Post on 24-Mar-2018
transcript
1 Hitachi ID Collaboration
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Introduction to Hitachi ID solutions, existing integrations and roadmap.
| 2014-03-10
2 Hitachi ID overview
© 2014 Hitachi ID Systems, Inc. All rights reserved.
Slide Presentation
2.1 Hitachi ID Corporate Overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1100 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.
2.2 Representative Customers
3 Customer business drivers
3.1 The User Lifecycle
At a high level, the user lifecycle is essentially the same in all organizations and across all platforms.
3.2 IAM in Silos
In most organizations, many processes affect many applications. This many-to-many relationship creates complexity:
3.3 Identity and Access Problems
For users:
• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.
For IT support:
• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.
3.4 Identity and Access Problems (continued)
For Security / risk / audit:
• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.
For Developers:
• Need temporary access (e.g., prod migration).
• Half the code in every new app is the same:
– Identify.
– Authenticate.
– Authorize.
– Audit.
– Manage the above.
• Mistakes in this infrastructure create security holes.
3.5 Business Drivers for IAM
Security / controls:
• Reliable deactivation.
• Strong authentication.
• Appropriate security entitlements.
Regulatory compliance:
• PCI-DSS, SOX, HIPAA, EU Privacy Directive, etc.
• Audit user access rights.
IT support costs:
• Help desk call volume.
• Time/effort to manage access rights.
Service / SLA:
• Faster onboarding.
• Simpler request / approvals process.
3.6 IAM is Linked to Regulations
• Many regulations, in many jurisdictions, call for internal controls:
– This implies effective AAA: Authentication, Authorization and Audit.
• Every system already has AAA.
– The weakness is bad user/access data.
• The missing link is business process:
– Appropriate access rights.
– Timely access termination.
– Effective authentication.
• Identity and access management process and technology are needed to bridge the gap between business requirements and AAA infrastructure.
4 Hitachi ID value proposition
4.1 Integrated IAM Processes
[Diagram: the Identity Management System sits between business processes (Hire, Transfer, Fire, Resign, Start Contract, Finish Contract, Retire) and IT processes (New Application, Retire Application, Password Expiry, Password Reset). It manages users, passwords, groups and attributes across systems and applications: operating system, directory, application, database, e-mail system, ERP, legacy app, mainframe.]
4.2 IDM Suite
4.3 HiIM Features
Automation:
• Provision joiners, deactivate leavers.
• Multiple HR feeds.
Requests portal:
• Self-service profile updates.
• Delegated security change requests.
Security controls:
• Access certification.
• RBAC and SoD.
• Reports on current entitlements, history.
Workflow process:
• Authorizers.
• Implementers.
• Certifiers.
Integrations:
• 110+ bidirectional connectors, included.
• Incident management, SIEM, e-mail interfaces.
• Manage building access, physical assets.
Identity synchronization:
• Consistent data among apps.
4.4 HiPM Features
Password synch:
• Reduce the number of passwords per user.
Self service:
• Password reset.
• Clear lockout.
• Smart card PIN reset.
• Token PIN reset.
• HDD key recovery.
Access from:
• PC browser or login screen.
• At the office or remote.
• Smart phone or voice call.
Assisted service:
• Password, token PIN, intruder lockout.
Policy enforcement:
• Password complexity, expiry, history.
• Non-password authentication.
Managed enrollment:
• Security questions.
• Login IDs.
• Mobile phone numbers.
4.5 HiPAM Features
Auto-discovery:
• Find systems, accounts.
• Attach policy.
Random passwords:
• Default is daily.
Secure storage:
• Replicated (with fault tolerance/queue).
• Encrypted.
• Geographically distributed.
Access controls:
• Policy: who can sign into which account?
Workflow controls:
• One time request/approval/login.
Single sign-on:
• Launch SSH, RDP, vSphere, SQL, etc.
• Alternately: display password, temporary group membership, temporary SSH trust/SUDO rights.
Application passwords:
• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API to eliminate embedded passwords.
Logging:
• Requests, approvals, logins to privileged accounts.
Session monitoring:
• Screen, keyboard, webcam, process ID, window title, etc.
4.6 Competitive Advantages
Unique features:
• "Provisioning" and "governance" in one product.
• Access, authorization built around relationships.
• Self-service from any device, any location.
• Users can request resources, not groups.
• SoD engine detects "effective" violations.
Rapid deployment:
• Key features built-in, not custom:
– Request forms.
– Authorization workflow.
– Access certification.
– Auto-discovery.
– Reports.
• A product, not a development environment.
Scalable platform:
• Real-time data replication.
• Multi-master architecture.
• Proxy server to cross firewalls.
• Stored procedures, native code for speed.
Integrations:
• 110+ included connectors.
• Flexible connectors.
• Built-in implementers workflow.
• Incident management, SIEM, etc.
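The "effective" SoD violations mentioned above are the ones a direct-membership check misses: a user holds no toxic pair directly but inherits one through nested groups or role expansion. The following is an added example in Python, not Hitachi ID code; the users, group nesting and the single SoD rule are constructed here, and an in-memory dict stands in for the directory that a real engine would query.

```python
"""Detect "effective" separation-of-duties (SoD) violations.

A naive check looks only at a user's direct group memberships. Groups can be
members of other groups, so the entitlements a user actually holds are the
transitive closure of that graph. This walks the closure first, then applies
the SoD rules, and compares the result with the naive check.
Constructed sample data; not Hitachi ID data.
"""
from collections import deque

# Constructed sample: group -> set of groups it is itself a member of.
GROUP_PARENTS = {
    "AP-Clerks": {"Finance-Users"},
    "AP-Approvers": {"Finance-Users"},
    "Finance-Users": set(),
    "Treasury-Ops": {"AP-Approvers"},   # nesting: Treasury-Ops inherits AP-Approvers
}

# Constructed sample: user -> direct group memberships.
DIRECT_MEMBERSHIPS = {
    "alice": {"AP-Clerks"},
    "bob": {"AP-Clerks", "Treasury-Ops"},   # no direct AP-Approvers, but effective
    "carol": {"AP-Approvers"},
}

# Constructed SoD rule: entitlement pairs that must never be held together
# (creating invoices and approving payments).
SOD_RULES = [
    ("AP-Clerks", "AP-Approvers"),
]


def effective_groups(user, direct=DIRECT_MEMBERSHIPS, parents=GROUP_PARENTS):
    """Return the transitive closure of a user's groups (direct plus inherited)."""
    seen = set()
    queue = deque(direct.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:           # guards against cycles in the nesting graph
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def sod_violations(user, rules=SOD_RULES):
    """Rule pairs violated when checked against the user's effective groups."""
    groups = effective_groups(user)
    return [(a, b) for a, b in rules if a in groups and b in groups]


def direct_only_violations(user, rules=SOD_RULES, direct=DIRECT_MEMBERSHIPS):
    """The naive check against direct memberships only, for comparison."""
    groups = direct.get(user, set())
    return [(a, b) for a, b in rules if a in groups and b in groups]


def report(users=DIRECT_MEMBERSHIPS):
    """Map each user to (direct-only violations, effective violations)."""
    return {u: (direct_only_violations(u), sod_violations(u)) for u in users}


if __name__ == "__main__":
    for user, (direct_v, effective_v) in report().items():
        print(f"{user}: direct={direct_v} effective={effective_v}")
```

On the constructed data, bob passes the direct-only check and fails the effective one, which is exactly the gap a certification campaign based on raw group lists would leave open.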
5 Technology
5.1 Included Connectors
Many integrations to target systems included in the base price:
Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008, 2008R2, 2012, Samba, Novell, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC, Oracle Hyperion EPM Shared Services, Cache.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, GroupWise, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic).
5.2 Rapid Integration with Custom Apps
• IDM Suite easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
5.3 Multi-Master Architecture
[Architecture diagram. Components labelled in the figure: Hitachi ID application server(s) behind a load balancer, replicated between a local network and a remote data center over TCP/IP + AES; user access over HTTPS through a reverse web proxy, an IVR server or a VPN server; a system of record (SQL/Oracle) with lookup and trigger; e-mails over SMTP or Notes Mail; tickets to an incident management system over web services; SQL DB; password synch trigger systems; native password change and password validation against AD, Unix, OS/390, LDAP, AS400; target systems reached over various protocols or the secure native protocol; cloud-hosted SaaS apps; a proxy server (if needed) across firewalls.
Target systems with local agent: OS/390, Unix, older RSA.
Target systems with remote agent: AD, SQL, SAP, Notes, etc.]
5.4 Corporate reference build: details
• Integrations:
– SQL-based HR SoR.
– AD domain.
– Exchange domain (mailboxes).
– Windows filesystem (home dirs).
• Entitlements:
– Login IDs.
– Group memberships.
– Roles.
• User communities:
– Employees.
– Contractors/other.
• Configuration:
– Based on user classes, rules tables and lookup tables.
– Near-zero script logic.
• Automation:
– Onboard/deactivate based on SoR.
– Identity attribute propagation.
• Self-service:
– Password, security question management.
– Update to contact info.
– Request for application, share, folder access.
• Delegated admin:
– Same as self-service, plus recert.
• Approval workflows:
– IT security (global rights).
– HR/managers (approve for each other).
• Recertification:
– Scheduled.
– Ad-hoc.
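The automation items in this reference build (onboard/deactivate based on the SoR, identity attribute propagation) plus the orphan-account problem from section 3.4 all reduce to one reconciliation pass: treat the HR feed as authoritative and diff it against the directory. The following is an added example in Python, not Hitachi ID code; the HR CSV, the directory snapshot and the HR-to-directory attribute mapping are constructed in-line, where a real build would read from the HR database and Active Directory.

```python
"""Joiner/leaver reconciliation between an HR system of record (SoR) and a
directory snapshot.

With the HR feed as the authority, compute:
  create     - active HR records with no directory account (joiners)
  deactivate - non-active HR records whose account is still enabled (leavers)
  orphan     - directory accounts with no HR record at all
  update     - attribute drift to propagate from HR to the directory
Constructed sample data; this does not talk to a real HR system or AD.
"""
import csv
import io

# Constructed HR feed, in the CSV shape an HR system might export.
HR_FEED = """employee_id,login,status,department,manager_id
1001,alice,active,Finance,1000
1002,bob,terminated,Finance,1000
1003,carol,active,IT,1000
1004,dave,active,IT,1003
"""

# Constructed directory snapshot: login -> attributes.
DIRECTORY = {
    "alice": {"employee_id": "1001", "enabled": True, "department": "Finance", "manager": "1000"},
    "bob":   {"employee_id": "1002", "enabled": True, "department": "Finance", "manager": "1000"},
    "carol": {"employee_id": "1003", "enabled": True, "department": "Sales",   "manager": "1000"},
    "svc-backup": {"employee_id": "", "enabled": True, "department": "", "manager": ""},
}

# HR field -> directory attribute, for identity attribute propagation.
ATTRIBUTE_MAP = {"department": "department", "manager_id": "manager"}


def parse_hr_feed(text):
    """Parse the CSV feed into {login: record}."""
    return {row["login"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(hr, directory, attr_map=ATTRIBUTE_MAP):
    """Diff the SoR against the directory and return the actions to take."""
    actions = {"create": [], "deactivate": [], "orphan": [], "update": {}}
    for login, rec in hr.items():
        acct = directory.get(login)
        if rec["status"] != "active":
            # Leaver: only act if there is still an enabled account to disable.
            if acct is not None and acct["enabled"]:
                actions["deactivate"].append(login)
            continue
        if acct is None:
            actions["create"].append(login)          # joiner
            continue
        # Attribute propagation: HR value wins wherever the directory differs.
        drift = {dst: rec[src] for src, dst in attr_map.items() if acct.get(dst) != rec[src]}
        if drift:
            actions["update"][login] = drift
    # Anything in the directory that HR does not know about is an orphan
    # (a departed user never cleaned up, or a service account to be owned).
    for login in directory:
        if login not in hr:
            actions["orphan"].append(login)
    return actions


def run(feed=HR_FEED, directory=DIRECTORY):
    """Parse the constructed feed and reconcile it against the snapshot."""
    return reconcile(parse_hr_feed(feed), directory)


if __name__ == "__main__":
    for action, targets in run().items():
        print(f"{action}: {targets}")
```

The orphan list is deliberately not auto-disabled: a real build would route it to the "who owns ID X on system Y?" question from section 3.4 (an ownership lookup or a certification request) before touching accounts like svc-backup.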
6 HDS integrations
6.1 Existing
• Hitachi ID Privileged Access Manager can secure and mediate access to:
– HiCommand.
– HiTrack.
– Storage Navigator Modular.
• HiPAM can store captured video from administrator login sessions on HCP.
• Systems such as HCP/Anywhere authenticate users to an Active Directory domain:
– Hitachi ID Password Manager and Hitachi ID Identity Manager can help organizations manage users, entitlements and passwords on AD.
– Enrollment, deactivation, password reset, etc.
6.2 Proposed
HDS and Hitachi ID are collaborating on a number of new integrations.
• General (apply to multiple HDS products):
– Hitachi ID Password Manager to provide strong authentication for HDS product logins.
– Examples: smart card, token, SMS/PIN.
• HCP Anywhere:
– Hitachi ID Privileged Access Manager to manage encryption keys for endpoints.
– Hitachi ID Group Manager to enable one user to request access to another’s documents.
• UCP Pro:
– HiPAM to suspend/resume managed VMs.
– Improve operating efficiency of UCP Pro (fewer VMs running at a time).
– Better vSphere management than EMC can offer.
7 Collaboration
7.1 Stronger customer relationship
Engage customers in a broader, deeper conversation:
• Before: Storage.
• Now: Platform:
– Storage.
– + Cloud and mobile (HCP/Anywhere).
– + Compute and network (UCP Pro).
– + Security and access control (Hitachi ID).
• Better positioned to compete with EMC, IBM who have platform solutions and IAG.
• Improve HDS status as a trusted advisor across the data center.
7.2 Pre-sales
• Hitachi ID will help HDS reps identify opportunities:
– IAM project?
– Retiring Sun/Waveset, BMC/Control-SA, Novell?
– Audit findings around authentication, access governance, privileged accounts?
– High help desk call volume?
– Portal project (customers/partners need IDs)?
• Invite Hitachi ID sales team to help qualify and close the deal:
– HDS not expected to be IAM experts.
– The HDS AM owns the account.
– Delegate detailed work to Hitachi ID:
* Presentations.
* RFx responses.
* Demos and POCs.
7.3 Pre-sales process
• Register the lead.
• Hitachi ID overlay team drives the entirety of the sales cycle.
• Lots of material at hitachi-id.com.
7.4 Pricing, quotas, contracts
• HDS reps will be fully compensated on every deal.
• We are working on getting Hitachi ID solutions into the HDS price list with some form of quota relief.
• EULA will be between Hitachi ID and the end customer.
7.5 Post-sales process
• Customers call Hitachi ID for support, services.
• Maintenance contracts entitle customers to unlimited incidents and version upgrades.
• Hitachi ID offers services directly and increasingly through a network of integrator partners.
• Hitachi ID customer support is industry leading!
– Customers love the depth of expertise they can access with a simple phone call.
8 Discussion
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: PRCS:pres
Date: March 24, 2014