
1 Hitachi ID Identity Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Entitlement administration and governance:
Automation, requests, approvals, recertification, SoD and RBAC.

2 Agenda
Corporate
Hitachi ID Identity Manager
Recorded Demos
Technology
Implementation
Differentiation

3 Corporate

2017 Hitachi ID Systems, Inc. All rights reserved. 1


Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally.
Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud.
Founded as M-Tech in 1992.
A division of Hitachi, Ltd. since 2008.
Over 1200 customers.
More than 14M+ licensed users.
Offices in North America, Europe and APAC.
Global partner network.

3.2 Representative customers


3.3 Hitachi ID Suite

4 Hitachi ID Identity Manager

4.1 Compliance / internal controls

Challenges:
  Slow and unreliable deactivation when people leave.
  Orphan and dormant accounts.
  Users with no-longer-needed access.
  Access that violates SoD policies or represents high risk.
  Unreliable approvals for access requests.
  Audit failures and regulatory risk.
Solutions:
  Automate deactivation based on SoR (HR).
  Review and remediate excessive access (certification).
  Block requests that would violate SoD.
  Analyze entitlements to find policy violations, high risk users.
  Automatically route access requests to appropriate stake-holders.


4.2 Access administration cost

Challenges:
  Multiple FTEs required to set up and deactivate access.
  Additional burden on platform administrators.
  Audit requests can add significant strain.
Solutions:
  Automate access setup and tear-down in response to changes in systems of record (SoRs).
  Simple, business-friendly access request forms.
  Route requests to authorizers automatically.
  Automate fulfillment where possible.
  Help auditors help themselves:
    With certification, auditors focus on process, not entitlements.
    Reports and analytics.

4.3 Access changes take too long

Challenges:
  Approvers take too long.
  Too many IT staff required to complete approved requests.
  Service is slow and expensive to deliver.
Solutions:
  Automatically grant access:
    Where predicted by job function, location, ...
    Eliminate request/approval process where possible.
  Streamline approvals:
    Automatically assign authorizers, based on policy.
    Invite participants simultaneously, not sequentially.
    Enable approvals from smart-phone.
    Pre-emptively escalate when stake-holders are out of office.
  Automate fulfillment where possible.


4.4 Access requests are too complicated

Challenges:
  Requesting access is complex:
    Where is the request form?
    What access rights do I need?
    How do I fill this in?
    Who do I send it to, for approval?
  Complexity creates frustration.
Solutions:
  Auto-assign access when possible.
  Simplify request forms.
  Intercept "access denied" errors:
    Lead users to the appropriate request form.
  Compare entitlements:
    Help requesters select entitlements.
    Compare recipient and model user rights.
    Select from a small set of differences.
  Automatically assign authorizers based on policy.

5 Features


5.1 HiIM features

Inputs:
  Monitor SoRs (automation).
  Systems and apps - current state.
  Request portal:
    Self-service.
    Delegated.
    Access admin.
  Web services API.
Processes:
  Request forms.
  Approval workflows.
  Access certification.
  Manual fulfillment.
  Analytics.
Policies:
  Segregation of duties.
  Risk scores.
  Role based access control.
  Authorizer, certifier selection.
  Visibility / privacy protection.
Outputs:
  Connectors to 110 systems and applications.
  E-mail.
  Create/update/close tickets.
  Send events to SIEM.

5.2 Identity and entitlement lifecycle automation


Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement lifecycles out of the gate:
  Joiners, movers, leavers processes.
  Password management, strong authentication and federation.
  Change requests, approval, review/certification.
  Driven by both SoR data and requests.
No need to "clean up" entitlements before automating access changes.
Roles can be added later: not a pre-requisite.
Automate first, clean up afterwards:
  Unlike with competitors, automation is pre-configured and easy.
  Start with basic integrations, add connectors over time.
  Leverage automation and user knowledge to help clean up.
  Add roles and expand automation over time.


5.3 Monitoring systems of record

Any target system can function as a system of record (SoR).
  Examples: HR apps, SQL databases, CSV files, ...
Hitachi ID Identity Manager can monitor multiple SoRs:
  Multinationals: regional HR systems.
  Colleges: students vs. faculty/staff.
  Map attributes to user profiles and prioritize.
Automatically submit access requests in response to detected changes.
Users can submit pre-emptive or corrective requests:
  New hire not yet in HR.
  HR data is wrong.
  Override SoR data until HR updates it.
Request portal handles users who never appear in SoRs:
  Contractors, partners, etc.
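The slide describes the SoR-monitoring loop in words: several feeds are merged by priority, users may override wrong SoR data until HR catches up, and detected changes turn into access requests. The following is an added, self-contained Python example of that loop written for this page; it is not Hitachi ID code, and the CSV feeds, the priority rule, the override mechanism and the joiner/mover/leaver classification are all constructed assumptions to make the idea concrete.

```python
"""Joiner / mover / leaver detection from system-of-record (SoR) snapshots.
Hypothetical example, not Hitachi ID code: two CSV feeds are merged by
priority, per-user overrides win over SoR data, and the merged view is
diffed against the previous one to produce access-change requests."""
import csv
import io

# Constructed sample feeds (yesterday / today) for two SoRs: an HR system
# (highest priority) and a contractor database (lower priority).
HR_YESTERDAY = """emp_id,name,dept,status
1001,Alice Adams,Finance,active
1002,Bob Brown,Sales,active
1003,Carol Cox,IT,active
"""
HR_TODAY = """emp_id,name,dept,status
1001,Alice Adams,Finance,active
1002,Bob Brown,Marketing,active
1004,Dan Dole,Sales,active
"""
CONTRACTORS_YESTERDAY = """emp_id,name,dept,status
2001,Eve Evans,Consulting,active
"""
CONTRACTORS_TODAY = """emp_id,name,dept,status
1003,Carol Cox,IT,active
2001,Eve Evans,Consulting,inactive
"""


def load_snapshot(text):
    """Parse one CSV feed into {emp_id: row}."""
    return {row["emp_id"]: row for row in csv.DictReader(io.StringIO(text))}


def merge_sors(sors, overrides=None):
    """Merge (name, snapshot) pairs listed in priority order, highest first.
    The first SoR that knows a person supplies the record. Overrides
    (e.g. a manager correcting wrong HR data) replace single attributes."""
    merged = {}
    for name, snap in sors:
        for emp_id, row in snap.items():
            if emp_id not in merged:          # a higher-priority SoR already claimed it
                merged[emp_id] = dict(row, source=name)
    for emp_id, attrs in (overrides or {}).items():
        if emp_id in merged:
            merged[emp_id].update(attrs)
    return merged


def _active(row):
    return row is not None and row["status"] == "active"


def detect_changes(before, after, watched=("dept",)):
    """Diff two merged views; return (event, emp_id, details) tuples."""
    events = []
    for emp_id in sorted(set(before) | set(after)):
        old, new = before.get(emp_id), after.get(emp_id)
        if not _active(old) and _active(new):
            events.append(("joiner", emp_id, {"dept": new["dept"]}))
        elif _active(old) and not _active(new):
            events.append(("leaver", emp_id, {}))
        elif _active(old) and _active(new):
            diff = {k: (old[k], new[k]) for k in watched if old[k] != new[k]}
            if diff:
                events.append(("mover", emp_id, diff))
    return events


def requests_for(events):
    """Turn lifecycle events into the access requests automation would submit."""
    actions = {"joiner": "create", "leaver": "disable", "mover": "recertify"}
    return [{"action": actions[e], "user": u, **d} for e, u, d in events]


def run_example():
    before = merge_sors([("hr", load_snapshot(HR_YESTERDAY)),
                         ("contractors", load_snapshot(CONTRACTORS_YESTERDAY))])
    # Pre-emptive correction: Alice has moved to Treasury but HR lags behind.
    after = merge_sors([("hr", load_snapshot(HR_TODAY)),
                        ("contractors", load_snapshot(CONTRACTORS_TODAY))],
                       overrides={"1001": {"dept": "Treasury"}})
    return detect_changes(before, after)


if __name__ == "__main__":
    for request in requests_for(run_example()):
        print(request)
```

Note that Carol (1003) disappears from HR but is still known to the contractor feed, so the merge keeps her active and no leaver event fires; a deactivation is only raised when no SoR of any priority still reports the person as active.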

5.4 Requester usability

Users rarely know where or how to request access!
Windows shell extension, SharePoint error page:
  Intercept "Access Denied" errors.
  Navigate user to appropriate request URL.
Compare users:
  Compare entitlements between the intended recipient and a reference user.
  Select entitlements from the variance.
Search for entitlements:
  Keywords, description, metadata/tags.
Relationship between requester and recipient:
  What recipients can the requester see?
  What identity attributes are visible?
  What kinds of requests are available?


5.5 Robust, policy-driven workflow

Workflow invites stake-holders to participate in processes:
  Approve or reject a request.
  Review entitlements and recertify or remediate.
  Fulfill an approved request.
  Extensible, e.g., audit cases.
Stake-holders are invited based on policy:
  No flow-charts or diagrams required.
  Process is simple, transparent and secure.
  Routing may be based on relationships, resource ownership, risk.
The process is robust, even when people aren't:
  Invite N participants, accept responses from M (M<N).
  Simultaneous invitations by default (sequential made sense for paper forms).
  Automatically send reminders.
  Escalate (e.g., to manager) if unresponsive.
  Check out-of-office message, pre-emptively escalate.
  Accessible from smart phone, not just PC.
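To make the "robust even when people aren't" rules concrete, here is an added Python simulation of such an approval workflow. It is an illustration written for this page, not Hitachi ID's workflow engine: the hour-stepped clock, the 24-hour reminder and 48-hour escalation thresholds, the people and their response times are all constructed assumptions. It shows simultaneous invitations, M-of-N acceptance, reminders, escalation to a manager when someone is unresponsive, and pre-emptive escalation when an authorizer is out of office.

```python
"""Policy-driven approval workflow simulation. Hypothetical example, not
Hitachi ID code. N authorizers are invited at once; the request completes
as soon as M approvals (or one rejection) arrive; unresponsive people get
a reminder and are then escalated to their manager; out-of-office people
are escalated immediately."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Person:
    name: str
    manager: Optional[str] = None
    out_of_office: bool = False
    responds_after: Optional[int] = None   # hours from invitation to answer; None = never
    decision: str = "approve"


@dataclass
class Invite:
    who: str
    sent_at: int


def run_workflow(people, invitees, required, remind_after=24, escalate_after=48, max_hours=240):
    """people: {name: Person}; invitees: the N names policy selected;
    required: M, the number of approvals needed. Returns (outcome, log)."""
    log, open_invites, responses = [], [], {}

    def invite(name, now):
        person = people[name]
        if person.out_of_office and person.manager:       # pre-emptive escalation
            log.append((now, f"{name} is out of office; escalating to {person.manager}"))
            invite(person.manager, now)
        else:
            log.append((now, f"invited {name}"))
            open_invites.append(Invite(name, now))

    for name in invitees:                                  # simultaneous, not sequential
        invite(name, 0)

    for now in range(max_hours + 1):
        for inv in list(open_invites):
            person = people[inv.who]
            elapsed = now - inv.sent_at
            if person.responds_after is not None and elapsed >= person.responds_after:
                responses[inv.who] = person.decision
                log.append((now, f"{inv.who} responded: {person.decision}"))
                open_invites.remove(inv)
            elif elapsed == remind_after:
                log.append((now, f"reminder sent to {inv.who}"))
            elif elapsed == escalate_after:
                open_invites.remove(inv)
                if person.manager:
                    log.append((now, f"{inv.who} unresponsive; escalating to {person.manager}"))
                    invite(person.manager, now)
                else:
                    log.append((now, f"{inv.who} unresponsive; no escalation path"))
        if "reject" in responses.values():
            return "rejected", log
        if list(responses.values()).count("approve") >= required:
            return "approved", log
        if not open_invites:
            return "stalled", log
    return "timed out", log


def make_people(dana_decision="approve"):
    """Constructed scenario: three authorizers and two managers."""
    return {
        "dana": Person("dana", manager="vp-ops", responds_after=6, decision=dana_decision),
        "eli": Person("eli", manager="vp-ops", out_of_office=True),
        "fay": Person("fay", manager="vp-eng"),            # never answers
        "vp-ops": Person("vp-ops", responds_after=2),
        "vp-eng": Person("vp-eng", responds_after=1),
    }


def run_example(required=2, dana_decision="approve"):
    return run_workflow(make_people(dana_decision), ["dana", "eli", "fay"], required)


if __name__ == "__main__":
    outcome, log = run_example(required=3)
    for hour, line in log:
        print(f"t+{hour:3d}h  {line}")
    print(outcome)
```

With M=2 the request is approved after six hours without anyone waiting on the absent authorizers; with M=3 the log shows the reminder to the silent authorizer at 24 hours, the escalation to her manager at 48 hours, and approval once that manager answers. A single rejection ends the process immediately, which is the conservative choice for an access grant.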

5.6 Reports, dashboards and analytics

Over 150 reports built in:
  Many include multiple modes (e.g., dormant vs. orphan accounts).
  Identities, entitlements, history, system operation, trends, etc.
  Easy to add custom reports.
  Many dashboards included as well.
Run interactively or schedule (once, recurring).
Deliver output (HTML, CSV, PDF):
  Interactively.
  In e-mails.
  Drop files on UNC shares.
  Stream results via web services.
Actionable analytics:
  Feedback from reports to requests.
  Automated remediation.
Database is normalized and documented; 3rd party tools can be used too.

6 Recorded Demos


6.1 Intercept Access Denied Dialogs

Animation: ../../pics/camtasia/v10/higm-A-request-folder.mp4

6.2 Authorization of a request for security group membership

Animation: ../../pics/camtasia/v10/higm-B-request-approve.mp4

6.3 Request approved, user can access the folder

Animation: ../../pics/camtasia/v10/higm-C-approved-open-file-nb.mp4

6.4 Mobile request approval

Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4

6.5 Compare user entitlements

Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4

6.6 Application-centric certification

Animation: ../../pics/camtasia/v10/hiac-complete-app-centric-2.mp4

6.7 Add contact to phone

Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

6.8 Actionable analytics: Disable orphan accounts

Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4

7 Technology


7.1 Multi-master architecture

Diagram: multi-master architecture. Components shown: Hitachi ID servers in data center A and data center B (replicated, behind load balancers and a reverse web proxy); native password change / password synch trigger systems (AD, Unix, z/OS, LDAP, iSeries; z/OS uses a local agent to validate passwords); SaaS apps and mobile users reached through a cloud proxy and mobile UI; managed endpoints (AD, SQL, SAP, Notes, etc.); VPN server; IVR server; MS SQL databases; notifications and invitations (e-mail, tickets); ticketing system; system of record (HR); remote data center with a proxy server and managed endpoints with a remote agent. Links labelled: TCP/IP + AES, various protocols, secure native protocol, HTTPS (if needed), crossing firewalls.


7.2 Key architectural features

Diagram: key architectural features. Labels: BYOD enabled; on premise and SaaS; SaaS apps in the cloud; replicated across data centers (A and B); horizontal scaling; load balanced; remote data center; reach across firewalls; TCP/IP + AES; various protocols; secure native protocol; HTTPS.

7.3 Internal architecture


Multi-master, active-active out of the box.
Built-in data replication between app nodes:
  Fault tolerant.
  Secure - encrypted.
  Reliable - queue and retry.
  App nodes need not, and should not, be co-located.
Native, 64-bit code:
  2x faster than .NET.
  10x faster than Java.
Stored procedures:
  For all data lookups, inserts.
  Fast, efficient.
  Eliminates client/server chatter.
Modern crypto: AES-256, SSHA-512.


7.4 BYOD access to on-premises IAM system

The challenge:
  Users want access on their phones.
  Phone on the Internet, IAM on-prem.
  Don't want attackers probing IAM from the Internet.
  IAM not visible on Internet.
Hitachi ID Mobile Access:
  Install + activate iOS, Android app.
  Proxy service on DMZ or cloud.
  IAM, phone both call the proxy - no firewall changes.

Diagram: the personal device on the Internet sends an HTTPS request (including userID and deviceID) to the cloud proxy; the IAM server on the private corporate network, behind the firewalls and DMZ, makes outbound connections only; an IAM worker thread asks the proxy "Give me an HTTP request"; the proxy's message passing system hands the request over. The original figure numbers these steps (1) to (3).


7.5 Included connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, Active Directory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008[R2], 2012[R2], Samba.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, Progress, Hyperion, Cache, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, iNotes, Exchange, SharePoint, BlackBerry ES.
Tokens, Smart Cards: RSA SecurID, SafeWord, Vasco, ActivIdentity, Schlumberger, RADIUS.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Success Factors, Salesforce.com, SOAP.

7.6 Rapid integration with custom apps


Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents.
Each flexible agent connects to a class of applications:
  API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  Telnet / TN3270 / TN5250 sessions with TLS or SSL.
  SSH sessions.
  HTTP(S) administrative interfaces.
  Web services.
  Win32 and Unix command-line administration programs.
  SQL scripts.
  Custom LDAP attributes.
Integration takes a few hours to a few days.
Fixed cost service available from Hitachi ID.


8 Implementation

8.1 Hitachi ID professional services


Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
  Needs analysis and solution design.
  Fixed price system deployment.
  Project planning.
  Roll-out management, including maximizing user adoption.
  Ongoing system monitoring.
  Training.
Services are based on extensive experience with the Hitachi ID solution delivery process.
The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
All implementation services are fixed price:
  Solution design.
  Statement of work.


8.2 ID Express

Before reference implementations:
  Every implementation starts from scratch.
  Some code reuse, in the form of libraries.
  Even simple business processes have complex boundary conditions:
    Onboarding: initial passwords, blocking rehires.
    Termination: scheduled vs. immediate, warnings, cleanup.
    Transfers: move mailboxes and homedirs, trigger recertification.
  Complex processes often scripted.
  Delay, cost, risk.
With Hitachi ID Identity Express:
  Start with a fully configured system.
  Handles all the basic user lifecycle processes out of the box.
  Basic integrations pre-configured (HR, AD, Exchange, Windows).
  Implementation means "adjust as required" not "build from scratch."
  Configuration is fully data driven (no scripts).
  Fast, efficient, reliable.


8.3 ID Express - Corporate: details

Integrations:
  SQL-based HR SoR.
  AD domain.
  Exchange domain (mailboxes).
  Windows filesystem (homedirs).
Entitlements:
  Login IDs.
  Group memberships.
  Roles.
User communities:
  Employees.
  Contractors/other.
Configuration:
  Based on user classes, rules tables and lookup tables.
  Near-zero script logic.
Automation:
  Onboard/deactivate based on SoR.
  Identity attribute propagation.
Self-service:
  Password, security question management.
  Update to contact info.
  Request for application, share, folder access.
Delegated admin:
  Same as self-service, plus recert.
Approval workflows:
  IT security (global rights).
  HR/managers (approve for each-other).
Recertification:
  Scheduled.
  Ad-hoc.


8.4 Services impact of ID Express


Chart: effort per project phase, in days, given as (without / with Identity Express). Phases as they appear in the chart:
  Documentation (5/5 days)
  Production migration (2/2 days)
  Implement new processes (30/5 days)
  Test in prod., feedback, fixes (5/5 days)
  Test, debug, fix (15/15 days)
  Retest, adjust (10/10 days)
  Pilot test, adjust (20/15 days); Test, debug, adjust (15/5 days)
  Get feedback (15/5 days)
  Production migration (2/2 days)
  Test, debug, adjust (30/10 days)
  Basic integrations (5/5 days); Advanced integrations (30/30 days)
  Production migration (2/2 days)
  Design new processes (30/5 days)
  Implement new processes (30/5 days)
  Deploy software (2/2 days)
  Document old processes (30/5 days)
  Initial planning (5/5 days)

9 Differentiation


9.1 HiIM differentiation (1/3)

Feature: Hitachi ID Identity Express
  Details: Pre-configured processes, policies. Full menu of components. Rich processes. Faster deployment. Low implementation risk.
  Competitors: Slow, risky deployment. Never get around to J/M/L implementation or process automation.

Feature: Requester usability
  Details: Intercept "access denied" errors. Compare entitlements of recipient, model users. Usability aid for requesters.
  Competitors: Hard to find request portal. Users don't know how to request access. Low user adoption. Reduced ROI.

Feature: SoD actually works
  Details: Hierarchy of roles, groups. Roles can contain groups, more roles. Groups can contain other groups. SoD defined at one level, violation may happen at another. Hitachi ID Identity Manager reliably detects, prevents violations.
  Competitors: Fail to detect some violations. Users can bypass controls. False sense of security. Audit failures. Regulatory risk.
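The "SoD defined at one level, violation at another" point is the one most often mis-implemented, so here is an added Python example, written for this page and not Hitachi ID code, of how a checker must flatten nested roles and groups before evaluating a rule. The containment graph, the role and group names and the single SoD rule are constructed assumptions; the rule is written between two roles, while the check runs on the user's effective leaf entitlements, so a user who obtains the second role's capabilities through a different role and a nested group is still caught.

```python
"""Segregation-of-duties check over nested roles and groups. Hypothetical
example, not Hitachi ID code. Roles may contain groups and other roles;
groups may contain other groups. A rule names two conflicting roles, but
the check is done on flattened, effective entitlements, so a conflict
introduced through nesting is still detected."""

# Constructed containment graph: container -> direct members. Names not in
# the graph (ent:*) are leaf entitlements.
CONTAINS = {
    "role:ap-clerk":      ["grp:ap-users", "role:vendor-reader"],
    "role:vendor-reader": ["ent:vendor:read"],
    "grp:ap-users":       ["ent:invoice:create", "grp:ap-basic"],
    "grp:ap-basic":       ["ent:erp:login"],
    "role:payments":      ["grp:treasury"],
    "grp:treasury":       ["ent:payment:release", "grp:ap-basic"],
    "role:auditor":       ["ent:invoice:read", "ent:payment:read"],
    "role:finance-lead":  ["role:auditor", "grp:treasury"],
}

# Rule written at the role level: nobody may hold both of these capabilities.
SOD_RULES = [("create-and-pay", "role:ap-clerk", "role:payments")]


def effective(item, graph=CONTAINS):
    """Flatten item into {leaf_entitlement: containment path}; cycle-safe."""
    result, visited, stack = {}, set(), [(item, [item])]
    while stack:
        node, path = stack.pop()
        if node in visited:
            continue
        visited.add(node)
        if node not in graph:              # leaf entitlement
            result[node] = path
            continue
        for child in graph[node]:
            stack.append((child, path + [child]))
    return result


def user_entitlements(assignments, graph=CONTAINS):
    """Union of effective entitlements over everything assigned to a user."""
    ents = {}
    for item in assignments:
        for leaf, path in effective(item, graph).items():
            ents.setdefault(leaf, path)     # keep the first path found
    return ents


def holds(ents, item, graph=CONTAINS):
    """True if ents covers every leaf that item would grant, however obtained."""
    return set(effective(item, graph)) <= set(ents)


def sod_violations(assignments, rules=SOD_RULES, graph=CONTAINS):
    """Return (rule, side_a, side_b, {leaf: 'how obtained'}) for each violation."""
    ents = user_entitlements(assignments, graph)
    found = []
    for name, a, b in rules:
        if holds(ents, a, graph) and holds(ents, b, graph):
            leaves = set(effective(a, graph)) | set(effective(b, graph))
            found.append((name, a, b, {l: " > ".join(ents[l]) for l in sorted(leaves)}))
    return found


def check_request(current, requested, rules=SOD_RULES, graph=CONTAINS):
    """Preventive check: would granting `requested` on top of `current` violate SoD?"""
    return sod_violations(list(current) + list(requested), rules, graph)


if __name__ == "__main__":
    for violation in check_request(["role:ap-clerk"], ["role:finance-lead"]):
        print(violation)
```

Neither role:ap-clerk nor role:finance-lead names role:payments, yet the request is blocked: the explanation map shows ent:payment:release arriving via role:finance-lead > grp:treasury, which is exactly the path a role-level-only comparison would miss. A detective run of sod_violations over all existing assignments finds the same class of violation in entitlements granted before the rule existed.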


9.2 HiIM differentiation (2/3)

Feature: Active-active architecture
  Details: Multiple servers. Load balanced. Geographically distributed. No single point of failure. Scalable.
  Competitors: Single points of failure. Costly to scale. Slow to recover from disasters.

Feature: Smart phone access
  Details: Android and iOS apps. Cloud-hosted proxy. No public URL. Approvals, 2FA, contact download, etc.
  Competitors: Require a public URL. Less secure / rarely permitted. No viable BYOD strategy. Impacts security, approval SLA.

Feature: Actionable analytics
  Details: Link report output to request input. Automated remediation. Immediate or scheduled. No coding.
  Competitors: Fewer reports, analytics. No automated remediation.


9.3 HiIM differentiation (3/3)

Feature: Governance, provisioning in one product
  Details: Governance: requests, approvals, certification, SoD, RBAC, analytics. Provisioning: connectors, J/M/L process automation. Single, integrated solution.
  Competitors: Some focus on governance (no remediation, no J/M/L process automation). Others focus on provisioning (no certification, limited analytics). Higher total cost. Integration risk.

Feature: Policies built on relationships
  Details: Relationships drive all policies in Hitachi ID Identity Manager. Who can a user search for? What data is visible? What changes are requestable? Who will be asked to approve? Escalation path?
  Competitors: Hierarchical access controls. Script code for exceptions. Costly, risky. Hard to configure, maintain.

10 Summary
An integrated solution for managing identities and entitlements:
Automation: onboarding, deactivation, detect out-of-band changes.
Self-service: profile updates, access requests.
Governance: certification, authorization workflow, RBAC, SoD, analytics.
Automatically manage identities, entitlements: 110 bidirectional connectors.
Other integrations: filesystem, collaboration, SIEM, incident management.
Rapid deployment: pre-configured Hitachi ID Identity Express.

Security, lower cost, faster service.

Learn more at Hitachi-ID.com/Identity-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com Date: 2017-03-15 | 2017-03-15 File: PRCS:pres
