Page 1: Managing the User Lifecycle Across On-Premises and 2 ...hitachi-id.com/.../largedocs/presentation-idm-msp/presentation.pdf1 Hitachi ID Suite Managing the User ... Hitachi ID Org Manager

1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Administration and governance of identities, entitlements and credentials.

2 Agenda

• Introductions.
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Architecture and technology.
• MSP advantages.

© 2017 Hitachi ID Systems, Inc. All rights reserved. 1


3 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M+ licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.


4 Representative customers

5 Managed service provider partners

• Managed service providers outsource IT services, such as help desk call resolution.
• Almost all major MSPs have standardized on Hitachi ID solutions to automatically resolve password problems for their customers.
• Many MSPs are now adding Hitachi ID solutions to automate identity and access management as well.
• Hitachi ID MSP partners include:


6 Hitachi ID Suite


7 Integration With Other IAM Infrastructure

Diagram (labels only). Other IAM infrastructure: E/SSO, WebSSO/WebAM, Directory, Meta Directory, Virtual Directory, System of Record. Core infrastructure: automation, self-service requests, authorization workflow, consolidated reporting, auto-discovery, reliable updates, target connectors, help desk integrations, database replication. Suite products: Hitachi ID Password Manager, Hitachi ID Identity Manager, Hitachi ID Group Manager, Hitachi ID Login Manager, Hitachi ID Org Manager, Hitachi ID Privileged Access Manager, Hitachi ID Phone PW Manager, Hitachi ID Access Certifier.

8 Problem: Too Many Passwords

Every login account has its own:

• Password value.
• User interface.
• Strength rules.
• Expiration date.

Password complexity creates business problems:

• High call volume: users forget or lock out their passwords. This can be 30% of help desk workload.
• Sticky notes: users write down their passwords and may leave them in public view.
• Bad passwords: users choose simple, easily guessed passwords.


9 HiPM features

Password synch:

• Reduce the number of passwords per user.

Self-service:

• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted filesystem with forgotten pre-boot password.

Value-add:

• 2FA – built-in for all users, including via mobile app.
• Federated access – replace other apps’ login screens.
• Password vault – users can store unmanaged passwords.

Access from:

• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.

Assisted service:

• Password, token PIN, intruder lockout.

Policy enforcement:

• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.

Managed enrollment:

• Security questions.
• Login IDs.
• Mobile phone numbers.


10 Identity and access needs are ever-changing

Digital identities require frequent updates to reflect business changes:

• Who? (Types of users): employees, contractors, vendors, partners, customers.
• Why? (Business events): hire, move, change job function, terminate.
• What? (Change types): create/move/disable/delete user, update identity data and entitlements, reset passwords.
• Where? (Applications): AD, Exchange, Notes, ERP, Linux/Unix, database, mainframe, physical assets.

Complexity creates delay and reliability problems:

• Productivity: slow onboarding, change fulfillment.
• Cost: many FTEs needed to implement security changes.
• Security: unreliable access termination, inappropriate user entitlements. Enforce SoD policies.
• Accountability: who has access to what? How/when did they get it?


11 HiIM features

Automation:

• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.

Request portal:

• Users can request for themselves or others.
• Access control model limits visibility, requestability.

Certification:

• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.

Workflow:

• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.

Policies, controls:

• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.

Integrations:

• 120+ bidirectional connectors, included.
• Manage mail boxes, home directories, badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.


12 Users accumulate access rights

Over time, users change roles/responsibilities:

• Users change jobs, departments and locations.
• There are many users, each with access to many systems.

With each transition, users accumulate entitlements:

• From what? There is no record of every right a user had before, so old rights are not removed.
• To what? Without a role model, it is impossible to say which of a user’s old rights should stay and which should go.
• When? A reassigned user may back up his replacement for a while, so must retain old rights for an undefined period of time.

13 HiAC features

HiAC automates periodic review and cleanup of user entitlements:

• Capture:

– Auto-discovery creates a clear picture of the actual state of user entitlements across the enterprise.

• Leverage org-chart:

– Management relationships can be used to structure a certification round. Allows delegation of access review, cleanup and certification to managers.

• Notify:

– Automated e-mail reminders to managers, app owners and other stake-holders.

• Certify:

– Entitlements are either certified or flagged for removal.

• Sign off:

– Stake-holders must sign off on completed reviews.

• Action:

– Upon approval (if required), the offending entitlements are automatically removed and the user is brought back into compliance.

• Report:

– Full reports to satisfy audit requests are available.
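As an added illustration of the certification round described on slides 12 and 13 (not Hitachi ID code; all users, managers, roles and entitlements are constructed), the model below captures discovered entitlements, routes them to each user's manager from the org chart, flags rights the current role does not explain, refuses sign-off while any item is unreviewed, and turns flagged items into deprovisioning requests:

```python
"""Access-certification round modelled on slides 12-13: capture discovered
entitlements, queue them to each user's manager from the org chart, let the
manager certify or flag each item, refuse sign-off while anything is
unreviewed, then emit deprovisioning requests. Constructed data throughout;
this is an added illustration, not Hitachi ID code."""

# Constructed org chart and role model (stand-ins for HR / OrgChart data).
MANAGER_OF = {"alice": "carol", "bob": "carol", "dave": "erin"}
ROLE_OF = {"alice": "finance-analyst", "bob": "helpdesk", "dave": "finance-analyst"}
ROLE_MODEL = {"finance-analyst": {"erp-reports"}, "helpdesk": {"pw-reset", "ad-helpdesk"}}

# Constructed auto-discovery output: alice moved from helpdesk to finance and
# kept her old rights; dave holds an admin right that no role explains.
DISCOVERED = {
    "alice": {"erp-reports", "pw-reset", "ad-helpdesk"},
    "bob": {"pw-reset"},
    "dave": {"erp-reports", "erp-admin"},
}


def build_round(discovered, manager_of, role_of, role_model):
    """Capture + leverage org-chart: one review queue per manager. Each item is
    (user, right, hint); hint is 'keep' when the user's current role explains
    the right and 'review' otherwise, which is exactly the 'to what?' question
    that cannot be answered without a role model."""
    queues = {}
    for user, rights in sorted(discovered.items()):
        expected = role_model.get(role_of.get(user), set())
        for right in sorted(rights):
            hint = "keep" if right in expected else "review"
            queues.setdefault(manager_of[user], []).append((user, right, hint))
    return queues


def apply_decisions(queue, decisions):
    """Certify: decisions maps (user, right) -> 'certify' or 'revoke'. Returns
    (certified, flagged, unreviewed); the hint is advisory, the manager decides."""
    certified, flagged, unreviewed = [], [], []
    for user, right, _hint in queue:
        verdict = decisions.get((user, right))
        if verdict == "certify":
            certified.append((user, right))
        elif verdict == "revoke":
            flagged.append((user, right))
        else:
            unreviewed.append((user, right))
    return certified, flagged, unreviewed


def sign_off(manager, queue, decisions):
    """Sign off + action: a queue can only be signed off once every item has a
    verdict; flagged items become deprovisioning requests for the connectors."""
    certified, flagged, unreviewed = apply_decisions(queue, decisions)
    if unreviewed:
        raise ValueError(f"{manager} cannot sign off, unreviewed: {unreviewed}")
    return [{"action": "revoke", "user": u, "entitlement": r, "approver": manager}
            for u, r in flagged]
```

The "keep"/"review" hint only works because a role model exists; without one every item lands in the manager's queue unhinted, which is the situation slide 12 describes.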


14 Problem: Too many security groups

Medium to large AD environments have thousands of security groups:

• Control access to printers, shares and folders.
• Membership in mail distribution lists.

It is challenging to manage group membership on this scale:

• User needs constantly change.
• Users do not understand groups or ACLs.
• Users don’t know which groups they need.
• Who authorizes membership in each group?

15 HiGM features

Hitachi ID Group Manager enables self-service administration of user access to network resources – shares, folders, etc.:

• Intercept:

– The Windows "Access Denied" error dialog and send users to the appropriate workflow / group membership request screen.

• Browse:

– Users find the resources they want using HiGM.

• Request:

– Users ask for access to a resource (no knowledge of groups required).

• Map:

– HiGM maps user requests to group membership.

• Route:

– A workflow request is created dynamically and sent to the group’s owner plus anyone else specified by policy.

• Provision:

– Upon approval, the user is added to the appropriate group.

• Notify:

– Users and authorizers are sent thank-you notes.


16 Orgchart data is scarce

• Hitachi ID estimates that:

– 30% of organizations have no data about each employee or contractor’s manager.
– 90% of organizations have incomplete, inaccurate or out-of-date OrgChart data.

• HR systems rarely include contractors, vendors, etc.
• Organizations are dynamic and HR often doesn’t have the means to accurately or quickly record changes.
• Staff may have multiple managers, but it’s best if only one manager is ultimately responsible for their actions, privileges, pay, etc.
• Bottom line: while OrgChart data is valuable, it is rarely available, complete or reliable.

17 Summary

Hitachi ID Org Manager leverages the Hitachi ID Suite infrastructure to effectively manage OrgChart data:

• Get managers to name their own subordinates.
• Clean up errors in current OrgChart data.
• Fill in gaps in existing data – contractors, vendors, temps, etc.
• Enable processes that depend on complete and accurate OrgChart data, such as IAM workflow and access certification.

18 Privileged Accounts Not Secured

• Workstations and servers often have the same, unchanging administrator passwords.
• These passwords are used by desktop support staff, data center staff and other IT resources to manage hardware, operating systems, etc.
• With thousands of workstations and servers, it is difficult or impossible to ever change these passwords.
• As IT staff turn over, ex-staff retain keys to sensitive assets.


19 HiPAM features

Auto-discovery:

• Find systems, accounts.
• Automatically assign to policies via rules.

Passwords:

• Randomize on a schedule and after use.
• Store in an encrypted, replicated, distributed vault.

Authorization:

• Policy-driven rules.
• Pre-authorized, and request/approval workflow if not routine.

Grant access:

• Launch SSH, RDP, vSphere, SQL, etc.
• Direct connection, VDI proxy or HTML5 proxy.
• Password display.
• Temporary group membership or SSH trust.

Application passwords:

• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API replaces embedded passwords.

Logging:

• Requests, approvals, logins to privileged accounts.

Session monitoring:

• Screen, keyboard, webcam, process ID, window title, etc.
• Keylog censorship protects passwords, SSN, CC numbers, etc.
• Request/approval workflow protects staff privacy.


20 E-SSO Deployment Challenges

• Deploying client software to each and every workstation.
• Building and securing a high-availability database or directory in which to store application passwords.
• Populating and keeping current user application passwords.
• Updating encrypted passwords after password resets.
• Enabling application access from Internet kiosks, PDAs and other non-SSO-enabled devices.

21 HiLM features

Reduced signon:

• Capture the user’s login ID and password from the workstation login.
• Extract alternate login IDs from AD.
• Detect dialogs where the user types the known login IDs/password.
• Automatically fill in user ID/password prompts.

Compatible applications:

• Native Windows dialog boxes.
• HTML forms using IE and Firefox.
• 3270 and 5250 terminal sessions.
• Lotus Notes R6 – R8.
• SAP R/3 GUI.

Advantages: never...

• Store passwords.
• Hand-code scripts.
• Contact a central server.
• Set an application password to something the user doesn’t know.


22 Active-active architecture

Diagram (labels only). Sites: data center A, data center B, remote data center, “cloud”. Components: Hitachi ID servers (one set per data center), load balancers, firewalls, reverse web proxy, VPN server, IVR server, proxy server (if needed), mobile proxy, mobile UI. Integrated systems: e-mail system (notifications and invitations), ticketing system (tickets), HR (system of record), SaaS apps, MS SQL databases (replication). Managed endpoints: with remote agent – AD, SQL, SAP, Notes, etc.; z/OS – local agent; password synch trigger systems – AD, Unix, z/OS, LDAP, iSeries (native password change, validate pw). Transports: TCP/IP + AES, various protocols, secure native protocol, HTTPS.


23 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.

Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.

Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.

Server OS – Unix: Solaris, AIX and HP-UX.

Server OS – Mainframe: RACF, ACF/2 and TopSecret.

Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.

ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.

Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.

Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.

Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.

Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.

PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.

Server health monitoring: HP iLO, Dell DRAC and IBM RSA.

HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.

Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.

Hypervisors and IaaS: AWS; vSphere and ESXi.

Mobile management: BlackBerry Enterprise Server and MobileIron.

Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.

Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.

SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.

Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

24 Rapid integration with custom apps

• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.

• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.


25 Multiple servers and instances

• Hitachi ID Suite supports multiple servers:

– Built-in automation replicates data, software and configuration.
– Both real-time and nightly checkpoint replication.

• Any off-the-shelf load balancer, or just DNS round-robin, can be used to distribute user sessions across servers.
• Fail-out, not fail-over:

– Use all servers normally.
– Remove unresponsive servers from circulation only if required.

• Deploy to multiple sites, get DR/BC for free.
• Hitachi ID Suite supports multiple instances per server:

– Different instances for different policies (ex: users vs. administrators).
– Multi-tenant deployment for outsourcers.

26 MSP technology advantages

Hitachi ID solutions make our partners more competitive.

• More features and functionality for less money:

– Lower initial and ongoing investment (license scheme).
– Lower on-going administration costs.

• Technology (not services) drives lower deployment costs:

– Reference builds.
– All features, connectors included.
– Auto-discovery of systems, accounts, entitlements.
– Automated and self-service ID mapping.
– Policy-driven workflow easier to manage.
– No need to engage in costly role engineering.


27 Hitachi ID Suite summary

• Three integrated IAM products, used by over 14M users, that can:

– Discover and connect identities across systems and applications.
– Securely and efficiently manage entitlements and credentials.
– Secure and monitor access to privileged accounts.

• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

Date: 2017-12-08 File: PRCS:pres