Entitlement Administration and Governance: Automation, requests, approvals, recertification, SoD and RBAC.

See more at: http://hitachi-id.com/documents/

Published by hitachiid, 2017-06-28 13:06:20

Hitachi ID Identity Manager


1 Hitachi ID Identity Manager

Managing the User Lifecycle
Across On-Premises and
Cloud-Hosted Applications

Entitlement Administration and Governance:
Automation, requests, approvals, recertification, SoD and RBAC.

2 Agenda

• Introductions.
• Hitachi ID corporate overview.
• Hitachi ID Suite overview.
• Identity problems and Hitachi ID Identity Manager benefits.
• The HiIM solution.
• Software demonstration.

© 2015 Hitachi ID Systems, Inc. All rights reserved. 1

Slide Presentation

3 Hitachi ID Corporate Overview

Hitachi ID delivers access governance
and identity administration solutions
to organizations globally.
Hitachi ID solutions are used by Fortune 500
companies to secure access to systems
in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.


4 Representative Customers

5 Hitachi ID Suite


6 Identity and Access Problems

For users:
• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.

For IT support:
• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.

7 Identity and Access Problems (continued)

For Security / risk / audit:
• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.

For Developers:
• Need temporary access (e.g., prod migration).
• Half the code in every new app is the same:
– Identify.
– Authenticate.
– Authorize.
– Audit.
– Manage the above.
• Mistakes in this infrastructure create security holes.


8 Identity and access management

Identity and access management is software to automate processes to securely and efficiently manage identities, entitlements and credentials:

Processes:
• Data synchronization.
• Self-service requests.
• Authorization workflows.
• Manual and automated fulfillment.

Policies:
• Login ID assignment.
• Approvals workflow.
• Segregation of duties.
• Visibility, privacy.

Connectors:
• Applications.
• Databases.
• Operating systems.
• Directories.

9 Hitachi ID Suite Component Overview

Hitachi ID Identity Manager: Create, manage and delete users and entitlements. Automation, self-service and delegation.
Hitachi ID Access Certifier: Periodic review and cleanup of users and entitlements.
Hitachi ID Group Manager: Self service, resource-centric management of AD group membership.
Hitachi ID Password Manager: Synchronize, reset passwords.
Addons: Manage RSA tokens, security questions, voice prints, PKI certs.
Hitachi ID (product name lost in extraction): Periodically randomize and control access to sensitive passwords.
Hitachi ID Org Manager: Periodic updates to data mapping users to their managers.
Hitachi ID Phone PW Manager: Turn-key IVR for password reset and token management.
Hitachi ID Login Manager: Auto-populate login IDs and synchronized passwords for users.


10 Hitachi ID Suite


11 Hitachi ID Suite in the User Lifecycle

Columns of the original table: Lifecycle stage | Automation | Self-service / request workflow | Policy enforcement.

Onboarding
• Automation: from HR (employees).
• Self-service / request workflow: web UI (contractors).
• Policy enforcement: role-based setup; standardized IDs, OU, mail store, etc.

Management
• Automation: identity synchronization; automatic role changes.
• Self-service / request workflow: applications; group membership; profile updates.
• Policy enforcement: SoD enforcement; authorize changes; ID mapping.

Support
• Self-service / request workflow: password reset; resolve access denied errors.
• Policy enforcement: password strength; password expiry.

Deactivation
• Automation: auto-termination.
• Self-service / request workflow: access certification; scheduled terminations.
• Policy enforcement: archive mailboxes, home dirs, etc.


12 HiIM Features

Automation:
• Provision joiners, deactivate leavers.
• Multiple HR feeds.

Requests portal:
• Self-service profile updates.
• Delegated security change requests.

Security controls:
• Access certification.
• RBAC and SoD.
• Reports on current entitlements, history.

Workflow process:
• Authorizers.
• Implementers.
• Certifiers.

Integrations:
• 110+ bidirectional connectors, included.
• Incident management, SIEM, e-mail interfaces.
• Manage building access, physical assets.

Identity synchronization:
• Consistent data among apps.


13 Closed Loop IAM

[Diagram: closed-loop IAM. Integrated systems of record supply the list of people; auto discovery of integrated target systems supplies the list of accounts and detected changes, both feeding the Identity Cache inside the Hitachi ID Suite. Requests enter either manually from requesters through the Requests Web UI or automatically (auto-provisioning, identity synchronization) and land in the Request Queue, where the Workflow Manager validates requests, routes them for approval, invites authorizers, sends reminders, escalates and delegates. Authorizers approve, reject or delegate through the Approvals Web UI; certifiers review, certify and correct through the Certification Web UI. Approved requests reach the Transaction Manager: auto-fulfillment through connectors creates, deletes and updates accounts on integrated target systems, while a manual-fulfillment Work Queue sends invitations to implementers, who accept and confirm changes on non-integrated systems through the Implementer Web UI. Updates flow back into the cache, closing the loop.]
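To make the detection side of the loop concrete, the following Python is an added example, not Hitachi ID code, of the reconciliation step in which auto-discovery results are compared with the identity cache. An orphan account, an out-of-band grant or revocation, and an account that has disappeared each become a work-queue item, routed to auto-fulfillment, authorizer review or certifier review. The identity cache, ID mapping, discovery results and routing table are all constructed for illustration.

```python
"""Reconciliation step of a closed-loop IAM cycle.

Added example, not Hitachi ID code. Compares what the identity cache says
was provisioned with accounts auto-discovered on a target system and turns
every difference into a work-queue item. All names and data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str
    login: str
    entitlements: tuple  # sorted tuple of group/role names on the target


@dataclass(frozen=True)
class Finding:
    kind: str      # orphan | unexpected_account | out_of_band_grant | out_of_band_revoke | missing_account
    system: str
    login: str
    detail: tuple  # entitlements involved, if any


# Constructed identity cache: person id -> {system -> Account the IAM system provisioned}
IDENTITY_CACHE = {
    "p1001": {"AD": Account("AD", "jdoe", ("Domain Users",))},
    "p1002": {"AD": Account("AD", "asmith", ("Domain Users", "Finance"))},
    "p1003": {"AD": Account("AD", "bjones", ("Domain Users",))},
}
# Constructed ID mapping: login on the target -> person id
LOGIN_TO_PERSON = {"jdoe": "p1001", "asmith": "p1002", "bjones": "p1003"}
# Constructed auto-discovery result for the AD target
DISCOVERED = [
    Account("AD", "jdoe", ("Domain Admins", "Domain Users")),  # group added outside the IAM system
    Account("AD", "asmith", ("Domain Users", "Finance")),       # matches the cache
    Account("AD", "svc_old", ("Backup Operators",)),            # no owner in the ID mapping: orphan
    # bjones is absent: the account was deleted out of band
]


def reconcile(cache, discovered, login_to_person):
    """Return the Findings for one discovery pass over one target system."""
    findings = []
    seen = set()
    for acct in discovered:
        person = login_to_person.get(acct.login)
        if person is None:
            findings.append(Finding("orphan", acct.system, acct.login, ()))
            continue
        seen.add((person, acct.system))
        expected = cache.get(person, {}).get(acct.system)
        if expected is None:
            findings.append(Finding("unexpected_account", acct.system, acct.login, ()))
            continue
        added = tuple(sorted(set(acct.entitlements) - set(expected.entitlements)))
        removed = tuple(sorted(set(expected.entitlements) - set(acct.entitlements)))
        if added:
            findings.append(Finding("out_of_band_grant", acct.system, acct.login, added))
        if removed:
            findings.append(Finding("out_of_band_revoke", acct.system, acct.login, removed))
    # Accounts the cache expects but discovery did not return
    for person, systems in cache.items():
        for system, expected in systems.items():
            if (person, system) not in seen:
                findings.append(Finding("missing_account", system, expected.login, ()))
    return findings


# Assumed routing policy: which queue handles each kind of finding.
ROUTES = {
    "missing_account": "auto-fulfillment",      # re-create from the cache, no human needed
    "out_of_band_revoke": "auto-fulfillment",   # re-grant what was provisioned
    "out_of_band_grant": "authorizer-review",   # someone must approve or revert the grant
    "orphan": "certifier-review",               # find an owner or schedule deletion
    "unexpected_account": "certifier-review",
}


def work_queue(findings):
    """Group findings by the queue that should handle them."""
    queue = {}
    for f in findings:
        queue.setdefault(ROUTES[f.kind], []).append(f)
    return queue


if __name__ == "__main__":
    for route, items in work_queue(reconcile(IDENTITY_CACHE, DISCOVERED, LOGIN_TO_PERSON)).items():
        print(route)
        for f in items:
            print("  ", f.kind, f.system, f.login, f.detail)
```

The "Domain Admins" grant to jdoe is the interesting case: nothing in the request history explains it, so it is neither silently accepted nor silently reverted but queued for an authorizer, which is what turns discovery into a closed loop rather than a report.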


14 Technology Advantages

Unique features:
• "Administration" and "governance" in one product.
• Access, authorization built around relationships.
• Self-service from any device, any location.
• Intercept "Access Denied" errors to simplify requests.
• "One stop shopping" with implementer workflows.
• SoD engine detects effective violations.

Rapid deployment:
• Reference builds accelerate deployment.
• Key features built-in:
– Request forms.
– Authorization workflow.
– Access certification.

Integrations:
• 110+ included connectors.
• Flexible/scriptable connectors.
• Incident management/ticketing.
• SIEM.

Scalable platform:
• Real-time data replication.
• Multi-master, active-active.
• Proxy server to cross firewalls.
• Native code + stored procedures.
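The point behind "SoD engine detects effective violations" is that a conflict can be created by two assignments that are individually harmless, for example a directly assigned role plus membership in a nested group that in turn contains a conflicting role. The following Python is an added illustration, not Hitachi ID code: it expands a user's direct assignments through a grant graph to the leaf entitlements, evaluates SoD rules against that effective set, contrasts this with a check that only looks at direct assignments, and runs the same evaluation preventively against a pending request. The grant graph, rule and names are constructed.

```python
"""Segregation-of-duties check on effective (expanded) entitlements.

Added example, not Hitachi ID code. Nodes are roles, groups and leaf
entitlements; an edge means "grants". The data below is constructed.
"""
from collections import deque

# Constructed grant graph: each key grants the nodes listed. Nodes without an
# entry are leaf entitlements on a target system.
GRANTS = {
    "role:AP-Clerk": ["ent:erp/create-vendor-invoice", "ent:erp/view-ledger"],
    "role:Payment-Approver": ["ent:erp/approve-payments"],
    "group:Treasury-Staff": ["role:Payment-Approver", "ent:fileshare/treasury-read"],
    "group:Finance-All": ["group:Treasury-Staff", "ent:erp/view-ledger"],
}

# Constructed SoD rule: (entitlement A, entitlement B, description)
SOD_RULES = [
    ("ent:erp/create-vendor-invoice", "ent:erp/approve-payments",
     "invoice creation vs payment approval"),
]


def effective_entitlements(assignments):
    """Return {leaf entitlement: path} for everything reachable from the direct assignments.

    The path records how the entitlement was obtained (first path found, breadth first),
    which is what an authorizer needs in order to decide which side to remove."""
    paths = {}
    visited = set()
    queue = deque((a, (a,)) for a in assignments)
    while queue:
        node, path = queue.popleft()
        if node in visited:
            continue
        visited.add(node)
        children = GRANTS.get(node)
        if not children:          # leaf entitlement
            paths[node] = path
            continue
        for child in children:
            queue.append((child, path + (child,)))
    return paths


def sod_violations(assignments):
    """Effective check: evaluate every rule against the expanded entitlement set."""
    eff = effective_entitlements(assignments)
    return [{"rule": desc, "left": eff[a], "right": eff[b]}
            for a, b, desc in SOD_RULES if a in eff and b in eff]


def direct_violations(assignments):
    """Naive check that only inspects what is assigned directly; misses nested grants."""
    direct = set(assignments)
    return [desc for a, b, desc in SOD_RULES if a in direct and b in direct]


def check_request(current, requested):
    """Preventive check: violations that fulfilling `requested` would introduce."""
    before = {v["rule"] for v in sod_violations(current)}
    return [v for v in sod_violations(list(current) + [requested]) if v["rule"] not in before]


if __name__ == "__main__":
    user = ["role:AP-Clerk", "group:Finance-All"]
    print("direct check:", direct_violations(user))
    for v in sod_violations(user):
        print("effective violation:", v["rule"])
        print("  via", " -> ".join(v["left"]))
        print("  via", " -> ".join(v["right"]))
```

For the constructed user, the direct check reports nothing because neither "role:AP-Clerk" nor "group:Finance-All" appears in the rule; the effective check reports one violation and shows the four-step path through the nested group that produced the approval entitlement. Running check_request before fulfillment is how the same engine turns detection into prevention.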

15 The Hitachi ID Solution is Flexible

Customize:
• Every aspect of the user interface.
• Input validation.
• Attribute mapping to target systems.

Integrate with:
• 110+ target system types.
• Call tracking systems.
• HR systems.
• Authentication hardware.
• Meta directories.

Enforce:
• Password policy.
• Authentication rules.
• Change authorization rules.
• User naming standards.


16 Scalability and Fault-Tolerance

• Multiple, load-balanced Hitachi ID Identity Manager servers:
– Active/active architecture.

• Data replication between nodes:
– Built-in, easy to configure.
– WAN-friendly (high latency, low bandwidth, insecure channels).
– Reliable (multiple retry queues).

• Proxy servers resolve connection problems:
– Across firewalls.
– Over slow, insecure network routes.

• Large production deployments:
– 5M users.
– 130,000 managed systems.
– 12 load balanced IAM servers.
– 10,000 completed transactions/hour.


17 Included Connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, GroupWise, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic).


18 Rapid Integration with Custom Apps

• Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.

• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.

• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.

19 Multi-Master Architecture

[Diagram: multi-master architecture spanning two data centers. Data center A holds a reverse proxy, a load balancer, Hitachi ID servers each with its own SQL DB, a VPN server and an IVR server; replication runs between the Hitachi ID servers and to Data center B. Local target systems (AD, SQL, Unix, z/OS, etc.), systems of record (HR), the e-mail system and the incident management system integrate over native protocols, including password-change validation and native password sync, with notifications and tickets flowing back. Target systems in a remote data center integrate across a firewall through a Hitachi ID proxy server (if needed); cloud-hosted SaaS apps and target systems with web-services agents integrate over HTTPS. Legend: TCP/IP + AES, various protocols, secure native protocol, HTTPS.]


20 Server Internal Architecture

[Diagram: Hitachi ID server internal architecture.
• User interface: IIS or Apache serving the end-user and admin/config web UIs over HTTPS to the user's browser; Secure RPC from the UI into the core services.
• Core services: IDWFM Workflow Manager, IDTM Transaction Manager, PSUPDATE Auto-Discovery, IDTRACK Automation Engine and IDDB Database Manager, with business logic supplied through exits and plugins.
• Integrations: connectors that list, inspect, create, delete and modify users and groups on target systems, either directly over the native API/protocol, through the Hitachi ID Proxy Server for remote sites, or through a local agent over an encrypted protocol.
• Database: Oracle or MSSQL Server with stored procedures, holding the identity cache, requests, configuration and history; real-time encrypted replication to the other Hitachi ID servers.]

21 Rapid Deployment and Low TCO

Optimized to minimize effort:
• HiIM:
– Initial deployment: 2 – 4 months.
– Ongoing maintenance: 0.5 – 1.0 FTE.

Using Hitachi ID Identity Manager technology:
• Reference implementations – typical use cases preconfigured.
• Built-in discovery, mapping of IDs, entitlements.
• Policy driven workflow, included.
• Implementer process for small apps.
• RBAC (can be costly) is optional.
• 110 connectors out of the box (more easy to add).


23 Hitachi ID Professional Services

• Hitachi ID offers a variety of services relating to Hitachi ID Identity Manager, including:

– Needs analysis and solution design.
– Fixed price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.

• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:

– Solution design.
– Statement of work.


24 Hitachi ID Solution Delivery Approach

Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.

Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1–3 months. Work is reviewed and payment is due when milestones are met.

Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.

Templates: Template documents and sample business logic are used to expedite work.

Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.

25 AdMax: Maximizing User Adoption

• Successful implementation of an identity and access management system must be supported by an
effective user adoption program.

• AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects.

• AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions,
using:

– Best practices, case studies and industry norms.
– Enrollment, user adoption and ROI measurement.
– Incentive and disincentive programs.
– Presentations and training materials for users and HD staff.
– Project roles and responsibilities.
– Sample project plans, promotional materials, e-mails, graphics and other user communications.
– Workbooks for project implementation.


26 Summary

An integrated solution for managing identities and entitlements:
• Automation: onboarding, deactivation, detect out-of-band changes.
• Self-service: profile updates, access requests.
• Governance: certification, authorization workflow, RBAC, SoD, analytics.
• Automatically manage identities, entitlements: 110 bidirectional connectors.
• Other integrations: filesystem, collaboration, SIEM, incident management.
• Rapid deployment: pre-configured reference implementation.

Security, lower cost, faster service.

Learn more at Hitachi-ID.com/Identity-Manager

27 Getting an IAM Project Started

• Build a business case.
• Get management sponsorship and a budget.
• Discovery phase, capture detailed requirements.
• Assemble a project team:

– security
– system administration
– user support
– etc.
• Try before you buy: Demos, POCs, pilots.
• Install the software, roll to production.
• Enroll users, if/as required.

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

www.Hitachi-ID.com Date: May 22, 2015 File: PRCS:pres
