
Large Scale Password Management

With Hitachi ID Password Manager

© 2014 Hitachi ID Systems, Inc. All rights reserved.


As users access ever more systems and applications, they accumulate passwords and other authentication factors. Complexity that arises in managing multiple login technologies leads to IT support and security problems: high help desk call volumes, written passwords, lost or stolen OTP tokens and smart cards, etc.

Effective password management addresses these problems by helping users to manage all of their authentication factors in an integrated manner. Passwords are synchronized, so there are fewer to remember. Self-service allows users to reset their own forgotten or locked out passwords or PINs and unlock PCs with encrypted disks. A single process is used to enroll security questions, mobile phone numbers and biometric samples. The entire solution is made available from full screen or mobile phone web browsers, phone calls or PC login screens.

Contents

1 Introduction
2 Business Drivers: IT Support for Passwords and PINs
3 Technical Challenges: Hard-To-Support Passwords
3.1 Locked Out Users
3.2 Cached Credentials
3.3 Replication Delays
3.4 Forgotten Passwords for Full Disk Encryption
3.5 Mobile, Disconnected Users
3.6 Managing PKI Passwords
4 Hitachi ID Password Manager Features
4.1 Password Synchronization
4.2 Self-service Password Reset
4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks
4.4 Assisted Password Reset
4.5 Password Policy Enforcement
4.6 Password Expiration / Aging Enforcement
4.7 Preventing Password Reuse
5 Solution Architecture
6 Self-Service: Access and Authentication
6.1 Access For Locked Out Users
6.2 Authenticating Users Without Passwords
6.3 Authentication Chains
7 User Enrollment: Maximizing Adoption
8 Telephony Integration
9 Managing PKI Certificate Passwords
10 Support for Mobile, Disconnected Users
11 Overcoming Active Directory Replication Delays
12 Built-in Single Sign-on Technology
13 Return on Investment
14 Platform Support
15 Rapid Deployment


1 Introduction

This white paper describes self-service management of authentication factors in general and Hitachi ID Password Manager in particular. It shows how product features and best practices address business problems.

Hitachi ID Password Manager is a solution for managing all of a user's authentication factors. This lowers IT support cost and improves security through:

• Password synchronization: Helping users to maintain a single, strong password across multiple systems and applications.

• Single sign-on: Automatically signing users into applications.

• Password policy enforcement: Ensuring that new passwords are hard to guess, are changed frequently and that old passwords are not reused.

• Self-service password and PIN reset: Enabling users who have forgotten their password, forgotten the PIN for their hardware token or smart card, or who have triggered an intruder lockout to authenticate themselves and resolve their problem, from any location, using any device, without calling the help desk.

• Cryptographic key recovery: Allowing users who forgot the password that activates their PC at boot time to resolve their problem without speaking to a support analyst.

• Assisted password and PIN reset: Streamlining IT support calls to resolve login problems.


2 Business Drivers: IT Support for Passwords and PINs

Users who must manage multiple passwords to corporate systems and applications have usability, security and cost problems.

Users have too many passwords. Each password may expire on a different schedule, be changed with a different user interface and be subject to different rules about password composition and reuse.

Some systems are able to force users to select hard-to-guess passwords, while others are not. Some systems require that users change their passwords periodically, while others cannot enforce expiration.

Users have trouble choosing hard-to-guess passwords.

Users have trouble remembering passwords, because they have too many of them or because they chose a new password at the end of the day or week, and didn't have an opportunity to use it a few times before going home.

These problems drive users to choose trivial passwords, to avoid changing their passwords and to write down their passwords. All of these behaviors can compromise network security.

When users do comply with policy and regularly change their passwords to new, hard-to-guess values, they tend to forget their passwords and must call the help desk.

Password and login problems are the top incident type at most IT help desks, frequently accounting for 25% or more of total call volume.

In addition to the above security and support cost problems, users simply don't like memorizing and typing passwords. Password management is a nuisance that contributes to a negative perception of IT service.

Despite all these problems, passwords will continue to be needed for years to come:

1. Passwords are significantly less expensive to deploy and support than other technologies.

2. Other authentication technologies, such as biometrics, smart cards and hardware tokens, are typically used along with a password or PIN, i.e., "something you have" (smart card, token) or "something you are" (biometric) plus "something you know" (password, PIN).

3. Passwords are an important backup to other authentication technologies:

(a) Hardware devices can be lost or stolen or simply left at home.

(b) Some devices from which users need to access corporate systems, such as smart phones and home PCs, may not support more advanced authentication methods.

Since passwords are not going away and remain difficult for users to manage, solutions are needed to help users more effectively manage their passwords.


3 Technical Challenges: Hard-To-Support Passwords

Enabling synchronization and self-service reset for passwords on centralized servers is reasonably straightforward. Technical problems arise, however, with locked out users, mobile users, cached credentials and PKI.

3.1 Locked Out Users

Users often forget their initial network login password or inadvertently trigger an intruder lockout. These users should be able to get assistance, reset their network or local password, clear intruder lockouts and get back to work.

Since these users have a problem with their workstation login, they cannot access a conventional web browser or client/server application with which to resolve their problem. The problem these users face is how to get to a user interface, so that they can fix their login problem and subsequently access their own workstation desktop.

This problem is especially acute for mobile users, who use cached domain passwords to sign into their workstation and who may not be attached to the corporate network when they experience a forgotten password problem.

3.2 Cached Credentials

Windows workstations cache the user's domain credentials, derived from the primary password the user types at the login screen, which was authenticated against Active Directory. This is done for two reasons:

1. To enable users to log into their workstation while detached from the network (example: traveling laptop).

2. To automatically sign the user into resources, such as shared file and print services, without having to ask the user to retype his password.

When a user changes his password using the network client software on the workstation (e.g., the Ctrl-Alt-Del method), the network client automatically updates its cached password.

On the other hand, if a user is logged into his workstation and simultaneously his password is reset elsewhere on the network (for example by the help desk, or by the user himself on a second, concurrently logged in workstation), then the cached password on the workstation will not change; it will simply be wrong.

Similarly, if the user forgets his password and it is reset on the network while his PC is disconnected (e.g., remote), the new password will not be copied to the workstation until it is re-attached to the network.

An invalid, cached password causes several problems:

1. If the user's PC is not attached to the network when his password changes, the user will be unable to use the new password on his PC until he re-attaches to the network.


2. If the user's PC is attached to the network and the user attempts to access a network resource (file server, print queue, etc.), the workstation may send an incorrect, cached password to the network resource, which will increment the user's "number of invalid login attempts" counter. Repeated connection attempts will trigger an intruder lockout.

3.3 Replication Delays

Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This can create problems for remote users who inadvertently trigger a lockout and subsequently call a central help desk for assistance. The help desk will typically clear the user's lockout on a domain controller near the help desk. This change may take a long time (hours) to reach the domain controllers against which the user wishes to authenticate or which service network resources that the user wishes to access.

This problem is especially acute in global organizations with hundreds of domain controllers and a global IT support function.

Note that AD password change replication is described here:

http://technet.microsoft.com/en-us/library/cc772726.aspx

3.4 Forgotten Passwords for Full Disk Encryption

Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login.

If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.

3.5 Mobile, Disconnected Users

Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible:

1. Expensive: the user must physically bring (or mail) the laptop to a corporate location, so that the PC can re-authenticate to the AD domain and cache the user's newly reset password.

2. Insecure: alternately, the help desk can give the traveling user the login ID and password of an alternate account defined locally on the user's PC (not a domain account), whose security will henceforth be compromised.

3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID.


While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.

3.6 Managing PKI Passwords

Public key infrastructures typically deploy certificate files on PCs and smart cards. This enables users to access encrypted documents, send and receive encrypted e-mail and (with smart cards) perform multi-factor authentication, even while disconnected from the corporate network.

Certificate files are typically encrypted and decrypted using a user's personal password or smart card PIN. In other words, users have a "PKI password," which is not necessarily stored on any server. Rather, this password is used to unlock the user's personal certificate file.

This is true of both standards-based PKI, using X.509 certificates, and proprietary PKI, using Lotus Notes ID files.

"PKI passwords," including Lotus Notes ID file passwords, are difficult for IT organizations to support because they cannot be administratively reset:

1. The PKI certificate may exist in multiple locations: one or more PCs, network home directories, USB flash drives, smart cards, etc.

2. Some of these locations may be inaccessible to a password management server on the network.

3. The PKI certificate must be decrypted, using the current password, before it can be re-encrypted with the new password. In other words, there is no notion of an administrative password reset which does not rely on knowledge of the current password.


4 Password Manager Features

Hitachi ID Password Manager is designed to reduce the cost and improve the security of password systems:

4.1 Password Synchronization

Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.

Password synchronization is an effective mechanism for addressing password management problems on an enterprise network:

• Users with synchronized passwords tend to remember their passwords.

• Simpler password management means that users make significantly fewer password-related calls to the help desk.

• Users with just one or two passwords are much less likely to write down their passwords.

There are two ways to implement password synchronization:

• Transparent password synchronization, where native password changes that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications.

• Web-based password synchronization, where users are asked to change all of their passwords at once, using a web application, instead of continuing to use native tools to change passwords.

One of the core features of Hitachi ID Password Manager is password synchronization. Password Manager implements both transparent and web-based password synchronization.

4.2 Self-service Password Reset

Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk.

Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their workstation login prompt, using their own or another user's web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a biometric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set.


Self-service password reset expedites problem resolution for users after a problem has already occurred and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks.

One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.

4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks

Hitachi ID Password Manager includes key features to assist mobile users:

1. E-mail notification to users about upcoming password expiry, since the notice displayed at the Windows login prompt is not shown to users away from the office.

2. Support for recovering forgotten encryption keys for users whose PCs are protected with full disk encryption.

3. Support for resetting forgotten passwords or PINs from the login prompt, even if the user is away from the office and has no network connection at all.

4.4 Assisted Password Reset

Hitachi ID Password Manager includes an assisted password reset web portal, which allows IT support staff to help callers without having direct administrative access to target systems:

• Support staff sign into Password Manager with a web browser.

• Support staff can be authenticated using IDs and passwords internal to Password Manager or use pass-through authentication to an existing system.

For example, support staff may sign into Password Manager using their Active Directory ID and password, with Password Manager validating the membership of each support technician in a designated AD security group and granting appropriate Password Manager privileges based on that group membership.

• From the Password Manager web interface, support staff can search for the caller's profile by login ID or full name.

• Support staff can be required to authenticate the caller, for example by keying answers to some of the user's personal questions, which Password Manager can validate against its own back-end database or an external database, directory or web service.

Note that the same, different or overlapping security questions can be used for assisted and self-service authentication processes.

• Once both the support technician and caller have been authenticated, support staff can reset the caller's password, lock or unlock the caller's access to Password Manager or update the caller's profile. Assisted password resets may be configured to also expire the new password, requiring the user to change it on the next login.


• All transactions (IT support login, user profile lookup, successful or failed password reset and more) may trigger e-mails to the user, to the support technician or to a third party, such as a security officer. The same events can also trigger automatic creation, update or closure of tickets in an incident management system.

• Since only a single, simple web interface is used, an assisted password reset is normally completed in 1–2 minutes.

• The right of one user to reset another user's password may be global (e.g., global IT support team) or based on the requester/recipient relationship (e.g., departmental or regional IT support can only assist in-scope users). Moreover, which passwords a given user can reset can be controlled by policy.

• At no point in the process does an IT support technician require administrative access to the systems where passwords are being reset. Instead, Password Manager uses its own credentials to sign into target systems, and these are stored encrypted in an internal Password Manager database.

Assisted password reset reduces the cost of password support calls and ensures that such calls are handled in a consistent, secure fashion.
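The assisted reset flow above, as an added example that is not Hitachi ID's code: the technician's privilege comes from AD group membership (pass-through authentication), the caller is verified against salted hashes of enrolled security-question answers, the reset is allowed only for users in the technician's scope, and every step is appended to an audit trail that could equally fan out to e-mail or ticket creation. The group names (PM-Global-Helpdesk, PM-Sales-Helpdesk), the profiles and the question text are constructed for illustration; the technician never handles target-system credentials.

```python
# Added example (not Hitachi ID code): assisted password reset with technician
# authorization by AD group, caller verification by security questions, scope
# enforcement and an audit trail. All names and data below are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _normalize(answer: str) -> str:
    # Compare enrolled answers case- and whitespace-insensitively.
    return " ".join(answer.lower().split())


def _hash_answer(salt: bytes, answer: str) -> bytes:
    return hashlib.sha256(salt + _normalize(answer).encode("utf-8")).digest()


@dataclass
class Profile:
    login_id: str
    department: str
    questions: dict = field(default_factory=dict)  # question -> (salt, digest)


def enroll(login_id: str, department: str, answers: dict) -> Profile:
    """Store only salted hashes of the answers, never the answers themselves."""
    p = Profile(login_id, department)
    for question, answer in answers.items():
        salt = os.urandom(16)
        p.questions[question] = (salt, _hash_answer(salt, answer))
    return p


# Assumed mapping from AD security group to Password Manager privilege.
GROUP_PRIVILEGES = {
    "PM-Global-Helpdesk": {"scope": "global"},
    "PM-Sales-Helpdesk": {"scope": "department", "department": "sales"},
}


def technician_scope(groups):
    """Pass-through authentication: the broadest matching group wins."""
    for g, privilege in GROUP_PRIVILEGES.items():
        if g in groups:
            return privilege
    return None


def in_scope(scope, profile: Profile) -> bool:
    return scope["scope"] == "global" or profile.department == scope.get("department")


def verify_caller(profile: Profile, answers: dict, required: int = 2) -> bool:
    """The caller must answer at least `required` enrolled questions correctly."""
    correct = 0
    for question, given in answers.items():
        if question in profile.questions:
            salt, digest = profile.questions[question]
            if hmac.compare_digest(digest, _hash_answer(salt, given)):
                correct += 1
    return correct >= required


def assisted_reset(tech_id, tech_groups, profile, answers, new_password, audit, expire=True):
    """Run the flow and return a result dict. `audit` receives one event per step.
    The target-system update would be performed with Password Manager's own
    connector credentials, so the technician needs no rights on the target."""
    scope = technician_scope(tech_groups)
    audit.append(("support.login", tech_id, scope is not None))
    if scope is None:
        return {"ok": False, "reason": "technician not in a support group"}
    audit.append(("profile.lookup", tech_id, profile.login_id))
    if not in_scope(scope, profile):
        audit.append(("reset.denied", tech_id, profile.login_id))
        return {"ok": False, "reason": "user out of scope"}
    if not verify_caller(profile, answers):
        audit.append(("reset.failed", tech_id, profile.login_id))
        return {"ok": False, "reason": "caller not verified"}
    audit.append(("reset.success", tech_id, profile.login_id))
    return {"ok": True, "user": profile.login_id, "must_change_at_next_login": expire}


if __name__ == "__main__":
    alice = enroll("alice", "sales", {"first pet": "Rex", "birth city": "Calgary"})
    log = []
    print(assisted_reset("tech1", ["PM-Sales-Helpdesk"], alice,
                         {"first pet": " rex ", "birth city": "CALGARY"}, "Tmp9pass!", log))
    print(log)
```

The order of checks matters: scope is evaluated before the caller's answers are compared, so an out-of-scope technician learns nothing about whether the answers were right, and a failed verification is recorded as a distinct event from a denied one so a security officer can tell social-engineering attempts from misrouted calls.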

4.5 Password Policy Enforcement

Hitachi ID Password Manager is normally configured to enforce a uniform password policy across all systems, to ensure that any new password will be acceptable to every integrated system. This provides the most clear and understandable experience to users. Password Manager is configured such that it will never accept or attempt to propagate a password that does not meet this global password policy.

For instance, in the case of an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the (older) mainframe, Password Manager can require that passwords be exactly 8 characters long. Alternately, Password Manager can support longer passwords, but truncate them when it updates the mainframe. (Users generally prefer the preset length rule, as it is easier to understand than automatic truncation.) Note that with truncation the mainframe password is simply the first 8 characters of the longer password, so a compromise of the mainframe password discloses a prefix of the user's AD password, and a complexity rule that the full password satisfies only with characters beyond the cut-off (a digit in position 9, say) is not satisfied by the truncated value.

In general, systems enforce one of two types of password rules:

• Complexity requirements ensure that users do not select easily-guessed passwords. Example rules are: disallowing any permutation of the user's login ID, password history, requiring mixed letters and digits, forbidding dictionary words, etc.

• Representational constraints limit what can be physically stored in a password field on a given system. Usually there are just two such rules: maximum length and allowable character set.

A global password policy is normally created by combining and strengthening the best-of-breed complexity requirements from each system affected by the policy. Password Manager then combines these with the most restrictive representational constraints. This forces users to select strong, secure passwords on every system.

The alternative, of defining different password policies for every target system or for groups of target systems, is considered to be user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, etc. Users must then remember multiple passwords and will continue to experience many password problems. It has been shown that users with many passwords have a strong tendency to write down their passwords.
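The merging of per-system rules into one global policy (this section) and the web-based synchronization step of Section 4.1, as an added example rather than Hitachi ID's code. It builds the global policy from the strongest complexity rule of any system and the most restrictive representational constraints of all of them, then refuses to propagate a password that fails either the global policy or, after optional truncation, any individual system's own rules. The AD and z/OS rule values (a 127-character AD field; an 8-character mainframe field accepting letters, digits and @#$) and the login ID are assumptions for illustration.

```python
# Added example (not Hitachi ID code): build one global password policy from
# the rules of each integrated system and refuse to propagate a password that
# would fail it. The system rule values below are assumptions for illustration.
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRules:
    name: str
    max_length: int          # representational: what the password field can store
    charset: frozenset       # representational: characters the system accepts
    min_length: int = 1      # complexity rules follow
    mixed_case: bool = False
    digit_required: bool = False
    forbid_login_id: bool = False


# Assumed rules: a long-password directory and an 8-character mainframe field.
AD = SystemRules("AD", 127, frozenset(string.ascii_letters + string.digits + string.punctuation),
                 min_length=8, mixed_case=True, forbid_login_id=True)
ZOS = SystemRules("z/OS", 8, frozenset(string.ascii_letters + string.digits + "@#$"),
                  min_length=6, digit_required=True)


def merge_policy(systems, truncate=False):
    """Strongest complexity rule from any system, most restrictive representational
    constraint across all of them. In truncate mode the global length limit is the
    longest any system can hold; shorter systems receive a prefix when updated."""
    charset = systems[0].charset
    for s in systems[1:]:
        charset &= s.charset
    lengths = [s.max_length for s in systems]
    return SystemRules(
        name="global",
        max_length=max(lengths) if truncate else min(lengths),
        charset=charset,
        min_length=max(s.min_length for s in systems),
        mixed_case=any(s.mixed_case for s in systems),
        digit_required=any(s.digit_required for s in systems),
        forbid_login_id=any(s.forbid_login_id for s in systems),
    )


def check(password, login_id, rules):
    """Return the list of rules that `password` violates under `rules` (empty = OK)."""
    problems = []
    if len(password) < rules.min_length:
        problems.append(f"{rules.name}: shorter than {rules.min_length}")
    if len(password) > rules.max_length:
        problems.append(f"{rules.name}: longer than {rules.max_length}")
    unsupported = set(password) - rules.charset
    if unsupported:
        problems.append(f"{rules.name}: unsupported characters {''.join(sorted(unsupported))}")
    if rules.mixed_case and not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append(f"{rules.name}: needs upper and lower case")
    if rules.digit_required and not any(c.isdigit() for c in password):
        problems.append(f"{rules.name}: needs a digit")
    if rules.forbid_login_id:
        low, lid = password.lower(), login_id.lower()
        if lid in low or lid[::-1] in low:  # login ID forwards or reversed
            problems.append(f"{rules.name}: contains login ID")
    return problems


def propagate(password, login_id, systems, truncate=False):
    """Web-based synchronization step: validate once against the global policy,
    then compute the value each system will actually receive and re-check it
    against that system's own rules (truncation can drop the only digit).
    Nothing is sent to any system unless every value passes."""
    problems = check(password, login_id, merge_policy(systems, truncate))
    if problems:
        return {"accepted": False, "problems": problems, "updates": {}}
    updates = {}
    for s in systems:
        value = password[:s.max_length] if truncate else password
        per_system = check(value, login_id, s)
        if per_system:
            return {"accepted": False, "problems": per_system, "updates": {}}
        updates[s.name] = value
    return {"accepted": True, "problems": [], "updates": updates}


if __name__ == "__main__":
    for pw, trunc in [("Tr0ub4do", False), ("Tr0ub4dor&3", False),
                      ("Correct1Horse", True), ("Horsebat1", True)]:
        print(pw, "truncate" if trunc else "fixed", propagate(pw, "jsmith", [AD, ZOS], truncate=trunc))
```

The second pass in `propagate` is the part worth copying: a global rule can be satisfied by the full password and still be violated by the prefix a short-field system receives, which is one reason users and administrators tend to prefer the fixed-length rule described above.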

4.6 Password Expiration / Aging Enforcement

To enforce password expiration and to get users to trigger web-based password synchronization, Hitachi ID Password Manager is configured to detect upcoming password expiration on individual systems (e.g., Windows, AD, LDAP, etc.) or based on the last time a user changed his passwords using Password Manager, and to remind users to change their passwords using the Password Manager web UI.

Password expiration is normally configured so that users change their passwords with the Password Manager web portal on a shorter expiry interval than the native password expiry on any system. This way, Password Manager prompts users to change passwords before any other system does and users are never prompted to change expired passwords by other systems or applications.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.

Users can be notified of upcoming password expiration by e-mail. Alternately, a small client program can be triggered at user login time, which checks whether the user currently logging in is on the list of "soon to expire" users and, if so, opens the user's default web browser to a URL that asks the user to change his passwords.

The same small program can be used to make the password change mandatory, by opening a kiosk-mode web browser to the password change web portal and requiring the user to change passwords before they can close this browser and access their desktop.

4.7 Preventing Password Reuse

In Hitachi ID Password Manager, password history is "infinite" by default. Unless specifically allowed, users are prevented from reusing passwords at all. Where password reuse is allowed, it is based on a time interval, rather than the number of intervening password changes. Password history is stored as a one-way, non-reversible hash (SHA-1 plus a 64-bit random salt).
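The history check described above, as an added example that is not Hitachi ID's code: each entry is SHA-1 over a fresh 64-bit random salt and the password, history is infinite unless a reuse interval is given, and a matching entry blocks the change only while it is still inside that interval. The user names and dates are constructed.

```python
# Added example (not Hitachi ID code): a password history store along the lines
# the document describes (SHA-1 with a 64-bit random salt per entry), with
# history infinite by default and time-based reuse where it is allowed at all.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

T0 = datetime(2014, 1, 1, tzinfo=timezone.utc)  # constructed reference time for the demo


def days(n: int) -> timedelta:
    return timedelta(days=n)


class PasswordHistory:
    def __init__(self, reuse_after: Optional[timedelta] = None):
        # None means "infinite" history: a password can never be reused.
        self.reuse_after = reuse_after
        self._entries = {}  # user -> list of (salt, digest, set_at)

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha1(salt + password.encode("utf-8")).digest()

    def previously_used(self, user: str, password: str, now: datetime) -> bool:
        """True if `password` matches a history entry that is still inside the
        reuse window. Each entry has its own salt, so the candidate is hashed
        once per entry; the comparison is constant-time."""
        for salt, digest, set_at in self._entries.get(user, []):
            if hmac.compare_digest(digest, self._digest(salt, password)):
                if self.reuse_after is None or now - set_at < self.reuse_after:
                    return True
        return False

    def record(self, user: str, password: str, now: datetime) -> None:
        salt = os.urandom(8)  # 64-bit random salt, as the document specifies
        self._entries.setdefault(user, []).append((salt, self._digest(salt, password), now))

    def change_password(self, user: str, password: str, now: datetime) -> bool:
        """Accept and record the change unless it is a disallowed reuse."""
        if self.previously_used(user, password, now):
            return False
        self.record(user, password, now)
        return True


if __name__ == "__main__":
    h = PasswordHistory()                 # infinite history
    print(h.change_password("alice", "Tr0ub4do", T0))             # True
    print(h.change_password("alice", "Tr0ub4do", T0 + days(400)))  # False: never reusable
    h = PasswordHistory(reuse_after=days(365))
    h.change_password("bob", "Tr0ub4do", T0)
    print(h.change_password("bob", "Tr0ub4do", T0 + days(30)))    # False: inside window
    print(h.change_password("bob", "Tr0ub4do", T0 + days(366)))   # True: window elapsed
```

Two caveats a reviewer would raise against this scheme. The salt defeats precomputed tables, but SHA-1 is a fast hash, so if the history table is ever exposed each entry can be brute-forced at very high speed; a slow, iterated construction (PBKDF2, bcrypt, scrypt) would resist that, at the cost of making every history check cost one slow hash per stored entry, which with infinite history grows without bound. The example keeps the document's construction so that the policy logic, not the hash choice, is what it demonstrates.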


5 Solution Architecture

Hitachi ID Password Manager is designed for:

• Security:

Password Manager is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.

• Scalability:

Multiple Password Manager servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, distributed architecture that is very easy to set up, as replication is handled at the application layer.

• Performance:

Password Manager uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which help to minimize communication overhead between the application and database. All Password Manager code is native code, which provides a 2x to 10x performance advantage as compared to Java or .NET.

• Openness:

Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).

• Flexibility:

Both the Password Manager user interface and all functionality can be customized to meet enterprise requirements.

• Low TCO:

Password Manager is easy to set up and requires minimal ongoing administration.

Figure 1 illustrates the Password Manager network architecture:

• Users normally access Password Manager using HTTPS from a web browser.

• Multiple Password Manager servers may be load balanced using either an IP-level device (e.g., Cisco LocalDirector, F5 BIG-IP) or simply using DNS round-robin distribution.

• Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.

• Password Manager connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems.

• Local agents are provided and recommended for Unix servers and z/OS mainframes. Use of these agents improves transaction security, speed and concurrency.


Figure 1: Network architecture diagram. [Diagram not reproduced; components labelled in it: users connecting over HTTPS through a load balancer and reverse web proxy to the Hitachi ID application server(s), backed by a replicated SQL/Oracle database; password synchronization trigger systems; an IVR server; SMTP or Notes mail for e-mails; an incident management system receiving tickets; a system of record reached by web services for lookup and trigger; target systems with a local agent (OS/390, Unix, older RSA) and target systems with a remote agent (AD, SQL, SAP, Notes, etc.) updated over native protocols (AD, Unix, OS/390, LDAP, AS400) for password change and password validation; a proxy server, if needed, in a remote data center behind a firewall, reached over TCP/IP + AES; a VPN server; and cloud-hosted SaaS apps.]

• A local agent is mandatory on older RSA SecurID servers (version 7.x and later exposes a remote API).

• Where target systems are remote and communication with them is slow, insecure or both, a Password Manager proxy server may be co-located with the target system in the remote location. In this case, servers in the main Password Manager server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.

• Password Manager can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).

• Password Manager can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 189 events can trigger e-mail notification.

• Password Manager can create tickets on most common incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 189 events can trigger ticket generation. Binary integrations are available for 17 help desk applications and open integration is possible using mail, ODBC, SQL and web services.


6 Self-Service: Access and Authentication

6.1 Access For Locked Out Users

When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation:they cannot log into their computer and open a web browser but cannot open a web browser to fix theirpassword and make it possible to log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below:

Option 1: Do nothing: users continue to call the help desk.

Pros:

• Inexpensive, nothing to deploy.

Cons:

• The help desk continues to field a high password reset call volume.

• No solution for local passwords or mobile users.

Option 2: Ask a neighbor: use someone else’s web browser to access self-service password reset.

Pros:

• Inexpensive, no client software to deploy.

Cons:

• Users may be working alone or at odd hours.

• No solution for local passwords or mobile users.

• Wastes time for two users, rather than one.

• May violate a security policy in some organizations.

Option 3: Secure kiosk account (SKA): sign into any PC with a generic ID such as “help” and no password. This launches a kiosk-mode web browser directed to the password reset web page.

Pros:

• Simple, inexpensive deployment, with no client software component.

• Users can reset both local and network passwords.

Cons:

• Introduces a “generic” account on the network, which may violate policy, no matter how well it is locked down.

• One user can trigger an intruder lockout on the “help” account, denying service to other users who require a password reset.

• Does not help mobile users.


Option 4: Personalized SKA: same as the domain-wide SKA above, but the universal “help” account is replaced with one personal account per user. For example, each user’s “help” account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.

Pros:

• Eliminates the “guest” account on the domain, which does not have a password.

Cons:

• Requires creation of thousands of additional domain accounts.

• Requires ongoing creation and deletion of domain accounts.

• These new accounts are special – their passwords do not expire and would likely not meet strength rules.

Option 5: Local SKA: same as the domain-wide SKA above, but the “help” account is created on each computer, rather than on the domain.

Pros:

• Eliminates the “guest” account on the domain.

• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).

Cons:

• Requires a small footprint on each computer (the local “help” account).

Option 6: Telephone password reset: users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.

Pros:

• Simple deployment of centralized infrastructure.

• No client software impact.

• May leverage an existing IVR system.

• Helpful for remote users who need assistance connecting to the corporate VPN.

Cons:

• New physical infrastructure is usually required.

• Users generally don’t like to “talk to a machine” so adoption rates are lower than with a web portal.

• Does not help mobile users who forgot their cached domain password.

• Does not help unlock PINs on smart cards.

Option 8: Physical kiosks: deploy physical Intranet kiosks at each office location.

Pros:

• Eliminates generic or guest accounts.

• May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).

Cons:

• Costly to deploy – hardware at many locations.

• Does not help mobile users who forgot their cached domain password.

• Users may prefer to call the help desk, rather than walking over to a physical kiosk.


Option 9: GINA DLL (Windows XP): install a GINA DLL on user computers, which adds a “reset my password” button to the login screen.

Pros:

• User friendly, intuitive access to self-service.

• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).

• Works on Windows Terminal Server and Citrix Presentation Manager.

Cons:

• Requires intrusive software to be installed on every computer.

• Broken installation or out-of-order un-installation will render the computer inoperable (i.e., “brick the PC”).

Option 10: GINA Extension Service: similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.

Pros:

• User friendly, intuitive access to self-service.

• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).

• More robust, fault-tolerant installation process than the GINA DLL.

Cons:

• Requires software to be installed on every computer.

• Does not work on Citrix Presentation Server or Windows Terminal Server – only works on personal computers.

Option 11: Credential Provider: the equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.

Pros:

• User friendly, intuitive access to self-service.

• Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).

• Works on Windows Terminal Server and Citrix Presentation Manager.

• More robust infrastructure than GINA DLLs on Windows XP.

Cons:

• Deployment of intrusive software to every workstation.

No other product or vendor supports as many options for assisting users locked out of their PC login screen.

6.2 Authenticating Users Without Passwords

Users may authenticate into Hitachi ID Password Manager as follows:


• On the web portal:

– By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RACF, etc.).

– By answering security questions.

– Using a security token (e.g., SecurID pass-code).

– Using a smart card with PKI certificate.

– Using Windows-integrated authentication.

– Using a SAML assertion issued by another server.

– By typing a PIN that was sent to their mobile phone via SMS.

– Using a combination of these mechanisms.

• Using a telephone, calling an automated IVR system:

– By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver’s license number).

– By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

• Using a telephone, calling an IT support technician:

– By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

6.3 Authentication Chains

Hitachi ID Password Manager includes a mechanism for authenticating users called authentication chains. This mechanism works by defining sequences of steps that can be used to authenticate a user and defining how the authentication process proceeds from one step to the next.

Authentication chains allow Password Manager to:

1. Offer a user multiple authentication mechanisms. For example, type a password, answer security questions, use a token, etc.

2. Combine authentication mechanisms. For example, a user may be asked to type a password and answer a subset of the security questions in his profile.

3. Select an authentication mechanism based on context. For example, require a user with elevated privileges or a user attached via VPN to satisfy a more robust process than an unprivileged user connected to the corporate network.

Authentication chains allow Password Manager to implement flexible login processes. For example, mobile phones can be used as an authentication factor:


1. During enrollment, users are asked to identify their mobile phone provider and enter their mobile phone number.

2. At authentication time, a user is sent a random PIN via SMS, which he must enter correctly and within a short time window. This establishes that the user is in possession of his phone.

3. A second authentication step is to ask the user to answer a few security questions, which supports the user’s claimed identity through something he knows.
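As an added illustration (not Hitachi ID code), the following Python sketch implements an authentication chain of the kind described above: context-based chain selection, a single-use SMS PIN with a short time window, and a security-question step. All names, policy values and sample data are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

PIN_TTL_SECONDS = 300          # assumption: an SMS PIN is valid for five minutes
QUESTIONS_PER_CHALLENGE = 2    # assumption: ask a subset of the enrolled questions


@dataclass
class Profile:                 # enrolled data for one user (sample data at the bottom is constructed)
    salt: bytes
    password_hash: bytes
    answers: Dict[str, str]    # question -> normalised enrolled answer
    mobile: str                # where the SMS PIN would be sent


@dataclass
class Context:                 # attributes of the login attempt that drive chain selection
    user: str
    privileged: bool = False
    via_vpn: bool = False


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def make_profile(password: str, answers: Dict[str, str], mobile: str) -> Profile:
    salt = secrets.token_bytes(16)
    normalised = {q: a.strip().casefold() for q, a in answers.items()}
    return Profile(salt, hash_secret(password, salt), normalised, mobile)


class SmsPinStore:
    """Outstanding PINs keyed by user: (pin, expiry). One PIN per user, single use."""

    def __init__(self) -> None:
        self._pins: Dict[str, tuple] = {}

    def issue(self, user: str, profile: Profile, now: float) -> str:
        pin = f"{secrets.randbelow(1_000_000):06d}"
        self._pins[user] = (pin, now + PIN_TTL_SECONDS)
        return pin   # a real deployment would send it to profile.mobile instead of returning it

    def verify(self, user: str, pin: str, now: float) -> bool:
        entry = self._pins.pop(user, None)     # consumed on the first attempt, right or wrong
        if entry is None:
            return False
        issued, expires = entry
        return now <= expires and hmac.compare_digest(issued.encode(), pin.encode())


# Every step takes (profile, context, responses, pin store, current time) and returns a bool.
def step_password(profile, ctx, responses, pins, now) -> bool:
    given = hash_secret(responses.get("password", ""), profile.salt)
    return hmac.compare_digest(given, profile.password_hash)


def step_questions(profile, ctx, responses, pins, now) -> bool:
    """Ask a random subset of enrolled questions; every asked question must be right."""
    asked = secrets.SystemRandom().sample(sorted(profile.answers), QUESTIONS_PER_CHALLENGE)
    given = responses.get("answers", {})
    ok = True
    for q in asked:    # check every asked question rather than stopping at the first miss
        answer = given.get(q, "").strip().casefold()
        ok &= hmac.compare_digest(answer.encode(), profile.answers[q].encode())
    return ok


def step_sms_pin(profile, ctx, responses, pins, now) -> bool:
    return pins.verify(ctx.user, responses.get("sms_pin", ""), now)


STEPS = {"password": step_password, "questions": step_questions, "sms_pin": step_sms_pin}


def select_chain(ctx: Context) -> List[str]:
    """Context-based selection: privileged or VPN-attached users must prove possession of
    their phone and then knowledge of their security questions; others type a password."""
    return ["sms_pin", "questions"] if ctx.privileged or ctx.via_vpn else ["password"]


def run_chain(chain: List[str], profile: Profile, ctx: Context, responses: dict,
              pins: SmsPinStore, now: float) -> bool:
    """Steps run in order; the chain succeeds only if every step succeeds."""
    return all(STEPS[name](profile, ctx, responses, pins, now) for name in chain)


# Constructed sample data for the demo below.
SAMPLE_ANSWERS = {"City of birth": "Calgary", "First employer": "Acme Ltd", "Pet name": "Rex"}
SAMPLE_PROFILE = make_profile("correct horse battery", SAMPLE_ANSWERS, "+1-555-0100")


def demo() -> Dict[str, bool]:
    """Walk a VPN user through the SMS-then-questions chain, then try a replay and an expiry."""
    pins, now = SmsPinStore(), 1_700_000_000.0
    ctx, office = Context("alice", via_vpn=True), Context("alice")
    chain = select_chain(ctx)
    good = {"sms_pin": pins.issue(ctx.user, SAMPLE_PROFILE, now), "answers": SAMPLE_ANSWERS}
    results = {"vpn_chain_ok": run_chain(chain, SAMPLE_PROFILE, ctx, good, pins, now)}
    results["replayed_pin_rejected"] = not run_chain(chain, SAMPLE_PROFILE, ctx, good, pins, now)
    late = {"sms_pin": pins.issue(ctx.user, SAMPLE_PROFILE, now), "answers": SAMPLE_ANSWERS}
    results["expired_pin_rejected"] = not run_chain(
        chain, SAMPLE_PROFILE, ctx, late, pins, now + PIN_TTL_SECONDS + 1)
    results["office_password_ok"] = run_chain(
        select_chain(office), SAMPLE_PROFILE, office, {"password": "correct horse battery"}, pins, now)
    return results
```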


7 User Enrollment: Maximizing Adoption

In many organizations, deployment of a password management system requires a user enrollment process. Users may have to provide personal data such as answers to authentication questions (which can subsequently be used to authenticate users who forgot their passwords or triggered a lockout). Users may be asked to attach their non-standard IDs to their profiles. Users may have to provide biometric samples, likewise used for non-password authentication in the event of a future password problem. Finally, users may simply be asked to review and agree to some corporate policy, for example regarding password sharing or writing down their password.

If enrollment is required, it is helpful for the password management system to automate the process by identifying users who must be enrolled, inviting and reminding them to enroll, providing a strongly authenticated enrollment user interface, etc.

Hitachi ID Password Manager includes built-in infrastructure to securely and automatically manage the user enrollment process:

• By monitoring one or more systems of record, Password Manager automatically creates new and removes old profile IDs.

• New users and existing users with incomplete profiles are automatically invited to complete their profiles (e.g., by answering security questions).

• Invitations to enroll may be e-mailed to users.

• Users may be more forcefully reminded to enroll by having a web browser automatically open to the enrollment page when they log into the network.

• Users may be forced to enroll, by opening a kiosk-mode web browser to the enrollment page when they sign into the network, and blocking access to the Windows desktop until users complete their profile. This process is typically controlled by placing users into a “mandatory enrollment” AD group and attaching a suitable GPO to that group.

• To enroll, users must first authenticate. This is normally done by leveraging an existing strong authenticator – such as a network password or a token.

• A single, integrated enrollment system supports collecting answers to security questions, mapping different login IDs on different systems back to their owners and collecting biometric voice print samples.

The enrollment system in Password Manager includes schedule controls. For example, the maximum number of invitations to send daily can be limited, as can the frequency of invitations per user. Days of the week during which to send invitations are identified, as are holidays during which no invitations should be sent.
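As an added illustration (not Hitachi ID code), this Python sketch applies schedule controls of the kind described above to decide which users with incomplete profiles to invite on a given day; the control values, user names and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set


@dataclass
class InvitationSchedule:
    """Schedule controls for enrollment invitations (values are assumptions)."""
    max_per_day: int                 # cap on invitations sent in one day
    min_days_between: int            # per-user frequency limit, in days
    send_weekdays: Set[int]          # date.weekday(): Monday = 0 ... Sunday = 6
    holidays: Set[date] = field(default_factory=set)


def pick_invitations(today: date, incomplete: List[str], last_sent: Dict[str, date],
                     schedule: InvitationSchedule) -> List[str]:
    """Users with incomplete profiles to invite today: never-invited users first, then
    those invited longest ago, subject to the schedule controls."""
    if today.weekday() not in schedule.send_weekdays or today in schedule.holidays:
        return []                     # no invitations on non-sending days or holidays
    eligible = []
    for user in incomplete:
        last = last_sent.get(user)
        if last is not None and (today - last).days < schedule.min_days_between:
            continue                  # reminded too recently
        eligible.append(user)
    # (False, date.min) sorts never-invited users ahead of everyone else; then oldest first
    eligible.sort(key=lambda u: (u in last_sent, last_sent.get(u, date.min)))
    return eligible[: schedule.max_per_day]


# Constructed sample data: four users with incomplete profiles and their last invitations.
SAMPLE_SCHEDULE = InvitationSchedule(max_per_day=2, min_days_between=7,
                                     send_weekdays={0, 1, 2, 3, 4}, holidays={date(2014, 7, 1)})
SAMPLE_INCOMPLETE = ["alice", "bob", "carol", "dave"]
SAMPLE_LAST_SENT = {"alice": date(2014, 6, 27), "bob": date(2014, 6, 2), "carol": date(2014, 6, 20)}


def demo() -> Dict[str, List[str]]:
    """Who gets invited on a Monday, on the holiday, and on the following Saturday."""
    return {
        "mon": pick_invitations(date(2014, 6, 30), SAMPLE_INCOMPLETE, SAMPLE_LAST_SENT, SAMPLE_SCHEDULE),
        "holiday": pick_invitations(date(2014, 7, 1), SAMPLE_INCOMPLETE, SAMPLE_LAST_SENT, SAMPLE_SCHEDULE),
        "sat": pick_invitations(date(2014, 7, 5), SAMPLE_INCOMPLETE, SAMPLE_LAST_SENT, SAMPLE_SCHEDULE),
    }
```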


8 Telephony Integration

A popular option for extending password reset services to locked out users is to extend this service over a telephone, using an interactive voice response (IVR) system.

Users who forget their passwords can dial an IVR system with any telephone and initiate a password reset. Authentication using either touch-tone entry of personal secret information or using voice print verification is supported. Existing IVR systems can be extended using a Hitachi ID Password Manager remote API or Hitachi ID Telephone Password Manager – a turn-key IVR system specifically designed for password resets.

Overview:

Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager credential management solution. It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex IVR system.

Features:

Telephone Password Manager supports self-service management of authentication factors (credentials) and recovery of disk encryption keys over a telephone with:

• User identification:

Users who call Telephone Password Manager typically identify themselves by typing a personal identifier on a touch-tone telephone keypad. The identifier may be a pre-existing numerical ID, such as an employee number, or a letters-to-digits mapping of an alpha-numeric ID, such as the user’s network login ID.

• User authentication:

Once identified, users must be authenticated. Telephone Password Manager supports authentication with a hardware token (e.g., RSA SecurID), by asking the user to key in answers to numeric security questions on a touch-tone telephone keypad (e.g., driver’s license number, SSN, date of birth, etc.) or using an optional biometric voice verification module.

• Password reset:

Once authenticated, users can initiate a password reset. This may be for one or all of their passwords and the new password may either be randomly generated and read out to the user or user-specified. New passwords may be set to expire after first use.

• PIN reset:

Authenticated users can also use Telephone Password Manager to reset the PINs on their RSA SecurID tokens. A randomly-generated or a user-specified PIN may be used.

• Disk unlock:


Users with a full disk encryption program protecting their computer can use Telephone Password Manager to automate the key recovery process in the event that they forgot the password that unlocks their computer.

• Text to speech:

Telephone Password Manager is normally configured to play .WAV audio files as prompts for user input. It also includes a text to speech mechanism that makes it easier to develop new navigation menus and defer new voice recordings.

• Speech to text:

While text input into Telephone Password Manager is usually made with a touch-tone keypad, Telephone Password Manager can be configured to recognize small dictionaries of spoken words, so that users can make alphanumeric input by speaking the names of letters and digits.

• PBX integration:

Telephone Password Manager can be directly integrated into an existing PBX system, by installing the appropriate (to that PBX system) Dialogic telephony board on each Telephone Password Manager server.

• VoIP integration:

Telephone Password Manager can also be connected to a voice-over-IP network and configured to accept VoIP calls.
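The user identification feature above maps an alphanumeric login ID onto keypad digits. Because several letters share one key, two different IDs can collapse to the same digit string, and an IVR must then refuse to guess rather than pick one. The following added Python sketch (not Hitachi ID code; the keypad layout handling, sample IDs and function names are assumptions) builds such an index, identifies callers only when the match is unique, and reports the collisions so they can be caught at enrollment time.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Standard letter layout of a touch-tone keypad (ITU-T E.161).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: key for key, letters in KEYPAD.items() for ch in letters}


def to_keypad_digits(identifier: str) -> str:
    """Digits a caller would key in for an ID. Digits pass through, letters map to their
    key; characters with no key (e.g. '.', '-', '_') are dropped (an assumption here)."""
    out = []
    for ch in identifier.casefold():
        if ch in "0123456789":
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
    return "".join(out)


def build_index(login_ids: Iterable[str]) -> Dict[str, List[str]]:
    """Map each keyed-digit string to every login ID that produces it."""
    index: Dict[str, List[str]] = defaultdict(list)
    for login_id in login_ids:
        index[to_keypad_digits(login_id)].append(login_id)
    return dict(index)


def identify(index: Dict[str, List[str]], keyed: str) -> Optional[str]:
    """The single login ID matching the keyed digits, or None if unknown or ambiguous.
    An ambiguous entry must not be resolved by guessing; the caller should instead be
    asked for an unambiguous numeric identifier such as an employee number."""
    matches = index.get(keyed, [])
    return matches[0] if len(matches) == 1 else None


def ambiguous_ids(index: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keyed strings shared by more than one login ID, for an enrollment-time report."""
    return {keyed: ids for keyed, ids in index.items() if len(ids) > 1}


# Constructed sample directory: jsmith and ksmith collide because j and k share key 5.
SAMPLE_LOGIN_IDS = ["jsmith", "ksmith", "asmith", "p.jones", "e1002"]
SAMPLE_INDEX = build_index(SAMPLE_LOGIN_IDS)
```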

Benefits:

Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, remote or locked out users to resolve problems with their password, hardware token or encrypted hard disk on their own, without calling the help desk.

Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering services such as password or PIN reset.


9 Managing PKI Certificate Passwords

PKI standards generally relate to certificate format and use, not to the administration of certificates – issuance, delivery to users, installation on PCs and smart cards and revocation. Unfortunately, a major cost of PKI is exactly these processes of managing certificates.

Hitachi ID Password Manager includes a significant and mature infrastructure for managing (provision, manage passwords and other attributes, deliver to users and revoke) PKI certificates.

Of necessity, this infrastructure combines a general facility, related to business process and certificate storage, with a set of platform-specific bindings for individual PKI/certificate authority products. Currently, Hitachi ID Systems provides a platform binding for Lotus Notes ID files, which is by far the most widely deployed (though not necessarily standards-based) PKI infrastructure today:

Lotus Notes actually uses two separate passwords for each user:

• HTTPPassword hashes, stored on a Notes / Domino server.

These are a straight-forward password hash in a field in an .NSF file on the server. Password Manager can be configured to verify, change and reset these passwords directly.

• Passwords used to encrypt ID files, typically stored on user workstations. These cannot be administratively reset.

1. Password Manager includes technology to help organizations both build out and maintain a repository of every user’s ID file, along with a recoverably encrypted password for that ID file.

2. Password Manager simulates password resets on ID files by retrieving an ID file from the repository, opening it with a password from the repository, changing the password to a new value and delivering the new ID file to the user.

3. Both collection of ID files from users, to maintain the repository, and delivery of updated ID files back to users support multiple mechanisms, including file synchronization and a shared staging directory (no client software required) and a Notes Extension DLL installed on user workstations (immediate and silent delivery and collection).

Password Manager is the only product to automate not only ID file password resets, but also construction and maintenance of the ID file repository.

Hitachi ID Systems is working on bindings between the general-purpose PKI administration infrastructure in Password Manager and other PKI products, from Microsoft, Entrust, Verisign, GeoTrust and other PKI vendors. Unfortunately, none of these PKI products is currently widely deployed and customer demand for integrations is therefore limited.


10 Support for Mobile, Disconnected Users

Hitachi ID Password Manager offers a unique set of technologies, collectively referred to as “Self-Service, Anywhere.” Using these technologies, users can resolve problems with their passwords, smart cards, tokens or full disk encryption software both at the office and while mobile, from any endpoint device.

Self-Service, Anywhere automates problem resolution in a number of technically challenging and business-critical scenarios:

Mobile users warned of password expiry

Problem: Mobile users are not notified by Windows when their passwords are about to expire. Users who infrequently connect their laptop to the office network, instead checking e-mail with a solution such as Outlook Web Access, suffer regular password expiry and require frequent password resets.

Solution: Password Manager sends users e-mails warning of imminent password expiry. Users change passwords using a web browser. An ActiveX control refreshes the password on their laptop.

Business impact: Fewer login problems that cause a work interruption. Lower IT call volume and support cost.

Reset forgotten, cached password while away from the office


Problem: Laptop users sometimes change their password before leaving the office and may forget the new password when they need to use it while not attached to the corporate network. Without a technical solution, the IT help desk cannot resolve these users’ problem until they return to the office. User laptops are rendered inoperable until they return to the office.

Solution: A Password Manager client software component allows users who forgot their primary, cached Windows password and cannot sign into their PC to connect to the Internet over a WiFi hotspot or using an air-card. Users locked out of their PC login screen can also establish a temporary Internet connection using their home Internet connection or a hotel Ethernet service. Once the user’s laptop is on the Internet, Password Manager establishes a temporary VPN connection and launches a kiosk-mode (full screen, locked down) web browser. The user steps through a self-service password reset process and Password Manager uses an ActiveX component to reset the locally cached password to the same new value as was set on the network back at the office.

Business impact: Forgotten passwords are a major work disruption for mobile users, since they cannot be resolved until the user visits the office. Password Manager allows users to re-enable their laptop in minutes.

Unlock encrypted hard disk


Problem: Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user’s primary Windows password, so that the user only has to remember and type a single password at login.

If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.

Solution: Most FDE packages include a key recovery process at the PC boot prompt. This normally involves a challenge/response process between the FDE software, the user, an IT support analyst and a key recovery server. Password Manager can front-end this process using an integrated telephony option, so that users can perform key recovery 24x7, from any location, using their telephone and without talking to a human help desk technician.

Business impact: Key recovery is an essential IT support service for organizations that have deployed FDE. Password Manager lowers the IT support cost of key recovery by moving the process to a self-service model.

Smart card PIN reset

Problem: Organizations deploy smart cards to strengthen their authentication processes. Users typically sign into their PC by inserting their smart card into a reader and typing a PIN. If users forget their PIN or leave their smart card at home, they cannot sign into their PC. PIN reset is a complex support process since the new PIN has to be physically installed on the user’s smart card. This means that IT support may trigger a physical visit to the help desk.

Solution: Password Manager allows users to access a self-service web portal from anywhere, including from the locked out login screen of their laptop, even away from the office (even using WiFi, as described earlier). Once a user signs into the self-service portal, Password Manager can download an ActiveX component to the user’s web browser, to communicate with the smart card and reset the forgotten PIN. Password Manager can also be used to assign a user a temporary login password (often a very long and random one) to be used in the event that a user left his smart card at home.

Business impact: While forgotten PINs are infrequent – PINs are not usually set to expire – when they do happen, they are extremely disruptive. Assigning temporary passwords is just as important for users who left their smart card at home, which happens quite often.


11 Overcoming Active Directory Replication Delays

Please refer to Subsection 3.3 on Page 4 for an overview of the intruder lockout replication problem in Active Directory.

Hitachi ID Password Manager uniquely circumvents the problem of slow replication of cleared intruder lockouts between Active Directory domain controllers by automatically directing password resets and cleared intruder lockouts to a select set of domain controllers, which the user is most likely to access:

• DCs on the user’s home site, based on the user’s home directory UNC and the IP address of the server that hosts this UNC.

• DCs on the user’s current site, based on the user’s web browser IP address (this only applies to self-service password reset).

• DCs mapped to either of these sites by an administrator-configured rule set, for example at global or regional data centers.
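As an added illustration (not Hitachi ID code), the Python sketch below applies the three rules above to pick the domain controllers that a reset or lockout clear should be written to directly. The site/subnet table, file server addresses, host names and rule set are constructed assumptions; it also shows a nested subnet, where the longest matching prefix decides the site.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample topology: AD sites, their subnets and their domain controllers.
SITE_SUBNETS: Dict[str, List[str]] = {
    "NYC": ["10.1.0.0/16"],
    "NYC-Annex": ["10.1.50.0/24"],      # nested inside the NYC range; longest prefix wins
    "LON": ["10.2.0.0/16"],
    "SYD": ["10.3.0.0/16"],
}
SITE_DCS: Dict[str, List[str]] = {
    "NYC": ["dc1.nyc.example.local", "dc2.nyc.example.local"],
    "NYC-Annex": ["dc1.annex.example.local"],
    "LON": ["dc1.lon.example.local"],
    "SYD": ["dc1.syd.example.local"],
    "NA-DC": ["dc1.nadc.example.local"],
    "EMEA-DC": ["dc1.emea.example.local"],
}
# Constructed: addresses of the file servers hosting home directories (a deployment would resolve DNS).
FILE_SERVER_IPS: Dict[str, str] = {
    "fs01.nyc.example.local": "10.1.20.5",
    "fs02.lon.example.local": "10.2.20.5",
}
# Administrator-configured rule set: extra sites whose DCs are added for users at a given site
# (here, the regional data centre serving each office).
SITE_RULES: Dict[str, List[str]] = {
    "NYC": ["NA-DC"], "NYC-Annex": ["NA-DC"], "LON": ["EMEA-DC"], "SYD": ["EMEA-DC"],
}


def unc_server(unc: str) -> Optional[str]:
    r"""Host name from a UNC path such as \\fs01.nyc.example.local\home\alice; None otherwise."""
    if not unc.startswith("\\\\"):
        return None
    return unc[2:].split("\\", 1)[0].lower() or None


def site_for_ip(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the site subnet table."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    best, best_len = None, -1
    for site, subnets in SITE_SUBNETS.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = site, net.prefixlen
    return best


def target_dcs(home_dir_unc: str, client_ip: Optional[str] = None,
               self_service: bool = False) -> List[str]:
    """Domain controllers that a reset or lockout clear should be written to directly."""
    sites = set()
    host = unc_server(home_dir_unc)
    home_site = site_for_ip(FILE_SERVER_IPS[host]) if host in FILE_SERVER_IPS else None
    if home_site:                                  # rule 1: the user's home site
        sites.add(home_site)
    current_site = site_for_ip(client_ip) if self_service and client_ip else None
    if current_site:                               # rule 2: current site (self-service only)
        sites.add(current_site)
    for site in list(sites):                       # rule 3: administrator-configured mappings
        sites.update(SITE_RULES.get(site, []))
    dcs: List[str] = []
    for site in sorted(sites):
        dcs.extend(SITE_DCS.get(site, []))
    return dcs
```

The selected DCs still replicate the change to the rest of the domain as usual; the point is that the controllers the user is most likely to hit see the reset or cleared lockout first.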


12 Built-in Single Sign-on Technology

Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the ID and/or passwords are the same ones users type to sign into Windows on their PC.

Login Manager leverages password synchronization instead of stored passwords. This means that it does not require a wallet and that users can continue to sign into their applications from devices other than their corporate PC – such as a smart phone or tablet – for which a single sign-on client may not be available.

Login Manager does not require scripting or a credential vault, so has a much lower total cost of ownership (TCO) than alternative single sign-on tools.

Login Manager automatically fills in application login IDs and passwords on behalf of users, streamlining the application sign-on process for users.

Login Manager works as follows:

• When users sign into their workstations, Login Manager acquires their network login ID and password from the Windows login process.

• Login Manager may (optionally) acquire additional login IDs (but not passwords) from the user’s Active Directory profile.

• Login Manager monitors the Windows desktop for newly launched applications:

– It detects when the user types one of his known login IDs or his Windows password into an application dialog box, HTML form or mainframe terminal session. When this happens, the location of the matching input fields is stored in a local configuration file.

– Whenever Login Manager detects an application displaying a previously configured login screen, it automatically fills in the appropriate login ID and/or the current Windows password.

The net impact of Login Manager is that login prompts for applications with well-known IDs and passwords that authenticate to AD or are synchronized with AD are automatically filled in. This is done without:

• Interfering with user access to applications from devices not equipped with the SSO software, such as their smart phones.

• Having to deploy a secure location in which to store application credentials.

• Writing scripts.

Login Manager is installed as a simple, self-contained MSI package. It does not require a schema extension to Active Directory.

The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO techniques:


• There is no global directory or database with user credentials:

– There is no target for a would-be attacker.

– There is no single point of failure which could cause a widespread disruption to users who wish to sign into applications.

– There is no need to enroll users by having them provide their passwords.

• There are no manually written scripts:

– No manual configuration is required.

– No infrastructure is required to distribute script files to PCs.

• Continued access to applications:

– Users sometimes need to sign into applications from devices other than their work PC.

– Since passwords are synchronized and users know their own password, they can still sign in, even without the SSO software.

– In contrast, with other E-SSO products, users may not know their own application passwords. This disrupts application access using a smart phone, home PC, Internet kiosk, etc.

These advantages significantly reduce the cost and risk associated with deploying and managing Login Manager.


13 Return on Investment

Deploying Hitachi ID Password Manager saves money for three groups of people in an organization:

• Users:

Password synchronization reduces the incidence of password problems. In most organizations, over 80% of problems are eliminated. Accordingly, users waste less time making unsuccessful attempts to log into systems.

• Support staff:

Both password synchronization and self-service password resets eliminate calls to the help desk. Together, they normally reduce password-related call volume by over 90%.

Once calls reach the help desk, they are resolved much more quickly, using a single tool that integrates caller authentication, multiple password resets and creation of problem tickets. Using a web browser, support staff can resolve password calls in 1-2 minutes.

• System administrators:

Without Password Manager, most support organizations escalate some password calls to system administrators. This is done when the support organization does not have training or security clearance to reset passwords on the systems in question.

Password Manager eliminates password problem escalation.

Example savings calculation

The following example illustrates how Password Manager reduces the cost of password management:

• 10000 users experience 3000 password problems per month. Users spend 10 minutes with a password problem before calling for help.

• The help desk takes 10 minutes to resolve password problems.

• 1/6 of calls are escalated from the help desk to system administrators.

• Password Manager eliminates 80% of password problems, and reduces problem resolution time to 2 minutes.

Monthly cost     Initial                                      Password Manager                            Savings
---------------  -------------------------------------------  ------------------------------------------  -------
Users            3000 calls × 20 minutes × $40/hr = $40,000   600 calls × 12 minutes × $40/hr = $4,800   $35,200
Help desk        3000 calls × 10 minutes × $40/hr = $20,000   600 calls × 2 minutes × $40/hr = $800      $19,200
Administrators   500 calls × 5 minutes × $40/hr = $1,670      0                                          $1,670
Monthly Total    $61,670                                      $5,600                                     $56,070


To estimate the cost savings in your organization, try our on-line calculator at:

http://Hitachi-ID.com/Password-Manager/roi/


14 Platform Support

Hitachi ID Password Manager can manage passwords on most systems directly. It includes built-in support for the following systems:

• Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.

• Servers: Windows 2000–2012, Samba, NDS, SharePoint.

• Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix.

• Unix: Linux, Solaris, AIX, HPUX, 24 more variants.

• Mainframes: z/OS with RACF, ACF/2 or TopSecret.

• Midrange: iSeries (OS400), OpenVMS.

• ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, BusinessObjects.

• Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

• Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.

• WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

• Help Desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA Envision, MS SCS Manager.

• HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.

• SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic).

• Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMWare vSphere.

• Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.

Password Manager includes a number of flexible connectors, each of which is used to script integration with a common protocol or mechanism. These connectors allow organizations to quickly and inexpensively integrate Password Manager with custom and vertical market applications. The ability to quickly and inexpensively add integrations increases the value of the Password Manager system as a whole.

There are flexible connectors to script interaction with:

• API binding: C, C++; Java, J2EE; .NET; COM, ActiveX; MQ Series.

• Terminal emulation: SSH; Telnet; TN3270, TN5250; simulated browser.

• Web services: SOAP; WebRPC; pure HTTP(S).

• Back end integration: SQL injection; LDAP attributes.

• Command-line: Windows; PowerShell; Unix/Linux.


Organizations that wish to write a completely new connector to integrate with a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as either a command-line program or web service.

If an organization develops their own integrations, an effort of between four hours and four days is typical. Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.
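As an added illustration of the command-line connector option described above (this is not Hitachi ID code, and the paper does not document the real connector calling convention), the following Python skeleton shows the shape such a custom connector typically takes. It assumes a hypothetical convention: the operation and login ID arrive as arguments, the secret arrives on standard input, and the exit code reports the outcome. The target application is represented by an in-memory `FakeApplication` constructed for the example; a real connector would call the application's own API at those points.

```python
"""Skeleton of a custom command-line password connector (added example; not
Hitachi ID code, and the calling convention below is assumed, not documented
in the paper).

Assumed convention:

    connector.py set-password    <login-id>   # new password read from stdin
    connector.py verify-password <login-id>   # candidate password from stdin
    connector.py unlock          <login-id>

Exit code 0 reports success; any other code reports a failure. The secret
travels on stdin rather than argv because argv is visible to every local
user in the process table (ps, /proc) and may be recorded in shell history.
"""
import hashlib
import hmac
import logging
import os
import re
import sys

log = logging.getLogger("connector")

EXIT_OK, EXIT_BAD_ARGS, EXIT_NO_SUCH_USER, EXIT_FAILED = 0, 2, 3, 4

# Conservative allow-list for login IDs so that a malformed ID cannot carry
# control characters or separators into the target application's own commands.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


class FakeApplication:
    """In-memory stand-in for the custom application's user store
    (constructed for this example; a real connector would call the
    application's API here)."""

    def __init__(self):
        self.users = {}  # login id -> {"salt": bytes, "hash": bytes, "locked": bool}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def add_user(self, login: str, password: str, locked: bool = False) -> None:
        salt = os.urandom(16)
        self.users[login] = {"salt": salt, "hash": self._hash(password, salt), "locked": locked}

    def _record(self, login: str) -> dict:
        if login not in self.users:
            raise KeyError(login)
        return self.users[login]

    def set_password(self, login: str, password: str) -> bool:
        rec = self._record(login)
        salt = os.urandom(16)  # fresh salt for every new password
        rec["salt"], rec["hash"] = salt, self._hash(password, salt)
        return True

    def verify_password(self, login: str, password: str) -> bool:
        rec = self._record(login)
        if rec["locked"]:
            return False
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def unlock(self, login: str) -> bool:
        self._record(login)["locked"] = False
        return True


def run(argv, stdin_text: str, app) -> int:
    """Dispatch one connector invocation. argv excludes the program name;
    stdin_text is whatever the caller wrote to the connector's stdin."""
    if len(argv) != 2 or not LOGIN_RE.match(argv[1]):
        return EXIT_BAD_ARGS
    op, login = argv
    secret = stdin_text.split("\n", 1)[0].rstrip("\r")  # first line only
    try:
        if op == "set-password":
            if not secret:
                return EXIT_BAD_ARGS
            ok = app.set_password(login, secret)
        elif op == "verify-password":
            ok = app.verify_password(login, secret)
        elif op == "unlock":
            ok = app.unlock(login)
        else:
            return EXIT_BAD_ARGS
    except KeyError:
        return EXIT_NO_SUCH_USER
    # Audit the outcome; the secret itself is never written to the log.
    log.info("op=%s login=%s result=%s", op, login, "ok" if ok else "failed")
    return EXIT_OK if ok else EXIT_FAILED


def main() -> int:
    logging.basicConfig(level=logging.INFO)
    app = FakeApplication()
    app.add_user("demo.user", "initial-password", locked=True)  # constructed demo account
    argv = sys.argv[1:]
    needs_secret = bool(argv) and argv[0] in ("set-password", "verify-password")
    stdin_text = sys.stdin.readline() if needs_secret else ""
    return run(argv, stdin_text, app)


if __name__ == "__main__":
    sys.exit(main())
```

Run stand-alone as `printf '%s\n' "$NEWPW" | python3 connector.py set-password demo.user` and check `$?`. The design points a reviewer would look for in any such connector are visible here: the secret is read from stdin and never echoed into logs, login IDs are validated against an allow-list before being passed to the target, and distinct exit codes let the calling system tell a missing account apart from a malformed request or a back-end failure.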


15 Rapid Deployment

Hitachi ID Systems solutions are optimized for rapid deployment – this is a core design principle across all products in the Hitachi ID Management Suite. Rapid deployment is largely a feature of (a) including as many built-in features as possible and (b) making common use cases easier to configure.

Hitachi ID Identity Manager minimizes deployment cost using a built-in request portal, a built-in approvals process and by enabling organizations to define categories of relationships, which then drive what one user can see of another, what changes one user can submit on behalf of another, who is invited to approve change requests and more.

Hitachi ID Password Manager minimizes deployment cost using built-in processes for enrollment of security questions, login IDs, mobile phone numbers and voice biometrics. This is augmented by built-in processes to control the pace of user invitations.

Hitachi ID Privileged Access Manager minimizes deployment cost using built-in processes for auto-discovery and automated classification of systems and accounts to be managed. It also includes a robust, built-in process for authorizing one-time access requests.

All Hitachi ID Systems products include a rich set of over 110 connectors, built-in reports, a robust and translation-friendly web portal, e-mail and incident management system integration, multi-node database replication and more. These are all things that Hitachi ID Systems customers need not hand-craft, reducing project time and cost.

Password Manager is designed for rapid deployment:

• No client software required, even for access to self-service password reset from the workstation login prompt.

• Automated discovery of every login ID on every target system, nightly.

• Self-service login ID reconciliation where login IDs on different systems are different and there is no pre-existing correlation data.

• A built-in identity cache that captures user profile data and eliminates the need to install or manage a database or directory before installing Password Manager.

• Built-in connectors for every common system and application, eliminating the need for customers to develop their own connectors to common, off-the-shelf target systems.

• Remote connectors mean that Password Manager can manage users and passwords on systems without requiring the installation of intrusive local software on each target system.

• Flexible connectors enable organizations to integrate Password Manager with custom applications, vertical market software, application service providers (ASPs) and service bureaus quickly – taking just 2 hours to 4 days per new target system.


www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: /pub/wp/documents/white/psynch/hipam-white-22.tex  Date: 2011-05-15