1 Hitachi ID Password Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Integrated credential management: passwords, security questions, certificates, tokens, smart cards and biometrics.
2 Agenda
• Corporate
• Hitachi ID Password Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation
3 Corporate
© 2017 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3.1 Hitachi ID corporate overview
Hitachi ID delivers access governance and identity administration solutions to organizations globally.
Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M+ licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.
3.2 Representative customers
3.3 Hitachi ID Suite
4 Hitachi ID Password Manager
4.1 Too many passwords
Challenges:
• Users have too many passwords.
• Write them on sticky notes.
• Forget and call the help desk.
• Pick trivial, insecure values.
Solutions:
• Synchronize passwords.
• Reduce to 1 or a few.
• Easier to remember.
• Less likely to write down.
• Opportunity to mandate stronger passwords.
4.2 Help desk call volume
Challenges:
• Users forget their passwords.
• Lock themselves out.
• Highest volume incident type.
• Peak volume at start of week.
Solutions:
• Self-service password reset.
• Clear intruder lockouts.
• PIN resets and emergency pass-codes for tokens.
4.3 Automated user enrollment
Challenges:
• Self service depends on non-password credentials:
– Security questions.
– Mobile phone number.
– Personal e-mail address.
– App on smart phone.
• This data rarely exists prior to deployment.
• New hires must enroll too.
• ROI depends on user adoption:
– Users tend to ignore invitations.
Solutions:
• Identify users with incomplete profiles.
• Invite them to sign up. Send reminders with increasing urgency:
– E-mail.
– Open browser at login time.
– Forced enrollment (full screen, locked browser).
• Throttle invitations:
– Per user (e.g., once a week).
– Overall (e.g., 500/day).
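The enrollment logic on this slide (find incomplete profiles, escalate reminder urgency, throttle per user and overall) is small enough to show end to end. The following is an added illustration written for this page, not Hitachi ID's code; the credential field names, the three-rung escalation ladder and the sample profiles are assumptions, and the default limits are the slide's own figures (once a week per user, 500 per day overall).

```python
"""Enrollment-invitation scheduler: an added example modelled on the slide,
not Hitachi ID's implementation. Field names and the ladder are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Non-password credentials a complete self-service profile needs (assumed names).
REQUIRED = ("security_questions", "mobile_phone", "personal_email", "mobile_app")
# Reminder channels in increasing order of urgency, as listed on the slide.
LADDER = ("email", "browser_at_login", "forced_enrollment")


@dataclass
class Profile:
    user_id: str
    credentials: Dict[str, bool]          # which required items are already enrolled
    invites_sent: int = 0                 # how many reminders this user has had
    last_invite: Optional[date] = None    # when the most recent one went out


def is_incomplete(p: Profile) -> bool:
    """A profile is incomplete if any required credential is missing."""
    return any(not p.credentials.get(k, False) for k in REQUIRED)


def next_urgency(p: Profile) -> str:
    """Climb the ladder one rung per reminder; stay on the top rung afterwards."""
    return LADDER[min(p.invites_sent, len(LADDER) - 1)]


def plan_invitations(profiles: List[Profile], today: date,
                     per_user: timedelta = timedelta(days=7),
                     daily_cap: int = 500) -> List[Tuple[str, str]]:
    """Return (user_id, channel) pairs to send today, honouring both throttles.

    Profiles are mutated so that a second run on the same day sends nothing
    to users already invited (the per-user throttle).
    """
    planned: List[Tuple[str, str]] = []
    for p in profiles:
        if len(planned) >= daily_cap:          # overall throttle
            break
        if not is_incomplete(p):               # nothing to enroll
            continue
        if p.last_invite is not None and today - p.last_invite < per_user:
            continue                           # per-user throttle
        planned.append((p.user_id, next_urgency(p)))
        p.invites_sent += 1
        p.last_invite = today
    return planned


def sample_profiles() -> List[Profile]:
    """Constructed sample data, not real users."""
    full = dict.fromkeys(REQUIRED, True)
    return [
        Profile("alice", dict(full)),                                  # complete
        Profile("bob", {"security_questions": True}),                  # never invited
        Profile("carol", {}, invites_sent=1, last_invite=date(2017, 5, 23)),  # invited 2 days ago
        Profile("dave", {"mobile_phone": True}, invites_sent=2,
                last_invite=date(2017, 5, 10)),                        # 2 reminders ignored
    ]


if __name__ == "__main__":
    for user, channel in plan_invitations(sample_profiles(), date(2017, 5, 25)):
        print(f"{user}: {channel}")
```

Running it on the constructed data invites bob by e-mail, skips alice (complete) and carol (inside the weekly window), and escalates dave to forced enrollment; the overall cap is exercised in the test by feeding more incomplete profiles than the daily limit.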
4.4 Password reset from difficult contexts
Challenges:
• Users have trouble logging in:
– Forget their password.
– Trigger an intruder lockout.
• User context can complicate assistance:
– Pre-boot? No OS yet!
– Login screen? How to navigate to self-service?
– Off-site? Locally cached password.
Solutions:
• Pre-boot:
– Smart phone app or voice call to access service.
– Mediate filesystem unlock.
• Windows login screen:
– Credential Provider extends the Windows login UI.
– Smart phone app or voice call.
– Secure kiosk account if client software is a problem.
• VPN integration:
– Update locally cached password for off-site users.
4.5 Need consistently strong authentication
Challenges:
• Few apps natively support multi-factor logins.
• Mandate strong authentication before self-service password reset.
Solutions:
• Offer 2FA to all users:
– PIN to phone/email.
– Smart phone app.
– Existing OTP.
– Browser fingerprint (reduces the nuisance of 2FA).
• Built into Hitachi ID Password Manager:
– Leverage existing 2FA if available.
– Introduce zero-cost 2FA otherwise.
• Extend 2FA to other apps via federation:
– HiPM includes a built-in SAML IdP.
4.6 SaaS apps demand stronger security
Challenges:
• SaaS apps expose a public URL.
• Unlike on-premises, they can be attacked by anyone with an Internet connection.
Solutions:
• Offload login screens to a federated access manager.
• Require 2FA at the consolidated login screen.
• Fingerprint browsers to reduce the nuisance of a two-step login.
4.7 Users want to manage their own passwords
Challenges:
• Users sign into a variety of non-corporate services.
• Insurance, banking, e-mail, social network, e-commerce, ...
• They sometimes ask IT for help managing these too.
Solutions:
• Offer them a secure alternative.
• Improves customer satisfaction with IT.
• Acts as an inducement to installing a 2FA mobile app.
5 Recorded Demos
5.1 Off-site, Locked-out Password Reset
Animation: ../../pics/camtasia/v9/hipm-self-service-anywhere-nb/hipm-self-service-anywhere-nb.mp4
5.2 Activate Hitachi ID Mobile Access app
Animation: ../../pics/camtasia/v10/enable-mobile-device-1.mp4
5.3 Unlock pre-boot password
Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4
5.4 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4
6 Technology
6.1 Multi-master architecture
[Architecture diagram; only its labels survive extraction. Components shown:]
• Native password change trigger systems (AD, Unix, z/OS, LDAP, iSeries; z/OS via a local agent) feeding password synch.
• SaaS apps ("Cloud") and a mobile proxy serving the mobile UI.
• Reverse web proxy and load balancers in front of the Hitachi ID servers; VPN server; IVR server; MS SQL databases.
• Replication between Hitachi ID servers in Data center A, Data center B and a remote data center, across firewalls.
• Managed endpoints, reached directly, via a remote agent (AD, SQL, SAP, Notes, etc.) or via a proxy server if needed; arrows labelled "Validate pw" and "Manage".
• Notifications and invitations through the e-mail system; tickets to the ticketing system; HR as the system of record.
• Link legend: TCP/IP + AES; various protocols; secure native protocol; HTTPS.
6.2 Key architectural features
[Diagram repeating the 6.1 topology, with these callouts:]
• BYOD enabled.
• On premises and SaaS ("Cloud").
• Replicated across data centers (Data center A, Data center B, remote data center).
• Horizontal scaling.
• Load balanced.
• Reach across firewalls (TCP/IP + AES, various protocols, secure native protocol, HTTPS).
6.3 Internal architecture
• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
– Fault tolerant.
– Secure - encrypted.
– Reliable - queue and retry.
– App nodes need not, and should not, be co-located.
• Native, 64-bit code:
– 2x faster than .NET.
– 10x faster than Java.
• Stored procedures:
– For all data lookups, inserts.
– Fast, efficient.
– Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512
6.4 Authentication chains
[Diagram of chained authentication steps; not recoverable from extraction.]
• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?
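The three ideas on this slide (a chain as an ordered series of steps, an interactive choice among chains, and a programmatic limit driven by risk signals such as VPN or admin user) combine naturally with the browser-fingerprint point from 4.5, where a recognized browser is allowed a lighter chain. The block below is an added illustration written for this page, not Hitachi ID's implementation: the chain names, the risk rules, the verifier stand-ins and the treatment of VPN sessions as higher risk are all assumptions.

```python
"""Authentication-chain selection and execution: an added example, not
Hitachi ID code. Chain names, risk rules and verifiers are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Evidence = Dict[str, str]                 # what the user submitted, keyed by step
Verifier = Callable[[Evidence], bool]     # one authentication step


@dataclass(frozen=True)
class Context:
    via_vpn: bool            # remote session (assumed higher risk here)
    is_admin: bool           # privileged account
    known_fingerprint: bool  # browser previously fingerprinted for this user


# A chain is an ordered series of steps; every step must pass.
CHAINS: Dict[str, Tuple[str, ...]] = {
    "password_only": ("password",),
    "password+pin": ("password", "sms_pin"),
    "password+app": ("password", "phone_app"),
    "password+otp": ("password", "hardware_otp"),
}


def available_chains(ctx: Context) -> List[str]:
    """Risk analysis: programmatically limit which chains a session may use."""
    if ctx.is_admin:
        # Admin users: only the stronger second factors.
        return ["password+app", "password+otp"]
    if ctx.known_fingerprint and not ctx.via_vpn:
        # Recognized browser on the corporate network: 2FA becomes optional.
        return ["password_only", "password+pin", "password+app"]
    # Unknown device or VPN session: a second factor is mandatory.
    return ["password+pin", "password+app", "password+otp"]


def choose_chain(ctx: Context, preferred: Optional[str] = None) -> str:
    """Interactive choice: the user picks, but only among the permitted chains."""
    allowed = available_chains(ctx)
    if preferred is None:
        return allowed[0]
    if preferred not in allowed:
        raise PermissionError(f"chain {preferred!r} not permitted in this context")
    return preferred


def run_chain(chain: str, verifiers: Dict[str, Verifier],
              evidence: Evidence) -> Tuple[bool, Optional[str]]:
    """Execute the steps in order; report the first failing step, if any."""
    for step in CHAINS[chain]:
        if not verifiers[step](evidence):
            return False, step
    return True, None


def demo_verifiers() -> Dict[str, Verifier]:
    """Constructed stand-ins for real verifiers (password store, SMS, app, OTP):
    each compares the submitted value with a fixed expected one."""
    expected = {"password": "correct horse", "sms_pin": "481516",
                "phone_app": "approved", "hardware_otp": "223344"}
    return {name: (lambda ev, n=name: ev.get(n) == expected[n]) for name in expected}


if __name__ == "__main__":
    ctx = Context(via_vpn=True, is_admin=False, known_fingerprint=True)
    chain = choose_chain(ctx)                      # VPN session: 2FA chain chosen
    ok, failed = run_chain(chain, demo_verifiers(),
                           {"password": "correct horse", "sms_pin": "481516"})
    print(chain, ok, failed)
```

The point the slide makes is that the chain is data, not code: the same executor runs any chain, and the risk rules only decide which chains are offered, so adding a factor or tightening a rule does not touch the step implementations.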
6.5 User classes
[Diagram of user-class relationships; not recoverable from extraction.]
User classes define sets of individual users or types of relationships between users:
• Sets of users:
– By group membership.
– In an OU.
– Having certain attributes.
• Types of relationships:
– Shared attributes (e.g., department, location).
– Group membership of participants (e.g., security team).
– Direct or indirect manager.
User classes are a natural way to define security policy:
• Route requests (requester+recipient/authorizer).
• Invite reviewers (user/certifier).
• Escalate requests (old/new participants).
• Limit visibility (viewer/user profile).
• Define what is requestable (requester/recipient).
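Two of the policy uses listed on this slide, routing a request to its authorizers and limiting who may view a profile, can be expressed directly as predicates over users and over pairs of users. The block below is an added illustration written for this page, not Hitachi ID's code: the predicate style, the sample directory, and the two policies are assumptions chosen to exercise every class type the slide names (group, OU, attribute, shared attribute, participant group, direct or indirect manager).

```python
"""User classes as predicates: an added example, not Hitachi ID code.
The directory contents and the policies are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class User:
    uid: str
    ou: str
    groups: Set[str]
    attrs: Dict[str, str]
    manager: Optional[str] = None   # uid of the direct manager; None at the top


Directory = Dict[str, User]
UserClass = Callable[[User, Directory], bool]          # a set of users
Relation = Callable[[User, User, Directory], bool]     # (participant, subject)


# Sets of users: by group membership, OU, or attribute value.
def in_group(g: str) -> UserClass:
    return lambda u, d: g in u.groups


def in_ou(ou: str) -> UserClass:
    return lambda u, d: u.ou == ou


def has_attr(key: str, value: str) -> UserClass:
    return lambda u, d: u.attrs.get(key) == value


# Relationships between a participant (a) and the subject of a request (b).
def shares_attr(key: str) -> Relation:
    return lambda a, b, d: a.attrs.get(key) == b.attrs.get(key)


def participant_in_group(g: str) -> Relation:
    return lambda a, b, d: g in a.groups


def manages(direct_only: bool = False) -> Relation:
    """a is b's direct manager, or (unless direct_only) any manager up the chain."""
    def rel(a: User, b: User, d: Directory) -> bool:
        seen: Set[str] = set()                 # guards against a cyclic manager chain
        boss = b.manager
        while boss is not None and boss not in seen:
            if boss == a.uid:
                return True
            if direct_only:
                return False
            seen.add(boss)
            boss = d[boss].manager
        return False
    return rel


def members(cls: UserClass, d: Directory) -> List[str]:
    return sorted(u.uid for u in d.values() if cls(u, d))


def related(rel: Relation, subject: User, d: Directory) -> List[str]:
    return sorted(u.uid for u in d.values() if u.uid != subject.uid and rel(u, subject, d))


# Routing policy: the first rule whose recipient class matches decides the authorizers.
Policy = List[Tuple[UserClass, Relation]]


def route_request(recipient_uid: str, d: Directory, policy: Policy) -> List[str]:
    recipient = d[recipient_uid]
    for recipient_class, authorizer_rel in policy:
        if recipient_class(recipient, d):
            return related(authorizer_rel, recipient, d)
    return []                                  # no rule matched: nobody can approve


def can_view(viewer_uid: str, subject_uid: str, d: Directory, rules: List[Relation]) -> bool:
    """Visibility: the viewer must stand in at least one permitted relation to the subject."""
    return any(r(d[viewer_uid], d[subject_uid], d) for r in rules)


def sample_directory() -> Directory:
    """Constructed sample data, not a real directory."""
    people = [
        User("alice", "Executive", {"staff"}, {"dept": "exec", "location": "Calgary"}),
        User("bob", "Engineering", {"staff"}, {"dept": "eng", "location": "Calgary"}, "alice"),
        User("carol", "Engineering", {"staff", "secteam"}, {"dept": "eng", "location": "Calgary"}, "bob"),
        User("dave", "Engineering", {"staff"}, {"dept": "eng", "location": "Toronto"}, "bob"),
        User("erin", "Security", {"staff", "secteam"}, {"dept": "sec", "location": "Calgary"}, "alice"),
    ]
    return {u.uid: u for u in people}


# Security-team members need sign-off from every manager up the chain;
# other engineering staff need only their direct manager (assumed policy).
POLICY: Policy = [(in_group("secteam"), manages()),
                  (in_ou("Engineering"), manages(direct_only=True))]
VISIBILITY: List[Relation] = [shares_attr("dept"), manages()]

if __name__ == "__main__":
    d = sample_directory()
    print("authorizers for carol:", route_request("carol", d, POLICY))
    print("erin may view carol:", can_view("erin", "carol", d, VISIBILITY))
```

Because both kinds of class are plain predicates, the policy tables stay declarative: adding a rule is adding a tuple, and the directory walk that evaluates "indirect manager" lives in one place.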
6.6 BYOD access to on-premises IAM system
The challenge:
• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don't want attackers probing IAM from Internet.
• IAM not visible on Internet.
Hitachi ID Mobile Access:
• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
[Diagram: personal device on the Internet; cloud proxy ("message passing system") in the DMZ between two firewalls; IAM server on the private corporate network.]
(1) HTTPS request from the personal device to the proxy; includes userID, deviceID.
(2) The IAM server makes outbound connections only; a worker thread asks the proxy "Give me an HTTP request".
(3) The cloud proxy relays messages between the two.
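The property that makes this design safe to expose is visible only when both sides are written down: the proxy is the one component reachable from the Internet, and the IAM server only ever opens outbound connections to it. The following is an added simulation written for this page, not Hitachi ID's Mobile Access code; the queue-based relay, the device-activation table and the request format are assumptions, and no network I/O is performed.

```python
"""Outbound-only relay between a phone app and an on-premises IAM server:
an added example, not Hitachi ID's implementation. Message format,
activation table and in-memory queues are assumed."""
from collections import deque
from typing import Deque, Dict, Optional, Tuple
import itertools

Response = Tuple[int, str]   # (HTTP-style status, body)


class RelayProxy:
    """Message-passing proxy in the DMZ or cloud: the only Internet-facing piece.
    It never connects to the IAM server; it holds messages until each side calls."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self._pending: Deque[dict] = deque()
        self._responses: Dict[int, Response] = {}

    def submit(self, user_id: str, device_id: str, path: str) -> int:
        """(1) Phone -> proxy over HTTPS; the request names the user and device."""
        rid = next(self._ids)
        self._pending.append({"id": rid, "user_id": user_id,
                              "device_id": device_id, "path": path})
        return rid

    def next_request(self) -> Optional[dict]:
        """(2) IAM worker thread -> proxy, outbound: 'give me an HTTP request'."""
        return self._pending.popleft() if self._pending else None

    def post_response(self, rid: int, status: int, body: str) -> None:
        """IAM worker -> proxy, outbound: deliver the answer for one request."""
        self._responses[rid] = (status, body)

    def fetch_response(self, rid: int) -> Optional[Response]:
        """(3) Phone polls the proxy for its answer."""
        return self._responses.pop(rid, None)


class IamServer:
    """On the private network. Has no listening socket; it only calls the proxy."""

    def __init__(self, proxy: RelayProxy, activated: Dict[str, str],
                 profiles: Dict[str, str]) -> None:
        self.proxy = proxy
        self.activated = activated     # user_id -> the one device activated for it
        self.profiles = profiles       # user_id -> profile text (constructed data)

    def work_once(self) -> bool:
        """One worker-thread iteration; returns False when the queue was empty."""
        req = self.proxy.next_request()
        if req is None:
            return False
        uid, dev, rid = req["user_id"], req["device_id"], req["id"]
        if self.activated.get(uid) != dev:
            # Unknown or un-activated device: refuse before touching any data.
            self.proxy.post_response(rid, 403, "device not activated for this user")
        elif req["path"] == "/profile":
            self.proxy.post_response(rid, 200, self.profiles.get(uid, ""))
        else:
            self.proxy.post_response(rid, 404, "no such resource")
        return True


def round_trip(proxy: RelayProxy, iam: IamServer,
               user_id: str, device_id: str, path: str) -> Optional[Response]:
    """Drive one phone request through the relay and back."""
    rid = proxy.submit(user_id, device_id, path)
    iam.work_once()
    return proxy.fetch_response(rid)


if __name__ == "__main__":
    proxy = RelayProxy()
    iam = IamServer(proxy, {"alice": "dev-1"}, {"alice": "Alice, Engineering"})
    print(round_trip(proxy, iam, "alice", "dev-1", "/profile"))
    print(round_trip(proxy, iam, "alice", "dev-9", "/profile"))
```

Note which calls exist: `IamServer` has `work_once` and nothing that accepts a connection, so the inbound firewall rule for the private network can stay closed, which is the slide's "no firewall changes" point. The activation check is done on the IAM side, so a compromised proxy can delay or drop messages but cannot mint an approved device.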
6.7 Included connectors
Many integrations to target systems included in the base price:
• Directories: Any LDAP, Active Directory, NIS/NIS+.
• Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
• Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, MySQL, Hyperion, Cache, ODBC.
• Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
• Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
• HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
• ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
• Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
• Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
• WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
• Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
• Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.
6.8 Rapid integration with custom apps
• Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
– API bindings (C, C++, Java, COM, ActiveX, MQ Series).
– Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
– SSH sessions.
– HTTP(S) administrative interfaces.
– Web services.
– Win32 and Unix command-line administration programs.
– SQL scripts.
– Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.
6.9 SAMLv2 Federated IdP
• Externalize login process from third party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premise: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.
6.10 Hitachi ID Mobile Access authentication factor
• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet
logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down, AD or RADIUS
unreachable.
6.11 HiTPM: self-service via phone call
Self-contained:
• Hitachi ID Phone Password Manager runs on a Windows server with a Dialogic phone card or with the HMP software Dialogic solution.
• No IVR software is required.
• The default call logic is powerful and easy to customize.
Flexible:
• Fully scriptable and can implement any call logic.
• Multi-lingual: just record more voice prompts.
Integrated with Hitachi ID Password Manager:
• Manage user enrollment.
• Map network login ID to digits.
• HiPM ties to target systems.
Scalable:
• Multiple load balanced HiTPM servers.
• Multiple load balanced HiPM servers.
6.12 Language support
The Hitachi ID Password Manager UI can be rendered in many languages:
Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves.
7 Implementation
7.1 Hitachi ID professional services
• Hitachi ID offers a complete range of services relating to Hitachi ID Password Manager, including:
– Needs analysis and solution design.
– Fixed price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to
mutual customers.
• All implementation services are fixed price:
– Solution design.
– Statement of work.
8 Differentiation
8.1 HiPM differentiation
The most features:
• Manage all credentials:
– Passwords on directories, servers, apps, DBs.
– On-premise and SaaS.
– Pre-boot passwords.
– Smart cards and tokens.
• 2FA for all users.
• Personal password vault.
• Federated access (SAML IdP).
• 110+ connectors included.
Always available:
• Corporate PCs:
– Pre-boot unlock screen.
– Windows/MacOSX login screen.
– Desktop browser.
• Smart phone app.
• Voice call to IVR.
• At work and off-site.
Scalable:
• Multi-master, active-active.
• Load balanced, replicated.
• Geographically distributed.
• Multi-lingual.
The best ROI:
• Reduce problem frequency:
– Address root cause.
– Don't just download problem resolution to users.
• Managed enrollment to maximize adoption.
• Rapid deployment, minimal maintenance.
8.2 The leading vendor
Innovation:
• Self-Service, Anywhere.
• HDD unlock via call, smart phone app.
• Integrated password wallet.
• Integrated federated access.
• 2FA for everyone.
Ongoing support:
• Responsive and skilled customer support.
• Unattended operation:
– Auto-discovery.
– Managed enrollment.
– Metrics and trend analysis.
– SIEM, help desk integration.
Low cost:
• Fixed-price implementation.
• Minimal need for ongoing maintenance.
9 Summary
An integrated solution for managing credentials:
• Immediate security benefit: password policy, help desk caller authentication.
• Low deployment cost, minimal ongoing investment, significant IT support savings.
• Always accessible:
– Web browser on PC, phone or tablet.
– Windows login prompt.
– Pre-boot encryption password prompt.
– Apps on iOS, Android.
– Phone call / IVR.
– Available at work and while off-site.
• 110+ connectors included.
Learn more at Hitachi-ID.com/Password-Manager
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
www.Hitachi-ID.com Date: 2017-05-25 | 2017-05-25 File: PRCS:pres