

1 Hitachi ID Password Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Integrated credential management: Passwords, security questions, certificates, tokens, smart cards and biometrics.

2 Agenda

• Corporate
• Hitachi ID Password Manager
• Recorded Demos
• Technology
• Implementation
• Differentiation

3 Corporate

© 2018 Hitachi ID Systems, Inc. All rights reserved. 1


3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.

• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 1200 customers.
• More than 14M licensed users.
• Offices in North America, Europe and APAC.
• Global partner network.

3.2 Representative customers


3.3 Hitachi ID Suite

4 Hitachi ID Password Manager

4.1 Too many passwords

Challenges:

• Users have too many passwords.
• Write them on sticky notes.
• Forget and call the help desk.
• Pick trivial, insecure values.

Solutions:

• Synchronize passwords.
• Reduce to 1 or a few.
• Easier to remember.
• Less likely to write down.
• Opportunity to mandate stronger passwords.


4.2 Help desk call volume

Challenges:

• Users forget their passwords.
• Lock themselves out.
• Highest volume incident type.
• Peak volume at start of week.

Solutions:

• Self-service password reset.
• Clear intruder lockouts.
• PIN resets and emergency pass-codes for tokens.

4.3 Automated user enrollment

Challenges:

• Self service depends on non-password credentials:
  – Security questions.
  – Mobile phone number.
  – Personal e-mail address.
  – App on smart phone.
• This data rarely exists prior to deployment.
• New hires must enroll too.
• ROI depends on user adoption:
  – Users tend to ignore invitations.

Solutions:

• Identify users with incomplete profiles.
• Invite them to sign up. Send reminders with increasing urgency:
  – E-mail.
  – Open browser at login time.
  – Forced enrollment (full screen, locked browser).
• Throttle invitations:
  – Per user (e.g., once a week).
  – Overall (e.g., 500/day).


4.4 Password reset from difficult contexts

Challenges:

• Users have trouble logging in:
  – Forget their password.
  – Trigger an intruder lockout.
• User context can complicate assistance:
  – Pre-boot? No OS yet!
  – Login screen? How to navigate to self-service?
  – Off-site? Locally cached password.

Solutions:

• Pre-boot:
  – Smart phone app or voice call to access service.
  – Encrypted drive unlock.
• Windows login screen:
  – Credential Provider extends the Windows login UI.
  – Smart phone app or voice call.
  – Secure kiosk account if client software is a problem.
• VPN integration:
  – Update locally cached password for off-site users.

4.5 Need consistently strong authentication

Challenges:

• Few apps natively support multi-factor logins.

Solutions:

• Mandate strong authentication before self-service password reset.
• Offer 2FA to all users:
  – PIN to phone/email.
  – Smart phone app.
  – Existing OTP.
  – Browser fingerprint (reduces the nuisance of 2FA).
• Built into Hitachi ID Password Manager:
  – Leverage existing 2FA if available.
  – Introduce zero-cost 2FA otherwise.
• Extend 2FA to other apps via federation:
  – HiPM includes a built-in SAML IdP.


4.6 SaaS apps demand stronger security

Challenges:

• SaaS apps expose a public URL.
• Unlike on-premises, they can be attacked by anyone with an Internet connection.

Solutions:

• Offload login screens to a federated access manager.
• Require 2FA at the consolidated login screen.
• Fingerprint browsers to reduce the nuisance of a two-step login.

4.7 Users have personal passwords

Challenges:

• Users sign into a variety of non-corporate services.
• Insurance, banking, e-mail, social network, e-commerce, ...
• They sometimes ask IT for help managing these too.

Solutions:

• Offer them a secure alternative.
• Improves customer satisfaction with IT.
• Acts as an inducement to installing a 2FA mobile app.


5 Recorded Demos

5.1 Password reset with WiFi, VPN and 2FA

Animation: ../../pics/camtasia/v10/hipm-ssa-windows-10.mp4

5.2 Federated access launchpad

Animation: ../../pics/camtasia/v10.1/federated-launchpad.mp4

5.3 Activate Mobile Access app

Animation: ../../pics/camtasia/suite11/enable-mobile-device-1.mp4

5.4 Unlock pre-boot password

Animation: ../../pics/camtasia/v10/mcafee-drive-encryption.mp4

5.5 Add contact to phone

Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

6 Technology


6.1 Active-active architecture

[Figure: active-active architecture diagram. Hitachi ID servers in Data center A and Data center B, plus a remote data center, replicated and fronted by load balancers and firewalls. A reverse web proxy, VPN server, IVR server, mobile proxy and optional proxy server sit between the Internet ("cloud") and the servers. The servers integrate with the e-mail system (notifications and invitations), ticketing system (tickets), HR system of record, SaaS apps, managed endpoints with remote agent (AD, SQL, SAP, Notes, etc.), z/OS via a local agent, MS SQL databases, password synch trigger systems (native password change and password validation on AD, Unix, z/OS, LDAP, iSeries) and the Manage/Mobile UI. Link labels: TCP/IP + AES, various protocols, secure native protocol, HTTPS.]


6.2 Key architectural features

[Figure: the same architecture diagram ("cloud", SaaS apps, Data center A, Data center B, remote data center; links labelled TCP/IP + AES, various protocols, secure native protocol, HTTPS), annotated with the features below.]

• Reach across firewalls.
• Load balanced.
• On premises and SaaS.
• BYOD enabled.
• Replicated across data centers.
• Horizontal scaling.


6.3 Delivery options

On-premises

What/where:

• Conventional software; or
• Virtual appliance.
• Managed by customer IT; or
• managed by Hitachi ID remotely; or
• managed by a partner.

Charges:

• Software: license, annual maintenance.
• Virtual appliance: add OS, DB licenses.
• Managed service: add annual fee.

Hosted / SaaS

What/where:

• Dedicated instance per customer.
• Minimum two servers, locations.
• Proxy server on-premises.
• Managed by Hitachi ID.
• Regular upgrades.

Charges:

• Monthly per-user fee.
• Commitment for minimum quantity, duration.

6.4 Internal architecture

• Multi-master, active-active out of the box.
• Built-in data replication between app nodes:
  – Fault tolerant.
  – Secure - encrypted.
  – Reliable - queue and retry.
  – App nodes need not and should not be co-located.
• Native, 64-bit code:
  – 2x faster than .NET.
  – 10x faster than Java.
• Stored procedures:
  – For all data lookups, inserts.
  – Fast, efficient.
  – Eliminates client/server chatter.
• Modern crypto: AES-256, SSHA-512.


6.5 Authentication chains

• An authentication chain is a defined series of steps.
• Special type: interactively choose a chain.
• Special type: programmatically limit available chains.
• Risk-analysis: VPN? admin user?

[Figure: authentication chain diagram; labels not recoverable from the extracted text.]

6.6 User classes

User classes define sets of individual users or types of relationships between users:

• Sets of users:
  – By group membership.
  – In an OU.
  – Having certain attributes.
• Types of relationships:
  – Shared attributes (e.g., department, location).
  – Group membership of participants (e.g., security team).
  – Direct or indirect manager.

User classes are a natural way to define security policy:

• Route requests (requester+recipient/authorizer).
• Invite reviewers (user/certifier).
• Escalate requests (old/new participants).
• Limit visibility (viewer/user profile).
• Define what is requestable (requester/recipient).
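How user classes (6.6) can drive the risk-based limiting of authentication chains (6.5), as an added example that is not Hitachi ID code: the class names, chain names, factor steps and sample users are all constructed for illustration.

```python
"""User classes selecting authentication chains (added example, not Hitachi ID code).

A user class is a predicate over a user (by group, OU or attribute). An
authentication chain is an ordered list of steps. A risk analysis (VPN?
admin user?) limits which chains a user may pick interactively. All class
names, chain names, steps and sample users below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class User:
    login: str
    ou: str
    groups: set
    attrs: dict = field(default_factory=dict)


UserClass = Callable[[User], bool]

# The slide's three kinds of user-class definition: group, OU, attribute.
USER_CLASSES: Dict[str, UserClass] = {
    "admins":      lambda u: "Domain Admins" in u.groups,
    "contractors": lambda u: u.ou == "OU=Contractors",
    "security":    lambda u: u.attrs.get("department") == "Security",
}

# Chains are ordered step lists; steps prefixed "2fa:" are second factors.
CHAINS: Dict[str, List[str]] = {
    "password":     ["password"],
    "qa_only":      ["security_questions"],
    "password+app": ["password", "2fa:mobile_app"],
    "password+pin": ["password", "2fa:pin_to_phone"],
}


def classes_of(user: User) -> set:
    return {name for name, pred in USER_CLASSES.items() if pred(user)}


def is_strong(chain: List[str]) -> bool:
    return any(step.startswith("2fa:") for step in chain)


def available_chains(user: User, via_vpn: bool) -> List[str]:
    """Programmatically limit the chains offered for interactive choice.

    Constructed policy: admins and anyone arriving over VPN must use a chain
    with a 2FA step; contractors may not use the questions-only chain.
    """
    cls = classes_of(user)
    names = list(CHAINS)
    if via_vpn or "admins" in cls:
        names = [n for n in names if is_strong(CHAINS[n])]
    if "contractors" in cls:
        names = [n for n in names if n != "qa_only"]
    return names


def authenticate(user: User, via_vpn: bool, chosen: str, completed: List[str]) -> bool:
    """The interactive choice is honoured only if risk analysis allows it,
    and the chain succeeds only if every step was completed in order."""
    return chosen in available_chains(user, via_vpn) and completed == CHAINS[chosen]
```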


6.7 BYOD access to on-premises IAM system

The challenge:

• Users want access on their phones.
• Phone on the Internet, IAM on-prem.
• Don’t want attackers probing IAM from Internet.

Hitachi ID Mobile Access:

• Install + activate iOS, Android app.
• Proxy service on DMZ or cloud.
• IAM, phone both call the proxy - no firewall changes.
• IAM not visible on Internet.

[Figure: personal device on the Internet, cloud proxy in the DMZ, IAM server on the private corporate network, with a firewall between each zone; outbound connections only. Labels: (1) worker thread: "Give me an HTTP request"; (2) HTTPS request: "Includes userID, deviceID"; (3) message passing system.]
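The outbound-only relay in the diagram, as an added example that is not Hitachi ID code: in-process queues stand in for the two HTTPS legs, and the device IDs and "activated devices" table are constructed.

```python
"""Outbound-only relay between a phone app and an on-premises IAM server.

Added example, not Hitachi ID code. Both the phone and the IAM server
connect *out* to a proxy in the DMZ or cloud; the IAM server never accepts
an inbound connection, so it is not reachable from the Internet. Queues
stand in for HTTPS here; device IDs and the activation table are constructed.
"""
import queue
import uuid
from typing import Dict, Optional, Tuple


class CloudProxy:
    """Message passing system: parks phone requests until the IAM worker pulls them."""

    def __init__(self):
        self._pending = queue.Queue()          # (request id, request) awaiting a worker
        self._replies: Dict[str, dict] = {}    # request id -> reply for the phone

    # Phone side: the only party the phone ever talks to.
    def submit(self, request: dict) -> str:
        rid = str(uuid.uuid4())
        self._pending.put((rid, request))
        return rid

    def fetch_reply(self, rid: str) -> Optional[dict]:
        return self._replies.pop(rid, None)

    # IAM side: the worker thread asks "Give me an HTTP request" and later posts its answer.
    def next_request(self) -> Optional[Tuple[str, dict]]:
        try:
            return self._pending.get_nowait()
        except queue.Empty:
            return None                         # nothing queued; worker polls again later

    def post_reply(self, rid: str, reply: dict) -> None:
        self._replies[rid] = reply


class IamServer:
    """Inside the private network; makes outbound calls to the proxy only."""

    def __init__(self, proxy: CloudProxy, activated: Dict[str, str]):
        self.proxy = proxy
        self.activated = activated              # deviceID -> userID bound at app activation

    def work_once(self) -> bool:
        item = self.proxy.next_request()
        if item is None:
            return False
        rid, req = item
        # The request carries userID and deviceID; the device must be activated for that user.
        ok = self.activated.get(req.get("deviceID")) == req.get("userID")
        self.proxy.post_reply(rid, {"status": "ok" if ok else "denied", "action": req.get("action")})
        return True


def phone_reset_password(proxy: CloudProxy, iam: IamServer, user: str, device: str) -> dict:
    """Phone submits, IAM worker pulls and answers, phone collects the reply."""
    rid = proxy.submit({"userID": user, "deviceID": device, "action": "reset_password"})
    iam.work_once()
    return proxy.fetch_reply(rid)
```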


6.8 Included connectors

Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.

Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.

Server OS – X86/IA64: Windows: NT thru 2016; Linux and *BSD.

Server OS – Unix: Solaris, AIX and HP-UX.

Server OS – Mainframe: RACF, ACF/2 and TopSecret.

Server OS – Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.

ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.

Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.

Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.

Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.

Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.

PC filesystem encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.

Server health monitoring: HP iLO, Dell DRAC and IBM RSA.

HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.

Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.

Hypervisors and IaaS: AWS; vSphere and ESXi.

Mobile management: BlackBerry Enterprise Server and MobileIron.

Network devices: Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.

Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.

SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.

Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

6.9 Integration with custom apps

• Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed cost service available from Hitachi ID.


6.10 SAMLv2 Federated IdP

• Externalize login process from third party web apps.
• Cloud: Google Apps, Office 365, Salesforce.com, WebEx, Concur, etc.
• On-premise: SharePoint (via ADFS), HCP Anywhere, etc.
• Basically respond to SAMLv2 requests with assertions.
• Leverage user classes for authorization control, authentication chains for 2FA/MFA.

6.11 Hitachi ID Mobile Access authentication factor

• Leverage Hitachi ID Mobile Access on user phones as a soft token.
• Zero extra cost: organizations have no excuse to revert to just Q&A or just a password on Extranet logins.
• More secure password reset.
• 2FA for all Hitachi ID Privileged Access Manager logins, even if the network is down, AD or RADIUS unreachable.


6.12 HiTPM: self-service via phone call

Self-contained:

• Hitachi ID Phone Password Manager runs on a Windows server with a Dialogic phone card or with HMP software Dialogic solution.
• No IVR software is required.

Flexible:

• Fully scriptable and can implement any call logic.
• Multi-lingual: just record more voice prompts.
• The default call logic is powerful and easy to customize.

Integrated with Hitachi ID Password Manager:

• Manage user enrollment.
• Map network login ID to digits.
• HiPM ties to target systems.

Scalable:

• Multiple load balanced HiTPM servers.
• Multiple load balanced HiPM servers.

6.13 Language support

The Hitachi ID Password Manager UI can be rendered in many languages.

Languages are easy to add. Hitachi ID will do it for a nominal fee and customers can do it themselves.

7 Implementation


7.1 Hitachi ID professional services

• Hitachi ID offers a complete range of services relating to Hitachi ID Password Manager, including:
  – Needs analysis and solution design.
  – Fixed price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
• All implementation services are fixed price:
  – Solution design.
  – Statement of work.

8 Differentiation


8.1 HiPM differentiation

The most features

• Manage all credentials:
  – Passwords on directories, servers, apps, DBs.
  – On-premises and SaaS.
  – Pre-boot passwords.
  – Smart cards and tokens.
• 2FA for all users.
• Personal password vault.
• Federated single sign-on (SAML IdP).
• 120+ connectors included.

Always available

• Corporate PCs:
  – Pre-boot unlock screen.
  – Windows/MacOSX login screen.
  – Desktop browser.
• Smart phone app.
• Voice call to IVR.
• At work and off-site.

Scalable

• Multi-master, active-active.
• Load balanced, replicated.
• Geographically distributed.
• Multi-lingual.

The best ROI

• Reduce problem frequency:
  – Address root cause.
  – Don’t just download problem resolution to users.
• Managed enrollment to maximize adoption.
• Rapid deployment, minimal maintenance.

8.2 The leading PM vendor

Innovation

• Self-Service, Anywhere.
• Drive unlock via smart phone app or call to IVR.
• Integrated password wallet.
• Integrated federated access and SSO.
• 2FA for everyone.

Ongoing support

• Responsive and skilled customer support.
• Unattended operation:
  – Auto-discovery.
  – Managed enrollment.
  – Metrics and trend analysis.
  – SIEM, help desk integration.

Low cost

• Fixed-price implementation.
• Minimal need for ongoing maintenance.


9 Summary

An integrated solution for managing credentials:

• Immediate security benefit: password policy, help desk caller authentication.
• Low deployment cost, minimal ongoing investment, significant IT support savings.
• Always accessible:
  – Web browser on PC, phone or tablet.
  – Windows login prompt.
  – Pre-boot encryption password prompt.
  – Apps on iOS, Android.
  – Phone call / IVR.
  – Available at work and while off-site.

• 120+ connectors included.

Learn more at Hitachi-ID.com/Password-Manager

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

Date: 2018-06-14 File: PRCS:pres