Hitachi ID Identity Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Manage identities, accounts, groups and roles: automation, requests, approvals, reviews, SoD and RBAC.
Agenda
• Corporate
• Hitachi ID Identity Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and
• Users can request access for themselves or for others.
• The access control model limits what each user can see and what they can request.
Accounts and groups:
• Create, manage and delete accounts and groups across systems.
• Update attributes and assign/revoke group memberships.
Workflow:
• Invite authorizers, implementers and certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.
• Segregation of duties.
• Risk scores.
• Role-based access control.
• Authorizer and certifier selection.
• Visibility / privacy protection.
• Manage accounts and groups via 120 connectors.
• E-mail.
• Create/update/close tickets.
• Send events to SIEM.
5.3 Process automation, then access cleanup
• Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement lifecycles out of the gate:
– Joiners, movers, leavers processes.
– Password management, strong authentication and federation.
– Change requests, approval, review/certification.
– Driven by both SoR data and requests.
• No need to "clean up" entitlements before automating access changes.
• Roles can be added later: they are not a prerequisite.
• Automate first, clean up afterwards:
– Unlike with competitors, automation is pre-configured and easy.
– Start with basic integrations, add connectors over time.
– Leverage automation and user knowledge to help clean up.
– Add roles and expand automation over time.
• Hitachi ID Identity Manager can manage groups as well as accounts on target systems.
• This includes:
– Create new group.
– Assign/revoke members.
– Modify group owners, description and metadata.
– Manage parent/child relationships.
– Rename/move (change CN or OU).
• All change requests, whether applied to identities, accounts or groups, flow through workflow:
– Hidden and calculated elements.
– Validation and policy checking.
– Policy-based approvals.
– Change history.
• Group memberships and role assignments can be:
– Requested, subject to approval, review and revocation.
– Calculated, based on identity attributes and other groups.
– Scheduled with a start and end date.
• A dedicated UI is provided for group members and owners to make changes.
5.5 Monitoring systems of record
• Any target system can function as a system of record (SoR).
• Examples: HR apps, SQL databases, CSV files, ...
• Hitachi ID Identity Manager can monitor multiple SoRs:
– Multinationals: regional HR systems.
– Colleges: students vs. faculty/staff.
• Map attributes to user profiles and prioritize between SoRs.
• Automatically submit access requests in response to detected changes.
• Users can submit pre-emptive or corrective requests:
– New hire not yet in HR.
– HR data is wrong.
– Override SoR data until HR updates it.
• Request portal handles users who never appear in SoRs:
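The SoR monitoring described above, as an added example that is not Hitachi ID code: several feeds are merged by a priority order, the merged profiles are compared with the previous run's snapshot, and each difference becomes a joiner, mover or leaver request. The feed names, attribute names and priority table are assumptions, and the sample data is constructed.

```python
"""Detect joiner / mover / leaver events from one or more systems of record."""

# Lower number wins when two SoRs disagree on an attribute (assumed policy).
SOR_PRIORITY = {"hr_emea": 1, "hr_apac": 2, "students_csv": 3}
TRACKED = ("department", "manager", "status")   # attributes that drive access

def merge_profiles(feeds):
    """feeds: {sor: {user_id: {attr: value}}} -> {user_id: {attr: value}}.
    Feeds are applied lowest priority first so higher-priority values overwrite."""
    profiles = {}
    for sor in sorted(feeds, key=lambda s: SOR_PRIORITY[s], reverse=True):
        for uid, attrs in feeds[sor].items():
            profiles.setdefault(uid, {}).update(attrs)
    return profiles

def detect_changes(previous, current, tracked=TRACKED):
    """Compare last run's merged snapshot with the current one and return
    (kind, user_id, detail) tuples that an access request would be built from."""
    requests = []
    for uid in sorted(set(previous) | set(current)):
        before, after = previous.get(uid), current.get(uid)
        if before is None:                                   # joiner
            requests.append(("joiner", uid, {k: after.get(k) for k in tracked}))
        elif after is None or after.get("status") == "terminated":
            if before.get("status") != "terminated":         # report a leaver once
                requests.append(("leaver", uid, {}))
        else:                                                # mover: attribute deltas
            delta = {k: (before.get(k), after.get(k)) for k in tracked
                     if before.get(k) != after.get(k)}
            if delta:
                requests.append(("mover", uid, delta))
    return requests

# Constructed sample: previous run's merged profiles and today's raw feeds.
PREVIOUS = {
    "u100": {"department": "Finance", "manager": "u001", "status": "active"},
    "u101": {"department": "Sales", "manager": "u002", "status": "active"},
}
FEEDS = {
    "hr_emea": {"u100": {"department": "Treasury", "manager": "u001", "status": "active"},
                "u101": {"department": "Sales", "manager": "u002", "status": "terminated"}},
    # stale, lower-priority copy of u100 plus a user only this SoR knows about
    "hr_apac": {"u100": {"department": "Finance", "manager": "u001", "status": "active"},
                "u102": {"department": "Support", "manager": "u003", "status": "active"}},
}

def run():
    return detect_changes(PREVIOUS, merge_profiles(FEEDS))

if __name__ == "__main__":
    for kind, uid, detail in run():
        print(kind, uid, detail)
```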
• Users rarely know where or how to request access!
• Make recommendations:
– What entitlements do peers of the recipient have?
– Rank by popularity, omit already-held rights.
• Windows shell extension, SharePoint error page:
– Intercept "Access Denied" errors.
– Navigate user to appropriate request URL.
• Compare users:
– Compare entitlements between the intended recipient and a reference user.
– Select entitlements from the variance.
• Search for entitlements:
– Keywords, description, metadata/tags.
• Relationship between requester and recipient:
– What recipients can the requester see?
– What identity attributes are visible?
– What kinds of requests are available?
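The peer-based recommendation and user comparison described above, as an added example that is not Hitachi ID code: peers are users who share chosen identity attributes with the recipient, candidate entitlements are ranked by how many peers hold them with already-held rights omitted, and a reference-user comparison returns the variance in both directions. The attribute and entitlement names are assumptions and the directory is constructed.

```python
"""Recommend entitlements from peers and compare a recipient with a reference user."""
from collections import Counter

# Constructed directory: identity attributes plus currently held entitlements.
USERS = {
    "alice":  {"dept": "Finance", "manager": "carol", "ent": {"erp-ap", "erp-gl", "vpn"}},
    "bob":    {"dept": "Finance", "manager": "carol", "ent": {"erp-ap", "vpn", "share-fin"}},
    "dave":   {"dept": "Finance", "manager": "carol", "ent": {"erp-ap", "erp-gl", "vpn", "share-fin"}},
    "erin":   {"dept": "Sales",   "manager": "frank", "ent": {"crm", "vpn"}},
    "newbie": {"dept": "Finance", "manager": "carol", "ent": {"vpn"}},
}

def peers_of(uid, users=USERS, keys=("dept", "manager")):
    """Peers are other users whose chosen identity attributes match the recipient's."""
    me = users[uid]
    return [u for u, rec in users.items()
            if u != uid and all(rec[k] == me[k] for k in keys)]

def recommend(uid, users=USERS, min_share=0.5):
    """Return (entitlement, share_of_peers_holding_it), most popular first,
    omitting rights the recipient already holds and rights below min_share."""
    peers = peers_of(uid, users)
    if not peers:
        return []                      # nothing to infer from: no peers in the directory
    held = users[uid]["ent"]
    counts = Counter(e for p in peers for e in users[p]["ent"] if e not in held)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))  # ties by name
    return [(e, n / len(peers)) for e, n in ranked if n / len(peers) >= min_share]

def variance(uid, reference, users=USERS):
    """Rights the reference user has that the recipient lacks (candidates to request)
    and rights only the recipient has (worth a review)."""
    mine, theirs = users[uid]["ent"], users[reference]["ent"]
    return {"missing": sorted(theirs - mine), "extra": sorted(mine - theirs)}

if __name__ == "__main__":
    print(recommend("newbie"))
    print(variance("newbie", "dave"))
```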
5.7 Robust, policy-driven workflow
• Workflow invites stake-holders to participate in processes:
– Approve or reject a request.
– Review entitlements and recertify or remediate.
– Fulfill an approved request.
– Extensible, e.g., audit cases.
• Stake-holders are invited based on policy:
– No flow-charts or diagrams required.
– Process is simple, transparent and secure.
– Routing may be based on relationships, resource ownership or risk.
• The process is robust, even when people aren't:
– Invite N participants, accept responses from M (M<N).
– Simultaneous invitations by default (sequential made sense for paper forms).
– Automatically send reminders.
– Escalate (e.g., to manager) if unresponsive.
– Check out-of-office message, pre-emptively escalate.
– Accessible from smart phone, not just PC.
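The M-of-N approval step described above, as an added example that is not Hitachi ID code: authorizers are selected by a policy rule (resource owners plus the recipient's manager) rather than a flow-chart, all are invited at once, the step completes on M approvals or on any rejection, and silent invitees are reminded and then escalated to their own manager. The reminder and escalation thresholds, the policy rule and the sample people are assumptions.

```python
"""Policy-driven approval: invite N, accept M, remind, escalate."""

REMIND_AFTER = 2     # days of silence before a reminder (assumed policy)
ESCALATE_AFTER = 5   # days of silence before escalating to the invitee's manager

def select_authorizers(request, owners, managers):
    """Policy, not a flow-chart: owners of the resource plus the recipient's manager."""
    invited = set(owners.get(request["resource"], []))
    invited.add(managers[request["recipient"]])
    invited.discard(request["recipient"])          # nobody approves their own request
    return sorted(invited)

class ApprovalStep:
    def __init__(self, invited, required, managers):
        self.invited, self.required, self.managers = set(invited), required, managers
        self.responses = {}                         # user -> "approve" | "reject"
        self.reminded, self.escalated = set(), set()

    def respond(self, user, decision):
        """Only invited users may respond, and only once."""
        if user in self.invited and user not in self.responses:
            self.responses[user] = decision

    def tick(self, day):
        """Run once per day: remind silent invitees, then escalate them to their manager."""
        actions = []
        for user in sorted(self.invited - set(self.responses) - self.escalated):
            if day >= ESCALATE_AFTER and user in self.managers:
                boss = self.managers[user]
                self.escalated.add(user)
                self.invited.add(boss)              # the manager may now respond instead
                actions.append(("escalate", user, boss))
            elif day >= REMIND_AFTER and user not in self.reminded:
                self.reminded.add(user)
                actions.append(("remind", user))
        return actions

    def outcome(self):
        """Any rejection ends the step; otherwise M approvals are needed."""
        if "reject" in self.responses.values():
            return "rejected"
        approvals = sum(d == "approve" for d in self.responses.values())
        return "approved" if approvals >= self.required else "pending"

# Constructed sample: a new hire's manager and two application owners are invited.
OWNERS = {"erp-gl": ["owner1", "owner2"]}
MANAGERS = {"newhire": "mgr", "owner1": "cfo", "owner2": "cfo", "mgr": "vp"}
REQUEST = {"recipient": "newhire", "resource": "erp-gl"}
```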
– Many include multiple modes (e.g., dormant vs. orphan accounts).
– Identities, entitlements, history, system operation, trends, etc.
– Easy to add custom reports.
• Many dashboards included as well.
• Run interactively or schedule (once, recurring).
• Deliver output (HTML, CSV, PDF):
– Interactively.
– In e-mails.
– Drop files on UNC shares.
– Stream results via web services.
• Actionable analytics:
– Feedback from reports to requests.
– Automated remediation.
• Database is normalized and documented, so third-party tools can be used too.
• Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
• Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
• Server OS – X86/IA64: Windows NT through 2016; Linux and *BSD.
• Server OS – Unix: Solaris, AIX and HP-UX.
• Server OS – Mainframe: RACF, ACF/2 and TopSecret.
• Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
• ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
• Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
• Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
• Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
• Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
• PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
• Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
• HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
• Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
• Hypervisors and IaaS: AWS; vSphere and ESXi.
• Mobile management: BlackBerry Enterprise Server and MobileIron.
• Network devices:
• Filesystems and content:
• SIEM:
• Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
– Needs analysis and solution design.
– Fixed-price system deployment.
– Project planning.
– Roll-out management, including maximizing user adoption.
– Ongoing system monitoring.
– Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
– Solution design.
– Statement of work.
8.2 ID Express
Before reference implementations:
• Every implementation starts from scratch.
• Some code reuse, in the form of libraries.
• Even simple business processes have complex boundary conditions: