1 Hitachi ID Password Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Reasons to upgrade, migration process. Version 11.1.1 is current.
2 Focus on password management
This presentation focuses on Hitachi ID Password Manager, not other Hitachi ID Suite products.
• Details for organizations currently using 6.x through 11.x.
• Architectural changes.
• New features.
• Upgrade path.
• Services.
– Increase the proportion of users who have enrolled Q&A.
– "Re-think" the questions being asked of users to comply with today's policies.
– Increase adoption of self-service.
– Reduce help desk calls due to login problems.
• Increase accessibility:
– Pre-boot – full disk encryption software / password prompt.
– Windows login screen – on-premises and off-site.
– BYOD – Android, iOS devices.
• Solve real world problems:
– Call volume creeping back up.
– Users increasingly off-site, can't access password reset.
– Deploying full disk encryption, need self-service unlock pre-boot.
– Refresh integrations – Windows 2016, Office 365, SaaS apps, etc.
• Security, cloud:
– SaaS applications call for more than just a password login.
– Hitachi ID Password Manager now includes federated access and 2FA, out-of-the-box.
4 Platform changes from 6.x
4.1 SQL replaces embedded DB
6.x | Now | Notes
Embedded: CodeBase. | SQL Server 2016/12. | Standard, scalable, open.
DB replication built-in. | N/C | Easier, more secure than DB-native.
Multi-master architecture. | N/C | If it's not broken...
DB on each server. | Local or separate DB. | Scale up with more HW.
1 DB instance per PW server. | DB can be shared. | Leverage corporate DB clusters.
Limited Unicode support (e.g., security Qs). | Full Unicode support (e.g., attributes, IDs). | Better for Asian users.
Direct access to data. | All access via stored procs. | Better performance.
– Used to run 100% as a DLL in kernel-space on Windows servers.
– Now a service offloads much of the work.
– Less code running in the kernel.
– New features: user filtering, queue/retry.
• Logging subsystem:
– Individual log files are gone.
– High performance, consolidated logging system added.
– Easier to plug into SIEM, syslog, etc.
– Search/examine from web UI.
• Continuous operation:
– No more brief outage to merge databases nightly.
– Helpful for truly global organizations.
• Multiple password policies:
– Per group of systems (if mutually exclusive requirements).
– Per group of users (based on risk).
– Untrained, non-technical users asked to perform tasks.
– Sessions recorded and analyzed.
– UI "tweaked" – nav, instructions, layout and more.
– More users asked to repeat, to validate results.
• The entire UI was refreshed as a result:
– Easier to navigate.
– Easier to understand.
– Less time per session.
• Other changes:
– Left-side navigation bar dropped – easier to embed UI in portals.
– Overhauled login screens, to support new authentication models.
– Dynamic evaluation of password policy compliance as you type.
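Two of the points above, multiple password policies selected per group of users based on risk, and evaluation of policy compliance as the user types, fit together in a small evaluator. The following is an added example, not the product's own code or configuration: the two policies, the user classes and the fallback to the strictest policy for an unknown class are all assumptions made here for illustration. The evaluator returns the status of every rule rather than a single pass/fail, which is what a UI needs to update each rule's indicator on every keystroke.

```python
import re

# Constructed policies keyed by user class (not the product's actual configuration):
# the higher-risk class is stricter, matching "per group of users (based on risk)".
POLICIES = {
    "standard":   {"min_length": 10, "min_classes": 3},
    "privileged": {"min_length": 16, "min_classes": 4},
}

CHARACTER_CLASSES = {
    "lower":  re.compile(r"[a-z]"),
    "upper":  re.compile(r"[A-Z]"),
    "digit":  re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_for(user_class):
    """Select the policy for a user class; an unknown class gets the strictest one (assumption)."""
    return POLICIES.get(user_class, POLICIES["privileged"])


def evaluate(candidate, policy, login_id="", history=()):
    """Check a candidate password against one policy.

    Returns an ordered mapping of rule description -> pass/fail so a UI can
    refresh each rule's indicator on every keystroke instead of reporting one
    failure after submit. `history` holds previously used passwords as plain
    strings for the demo; a real deployment would compare salted hashes.
    """
    classes_present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(candidate))
    return {
        f"at least {policy['min_length']} characters": len(candidate) >= policy["min_length"],
        f"at least {policy['min_classes']} of: lower, upper, digit, symbol":
            classes_present >= policy["min_classes"],
        "does not contain the login ID":
            not login_id or login_id.lower() not in candidate.lower(),
        "not previously used": candidate not in history,
    }


def compliant(results):
    return all(results.values())


def failing_rules(results):
    return [rule for rule, ok in results.items() if not ok]


if __name__ == "__main__":
    # Simulate typing: every rule's status is recomputed after each character.
    typed_so_far = "Tr0ub4dor&3x"
    for i in range(1, len(typed_so_far) + 1):
        typed = typed_so_far[:i]
        res = evaluate(typed, policy_for("standard"), login_id="alice")
        status = "OK" if compliant(res) else "missing: " + ", ".join(failing_rules(res))
        print(f"{typed!r:16} {status}")
```

Because the same candidate is evaluated against whichever policy the user's class selects, the same string can be compliant for a standard user and rejected for a privileged one; the failing-rule list makes that difference visible to the user immediately.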
• User signs on to manage identity, entitlements, credentials.
• Examples:
– Change my password(s).
– Enroll or update security questions.
– Enter mobile number, personal e-mail address.
– Update mailing address.
– Request access to a share, folder or app.
– Look up co-worker and add contact to mobile.
– Recertify users, entitlements.
– Approve/reject open requests.
5 Platform changes since 7.x
5.1 One-click: new node
• Easier to add an app node:
– Increase capacity.
– Recover from hardware or facility problem.
• Replicas:
– Need not be configured in advance.
– Are somewhat disposable.
• Mechanism:
– Configure a new replica, in disabled state.
– Send it a full data set.
– Queue up changes while sending bulk data.
– Enable the node when ready.
– Aware of schema dependencies – sends data over in a safe order.
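The mechanism described above (disabled replica, bulk copy in dependency-safe order, changes queued during the copy, enable when caught up) is easiest to see in a simulation. The code below is an added example and not the product's replication code: the four-table schema, the foreign-key dependencies and the in-memory "primary" and "replica" are constructed for illustration. Tables are shipped in a topological order of their dependencies so that no child row arrives before the parent row it references, and writes that land on the primary during the copy are queued and replayed before the node is enabled.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed schema: a child table references its parents through foreign keys,
# so rows must be shipped parents-first or the replica would reject them.
SCHEMA_DEPENDENCIES = {
    "users": [],
    "groups": [],
    "memberships": ["users", "groups"],
    "credentials": ["users"],
}


def load_order(deps):
    """Topological order of tables (Kahn's algorithm): every parent before its children."""
    indegree = {t: len(parents) for t, parents in deps.items()}
    children = defaultdict(list)
    for t, parents in deps.items():
        for p in parents:
            children[p].append(t)
    ready = deque(sorted(t for t, d in indegree.items() if d == 0))
    order = []
    while ready:
        t = ready.popleft()
        order.append(t)
        for c in sorted(children[t]):
            indegree[c] -= 1
            if indegree[c] == 0:
                ready.append(c)
    if len(order) != len(deps):
        raise ValueError("cyclic schema dependency")
    return order


@dataclass
class Replica:
    enabled: bool = False
    tables: dict = field(default_factory=lambda: defaultdict(dict))
    queued: list = field(default_factory=list)   # changes held back during the bulk copy

    def apply(self, change):
        table, key, row = change
        if row is None:                          # None means delete
            self.tables[table].pop(key, None)
        else:
            self.tables[table][key] = row


class Primary:
    def __init__(self, tables):
        self.tables = {t: dict(rows) for t, rows in tables.items()}
        self.replicas = []

    def commit(self, table, key, row):
        """Apply a change locally, then forward it: enabled nodes get it at once,
        nodes still receiving bulk data queue it so nothing written during the copy is lost."""
        if row is None:
            self.tables[table].pop(key, None)
        else:
            self.tables[table][key] = row
        for r in self.replicas:
            if r.enabled:
                r.apply((table, key, row))
            else:
                r.queued.append((table, key, row))

    def add_node(self, replica, writes_during_copy=()):
        """One-click bootstrap: register disabled, snapshot, ship in dependency order,
        replay queued changes, enable. `writes_during_copy` simulates production
        traffic that the primary accepts while the copy is in progress."""
        replica.enabled = False
        self.replicas.append(replica)
        snapshot = {t: dict(rows) for t, rows in self.tables.items()}
        for change in writes_during_copy:
            self.commit(*change)                 # lands in replica.queued
        for table in load_order(SCHEMA_DEPENDENCIES):
            for key, row in snapshot.get(table, {}).items():
                replica.apply((table, key, row))
        for change in replica.queued:            # commit order already respects dependencies
            replica.apply(change)
        replica.queued.clear()
        replica.enabled = True
        return replica


if __name__ == "__main__":
    primary = Primary({"users": {"u1": {"name": "alice"}}, "groups": {"g1": {"name": "admins"}},
                       "memberships": {"m1": {"user": "u1", "group": "g1"}}, "credentials": {}})
    node = primary.add_node(Replica(), writes_during_copy=[("users", "u2", {"name": "bob"})])
    print(load_order(SCHEMA_DEPENDENCIES), dict(node.tables))
```

The snapshot is taken once, at a single point, and every later write is queued rather than merged into the copy; replaying the queue in commit order after the bulk data is what makes the replica consistent without pausing the primary.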
Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows: NT through 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices:
Filesystems and content:
SIEM:
• Mostly for Extranet access and B2C deployments.
• Enroll new users with their Facebook, Google, etc. account.
• Login using the same social credentials.
• reCAPTCHA and AreYouAHuman samples provided.
• Externalize the login process from third party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premises: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.
11.2 Policy-driven single sign-on
• Hitachi ID Password Manager can be used as an application launchpad for federated logins.
• Password Manager can also respond to SAML requests to authenticate and authorize user access (IdP responses to SP requests).
• Whether to allow user authentication to persist, and for how long, depends on policy:
– Is this a high risk user?
– Is the user connecting from an untrusted device or location?
– Is this a normal work day and time for the user?
• Policy uses rules to decide whether and for how long to persist login sessions.
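The three policy questions above can be expressed as independent rules that each cap the session lifetime, with the most restrictive applicable rule winning. The code below is an added example, not the product's policy engine: the rule thresholds (no persistence for high-risk users, one hour from an untrusted device, four hours outside a Monday-to-Friday 08:00-18:00 window, twelve hours otherwise) and the sample logins are assumptions made here. The decision also returns the names of the rules that set the limit, so the outcome can be logged and explained.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginContext:
    user: str
    high_risk: bool          # e.g. a privileged or recently flagged account
    device_trusted: bool     # managed device on a known network/location
    login_time: datetime     # in the user's local time zone


# Each constructed rule answers one of the three policy questions. A rule returns
# the longest session lifetime it is willing to allow, or None when it does not
# apply; zero means "authenticate again on every access".
def rule_high_risk(ctx):
    return timedelta(0) if ctx.high_risk else None


def rule_untrusted_device(ctx):
    return timedelta(hours=1) if not ctx.device_trusted else None


def rule_outside_work_hours(ctx):
    weekday = ctx.login_time.weekday() < 5
    in_hours = 8 <= ctx.login_time.hour < 18
    return timedelta(hours=4) if not (weekday and in_hours) else None


DEFAULT_LIFETIME = timedelta(hours=12)   # assumed lifetime when no rule restricts the session
RULES = (rule_high_risk, rule_untrusted_device, rule_outside_work_hours)


def decide_session(ctx, rules=RULES, default=DEFAULT_LIFETIME):
    """Return (persist, lifetime, reasons).

    The most restrictive applicable rule wins, so adding a rule can only shorten
    a session, never extend one. `reasons` names the rule(s) that set the limit
    (empty when the default applied).
    """
    limits = [(rule.__name__, rule(ctx)) for rule in rules]
    limits = [(name, limit) for name, limit in limits if limit is not None]
    lifetime = min([limit for _, limit in limits] + [default])
    reasons = [name for name, limit in limits if limit == lifetime]
    return lifetime > timedelta(0), lifetime, reasons


def sample_contexts():
    """Constructed logins covering the three policy questions."""
    return {
        "alice": LoginContext("alice", False, True, datetime(2024, 6, 11, 10, 0)),   # Tuesday, office hours
        "bob":   LoginContext("bob", True, True, datetime(2024, 6, 11, 10, 0)),      # high-risk user
        "carol": LoginContext("carol", False, False, datetime(2024, 6, 9, 22, 0)),   # Sunday night, unmanaged device
    }


if __name__ == "__main__":
    for user, ctx in sample_contexts().items():
        persist, lifetime, reasons = decide_session(ctx)
        print(f"{user:6} persist={persist} lifetime={lifetime} reasons={reasons}")
```

Carol's login trips two rules (untrusted device and off-hours); only the tighter one-hour limit is reported as the reason, which is what an analyst reviewing the session log needs to see.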
11.3 Hitachi ID Mobile Access authentication factor
• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down or AD or RADIUS is unreachable.
12 Personal password vault
12.1 Personal vaults
• Users want secure, convenient access to all their credentials, not just those related to work.
• Access should work on all devices (PC, phone, etc.).
• The user's employer should not be able to access/decrypt this data – this is just a friendly service offered by IT, not a compromise of PII.
• Similar to FastPass, LastPass, LogMeIn, etc., but no extra cost for employees.
• Built into Hitachi ID Password Manager starting with 10.0.
• The AD and AD-LDS connectors support persistent listing.
• A Persistent Connector Service (PCS) launches the connector in a special mode:
– Initially runs a full discovery.
– Keeps the connector attached to the target system.
• Every few seconds, the connector asks for directory changes:
– Changes may have originated on the DC or come from replication.
– Tokens track which changes have been exported.
– The process can be moved across servers or DCs without data loss.
• Changes:
– Update the internal Hitachi ID Suite database.
– Trigger the same business logic as bulk auto-discovery.
– Update cached user class membership.
• A full synchronization is required after target configuration changes:
– Changed scope (OUs, domain names).
– Changes to attribute mapping.
• It is feasible to integrate with very large directories:
– 10,000,000 objects.
– Long-running discovery is no longer a constraint.
• Auto-discovery time is significantly reduced:
– Listing and loading from AD usually takes longer than other targets.
– Removing list + load times from AD can cut periodic auto-discovery time in half.
– It becomes feasible to run all remaining discovery tasks more often.
• New accounts, group memberships have an immediate impact:
– Unauthorized group membership? Revoke and alert in real time.
– Change in group membership or attribute? Can perform newly-authorized actions immediately.
– New account onboarded? Can manage passwords without delay.
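The persistent-listing loop above (full discovery once, then short polls driven by a change token, the same business logic on both paths, token carried across servers, full resync on a scope change) is shown end to end in the following added example. It is not the connector's code: the directory with a numbered change log is a constructed stand-in for a domain controller's replication metadata, and the "authorized members" table, the OU scope and the sample objects are assumptions made here. The business logic it runs on each change is the first item on the last list above: membership in a sensitive group that is not authorized is revoked on the target and an alert is recorded.

```python
from dataclasses import dataclass, field


@dataclass
class Change:
    seq: int        # monotonically increasing change number (constructed stand-in for a USN)
    dn: str
    attr: str
    value: object


class Directory:
    """Constructed stand-in for a domain controller: current objects plus a change log."""
    def __init__(self):
        self.objects = {}
        self.log = []

    def write(self, dn, attr, value):
        self.objects.setdefault(dn, {})[attr] = value
        self.log.append(Change(len(self.log) + 1, dn, attr, value))

    def changes_since(self, token):
        return [c for c in self.log if c.seq > token]


@dataclass
class ConnectorState:
    scope: tuple = ("OU=Staff",)               # OU suffixes being managed
    token: int = 0                             # last change exported; survives moving servers
    cache: dict = field(default_factory=dict)  # the suite's own copy of in-scope objects
    alerts: list = field(default_factory=list)


# Constructed authorization data: who may be a member of each sensitive group.
AUTHORIZED_MEMBERS = {"CN=Domain Admins,OU=Groups": {"CN=alice,OU=Staff"}}


def in_scope(dn, state):
    return any(dn.endswith(ou) for ou in state.scope)


def apply_business_logic(directory, state, dn, attrs):
    """Same logic for bulk discovery and incremental changes: unauthorized
    group membership is revoked on the target and an alert is raised."""
    if dn in AUTHORIZED_MEMBERS and "member" in attrs:
        unauthorized = set(attrs["member"]) - AUTHORIZED_MEMBERS[dn]
        if unauthorized:
            state.alerts.append((dn, sorted(unauthorized)))
            directory.write(dn, "member", set(attrs["member"]) - unauthorized)


def full_discovery(directory, state):
    """Bulk load; needed initially and whenever scope or attribute mapping changes."""
    state.cache = {dn: dict(a) for dn, a in directory.objects.items() if in_scope(dn, state)}
    state.token = len(directory.log)    # the bulk load already reflects every logged change
    for dn in list(state.cache):
        apply_business_logic(directory, state, dn, state.cache[dn])


def poll(directory, state):
    """Incremental pass run every few seconds: fetch changes after the token,
    update the cache, run the business logic, advance the token."""
    for change in directory.changes_since(state.token):
        if in_scope(change.dn, state):
            state.cache.setdefault(change.dn, {})[change.attr] = change.value
            apply_business_logic(directory, state, change.dn, state.cache[change.dn])
        state.token = change.seq
    return state.token


def change_scope(directory, state, new_scope):
    """A scope change invalidates what the token covers, so resynchronize fully."""
    state.scope = tuple(new_scope)
    full_discovery(directory, state)


if __name__ == "__main__":
    d = Directory()
    d.write("CN=alice,OU=Staff", "sAMAccountName", "alice")
    d.write("CN=Domain Admins,OU=Groups", "member", {"CN=alice,OU=Staff"})
    st = ConnectorState(scope=("OU=Staff", "OU=Groups"))
    full_discovery(d, st)
    d.write("CN=Domain Admins,OU=Groups", "member", {"CN=alice,OU=Staff", "CN=mallory,OU=Staff"})
    poll(d, st)
    print("token", st.token, "alerts", st.alerts)
```

The revocation is itself a directory write, so it appears in the change log and is picked up by the next poll; because the membership is then authorized, no further write or alert results, and a connector resumed on another server with the same token sees exactly that one remaining change and nothing is lost or duplicated.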