1 Hitachi ID Suite
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Hitachi ID Suite 8.1 Features and Technology.
2 Scope of the 8.1 release
The 8.1 release (2012-09) integrates all three Hitachi ID products:
• Hitachi ID Identity Manager,
• Hitachi ID Password Manager and
• Hitachi ID Privileged Access Manager
• Single instance or SSO between instances.
• User interface refresh.
• Technology refresh: faster, more robust replication, multi-master.
• Many new features and integrations.
© 2014 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Enhancements in 8.1
Hitachi ID Identity Manager:
• Single-user and ad-hoc certification.
• Automatically assigned roles and groups.
• Compare users – select what to request.
Hitachi ID Password Manager:
• Self-service from any device/location.
• HDD key recovery.
• Multiple PW policies per system.
Hitachi ID Privileged Access Manager:
• Discovery/classification of systems/accts to manage.
• Easier to replace embedded PWs.
• Secure, scalable support for service acct passwords.
• Session recording, playback.
General:
• New ACL model: based on relationships.
• Advanced search.
• Analytics and trend analysis.
• Dashboards.
• New/refreshed connectors.
4 Technology platform
4.1 Multi-Master Architecture
[Diagram: multi-master architecture. Hitachi ID application server(s) in a remote data center and on the local network, each with an SQL DB (SQL/Oracle) behind a load balancer and separated by firewalls. Links shown: TCP/IP + AES between application servers; HTTPS to users via a reverse web proxy; secure native protocol to target systems; web services to cloud-hosted, SaaS apps; various protocols to integrations. Integrations: SMTP or Notes mail (emails); incident management system (tickets); system of record (lookup & trigger); password synch trigger systems (native password change on AD, Unix, OS/390, LDAP, AS400; validate PW); IVR server; VPN server. Target systems with local agent: OS/390, Unix, older RSA. Target systems with remote agent, via a proxy server if needed: AD, SQL, SAP, Notes, etc.]
4.2 Database architecture
Supported RDBMS:
• Oracle 11gR1 or 11gR2, Enterprise Edition.
• Microsoft SQL Server 2008 and 2008R2, Enterprise Edition.
• Microsoft SQL Server 2008, Express Edition.
• Multi-master, active-active architecture.
Application platform:
• Presentation: HTML.
• UI logic, processes: native code.
• Business logic: expressions and plug-ins.
• Data access: stored procedures.
• → fast, scalable.
Real-time replication:
• Real-time replication at the app layer.
• Optimized for WAN between data centers.
• Encrypted.
• Tolerates high latency.
• Tolerates low bandwidth.
• Queues/retries failures.
• → available.
4.3 New approach to synchronization
Before: compare two directories. → Now: detect and respond to changes.
Attribute synch:
• Map account attributes to profile attributes.
• Assign priorities to systems/accounts and to the UI.
• Track changes on selected attributes.
Auto-roles, groups:
• Define user classes based on profile attributes, other groups.
• Link user classes to managed groups and Hitachi ID Identity Manager roles.
• Set auto-assign and/or auto-unassign.
• Throttle requests to submit per batch run.
Scripts submit requests:
• ID-Track replaces ID-Compare.
• Aggregates account, group, attribute changes per user.
• Calls a script function per changed user.
• Script constructs, submits change requests.
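The change-driven model described above (detect changes, aggregate them per user, call one script per changed user, throttle per batch) as an added illustration; this is not Hitachi ID code, and the snapshot layout, the tracked-attribute set, the `script` callback and the sample data are assumptions constructed here.

```python
"""Change-driven synchronization in the style of ID-Track (added example)."""
from typing import Callable, Dict, List, Set

# Assumed snapshot layout: profile id -> {system: {"groups": set, "attrs": dict}}
Snapshot = Dict[str, Dict[str, dict]]


def diff_snapshots(before: Snapshot, after: Snapshot, tracked: Set[str]) -> Dict[str, list]:
    """Return {user: [change, ...]} for accounts that appeared/disappeared,
    group membership changes, and changes to *tracked* attributes only."""
    changes: Dict[str, list] = {}
    for uid in set(before) | set(after):
        old, new = before.get(uid, {}), after.get(uid, {})
        for system in set(old) | set(new):
            if system not in old:
                changes.setdefault(uid, []).append(("account_added", system))
                continue
            if system not in new:
                changes.setdefault(uid, []).append(("account_removed", system))
                continue
            o, n = old[system], new[system]
            for g in n["groups"] - o["groups"]:
                changes.setdefault(uid, []).append(("group_added", system, g))
            for g in o["groups"] - n["groups"]:
                changes.setdefault(uid, []).append(("group_removed", system, g))
            for attr in tracked:   # untracked attributes never trigger a request
                if o["attrs"].get(attr) != n["attrs"].get(attr):
                    changes.setdefault(uid, []).append(
                        ("attr_changed", system, attr,
                         o["attrs"].get(attr), n["attrs"].get(attr)))
    return changes


def run_batch(changes: Dict[str, list],
              script: Callable[[str, list], None],
              max_requests: int) -> List[str]:
    """Call `script` once per changed user (it builds and submits the request),
    at most max_requests times per run. Users past the throttle are returned
    so the next batch run can pick them up instead of being silently dropped."""
    deferred: List[str] = []
    for i, uid in enumerate(sorted(changes)):
        if i >= max_requests:
            deferred.append(uid)
        else:
            script(uid, changes[uid])
    return deferred
```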
5 Refreshed UI
5.1 User Profile Screen
5.2 View Org Chart Data
5.3 Compare User Profiles
5.4 Authentication Chains
• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?
• Novel methods: PIN via SMS.
[Diagram: START → check user profile (risk assessment, location, identity attributes, login accounts) → choose auth chain. Chains shown: Fingerprint Biometric / Password; Smart Card / PKI; Password; Security Questions; OTP PassCode; Send PIN to SMS # / Security Questions; SAML Assertion.]
6 User classes and relationships
6.1 Access based on relationships
• BEFORE: access rights attached to requester.
• NOW: rights attached to relationship between requester and recipient.
• Rights may be to read/write identity attributes or perform actions.
Examples:
Right                          Conditions
Read/write termination date    • Requester in HR. • Requester not recipient.
Read/write termination date    • Recipient reports to requester.
Read home address              • Recipient has active profile.
Read/write home address        • Requester is recipient.
Read SSN, DoB                  • Requester is recipient.
Write SSN, DoB                 • Requester in HR.
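The relationship-based model above, as an added worked example (not Hitachi ID code): rights are attached to predicates over the requester/recipient pair rather than to the requester alone, and the default is deny. The `Person` record, the predicate names and the attribute names are assumptions chosen to mirror the table.

```python
"""Relationship-based ACL check (added example, mirrors the slide's table)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Person:                      # assumed minimal profile record
    uid: str
    dept: str
    manager: Optional[str] = None  # uid of the manager, if any
    active: bool = True


# Relationship predicates: each takes (requester, recipient) -> bool.
RELATIONSHIPS = {
    "requester_in_hr": lambda r, p: r.dept == "HR",
    "requester_not_recipient": lambda r, p: r.uid != p.uid,
    "requester_is_recipient": lambda r, p: r.uid == p.uid,
    "recipient_reports_to_requester": lambda r, p: p.manager == r.uid,
    "recipient_active": lambda r, p: p.active,
}

# (attribute, operation) -> list of rules. A rule grants when ALL of its
# predicates hold; any single granting rule is sufficient.
POLICY = {
    ("termination_date", "read"): [["requester_in_hr", "requester_not_recipient"],
                                   ["recipient_reports_to_requester"]],
    ("termination_date", "write"): [["requester_in_hr", "requester_not_recipient"],
                                    ["recipient_reports_to_requester"]],
    ("home_address", "read"): [["recipient_active"], ["requester_is_recipient"]],
    ("home_address", "write"): [["requester_is_recipient"]],
    ("ssn", "read"): [["requester_is_recipient"]],
    ("ssn", "write"): [["requester_in_hr"]],
}


def allowed(requester: Person, recipient: Person, attr: str, op: str) -> bool:
    """Default deny: grant only if some rule for (attr, op) is fully satisfied.
    Unknown attributes or operations have no rules and are therefore denied."""
    rules = POLICY.get((attr, op), [])
    return any(all(RELATIONSHIPS[name](requester, recipient) for name in rule)
               for rule in rules)
```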
6.2 Define a Relationship
6.3 Group Assignment Policy
6.4 Contextual Password Policies
7 Search
7.1 Advanced search
New search infrastructure for critical objects.
• Dynamic SQL based on search parameters.
• Multi-term searches with boolean AND/OR.
• Find users, roles, groups, target systems, workflow requests, etc.
Examples:
• User with surname=X, in group Y on target Z, with last login before W.
• Security group with name contains X in OU Y on target Z.
• Active user with term date before next Saturday.
Special security features:
• Protection against SQL injection.
• Prevention of information leakage (e.g., "Search for users with termination date this week" must not reveal an attribute the requester may not read).
7.2 Advanced Search
8 Recertification
8.1 Ad-hoc and single-user certification
• Manager can certify a given subordinate's entitlements ad-hoc.
• Designated users can initiate certification rounds without administrative access.
• Certification rounds can be shared among process initiators.
• New access controls:
  – Relational: can a given requester certify a given recipient?
  – Unary: can a given initiator configure new certification rounds?
8.2 Single User Certification
9 Resources
9.1 Extensible resource schema
Attributes per type of resource:
• Target systems.
• Managed groups.
• Roles, SoD policies.
• Inventory object classes.
Attributes may represent:
• Ownership.
• Physical location.
• Department/division.
• Risk score.
• etc.
HiIM 8.0 includes:
• UI, ACLs to enter this data.
• Available in advanced search.
• Available in API.
Future releases:
• Synchronize with target system (e.g., read/update owner on managed group).
• Workflow for end-users to set attrs (not just admins).
• Link to certification (e.g., "recertify all entitlements in department X, risk score above Y").
9.2 Resource Attributes
10 Analytics, trends and dashboards
10.1 Reports: workflow and analytics
Hitachi ID Identity Manager includes a rich set of reports.
Workflow:
• Most popular ... (request type, authorizer, implementer, entitlement, etc.)
• Stuck / delayed requests.
• Participant responsiveness.
• Request volume trend over time.
Analytics:
• Compare entitlements between users in a set.
• Inconsistent or invalid attribute values.
• Requests / resources with inadequate / invalid authorizers.
• Requests with invalid resources / users.
General:
• All reports can be scheduled to run periodically.
• Run time/date is a parameter to the query.
• HTML, CSV and PDF output.
• Dashboards: workflow, user adoption, certification.
10.2 Workflow Reports
11 Approach to workflow
11.1 A simple IAM workflow
[Flowchart: START → Request form → Input validation → Select approvers → E-mail invitations → Approval → Fulfillment → COMPLETE, with a CANCEL exit.]
11.2 Real-world complexity
[Flowchart: the same stages as 11.1 (Request form, Input validation, Select approvers, E-mail invitations, Approval, Fulfillment) with added branches: bad input returns to the form, OK proceeds; "No approval required" skips to fulfillment; "No response?" leads to Send reminders / Wait... and then Escalation, which either finds new approvers or gives up (CANCEL); "Approved? Sufficient?" branches to Rejected (CANCEL), Approved, need more (wait), or Approved, sufficient (Fulfillment → COMPLETE).]
11.3 Combinatorial explosion
[Diagram: the full flowchart of 11.2 (Request form, Input validation, Select approvers, invitations, Approval, Fulfillment, No response?, Escalation, Approved? Sufficient?) repeated once per process: Onboard - employee; Onboard - contractor; Onboard - vendor; Onboard - temp; Contractor - end of term; Vendor - cancel contract; Employee - change dept.; General - update contact; Employee - leave of absence; Employee - retire; Employee - resign; Employee - termination.]
May require hundreds of flow-charts!
Each has embedded business rules.
11.4 Design challenges
• Should naturally support real-world requirements:
  – Authorizers chosen at run-time, through various look-ups and policies.
  – Multiple authorizers, invited all at once.
  – Cannot say in advance how many invited, how many must approve.
  – Reminders to tardy participants.
  – Escalation from non-responsive participants to others.
  – Bonus: escalate early if out-of-office.
• Encourage code reuse.
• Support revision control.
• Upgradability: must not entangle business logic with product code.
• Avoid a combinatorial explosion of objects.
11.5 Policy-driven workflow
[Diagram: the generic flowchart (Request form, Input validation, Select approvers, E-mail invitations, Approval, Fulfillment, No response? → Escalation, Approved? Sufficient?) annotated as follows.]
Built-in workflow processes: approval; manual fulfillment; recertification.
Robust by design: serial, parallel approvals; reminders, escalation; pre-escalation, delegation.
Customer business logic (code reuse, process isolation) attaches at: attribute validation and auto-generation; authorizer selection; request rewrite.
12 Demo
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
File: PRCS:pres  Date: April 8, 2014