1 Hitachi ID Password Manager. 2 Agenda. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Hitachi ID Password Manager Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Integrated Credential Management for Users: Passwords, encryption keys, tokens, smart cards and more. 2 Agenda Introducing Hitachi ID. Credential management challenges. Hitachi ID Password Manager: Features. Technology. Impact Hitachi ID Systems, Inc. All rights reserved. 1

2 3 Hitachi ID Corporate Overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Partners globally Hitachi ID Systems, Inc. All rights reserved. 2

3 4 Representative Customers 5 Hitachi ID Suite 2015 Hitachi ID Systems, Inc. All rights reserved. 3

4 Slide Presentation 6 The Credentials Landscape PIN SaaS password Smart card PIN RS Secu A rid 159 The Cloud 759 OTP token Boot password OS password AD password Cached password Encryption key ERP password Laptop Mainframe pw App password Local password Cached password At office Phone ipad Local password Mobile Cached password Tablet At home 2015 Hitachi ID Systems, Inc. All rights reserved. 4

5 7 Problems Due To Complexity Security / Internal Controls IT Support Cost Sticky notes. Guessable passwords. Social engineering the help desk. High call volume. #1 incident type. Staffing for peak load. Audit User Service Is authentication reliable? What users are triggering lockouts? Who can or did reset whose password? Too many passwords. Too many login prompts. Frequent login problems Hitachi ID Systems, Inc. All rights reserved. 5

6 8 Too many passwords Hard to remember passwords Synchronize passwords High help desk call volume. Users write down passwords. Fewer, stronger passwords. Easy to remember, change. Lower help desk call volume. 9 Synchronization Features Transparent: Triggered from native password change. Available on AD, LDAP, RAC/F, etc. Web-based: Change passwords using web browser. Interactively show systems, policies. Expired password notification: . Web popup. Pre-empt native expiry Hitachi ID Systems, Inc. All rights reserved. 6

7 Slide Presentation 10 Users forget their password or PIN Users forget or lock out their password/pin Self-service reset sel f ser vi ce Business interruption: can t login. Support cost: high call volume. Security: help desk fooled into improper password resets. Fewer, shorter business interruptions. Lower support cost. Available 24x7, everywhere. Secure and convenient. 11 Self-Service Password/PIN Reset Reset passwords and/or clear lockouts: Directory, OS, DB, application. On-premise and SaaS (cloud). Server-based and cached on the user s device. Reset PINs: One time password tokens (e.g., RSA SecurID). Smart cards. Always accessible: PC, tablet or phone web browser. PC login screen. On the corporate network and over public Internet/WiFi/VPN. Via telephone call Hitachi ID Systems, Inc. All rights reserved. 7

8 12 Authentication prior to support Need to authenticate users without asking for their (forgotten) password or PIN Managed enrollment process Backup authentication factors are a pre-requisite to self-service. Automatically invite users to enroll. Forms for Q&A; phone number, etc. High user adoption leads to good ROI. 13 Managed Enrollment Prior enrollment is often a pre-requisite to self-service. Enrollment may include: Security questions. Mobile phone number (for SMS/PIN). Non-standard login IDs. Voice samples for biometric authentication. Hitachi ID Password Manager includes a robust, automated system to manage the enrollment process: Identify users who need to enroll. Send out invitations. Automated reminders. Launch browser to enrollment page at PC login time. Control pace of invitations (globally and per user). Mandatory enrollment is possible. Automated, managed enrollment significantly improves user adoption Hitachi ID Systems, Inc. All rights reserved. 8

9 14 Users tired of typing many passwords Users enter too many passwords Copy credentials from Windows to application login screens Friction between users and apps. User frustration. Faster, simpler logins. Business happier with IT. 15 HiLM Operation Users log into their workstation as before, using their network login ID and password. Hitachi ID Login Manager installs a network provider, which picks up the user s primary ID and password. HiLM monitors the applications that a user launches, watching for instances where the user retypes the primary ID and password. HiLM stores the locations where the user reused his/her primary ID or password. When a familiar authentication prompt reappears, HiLM automatically fills in the ID and/or password. HiLM can read login ID aliases from an AD attribute at login time, eliminating the need to synchronize login IDs Hitachi ID Systems, Inc. All rights reserved. 9

10 16 Mobile users have login problems Users may forget their primary or VPN password while off-site. Reset cached, VPN passwords over WiFi+VPN VPN Link WiFi Internet Laptop Cafe VPN Server HiPM Server Forgot cached Windows password: PC is a brick. Forgot VPN password: cannot communicate. Users can get back to work. Self-service from any device, at any location, any time. 17 Self-Service, Anywhere Self-service is complicated by connectivity and device options. User location Endpoint device Connectivity Reset/unlock Work. Home. Airport. Cafe. Partner office. Laptop. Tablet. Smart phone. Wired at work. Wired at home. WiFi at home. Public WiFi. Tethered phone. Cell modem. Network password. Cached password. Smart card PIN. Token PIN. Encrypted HDD. Example scenarios supported by Hitachi ID Password Manager: Reset forgotten, cached AD password at airport. Recover from forgotten full disk encryption password (via phone) Hitachi ID Systems, Inc. All rights reserved. 10

11 Slide Presentation 18 Off-site, Locked-out Password Reset Animation:../../pics/camtasia/v82/hipm-self-service-anywhere/hipm-self-service-anywhere.cam 19 Hitachi ID Mobile Access overview The challenge Hitachi ID Mobile Access Users want access to IAM from phone. Phone on the Internet, IAM on-prem. Don t want attackers probing IAM from Internet. 3 App for ios, Android. Device activation required (install key). Proxy service on DMZ or cloud. IAM, phone both call the proxy. No firewall changes required. IAM not visible on Internet. Messaging passing system: Exchange requests Outbound connections only Cloud Proxy 4G Firewall 70% 3:06 PM Firewall 1 Mon, 15 June 2015 Type to search... Personal Device 2 Public Internet DMZ Private Corporate Network IAM Server Worker thread: Give me an HTTP request HTTPS request: Includes userid, deviceid 20 Activate Mobile Access Animation:../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp Hitachi ID Systems, Inc. All rights reserved. 11

12 21 Forgotten encryption passwords Users with a cryptographically secured PC forget their pre-boot password Self-service key recovery over telephone/ivr Phone System Laptop User Phone HiTPM Key Recovery Server PC is a brick until unlocked. Support calls are long and costly. Users get back to work quickly. No costly help desk support call Hitachi ID Systems, Inc. All rights reserved. 12

13 22 Impact of Synchronization and SSPR calls problems 2015 Hitachi ID Systems, Inc. All rights reserved. 13

14 23 Multi-Master Architecture IVR server VPN server TCP/IP + AES Various Protocols Secure Native Protocol HTTPS Reverse web proxy system Load balancer Notifications and invitations Incident mgmt system Validate pw Tickets HR SQL DB Hitachi ID server System of record Native password change AD, Unix, OS/390, LDAP, AS400 Load balancer Password synch trigger systems SQL DB Replication Firewall Hitachi ID server Firewall Target systems with local agent: OS/390, unix, older RSA Proxy server (if needed) Data center A Data center B Web services Target systems with remote agent: AD, SQL, SAP, Notes, etc Target Systems Cloud-hosted, SaaS apps Remote Remote data data center center 2015 Hitachi ID Systems, Inc. All rights reserved. 14

15 24 Included Connectors Many integrations to target systems included in the base price: Directories: Any LDAP, AD, WinNT, NDS, edirectory, NIS/NIS+. Unix: Linux, Solaris, AIX, HPUX, 24 more variants. ERP: JDE, Oracle ebiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager. Servers: Windows NT, 2000, 2003, 2008[R2], 2012, Samba, Novell, SharePoint. Mainframes, Midrange: z/os: RACF, ACF2, TopSecret. iseries, OpenVMS. Collaboration: Lotus Notes, inotes, Exchange, GroupWise, BlackBerry ES. Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, ODBC, Oracle Hyperion EPM Shared Services, Cache. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP (generic) Hitachi ID Systems, Inc. All rights reserved. 15

16 25 Rapid Integration with Custom Apps Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes. Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID. 26 Competitive Differentiation Integrated solution Always available Manage all credentials: OS, app passwords. Pre-boot passwords. On-premise and SaaS. Smart cards. OTP tokens connectors included. Full or phone browser. Voice call. PC login screen. Pre-boot (encrypted HDD). At work and off-site. Scalability Cost savings Multi-master architecture. Load balanced, replicated. Deploy across data centers. Multi-lingual. Reduce problem frequency (not just self-service). Managed enrollment to maximize adoption. Easy to deploy, maintain Hitachi ID Systems, Inc. All rights reserved. 16

17 27 The Leading Vendor Innovation Ongoing support Low cost Self-Service, Anywhere. Crypto key recovery. SSO without a password wallet. Responsive and skilled customer support. Unattended operation: Auto-discovery. Managed enrollment. Metrics and trend analysis. SIEM, help desk integration. Lost cost deployments. Minimal need for ongoing maintenance. Fixed-price engagements. 28 Summary An integrated solution for managing credentials: Immediate security benefit: password policy, help desk caller authentication. Low deployment cost, minimal ongoing investment, significant IT support savings. Always accessible: Web browser on PC, phone or tablet. Windows login prompt. Pre-boot encryption password prompt. Phone call / IVR. Available at work and while off-site connectors included. Learn more at Hitachi-ID.com/Password-Manager 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com Date: May 22, 2015 File: PRCS:pres