere and ESXi.

Mobile management: BlackBerry Enterprise Server and MobileIron.

Network devices: Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.

Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.

SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.

Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

7.8 Integration with custom apps

• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

8 Implementation


8.1 Hitachi ID professional services

• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
  – Solution design.
  – Statement of work.

8.2 ID Express

Before reference implementations:

• Every implementation starts from scratch.
• Some code reuse, in the form of libraries.
• Even simple business processes have complex boundary conditions:
  – Onboarding: initial passwords, blocking rehires.
  – Termination: scheduled vs. immediate, warnings, cleanup.
  – Transfers: move mailboxes and homedirs, trigger recertification.
• Complex processes often scripted.
• Delay, cost, risk.

With Hitachi ID Identity Express:

• Start with a fully configured system.
• Handles all the basic user lifecycle processes out of the box.
• Basic integrations pre-configured (HR, AD, Exchange, Windows).
• Implementation means "adjust as required" not "build from scratch."
• Configuration is fully data driven (no scripts).
• Fast, efficient, reliable.


8.3 Identity Express - Workforce Edition

• Integrations:
  – SQL-based HR SoR.
  – AD domain.
  – Exchange domain (mailboxes).
  – Windows filesystem (homedirs).
• Entitlements:
  – Login IDs.
  – Group memberships.
  – Roles.
• User communities:
  – Employees.
  – Contractors/other.
• Configuration:
  – Based on user classes, rules tables and lookup tables.
  – Near-zero script logic.
• Automation:
  – Onboard/deactivate based on SoR.
  – Identity attribute propagation.
• Self-service:
  – Password, security question management.
  – Update to contact info.
  – Request for application, share, folder access.
• Delegated admin:
  – Same as self-service, plus recert.
• Approval workflows:
  – IT security (global rights).
  – HR/managers (approve for each-other).
• Recertification:
  – Scheduled.
  – Ad-hoc.

8.4 Services impact of ID Express

Chart: services impact of ID Express. A project timeline (weeks 1 to 19 along the axis) contrasting a custom implementation with Identity Express; each task is labelled (custom days : Identity Express days), and the custom figures sum to the 283 days shown for the custom implementation. Tasks in the order they appear: Initial planning (5:5); Document old processes (30:4); Design new processes (30:5); Basic integrations (5:5); Test, debug, adjust (30:10); Pilot test, adjust (20:15); Test, debug, fix (15:15); Test in prod, feedback, fixes (5:5); Implement new processes (30:5); Production migration (2:2); Documentation (5:5); Implement new processes (30:5); Production migration (2:2); Advanced integrations (30:30); Production migration (2:2); Get feedback (15:5); Test, debug, adjust (15:5); Reset, adjust (10:10); Deploy software (2:2). Custom implementation: 283 days.

9 Differentiation


9.1 HiIM differentiation (1/3)

Feature: Hitachi ID Identity Express

Details:
• Pre-configured processes, policies.
• Full implementation or menu of components.
• Rich processes.
• Faster deployment.
• Low implementation risk.

Competitors:
• Slow, risky deployment.
• Never get around to J/M/L process automation.

Feature: Requester usability

Details:
• Intercept "access denied" errors.
• Compare entitlements of recipient, model users.
• Usability aid for requesters.

Competitors:
• Hard to find request portal.
• Users don’t know how to request access.
• Low user adoption.
• Reduced ROI.

Feature: SoD actually works

Details:
• Hierarchy of roles, groups.
• Roles can contain groups, more roles.
• Groups can contain other groups.
• SoD defined at one level, violation may happen at another.
• Hitachi ID Identity Manager reliably detects, prevents violations.

Competitors:
• Fail to detect some violations.
• Users can bypass controls.
• False sense of security.
• Audit failures.
• Regulatory risk.
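The nested-hierarchy point in the SoD row above, as an added Python example that is not Hitachi ID code: a rule written at group level is still caught when a user reaches both groups through a role that contains another role, because the check runs over the transitive closure of everything the user holds rather than over the direct assignments. The containment graph, the rule set and the identifiers are constructed for the illustration.

```python
"""SoD enforcement across nested roles and groups.

Added illustration, not Hitachi ID code. The containment graph, the SoD rules and
the identifiers are constructed; a rule may name a role, a group or a leaf entitlement.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed containment graph: each role or group maps to what it directly contains.
# Leaf entitlements (rights on target systems) have no entry of their own.
CONTAINS: Dict[str, Set[str]] = {
    "role:AP-Manager":     {"role:AP-Clerk", "group:AP-Approve"},
    "role:AP-Clerk":       {"group:AP-Entry", "group:Finance-Users"},
    "group:AP-Approve":    {"group:AP-Release"},
    "group:AP-Release":    {"sap:F110"},    # release payment run
    "group:AP-Entry":      {"sap:FB60"},    # enter vendor invoice
    "group:Finance-Users": {"ad:Finance-Users"},
}

# SoD rules expressed at different levels: one at group level, one at leaf level.
SOD_RULES: List[Tuple[str, str]] = [
    ("group:AP-Entry", "group:AP-Release"),
    ("sap:FB60", "sap:F110"),
]


def closure(assignments: Iterable[str]) -> Set[str]:
    """Everything a user effectively holds: the assignments plus every role, group and
    leaf entitlement reachable through nesting. Cycles in the graph are tolerated."""
    seen: Set[str] = set()
    stack = list(assignments)
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        stack.extend(CONTAINS.get(item, ()))
    return seen


def violations(assignments: Iterable[str]) -> List[Tuple[str, str]]:
    """Rules whose two sides both appear anywhere in the effective closure."""
    held = closure(assignments)
    return [rule for rule in SOD_RULES if rule[0] in held and rule[1] in held]


def check_request(current: Iterable[str], requested: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Decide whether granting `requested` on top of `current` must be blocked.
    Returns (allowed, rules that would be violated)."""
    new = violations(list(current) + [requested])
    return (len(new) == 0, new)


def leaf_entitlements(assignments: Iterable[str]) -> Set[str]:
    """Only the target-system rights, for comparison with what a connector reports."""
    return {x for x in closure(assignments) if x not in CONTAINS}


if __name__ == "__main__":
    print("clerk:", violations({"role:AP-Clerk"}))
    print("manager:", violations({"role:AP-Manager"}))
    print("clerk + AP-Approve:", check_request({"role:AP-Clerk"}, "group:AP-Approve"))
```

A clerk holds invoice entry but not payment release, so no rule fires. The AP manager role contains the clerk role and, two levels down, the release group, so both the group-level and the leaf-level rule fire even though neither side was assigned directly. The same closure is what a request-time check uses to block a grant before it is fulfilled, and `leaf_entitlements` gives the flat list to reconcile against a connector's view of the target system.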


9.2 HiIM differentiation (2/3)

Feature: Active-active architecture

Details:
• Multiple servers.
• Load balanced.
• Geographically distributed.
• No single point of failure.
• Scalable.

Competitors:
• Single points of failure.
• Costly to scale.
• Slow to recover from disasters.

Feature: Smart phone access

Details:
• Android and iOS apps.
• Cloud-hosted proxy.
• No public URL.
• Approvals, 2FA, contact download, etc.

Competitors:
• Require a public URL.
• Less secure / rarely permitted.
• No viable BYOD strategy.
• Impacts security, approval SLA.

Feature: Actionable analytics

Details:
• Link report output to request input.
• Automated remediation.
• Immediate or scheduled.
• No coding.

Competitors:
• Fewer reports, analytics.
• No automated remediation.


9.3 HiIM differentiation (3/3)

Feature: Group lifecycle management

Details:
• Included.

Competitors:
• Absent from most competitors.

Feature: Governance, provisioning in one product

Details:
• Governance: requests, approvals, certification, SoD, RBAC, analytics.
• Provisioning: connectors, J/M/L process automation.
• Single, integrated solution.

Competitors:
• Some focus on governance (no remediation, no J/M/L process automation).
• Others focus on provisioning (no certification, limited analytics).
• Higher total cost.
• Integration risk.

Feature: Policies built on relationships

Details:
• Relationships drive all policies in Hitachi ID Identity Manager.
• Who can a user search for?
• What data is visible?
• What changes are requestable?
• Who will be asked to approve?
• Escalation path?

Competitors:
• Hierarchical access controls.
• Script code for exceptions.
• Costly, risky.
• Hard to configure, maintain.


10 Summary

An integrated solution for managing identities and entitlements:

• Automation: onboarding, deactivation, detect out-of-band changes.
• Manage identities, accounts, groups and roles.
• Self-service: profile updates, access requests.
• Governance: certification, authorization workflow, RBAC, SoD, analytics.
• Automatically manage identities, entitlements: 120 bidirectional connectors.
• Other integrations: filesystem, collaboration, SIEM, incident management.
• Rapid deployment: pre-configured Hitachi ID Identity Express.

Security, lower cost, faster service.

Learn more at hitachi-id.com/identity-manager

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23 File: PRCS:pres