1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Administration and governance of identities, entitlements and credentials.
2 Agenda
• Corporate
• Identity and access management
• Key business drivers
• Hitachi ID Suite
• Technology
• Key competitors
• Recorded demos
• Differentiation
3 Corporate
© 2020 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
3.2 Representative customers
4 Identity and access management
4.1 IAM in silos
In most organizations, many processes affect many applications. This many-to-many relationship creates complexity:
4.2 Integrated IAM processes
Diagram (integrated IAM processes); labels recovered from the figure:
• Business processes: hire, retire, resign, finish contract, transfer, fire, start contract.
• IT processes: new application, retire application, password reset, password expiry.
• Both feed the Identity and Access Management System, which manages users, passwords, groups and attributes on the systems and applications: operating systems, directory, application, database, e-mail system, ERP, legacy app, mainframe.
4.3 Identity and access management
Identity and access management is software to automate processes to securely and efficiently manage identities, entitlements and credentials:
Processes:
• Data synchronization.
• Request portal.
• Workflows to invite human participation.
• Manual and automated fulfillment.
• Unique ID generation.
• Selection of approvers, reviewers and implementers.
Policies:
• Access reviews.
• Segregation of duties.
• Role-based access.
• Risk scores.
• Visibility, privacy.
Connectors:
• Applications.
• Databases.
• Operating systems.
• Directories.
• On-premises.
• Cloud-hosted.
5 Key business drivers
5.1 Access and credential challenges (1/2)
For users:
• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.
For IT support:
• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.
5.2 Access and credential challenges (2/2)
For Security / risk / audit:
• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.
For Developers:
• Temporary access (e.g., prod migration).
• Half the code in every new app is the same:
– Identify.
– Authenticate.
– Authorize.
– Audit.
– Manage the above.
• Mistakes in this infrastructure create security holes.
6 Hitachi ID Suite
6.1 Hitachi ID Suite
6.2 An integrated solution
PM – Hitachi ID Password Manager:
• Self-service password reset.
• Manage other credentials (tokens, cert, smart cards, Q&A, biometric enrollment, pre-boot drive unlock, etc.).
• Federated identity provider and web single sign-on.
IAM – Hitachi ID Identity Manager:
• Automated joiner/mover/leaver processes.
• Access request portal, approval workflows.
• Access certification, SoD policy, RBAC, risk scores.
• Lifecycle management of groups and memberships.
PAM – Hitachi ID Privileged Access Manager:
• Randomize, vault, retrieve passwords.
• Session single sign-on, video capture/search/playback.
• Service and embedded accounts (non-human).
All products:
• Built-in strong authentication (MFA) plus integration with existing MFA.
• Access from smart phone, pre-boot, login screen, off-site (without a public URL).
6.3 HiIM features
Automation:
• Monitor one or more systems of record (SoR).
• Generate requests to grant, revoke access.
Integrations:
• 120+ bidirectional connectors, included.
• Manage resources including mail boxes, home directories and badges.
• Incident management, SIEM, e-mail, 2FA.
• Manage building access, physical assets.
Request portal:
• Users can request for themselves or others.
• Access control model limits visibility, requestability.
Accounts and groups:
• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.
Workflow:
• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.
Policies, controls:
• RBAC, SoD.
• Risk scores, analytics.
• Approvals, recertification.
Certification:
• Initiated by the system (event, schedule).
• Stake-holders review identities, entitlements.
• Generates deprovisioning requests.
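The automation described above (monitor a system of record, generate grant/revoke requests), together with the unique ID generation from 4.3 and the orphan-account problem from 5.2, as an added Python example that is not Hitachi ID code: it reconciles a constructed HR feed against a constructed snapshot of one target system's accounts and emits joiner, mover, leaver and orphan-review requests. The field names, the login-ID rule and the request action names are assumptions.

```python
import csv
from collections import namedtuple

# Constructed sample data: an HR feed (the system of record) and a snapshot of target-system accounts.
HR_FEED = """employee_id,name,department,status
1001,Alice Ng,Finance,active
1002,Bob Ruiz,Engineering,active
1003,Carol Li,Sales,terminated
1004,Dan Oyelaran,Support,active
"""
TARGET_ACCOUNTS = {
    "1001": {"login": "ang", "department": "Finance"},
    "1002": {"login": "bruiz", "department": "Marketing"},  # HR says Engineering: mover
    "1003": {"login": "cli", "department": "Sales"},        # HR says terminated: leaver
    "9999": {"login": "svc-old", "department": "IT"},       # no HR record: orphan
}

Request = namedtuple("Request", "action employee_id detail")  # action names are assumed

def unique_login(name: str, existing: set) -> str:
    # Unique ID generation (assumed rule): first initial + surname, numeric suffix on a clash.
    first, _, last = name.lower().partition(" ")
    base = first[:1] + last.replace(" ", "")
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        candidate = f"{base}{n}"
    existing.add(candidate)
    return candidate

def reconcile(hr_csv: str, accounts: dict) -> list:
    # Compare the SoR against target accounts and emit joiner/mover/leaver requests.
    requests, seen = [], set()
    logins = {a["login"] for a in accounts.values()}
    for row in csv.DictReader(hr_csv.splitlines()):
        eid, acct = row["employee_id"], accounts.get(row["employee_id"])
        seen.add(eid)
        if row["status"] != "active":
            if acct:  # leaver: terminated identity still holds an account
                requests.append(Request("revoke", eid, acct["login"]))
        elif acct is None:  # joiner: active identity without an account
            requests.append(Request("grant", eid, unique_login(row["name"], logins)))
        elif acct["department"] != row["department"]:  # mover: attribute drifted from the SoR
            requests.append(Request("update", eid, f"department={row['department']}"))
    for eid, acct in accounts.items():
        if eid not in seen:  # orphan: account with no identity in the SoR
            requests.append(Request("review-orphan", eid, acct["login"]))
    return requests
```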
6.4 HiPM features
Password synch:
• Reduce the number of passwords per user.
Self-service:
• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted drive with forgotten pre-boot password.
Value-add:
• 2FA – built-in for all users, including via mobile app.
• Federated access – replace other apps’ login screens.
• Password vault – users can store unmanaged passwords.
Access from:
• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.
Assisted service:
• Password, token PIN, intruder lockout.
Policy enforcement:
• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.
Managed enrollment:
• Security questions.
• Login IDs.
• Mobile phone numbers.
6.5 HiPAM features
Auto-discovery:
• Find systems, accounts.
• Automatically attach policies via rules.
Passwords:
• Randomize on a schedule and after use.
• Store in an encrypted, replicated, distributed vault.
Authorization:
• Policy-driven rules.
• Pre-authorized, or request/approval workflow if not routine.
Grant access:
• Single sign-on (login once, launch many).
• Request multiple accounts, run commands across them.
• Launch SSH, RDP, vSphere, SQL, etc.
• Direct connection, VDI proxy or HTML5 proxy.
• Password display and copy buffer integration.
• Temporary group membership or SSH trust.
Application passwords:
• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API replaces embedded passwords.
Logging:
• Requests, approvals, logins to privileged accounts.
Session monitoring:
• Screen, keyboard, webcam, process ID, window title, etc.
• Keylog censorship protects passwords, SSN, CC numbers, etc.
• Request/approval workflow protects staff privacy.
7 Technology
7.1 Delivery options
On-premises:
• What/where: conventional software, or a virtual appliance; managed by customer IT, managed by Hitachi ID remotely, or managed by a partner.
• Charges: software – license, annual maintenance; virtual appliance – add OS, DB licenses; managed service – add annual fee.
Hosted / SaaS:
• What/where: dedicated instance per customer; minimum two servers, locations; proxy server on-premises; managed by Hitachi ID; regular upgrades.
• Charges: monthly per-user fee; commitment for minimum quantity, duration.
7.2 Active-active architecture
Diagram (active-active architecture); labels recovered from the figure:
• Data center A and data center B: Hitachi ID servers behind load balancers, with replication between the two sites; a remote data center holds further managed endpoints.
• “Cloud”: SaaS apps, reverse web proxy, VPN server, mobile proxy (mobile UI) and IVR server, separated from the data centers by firewalls.
• Integrations: HR system (system of record), ticketing system (tickets), notifications and invitations, MS SQL databases, managed endpoints with remote agent (AD, SQL, SAP, Notes, etc.), z/OS with local agent, proxy server (if needed).
• Password synch trigger systems (AD, Unix, z/OS, LDAP, iSeries): native password changes are validated and then managed across systems.
• Transports shown: TCP/IP + AES, various protocols, secure native protocol, HTTPS.
7.3 Key architectural features
Diagram (same architecture as 7.2), annotated with:
• Reach across firewalls.
• Load balanced.
• On premises and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.
7.4 IAMaaS architectural overview
Diagram (IAMaaS): the IAM app server, IAM database and mobile proxy run on the IaaS provider network, duplicated across VLAN / Location 1 and VLAN / Location 2; an IAM proxy inside the private corporate network, behind its firewall, reaches the HR DB, AD and on-premises apps; SaaS apps are reached over the Internet, with firewalls between each zone.
7.5 Included connectors
Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.
SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.
7.6 Integration with custom apps
• Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
8 Key competitors
8.1 Hitachi ID Competitors
Diagram: competitors grouped as Tier-1, Tier-2 and Boutique, arranged by Overlap and Technology.
9 Recorded demos
9.1 Access request (new contractor)
Animation: ../../pics/camtasia/v10/hiim-onboarding-contractor-original-resolution.mp4
9.2 Self service creation of a new Active Directory group
Animation: ../../pics/camtasia/suite11/higm-group-create.mp4
9.3 Access review by managers
Animation: ../../pics/camtasia/suite11/org-cert.mp4
9.4 Password reset with WiFi, VPN and 2FA
Animation: ../../pics/camtasia/v10/hipm-ssa-windows-10.mp4
9.5 Federated access launchpad
Animation: ../../pics/camtasia/v10.1/federated-launchpad.mp4
9.6 Request and launch PuTTY to Linux
Animation: ../../pics/camtasia/v10/hipam-linux-preauth.mp4
9.7 Request, approve and play recording
Animation: ../../pics/camtasia/suite11/hipam-view-playback-nb.mp4
10 Differentiation
10.1 IM: What others miss
• Figuring out what to request is hard!
– Intercept "access denied" errors and navigate to the appropriate request page.
– Compare user A to user B.
– Suggestions based on a statistical model.
• Implementation can be costly/risky/long:
– Rich process automation, quickly with Hitachi ID Identity Express.
– Services are a cash cow for some competitors.
• This should be just one product.
– "Provisioning," "Governance" and group management in one product.
– Others have up to 8 (Oracle). Cash grab?
• Process automation is essential.
– Some vendors (e.g., SailPoint) really only offer access cert.
– Customers spend millions without automating anything.
• BYOD for faster approval without a possibly insecure public URL.
• Connectors are important.
– In base price, easy to turn on.
– With some products, this is either complicated or costly.
10.2 PM: What others miss
• Accessible from the PC login screen?
– While off-site?
• Self-service if the user forgot their pre-boot (crypto) password?
• Is 2FA included, in the base price?
• Is federated access and SSO included?
• Can users get to it with their phones?
– Without exposing this sensitive app to the Internet?
• Does it automatically remind users to enroll?
– ROI depends on user adoption.
– Strong user engagement is mandatory.
• Can it manage every password, not just AD/Windows logins?
– Mainframe/legacy?
– SaaS like SalesForce.com, O365, Google, WebEx?
– ERP like SAP or Oracle EBS?
– Custom apps and vertical market apps?
• Can it manage other credentials, like PINs on smart cards and tokens?
10.3 PAM: What others miss
• An active-active replicated architecture.
– Zero effort and delay to "recover" from a disaster.
– Imperative in an emergency.
– All competitors have a single point of failure, warm-standby architecture.
• Should be able to launch any kind of session, grant any kind of privilege:
– Hitachi ID supports non-human accounts, SSH trust, group memberships, etc.
– Some competitors are just SSH/RDP proxies – very limited.
• Convenient, flexible logins to managed accounts:
– Login once, launch many sessions.
– Request multiple accounts at once.
– Direct connection (scales well).
– VDI proxies (flexible, commodity).
– HTML proxies (for untrusted clients/vendors, lowest cost).
– Competitors mainly rely on "jump server" approaches (no SSO, not scalable).
• Automation must scale:
– Discover systems, accounts; classify, connect and onboard.
– Most competitors are missing this.
• Some products are still delivered as appliances.
– The 1990s called and they want their hardware back...
11 Hitachi ID Suite summary
• Three integrated IAM products, licensed to over 14M users, that can:
– Discover and connect identities across systems and applications.
– Securely and efficiently manage identities, groups, entitlements and credentials.
– Secure and monitor access to privileged accounts.
– Provide strong authentication and federated sign-on.
• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.
12 Bonus: phrases to listen for
If you hear these phrases, there may be an opportunity...
• Identity (administration|management|governance)
• Access (administration|management|governance)
• Password (reset|synchronization)
• Single sign-on or SSO
• Privileged (user|account|ID|identity|password|access|session) management
• Federated (access|identity)
• (Strong|Two-factor (2FA)|Multi-factor (MFA)) authentication
hitachi-id.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]
Date: 2020-03-23 | File: PRCS:pres