1 Hitachi ID Suite. 2 Agenda. 3 Corporate. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Hitachi ID Suite Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Administration and Governance of Identities, Entitlements and Credentials. 2 Agenda Corporate. IAM problems / Hitachi ID solutions. Technology. Privileged Access Example deployments. Discussion. 3 Corporate 2015 Hitachi ID Systems, Inc. All rights reserved. 1

2 3.1 Hitachi ID Corporate Overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Partners globally. 3.2 Representative Customers 4 Products 2015 Hitachi ID Systems, Inc. All rights reserved. 2

3 4.1 Hitachi ID Suite 2015 Hitachi ID Systems, Inc. All rights reserved. 3

4 4.2 HiIM Features Automation: Provision joiners, deactivate leavers. Multiple HR feeds. Requests portal: Self-service profile updates. Delegated security change requests. Security controls: Access certification. RBAC and SoD. Reports on current entitlements, history. Workflow process: Authorizers. Implementers. Certifiers. Integrations: 110+ bidirectional connectors, included. Incident management, SIEM, interfaces. Manage building access, physical assets. Identity synchronization: Consistent data among apps Hitachi ID Systems, Inc. All rights reserved. 4

5 4.3 HiPM Features Password synch: Reduce the number of passwords per user. Self-service: Password reset. Clear lockout. Smart card PIN reset. Token PIN reset. HDD key recovery. Access from: PC browser or login screen. At the office or remote. Smart phone or voice call. Assisted service: Password, token PIN, intruder lockout. Policy enforcement: Password complexity, expiry, history. Non-password authentication. Managed enrollment: Security questions. Login IDs. Mobile phone numbers. 5 Technology 2015 Hitachi ID Systems, Inc. All rights reserved. 5

6 5.1 Multi-Master Architecture IVR server VPN server TCP/IP + AES Various Protocols Secure Native Protocol HTTPS Reverse web proxy system Load balancer Notifications and invitations Incident mgmt system Validate pw Tickets HR SQL DB Hitachi ID server System of record Native password change AD, Unix, OS/390, LDAP, AS400 Load balancer Password synch trigger systems SQL DB Replication Firewall Hitachi ID server Firewall Target systems with local agent: OS/390, unix, older RSA Proxy server (if needed) Data center A Data center B Web services Target systems with remote agent: AD, SQL, SAP, Notes, etc Target Systems Cloud-hosted, SaaS apps Remote Remote data data center center 2015 Hitachi ID Systems, Inc. All rights reserved. 6

7 5.2 Key Architectural Features Replicated across data centers Horizontal scaling On premise and SaaS SQL DB SQL DB Load balanced Reach across firewalls 5.3 Multi-master Replication Avoid data loss and service interruption: Multiple copies of the vault in different cities. Real-time data replication. Fault-tolerant. Bandwidth efficient, latency tolerant. Best practice: multiple servers in multiple data centers. Active/active Load balanced Hitachi ID Systems, Inc. All rights reserved. 7

8 5.4 Included Connectors Many integrations to target systems included in the base price: Directories: Any LDAP, AD, WinNT, NDS, edirectory, NIS/NIS+. Unix: Linux, Solaris, AIX, HPUX, 24 more variants. ERP: JDE, Oracle ebiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager. Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint. Mainframes, Midrange: z/os: RACF, ACF2, TopSecret. iseries, OpenVMS. Collaboration: Lotus Notes, inotes, Exchange, GroupWise, BlackBerry ES. Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic). 5.5 Rapid Integration with Custom Apps Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes. Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID Hitachi ID Systems, Inc. All rights reserved. 8

9 6 Privileged Access 2015 Hitachi ID Systems, Inc. All rights reserved. 9

10 6.1 HiPAM Features Auto-discovery: Find systems, accounts. Attach policy. Random passwords: Default is daily. Secure storage: Replicated (with fault tolerance/queue). Encrypted. Geographically distributed. Access controls: Policy: who can sign into which account? Workflow controls: One time request/approval/login. Single sign-on: Launch SSH, RDP, vsphere, SQL, etc. Alternately: display password, temporary group membership, temporary SSH trust/sudo rights. Application passwords: Notify SCM, IIS, Scheduler, DCOM of new passwords. API to eliminate embedded passwords. Logging: Requests, approvals, logins to privileged accounts. Session monitoring: Screen, keyboard, webcam, process ID, window title, etc Hitachi ID Systems, Inc. All rights reserved. 10

11 6.2 Securing Privileged Accounts Thousands of IT assets: Servers, network devices, databases and applications: Numerous. High value. Heterogeneous. Workstations: Mobile dynamic IPs. Powered on or off. Direct-attached or firewalled. Who has the keys to the kingdom? Every IT asset has sensitive passwords: Administrator passwords: Used to manage each system. Service passwords: Provide security context to service programs. Application: Allows one application to connect to another. Do these passwords ever change? Plaintext in configuration files? Who knows these passwords? (ex-staff?) Audit: who did what? 6.3 Types of Privileged Accounts Definition: Administrator Embedded Service Interactive logins. Client tools: PuTTY, RDP, SQL Studio, etc. May be used at a physical console. One application connects to another. DB logins, web services, etc. Interactive logins for troubleshooting. Run service programs with limited rights. Windows requires a password! Challenges: Access control. Audit/accountability. Single sign-on. Session capture. Authenticating apps prior to password disclosure. Caching, key management. Avoiding service interruption due to failed notification: 2015 Hitachi ID Systems, Inc. All rights reserved. 11

12 6.4 Securing Administrator Accounts 7 Example Deployments 7.1 Case Study: Industrial Conglomerate Customer description: Product: Industry: Target systems: Functionality: Main business driver: Business impact: Global industrial conglomerate with energy utility subsidiaries. Hitachi ID Identity Manager Industrials, energy utilities Windows/AD, Oracle EBS, mainframe, databases. Onboard, deactivate, manage access of over 10,000 employees and contractors. Automation, self-service, policy enforcement. Lower IT support cost and improve SLA. Retired home-grown IAM and access reporting system. Lower IT security management workload Hitachi ID Systems, Inc. All rights reserved. 12

13 7.2 Case Study: Energy Company Customer description: Product: Number of users: 100,000+ Functionality: Main business driver: Business impact: 7.3 Case Study: US Bank Customer description: Product: Industry: Global energy company Hitachi ID Group Manager Self-service requests to access network shares, folders. Reduce IT support call volume. Replace "access denied" help desk calls with self-service infrastructure. US bank Hitachi ID Password Manager Banking Number of users: 150,000 Functionality: Main business driver: Business impact: 7.4 Case Study: Investment Bank Password reset via telephone, web browser Reduce IT support cost, improve authentication security when users call for help. Eliminated 33,000 help desk calls/month. Saved at least US$ 4,000,000/year. Customer description: Product: Top-10 global investment bank. Industry: Target systems: Functionality: Main business driver: Finance Windows, Unix/Linux, MSSQL. Randomize passwords weekly on 122,000 systems around the world. Deployed 12 servers in 4 data centers globally for super-high availability and fault tolerance. Eliminate static, shared, administrative passwords to comply with audit, regulatory requirements. Business impact: Control, audit administrator logins to privileged accounts on 122,000 systems globally. Pass audits Hitachi ID Systems, Inc. All rights reserved. 13

14 8 Differentiation 8.1 IM Advantages Reference build Built-in features: User friendly requests: Robust policy enforcement: Architecture: HiIM Pre-configured with most common scenarios. Request portal. Access certification. Approval workflow Windows Shell extension. SharePoint integration. Compare users. SoD with deep inspection. Policy-driven approvals. Privacy protection. Scalable: multi-master, load-balanced. Fault tolerant: active-active. Others Every deployment is custom, new. Custom forms. Custom workflows. Users must know what entitlements to request. SoD easily bypassed. Hard-coded approvals. No privacy protection. DB is choke point, single point of failure. Only hot standby Hitachi ID Systems, Inc. All rights reserved. 14

15 8.2 PM Advantages HiPM Self-service unlock for pre-boot password / full disk encryption. Self-service password reset for Windows login screen, even when remote. Included enterprise single sign-on for synchronized passwords. All connectors included in base price. Multiple servers, CPUs, load balancing, replication included. Web browser, smart-phone, PC login screen, telephony all included. Built-in managed enrollment system: maximizes user adoption. Others Call the help desk. Fix the problem when you get back to the office. No E-SSO - buy another product. Some vendors charge per-connector. Extra cost for additional servers. Hot standby at best. Some channels cost extra. Roll your own enrollment system extra cost, lower ROI. 8.3 PAM Advantages (technical) Hitachi ID Privileged Access Manager Multi-master, active-active. Temporary privilege elevation. Secure laptops (mobile, NAT, firewalled). Proxy servers to integrate with remote systems. Can launch RDP, SSH, vsphere, SQL, etc. sessions Competitors Hot standby, "offline" mode. Only password display/injection. Endpoints not really supported. Extra cost (more appliances?). Only RDP, SSH Hitachi ID Systems, Inc. All rights reserved. 15

16 8.4 PAM Advantages (commercial) Hitachi ID Privileged Access Manager Manage groups that control access policy. Proxy servers to integrate with remote systems. Secure Windows service acct passwords. Secure API replaces embedded passwords. Session recording included. Over 110 connectors included. Unlimited users. Competitors Need a separate IAM system for that. Extra cost (more appliances?). Separate product. Separate product. Separate product. Some connectors cost more. Fee per user. 9 Discussion 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com Date: May 22, 2015 File: PRCS:pres