Password Manager: Detailed Presentation.



Hitachi ID Password Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Integrated Credential Management for Users: Passwords, encryption keys, tokens, smart cards and more.

Agenda
Hitachi ID corporate overview. IDM Suite overview. Password problems and Hitachi ID Password Manager benefits. The HiPM solution. Software demonstration.

2013 Hitachi ID Systems, Inc.. All rights reserved.

Slide Presentation

Hitachi ID Corporate Overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in 1992. A division of Hitachi, Ltd. since 2008. Over 1000 customers. More than 12M+ licensed users. Offices in North America, Europe and APAC. Partners globally.

Representative Hitachi ID Customers


IDM Suite


PM Advantages

Comparison of Hitachi ID Password Manager with other products:

Built-in functionality:
  Hitachi ID Password Manager: Password synchronization. Password and PIN reset. HDD crypto key recovery. Enterprise single sign-on.
  Others: Password reset.

Always available:
  Hitachi ID Password Manager: Web browser, smart phone. Phone call. PC login screen. At the office or mobile (WiFi, VPN).
  Others: Web browser. PC login screen. Only available at work.

Integrations:
  Hitachi ID Password Manager: 110+ target types. 10 ITSM systems.
  Others: Typically 10-20 connectors.

Scalability:
  Hitachi ID Password Manager: Built-in auto-discovery. Built-in replication. Managed enrollment.
  Others: Single server. Lots of scripting.


Problem: Too Many Passwords


Every login account has its own: password value, user interface, strength rules, expiration date. Password complexity creates business problems:
High call volume: Users forget or lock out their passwords. This can be 30% of help desk workload.
Sticky notes: Users write down their passwords and may leave them in public view.
Bad passwords: Users choose simple, easily guessed passwords.

The HiPM Solution

Hitachi ID Password Manager addresses the problems that arise from password complexity:

Cost savings from simplified password management, rapid deployment, low TCO and fast ROI. Improved security from strong authentication, policy enforcement. Scalability to hundreds of thousands of users. Flexibility to integrate with existing infrastructure.

Problem: Password Management Costs


End users: Lose productivity when they have trouble logging in.
Support analysts: Spend much of their time resolving password problem calls. Must be staffed for peak volume after holidays.
System administrators: Resolve escalated password problems.


HiPM Cost Savings


Synchronization: Eliminates 60% to 90% of password problems.
Self service reset: When adopted by 40% to 70% of users, diverts problem resolution away from the help desk.
Assisted reset: Shortens remaining password reset HD calls by 50% or more, to about 1 minute/call.


Problem: Password Security


Policy: Users prefer easily guessed passwords, write and share passwords.
Authentication: Weak caller authentication prior to HD password resets.
Delegation: Support staff require too many administrative logins.
Accountability: For support staff who perform resets.
Encryption: Passwords should not be sent or stored in the clear.


HiPM Security Benefits


Policy: Hitachi ID Password Manager can enforce over 50 password rules, on every system.
Synchronization: No need to write down multiple passwords.
Authentication: Users are identified before being allowed a HD password reset.
Delegation: Support staff no longer require administrative credentials.
Accountability: All password-related events logged.
Encryption: Sensitive data is sent and stored encrypted.


The Hitachi ID Solution is Flexible


Customize: Every aspect of the user interface.

Integrate with: 110+ target system types. Call tracking systems. HR systems. Authentication hardware. Meta directories. IVR servers.

Enforce: Password policy. Authentication rules.


User Interface Flowchart


[Flowchart; the four columns and their entries are reconstructed from the extracted labels.]

Access: Desktop Web browser. Workstation login prompt. Smart phone. Voice call.

Identify: Network login ID. E-mail address. Employee number.

Authenticate: Network password. Hardware token. Smart card. Answer security questions. Biometric sample (voiceprint). SMS/PIN.

Action: Update passwords. Attach login IDs. Enroll security questions. Register voice print. Unlock OTP device. PIN reset on smart card. Unlock encrypted HDD.


Included Connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.

Servers: Windows NT, 2000, 2003, 2008, 2008R2, Samba, Novell, SharePoint.

Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS.

Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC, Oracle Hyperion EPM Shared Services, Cache.

HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.

Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.

Cloud/SaaS: WebEx, Google Apps, MS Office 365, Salesforce.com, SOAP (generic).

Unix: Linux, Solaris, AIX, HPUX, 24 more variants.

ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects.

WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager.


Rapid Integration with Custom Apps


Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 sessions, with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes.

Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID.


Multi-Master Architecture
[Architecture diagram; only its labels survive extraction. Components shown: user entry points (native password change on Unix, OS/390, LDAP, AD and OS/400; IVR server; reverse Web proxy; VPN server; SMTP mail; Notes) behind a load balancer; multiple Hitachi ID application servers with a SQL database (Oracle/SQL); password sync trigger and validation server(s); an incident management system (tickets) and a system-of-record lookup; local target systems with a local agent (RSA, Unix, OS/390, etc.) and with a remote agent (Windows, SQL, SAP, LDAP, Notes, Web services) on the local network; firewalls and a proxy server (if needed) in front of cloud-hosted SaaS apps and a remote data center with further target systems. Link labels: TCP/IP + AES, Various Protocols, Secure Native Protocol, HTTPS.]


Scalability and Fault-Tolerance


Multiple, load-balanced Hitachi ID Password Manager servers: Active/active architecture. Data replication between nodes: Built-in, easy to configure. WAN-friendly (high latency, low bandwidth, insecure channels). Reliable (multiple retry queues). Proxy servers resolve connection problems: Across firewalls. Over slow, insecure network routes. Large production deployments: 5M users. 130,000 managed systems. 12 load balanced IDM servers. 10,000 completed transactions/hour.


Password Synchronization
Problem: Users have too many passwords: on different systems, with different policies, expiring at different times. Complexity leads users to do bad things: write down passwords ("sticky notes"); forget/lock out passwords and call the help desk; reuse old passwords.

Solution: Password synchronization pushes password updates from one system to another: multiple physical passwords, same value everywhere. Password synchronization allows users to remember a single password value, manage it on a single schedule and comply with a single password policy.


Transparent Password Synchronization

Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Transparent password synchronization leverages an existing user interface. Users change their passwords natively on: WinNT/Win2K/Win2K3 servers, Windows NT, Active Directory domains, Unix servers, LDAP directories, OS400 / iSeries servers, z/OS mainframes (RACF, CA-ACF2, CA-TopSecret)

Hitachi ID Password Manager enforces a global policy, prohibiting users from choosing weak passwords. Approved passwords are synchronized to other login accounts associated with the same user.


Transparent Synchronization Architecture

[Architecture diagram; only its labels survive extraction. Flow shown: User makes a native password change; a password sync trigger on the native system starts synchronization through a load balancer to the Hitachi ID Management Suite, which updates target systems with a local agent (RSA, Unix, OS/390) and target systems with a remote agent. Link labels: TCP/IP + AES, Secure Native Protocol.]


Web Password Synchronization

Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Web password synchronization exposes a new user interface. Access a Web-based password change screen using any browser. Enter a trusted network login ID and password. Select a new password for one or all systems and accounts. Review results from the password update on each system.
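The transparent flow (a native change on one system triggers a push to the rest) and the Web flow (the user picks a new value for one or all accounts and reviews per-system results), together in one runnable sketch. This is an added example, not Hitachi ID's code: the account map, the target systems and their limits, the handful of policy rules and the history depth are all constructed here, and a policy failure is simply reported rather than blocking the native change as a real trigger would.

```python
"""Password synchronization against a global policy (added example)."""
import hashlib
import re

# Constructed identity map: one user with login IDs on four systems.
# The real product fills this by auto-discovery; here it is hard-coded.
USER_ACCOUNTS = {
    "jsmith": {"Active Directory": "jsmith", "Unix": "jsmith",
               "z/OS RACF": "JSMITH1", "SAP": "SMITHJ"},
}

MIN_LENGTH = 8      # a few of the page's "over 50" rules, enforced centrally
HISTORY_DEPTH = 5   # how many earlier passwords may not be reused


class TargetSystem:
    """Simulated target. A system may have native limits of its own; the
    global policy has to be at least as strict, or pushes to it fail."""

    def __init__(self, name, max_length=None):
        self.name, self.max_length, self.passwords = name, max_length, {}

    def set_password(self, login_id, password):
        if self.max_length and len(password) > self.max_length:
            raise ValueError(f"{self.name}: longer than {self.max_length} characters")
        self.passwords[login_id] = password


class PasswordSync:
    def __init__(self, targets):
        self.targets = {t.name: t for t in targets}
        self.history = {}   # user -> hashes of recent passwords, never clear text

    @staticmethod
    def _hash(user, password):
        # Per-user salt; a production history would use a slow password hash.
        return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

    def violations(self, user, password):
        """List the global rules a candidate password breaks (empty = OK)."""
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
        if classes < 3:
            problems.append("fewer than three character classes")
        for login_id in sorted(set(USER_ACCOUNTS[user].values())):
            if login_id.lower() in password.lower():
                problems.append(f"contains login ID {login_id}")
        if self._hash(user, password) in self.history.get(user, []):
            problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
        return problems

    def synchronize(self, user, password, systems=None):
        """Web flow: push one value to all (or the selected) accounts and
        return a per-system result for the user to review."""
        problems = self.violations(user, password)
        if problems:
            return {"policy": "rejected: " + "; ".join(problems)}
        results = {}
        for system, login_id in USER_ACCOUNTS[user].items():
            if systems is not None and system not in systems:
                continue
            try:
                self.targets[system].set_password(login_id, password)
                results[system] = "ok"
            except ValueError as exc:
                results[system] = f"failed: {exc}"
        recent = self.history.setdefault(user, [])
        recent.append(self._hash(user, password))
        del recent[:-HISTORY_DEPTH]
        return results

    def on_native_change(self, system, login_id, password):
        """Transparent flow: a native change on one system triggers a push
        of the same value to the user's accounts on every other system."""
        for user, accounts in USER_ACCOUNTS.items():
            if accounts.get(system) == login_id:
                return self.synchronize(user, password,
                                        [s for s in accounts if s != system])
        return {"policy": f"rejected: {login_id} on {system} is not a known account"}
```

The z/OS target is given an 8-character native limit so the per-system results show a push that the global policy accepted but one target refused, which is exactly the case the Web screen's result review is there to surface.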


Web Password Synchronization Architecture

[Architecture diagram; only its labels survive extraction. Flow shown: User, via a Web browser, reaches the Hitachi ID Management Suite through a load balancer; the suite updates target systems with a local agent (RSA, Unix, OS/390) and target systems with a remote agent. Link labels: TCP/IP + AES, Secure Native Protocol.]


Prompting Users to Synchronize

Users do not volunteer to change their passwords. Hitachi ID Password Manager can identify users who should change their passwords either based on upcoming expiration on a target system, or based on the last HiPM update. Users are asked to change their passwords: By e-mail, with an embedded URL to the HiPM server. By a Web browser, automatically opened during the network login script.


Benefits of Password Synchronization


Improved user service. Users have fewer password problems, so waste less time with login problems and call the help desk less frequently. New passwords meet global quality standards. All passwords are changed regularly.


Self Service Password Reset


Problem: Some users continue to forget passwords or trigger lockouts. These users still call the help desk. High call volume is expensive.

Solution: Self-service password reset enables users to authenticate themselves with something else (a token, biometric, personal questions, etc.) and reset their own password(s). Hitachi ID Password Manager SSPR allows these users to resolve their own problems: This lowers help desk call volume. User service is available 24x7. Accessible via web browser, phone or from the login prompt.


Access from Login Prompt


Problem: Users who forget their network password cannot launch a Web browser to access the self service password reset application.

Solution: Secure Kiosk Account (SKA): access to SSPR without client software ("guest" account). GINA service: access to SSPR from a UI extension, with no GINA DLL. Hitachi ID Phone Password Manager: turn-key telephone access to SSPR. Temporary VPN: access to SSPR from outside the corporate network.


Secure Kiosk Account (SKA)

Support locked out users without deploying client software. User signs on with the login ID HELP. No password is required to sign into the SKA. The SKA account has a special security policy. The policy specifies an alternate to the Windows shell. The Hitachi ID Password Manager shell opens a kiosk-mode Web browser to the self service password reset Web page. Applies both to on-line and mobile users. Can be used to reset/unlock both local and networked passwords. No browser navigation, controls, border, etc. Closing the browser logs the user off.


GINA Extensions
Support locked out users without a "generic" domain account:

Extend the Windows Graphical Identification and Authentication (GINA) subsystem, which is responsible for capturing Ctrl-Alt-Del, presents the login screen and handles screen savers. The Windows GINA can be replaced by third-party DLLs, such as: Novell NetWare. Strong authentication products (smart cards, biometrics, etc.). Hitachi ID Password Manager includes two GINA extension approaches, both of which: Launch a kiosk-mode web browser. Run the browser with an unprivileged account. The first is a GINA wrapper DLL that adds a password reset button in the login prompt. The second is a GINA service program that adds a password reset button without modifying the native GINA DLL.


Self-service via Telephone


Identification options: Numeric ID (e.g., employee number). Numeric mapping of network login ID. Authentication options: Numeric security questions (e.g., drivers license, DoB). Biometric voice print verification. Hardware token. Features: Password reset / unlock. Token PIN reset. HDD encryption key recovery. Platform options: Use HiTPM (turn-key system). Extend call logic on an existing IVR, using Hitachi ID Password Manager API. Limitations: Cannot reset PINs on smart cards. Cannot update cached credentials on mobile PCs.

Flexible, Secure Authentication


Hardware tokens: generated password + keyed PIN. Biometric: voice print, finger print. PKI: smart cards, software certificates. Challenge/response using: Built-in or external data source. Both user-defined and standard questions. A flexible algorithm to validate answers. Multiple sets of multiple questions.

Open architecture: Easily integrate with new authentication systems.
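The challenge/response option above, as an added example that is not Hitachi ID's code: a "flexible algorithm to validate answers" (case, accents, spacing and punctuation ignored before comparison), answers stored only as salted slow hashes, and a per-purpose policy choosing which question set is asked and how many answers must be right. The question sets, the policy table, the lockout threshold and the PBKDF2 iteration count are all constructed for this example.

```python
"""Security-question authentication with flexible answer matching (added example)."""
import hashlib
import hmac
import os
import random
import re
import unicodedata

MAX_FAILURES = 3   # lock the profile after this many failed attempts (constructed)


def normalize(answer):
    """Flexible matching: ignore case, accents, spaces and punctuation."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


class QuestionProfile:
    """One user's enrolled question sets; answers are kept only as hashes."""

    def __init__(self):
        self.sets = {}       # set name -> {question: (salt, digest)}
        self.failures = 0

    @staticmethod
    def _digest(salt, answer):
        # Slow, salted hash of the normalized answer; compare with constant time.
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)

    def enroll(self, set_name, question, answer):
        salt = os.urandom(16)
        self.sets.setdefault(set_name, {})[question] = (salt, self._digest(salt, answer))

    def check(self, set_name, question, answer):
        salt, digest = self.sets[set_name][question]
        return hmac.compare_digest(digest, self._digest(salt, answer))


# Constructed policy: "multiple sets of multiple questions", one set per purpose,
# with how many questions are asked and how many must be answered correctly.
POLICY = {
    "self-service reset": {"set": "standard", "ask": 3, "required": 3},
    "help desk reset": {"set": "help-desk", "ask": 2, "required": 2},
}


def challenge(profile, purpose, rng=None):
    """Pick the questions to ask for this purpose; [] if the user is not enrolled."""
    rule = POLICY[purpose]
    questions = list(profile.sets.get(rule["set"], {}))
    if len(questions) < rule["ask"]:
        return []
    return (rng or random.SystemRandom()).sample(questions, rule["ask"])


def authenticate(profile, purpose, answers):
    """Return (ok, reason) for a dict of question -> answer the caller supplied."""
    rule = POLICY[purpose]
    if profile.failures >= MAX_FAILURES:
        return False, "profile locked after repeated failures"
    questions = profile.sets.get(rule["set"], {})
    asked = [q for q in answers if q in questions]
    if len(asked) < rule["ask"]:
        return False, "not enough questions answered"
    correct = sum(profile.check(rule["set"], q, answers[q]) for q in asked)
    if correct >= rule["required"]:
        profile.failures = 0
        return True, f"{correct}/{len(asked)} correct"
    profile.failures += 1
    return False, f"only {correct}/{len(asked)} correct"
```

The same profile serves both the self-service reset and the help desk reset flows described later, with the help desk set kept separate so an analyst never sees the answers used for self-service.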


Benefits of Self Service Password Reset


Savings 40% to 70% of users resolve their own problem, and do not call the help desk. Security Stronger authentication prior to password resets. Reset passwords meet quality controls. Detailed audit trail of authentication attempts, resets.


Help Desk Password Reset


Problem: Even with synchronization and self service password reset, some users continue to call the help desk. These calls can take 5-15 minutes to resolve and cost $25 to $35.

Solution: Assisted password reset shortens password-related support calls. One process and UI handles everything: Authenticate the analyst. Authenticate the caller. Reset multiple passwords. Clear lockouts. Create/close a support incident (ticket).

Reduce call duration to about 1 minute. Lower incident cost.


Assisted Password Reset Process


Help desk analysts use a Hitachi ID Password Manager Web page to: Login (authenticate the analyst). Look up the caller's record. Authenticate the caller. Reset one or more passwords. Automatically create a ticket in the call tracking system.

Call resolution time is reduced to 1 to 2 minutes. Help desk analysts don't require direct access to target systems.


Call Tracking, E-mail Integration

Hitachi ID Password Manager has an open architecture to notify other systems of over 116 types of events. Simple configuration specifies what events to capture and what actions to take. Binary integration programs are included for: Altiris, Assyst, BMC Remedy, BMC Service Desk Express, CA Unicenter, Clarify, HEAT, InfraHD, HP Service Desk, Tivoli, Track-It!

Open integrations via SMTP, HTTP, HTTPS, XML, ODBC interfaces.


HiPM Assisted Service Notes


Help desk analysts may:

Either see, or be required to type answers to caller-authenticating questions. Either reset passwords, or reset-and-expire passwords. Enable or disable caller access to Hitachi ID Password Manager self service. Be granted the ability to: See or edit answers to security questions. See or edit login ID profile data. Manage SecurID tokens.


Benefits of Assisted Password Reset


Savings Remaining password reset calls are reduced to approximately 1 minute. Security Ensure that callers are always authenticated prior to password resets. Reduce the number of people with administrative rights. Improve accountability for help desk password resets. Enforce password policy over reset passwords.


Password Management Savings


[Bar chart; only its labels survive extraction. Two series, "User problems" and "Help desk calls", on a 0-100 scale, plotted for four scenarios: Baseline, Self Reset only, Synch only, Both. Annotations: "60% user adoption of self-service password reset"; "80% of problems reduced by simplified password management"; "Combine problem reduction with self-service adoption". Values printed on the bars: 100, 100, 100, 40, 20, 20, 20.]


RSA SecurID Token Management


Problem: Users with RSA SecurID tokens forget their PINs, lose their tokens, require clock synchronization, etc. These issues generate help desk calls.

Solution: Users can clear, synchronize or reset their token PINs; synchronize their token clocks; enable/disable their tokens or get emergency access passcodes using the Hitachi ID Password Manager self service token management feature. In addition, HiPM can authenticate users by validating a current RSA SecurID token passcode against the RSA server.


Token Management Process


Users authenticate with a password. Once authenticated, users can: Enable / disable tokens. Request emergency access codes. Clear / set their PIN. Re-synchronize tokens.


Benefits of Token Management


Savings Fewer, shorter help desk calls for token problems. Security Fewer people with ACE administration privileges. Stronger authentication prior to token support.


Managed User Enrollment


Problem: Deployment may require new user profile data: Question/answer pairs for authentication. Login ID reconciliation between systems. Biometric samples (e.g., voice prints).

Solution: Hitachi ID Password Manager includes a managed enrollment system, which identifies users that need to enroll and invites them to do so.


Reconcile Login IDs Between Systems

Where login IDs are different on some systems, and there is no existing directory, meta directory, matching attribute or map file to connect them, users can be prompted to "claim" their own IDs: Users sign into a secure Hitachi ID Password Manager registration Web page. Users enter a login ID and password. HiPM finds unallocated instances of the login ID in the identity cache and tries to sign into those target systems with the password the user provided. The login ID / target system ID is added to the user's profile if the password worked.


Benefits of Managed Enrollment


Savings Rapid deployment, low-cost data gathering. Security Secure authentication prior to registration. Collect answers to security questions. Correlate login IDs across all systems. Identify orphan accounts.


Rapid Deployment and Low TCO


Optimized to minimize effort: Password management with HiPM: Initial deployment: 4 to 8 weeks of effort. Ongoing maintenance: 0.25 to 0.5 FTE. Using Hitachi ID Password Manager technology: Built-in nightly auto-discovery of IDs, entitlements. Both attribute-based and self-service ID mapping. Automatically managed user enrollment. No requirement for client software. 110 connectors out of the box. Rapid integration with custom, vertical apps. Easy customization of GUI, business logic.


Competitive Advantages
Unique features: "Provisioning" and "governance" in one product. Access, authorization built around relationships. Self-service from any device, any location. Users can request resources, not groups. SoD engine detects "effective" violations.

Scalable platform: Real-time data replication. Multi-master architecture. Proxy server to cross firewalls. Stored procedures, native code for speed.

Rapid deployment: Key features built-in, not custom: Request forms. Authorization workflow. Access certification. Auto-discovery. Reports. A product, not a devel. environment.

Integrations: 110+ included connectors. Flexible connectors. Built-in implementer workflow. Incident management, SIEM, etc.


HiPM Animated Demonstration

The following animations illustrate core Hitachi ID Password Manager user interfaces and processes:

Security question enrollment: A user authenticates and completes his personal profile of questions and answers. Alias enrollment: A user attaches non-standard login IDs to his profile. Password expiration: A user is invited, via e-mail, to change soon-to-expire passwords. Self-service password reset (SSPR) using Secure Kiosk Account: A locked out user resolves his own problem, from the login prompt, without client software deployment.

SSPR with GINA Extension: A locked out user resolves his own problem, from the login prompt, using a GINA extension. SSPR with Vista credential provider: A locked out user resolves his own problem, from the login prompt, using a Windows Vista credential provider. Assisted password reset: A help desk analyst signs in with an RSA SecurID token and resets a caller's password. PIN Reset for an RSA SecurID token: A user resets his RSA SecurID token PIN with HiPM.


Locked out Windows 7 user resets own password

Animation: ../pics/camtasia/v8/hipm-pw-reset-vista/hipm-pw-reset-vista.cam


Locked out Windows XP user resets own password

Animation: ../pics/camtasia/v8/hipm-pw-reset-gina/hipm-pw-reset-gina.cam


Locked out Windows user resets own password (no software footprint)

Animation: ../pics/camtasia/v8/hipm-pw-reset-ska/hipm-pw-reset-ska.cam


Enrollment of security questions

Animation: ../pics/camtasia/v8/hipm-qa-enrollment/hipm-qa-enrollment.cam


Enrollment of non-standard login IDs

Animation: ../pics/camtasia/v8/hipm-alias-enrollment/hipm-alias-enrollment.cam


RSA SecurID Self Service Token Support

Animation: ../pics/camtasia/v8/hipm-rsa-token-reset/hipm-rsa-token-reset.cam


Reminder to change passwords

Animation: ../pics/camtasia/v8/hipm-pw-expired-email/hipm-pw-expired-email.cam


Assisted Password Reset

Animation: ../pics/camtasia/v8/hipm-assisted-pw-reset/hipm-assisted-pw-reset.cam


Hitachi ID Professional Services


Hitachi ID offers a variety of services relating to Hitachi ID Password Manager, including: Needs analysis and solution design. Fixed price system deployment. Project planning. Roll-out management, including maximizing user adoption. Ongoing system monitoring. Training.

Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.


Hitachi ID Solution Delivery Approach


Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.
Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1 to 3 months. Work is reviewed and payment is due when milestones are met.
Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.
Templates: Template documents and sample business logic are used to expedite work.
Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.


AdMax: Maximizing User Adoption


Successful implementation of an identity and access management system must be supported by an effective user adoption program. AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects. AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions, using: Best practices, case studies and industry norms. Enrollment, user adoption and ROI measurement. Incentive and disincentive programs. Presentations and training materials for users and HD staff. Project roles and responsibilities. Sample project plans, promotional materials, e-mails, graphics and other user communications. Workbooks for project implementation.


Summary

An integrated solution for managing credentials: Immediate security benefit: password policy, help desk caller authentication. Low deployment cost, minimal ongoing investment, significant IT support savings. Always accessible: Web browser on PC, phone or tablet. Windows login prompt. Pre-boot encryption password prompt. Phone call / IVR. Available at work and while off-site.

110+ connectors included.

Learn more at Hitachi-ID.com/Password-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
File: PRCS:pres Date: September 19, 2013

www.Hitachi-ID.com
