Managing the User Lifecycle Across On-Premises and 2...
1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Administration and governance of identities, entitlements and credentials.
2 Agenda
• Introductions.
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Architecture and technology.
• MSP advantages.
© 2017 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• 14M+ licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
4 Representative customers
5 Managed service provider partners
• Managed service providers outsource IT services, such as help desk call resolution.
• Almost all major MSPs have standardized on Hitachi ID solutions to automatically resolve password problems for their customers.
• Many MSPs are now adding Hitachi ID solutions to automate identity and access management as well.
• Hitachi ID MSP partners include:
6 Hitachi ID Suite
7 Integration With Other IAM Infrastructure
Diagram: the Hitachi ID Suite core infrastructure (automation, self-service requests, authorization workflow, consolidated reporting, auto-discovery, reliable updates, target connectors, help desk integrations, database replication) integrates with E/SSO, WebSSO/WebAM, directory, meta directory, virtual directory and system of record. Products built on it: Hitachi ID Password Manager, Identity Manager, Group Manager, Login Manager, Org Manager, Privileged Access Manager, Phone PW Manager and Access Certifier.
8 Problem: Too Many Passwords
Every login account has its own:
• Password value.
• User interface.
• Strength rules.
• Expiration date.
Password complexity creates business problems:
• High call volume: Users forget or lock out their passwords. This can be 30% of help desk workload.
• Sticky notes: Users write down their passwords and may leave them in public view.
• Bad passwords: Users choose simple, easily guessed passwords.
9 HiPM features
Password synch:
• Reduce the number of passwords per user.
Self-service:
• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted filesystem with forgotten pre-boot password.
Value-add:
• 2FA – built-in for all users, including via mobile app.
• Federated access – replace other apps’ login screens.
• Password vault – users can store unmanaged passwords.
Access from:
• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.
Assisted service:
• Password, token PIN, intruder lockout.
Policy enforcement:
• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.
Managed enrollment:
• Security questions.
• Login IDs.
• Mobile phone numbers.
10 Identity and access needs are ever-changing
Digital identities require frequent updates to reflect business changes:
• Who? (Types of users): Employees, contractors, vendors, partners, customers.
• Why? (Business events): Hire, move, change job function, terminate.
• What? (Change types): Create/move/disable/delete user, update identity data and entitlements, reset passwords.
• Where? (Applications): AD, Exchange, Notes, ERP, Linux/Unix, database, mainframe, physical assets.
Complexity creates delay and reliability problems:
• Productivity: Slow onboarding, change fulfillment.
• Cost: Many FTEs needed to implement security changes.
• Security: Unreliable access termination, inappropriate user entitlements. Enforce SoD policies.
• Accountability: Who has access to what? How/when did they get it?
11 HiIM features
Automation:
• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.
Request portal:
• Users can request for themselves or others.
• Access control model limits visibility, requestability.
Certification:
• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.
Workflow:
• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.
Policies, controls:
• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.
Integrations:
• 120+ bidirectional connectors, included.
• Manage mail boxes, home directories, badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.
12 Users accumulate access rights
Over time, users change roles/responsibilities:
• Users change jobs, departments and locations.
• There are many users, each with access to many systems.
With each transition, users accumulate entitlements:
• From what? There is no record of every right a user had before, so old rights are not removed.
• To what? Without a role model, it is impossible to say which of a user’s old rights should stay and which should go.
• When? A reassigned user may back up his replacement for a while, so must retain old rights for an undefined period of time.
13 HiAC features
HiAC automates periodic review and cleanup of user entitlements:
• Capture:
– Auto-discovery creates a clear picture of the actual state of user entitlements across the enterprise.
• Leverage org-chart:
– Management relationships can be used to structure a certification round. Allows delegation of access review, cleanup and certification to managers.
• Notify:
– Automated e-mail reminders to managers, app owners and other stake-holders.
• Certify:
– Entitlements are either certified or flagged for removal.
• Sign off:
– Stake-holders must sign off on completed reviews.
• Action:
– Upon approval (if required), the offending entitlements are automatically removed and the user is brought back into compliance.
• Report:
– Full reports to satisfy audit requests are available.
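As an added example (not Hitachi ID code) of the capture, org-chart, certify and action steps above and of the mover problem on the previous slide: a minimal certification round in Python over constructed data. It picks each user's manager as reviewer, falls back to the target system's owner when the org chart has no manager, flags entitlements outside the user's current role and SoD conflicts, and turns uncertified flags into deprovisioning requests. All names, the role model and the SoD rule are assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed, not from Hitachi ID): the snapshot an
# auto-discovery step would produce, the org chart, the role model and SoD rules.
ENTITLEMENTS = {
    "alice": {"AD:Sales-Share", "AD:Finance-Share", "SAP:AP_CLERK"},  # moved Sales -> Finance
    "bob":   {"AD:Sales-Share"},
    "carol": {"SAP:AP_CLERK", "SAP:AP_APPROVER"},                     # clerk + approver
}
DEPARTMENT = {"alice": "Finance", "bob": "Sales", "carol": "Finance"}
MANAGER = {"alice": "dave", "bob": "erin"}            # carol has no manager on record
ROLE_MODEL = {"Finance": {"AD:Finance-Share", "SAP:AP_CLERK"}, "Sales": {"AD:Sales-Share"}}
SOD_RULES = [{"SAP:AP_CLERK", "SAP:AP_APPROVER"}]     # rights that must not be held together
APP_OWNER = {"AD": "frank", "SAP": "grace"}           # fallback reviewer per target system

def build_round(entitlements=ENTITLEMENTS, department=DEPARTMENT, manager=MANAGER,
                role_model=ROLE_MODEL, sod_rules=SOD_RULES, app_owner=APP_OWNER):
    """Group every (user, entitlement) into a reviewer's work list with a reason.
    Reviewer = the user's manager if the org chart has one, else the owner of the
    target system (the gap case from the 'Orgchart data is scarce' slide)."""
    work = defaultdict(list)
    for user, rights in sorted(entitlements.items()):
        expected = role_model.get(department.get(user), set())
        # every right that takes part in a fully matched SoD rule is a conflict
        conflicts = set().union(*[rule for rule in sod_rules if rule <= rights])
        for ent in sorted(rights):
            if ent in conflicts:
                reason = "sod-conflict"
            elif ent not in expected:
                reason = "outside-role"
            else:
                reason = "in-role"
            reviewer = manager.get(user) or app_owner.get(ent.split(":")[0], "iam-team")
            work[reviewer].append((user, ent, reason))
    return dict(work)

def apply_decisions(work, decisions, entitlements=ENTITLEMENTS):
    """decisions: {(user, ent): 'certify' | 'revoke'}. A flagged right the reviewer
    did not explicitly certify is revoked at sign-off; in-role rights are kept.
    Returns (deprovisioning_requests, entitlements_after)."""
    after = {u: set(r) for u, r in entitlements.items()}
    requests = []
    for reviewer, items in work.items():
        for user, ent, reason in items:
            default = "certify" if reason == "in-role" else "revoke"
            if decisions.get((user, ent), default) == "revoke":
                requests.append({"user": user, "entitlement": ent,
                                 "reviewer": reviewer, "reason": reason})
                after[user].discard(ent)
    return requests, after
```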
14 Problem: Too many security groups
Medium to large AD environments have thousands of security groups:
• Control access to printers, shares and folders.
• Membership in mail distribution lists.
It is challenging to manage group membership on this scale:
• User needs constantly change.
• Users do not understand groups or ACLs.
• Users don’t know which groups they need.
• Who authorizes membership in each group?
15 HiGM features
Hitachi ID Group Manager enables self-service administration of user access to network resources – shares, folders, etc.:
• Intercept:
– The Windows "Access Denied" error dialog and send users to the appropriate workflow / group membership request screen.
• Browse:
– Users find the resources they want using HiGM.
• Request:
– Users ask for access to a resource (no knowledge of groups required).
• Map:
– HiGM maps user requests to group membership.
• Route:
– A workflow request is created dynamically and sent to the group’s owner plus anyone else specified by policy.
• Provision:
– Upon approval, the user is added to the appropriate group.
• Notify:
– Users and authorizers are sent thank-you notes.
16 Orgchart data is scarce
• Hitachi ID estimates that:
– 30% of organizations have no data about each employee or contractor’s manager.
– 90% of organizations have incomplete, inaccurate or out-of-date OrgChart data.
• HR systems rarely include contractors, vendors, etc.
• Organizations are dynamic and HR often doesn’t have the means to accurately or quickly record changes.
• Staff may have multiple managers, but it’s best if only one manager is ultimately responsible for their actions, privileges, pay, etc.
• Bottom line: while OrgChart data is valuable, it is rarely available, complete or reliable.
17 Summary
Hitachi ID Org Manager leverages the Hitachi ID Suite infrastructure to effectively manage OrgChart data:
• Get managers to name their own subordinates.
• Clean up errors in current OrgChart data.
• Fill in gaps in existing data – contractors, vendors, temps, etc.
• Enable processes that depend on complete and accurate OrgChart data, such as IAM workflow and access certification.
18 Privileged Accounts Not Secured
• Workstations and servers often have the same, unchanging administrator passwords.
• These passwords are used by desktop support staff, data center staff and other IT resources to manage hardware, operating systems, etc.
• With thousands of workstations and servers, it is difficult or impossible to ever change these passwords.
• As IT staff turn over, ex-staff retain keys to sensitive assets.
19 HiPAM features
Auto-discovery:
• Find systems, accounts.
• Automatically assign to policies via rules.
Passwords:
• Randomize on a schedule and after use.
• Store in an encrypted, replicated, distributed vault.
Authorization:
• Policy-driven rules.
• Pre-authorized and request/approval workflow if not routine.
Grant access:
• Launch SSH, RDP, vSphere, SQL, etc.
• Direct connection, VDI proxy or HTML5 proxy.
• Password display.
• Temporary group membership or SSH trust.
Application passwords:
• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API replaces embedded passwords.
Logging:
• Requests, approvals, logins to privileged accounts.
Session monitoring:
• Screen, keyboard, webcam, process ID, window title, etc.
• Keylog censorship protects passwords, SSN, CC numbers, etc.
• Request/approval workflow protects staff privacy.
20 E-SSO Deployment Challenges
• Deploying client software to each and every workstation.
• Building and securing a high-availability database or directory in which to store application passwords.
• Populating and keeping current user application passwords.
• Updating encrypted passwords after password resets.
• Enabling application access from Internet kiosks, PDAs and other non-SSO-enabled devices.
21 HiLM features
Reduced signon:
• Capture the user’s login ID and password from the workstation login.
• Extract alternate login IDs from AD.
• Detect dialogs where the user types the known login IDs/password.
• Automatically fill in user ID/password prompts.
Compatible applications:
• Native Windows dialog boxes.
• HTML forms using IE and Firefox.
• 3270 and 5250 terminal sessions.
• Lotus Notes R6 – R8.
• SAP R/3 GUI.
Advantages – HiLM never:
• Stores passwords.
• Hand-codes scripts.
• Contacts a central server.
• Sets an application password to something the user doesn’t know.
22 Active-active architecture
Diagram (active-active architecture): Hitachi ID servers in data center A and data center B with replication between them; load balancers; firewalls; a “cloud” tier with reverse web proxy, VPN server, IVR server and mobile proxy; mobile UI; SaaS apps; HR system as system of record; ticketing system (tickets, notifications and invitations); managed endpoints (AD, SQL, SAP, Notes, etc.; z/OS with local agent; MS SQL databases; password synch trigger systems; native password change and password validation against AD, Unix, z/OS, LDAP and iSeries); a remote data center with proxy server (if needed) and managed endpoints with remote agent. Transports labelled: TCP/IP + AES, secure native protocol, various protocols and HTTPS.
23 Included connectors
Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.
24 Rapid integration with custom apps
• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
25 Multiple servers and instances
• Hitachi ID Suite supports multiple servers:
– Built-in automation replicates data, software and configuration.
– Both real-time and nightly checkpoint replication.
• Any off-the-shelf load balancer, or just DNS round-robin, can be used to distribute user sessions across servers.
• Fail-out, not fail-over:
– Use all servers normally.
– Remove unresponsive servers from circulation only if required.
• Deploy to multiple sites, get DR/BC for free.
• Hitachi ID Suite supports multiple instances per server:
– Different instances for different policies (ex: users vs. administrators).
– Multi-tenant deployment for outsourcers.
26 MSP technology advantages
Hitachi ID solutions make our partners more competitive.
• More features and functionality for less money:
– Lower initial and ongoing investment (license scheme).
– Lower on-going administration costs.
• Technology (not services) drives lower deployment costs:
– Reference builds.
– All features, connectors included.
– Auto-discovery of systems, accounts, entitlements.
– Automated and self-service ID mapping.
– Policy-driven workflow easier to manage.
– No need to engage in costly role engineering.
27 Hitachi ID Suite summary
• Three integrated IAM products, used by over 14M users, that can:
– Discover and connect identities across systems and applications.
– Securely and efficiently manage entitlements and credentials.
– Secure and monitor access to privileged accounts.
• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
Date: 2017-12-08