Hitachi ID Identity Manager: Detailed presentation

Hitachi ID Identity Manager: Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications. User provisioning, RBAC, SoD and access certification. http://hitachi-id.com/

Transcript of Hitachi ID Identity Manager: Detailed presentation

Page 1: Hitachi ID Identity Manager: Detailed presentation

1 Hitachi ID Identity Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

User provisioning, RBAC, SoD and access certification.

2 Agenda

• Introductions.
• Hitachi ID corporate overview.
• ID Management Suite overview.
• Identity problems and Hitachi ID Identity Manager benefits.
• The HiIM solution.
• Software demonstration.

© 2012 Hitachi ID Systems, Inc.. All rights reserved. 1


3 Hitachi ID Corporate Overview

Hitachi ID is a leading provider of identity and access management solutions.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 900 customers.
• More than 11 million licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.

4 Representative Hitachi ID Customers


5 ID Management Suite

6 Identity and Access Problems

For users:

• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.

For IT support:

• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.


7 Identity and Access Problems (continued)

For Security / risk / audit:

• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.

For Developers:

• Need temporary access (e.g., prod migration).
• Half the code in every new app is the same:
  – Identify.
  – Authenticate.
  – Authorize.
  – Audit.
  – Manage the above.
• Mistakes in this infrastructure create security holes.

8 User Provisioning

User provisioning is defined as:

• Software to create, modify and delete users on different systems.
• It must include connectors:
  – Directories.
  – Operating systems.
  – Applications.
• It also has to implement business process:
  – Data synchronization from one system to another.
  – Self-service requests.
  – Authorization workflows.
• Finally, it should enforce policy rules:
  – Login ID assignment.
  – Approvals rules.
  – Segregation of duties.
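As an added illustration of the policy-rule layer in this definition (example code, not Hitachi ID's), a small Python model of a segregation-of-duties check evaluated on a user's effective entitlements, i.e. direct grants plus those inherited through roles; all role names, entitlement names and SoD rules are constructed.

```python
# SoD check over a user's *effective* entitlements (direct grants plus those
# inherited via roles). Constructed example, not Hitachi ID code: all roles,
# entitlements and rules below are invented.

# Role -> entitlements granted by membership (constructed sample data).
ROLES = {
    "AP_CLERK": {"erp:create_vendor", "erp:enter_invoice"},
    "AP_MANAGER": {"erp:approve_payment", "erp:run_payment_batch"},
    "HELPDESK": {"ad:reset_password"},
}

# SoD rules: pairs of entitlements one person must never hold together.
SOD_RULES = [
    frozenset({"erp:create_vendor", "erp:approve_payment"}),
    frozenset({"erp:enter_invoice", "erp:run_payment_batch"}),
]


def effective_entitlements(direct, roles):
    """Direct grants plus everything inherited via role membership."""
    effective = set(direct)
    for role in roles:
        effective |= ROLES.get(role, set())
    return effective


def sod_violations(entitlements):
    """Every SoD rule whose conflicting pair is fully present."""
    return [rule for rule in SOD_RULES if rule <= entitlements]


def evaluate_request(user, add_roles=(), add_entitlements=()):
    """Return ('allow' | 'block', new_violations) for a change request.

    Only conflicts *introduced* by the request are blocked; conflicts the
    user already holds are left to periodic access certification.
    """
    before = effective_entitlements(user["entitlements"], user["roles"])
    after = effective_entitlements(user["entitlements"] | set(add_entitlements),
                                   user["roles"] | set(add_roles))
    existing = sod_violations(before)
    new = [v for v in sod_violations(after) if v not in existing]
    return ("block" if new else "allow"), new


if __name__ == "__main__":
    alice = {"roles": {"AP_CLERK"}, "entitlements": set()}
    print(evaluate_request(alice, add_roles=["AP_MANAGER"]))  # blocked: 2 rules
```

Requesting the AP_MANAGER role is blocked even though no conflicting entitlement is requested directly, because the conflict appears in the role's expansion.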


9 ID Management Suite Component Overview

Hitachi ID Identity Manager: Create, manage and delete users and entitlements. Automation, self-service and delegation.

Hitachi ID Access Certifier: Periodic review and cleanup of users and entitlements.

Hitachi ID Group Manager: Self service, resource-centric management of AD group membership.

Hitachi ID Password Manager: Synchronize, reset passwords. Manage RSA tokens, security questions, voice prints, PKI certs.

Periodically randomize and control access to sensitive passwords.

Addons:

Hitachi ID Org Manager: Periodic updates to data mapping users to their managers.

Hitachi ID Phone PW Manager: Turn-key IVR for password reset and token management.

Hitachi ID Login Manager: Auto-populate login IDs and synchronized passwords for users.


10 ID Management Suite


11 ID Management Suite in the User Lifecycle

(Table columns: Lifecycle stage; Automation; Self service / request workflow; Policy enforcement.)

Onboarding
• Automation: From HR (employees).
• Self service / request workflow: Web UI (contractors).
• Policy enforcement: Role-based setup. Standardized IDs, OU, mailstore, etc.

Management
• Automation: Identity synchronization. Automatic role changes.
• Self service / request workflow: Applications. Group membership. Profile updates.
• Policy enforcement: SoD enforcement. Authorize changes. ID mapping.

Support
• Self service / request workflow: Password reset. Resolve access denied errors.
• Policy enforcement: Password strength. Password expiry.

Deactivation
• Automation: Auto-termination.
• Self service / request workflow: Access certification. Scheduled terminations.
• Policy enforcement: Archive mailboxes, home dirs, etc.


12 HiIM Features

Automation:
• Provision joiners, deactivate leavers.
• Multiple HR feeds.

Requests portal:
• Self-service profile updates.
• Delegated security change requests.

Security controls:
• Access certification.
• RBAC and SoD.
• Reports on current entitlements, history.

Workflow process:
• Authorizers.
• Implementers.
• Certifiers.

Integrations:
• 110+ connectors, included.
• Incident management, SIEM, e-mail interfaces.
• Manage building access, physical assets.

Identity synchronization:
• Consistent data among apps.


13 Closed Loop IAM

[Diagram: closed-loop data flow within the Hitachi ID Management Suite.] Integrated systems of record feed auto-discovery (list people), auto-provisioning and identity synchronization into the identity cache. Connectors list accounts on integrated target systems and create, delete and update accounts there; detected changes flow back as updates. Manual requests from requesters (requests web UI) and automatic requests enter a request queue handled by the workflow manager, which validates requests, routes them for approval, invites authorizers (approve, reject, delegate via the approvals web UI), sends reminders, escalates and delegates. Certifiers review, certify and correct through the certification web UI. Approved changes go to the transaction manager for auto-fulfillment on integrated systems, or to a work queue where implementers (accept, confirm via the implementer web UI) fulfil them manually on non-integrated systems.


14 Competitive Differentiation

Consistency:
• Manage all identities and entitlements.
• On-premise and SaaS.
• Accounts, entitlements and resources.
• 110+ connectors included.

Full featured:
• Administration and governance in a single product.
• Triggers: automation and request portal.
• Controls: policy, authorization workflow, certification.

Scalability:
• Multi-master architecture.
• Load balanced, replicated.
• Deploy across data centers.
• Multi-lingual.

Usability:
• Business-friendly request process using roles, PDRs.
• Simple e-mail/web authorization.
• Windows shell extension.
• Fulfillment by both connectors and humans.

15 The Hitachi ID Solution is Flexible

Customize: Every aspect of the user interface.

Integrate with: 110+ target system types, call tracking systems, HR systems, authentication hardware, meta directories.

Enforce: Password policy, authentication rules, change authorization rules, user naming standards.


16 Scalability and Fault-Tolerance

• Multiple Hitachi ID Identity Manager servers can be configured for load balancing.
• Data is automatically replicated between servers in real time.
• Built-in high performance identity cache accelerates system response.
• A service monitors the health of each server and may restart it or take it out of circulation.
• A proxy server compensates for slow or insecure connectivity to remote target systems.
• There are production customers with up to 300,000 users on just two servers.
• Replication has been scaled to 20 servers.

17 Included Connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.

Servers: Windows NT, 2000, 2003, 2008, Samba, Novell, SharePoint.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC.

Unix: Linux, Solaris, AIX, HPUX, 24 more.

Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.

HDD Encryption: McAfee, CheckPoint.

ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.

Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.

WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

Help Desk: BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!

Cloud/SaaS: WebEx, Google Apps, Salesforce.com, SOAP (generic).


18 Simple Integration with Custom Apps

• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

19 Multi-Master Architecture

[Diagram: multi-master deployment.] Users reach load-balanced Hitachi ID application servers over HTTPS, from outside the firewall via a reverse web proxy or VPN server. Each application server has its own SQL database (SQL Server or Oracle), replicated between servers. Target systems with a remote agent (AD, SQL, SAP, Notes, etc.) are managed over their various native protocols; target systems with a local agent (OS/390, Unix, older RSA) over a secure native protocol; target systems in a remote data center through a proxy server (if needed) over TCP/IP + AES across the firewall. Further integrations shown: SMTP or Notes mail for e-mails, an incident management system for tickets, the system of record for lookup and trigger, an IVR server that validates passwords, cloud-hosted SaaS apps via web services, and password synchronization trigger systems (AD, Unix, OS/390, LDAP, AS400) that forward native password changes.


20 Server Internal Architecture

[Diagram: internal components of a Hitachi ID server.] End users reach the user interface through a web browser over HTTPS to IIS or Apache; an admin/config interface sits alongside. The business logic consists of core services (IDWFM Workflow Manager, IDTM Transaction Manager, PSUPDATE Auto-Discovery, IDTRACK Automation Engine, IDDB Database Manager), extended through exits and plugins, with integrations through connectors. The IDM database (Oracle or MSSQL) holds the identity cache, requests, configuration and history, uses stored procedures, and is kept consistent across servers by real-time encrypted replication. Connectors list, inspect, create, delete and modify users and groups on target systems over the native API or protocol, directly or through a local agent; a Hitachi ID proxy server at a remote site relays these operations to remote target systems over the Hitachi ID encrypted protocol (secure RPC).

21 Rapid Deployment and Low TCO

Optimized to minimize effort:

• User provisioning with HiIM:
  – Initial deployment: 6 – 9 months.
  – Ongoing maintenance: 0.5 – 1.0 FTE.

Using Hitachi ID Identity Manager technology:

• Built-in nightly auto-discovery of IDs, entitlements.
• Both attribute-based and self-service ID mapping.
• Request, approvals screens and processes are built-in.
• Implementer infrastructure for non-integrated apps is built-in.
• Powerful authorization workflow is built-in.
• Deployment does not depend on role engineering.
• 110 connectors out of the box.
• Rapid integration with custom, vertical apps.
• Easy customization of GUI, business logic.


22 Competitive Advantages

Unique features:
• Self-service password/PIN reset from anywhere.
• Workflow to refresh OrgChart data.
• Request for resources mapped to AD groups.
• Detect/block effective SoD violations.

Rapid deployment:
• Key features built-in, not custom:
  – Change request forms.
  – Authorization process.
  – Access certification UI.
  – Auto-discovery.
• Self-service ID mapping.
• Unique approach to workflow.

Scalable platform:
• Real-time data replication.
• Multi-master architecture.
• Proxy server to cross firewalls.
• Stored procedures, native code for speed.

Integrations:
• 110+ included connectors.
• Flexible connectors.
• Built-in implementers workflow.
• Integrated with incident management, SIEM, etc.

23 Hitachi ID Professional Services

• Hitachi ID offers a variety of services relating to Hitachi ID Identity Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.


24 Hitachi ID Solution Delivery Approach

Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.

Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1–3 months. Work is reviewed and payment is due when milestones are met.

Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.

Templates: Template documents and sample business logic are used to expedite work.

Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.

25 AdMax: Maximizing User Adoption

• Successful implementation of an identity and access management system must be supported by an effective user adoption program.
• AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects.
• AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions, using:
  – Best practices, case studies and industry norms.
  – Enrollment, user adoption and ROI measurement.
  – Incentive and disincentive programs.
  – Presentations and training materials for users and HD staff.
  – Project roles and responsibilities.
  – Sample project plans, promotional materials, e-mails, graphics and other user communications.
  – Workbooks for project implementation.


26 Summary

Hitachi ID Identity Manager enables automated, self-service and policy-driven management of identities and entitlements:

• Automation: onboarding, deactivation, identity synchronization.
• Self-service: profile updates.
• Delegated administration: access requests, approvals workflow.
• Policy engines: RBAC, SoD, standard setup for new users.
• Reports: who-has-what, change history.
• Integrations: 110 connectors built-in.
• Rapid deployment: built-in screens, processes, features minimize custom coding.

More secure infrastructure, lower IT management costs and faster user service.

Learn more at Hitachi-ID.com/Identity-Manager

27 Getting an IAM Project Started

• Build a business case.
• Get management sponsorship and a budget.
• Discovery phase, capture detailed requirements.
• Assemble a project team:
  – security
  – system administration
  – user support
  – etc.
• Try before you buy: Demos, POCs, pilots.
• Install the software, roll to production.
• Enroll users, if/as required.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: PRCS:pres. Date: March 1, 2012