
1 Hitachi ID Password Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Integrated credential management: passwords, security questions, certificates, tokens, smart cards and biometrics.

2 Agenda
Corporate
Hitachi ID Password Manager
Recorded Demos
Technology
Implementation
Differentiation

3 Corporate

2017 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally.
Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
Founded as M-Tech in 1992.
A division of Hitachi, Ltd. since 2008.
Over 1200 customers.
More than 14M+ licensed users.
Offices in North America, Europe and APAC.
Global partner network.

3.2 Representative customers


3.3 Hitachi ID Suite

4 Hitachi ID Password Manager

4.1 Too many passwords

Challenges:
Users have too many passwords.
Write them on sticky notes.
Forget and call the help desk.
Pick trivial, insecure values.

Solutions:
Synchronize passwords.
Reduce to 1 or a few.
Easier to remember.
Less likely to write down.
Opportunity to mandate stronger passwords.


4.2 Help desk call volume

Challenges:
Users forget their passwords.
Lock themselves out.
Highest volume incident type.
Peak volume at start of week.

Solutions:
Self-service password reset.
Clear intruder lockouts.
PIN resets and emergency pass-codes for tokens.

4.3 Automated user enrollment

Challenges:
Self service depends on non-password credentials: security questions, mobile phone number, personal e-mail address, app on smart phone.
This data rarely exists prior to deployment.
New hires must enroll too.
ROI depends on user adoption: users tend to ignore invitations.

Solutions:
Identify users with incomplete profiles.
Invite them to sign up. Send reminders with increasing urgency: e-mail; open browser at login time; forced enrollment (full screen, locked browser).
Throttle invitations: per user (e.g., once a week); overall (e.g., 500/day).
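The invitation policy on this slide (find incomplete profiles, escalate the reminder on each attempt, throttle per user and per day) as a worked example. This is added illustration code with a constructed sample population, not Hitachi ID's implementation; the field names, the escalation ladder order and the longest-waiting-first ordering are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Non-password credentials the slide says self-service depends on.
REQUIRED = ("security_questions", "mobile_phone", "personal_email", "smart_phone_app")
# Escalation ladder from the slide: each reminder is more intrusive than the last.
URGENCY = ("email", "browser_at_login", "forced_enrollment")
PER_USER_INTERVAL = timedelta(days=7)   # "once a week"
DAILY_CAP = 500                         # "500/day"
TODAY = date(2017, 5, 25)               # constructed run date for the sample

@dataclass
class Profile:
    user_id: str
    enrolled: Set[str]                  # credential types already on file
    last_invited: Optional[date] = None
    invites_sent: int = 0

def missing(p: Profile) -> List[str]:
    return [f for f in REQUIRED if f not in p.enrolled]

def plan_invitations(profiles: List[Profile], today: date,
                     daily_cap: int = DAILY_CAP) -> List[Tuple[str, str, List[str]]]:
    """Return (user_id, urgency, missing_fields) for everyone invited today and
    record the invitation on the profile so the throttle applies on the next run."""
    plan = []
    # Longest-waiting users first so the daily cap does not starve anyone.
    for p in sorted(profiles, key=lambda q: q.last_invited or date.min):
        if len(plan) >= daily_cap:
            break                       # overall throttle reached for today
        if not missing(p):
            continue                    # complete profile, nothing to do
        if p.last_invited and today - p.last_invited < PER_USER_INTERVAL:
            continue                    # per-user throttle: invited this week
        level = URGENCY[min(p.invites_sent, len(URGENCY) - 1)]
        plan.append((p.user_id, level, missing(p)))
        p.last_invited = today
        p.invites_sent += 1
    return plan

def sample_profiles() -> List[Profile]:
    # Constructed population: one complete, one throttled, two due (one escalated).
    return [
        Profile("alice", set(REQUIRED)),
        Profile("bob", set(), last_invited=date(2017, 5, 20), invites_sent=1),
        Profile("carol", {"security_questions"}, last_invited=date(2017, 5, 10), invites_sent=2),
        Profile("dave", set()),
    ]
```

Running `plan_invitations(sample_profiles(), TODAY)` invites dave by e-mail and carol by forced enrollment, skips alice (complete) and bob (invited five days ago).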


4.4 Password reset from difficult contexts

Challenges:
Users have trouble logging in: forget their password; trigger an intruder lockout.
User context can complicate assistance:
Pre-boot? No OS yet!
Windows login screen? How to navigate to self-service?
Off-site? Locally cached password.

Solutions:
Pre-boot: smart phone app or voice call to access service. Mediate filesystem unlock.
Windows login screen: Credential Provider extends the Windows login UI. Smart phone app or voice call. Secure kiosk account if client software is a problem.
VPN integration: update locally cached password for off-site users.

4.5 Need consistently strong authentication

Challenges:
Few apps natively support multi-factor logins.
Mandate strong authentication before self-service password reset.

Solutions:
Offer 2FA to all users: PIN to phone/email; smart phone app; existing OTP; browser fingerprint (reduces the nuisance of 2FA).
Built into Hitachi ID Password Manager: leverage existing 2FA if available; introduce zero-cost 2FA otherwise.
Extend 2FA to other apps via federation: HiPM includes a built-in SAML IdP.


4.6 SaaS apps demand stronger security

Challenges:
SaaS apps expose a public URL.
Unlike on-premises, they can be attacked by anyone with an Internet connection.

Solutions:
Offload login screens to a federated access manager.
Require 2FA at the consolidated login screen.
Fingerprint browsers to reduce the nuisance of a two-step login.

4.7 Users want to manage their own passwords

Challenges:
Users sign into a variety of non-corporate services: insurance, banking, e-mail, social network, e-commerce, ...
They sometimes ask IT for help managing these too.

Solutions:
Offer them a secure alternative.
Improves customer satisfaction with IT.
Acts as an inducement to installing a 2FA mobile app.


5 Recorded Demos

5.1 Off-site, Locked-out Password Reset

Animation: ../../pics/camtasia/v9/hipm-self-service-anywhere-nb/hipm-self-service-anywhere-nb.mp4

5.2 Activate Hitachi ID Mobile Access app

Animation: ../../pics/camtasia/v10/enable-mobile-device-1.mp4

5.3 Unlock pre-boot password

Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4

5.4 Add contact to phone

Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

6 Technology


6.1 Multi-master architecture

Diagram (labels recovered from the slide): Hitachi ID servers in data center A and data center B, replicated, behind load balancers and a reverse web proxy; MS SQL databases; IVR server; firewalls; remote data center; proxy server.
Native password change trigger systems (password synch): AD, Unix, z/OS (local agent), LDAP, iSeries. Labels on the Hitachi ID servers: Manage, Validate pw.
Managed endpoints with remote agent: AD, SQL, SAP, Notes, etc. Managed endpoints across firewalls via proxy server. SaaS apps via the cloud; mobile UI via mobile proxy; VPN server.
Notifications and invitations by e-mail; tickets to the ticketing system; system of record: HR system.
Transports: TCP/IP + AES, secure native protocol, HTTPS (if needed), various protocols.

6.2 Key architectural features

Diagram (labels recovered from the slide): BYOD enabled; on premises and SaaS (SaaS apps, cloud); replicated across data centers (data center A, data center B, remote data center); horizontal scaling; load balanced; reach across firewalls.
Transports: TCP/IP + AES, secure native protocol, HTTPS, various protocols.

6.3 Internal architecture


Multi-master, active-active out of the box.
Built-in data replication between app nodes:
Fault tolerant.
Secure - encrypted.
Reliable - queue and retry.
App nodes need not and should not be co-located.
Native, 64-bit code:
2x faster than .NET.
10x faster than Java.
Stored procedures:
For all data lookups, inserts.
Fast, efficient.
Eliminates client/server chatter.
Modern crypto: AES-256, SSHA-512.


6.4 Authentication chains

An authentication chain is a defined series of steps.
Special type: interactively choose a chain.
Special type: programmatically limit available chains.
Risk-analysis: VPN? admin user?

Diagram: flowchart of chain steps (only the labels above survived extraction).

6.5 User classes

User classes define sets of individual users or types of relationships between users:
Sets of users: by group membership; in an OU; having certain attributes.
Types of relationships: shared attributes (e.g., department, location); group membership of participants (e.g., security team); direct or indirect manager.

User classes are a natural way to define security policy:
Route requests (requester+recipient/authorizer).
Invite reviewers (user/certifier).
Escalate requests (old/new participants).
Limit visibility (viewer/user profile).
Define what is requestable (requester/recipient).


6.6 BYOD access to on-premises IAM system

The challenge:
Users want access on their phones.
Phone on the Internet, IAM on-prem.
Don't want attackers probing IAM from Internet.

Hitachi ID Mobile Access:
Install + activate iOS, Android app.
Proxy service on DMZ or cloud.
IAM, phone both call the proxy - no firewall changes.
IAM not visible on Internet.

Diagram (labels recovered from the slide): personal device on the Internet; cloud proxy with a message passing system; firewall; DMZ; firewall; IAM server on the private corporate network.
(1) IAM server worker thread, outbound connections only: "Give me an HTTP request".
(2) HTTPS request from the personal device: includes userID, deviceID.
(3) Message passing system at the cloud proxy.
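A minimal simulation of the three-step exchange on this slide: the phone and the IAM server both connect out to the proxy, the IAM worker polls for queued requests, and the reply travels back through the proxy. This is added illustration code, not the Hitachi ID Mobile Access implementation; the in-memory queues, the message fields, the device activation registry and the sample IDs are all assumptions.

```python
from collections import deque
import uuid

class CloudProxy:
    """Message-passing proxy in the DMZ or cloud. It never opens a connection
    to the IAM server; both parties connect to it (over HTTPS in practice)."""
    def __init__(self):
        self.activated = {}      # device_id -> user_id, set when the app is activated
        self.pending = deque()   # requests waiting for an IAM worker to collect them
        self.responses = {}      # request_id -> result posted by the IAM server

    def activate(self, user_id, device_id):
        self.activated[device_id] = user_id

    def submit(self, user_id, device_id, action):
        # (2) phone side: outbound request carrying userID and deviceID.
        # Unknown devices are refused so the proxy cannot be used as an open relay.
        if self.activated.get(device_id) != user_id:
            raise PermissionError("device not activated for this user")
        req_id = str(uuid.uuid4())
        self.pending.append({"id": req_id, "user": user_id, "action": action})
        return req_id

    def next_request(self):
        # (1) IAM side: the worker thread's outbound call, "give me an HTTP request".
        return self.pending.popleft() if self.pending else None

    def post_response(self, req_id, result):
        self.responses[req_id] = result       # (3) reply travels back via the proxy

    def fetch_response(self, req_id):
        return self.responses.pop(req_id, None)

class IamServer:
    """Lives on the private network; only ever makes outbound connections."""
    def __init__(self, proxy):
        self.proxy = proxy

    def work_once(self):
        req = self.proxy.next_request()
        if req is None:
            return False                      # nothing queued; poll again later
        self.proxy.post_response(req["id"], {"status": "ok", "action": req["action"]})
        return True

def demo_exchange():
    """One round trip: an activated phone (constructed IDs) asks for a password reset."""
    proxy = CloudProxy()
    iam = IamServer(proxy)
    proxy.activate("alice", "dev-123")
    req_id = proxy.submit("alice", "dev-123", "password_reset")
    before_poll = proxy.fetch_response(req_id)   # None: IAM has not collected it yet
    iam.work_once()
    return before_poll, proxy.fetch_response(req_id)
```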


6.7 Included connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, MySQL, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.

6.8 Rapid integration with custom apps


Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents.
Each flexible agent connects to a class of applications:
API bindings (C, C++, Java, COM, ActiveX, MQ Series).
Telnet / TN3270 / TN5250 sessions with TLS or SSL.
SSH sessions.
HTTP(S) administrative interfaces.
Web services.
Win32 and Unix command-line administration programs.
SQL scripts.
Custom LDAP attributes.
Integration takes a few hours to a few days.
Fixed cost service available from Hitachi ID.


6.9 SAMLv2 Federated IdP


Externalize login process from third party web apps.
Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
On-premise: SharePoint (via ADFS), HCP Anywhere, etc.
Basically respond to SAMLv2 requests with assertions.
Leverage user classes for authorization control, authentication chains for 2FA/MFA.

6.10 Hitachi ID Mobile Access authentication factor


Leverage Hitachi ID Mobile Access on user phones as a soft token.
Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet
logins.
More secure password reset.
2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down, AD or RADIUS
unreachable.


6.11 HiTPM: self-service via phone call

Self-contained:
Hitachi ID Phone Password Manager runs on a Windows server with a Dialogic phone card or with the Dialogic HMP software solution.
No IVR software is required.
Integrated with Hitachi ID Password Manager: manage user enrollment; map network login ID to digits; HiPM ties to target systems.

Flexible:
Fully scriptable and can implement any call logic.
Multi-lingual: just record more voice prompts.
The default call logic is powerful and easy to customize.

Scalable:
Multiple load balanced HiTPM servers.
Multiple load balanced HiPM servers.

6.12 Language support


The Hitachi ID Password Manager UI can be rendered in many languages:

Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves.

7 Implementation


7.1 Hitachi ID professional services


Hitachi ID offers a complete range of services relating to Hitachi ID Password Manager, including:
Needs analysis and solution design.
Fixed price system deployment.
Project planning.
Roll-out management, including maximizing user adoption.
Ongoing system monitoring.
Training.
Services are based on extensive experience with the Hitachi ID solution delivery process.
The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
All implementation services are fixed price:
Solution design.
Statement of work.

8 Differentiation


8.1 HiPM differentiation


The most features:
Manage all credentials: passwords on directories, servers, apps, DBs; on-premise and SaaS; pre-boot passwords; smart cards and tokens.
2FA for all users.
Personal password vault.
Federated access (SAML IdP).
110+ connectors included.

Always available:
Corporate PCs: pre-boot unlock screen; Windows/MacOSX login screen; desktop browser.
Smart phone app.
Voice call to IVR.
At work and off-site.

Scalable:
Multi-master, active-active.
Load balanced, replicated.
Geographically distributed.
Multi-lingual.

The best ROI:
Reduce problem frequency.
Address root cause.
Don't just download problem resolution to users.
Managed enrollment to maximize adoption.
Rapid deployment, minimal maintenance.

8.2 The leading vendor


Innovation:
Self-Service, Anywhere.
HDD unlock via call, smart phone app.
Integrated password wallet.
Integrated federated access.
2FA for everyone.

Ongoing support:
Responsive and skilled customer support.
Unattended operation: auto-discovery; managed enrollment; metrics and trend analysis; SIEM, help desk integration.

Low cost:
Fixed-price implementation.
Minimal need for ongoing maintenance.


9 Summary
An integrated solution for managing credentials:
Immediate security benefit: password policy, help desk caller authentication.
Low deployment cost, minimal ongoing investment, significant IT support savings.
Always accessible:
Web browser on PC, phone or tablet.
Windows login prompt.
Pre-boot encryption password prompt.
Apps on iOS, Android.
Phone call / IVR.
Available at work and while off-site.
110+ connectors included.

Learn more at Hitachi-ID.com/Password-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com Date: 2017-05-25 | 2017-05-25 File: PRCS:pres
