1 Hitachi ID Suite
Managing the User Lifecycle
Across On-Premises and
Cloud-Hosted Applications
Hitachi ID Suite 9.0 Features and Technology.
2 Overview
• Hitachi ID Suite 9.0 is a major release. Almost all components of the software have seen some enhancements.
• Major new capabilities:
– Mobile access.
– Actionable analytics.
– Check-out account sets.
– More interactive UI.
– Moved to 64-bit platform.
• Next release will be 10.0 – ETA Q4/2015.
© 2015 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Enhancements in 9.0
General:
• Move platform to 64-bit.
• Stronger default crypto (AES-256, SHA-512).
• Support new MSSQL, Oracle back ends.
• Mobile: skin, iOS and Android apps.
• Usability improvements: JS in UI, clickable objects, sortable report output, ...
• Analytics: report output → request input.
• Many new reports, some with graphical dashboards.
HiPAM:
• Account-set check-out.
• Run commands across managed systems.
• LWS improved scalability.
• HiPAM reference build.
HiIM:
• Certification via arbitrary relationships.
• Hierarchical attributes.
• Usability improvements to PDRs.
• Photo upload.
• VCARD links on user profiles.
• Deployability: componentize reference builds.
4 Mobile / BYOD
4.1 Mobile UI for web apps
Enabling a mobile UI for an enterprise app is a two-part problem.
• The UI has to fit on small screens:
– Narrow width.
– Vertical scroll.
• Connectivity is required:
– The device is on the public Internet.
– Hitachi ID Privileged Access Manager server is usually on a private network.
4.2 Mobile app architecture (1/4)
Diagram: Personal Device (Public Internet) → Firewall → DMZ → Firewall → IAM Server (Private Corporate Network).
• The user’s phone probably has no VPN client installed.
• The phone – via a data plan – is connected to the public Internet.
• The IAM system is attached to the corporate network, behind multiple firewalls.
4.3 Mobile app architecture (2/4)
Diagram: the same layout as in 4.2, with one connection path labelled “Simple, uncontroversial firewall configuration” and the other labelled “Risky, controversial, likely not allowed”.
• Firewalls are designed to block inbound connections.
• Outbound connections are usually allowed or easily justified.
• Inbound connections would require:
– Port forwarding; or
– A reverse web proxy.
• We want to minimize the set of attackers who can probe the IAM system.
4.4 Mobile app architecture (3/4)
How can a smart phone app, without a VPN, access an API or web UI published by an on-premise application server?
Diagram: the same layout as in 4.3, with one connection path labelled “Simple, uncontroversial firewall configuration” and the other labelled “Risky, controversial, likely not allowed”.
4.5 Mobile app architecture (4/4)
Diagram: Personal Device (Public Internet) → Cloud Proxy (Public Internet) ← IAM Server (Private Corporate Network, behind the DMZ and two firewalls). Labelled elements: HTTPS request from the device: “Includes userID, deviceID”; worker thread on the IAM server: “Give me an HTTP request”; message passing system: “Exchange requests”.
• The solution is to insert a proxy between the BYOD and IAM system.
• The proxy is on the Internet, so reachable by both.
• Connections from both ends are authenticated.
4.6 Security features
Problem: Only accept connections from activated devices.
Solution:
• Deploy an app to the device.
• Install a personal key at activation time.
• Proxy rejects connections with a bad/missing key.
• IAM system only receives valid traffic.
Problem: Denial of service attacks.
Solution:
• Proxy is efficient but somewhat vulnerable.
• Attackers have no key – DDoS attacks never reach the IAM system.
Problem: Lost/stolen device.
Solution:
• Keys can be revoked.
• Users still need to authenticate.
Problem: Two factor authentication.
Solution:
• Use of a valid key is a first authentication step.
• Follow up with password, security questions, etc.
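The proxy relay of 4.5 and the per-device key checks of 4.6, modelled as an added Python example (not Hitachi ID code; the HMAC-based signing, the message fields and the in-memory queue are assumptions standing in for the product's unspecified key and message formats):

```python
import hashlib
import hmac
import json
import secrets
from collections import deque

def canonical(msg):
    """Stable byte encoding of the signed fields (userID, deviceID, body)."""
    fields = {k: msg.get(k) for k in ("userID", "deviceID", "body")}
    return json.dumps(fields, sort_keys=True).encode()

def sign(key, msg):
    """Device side: attach an HMAC under the personal key installed at activation."""
    return dict(msg, sig=hmac.new(key, canonical(msg), hashlib.sha256).hexdigest())

class CloudProxy:
    """Internet-facing relay between BYOD devices and the on-premises IAM server.
    A request is queued only if it is signed under a non-revoked device key; the
    IAM worker polls outbound for queued requests, so no inbound rule is needed."""

    def __init__(self):
        self._keys = {}        # deviceID -> (userID, personal key)
        self._revoked = set()
        self._queue = deque()  # validated requests awaiting an IAM worker
        self._next_id = 1
        self.rejected = 0      # requests dropped at the proxy, never seen by IAM

    def activate_device(self, user_id, device_id):
        key = secrets.token_bytes(32)
        self._keys[device_id] = (user_id, key)
        return key

    def revoke_device(self, device_id):   # lost/stolen device
        self._revoked.add(device_id)

    def submit(self, msg):
        """Device -> proxy over HTTPS. Returns a request id, or None if rejected."""
        entry = self._keys.get(msg.get("deviceID"))
        if entry is None or msg["deviceID"] in self._revoked:
            self.rejected += 1
            return None
        user_id, key = entry
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if msg.get("userID") != user_id or not hmac.compare_digest(expected, msg.get("sig", "")):
            self.rejected += 1
            return None
        req_id, self._next_id = self._next_id, self._next_id + 1
        self._queue.append((req_id, msg["body"]))
        return req_id

    def poll(self):
        """IAM worker -> proxy ("give me an HTTP request"), outbound from the private network."""
        return self._queue.popleft() if self._queue else None

def demo():
    """Constructed walk-through: one activated device, a forged request, an unknown device."""
    proxy = CloudProxy()
    key = proxy.activate_device("alice", "phone-1")
    req = {"userID": "alice", "deviceID": "phone-1", "body": "GET /approvals"}
    ok = proxy.submit(sign(key, req))                    # valid key: queued
    proxy.submit(sign(b"wrong-key", req))                # bad signature: dropped
    proxy.submit(dict(req, deviceID="phone-9", sig=""))  # never activated: dropped
    queued = proxy.poll()                                # IAM worker sees only the valid one
    proxy.revoke_device("phone-1")
    after_revoke = proxy.submit(sign(key, req))          # revoked key: dropped
    return ok, queued, proxy.rejected, after_revoke, proxy.poll()
```

Only the correctly signed request is ever handed to the IAM worker; the forged, unknown-device and post-revocation requests are counted at the proxy and go no further.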
4.7 Activate Mobile Access
Animation: ../../pics/camtasia/v9/enable-mobile-device-1/enable-mobile-device-1.mp4
5 Mobile use cases
5.1 Add contact to phone
Animation: ../../pics/camtasia/v9/add-contact-to-phone-1/add-contact-to-phone-1.mp4
5.2 Scan contact QR code
Animation: ../../pics/camtasia/v9/find-download-contact-info-1/find-download-contact-info-1.mp4
5.3 Mobile request approval
Animation: ../../pics/camtasia/v9/approve-request-group-membership-via-mobile-access-app-1/approve-request-group-me
5.4 Unlock pre-boot password
Animation: ../../pics/camtasia/v9/unlock-epo-pba-password-1/unlock-epo-pba-password-1.mp4
5.5 Request groupset
Animation: ../../pics/camtasia/v9/request-groupset-1/request-groupset-1.mp4
5.6 Password display
Animation: ../../pics/camtasia/v9/pw-disp-scaled-1/pw-disp-scaled-1.mp4
6 UI: AJAX and clickable objects
6.1 Hierarchical attributes
6.2 Dynamic report output
6.3 Clickable objects in UI
6.4 Object types – visible detail
Object in UI – click for details:
• User name: User ID, profile attributes, entitlements.
• Group name: Target system, membership, owner/authorizers, history.
• Request ID: Meta data, authorizers, operations.
• Role: ID, description, entitlements, users with the role, owner/authorizers.
• Managed system (HiPAM): Attributes, attached policy, groups, services and accounts, attached policies.
• Managed account (HiPAM): Attributes, groups and services, managed system, attached policies.
7 More and more powerful reports
7.1 Report output to request input
7.2 Graphical report summaries
7.3 Many built-in reports
• More than 150 built-in report programs.
• Some reports have as many as 10 different modes.
– (orphan accounts / orphan profiles / dormant accounts / dormant profiles).
• Various areas of the product:
– 20 HiPAM specific.
– 10 data quality.
– 7 entitlement analysis.
– etc.
• Reports callable via API:
– Integration with enterprise dashboards.
7.4 Hitachi ID Privileged Access Manager Reports
Report categories: Operation; Policy, configuration; Trends.
7.5 Workflow Trend Dashboard
8 Actionable Analytics
8.1 PDR: New Employee
Animation: ../../pics/camtasia/v9/pdr-config-new-employee-1/pdr-config-new-employee-1.mp4
8.2 Report2PDR: Onboard employees
Animation: ../../pics/camtasia/v9/report2pdr-new-user-1/report2pdr-new-user-1.mp4
8.3 Report2PDR: Approve and first login
Animation: ../../pics/camtasia/v9/approve-new-employee-first-login-1/approve-new-employee-first-login-1.mp4
8.4 Report2PDR: Disable orphan accounts
Animation: ../../pics/camtasia/v9/report2pdr-disable-orphan-accounts-1/report2pdr-disable-orphan-accounts-1.mp4
9 Account sets
9.1 Account sets
Definitions:
• A saved search.
• Returns managed accounts on managed systems.
• Example: search on OS, subnet, login ID.
• Can also include accounts, systems individually.
Use cases:
• Check out multiple accounts at once:
– e.g., all systems requiring a patch.
– e.g., all systems supporting an n-tier app.
• Launch multiple login sessions at once:
– RDP, SSH, vSphere, SQL Studio, Toad, etc.
• Push commands to run on all checked out systems, accounts:
– Retrieve status from end systems.
– Make configuration changes.
– Apply patches.
9.2 Account set checkout
Animation: ../../pics/camtasia/v9/account-set-checkout-1/account-set-checkout-1.mp4
10 Reference builds
10.1 Need but hate code
• Most enterprise-scale deployments require some business logic.
• In practice, business logic looks like either script code or intricate flow charts.
• Nobody wants to write or maintain these things:
– Costly.
– Risky.
– Easy to make mistakes.
– Hard to find/keep staff with the skills.
• Reference builds are intended to eliminate this.
10.2 HiPAM Reference Build
Business decisions:
• What authentication processes should be allowed for this user, at this time, from this IP and device?
• What systems can a user see?
• What accounts and group sets can a user request?
• Is access pre-authorized?
• Who must approve access?
• If authorizers do not respond, who should we escalate to?
• What disclosure mechanisms should be allowed?
• What, if any, session data should be recorded?
Policy rules:
• All rules tables have two parts:
– Left: match on the current session or request.
– Right: make a policy decision or take action.
• Authentication chain selection.
• System/account filter (visibility).
• Authorizer selection and threshold setting.
• Escalation routing.
• Disclosure mechanism selection.
• Session data stream selection.
10.3 Authorization policy
10.4 Example authorization policy rules
• If: account request, recipient matches EMERGENCY-RECOVERY.
  Then: empty authorizer list, auto-approve, no more rules.
• If: account request, recipient matches UNIX-ADMINS, MSPID is UNIX-SYSTEMS.
  Then: auto-approve, empty authorizer list, no more rules.
• If: groupset request, recipient matches VENDORS.
  Then: add authorizers from VENDOR-ACCESS, sample 3, minimum 1.
• If: accountset request, MSPID is UNIX-SYSTEMS.
  Then: add authorizers from UNIX-ADMINS, sample 2, minimum 1.
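The rule-table semantics of 10.2 (left side matches the request, right side decides or acts, “no more rules” stops the walk) applied to the four example rules of 10.4, as an added Python example (not the product's own rule engine; the dictionary encoding, the reading of “recipient matches G” as membership of group G, and the sample group directory are assumptions):

```python
import random

# The four rules of slide 10.4 as data. This encoding is constructed for the
# example; the product's own rule-table format is not shown on the page.
RULES = [
    {"if": {"type": "account", "recipient": "EMERGENCY-RECOVERY"},
     "then": {"clear_authorizers": True, "auto_approve": True, "stop": True}},
    {"if": {"type": "account", "recipient": "UNIX-ADMINS", "mspid": "UNIX-SYSTEMS"},
     "then": {"auto_approve": True, "clear_authorizers": True, "stop": True}},
    {"if": {"type": "groupset", "recipient": "VENDORS"},
     "then": {"add_from": "VENDOR-ACCESS", "sample": 3, "minimum": 1}},
    {"if": {"type": "accountset", "mspid": "UNIX-SYSTEMS"},
     "then": {"add_from": "UNIX-ADMINS", "sample": 2, "minimum": 1}},
]

# Constructed directory: group -> members eligible to act as authorizers.
GROUPS = {"VENDOR-ACCESS": ["vo-1", "vo-2", "vo-3", "vo-4"],
          "UNIX-ADMINS": ["ua-1", "ua-2"]}

def matches(cond, req):
    """Left side of a rule: every field it names must match the request/session.
    'recipient matches G' is read as 'the recipient is a member of group G'."""
    if "type" in cond and req.get("type") != cond["type"]:
        return False
    if "recipient" in cond and cond["recipient"] not in req.get("recipient_groups", ()):
        return False
    if "mspid" in cond and req.get("mspid") != cond["mspid"]:
        return False
    return True

def evaluate(req, groups=GROUPS, rules=RULES, rng=random):
    """Walk the table top to bottom. Each matching rule's right side updates the
    decision; a rule marked 'stop' ("no more rules") ends the walk."""
    decision = {"auto_approve": False, "authorizers": [], "minimum": 0, "matched": []}
    for i, rule in enumerate(rules):
        if not matches(rule["if"], req):
            continue
        then = rule["then"]
        decision["matched"].append(i)
        if then.get("clear_authorizers"):
            decision["authorizers"] = []
        if then.get("auto_approve"):
            decision["auto_approve"] = True
        if "add_from" in then:
            pool = [u for u in groups.get(then["add_from"], []) if u not in decision["authorizers"]]
            # sample N from the group (or all of them if the group is smaller than N)
            decision["authorizers"] += rng.sample(pool, min(then["sample"], len(pool)))
            decision["minimum"] = max(decision["minimum"], then["minimum"])
        if then.get("stop"):
            break
    return decision

def demo():
    """Constructed requests: one per example rule, plus one that no rule matches."""
    rng = random.Random(7)
    emergency = evaluate({"type": "account", "recipient_groups": {"EMERGENCY-RECOVERY"}}, rng=rng)
    vendor = evaluate({"type": "groupset", "recipient_groups": {"VENDORS"}}, rng=rng)
    unix_set = evaluate({"type": "accountset", "mspid": "UNIX-SYSTEMS"}, rng=rng)
    unmatched = evaluate({"type": "groupset", "recipient_groups": {"STAFF"}}, rng=rng)
    return emergency, vendor, unix_set, unmatched
```

A request that matches no rule leaves the decision empty (no authorizers, not pre-authorized); what the build does with that case is not shown on the page.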
10.5 Sample rule: emergency access
11 Identity Manager
11.1 Certifier/user via relationship
11.2 More interactive input fields
11.3 Picture upload
12 Discussion
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
Date: May 22, 2015 File: PRCS:pres
