
Hitachi ID Identity Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Entitlement Administration and Governance: Automation, requests, approvals, recertification, SoD and RBAC.

Agenda
- Introductions.
- Hitachi ID corporate overview.
- IDM Suite overview.
- Identity problems and Hitachi ID Identity Manager benefits.
- The HiIM solution.
- Software demonstration.

2013 Hitachi ID Systems, Inc. All rights reserved.

Slide Presentation

Hitachi ID Corporate Overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
- Founded as M-Tech in 1992.
- A division of Hitachi, Ltd. since 2008.
- Over 1000 customers.
- 12M+ licensed users.
- Offices in North America, Europe and APAC. Partners globally.

Representative Hitachi ID Customers


IDM Suite

Identity and Access Problems


For users
- How to request a change?
- Who must approve the change?
- When will the change be completed?
- Too many passwords.
- Too many login prompts.
For IT support
- Onboarding, deactivation across many apps is challenging.
- More apps all the time!
- What data is trustworthy and what is obsolete?
- Not notified of new-hires/terminations on time.
- Hard to interpret end user requests.
- Who can request, who should authorize changes?
- What entitlements are appropriate for each user?
The problems increase as scope grows from internal to external.


Identity and Access Problems (continued)


For Security / risk / audit
- Orphan, dormant accounts.
- Too many people with privileged access.
- Static admin, service passwords a security risk.
- Weak password, password-reset processes.
- Inappropriate, outdated entitlements.
- Who owns ID X on system Y?
- Who approved entitlement W on system Z?
- Limited/unreliable audit logs in apps.
For Developers
- Need temporary access (e.g., prod migration).
- Half the code in every new app is the same: identify, authenticate, authorize, audit, and manage the above.

Mistakes in this infrastructure create security holes.

User Provisioning

User provisioning is defined as: software to create, modify and delete users on different systems.
It must include connectors:
- Directories.
- Operating systems.
- Applications.
It also has to implement business process:
- Data synchronization from one system to another.
- Self-service requests.
- Authorization workflows.
Finally, it should enforce policy rules:
- Login ID assignment.
- Approval rules.
- Segregation of duties.


IDM Suite Component Overview


Hitachi ID Identity Manager: Create, manage and delete users and entitlements. Automation, self-service and delegation.

Add-ons:
- Hitachi ID Access Certifier: Periodic review and cleanup of users and entitlements.
- Hitachi ID Group Manager: Self service, resource-centric management of AD group membership.
- Hitachi ID Password Manager: Synchronize, reset passwords. Manage RSA tokens, security questions, voice prints, PKI certs.
- Hitachi ID Org Manager: Periodic updates to data mapping users to their managers.
- Hitachi ID Phone PW Manager: Turn-key IVR for password reset and token management.
- Hitachi ID Login Manager: Auto-populate login IDs and synchronized passwords for users.
- Periodically randomize and control access to sensitive passwords.


IDM Suite in the User Lifecycle


The slide is a matrix of lifecycle stage against three mechanisms: automation, self service / request workflow, and policy enforcement.

Onboarding
- From HR (employees).
- Web UI (contractors).
- Role-based setup.
- Standardized IDs, OU, mail store, etc.
Management
- Identity synchronization.
- Automatic role changes.
- Applications.
- Group membership.
- Profile updates.
- SoD enforcement.
- Authorize changes.
- ID mapping.
Support
- Password reset.
- Resolve access denied errors.
- Password strength.
- Password expiry.
Deactivation
- Auto-termination.
- Access certification.
- Scheduled terminations.
- Archive mailboxes, home dirs, etc.


HiIM Features
Automation: Provision joiners, deactivate leavers. Multiple HR feeds.

Requests portal: Self-service profile updates. Delegated security change requests.

Security controls: Access certification. RBAC and SoD. Reports on current entitlements, history.

Workow process: Authorizers. Implementers. Certiers.

Integrations: 110+ bidirectional connectors, included. Incident management, SIEM, e-mail interfaces. Manage building access, physical assets.

Identity synchronization: Consistent data among apps.


Closed Loop IAM

(Diagram of the Hitachi ID Management Suite closed loop; only its labels survive extraction.)
- Integrated Systems of Record: list people; auto discovery feeds the Identity Cache.
- Integrated Target Systems: list accounts; detected changes; auto-provisioning and identity synch. push updates through Connectors (create, delete, update accounts).
- Identity Cache: automatic requests into the Request Queue.
- Requesters: manual requests via the Requests Web UI (validate requests, route for approval, invite authorizers, send reminders, escalate, delegate).
- Authorizers: invitations; approve, reject, delegate via the Approvals Web UI.
- Certifiers: invitations; review, certify, correct via the Certification Web UI.
- Workflow Manager and Transaction Manager: Request Queue; autofulfillment through Connectors; manual fulfillment through the Work Queue.
- Non-integrated Systems: Implementers accept and confirm via the Implementer Web UI.
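The loop above hinges on one step: a nightly listing of accounts is compared against the identity cache, and every discrepancy (orphan account, out-of-band grant, account missing from a target) becomes a request in a queue. The following added example sketches that reconciliation pass with constructed data; it is not Hitachi ID code, and the queue names and record layout are assumptions.

```python
"""Closed-loop reconciliation, as in the diagram: compare what the identity
cache believes against accounts auto-discovered on a target system, and turn
each discrepancy into a request. Constructed example, not Hitachi ID code."""
from dataclasses import dataclass
@dataclass(frozen=True)
class Discrepancy:
    kind: str    # orphan | out_of_band_grant | out_of_band_revoke | missing_account
    target: str
    login: str
    detail: str
# Which queue handles each kind of finding (assumed policy, not the product's).
ROUTE = {
    "orphan": "certification:system-owner",             # name an owner or delete
    "out_of_band_grant": "approval:entitlement-owner",  # approve late or revert
    "out_of_band_revoke": "approval:manager",
    "missing_account": "automation:re-provision",
}

def reconcile(cache, discovered, target):
    """cache: {login: {"owner": str|None, "groups": set}} as last recorded by IAM.
    discovered: {login: {"groups": set}} as listed from the target right now."""
    findings = []
    for login, acct in discovered.items():
        known = cache.get(login)
        if known is None or known["owner"] is None:
            findings.append(Discrepancy("orphan", target, login, "no owner in cache"))
            continue
        for g in sorted(acct["groups"] - known["groups"]):
            findings.append(Discrepancy("out_of_band_grant", target, login, g))
        for g in sorted(known["groups"] - acct["groups"]):
            findings.append(Discrepancy("out_of_band_revoke", target, login, g))
    for login in sorted(cache.keys() - discovered.keys()):
        findings.append(Discrepancy("missing_account", target, login, "not on target"))
    return findings

def route(findings):
    """Group findings by the queue that should handle them."""
    queues = {}
    for f in findings:
        queues.setdefault(ROUTE[f.kind], []).append(f)
    return queues

# Constructed sample: identity cache vs. a nightly account listing from AD.
CACHE = {"jsmith": {"owner": "Jane Smith", "groups": {"Staff", "Finance-RO"}},
         "rlee": {"owner": "Ron Lee", "groups": {"Staff"}},
         "svc_backup": {"owner": None, "groups": {"Backup-Operators"}}}
DISCOVERED = {"jsmith": {"groups": {"Staff", "Finance-RO", "Domain Admins"}},
              "svc_backup": {"groups": {"Backup-Operators"}},
              "tmp_admin": {"groups": {"Domain Admins"}}}
```

Running `route(reconcile(CACHE, DISCOVERED, "AD"))` on the sample yields two orphans for certification, one out-of-band grant for the entitlement owner to approve or revert, and one cached account that no longer exists on the target.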


IM Advantages
Integrated solution
- Administration and governance of identities and entitlements in a single product.
- Automation: included.
- Request portal: included.
- Approvals workflow: included.
- Analytics: included.
- Certification: included.
Scalability
- Multi-master architecture.
- Load balanced, replicated.
- Deploy across data centers.
- High performance: native code + stored procedures.
Technology
- Most powerful SoD engine.
- Relationship-based ACLs.
- Parallel workflow optimizes SLA.
- 110 built-in, bidirectional connectors.
Usability
- Business-friendly request process using roles, PDRs.
- Simple e-mail/web authorization.
- Integrated to Windows shell, SharePoint.
- One stop shopping (human + automated fulfillment).
- Multi-lingual.


The Hitachi ID Solution is Flexible


Customize: Every aspect of the user interface

Integrate with:

- 110+ target system types
- Call tracking systems
- HR systems
- Authentication hardware
- Meta directories

Enforce:

- Password policy
- Authentication rules
- Change authorization rules
- User naming standards


Scalability and Fault-Tolerance


- Multiple, load-balanced Hitachi ID Identity Manager servers: active/active architecture.
- Data replication between nodes: built-in, easy to configure. WAN-friendly (high latency, low bandwidth, insecure channels). Reliable (multiple retry queues).
- Proxy servers resolve connection problems: across firewalls; over slow, insecure network routes.
- Large production deployments: 5M users. 130,000 managed systems. 12 load balanced IDM servers. 10,000 completed transactions/hour.


Included Connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.

Servers: Windows NT, 2000, 2003, 2008, 2008R2, Samba, Novell, SharePoint. Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS. Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC, Oracle Hyperion EPM Shared Services, Cache. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. Cloud/SaaS: WebEx, Google Apps, MS Office 365, Salesforce.com, SOAP (generic).

Unix: Linux, Solaris, AIX, HPUX, 24 more variants. ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager


Rapid Integration with Custom Apps


Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications:
- API bindings (C, C++, Java, COM, ActiveX, MQ Series).
- Telnet / TN3270 / TN5250 sessions with TLS or SSL.
- SSH sessions.
- HTTP(S) administrative interfaces.
- Web services.
- Win32 and Unix command-line administration programs.
- SQL scripts.
- Custom LDAP attributes.

Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID.


Multi-Master Architecture

(Architecture diagram; the image did not survive extraction. Labels recoverable from it:)
- Hitachi ID Application servers, each with its own SQL DB (Oracle/SQL), behind a load balancer, a reverse web proxy and a VPN server; an IVR server; SMTP mail or Notes for e-mail.
- Incident management system: e-mails and tickets.
- System of record: lookup.
- Target systems (LDAP, OS/390, AS/400, Unix, ...): native password change trigger, password sync, password validation server(s).
- Remote data center target systems reached through a Hitachi ID proxy server (if needed) across firewalls; cloud-hosted SaaS apps.
- Protocols shown: TCP/IP + AES, Secure Native Protocol, HTTPS, various protocols.

Server Internal Architecture

(Diagram "Hitachi ID Server: Internal Components"; labels recoverable from it:)
- User Interface: IIS or Apache, reached over HTTPS from the user web browser (end user, admin/config).
- Core Services: IDWFM Workflow Manager, IDTM Transaction Manager, PSUPDATE Auto-Discovery, IDTRACK Automation Engine, IDDB Database Manager.
- Business logic plugins and exits.
- IDM Database: Oracle or MSSQL with stored procs; identity cache, requests, configuration, history; real-time encrypted replication between servers.
- Integrations: list, inspect, create, delete, modify users and groups; execute. Secure RPC to a connector, which talks to the target system by native API or protocol.
- Remote site: a Hitachi ID proxy server executes against target systems; a local agent on a target system speaks the Hitachi ID encrypted protocol.


Rapid Deployment and Low TCO


Optimized to minimize effort. User provisioning with HiIM:
- Initial deployment: 6 to 9 months.
- Ongoing maintenance: 0.5 to 1.0 FTE.
Using Hitachi ID Identity Manager technology:
- Built-in nightly auto-discovery of IDs, entitlements.
- Both attribute-based and self-service ID mapping.
- Request, approvals screens and processes are built-in.
- Implementer infrastructure for non-integrated apps is built-in.
- Powerful authorization workflow is built-in.
- Deployment does not depend on role engineering.
- 110 connectors out of the box.
- Rapid integration with custom, vertical apps.
- Easy customization of GUI, business logic.


Competitive Advantages
Unique features
- "Provisioning" and "governance" in one product.
- Access, authorization built around relationships.
- Self-service from any device, any location.
- Users can request resources, not groups.
- SoD engine detects "effective" violations.
Scalable platform
- Real-time data replication.
- Multi-master architecture.
- Proxy server to cross firewalls.
- Stored procedures, native code for speed.
Rapid deployment
- Key features built-in, not custom: request forms, authorization workflow, access certification, auto-discovery, reports.
- A product, not a development environment.
Integrations
- 110+ included connectors.
- Flexible connectors.
- Built-in implementers workflow.
- Incident management, SIEM, etc.


Hitachi ID Professional Services


Hitachi ID offers a variety of services relating to Hitachi ID Identity Manager, including:
- Needs analysis and solution design.
- Fixed price system deployment.
- Project planning.
- Roll-out management, including maximizing user adoption.
- Ongoing system monitoring.
- Training.

Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.


Hitachi ID Solution Delivery Approach


- Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.
- Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1 to 3 months. Work is reviewed and payment is due when milestones are met.
- Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.
- Templates: Template documents and sample business logic are used to expedite work.
- Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.


AdMax: Maximizing User Adoption


Successful implementation of an identity and access management system must be supported by an effective user adoption program. AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects. AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions, using:
- Best practices, case studies and industry norms.
- Enrollment, user adoption and ROI measurement.
- Incentive and disincentive programs.
- Presentations and training materials for users and HD staff.
- Project roles and responsibilities.
- Sample project plans, promotional materials, e-mails, graphics and other user communications.
- Workbooks for project implementation.


Summary

An integrated solution for managing identities and entitlements:
- Automation: onboarding, deactivation, detect out-of-band changes.
- Self-service: profile updates, access requests.
- Delegated management: requests, certification.
- Policy enforcement: RBAC, SoD, authorization.
- Analytics: current, historical entitlements. Explicit vs. actual. Patterns.
- Integrations: 110 bidirectional connectors. Windows, SharePoint, SIEM, help desk.
- Rapid deployment: built-in screens, workflow processes, navigation, ACLs.

Security, lower cost, faster service. Learn more at Hitachi-ID.com/Identity-Manager
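Two claims in this deck, that the SoD engine detects "effective" violations (Competitive Advantages) and that analytics compare explicit vs. actual entitlements (Summary), come down to expanding nested role and group membership before a rule is checked. The following added example, with constructed roles and rules rather than anything from the product, contrasts an explicit-only check with an effective one and reports which explicit grants introduce each conflict.

```python
"""Segregation-of-duties check over effective entitlements: what a user holds
once role and nested-group membership is expanded, versus only what was
explicitly granted. Constructed example, not Hitachi ID code."""

# Constructed hierarchy: each role/group maps to the entitlements or groups it contains.
CONTAINS = {
    "AP-Clerk": {"ERP:CreateVendor", "ERP:EnterInvoice"},
    "AP-Supervisor": {"AP-Clerk", "ERP:ApproveInvoice"},
    "Treasury": {"ERP:ReleasePayment"},
    "Finance-Leads": {"AP-Supervisor", "Treasury"},
}
# Constructed SoD rules: pairs one person must never hold together.
SOD_RULES = [
    ("ERP:CreateVendor", "ERP:ReleasePayment"),
    ("ERP:EnterInvoice", "ERP:ApproveInvoice"),
]

def effective_entitlements(explicit, contains=CONTAINS):
    """Expand explicit grants transitively (cycle-safe); return the flat set of leaves."""
    seen, stack, leaves = set(), list(explicit), set()
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        if item in contains:
            stack.extend(contains[item])
        else:
            leaves.add(item)
    return leaves

def explicit_only_check(explicit, rules=SOD_RULES):
    """Naive check on explicit grants only: misses violations hidden in nesting."""
    return [(a, b) for a, b in rules if a in explicit and b in explicit]

def sod_violations(explicit, rules=SOD_RULES, contains=CONTAINS):
    """Effective check. Returns (rule, via): the violated pair and the explicit
    grants that contribute either side, so a certifier knows what to revoke."""
    eff = effective_entitlements(explicit, contains)
    found = []
    for a, b in rules:
        if a in eff and b in eff:
            via = {g for g in explicit if {a, b} & effective_entitlements({g}, contains)}
            found.append(((a, b), via))
    return found
```

A user holding only "Finance-Leads" passes the explicit-only check yet violates both rules once membership is expanded, which is exactly the gap an effective SoD engine closes.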


Getting an IAM Project Started


- Build a business case.
- Get management sponsorship and a budget.
- Discovery phase, capture detailed requirements.
- Assemble a project team: security, system administration, user support, etc.
- Try before you buy: demos, POCs, pilots.
- Install the software, roll to production.
- Enroll users, if/as required.

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: PRCS:pres Date: September 19, 2013

www.Hitachi-ID.com
