
Source: hitachi-id.com/largedocs/presentation-whats-new-v81/presentation.pdf

1 Hitachi ID Suite

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Hitachi ID Suite 8.1 Features and Technology.

2 Scope of the 8.1 release

The 8.1 release (2012-09) integrates all three Hitachi ID products:

• Hitachi ID Identity Manager,
• Hitachi ID Password Manager and
• Hitachi ID Privileged Access Manager.

• Single instance or SSO between instances.
• User interface refresh.
• Technology refresh: faster, more robust replication, multi-master.
• Many new features and integrations.

© 2014 Hitachi ID Systems, Inc. All rights reserved.


3 Enhancements in 8.1

Hitachi ID Identity Manager:
• Single-user and ad-hoc certification.
• Automatically assigned roles and groups.
• Compare users – select what to request.

Hitachi ID Password Manager:
• Self-service from any device/location.
• HDD key recovery.
• Multiple PW policies per system.

Hitachi ID Privileged Access Manager:
• Discovery/classification of systems/accts to manage.
• Easier to replace embedded PWs.
• Secure, scalable support for service acct passwords.
• Session recording, playback.

General:
• New ACL model: based on relationships.
• Advanced search.
• Analytics and trend analysis.
• Dashboards.
• New/refreshed connectors.

4 Technology platform


4.1 Multi-Master Architecture

[Diagram: multi-master deployment. Hitachi ID application server(s) are shown both in the local network and in a remote data center, each with a SQL/Oracle database behind a load balancer, separated from the outside by firewalls. Other components labelled: reverse web proxy (HTTPS), IVR server, VPN server, password synch trigger systems, SMTP or Notes Mail (emails), incident management system (tickets), system of record (lookup & trigger), cloud-hosted SaaS apps (web services), proxy server (if needed; secure native protocol), and target systems reached for native password change and password validation: AD, Unix, OS/390, LDAP, AS400. Protocols labelled: TCP/IP + AES, various protocols. Target systems with local agent: OS/390, Unix, older RSA. Target systems with remote agent: AD, SQL, SAP, Notes, etc.]

4.2 Database architecture

Supported RDBMS:
• Oracle 11gR1 or 11gR2, Enterprise Edition.
• Microsoft SQL Server 2008 and 2008R2, Enterprise Edition.
• Microsoft SQL Server 2008, Express Edition.
• Multi-master, active-active architecture.

Application platform:
• Presentation: HTML.
• UI logic, processes: native code.
• Business logic: expressions and plug-ins.
• Data access: stored procedures.
• → fast, scalable.

Real-time replication:
• Real-time replication at the app layer.
• Optimized for WAN between data centers.
• Encrypted.
• Tolerates high latency.
• Tolerates low bandwidth.
• Queues/retries failures.
• → available.


4.3 New approach to synchronization

Before: compare two directories. → Now: detect and respond to changes.

Attribute synch:
• Map account attributes to profile attributes.
• Assign priorities to system/accounts and to the UI.
• Track changes on selected attributes.

Auto-roles, groups:
• Define user classes based on profile attributes, other groups.
• Link user classes to managed groups and Hitachi ID Identity Manager roles.
• Set auto-assign and/or auto-unassign.
• Throttle requests to submit per batch run.

Scripts submit requests:
• ID-Track replaces ID-Compare.
• Aggregates account, group, attribute changes per user.
• Calls a script function per changed user.
• Script constructs, submits change requests.
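The ID-Track approach described above, as an added illustration and not product code: a change feed is aggregated per user, conflicting attribute values are resolved by system priority, and one handler is called per changed user rather than per event. The event dictionaries, the account-to-profile mapping, the priorities and the function names are assumptions.

```python
"""ID-Track style synchronization: aggregate detected changes per user, then call one
handler per changed user.  Added example, not Hitachi ID code; the event format,
account-to-profile map, priorities and handler are constructed for illustration."""
from collections import defaultdict

# Constructed: which target-system account belongs to which profile, and the
# priority of each system when two systems disagree on the same attribute.
ACCOUNT_TO_PROFILE = {("AD", "jsmith"): "U1001", ("HR", "10044"): "U1001", ("AD", "mlee"): "U1002"}
SYSTEM_PRIORITY = {"HR": 10, "AD": 5}

def aggregate(events):
    """events: list of {system, account, kind, name, value} dicts.
    Returns ({profile: {"attributes": {...}, "groups": {...}}}, orphan_accounts).
    Accounts not mapped to a profile are reported, not silently dropped."""
    per_user = defaultdict(lambda: {"attributes": {}, "groups": {}})
    winner = {}   # (profile, attribute) -> priority of the system whose value is kept
    orphans = []
    for ev in events:
        profile = ACCOUNT_TO_PROFILE.get((ev["system"], ev["account"]))
        if profile is None:
            orphans.append((ev["system"], ev["account"]))
            continue
        if ev["kind"] == "attribute":
            prio = SYSTEM_PRIORITY.get(ev["system"], 0)
            if prio >= winner.get((profile, ev["name"]), -1):
                per_user[profile]["attributes"][ev["name"]] = ev["value"]
                winner[(profile, ev["name"])] = prio
        elif ev["kind"] == "group":          # value is "added" or "removed"
            per_user[profile]["groups"][ev["name"]] = ev["value"]
    return dict(per_user), orphans

def build_request(profile_id, changes):
    """The per-user script function: one change request covering all of a user's changes."""
    ops = [f"set {k}={v}" for k, v in sorted(changes["attributes"].items())]
    ops += [f"{v} group {g}" for g, v in sorted(changes["groups"].items())]
    return {"profile": profile_id, "operations": ops}

def run(events):
    """Aggregate, then invoke the handler once per changed user (not once per event)."""
    changes, orphans = aggregate(events)
    return [build_request(p, c) for p, c in sorted(changes.items())], orphans

SAMPLE_EVENTS = [  # constructed change feed, as a connector might report it
    {"system": "AD", "account": "jsmith", "kind": "attribute", "name": "department", "value": "Sales"},
    {"system": "HR", "account": "10044", "kind": "attribute", "name": "department", "value": "Marketing"},
    {"system": "AD", "account": "jsmith", "kind": "group", "name": "Sales-RO", "value": "removed"},
    {"system": "AD", "account": "mlee", "kind": "group", "name": "Domain Admins", "value": "added"},
    {"system": "AD", "account": "ghost", "kind": "attribute", "name": "title", "value": "CEO"},
]
```

The HR system outranks AD here, so the two department events for U1001 collapse into a single "set department=Marketing" regardless of the order in which they arrive.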

5 Refreshed UI

5.1 User Profile Screen


5.2 View Org Chart Data

5.3 Compare User Profiles


5.4 Authentication Chains

• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?
• Novel methods: PIN via SMS.

[Flow-chart: START → check user profile (risk assessment, location, identity attributes, login accounts) → choose auth chain. Chains shown: fingerprint biometric + password; smart card / PKI; password + security questions; OTP passcode; send PIN to SMS # + security questions; SAML assertion.]

6 User classes and relationships

6.1 Access based on relationships

• BEFORE: access rights attached to requester.
• NOW: rights attached to relationship between requester and recipient.
• Rights may be to read/write identity attributes or perform actions.

Examples:

• Read/write termination date: requester in HR; requester not recipient.
• Read/write termination date: recipient reports to requester.
• Read home address: recipient has active profile.
• Read/write home address: requester is recipient.
• Read SSN, DoB: requester is recipient.
• Write SSN, DoB: requester in HR.
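A small evaluator for the relationship-based model above, added here as an illustration and not Hitachi ID's own code: each right is a list of relationships between requester and recipient that must all hold, the six example rows from the slide are encoded as the rule table, and the user records, relationship names and function names are assumptions.

```python
"""Relationship-based access control as described for Identity Manager 8.1: a right
is granted by the relationship between requester and recipient, not by the requester
alone.  Added example, not Hitachi ID code; users, relationship names and the rule
table (transcribed from the slide's six examples) are constructed for illustration."""
from dataclasses import dataclass

@dataclass
class User:
    uid: str
    dept: str
    manager: str = ""      # uid of the manager, empty if none
    active: bool = True

RELATIONSHIPS = {  # predicates over (requester, recipient)
    "requester_in_hr":                lambda q, r: q.dept == "HR",
    "requester_not_recipient":        lambda q, r: q.uid != r.uid,
    "requester_is_recipient":         lambda q, r: q.uid == r.uid,
    "recipient_reports_to_requester": lambda q, r: r.manager == q.uid,
    "recipient_active":               lambda q, r: r.active,
}

# (attribute, operations, relationships that must ALL hold); rules for the same attribute are alternatives.
RULES = [
    ("termination_date", {"read", "write"}, ["requester_in_hr", "requester_not_recipient"]),
    ("termination_date", {"read", "write"}, ["recipient_reports_to_requester"]),
    ("home_address",     {"read"},          ["recipient_active"]),
    ("home_address",     {"read", "write"}, ["requester_is_recipient"]),
    ("ssn",              {"read"},          ["requester_is_recipient"]),
    ("dob",              {"read"},          ["requester_is_recipient"]),
    ("ssn",              {"write"},         ["requester_in_hr"]),
    ("dob",              {"write"},         ["requester_in_hr"]),
]

def allowed(requester: User, recipient: User, attribute: str, op: str) -> bool:
    """Deny by default: an attribute/operation with no matching rule is never granted."""
    for attr, ops, rels in RULES:
        if attr == attribute and op in ops and all(RELATIONSHIPS[r](requester, recipient) for r in rels):
            return True
    return False

# Constructed sample directory: an HR user, a manager, a direct report and a deactivated one.
USERS = {
    "hr1":  User("hr1", "HR"),
    "mgr":  User("mgr", "Sales"),
    "emp":  User("emp", "Sales", manager="mgr"),
    "gone": User("gone", "Sales", manager="mgr", active=False),
}

def check(requester: str, recipient: str, attribute: str, op: str) -> bool:
    return allowed(USERS[requester], USERS[recipient], attribute, op)
```

Because the relationship is evaluated per request, the same HR user who may write another person's termination date is refused when requester and recipient coincide.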


6.2 Define a Relationship

6.3 Group Assignment Policy


6.4 Contextual Password Policies

7 Search

7.1 Advanced search

New search infrastructure for critical objects.

• Dynamic SQL based on search parameters.
• Multi-term searches with boolean AND/OR.
• Find users, roles, groups, target systems, workflow requests, etc.

Examples:

• User with surname=X, in group Y on target Z, with last login before W.
• Security group with name contains X in OU Y on target Z.
• Active user with term date before next Saturday.

Special security features:

• Protection against SQL injection.
• Protection against information leakage through search (e.g., "Search for users with termination date this week" would reveal pending terminations to anyone allowed to run it).
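One way the two controls named above fit together, as an added example rather than the product's search code: search terms arrive as (column, operator, value) triples, column and operator names must pass a whitelist before they enter the SQL text, and values are always bound as parameters. The table name, column set, operator sets and sample rows are constructed.

```python
"""Dynamic search SQL built from user-supplied terms, with the two controls the slide
names: values are bound as parameters (against SQL injection) and only whitelisted
columns and operators reach the query text (against leaking attributes through search).
Added example, not Hitachi ID code; table, columns and rows are constructed."""
import sqlite3

# Searchable columns and the operators permitted on each; anything else is refused
# before any SQL is generated.  Sensitive columns simply are not listed.
SEARCHABLE = {
    "surname":    {"=", "LIKE"},
    "group_name": {"=", "LIKE"},
    "target":     {"="},
    "last_login": {"<", ">", "="},
    "term_date":  {"<", ">", "="},
}

def build_query(terms, join="AND"):
    """terms: list of (column, operator, value).  Returns (sql, params).
    Column and operator names are spliced into the text only after passing the
    whitelist; values never are, they travel as bound parameters."""
    if join not in ("AND", "OR"):
        raise ValueError("join must be AND or OR")
    if not terms:
        raise ValueError("at least one search term is required")  # no unbounded listing
    clauses, params = [], []
    for column, op, value in terms:
        if column not in SEARCHABLE or op not in SEARCHABLE[column]:
            raise ValueError(f"not searchable: {column} {op}")
        clauses.append(f"{column} {op} ?")
        params.append(value)
    where = f" {join} ".join(clauses)
    return f"SELECT uid FROM accounts WHERE {where} ORDER BY uid", params

def search(conn, terms, join="AND"):
    """Run a multi-term search and return the matching uids."""
    sql, params = build_query(terms, join)
    return [row[0] for row in conn.execute(sql, params)]

def sample_db():
    """Constructed sample data: one row per (user, group, target); term_date NULL = active."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(uid, surname, group_name, target, last_login, term_date)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?, ?)", [
        ("asmith", "Smith", "Domain Admins", "AD",  "2012-08-01", None),
        ("bjones", "Jones", "Domain Users",  "AD",  "2012-09-20", "2012-09-28"),
        ("csmith", "Smith", "dba",           "ORA", "2012-05-15", None),
    ])
    return conn
```

A quoted value is compared literally, so it can only ever match a surname that really contains those characters, and a column missing from the whitelist cannot be searched at all.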


7.2 Advanced Search

8 Recertification

8.1 Ad-hoc and single-user certification

• Manager can certify a given subordinate's entitlements ad-hoc.
• Designated users can initiate certification rounds without administrative access.
• Certification rounds can be shared among process initiators.
• New access controls:
  – Relational: can a given requester certify a given recipient?
  – Unary: can a given initiator configure new certification rounds?


8.2 Single User Certification

9 Resources


9.1 Extensible resource schema

Attributes per type of resource:

• Target systems.
• Managed groups.
• Roles, SoD policies.
• Inventory object classes.

Attributes may represent:

• Ownership.
• Physical location.
• Department/division.
• Risk score.
• etc.

HiIM 8.0 includes:

• UI, ACLs to enter this data.
• Available in advanced search.
• Available in API.

Future releases:

• Synchronize with target system (e.g., read/update owner on managed group).
• Workflow for end-users to set attrs (not just admins).
• Link to certification (e.g., "recertify all entitlements in department X, risk score above Y").

9.2 Resource Attributes

10 Analytics, trends and dashboards


10.1 Reports: workflow and analytics

Hitachi ID Identity Manager includes a rich set of reports.

Workflow:
• Most popular ... (request type, authorizer, implementer, entitlement, etc.).
• Stuck / delayed requests.
• Participant responsiveness.
• Request volume trend over time.

Analytics:
• Compare entitlements between users in a set.
• Inconsistent or invalid attribute values.
• Requests / resources with inadequate / invalid authorizers.
• Requests with invalid resources / users.

General:
• All reports can be scheduled to run periodically.
• Run time/date is a parameter to the query.
• HTML, CSV and PDF output.
• Dashboards: workflow, user adoption, certification.

10.2 Workflow Reports

11 Approach to workflow


11.1 A simple IAM workflow

[Flow-chart: START → Request form → Input validation → Select approvers → E-mail invitations → Approval → Fulfillment → COMPLETE, with a CANCEL exit.]

11.2 Real-world complexity

[Flow-chart: the same stages as 11.1 (Request form, Input validation, Select approvers, E-mail invitations, Approval, Fulfillment; START, CANCEL, COMPLETE) with the branches a real deployment needs: input validation → bad input or OK; select approvers → no approval required; no response? → escalation: send reminders, find new approvers, or give up; approved? sufficient? → approved, sufficient; approved, need more (wait...); or rejected.]


11.3 Combinatorial explosion

[Diagram: the flow-chart from 11.2 (Request form, Input validation, Select approvers, E-mail invitations, Approval, Fulfillment, No response? → Escalation, Approved? Sufficient?) repeated once for each request type: Onboard - employee; Onboard - contractor; Onboard - vendor; Onboard - temp; Contractor - end of term; Vendor - cancel contract; Employee - change dept.; General - update contact; Employee - leave of absence; Employee - retire; Employee - resign; Employee - termination.]

May require hundreds of flow-charts!

Each has embedded business rules.

11.4 Design challenges

• Should naturally support real-world requirements:
  – Authorizers chosen at run-time, through various look-ups and policies.
  – Multiple authorizers, invited all at once.
  – Cannot say in advance how many invited, how many must approve.
  – Reminders to tardy participants.
  – Escalation from non-responsive participants to others.
  – Bonus: escalate early if out-of-office.
• Encourage code reuse.
• Support revision control.
• Upgradability: must not entangle business logic with product code.
• Avoid a combinatorial explosion of objects.


11.5 Policy-driven workflow

[Diagram: the single flow-chart from 11.2 (Request form, Input validation, Select approvers, E-mail invitations, Approval, Fulfillment, No response? → Escalation, Approved? Sufficient?), annotated with where product logic and customer logic live.]

Built-in workflow processes:
• Approval.
• Manual fulfillment.
• Recertification.

Robust by design:
• Serial, parallel approvals.
• Reminders, escalation.
• Pre-escalation, delegation.

Plug-in points for customer business logic:
• Attribute validation and auto-generation.
• Authorizer selection.
• Request rewrite.

Customer business logic:
• Code reuse.
• Process isolation.

12 Demo

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: PRCS:pres. Date: April 8, 2014.