1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Administration and governance of identities, entitlements and credentials.
2 Agenda
• Corporate
• Identity and access management
• Key business drivers
• Hitachi ID Suite
• Technology
• Key competitors
• Recorded demos
• Differentiation
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M+ licensed users.
• Offices in North America, Europe and
• Users can request for themselves or others.
• Access control model limits visibility, requestability.
Accounts and groups:
• Create, manage and delete accounts & groups across systems.
• Update attributes and assign/revoke group memberships.
Workflow:
• Invite authorizers, implementers, certifiers to act.
• Built-in reminders, escalation, delegation and more.
• Selects participants via policy, not flow-charts.
• Password change, reset and unlock.
• Token or smart card PIN reset.
• Unlock encrypted drive with forgotten pre-boot password.
Value-add:
• 2FA – built-in for all users, including via mobile app.
• Federated access – replace other apps’ login screens.
• Password vault – users can store unmanaged passwords.
Access from:
• PC browser or login screen.
• At the office or off-site.
• Smart phone app or self-service phone call.
Assisted service:
• Password, token PIN, intruder lockout.
Policy enforcement:
• Two-factor authentication for all users.
• Password complexity, expiry, history.
• Non-password authentication.
Managed enrollment:
• Security questions.
• Login IDs.
• Mobile phone numbers.
• Find systems, accounts.
• Automatically attach policies via rules.
Passwords:
• Randomize on a schedule and after use.
• Store in an encrypted, replicated, distributed vault.
Authorization:
• Policy-driven rules.
• Pre-authorized and request/approval workflow if not routine.
Grant access:
• Single sign-on (login once, launch many).
• Request multiple accounts, run commands across them.
• Launch SSH, RDP, vSphere, SQL, etc.
• Direct connection, VDI proxy or HTML5 proxy.
• Password display and copy buffer integration.
• Temporary group membership or SSH trust.
Application passwords:
• Notify SCM, IIS, Scheduler, DCOM of new passwords.
• API replaces embedded passwords.
Logging:
• Requests, approvals, logins to privileged accounts.
Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
Server OS – X86/IA64: Windows NT thru 2016; Linux and *BSD.
Server OS – Unix: Solaris, AIX and HP-UX.
Server OS – Mainframe: RACF, ACF/2 and TopSecret.
Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.
Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
Hypervisors and IaaS: AWS; vSphere and ESXi.
Mobile management: BlackBerry Enterprise Server and MobileIron.
Network devices:
Filesystems and content:
SIEM:
– Intercept ’access denied’ errors and navigate to the appropriate request page.
– Compare user A to user B.
– Suggestions based on a statistical model.
• Implementation can be costly/risky/long:
– Rich process automation, quickly with Hitachi ID Identity Express.
– Services are a cash cow for some competitors.
• This should be just one product.
– "Provisioning," "Governance" and group management in one product.
– Others have up to 8 (Oracle). Cash grab?
• Process automation is essential.
– Some vendors (e.g., SailPoint) really only offer access cert.
– Customers spend millions without automating anything.
• BYOD for faster approval without a possibly insecure public URL.
• Connectors are important.
– In base price, easy to turn on.
– With some products, this is either complicated or costly.
10.2 PM: What others miss
• Accessible from the PC login screen?
– While off-site?
• Self-service if the user forgot their pre-boot (crypto) password?
• Is 2FA included, in the base price?
• Is federated access and SSO included?
• Can users get to it with their phones?
– Without exposing this sensitive app to the Internet?
• Does it automatically remind users to enroll?
– ROI depends on user adoption.
– Strong user engagement is mandatory.
• Can it manage every password, not just AD/Windows logins?
– Mainframe/legacy?
– SaaS like SalesForce.com, O365, Google, WebEx?
– ERP like SAP or Oracle EBS?
– Custom apps and vertical market apps?
• Can it manage other credentials, like PINs on smart cards and tokens?
– Zero effort and delay to "recover" from a disaster.
– Imperative in an emergency.
– All competitors have a single point of failure, warm-standby architecture.
• Should be able to launch any kind of session, grant any kind of privilege:
– Hitachi ID supports non-human accounts, SSH trust, group memberships, etc.
– Some competitors are just SSH/RDP proxies – very limited.
• Convenient, flexible logins to managed accounts:
– Login once, launch many sessions.
– Request multiple accounts at once.
– Direct connection (scales well).
– VDI proxies (flexible, commodity).
– HTML proxies (for untrusted clients/vendors, lowest cost).
– Competitors mainly rely on "jump server" approaches (no SSO, not scalable).
• Automation must scale:
– Discover systems, accounts; classify, connect and onboard.
– Most competitors are missing this.
• Some products are still delivered as appliances.
– The 1990s called and they want their hardware back...
11 Hitachi ID Suite summary
• Three integrated IAM products, licensed to over 14M users, that can:
– Discover and connect identities across systems and applications.
– Securely and efficiently manage identities, groups, entitlements and credentials.
– Secure and monitor access to privileged accounts.
– Provide strong authentication and federated sign-on.
• Improve security to comply with regulations.
• Reduce IT support cost and improve user productivity.
• Consolidate management of on-premises and SaaS apps.