Upload
others
View
9
Download
0
Embed Size (px)
Citation preview
1 Hitachi ID Identity Manager
Managing the User LifecycleAcross On-Premises andCloud-Hosted Applications
Manage identities, accounts, groups and roles:Automation, requests, approvals, reviews, SoD and RBAC.
2 Agenda
• Corporate• Hitachi ID Identity Manager• Recorded Demos• Technology• Implementation• Differentiation
3 Corporate
© 2020 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governanceand identity administration solutionsto organizations globally.Hitachi ID IAM solutions are used by Fortune500companies to secure access to systemsin the enterprise and in the cloud.
• Founded as M-Tech in 1992.• A division of Hitachi, Ltd. since 2008.• Over 1200 customers.• More than 14M+ licensed users.• Offices in North America, Europe and
APAC.• Global partner network.
3.2 Representative customers
© 2020 Hitachi ID Systems, Inc. All rights reserved. 2
Slide Presentation
3.3 Hitachi ID Suite
4 Hitachi ID Identity Manager
4.1 Compliance / internal controls
Challenges Solutions
• Slow and unreliable deactivation whenpeople leave.
• Orphan and dormant accounts.• Users with no-longer-needed access.• Access that violates SoD policies or
represents high risk.• Unreliable approvals for access requests.• Audit failures and regulatory risk.
• Automate deactivation based on SoR(HR).
• Review and remediate excessive access(certification).
• Block requests that would violate SoD.• Analyze entitlements to find policy
violations, high risk users.• Automatically route access requests to
appropriate stake-holders.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 3
Slide Presentation
4.2 Access administration cost
Challenges Solutions
• Multiple FTEs required to setup,deactivate access.
• Additional burden on platformadministrators.
• Audit requests can add significant strain.
• Automate access setup, tear-down inresponse to changes in systems of record(SoRs).
• Simple, business-friendly access requestforms.
• Route requests to authorizersautomatically.
• Automate fulfillment where possible.• Help auditors help themselves:
– With certification, auditors focus onprocess, not entitlements.
– Reports and analytics.
4.3 Access changes take too long
Challenges Solutions
• Approvers take too long.• Too many IT staff required to complete
approved requests.• Service is slow and expensive to deliver.
• Automatically grant access:
– Where predicted by job function,location, ...
– Eliminate request/approval processwhere possible.
• Streamline approvals:
– Automatically assign authorizers,based on policy.
– Invite participants simultaneously,not sequentially.
– Enable approvals from smart-phone.– Pre-emptively escalate when
stake-holders are out of office.
• Automate fulfillment where possible.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 4
Slide Presentation
4.4 Access requests are too complicated
Challenges Solutions
• Requesting access is complex:
– Where is the request form?– What access rights do I need?– How do I fill this in?– Who do I send it to, for approval?
• Complexity creates frustration.
• Auto-assign access when possible.• Simplify request forms.• Intercept "access denied" errors:
– Navigate lead users to appropriaterequest forms.
• Compare entitlements:
– Help requesters select entitlements.– Compare recipient, model user
rights.– Select from a small set of
differences.
• Recommend entitlements:
– Identify users in a peer group basedon shared attributes.
– Rank entitlements by popularityamong peers.
– Sort entitlements so what therequester likely wants is at the top.
• Automatically assign authorizers basedon policy.
4.5 Too many groups
Challenges Solutions
• Too many security groups and maildistribution lists.
• Groups represent business functions butare only manageable by IT.
• Hard to tell whether membership andaccess are appropriate.
• Assigning privileges is complex andcostly.
• Groups and memberships persist longafter needed.
• Empower business users to create,manage groups directly.
• Apply policy to requests, naming,metadata.
• Make groups and membershipstemporary where possible.
• Calculate group membership where thereis supporting data.
• Use request/approval and review/revokeworkflows to clean up.
• Apply analytics to find too-small,too-large, overlapping, etc.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 5
Slide Presentation
5 Features
© 2020 Hitachi ID Systems, Inc. All rights reserved. 6
Slide Presentation
5.1 HiIM features
Automation:
• Monitor one or more systems of record (SoR).• Generate requests to grant, revoke access.
Integrations:
• 120+ bidirectional connectors, included.• Manage resources including mail boxes, home directories and
badges.• Incident management, SIEM, e-mail, 2FA.• Manage building access, physical assets.
Request portal:
• Users can request for themselves or others.• Access control model limits visibility, requestability.
Accounts and groups:
• Create, manage and delete accounts & groups across systems.• Update attributes and assign/revoke group memberships.
Workflow:
• Invite authorizers, implementers, certifiers to act.• Built-in reminders, escalation, delegation and more.• Selects participants via policy, not flow-charts.
Policies, controls:
• RBAC, SoD.• Risk scores, analytics.• Approvals, recertification.
Certification:
• Initiated by the system (event, schedule).• Stake-holders review identities, entitlements.• Generates deprovisioning requests.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 7
Slide Presentation
5.2 HiIM data flow
Inputs → → Processes →
• Monitor SoRs (automation).• Systems and apps - current state.• Request portal:
– Self-service.– Delegated.– Access admin.
• Web services API.
• Request forms.• Approval workflows.• Access certification.• Manual fulfillment.• Analytics.
→ Policies → → Outputs
• Segregation of duties.• Risk scores.• Role based access control.• Authorizer, certifier selection.• Visibility / privacy protection.
• Manage accounts and groups via 120connectors.
• E-mail.• Create/update/close tickets.• Send events to SIEM.
5.3 Process automation, then access cleanup
• Using Hitachi ID Identity Express, we recommend full automation of identity and entitlementlifecycles out of the gate:
– Joiners, movers, leavers processes.– Password management, strong authentication and federation.– Change requests, approval, review/certification.– Driven by both SoR data and requests.
• No need to "clean up" entitlements before automating access changes.• Roles can be added later: not a pre-requisite.• Automate first, clean up afterwards:
– Unlike with competitors, automation is pre-configured and easy.– Start with basic integrations, add connectors over time.– Leverage automation and user knowledge to help clean up.– Add roles and expand automation over time.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 8
Slide Presentation
5.4 Group lifecycle management
• Hitachi ID Identity Manager can manage groups as well as accounts on target systems.• This includes:
– Create new group.– Assign/revoke members.– Modify group owners, description and meta data.– Manage parent/child relationships.– Rename/move (change CN or OU).
• All change requests, applied to identities, accounts or groups flow through workflow:
– Hidden and calculated elements.– Validation and policy checking.– Policy-based approvals.– Change history.
• Group memberships and role assignments can be:
– Requested, subject to approval, review and revocation.– Calculated, based on identity attributes and other groups.– Scheduled with a start and end date.
• A dedicated UI is provided for group members and owners to make changes.
5.5 Monitoring systems of record
• Any target system can function as a system of record(SoR).
• Examples: HR apps, SQL databases, CSV files, ...• Hitachi ID Identity Manager can monitor multiple SoR’s:
– Multinationals: regional HR systems.– Colleges: students vs. faculty/staff.
• Map attributes to user profiles and prioritize.• Automatically submit access requests in response to
detected changes.• Users can submit pre-emptive or corrective requests:
– New hire not yet in HR.– HR data is wrong.– Override SoR data until HR updates it.
• Request portal handles users who never appear in SoRs:
– Contractors, partners, etc.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 9
Slide Presentation
5.6 Help requesters formulate requests
• Users rarely know where or how to request access!• Make recommendations:
– What entitlements do peers of the recipient have?– Rank by popularity, omit already-held rights.
• Windows shell extension, SharePoint error page:
– Intercept "Access Denied" errors.– Navigate user to appropriate request URL.
• Compare users:
– Compare entitlements between the intended recipient and areference user.
– Select entitlements from the variance.
• Search for entitlements:
– Keywords, description, metadata/tags.
• Relationship between requester and recipient:
– What recipients can the requester see?– What identity attributes are visible?– What kinds of requests are available?
5.7 Robust, policy-driven workflow
• Workflow invites stake-holders to participate in processes:
– Approve or reject a request.– Review entitlements and recertify or remediate.– Fulfill an approved request.– Extensible. e.g., audit cases.
• Stake-holders are invited based on policy:
– No flow-charts or diagrams required.– Process is simple, transparent and secure.– Routing may be based on relationships, resource ownership, risk.
• The process is robust, even when people aren’t:
– Invite N participants, accept response from M (M<N).– Simultaneous invitations by default (sequential made sense for
paper forms).– Automatically send reminders.– Escalate (e.g., to manager) if unresponsive.– Check out-of-office message, pre-emptively escalate.– Accessible from smart phone, not just PC.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 10
Slide Presentation
5.8 Reports, dashboards and analytics
• Over 150 reports built in:
– Many include multiple modes (e.g,. dormant vs. orphan accounts).– Identities, entitlements, history, system operation, trends, etc.– Easy to add custom reports.
• Many dashboards included as well.• Run interactively or schedule (once, recurring).• Deliver output (HTML, CSV, PDF):
– Interactively.– In e-mails.– Drop files on UNC shares.– Stream results via web services.
• Actionable analytics:
– Feedback from reports to requests.– Automated remediation.
• Database is normalized, documented – can use 3rd party tools too.
6 Recorded Demos
6.1 Access request (new contractor)
Animation: ../../pics/camtasia/v10/hiim-onboarding-contractor-original-resolution.mp4
6.2 Self service creation of a new Active Directory group
Animation: ../../pics/camtasia/suite11/higm-group-create.mp4
6.3 Intercept ’Access denied’ dialogs
Animation: ../../pics/camtasia/suite11/higm-A-request-folder.mp4
6.4 Compare user entitlements
Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4
© 2020 Hitachi ID Systems, Inc. All rights reserved. 11
Slide Presentation
6.5 Request groups with recommendations
Animation: ../../pics/camtasia/suite11.1/group-request-with-app-and-recommendations.mp4
6.6 Review groups using consistency scores
Animation: ../../pics/camtasia/suite11.1/group-cert-with-recommendations.mp4
6.7 Mobile request approval
Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4
6.8 Actionable analytics: Disable orphans
Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4
7 Technology
© 2020 Hitachi ID Systems, Inc. All rights reserved. 12
Slide Presentation
7.1 Delivery options
On-premises Hosted / SaaS
What/where
•Conventionalsoftware;or
• Virtualappliance.
• ManagedbycustomerIT; or
• managedby HitachiIDremotely;or
• managedby apartner.
• Dedicated instance per customer.• Minimum two servers, locations.• Proxy server on-premises.• Managed by Hitachi ID.• Regular upgrades.
Charges • Software: License, annualmaintenance.
• Virtual appliance: add OS, DBlicenses.
• Managed service: add annual fee.
• Monthly per-user fee.• Commitment for minimum
quantity, duration.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 13
Slide Presentation
7.2 Active-active architecture
“Cloud”
Reverse
web
proxyVPN server
IVR server
Load
balancers
system
Ticketing
system
HR
Hitachi ID
servers
Hitachi ID
servers
Firewalls
Proxy server
(if needed)
Mobile
proxy
SaaS apps
Managed
endpoints
Managed endpoints
with remote agent:
AD, SQL, SAP, Notes, etc
z/OS - local agent
MS SQL databases
Password synch
trigger systems
Native password
change
ManageMobile UI
AD, Unix, z/OS,
LDAP, iSeries
Validate pw
Replication
System of
record
Tickets
Notifications
and invitations
Data c
enter A
Data c
enter B
Remote
data
cente
r
TCP/IP + AES
Various protocols
Secure native protocol
HTTPS
© 2020 Hitachi ID Systems, Inc. All rights reserved. 14
Slide Presentation
7.3 Key architectural features
“Cloud”
SaaS apps
Data c
enter A
Data c
enter B
Remote
data
cente
r
TCP/IP + AES
Various protocols
Secure native protocol
HTTPS
Reach across firewalls
Load balanced
On premises and SaaS
BYOD enabled
Replicated across data centers
Horizontal scaling
© 2020 Hitachi ID Systems, Inc. All rights reserved. 15
Slide Presentation
7.4 IAMaaS architectural overview
Firewall
Private Corporate
Network
Internet
Firewall Firewall
IAM App Server IAM Proxy
IAM Database
Mobile Proxy
Firewall
SaaS App
HR DB
AD
On-Prem. App
On-Prem. App
SaaS App
IAM App Server
IAM Database
Mobile Proxy
VLAN /
Location 1
VLAN /
Location 2
IaaS Provider
Network
7.5 Internal architecture
• Multi-master, active-active out of the box.• Built-in data replication between app nodes:
– Fault tolerant.– Secure - encrypted.– Reliable - queue and retry.– App nodes need and should not be co-located.
• Native, 64-bit code:
– 2x faster than .NET.– 10x faster than Java.
• Stored procedures:
– For all data lookups, inserts.– Fast, efficient.– Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512
© 2020 Hitachi ID Systems, Inc. All rights reserved. 16
Slide Presentation
7.6 BYOD access to on-premises IAM system
The challenge Hitachi ID Mobile Access
• Users want access on their phones.• Phone on the Internet, IAM on-prem.• Don’t want attackers probing IAM from
Internet.
• Install + activate iOS, Android app.• Proxy service on DMZ or cloud.• IAM, phone both call the proxy - no
firewall changes.• IAM not visible on Internet.
Outbound connections only
DMZ Private corporate
network
Personal
device
FirewallFirewall
Internet
(3)
Message passing system
(1)
Worker thread:
“Give me an HTTP
request”
(2)
HTTPS request:
“Includes userID,
deviceID”
IAM server
Cloud
proxy
© 2020 Hitachi ID Systems, Inc. All rights reserved. 17
Slide Presentation
7.7 Included connectors
Directories: Databases: Server OS – X86/IA64: Server OS – Unix: Server OS – Mainframe:
Active Directory and AzureAD; any LDAP; NIS/NIS+ andeDirectory.
Oracle; SAP ASE and HANA;SQL Server; DB2/UDB;Hyperion; Caché; MySQL;OLAP and ODBC.
Windows: NT thru 2016; Linuxand *BSD.
Solaris, AIX and HP-UX. RAC/F, ACF/2 and TopSecret.
Server OS – Midrange: ERP, CRM and other apps: Messaging & collaboration: Smart cards and 2FA: Access managers / SSO:
iSeries (OS400); OpenVMSand HPE/Tandem NonStop.
Oracle EBS; SAP ECC andR/3; JD Edwards; PeopleSoft;Salesforce.com; Concur;Business Objects and Epic.
Microsoft Exchange, Lync andOffice 365; LotusNotes/Domino; Google Apps;Cisco WebEx, Call Managerand Unity.
Any RADIUS service or SAMLIdP; Duo Security; RSASecurID; SafeWord; Vasco;ActivIdentity andSchlumberger.
CA SiteMinder; IBM SecurityAccess Manager; Oracle AM;RSA Access Manager andImprivata OneSign.
Help desk / ITSM: PC filesystem encryption: Server health monitoring: HR / HCM: Extensible / scriptable:
ServiceNow; BMC Remedy,RemedyForce and Footprints;JIRA; HPE Service Manager;CA Service Desk; AxiosAssyst; Ivanti HEAT;Symantec Altiris; Track-It!; MSSCS Manager and Cherwell.
Microsoft BitLocker; McAfee;Symantec EndpointEncryption and PGP;CheckPoint and SophosSafeGuard.
HP iLO, Dell DRAC and IBMRSA.
WorkDay; PeopleSoft HR;SAP HCM andSuccessFactors.
CSV files; SCIM; SSH;Telnet/TN3270/TN5250;HTTP(S); SQL; LDAP;PowerShell and Python.
Hypervisors and IaaS: Mobile management: Network devices: Filesystems and content: SIEM:
AWS; vSphere and ESXi. BlackBerry Enterprise Serverand MobileIron.
Cisco IOS PIX and ASA;Juniper JunOS andScreenOS; F5 BigIP; HPProcurve; Brocade Fabric OSand CheckPointSecurePlatform.
Windows/CIFS/DFS;SharePoint; Samba; HitachiContent Platform and HCPAnywhere; Box.com andTwitter.
Splunk; ArcSight; RSAEnvision and QRadar. AnySIEM supporting SYSLOG orWindows events.
Management & inventory:
Qualys; McAfee ePO andMVM; Cisco ACS;ServiceNow ITAM; HPUCMDB; Hitachi HiTrack.
7.8 Integration with custom apps
• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications usingflexible agents .
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).– Telnet / TN3270 / TN5250 / sessions with TLS or SSL.– SSH sessions.– HTTP(S) administrative interfaces.– Web services.– Win32 and Unix command-line administration programs.– SQL scripts.– Custom LDAP attributes.
• Integration takes a few hours to a few days.• Fixed cost service available from Hitachi ID.
8 Implementation
© 2020 Hitachi ID Systems, Inc. All rights reserved. 18
Slide Presentation
8.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
– Needs analysis and solution design.– Fixed price system deployment.– Project planning.– Roll-out management, including maximizing user adoption.– Ongoing system monitoring.– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.• The Hitachi ID professional services team is highly technical and have years of experience deploying
IAM solutions.• Hitachi ID partners with integrators that also offer business process and system design services to
mutual customers.• All implementation services are fixed price:
– Solution design.– Statement of work.
8.2 ID Express
Before reference implementations:
• Every implementation starts fromscratch.
• Some code reuse, in the form oflibraries.
• Even simple business processes havecomplex boundary conditions:
– Onboarding: initial passwords,blocking rehires.
– Termination: scheduled vs.immediate, warnings, cleanup.
– Transfers: move mailboxes andhomedirs, trigger recertification.
• Complex processes often scripted.• Delay, cost, risk.
With Hitachi ID Identity Express:
• Start with a fully configured system.• Handles all the basic user lifecycle
processes out of the box.• Basic integrations pre-configured (HR,
AD, Exchange, Windows).• Implementation means "adjust as
required" not "build from scratch."• Configuration is fully data driven (no
scripts).• Fast, efficient, reliable.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 19
Slide Presentation
8.3 Identity Express - Workforce Edition
• Integrations:
– SQL-based HR SoR.– AD domain– Exchange domain (mailboxes)– Windows filesystem (homedirs)
• Entitlements:
– Login IDs.– Group memberships.– Roles.
• User communities:
– Employees.– Contractors/other.
• Configuration:
– Based on user classes, rules tablesand lookup tables.
– Near-zero script logic.
• Automation:
– Onboard/deactivate based on SoR.– Identity attribute propagation.
• Self-service:
– Password, security questionmanagement.
– Update to contact info.– Request for application, share, folder
access.
• Delegated admin:
– Same as self-service, plus recert.
• Approval workflows:
– IT security (global rights).– HR/managers (approve for
each-other).
• Recertification:
– Scheduled.– Ad-hoc.
8.4 Services impact of ID Express
Initial planning
(5:5)
Document old
processes
(30:4)
Design new
processes
(30:5)
Basic
integrations
(5:5)
Test, debug
adjust
(30:10)
Pilot test,
adjust
(20:15)
Test, debug,
fix
(15:15)
Test in prod,
feedback, fixes
(5:5)
Implement new
processes
(30:5)
Production
migration
(2:2)
Documentation
(5:5)
Implement new
processes
(30:5)
Production
migration
(2:2)
Advanced
integrations
(30:30)
Production
migration
(2:2)
Get feedback
(15:5)
Test, debug,
adjust
(15:5)
Reset,
adjust
(10:10)
Deploy
software
(2:2)
1
1
2 4 6 8 10 12 14 16 18
3 5 7 9 11 13 15 17 19
2 3 4 5 6 7 8 9 10 11 1213 14 15 16 17 18 19Custom
implementation283 days
9 Differentiation
© 2020 Hitachi ID Systems, Inc. All rights reserved. 20
Slide Presentation
9.1 HiIM differentiation (1/3)
Feature Details Competitors
Hitachi ID Identity Express
• Pre-configuredprocesses, policies.
• Full implementation ormenu of components.
• Rich processes.• Faster deployment.• Low implementation risk.
• Slow, risky deployment.• Never get around to J/M/L
process automation.
Requester usability
• Intercept "access denied"errors.
• Compare entitlements ofrecipient, model users.
• Usability aid forrequesters.
• Hard to find requestportal.
• Users don’t know how torequest access.
• Low user adoption.• Reduced ROI.
SoD actually works
• Hierarchy of roles,groups.
• Roles can containgroups, more roles.
• Groups can contain othergroups.
• SoD defined at one level,violation may happen atanother.
• Hitachi ID IdentityManager reliably detects,prevents violations.
• Fail to detect someviolations.
• Users can bypasscontrols.
• False sense of security.• Audit failures.• Regulatory risk.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 21
Slide Presentation
9.2 HiIM differentiation (2/3)
Feature Details Competitors
Active-active architecture
• Multiple servers.• Load balanced.• Geographically
distributed.• No single point of failure.• Scalable.
• Single points of failure.• Costly to scale.• Slow to recover from
disasters.
Smart phone access
• Android and iOS apps.• Cloud-hosted proxy.• No public URL.• Approvals, 2FA, contact
download, etc.
• Require a public URL.• Less secure / rarely
permitted.• No viable BYOD strategy.• Impacts security, approval
SLA.
Actionable analytics
• Link report output torequest input.
• Automated remediation.• Immediate or scheduled.• No coding.
• Fewer reports, analytics.• No automated
remediation.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 22
Slide Presentation
9.3 HiIM differentiation (3/3)
Feature Details Competitors
Group lifecycle management
• Included. • Absent from mostcompetitors.
Governance, provisioning inone product
• Governance: requests,approvals, certification,SoD, RBAC, analytics.
• Provisioning:connectors, J/M/Lprocess automation.
• Single, integratedsolution.
• Some focus ongovernance (noremediation, no J/M/Lprocess automation).
• Others focus onprovisioning (nocertification, limitedanalytics).
• Higher total cost.• Integration risk.
Policies built onrelationships
• Relationships drive allpolicies in Hitachi IDIdentity Manager.
• Who can a user searchfor?
• What data is visible?• What changes are
requestable?• Who will be asked to
approve?• Escalation path?
• Hierarchical accesscontrols.
• Script code forexceptions.
• Costly, risky.• Hard to configure,
maintain.
© 2020 Hitachi ID Systems, Inc. All rights reserved. 23
Slide Presentation
10 Summary
An integrated solution for managing identities and entitlements:
• Automation: onboarding, deactivation, detect out-of-band changes.• Manage identities, accounts, groups and roles.• Self-service: profile updates, access requests.• Governance: certification, authorization workflow, RBAC, SoD, analytics.• Automatically manage identities, entitlements: 120 bidirectional connectors.• Other integrations: filesystem, collaboration, SIEM, incident management.• Rapid deployment: pre-configured Hitachi ID Identity Express.
Security, lower cost, faster service.
Learn more at hitachi-id.com/identity-manager
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]
Date: 2020-03-23 | 2020-03-23 File: PRCS:pres