
1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Administration and governance of identities, entitlements and credentials.

2 Agenda

• Corporate.
• IAM problems / Hitachi ID solutions.
• Technology.
• Privileged Access.
• Example deployments.
• Discussion.

3 Corporate

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers


4 Managing credentials and entitlements

4.1 Hitachi ID Suite


4.2 HiIM features

Automation:
• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.

Integrations:
• 120+ bidirectional connectors, included.
• Manage resources including mail boxes, home directories and badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.

Request portal:
• Users can request for themselves or others.
• Access control model limits visibility, requestability.

Accounts and groups:
• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.

Workflow:
• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.

Policies, controls:
• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.

Certification:
• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.
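The automation and certification bullets above describe the core loop of identity administration: read a system of record, derive what each person should hold, compare with what target systems actually hold, and turn the difference into grant, revoke and deprovisioning requests. The script below is an added example of that loop in plain Python; it is not Hitachi ID code and does not use any Hitachi ID API. The HR feed, the role-to-entitlement model and the snapshot of target-system access are all constructed inline, and the choice to disable (rather than delete) a leaver's AD account is an assumed policy, not something the slides state.

```python
"""SoR-driven joiner / mover / leaver reconciliation.

Added example, not Hitachi ID code. An HR feed is the system of record;
an RBAC model maps (department, title) to roles and roles to entitlements;
the diff against a snapshot of what target systems actually hold becomes
a list of grant / revoke / disable requests. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    action: str        # "grant" | "revoke" | "disable"
    user: str
    system: str
    entitlement: str


# Constructed HR feed (authoritative). e1002 moved from sales to finance;
# e1003 was terminated; e1004 is a new hire with no accounts yet.
HR_FEED = [
    {"id": "e1001", "status": "active",     "dept": "finance", "title": "analyst"},
    {"id": "e1002", "status": "active",     "dept": "finance", "title": "manager"},
    {"id": "e1003", "status": "terminated", "dept": "sales",   "title": "rep"},
    {"id": "e1004", "status": "active",     "dept": "it",      "title": "sysadmin"},
]

# Constructed RBAC model: job -> roles, role -> (system, entitlement) pairs.
ROLES_FOR = {
    ("finance", "analyst"): {"base-user", "finance-ro"},
    ("finance", "manager"): {"base-user", "finance-ro", "finance-approver"},
    ("sales", "rep"):       {"base-user", "crm-user"},
    ("it", "sysadmin"):     {"base-user", "ad-server-admin"},
}
ENTITLEMENTS_FOR = {
    "base-user":        {("AD", "account"), ("O365", "mailbox")},
    "finance-ro":       {("EBS", "GL_READ")},
    "finance-approver": {("EBS", "GL_APPROVE")},
    "crm-user":         {("CRM", "sales_user")},
    "ad-server-admin":  {("AD", "account"), ("AD", "Server-Admins")},
}

# Constructed snapshot of target systems. e9999 has no HR record (orphan).
CURRENT_ACCESS = {
    "e1001": {("AD", "account"), ("O365", "mailbox"), ("EBS", "GL_READ")},
    "e1002": {("AD", "account"), ("O365", "mailbox"), ("CRM", "sales_user")},
    "e1003": {("AD", "account"), ("O365", "mailbox"), ("CRM", "sales_user")},
    "e9999": {("AD", "account")},
}


def desired_access(person):
    """Entitlements the SoR says this person should hold; nothing if inactive."""
    if person["status"] != "active":
        return set()
    ents = set()
    for role in ROLES_FOR.get((person["dept"], person["title"]), set()):
        ents |= ENTITLEMENTS_FOR[role]
    return ents


def reconcile(hr_feed, current):
    """Diff desired vs. actual state and emit change requests.

    Orphans (accounts with no SoR record) are treated as leavers. An AD account
    that should hold nothing is disabled rather than deleted so the audit trail
    survives; that is an assumed policy, not something the slides specify.
    """
    by_id = {p["id"]: p for p in hr_feed}
    requests = []
    for uid in sorted(set(by_id) | set(current)):
        have = current.get(uid, set())
        want = desired_access(by_id[uid]) if uid in by_id else set()
        for system, ent in sorted(want - have):
            requests.append(Request("grant", uid, system, ent))
        for system, ent in sorted(have - want):
            leaver_account = (system, ent) == ("AD", "account") and not want
            requests.append(Request("disable" if leaver_account else "revoke", uid, system, ent))
    return requests


if __name__ == "__main__":
    for r in reconcile(HR_FEED, CURRENT_ACCESS):
        print(f"{r.action:<8}{r.user:<7}{r.system}:{r.entitlement}")
```

Running it shows the three lifecycle cases side by side: the mover (e1002) gains finance entitlements and loses the sales one, the leaver (e1003) and the orphan (e9999) are stripped of everything with their AD account disabled, and the joiner (e1004) gets only what the role model grants. The orphan case is the one a certification campaign is meant to surface; reconciling against the SoR catches it without waiting for a reviewer.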


4.3 HiPM features

Password synch:
• Reduce the number of passwords per user.

Self-service:
• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted drive with forgotten pre-boot password.

Value-add:
• 2FA, built-in for all users, including via mobile app.
• Federated access: replace other apps' login screens.
• Password vault: users can store unmanaged passwords.

Access from:
• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.

Assisted service:
• Password, token PIN, intruder lockout.

Policy enforcement:
• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.

Managed enrollment:
• Security questions.
• Login IDs.
• Mobile phone numbers.

5 Technology


5.1 Delivery options

On-premises

What/where:
• Conventional software; or
• Virtual appliance.
• Managed by customer IT; or
• managed by Hitachi ID remotely; or
• managed by a partner.

Charges:
• Software: license, annual maintenance.
• Virtual appliance: add OS, DB licenses.
• Managed service: add annual fee.

Hosted / SaaS

What/where:
• Dedicated instance per customer.
• Minimum two servers, locations.
• Proxy server on-premises.
• Managed by Hitachi ID.
• Regular upgrades.

Charges:
• Monthly per-user fee.
• Commitment for minimum quantity, duration.


5.2 Active-active architecture

[Architecture diagram. Components shown: a "cloud" zone with SaaS apps; data center A and data center B, each hosting Hitachi ID servers, plus a remote data center; load balancers, a reverse web proxy, a VPN server and an IVR server in front; firewalls; an on-premises proxy server (if needed) and a mobile proxy serving the mobile UI; e-mail system (notifications and invitations); ticketing system (tickets); HR as system of record; managed endpoints reached with a remote agent (AD, SQL, SAP, Notes, etc.), z/OS with a local agent, and MS SQL databases; password synch trigger systems (AD, Unix, z/OS, LDAP, iSeries) forwarding native password changes for validation; replication between the Hitachi ID server sites. Link legend: TCP/IP + AES; various protocols; secure native protocol; HTTPS.]


5.3 Key architectural features

[Same diagram as 5.2, annotated: "cloud" zone with SaaS apps; data center A, data center B and a remote data center; link legend TCP/IP + AES, various protocols, secure native protocol, HTTPS.]

• Reach across firewalls.
• Load balanced.
• On premises and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.


5.4 IAMaaS architectural overview

[IAMaaS deployment diagram. Components shown: a Private Corporate Network behind a firewall, holding the HR DB, AD, two on-premises apps and an IAM Proxy; the Internet, with SaaS apps; an IaaS Provider Network behind its own firewalls, split into VLAN / Location 1 and VLAN / Location 2, each holding an IAM App Server, an IAM Database and a Mobile Proxy.]

5.5 Active-active replication

Avoid data loss and service interruption: multiple copies of the vault in different cities.

• Real-time data replication.
• Fault-tolerant.
• Bandwidth efficient, latency tolerant.
• Best practice: multiple servers in multiple data centers.
• Active/active.
• Load balanced.


5.6 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.

Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.

Server OS – X86/IA64: Windows NT thru 2016; Linux and *BSD.

Server OS – Unix: Solaris, AIX and HP-UX.

Server OS – Mainframe: RAC/F, ACF/2 and TopSecret.

Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.

ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.

Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.

Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.

Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.

Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.

PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.

Server health monitoring: HP iLO, Dell DRAC and IBM RSA.

HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.

Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.

Hypervisors and IaaS: AWS; vSphere and ESXi.

Mobile management: BlackBerry Enterprise Server and MobileIron.

Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.

Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.

SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.

Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

5.7 Integration with custom apps

• Hitachi ID Suite integrates with custom, vertical and hosted applications using flexible agents.

• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.

• Integration takes a few hours to a few days.
• Fixed-cost service available from Hitachi ID.

6 Privileged Access


6.1 Types of privileged accounts

Shared administrative accounts

Definition:
• Interactive logins used by humans.
• Client tools: PuTTY, RDP, SQL Studio, etc.
• May be used at a physical console.

Challenges:
• Access control.
• Audit/accountability.
• Single sign-on.
• Session capture.

Embedded accounts

Definition:
• One application connects to another.
• DB logins, web services, etc.

Challenges:
• Authenticating apps prior to password disclosure.
• Caching, key management.

Service accounts

Definition:
• Run service programs with admin or limited rights.
• Windows requires a password.
• Scheduled tasks, IIS, DCOM, SCM, etc.

Challenges:
• Avoiding service interruption.
• Restart service if req'd.


6.2 HiPAM features

Auto-discovery:
• Find systems, accounts.
• Automatically attach policies via rules.

Passwords:
• Randomize on a schedule and after use.
• Store in an encrypted, replicated, distributed vault.

Authorization:
• Policy-driven rules.
• Pre-authorized, or request/approval workflow if not routine.

Grant access:
• Single sign-on (login once, launch many).
• Request multiple accounts, run commands across them.
• Launch SSH, RDP, vSphere, SQL, etc.
• Direct connection, VDI proxy or HTML5 proxy.
• Password display and copy buffer integration.
• Temporary group membership or SSH trust.

Application passwords:
• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API replaces embedded passwords.

Logging:
• Requests, approvals, logins to privileged accounts.

Session monitoring:
• Screen, keyboard, webcam, process ID, window title, etc.
• Keylog censorship protects passwords, SSN, CC numbers, etc.
• Request/approval workflow protects staff privacy.
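The session-monitoring bullet on keylog censorship names a real problem: a keystroke recording of a privileged session is itself a store of secrets (the password typed at a prompt, a customer SSN pasted into a query, a card number) and must be scrubbed before a reviewer ever sees it. The filter below is an added example of that censorship step, not Hitachi ID code; it runs over a constructed keystroke capture and blanks password prompts, inline `-p` password arguments, US-format SSNs and card numbers that pass the Luhn check, leaving commands and hostnames readable. The prompt and flag patterns are illustrative and would need tuning per tool in a real deployment.

```python
"""Keystroke-log censorship for privileged session recordings.

Added example, not Hitachi ID code. Blanks the values an auditor must not
see in a keystroke capture while keeping the commands reviewable. The
sample log and the regexes are constructed for illustration.
"""
import re

# Constructed capture: one logical line per Enter-terminated keystroke run.
SAMPLE_KEYLOG = [
    "ssh dba@db01.example.internal",
    "dba@db01.example.internal's password: Tr0ub4dor&3",
    "mysql -u app -pS3cretPw! appdb",
    "select * from customers where ssn = '123-45-6789';",
    "update cards set pan='4111111111111111' where id=7;",
    "update cards set pan='4111111111111112' where id=8;",   # fails Luhn: treated as an ID, not a PAN
    "sudo systemctl restart nginx",
    "[sudo] password for dba: hunter2",
]

MASK = "[REDACTED]"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; digit runs that fail are most likely not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Anything typed after a password prompt is the secret.
PASSWORD_PROMPT = re.compile(r"(?i)(password(?: for [^:]+)?:\s*)(\S+)")
# Inline password flags in the mysql -pSECRET style (assumed convention, tune per tool).
INLINE_PW_FLAG = re.compile(r"(\s-p)(\S+)")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def censor_line(line: str) -> str:
    line = PASSWORD_PROMPT.sub(lambda m: m.group(1) + MASK, line)
    line = INLINE_PW_FLAG.sub(lambda m: m.group(1) + MASK, line)
    line = SSN.sub(MASK, line)

    def pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return MASK if luhn_ok(digits) else m.group(0)

    return PAN.sub(pan_sub, line)


def censor_keylog(lines):
    """Return the censored capture; the original is never written to the review store."""
    return [censor_line(l) for l in lines]


if __name__ == "__main__":
    for raw, clean in zip(SAMPLE_KEYLOG, censor_keylog(SAMPLE_KEYLOG)):
        print(("*" if raw != clean else " "), clean)
```

The Luhn check is what keeps the filter from blanking every 16-digit identifier in a database session; the line with `4111111111111112` survives untouched while the valid test PAN on the line above it is masked. Censorship of this kind has to run before the recording is stored or indexed, since a SIEM that receives the raw keylog would otherwise hold the same secrets.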

7 Example Deployments


7.1 Case Study: Industrial conglomerate

Customer description: Global industrial conglomerate with energy utility subsidiaries.

Product: Hitachi ID Identity Manager

Industry: Industrials, energy utilities

Target systems: Windows/AD, Oracle EBS, mainframe, databases.

Functionality: Onboard, deactivate, manage access of over 10,000 employees and contractors. Automation, self-service, policy enforcement.

Main business driver: Lower IT support cost and improve SLA.

Business impact: Retired home-grown IAM and access reporting system. Lower IT security management workload.

7.2 Case Study: Energy company

Customer description: Global energy company

Product: Hitachi ID Group Manager

Number of users: 100,000+

Functionality: Self-service requests to access network shares, folders.

Main business driver: Reduce IT support call volume.

Business impact: Replace "access denied" help desk calls with self-service infrastructure.

7.3 Case Study: US bank

Customer description: US bank

Product: Hitachi ID Password Manager

Industry: Banking

Number of users: 150,000

Functionality: Password reset via telephone, web browser.

Main business driver: Reduce IT support cost, improve authentication security when users call for help.

Business impact: Eliminated 33,000 help desk calls/month. Saved at least US$ 4,000,000/year.


7.4 Case Study: Investment bank

Customer description: Top-10 global investment bank.

Product:

Industry: Finance

Target systems: Windows, Unix/Linux, MSSQL.

Functionality: Randomize passwords weekly on 122,000 systems around the world. Deployed 12 servers in 4 data centers globally for super-high availability and fault tolerance.

Main business driver: Eliminate static, shared, administrative passwords to comply with audit, regulatory requirements.

Business impact: Control, audit administrator logins to privileged accounts on 122,000 systems globally. Pass audits.

8 Differentiation

8.1 HiIM advantages

Hitachi ID Identity Express
• HiIM: Pre-configured with most common scenarios.
• Others: Every deployment is custom, new.

Built-in features
• HiIM: Group lifecycle management; request portal; access certification; approval workflow.
• Others: Custom forms; custom workflows.

User friendly requests
• HiIM: Windows Shell extension; SharePoint integration; compare users; recommended entitlements.
• Others: Users must know what entitlements to request.

Robust policy enforcement
• HiIM: SoD with deep inspection; policy-driven approvals; privacy protection.
• Others: SoD easily bypassed; hard-coded approvals; no privacy protection.

Architecture
• HiIM: Scalable: multi-master, load-balanced. Fault tolerant: active-active.
• Others: DB is choke point, single point of failure. Only hot standby.
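Both the "RBAC, SoD" policy bullet in 4.2 and the "SoD with deep inspection" versus "SoD easily bypassed" contrast here turn on one question: does the check look at what a user is assigned directly, or at what the user can actually do once nested groups and roles are resolved? The slides do not define "deep inspection"; the added example below, which is not Hitachi ID code, takes it to mean resolving group-in-group membership to a fixed point before testing the rules. The directory, entitlement map and SoD rules are constructed so that one user violates a rule only through an indirect membership, which a shallow check misses.

```python
"""Segregation-of-duties check: direct assignments vs. resolved membership.

Added example, not Hitachi ID code. "Deep inspection" is modelled here as
following nested group membership before evaluating SoD rules. Data is
constructed: alice is an AP approver only via the Finance-Leads group.
"""

# Constructed directory: group -> members (user names or other group names).
GROUPS = {
    "AP-Clerks":     {"alice", "bob"},
    "AP-Approvers":  {"carol", "Finance-Leads"},
    "Finance-Leads": {"alice"},
    "Vendor-Maint":  {"bob"},
}

# What each group conveys on the ERP (constructed).
GROUP_ENTITLEMENTS = {
    "AP-Clerks":     {"ERP:create_invoice"},
    "AP-Approvers":  {"ERP:approve_payment"},
    "Vendor-Maint":  {"ERP:edit_vendor_bank"},
    "Finance-Leads": set(),
}

# Pairs of entitlements one person must never hold together.
SOD_RULES = [
    ("ERP:create_invoice", "ERP:approve_payment"),
    ("ERP:edit_vendor_bank", "ERP:approve_payment"),
    ("ERP:create_invoice", "ERP:edit_vendor_bank"),
]


def direct_entitlements(user):
    """Shallow view: only groups that list the user by name."""
    ents = set()
    for group, members in GROUPS.items():
        if user in members:
            ents |= GROUP_ENTITLEMENTS[group]
    return ents


def effective_entitlements(user):
    """Deep view: follow group-in-group membership to a fixed point (cycle-safe)."""
    holding = {g for g, members in GROUPS.items() if user in members}
    frontier = set(holding)
    while frontier:
        # Groups that contain any group we already hold, not yet counted.
        newly = {g for g, members in GROUPS.items() if members & frontier} - holding
        holding |= newly
        frontier = newly
    ents = set()
    for group in holding:
        ents |= GROUP_ENTITLEMENTS[group]
    return ents


def sod_violations(user, resolver):
    ents = resolver(user)
    return [rule for rule in SOD_RULES if rule[0] in ents and rule[1] in ents]


def audit(users):
    """Run both checks so the gap between them is visible per user."""
    return {u: {"shallow": sod_violations(u, direct_entitlements),
                "deep": sod_violations(u, effective_entitlements)} for u in users}


if __name__ == "__main__":
    for user, result in audit(["alice", "bob", "carol"]).items():
        print(user, result)
```

bob's conflict (he can both create invoices and edit vendor bank details) is caught either way because both memberships are direct. alice's is only visible to the deep check: she is a clerk directly and an approver only through Finance-Leads, so a certifier or an approval rule that inspects her direct group list sees no conflict. The same fixed-point expansion applies to role hierarchies and to group nesting in AD, where the indirect path is the usual way an SoD control gets bypassed in practice.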


8.2 HiPM advantages

• HiPM: 2FA, federation included for all users.
  Others: Extra products required.

• HiPM: Access from smart phones (BYOD).
  Others: Only with a public URL.

• HiPM: Unlock encrypted drive at the pre-boot password prompt.
  Others: Call the help desk.

• HiPM: Access from Windows login screen, even when off-site.
  Others: Come back to the office or ship laptop to dept.

• HiPM: Access from domain-member Mac OS X login screen.
  Others: Call the help desk.

• HiPM: All connectors included in base price.
  Others: Some charge per-connector.

• HiPM: Web browser, smart-phone, PC login screen, telephony all included.
  Others: Extra features, extra cost.

• HiPM: Managed enrollment, maximum adoption.
  Others: Write scripts; extra cost, lower ROI.

• HiPM: Active-active replication: scalable and reliable.
  Others: Hot standby at best. May cost extra.


8.3 HiPAM advantages

Multi-factor authentication
• HiPAM: Included 2FA app. Leverage any 3rd party MFA.
• Others: Limited 3rd party MFA. Nothing built-in.

Access disclosure options
• HiPAM: Display/copy password. Single sign-on (SSO): direct connect, HTML5 proxy, VDI proxy. Can launch any admin tool.
• Others: Display/copy password. Jump server only for SSH, RDP.

User convenience
• HiPAM: SSO: login once, launch many. Request multiple accounts at once.
• Others: Login again for every session. One account at a time.

Other access mechanisms
• HiPAM: Temporary group membership. Temporary SSH trust membership.
• Others: None.

High availability
• HiPAM: Active-active architecture. Geographically distributed. Built-in data replication.
• Others: Hot standby only. Roll-your-own replication.

9 Discussion

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23