1 Hitachi ID Identity Manager

Managing the User Lifecycle

Across On-Premises and
Cloud-Hosted Applications

Entitlement administration and governance:

Automation, requests, approvals, recertification, SoD and RBAC.

2 Agenda
Corporate
Hitachi ID Identity Manager
Recorded Demos
Technology
Implementation
Differentiation

3 Corporate

2017 Hitachi ID Systems, Inc. All rights reserved. 1

 Slide Presentation

3.1 Hitachi ID corporate overview

Hitachi ID delivers access governance

and identity administration solutions
to organizations globally.
Hitachi ID IAM solutions are used by Fortune
500
companies to secure access to systems
in the enterprise and in the cloud.
Founded as M-Tech in 1992.
A division of Hitachi, Ltd. since 2008.
Over 1200 customers.
More than 14M+ licensed users.
Offices in North America, Europe and
APAC.
Global partner network.

3.2 Representative customers

2017 Hitachi ID Systems, Inc. All rights reserved. 2

 Slide Presentation

3.3 Hitachi ID Suite

4 Hitachi ID Identity Manager

4.1 Compliance / internal controls

Challenges Solutions
Slow and unreliable deactivation when Automate deactivation based on SoR
people leave. (HR).
Orphan and dormant accounts. Review and remediate excessive access
Users with no-longer-needed access. (certification).
Access that violates SoD policies or Block requests that would violate SoD.
represents high risk. Analyze entitlements to find policy
Unreliable approvals for access requests. violations, high risk users.
Audit failures and regulatory risk. Automatically route access requests to
appropriate stake-holders.

2017 Hitachi ID Systems, Inc. All rights reserved. 3

 Slide Presentation

4.2 Access administration cost

Challenges Solutions
Multiple FTEs required to setup, Automate access setup, tear-down in
deactivate access. response to changes in systems of record
Additional burden on platform (SoRs).
administrators. Simple, business-friendly access request
Audit requests can add significant strain. forms.
Route requests to authorizers
automatically.
Automate fulfillment where possible.
Help auditors help themselves:

With certification, auditors focus on

process, not entitlements.
Reports and analytics.

4.3 Access changes take too long

Challenges Solutions
Approvers take too long. Automatically grant access:
Too many IT staff required to complete
approved requests. Where predicted by job function,
Service is slow and expensive to deliver. location, ...
Eliminate request/approval process
where possible.
Streamline approvals:
Automatically assign authorizers,
based on policy.
Invite participants simultaneously,
not sequentially.
Enable approvals from smart-phone.
Pre-emptively escalate when
stake-holders are out of office.
Automate fulfillment where possible.

2017 Hitachi ID Systems, Inc. All rights reserved. 4

 Slide Presentation

4.4 Access requests are too complicated

Challenges Solutions
Requesting access is complex: Auto-assign access when possible.
Simplify request forms.
Where is the request form? Intercept "access denied" errors:
What access rights do I need?
How do I fill this in? Navigate lead users to appropriate
Who do I send it to, for approval? request forms.
Complexity creates frustration. Compare entitlements:
Help requesters select entitlements.
Compare recipient, model user
rights.
Select from a small set of
differences.
Automatically assign authorizers based
on policy.

5 Features

2017 Hitachi ID Systems, Inc. All rights reserved. 5

 Slide Presentation

5.1 HiIM features

Inputs Processes
Monitor SoRs (automation). Request forms.
Systems and apps - current state. Approval workflows.
Request portal: Access certification.
Manual fulfillment.
Self-service. Analytics.
Delegated.
Access admin.
Web services API.
Policies Outputs
Segregation of duties. Connectors to 110 systems and
Risk scores. applications.
Role based access control. E-mail.
Authorizer, certifier selection. Create/update/close tickets.
Visibility / privacy protection. Send events to SIEM.

5.2 Identity and entitlement lifecycle automation

Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement
lifecycles out of the gate:
Joiners, movers, leavers processes.
Password management, strong authentication and federation.
Change requests, approval, review/certification.
Driven by both SoR data and requests.
No need to "clean up" entitlements before automating access changes.
Roles can be added later: not a pre-requisite.
Automate first, clean up afterwards:
Unlike with competitors, automation is pre-configured and easy.
Start with basic integrations, add connectors over time.
Leverage automation and user knowledge to help clean up.
Add roles and expand automation over time.

2017 Hitachi ID Systems, Inc. All rights reserved. 6

 Slide Presentation

5.3 Monitoring systems of record

Any target system can function as a system of record

(SoR).
Examples: HR apps, SQL databases, CSV files, ...
Hitachi ID Identity Manager can monitor multiple SoRs:

Multinationals: regional HR systems.

Colleges: students vs. faculty/staff.
Map attributes to user profiles and prioritize.
Automatically submit access requests in response to
detected changes.
Users can submit pre-emptive or corrective requests:
New hire not yet in HR.
HR data is wrong.
Override SoR data until HR updates it.
Request portal handles users who never appear in SoRs:

Contractors, partners, etc.

5.4 Requester usability

Users rarely know where or how to request access!

Windows shell extension, SharePoint error page:
Intercept "Access Denied" errors.
Navigate user to appropriate request URL.
Compare users:
Compare entitlements between the intended recipient and a
reference user.
Select entitlements from the variance.
Search for entitlements:
Keywords, description, metadata/tags.
Relationship between requester and recipient:
What recipients can the requester see?
What identity attributes are visible?
What kinds of requests are available?

2017 Hitachi ID Systems, Inc. All rights reserved. 7

 Slide Presentation

5.5 Robust, policy-driven workflow

Workflow invites stake-holders to participate in processes:

Approve or reject a request.
Review entitlements and recertify or remediate.
Fulfill an approved request.
Extensible. e.g., audit cases.
Stake-holders are invited based on policy:
No flow-charts or diagrams required.
Process is simple, transparent and secure.
Routing may be based on relationships, resource ownership, risk.
The process is robust, even when people arent:
Invite N participants, accept response from M (M<N).
Simultaneous invitations by default (sequential made sense for
paper forms).
Automatically send reminders.
Escalate (e.g., to manager) if unresponsive.
Check out-of-office message, pre-emptively escalate.
Accessible from smart phone, not just PC.

5.6 Reports, dashboards and analytics

Over 150 reports built in:

Many include multiple modes (e.g,. dormant vs. orphan accounts).

Identities, entitlements, history, system operation, trends, etc.
Easy to add custom reports.
Many dashboards included as well.
Run interactively or schedule (once, recurring).
Deliver output (HTML, CSV, PDF):
Interactively.
In e-mails.
Drop files on UNC shares.
Stream results via web services.
Actionable analytics:
Feedback from reports to requests.
Automated remediation.
Database is normalized, documented can use 3rd party tools too.

6 Recorded Demos

2017 Hitachi ID Systems, Inc. All rights reserved. 8

 Slide Presentation

6.1 Intercept Access Denied Dialogs

Animation: ../../pics/camtasia/v10/higm-A-request-folder.mp4

6.2 Authorization of a request for security group membership

Animation: ../../pics/camtasia/v10/higm-B-request-approve.mp4

6.3 Request approved, user can access the folder

Animation: ../../pics/camtasia/v10/higm-C-approved-open-file-nb.mp4

6.4 Mobile request approval

Animation: ../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4

6.5 Compare user entitlements

Animation: ../../pics/camtasia/v10/hiim-model-after-ui.mp4

6.6 Application-centric certification

Animation: ../../pics/camtasia/v10/hiac-complete-app-centric-2.mp4

6.7 Add contact to phone

Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4

6.8 Actionable analytics: Disable orphan accounts

Animation: ../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4

7 Technology

2017 Hitachi ID Systems, Inc. All rights reserved. 9

 Slide Presentation

7.1 Multi-master architecture

Native password
change
Password synch
trigger systems SaaS apps

AD, Unix, z/OS, Mobile

LDAP, iSeries proxy

z/OS - local agent Mobile UI lo ud
Manage C
Validate pw

Hitachi ID
servers
Load
balancers
Reverse
web
proxy Managed endpoints
VPN server
with remote agent:
Replication AD, SQL, SAP, Notes, etc
IVR server MS SQL databases
B
Hitachi ID ter
Notifications servers c en r
t a te
and invitations
Da cen
E-mail Tickets data
ote
Firewalls
system m
System of Re
Ticketing record
TCP/IP + AES system
A
HR n ter Managed
Various protocols
ce endpoints
ta
Secure native protocol Da
Proxy server
HTTPS (if needed)

2017 Hitachi ID Systems, Inc. All rights reserved. 10

 Slide Presentation

7.2 Key architectural features

BYOD enabled
On premise and SaaS SaaS apps

lo ud
C
Replicated across data centers
Horizontal scaling

Load balanced

B
ter
c en r
t a te
Da cen
data
m ote
Re
TCP/IP + AES
A
nter
Various protocols
ce
ta Reach across firewalls
Secure native protocol Da

HTTPS

7.3 Internal architecture

Multi-master, active-active out of the box.
Built-in data replication between app nodes:

Fault tolerant.
Secure - encrypted.
Reliable - queue and retry.
App nodes need and should not be co-located.
Native, 64-bit code:

2x faster than .NET.

10x faster than Java.
Stored procedures:
For all data lookups, inserts.
Fast, efficient.
Eliminates client/server chatter.
Modern crypto: AES-256, SSHA-512

2017 Hitachi ID Systems, Inc. All rights reserved. 11

 Slide Presentation

7.4 BYOD access to on-premises IAM system

The challenge Hitachi ID Mobile Access

Users want access on their phones. Install + activate iOS, Android app.
Phone on the Internet, IAM on-prem. Proxy service on DMZ or cloud.
Dont want attackers probing IAM from IAM, phone both call the proxy - no
Internet. firewall changes.
IAM not visible on Internet.

Internet

Personal Firewall Firewall IAM server

device
(2)
HTTPS request: DMZ Private corporate
Includes userID, (1) network
Outbound connections only
deviceID Worker thread:
Give me an HTTP
request

Cloud (3)
proxy Message passing system

2017 Hitachi ID Systems, Inc. All rights reserved. 12

 Slide Presentation

7.5 Included connectors

Many integrations to target systems included in the base price:

Directories: Servers: Databases:

Any LDAP, Active Directory, Windows NT, 2000, 2003, Oracle, Sybase, SQL Server,
NIS/NIS+. 2008[R2], 2012[R2], Samba. DB2/UDB, Informix, Progress,
Hyperion, Cache, ODBC.
Unix: Mainframes, Midrange: HDD Encryption:
Linux, Solaris, AIX, HPUX, 24 z/OS: RACF, ACF2, McAfee, CheckPoint,
more variants. TopSecret. iSeries, BitLocker, PGP.
OpenVMS.
ERP: Collaboration: Tokens, Smart Cards:
JDE, Oracle eBiz, Lotus Notes, iNotes, RSA SecurID, SafeWord,
PeopleSoft, PeopleSoft HR, Exchange, SharePoint, Vasco, ActivIdentity,
SAP R/3 and ECC 6, Siebel, BlackBerry ES. Schlumberger, RADIUS.
Business Objects.
WebSSO: Help Desk: Cloud/SaaS:
CA Siteminder, IBM TAM, ServiceNow, BMC Remedy, WebEx, Google Apps, MS
Oracle AM, RSA Access SDE, HP SM, CA Unicenter, Office 365, Success Factors,
Manager. Assyst, HEAT, Altiris, Clarify, Salesforce.com, SOAP.
RSA Envision, Track-It!, MS
System Center

7.6 Rapid integration with custom apps

Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using
flexible agents .
Each flexible agent connects to a class of applications:

API bindings (C, C++, Java, COM, ActiveX, MQ Series).

Telnet / TN3270 / TN5250 / sessions with TLS or SSL.
SSH sessions.
HTTP(S) administrative interfaces.
Web services.
Win32 and Unix command-line administration programs.
SQL scripts.
Custom LDAP attributes.
Integration takes a few hours to a few days.
Fixed cost service available from Hitachi ID.

2017 Hitachi ID Systems, Inc. All rights reserved. 13

 Slide Presentation

8 Implementation

8.1 Hitachi ID professional services

Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including:
Needs analysis and solution design.
Fixed price system deployment.
Project planning.
Roll-out management, including maximizing user adoption.
Ongoing system monitoring.
Training.
Services are based on extensive experience with the Hitachi ID solution delivery process.
The Hitachi ID professional services team is highly technical and have years of experience deploying
IAM solutions.
Hitachi ID partners with integrators that also offer business process and system design services to
mutual customers.
All implementation services are fixed price:
Solution design.
Statement of work.

2017 Hitachi ID Systems, Inc. All rights reserved. 14

 Slide Presentation

8.2 ID Express

Before reference implementations: With Hitachi ID Identity Express:

Every implementation starts from Start with a fully configured system.
scratch. Handles all the basic user lifecycle
Some code reuse, in the form of processes out of the box.
libraries. Basic integrations pre-configured (HR,
Even simple business processes have AD, Exchange, Windows).
complex boundary conditions: Implementation means "adjust as
required" not "build from scratch."
Onboarding: initial passwords, Configuration is fully data driven (no
blocking rehires. scripts).
Termination: scheduled vs. Fast, efficient, reliable.
immediate, warnings, cleanup.
Transfers: move mailboxes and
homedirs, trigger recertification.
Complex processes often scripted.
Delay, cost, risk.

2017 Hitachi ID Systems, Inc. All rights reserved. 15

 Slide Presentation

8.3 ID Express - Corporate: details

Integrations: Automation:
SQL-based HR SoR. Onboard/deactivate based on SoR.
AD domain Identity attribute propagation.
Exchange domain (mailboxes) Self-service:
Windows filesystem (homedirs)
Entitlements: Password, security question
management.
Login IDs. Update to contact info.
Group memberships. Request for application, share, folder
Roles. access.
User communities: Delegated admin:
Employees. Same as self-service, plus recert.
Contractors/other. Approval workflows:
Configuration:
IT security (global rights).
Based on user classes, rules tables HR/managers (approve for
and lookup tables. each-other).
Near-zero script logic. Recertification:
Scheduled.
Ad-hoc.

2017 Hitachi ID Systems, Inc. All rights reserved. 16

 Slide Presentation

8.4 Services impact of ID Express

Documentation (5/5 days)

Production migration (2/2 days)

Implement new processes (30/5 days)

Test in prod., feedback, fixes (5/5 days)

Test, debug, fix (15/15 days)

Retest, adjust (10/10 days)

Pilot test, adjust (20/15 days) Test, debug, adjust (15/5 days)

Get feedback (15/5 days)

Production migration (2/2 days)

Test, debug, adjust (30/10 days)

Basic integrations (5/5 days) Advanced integrations (30/30 days)

Production migration (2/2 days)

Design new processes (30/5 days)

Implement new processes (30/5 days)

Deploy software (2/2 days)

Document old processes (30/5 days)

Initial planning (5/5 days)

9 Differentiation

2017 Hitachi ID Systems, Inc. All rights reserved. 17

 Slide Presentation

9.1 HiIM differentiation (1/3)

Feature Details Competitors

Hitachi ID Identity Express
Pre-configured Slow, risky deployment.
processes, policies. Never get around to J/M/L
Full implementation or process automation.
menu of components.
Rich processes.
Faster deployment.
Low implementation risk.

Requester usability
Intercept "access denied" Hard to find request
errors. portal.
Compare entitlements of Users dont know how to
recipient, model users. request access.
Usability aid for Low user adoption.
requesters. Reduced ROI.

SoD actually works

Hierarchy of roles, Fail to detect some
groups. violations.
Roles can contain Users can bypass
groups, more roles. controls.
Groups can contain other False sense of security.
groups. Audit failures.
SoD defined at one level, Regulatory risk.
violation may happen at
another.
Hitachi ID Identity
Manager reliably detects,
prevents violations.

2017 Hitachi ID Systems, Inc. All rights reserved. 18

 Slide Presentation

9.2 HiIM differentiation (2/3)

Feature Details Competitors

Active-active architecture
Multiple servers. Single points of failure.
Load balanced. Costly to scale.
Geographically Slow to recover from
distributed. disasters.
No single point of failure.
Scalable.

Smart phone access

Android and iOS apps. Require a public URL.
Cloud-hosted proxy. Less secure / rarely
No public URL. permitted.
Approvals, 2FA, contact No viable BYOD strategy.
download, etc. Impacts security, approval
SLA.

Actionable analytics
Link report output to Fewer reports, analytics.
request input. No automated
Automated remediation. remediation.
Immediate or scheduled.
No coding.

2017 Hitachi ID Systems, Inc. All rights reserved. 19

 Slide Presentation

9.3 HiIM differentiation (3/3)

Feature Details Competitors

Governance, provisioning in
one product
Governance: requests, Some focus on
approvals, certification, governance (no
SoD, RBAC, analytics. remediation, no J/M/L
Provisioning: process automation).
connectors, J/M/L Others focus on
process automation. provisioning (no
Single, integrated certification, limited
solution. analytics).
Higher total cost.
Integration risk.

Policies built on
relationships
Relationships drive all Hierarchical access
policies in Hitachi ID controls.
Identity Manager. Script code for
Who can a user search exceptions.
for? Costly, risky.
What data is visible? Hard to configure,
What changes are maintain.
requestable?
Who will be asked to
approve?
Escalation path?

10 Summary
An integrated solution for managing identities and entitlements:
Automation: onboarding, deactivation, detect out-of-band changes.
Self-service: profile updates, access requests.
Governance: certification, authorization workflow, RBAC, SoD, analytics.
Automatically manage identities, entitlements: 110 bidirectional connectors.
Other integrations: filesystem, collaboration, SIEM, incident management.
Rapid deployment: pre-configured Hitachi ID Identity Express.

Security, lower cost, faster service.

Learn more at Hitachi-ID.com/Identity-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com

www.Hitachi-ID.com Date: 2017-03-15 | 2017-03-15 File: PRCS:pres