Password Manager: Detailed Presentation.
Integrated Credential Management for Users: Passwords, encryption keys, tokens, smart cards and more.
Agenda
Hitachi ID corporate overview. IDM Suite overview. Password problems and Hitachi ID Password Manager benefits. The HiPM solution. Software demonstration.
Slide Presentation
Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in 1992. A division of Hitachi, Ltd. since 2008. Over 1000 customers. More than 12M+ licensed users. Offices in North America, Europe and APAC. Partners globally.
IDM Suite
PM Advantages
Hitachi ID Password Manager compared with others:
Built-in Functionality:
Hitachi ID Password Manager: Password synchronization. Password and PIN reset. HDD crypto key recovery. Enterprise single sign-on.
Others: Password reset.
Always available:
Hitachi ID Password Manager: Web browser, smart phone. Phone call. PC login screen. At the office or mobile (WiFi, VPN).
Others: Web browser. PC login screen. Only available at work.
Scalability:
Hitachi ID Password Manager: Built-in auto-discovery. Built-in replication. Managed enrollment.
Others: Single server. Lots of scripting.
Hitachi ID Password Manager addresses the problems that arise from password complexity:
Integrate with: 110+ target system types. Call tracking systems. HR systems. Authentication hardware. Meta directories. IVR servers.
Enforce: Password policy. Authentication rules.
[Diagram: Identify (Network Login ID), Authenticate (Network Password), Action (Update Passwords). Other labels on the slide: E-mail Address, Hardware Token, Smart Phone, Employee Number, Smart Card, Voice Call, SMS/PIN.]
Included Connectors
Servers: Windows NT, 2000, 2003, 2008, 2008R2, Samba, Novell, SharePoint.
Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.
Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC, Oracle Hyperion EPM Shared Services, Cache.
HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
Cloud/SaaS: WebEx, Google Apps, MS Office 365, Salesforce.com, SOAP (generic).
Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.
Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID.
Multi-Master Architecture
[Diagram: multi-master architecture. Labels recoverable from the slide: native password change, trigger synch, validate PW, password server(s), IVR server, SQL DB, SQL/Oracle, tickets, lookup of system of record, target systems with local agent, target systems with remote agent, Web services, local network, firewall, proxy server (if needed), remote data center, target systems.]
Password Synchronization
Problem:
Users have too many passwords: On different systems, with different policies, expiring at different times.
Complexity leads users to do bad things: Write down passwords ("sticky notes"). Forget/lock out passwords and call the help desk. Reuse old passwords.
Solution:
Password synchronization pushes password updates from one system to another: Multiple physical passwords. Same value everywhere.
Password synchronization allows users to: Remember a single password value. Manage it on a single schedule. Comply with a single password policy.
Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Transparent password synchronization leverages an existing user interface. Users change their passwords natively on: WinNT/Win2K/Win2K3 servers, Windows NT, Active Directory domains, Unix servers, LDAP directories, OS400 / iSeries servers, z/OS mainframes (RACF, CA-ACF2, CA-TopSecret)
Hitachi ID Password Manager enforces a global policy, prohibiting users from choosing weak passwords. Approved passwords are synchronized to other login accounts associated with the same user.
[Diagram labels: User; Load Balancer; Start synch.; Hitachi ID Management Suite.]
Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Web password synchronization exposes a new user interface. Access a Web-based password change screen using any browser. Enter a trusted network login ID and password. Select a new password for one or all systems and accounts. Review results from the password update on each system.
Users do not volunteer to change their passwords. Hitachi ID Password Manager can identify users who should change their passwords either based on upcoming expiration on a target system, or based on the last HiPM update. Users are asked to change their passwords: By e-mail, with an embedded URL to the HiPM server. By a Web browser, automatically opened during the network login script.
Support locked out users without deploying client software. User signs on with the login ID HELP. No password is required to sign into the Secure Kiosk Account (SKA). The SKA account has a special security policy. The policy specifies an alternate to the Windows shell. The Hitachi ID Password Manager shell opens a kiosk-mode Web browser to the self-service password reset Web page. Applies both to on-line and mobile users. Can be used to reset/unlock both local and networked passwords. No browser navigation, controls, border, etc. Closing the browser logs the user off.
GINA Extensions
Extend the Windows Graphical Identification and Authentication (GINA) subsystem, which: is responsible for capturing Ctrl-Alt-Del, presents the login screen and handles screen savers. The Windows GINA can be replaced by third-party DLLs, such as: Novell NetWare. Strong authentication products (smart cards, biometrics, etc.). Hitachi ID Password Manager includes two GINA extension approaches, both of them: Launch a kiosk-mode web browser. Run the browser with an unprivileged account. The first is a GINA wrapper DLL that adds a password reset button in the login prompt. The second is a GINA service program that adds a password reset button without modifying the native GINA DLL.
Call resolution time is reduced to 1-2 minutes. Help desk analysts don't require direct access to target systems.
Hitachi ID Password Manager has an open architecture to notify other systems of over 116 types of events. Simple configuration specifies what events to capture and what actions to take. Binary integration programs are included for: Altiris, Assyst, BMC Remedy, BMC Service Desk Express, CA Unicenter, Clarify, HEAT, InfraHD, HP Service Desk, Tivoli, Track-It!
[Chart: "80% of problems reduced by simplified password management" and "Combine problem reduction with self-service adoption". Series: Synch only, Both.]
Where login IDs are different on some systems, and there is no existing directory, meta directory, matching attribute or map file to connect them, users can be prompted to "claim" their own IDs: Users sign into a secure Hitachi ID Password Manager registration Web page. Users enter a login ID and password. HiPM finds unallocated instances of the login ID in the identity cache and tries to sign into those target systems with the password the user provided. The login ID / target system ID is added to the user's profile if the password worked.
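The claim procedure above, sketched as an added example (not Hitachi ID's code): an ID is attached only when it is unallocated in the identity cache and the target system itself accepts the supplied password. `TargetSystem`, `claim_login_id`, the system names and the accounts are hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac
import os


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class TargetSystem:
    """Constructed stand-in for a target system's own login check."""

    def __init__(self, name):
        self.name = name
        self._creds = {}

    def add_account(self, login_id, password):
        salt = os.urandom(16)
        self._creds[login_id] = (salt, _digest(password, salt))

    def try_login(self, login_id, password):
        if login_id not in self._creds:
            return False
        salt, stored = self._creds[login_id]
        return hmac.compare_digest(stored, _digest(password, salt))


def claim_login_id(profile, login_id, password, identity_cache, systems):
    """identity_cache maps (system, login_id) to an owning profile or None.
    Returns the systems on which the ID was newly attached to the profile."""
    attached = []
    for system_name, cached_id in sorted(identity_cache):
        key = (system_name, cached_id)
        if cached_id != login_id or identity_cache[key] is not None:
            continue  # never test a password against an ID someone else owns
        if systems[system_name].try_login(login_id, password):
            identity_cache[key] = profile  # proof of ownership: password worked
            attached.append(system_name)
    return attached


def demo():
    # Constructed sample data: "jdoe7" exists on three hypothetical systems.
    systems = {n: TargetSystem(n) for n in ("erp", "mainframe", "unix")}
    systems["erp"].add_account("jdoe7", "Correct-Horse-1")
    systems["mainframe"].add_account("jdoe7", "Other-Secret-2")
    systems["unix"].add_account("jdoe7", "Correct-Horse-1")
    cache = {("erp", "jdoe7"): None, ("mainframe", "jdoe7"): None,
             ("unix", "jdoe7"): "someone.else"}
    attached = claim_login_id("jane.doe", "jdoe7", "Correct-Horse-1", cache, systems)
    return attached, cache
```

In the demo only the `erp` instance is attached: the `mainframe` account rejects the password, and the `unix` account is skipped because it is already allocated, even though the password would have matched.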
Competitive Advantages
Unique features: "Provisioning" and "governance" in one product. Access, authorization built around relationships. Self-service from any device, any location. Users can request resources, not groups. SoD engine detects "effective" violations.
Scalable platform: Real-time data replication. Multi-master architecture. Proxy server to cross firewalls. Stored procedures, native code for speed.
Rapid deployment: Key features built-in, not custom: Request forms. Authorization workflow. Access certification. Auto-discovery. Reports. A product, not a devel. environment.
Integrations: 110+ included connectors. Flexible connectors. Built-in implementers workflow. Incident management, SIEM, etc.
The following animations illustrate core Hitachi ID Password Manager user interfaces and processes:
Security question enrollment: A user authenticates and completes his personal profile of questions and answers.
Alias enrollment: A user attaches non-standard login IDs to his profile.
Password expiration: A user is invited, via e-mail, to change soon-to-expire passwords.
Self-service password reset (SSPR) using Secure Kiosk Account: A locked out user resolves his own problem, from the login prompt, without client software deployment.
SSPR with GINA Extension: A locked out user resolves his own problem, from the login prompt, using a GINA extension.
SSPR with Vista credential provider: A locked out user resolves his own problem, from the login prompt, using a Windows Vista credential provider.
Assisted password reset: A help desk analyst signs in with an RSA SecurID token and resets a caller's password.
PIN Reset for an RSA SecurID token: A user resets his RSA SecurID token PIN with HiPM.
Locked out Windows user resets own password (no software footprint)
Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.
Summary
An integrated solution for managing credentials: Immediate security benefit: password policy, help desk caller authentication. Low deployment cost, minimal ongoing investment, significant IT support savings. Always accessible: Web browser on PC, phone or tablet. Windows login prompt. Pre-boot encryption password prompt. Phone call / IVR. Available at work and while off-site.
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: PRCS:pres Date: September 19, 2013
www.Hitachi-ID.com