
1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Administration and governance of identities, entitlements and credentials.

2 Agenda
Corporate.
IAM problems / Hitachi ID solutions.
Technology.
Privileged Access.
Example deployments.
Discussion.

3 Corporate

2017 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally.
Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
Founded as M-Tech in 1992.
A division of Hitachi, Ltd. since 2008.
Over 1200 customers.
More than 14M licensed users.
Offices in North America, Europe and APAC.
Global partner network.

3.2 Representative customers

4 Products


4.1 Hitachi ID Suite


4.2 HiIM features

Automation:
Monitor one or more systems of record (SoR).
Generate requests to grant, revoke access.

Request portal:
Users can request for themselves or others.
Access control model limits visibility, requestability.

Certification:
Initiated by the system (event, schedule).
Stake-holders review identities, entitlements.
Generates deprovisioning requests.

Workflow:
Invite authorizers, implementers, certifiers to act.
Built-in reminders, escalation, delegation and more.
Selects participants via policy, not flow-charts.

Policies, controls:
RBAC.
SoD.
Risk scores.
Approvals.
Entitlement analytics.

Integrations:
110+ bidirectional connectors, included.
Incident management, SIEM, e-mail interfaces.
Manage building access, physical assets.


4.3 HiPM features

Password synch:
Reduce the number of passwords per user.

Self-service:
Password reset.
Clear lockout.
Smart card PIN reset.
Token PIN reset.
Encrypted filesystem unlock.

Value-add:
Federated access replaces other applications' login screens.
Password vault: users can store unmanaged passwords.

Access from:
PC browser or login screen.
At the office or remote.
Smart phone or voice call.

Assisted service:
Password, token PIN, intruder lockout.

Policy enforcement:
Two-factor authentication for all users.
Password complexity, expiry, history.
Non-password authentication.

Managed enrollment:
Security questions.
Login IDs.
Mobile phone numbers.

5 Technology


5.1 Multi-master architecture

[Architecture diagram; only the labels could be recovered from the slide:]
Password synch trigger systems: AD, Unix, z/OS (local agent), LDAP, iSeries (proxy). Native password change; validate password.
SaaS apps (cloud); mobile UI; manage.
Hitachi ID servers in data center A and data center B, with load balancers and a reverse web proxy; replication between data centers over TCP/IP + AES.
IVR server; MS SQL databases.
Notifications and invitations: e-mail, tickets.
System of record (HR); ticketing system.
VPN server with remote agent; remote data center with proxy server; firewalls.
Managed endpoints: AD, SQL, SAP, Notes, etc., reached over various protocols; secure native protocol; HTTPS (if needed).


5.2 Key architectural features

[Architecture diagram with callouts; only the labels could be recovered from the slide:]
BYOD enabled.
On premise and SaaS (SaaS apps, cloud).
Replicated across data centers (data center A, data center B, remote data center).
Horizontal scaling.
Load balanced.
Reach across firewalls.
Protocols: TCP/IP + AES, secure native protocol, HTTPS, various protocols.

5.3 Multi-master replication

Avoid data loss and service interruption:

Multiple copies of the vault in different cities.
Real-time data replication.
Fault-tolerant.
Bandwidth efficient, latency tolerant.
Best practice: multiple servers in multiple data centers.
Active/active.
Load balanced.


5.4 Included connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.

5.5 Rapid integration with custom apps


Hitachi ID Suite easily integrates with custom, vertical and hosted applications using flexible agents.
Each flexible agent connects to a class of applications:

API bindings (C, C++, Java, COM, ActiveX, MQ Series).
Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
SSH sessions.
HTTP(S) administrative interfaces.
Web services.
Win32 and Unix command-line administration programs.
SQL scripts.
Custom LDAP attributes.

Integration takes a few hours to a few days.
Fixed cost service available from Hitachi ID.


6 Privileged Access


6.1 HiPAM features

Auto-discovery:
Find systems, accounts.
Attach policy.

Random passwords:
Default is daily.

Secure storage:
Replicated (with fault tolerance/queue).
Encrypted.
Geographically distributed.

Access controls:
Policy: who can sign into which account?

Workflow controls:
One time request/approval/login.

Single sign-on:
Launch SSH, RDP, vSphere, SQL, etc.
Alternately: display password, temporary group membership,
temporary SSH trust/SUDO rights.

Application passwords:
Notify SCM, IIS, Scheduler, DCOM of new passwords.
API to eliminate embedded passwords.

Logging:
Requests, approvals, logins to privileged accounts.

Session monitoring:
Screen, keyboard, webcam, process ID, window title, etc.


6.2 Securing privileged accounts

Thousands of IT assets: Who has the keys to the kingdom?

Servers, network devices, databases and applications:
Numerous.
High value.
Heterogeneous.

Workstations:
Mobile dynamic IPs.
Powered on or off.
Direct-attached or firewalled.

Every IT asset has sensitive passwords:
Administrator passwords: Used to manage each system.
Service passwords: Provide security context to service programs.
Application passwords: Allow one application to connect to another.

Do these passwords ever change?
Plaintext in configuration files?
Who knows these passwords? (ex-staff?)
Who made what changes, when and why?

6.3 Types of privileged accounts

Shared Administrative:
Definition: Interactive logins used by humans. Client tools: PuTTY, RDP, SQL Studio, etc. May be used at a physical console.
Challenges: Access control. Audit/accountability. Single sign-on. Session capture.

Embedded:
Definition: One application connects to another. DB logins, web services, etc.
Challenges: Authenticating apps prior to password disclosure. Caching, key management.

Service:
Definition: Run service programs with admin or limited rights. Windows requires a password. Scheduled tasks, IIS, DCOM, SCM, etc.
Challenges: Avoiding service interruption. Restart service if required.


6.4 Securing administrator accounts

7 Example Deployments

7.1 Case Study: Industrial conglomerate

Customer description: Global industrial conglomerate with energy utility subsidiaries.
Product: Hitachi ID Identity Manager
Industry: Industrials, energy utilities
Target systems: Windows/AD, Oracle EBS, mainframe, databases.
Functionality: Onboard, deactivate, manage access of over 10,000 employees and contractors. Automation, self-service, policy enforcement.
Main business driver: Lower IT support cost and improve SLA.
Business impact: Retired home-grown IAM and access reporting system. Lower IT security management workload.


7.2 Case Study: Energy company

Customer description: Global energy company
Product: Hitachi ID Group Manager
Number of users: 100,000+
Functionality: Self-service requests to access network shares, folders.
Main business driver: Reduce IT support call volume.
Business impact: Replace "access denied" help desk calls with self-service infrastructure.

7.3 Case Study: US bank

Customer description: US bank
Product: Hitachi ID Password Manager
Industry: Banking
Number of users: 150,000
Functionality: Password reset via telephone, web browser
Main business driver: Reduce IT support cost, improve authentication security when users call for help.
Business impact: Eliminated 33,000 help desk calls/month. Saved at least US$ 4,000,000/year.

7.4 Case Study: Investment bank

Customer description: Top-10 global investment bank.


Product:

Industry: Finance
Target systems: Windows, Unix/Linux, MSSQL.
Functionality: Randomize passwords weekly on 122,000 systems around the world. Deployed 12 servers in 4 data centers globally for super-high availability and fault tolerance.
Main business driver: Eliminate static, shared, administrative passwords to comply with audit, regulatory requirements.
Business impact: Control, audit administrator logins to privileged accounts on 122,000 systems globally. Pass audits.


8 Differentiation

8.1 HiIM advantages

Hitachi ID Identity Express:
HiIM: Pre-configured with most common scenarios.
Others: Every deployment is custom, new.

Built-in features:
HiIM: Request portal. Access certification. Approval workflow.
Others: Custom forms. Custom workflows.

User friendly requests:
HiIM: Windows Shell extension. SharePoint integration. Compare users.
Others: Users must know what entitlements to request.

Robust policy enforcement:
HiIM: SoD with deep inspection. Policy-driven approvals. Privacy protection.
Others: SoD easily bypassed. Hard-coded approvals. No privacy protection.

Architecture:
HiIM: Scalable: multi-master, load-balanced. Fault tolerant: active-active.
Others: DB is choke point, single point of failure. Only hot standby.


8.2 HiPM advantages

HiPM: 2FA, Federation included for all users.
Others: Extra products required.

HiPM: Access from smart phones (BYOD).
Others: Only with a public URL.

HiPM: Unlock encrypted filesystem - pre-boot password prompt.
Others: Call the help desk.

HiPM: Access from Windows login screen, even when off-site.
Others: Come back to the office or ship laptop to dept.

HiPM: Access from domain-member MacOSX login screen.
Others: Call the help desk.

HiPM: All connectors included in base price.
Others: Some charge per-connector.

HiPM: Web browser, smart-phone, PC login screen, telephony all included.
Others: Extra features, extra cost.

HiPM: Managed enrollment, max. adoption.
Others: Write scripts: extra cost, lower ROI.

HiPM: Active-active replication: scalable and reliable.
Others: Hot standby at best. May cost extra.

8.3 HiPAM advantages (technical)

Hitachi ID Privileged Access Manager: Multi-master, active-active.
Competitors: Hot standby, "offline" mode.

Hitachi ID Privileged Access Manager: 2FA for everyone, no extra cost.
Competitors: Either purchase a separate 2FA system or rely on AD passwords.

Hitachi ID Privileged Access Manager: BYOD access, including approvals.
Competitors: Fire up your laptop, sign into the VPN.

Hitachi ID Privileged Access Manager: Check-out multiple accounts in one request.
Competitors: One account at a time.

Hitachi ID Privileged Access Manager: Temporary privilege elevation.
Competitors: Only password display/injection.

Hitachi ID Privileged Access Manager: Secure laptops (mobile, NAT, firewalled).
Competitors: Endpoints not really supported.

Hitachi ID Privileged Access Manager: Direct connect, HTML5, RDP+launch proxy.
Competitors: Only via proxy.

Hitachi ID Privileged Access Manager: Proxy servers to integrate with remote systems.
Competitors: Extra cost (more appliances?).

Hitachi ID Privileged Access Manager: Run any admin tool, with any protocol.
Competitors: Can only launch RDP, SSH.


8.4 HiPAM advantages (commercial)

Hitachi ID Privileged Access Manager: Manage groups that control access policy.
Competitors: Need a separate IAM system for that.

Hitachi ID Privileged Access Manager: Proxy servers to integrate with remote systems.
Competitors: Extra cost (more appliances?).

Hitachi ID Privileged Access Manager: Secure Windows service account passwords.
Competitors: Separate product.

Hitachi ID Privileged Access Manager: Secure API replaces embedded passwords.
Competitors: Separate product.

Hitachi ID Privileged Access Manager: Session recording included.
Competitors: Separate product.

Hitachi ID Privileged Access Manager: Over 110 connectors included.
Competitors: Some connectors cost more.

Hitachi ID Privileged Access Manager: Unlimited users.
Competitors: Fee per user.

9 Discussion

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com Date: 2017-03-15 | 2017-03-15 File: PRCS:pres
