Password Manager: Detailed presentation

1 Hitachi ID Password Manager

Managing the User LifecycleAcross On-Premises andCloud-Hosted Applications

Integrated credential management for users:passwords, encryption keys, tokens, smart cards and more.

2 Agenda

• Hitachi ID corporate overview.• ID Management Suite overview.• Password problems and Hitachi ID Password Manager benefits.• The HiPM solution.• Software demonstration.

© 2012 Hitachi ID Systems, Inc.. All rights reserved. 1

http://Hitachi.com/

Slide Presentation

3 Hitachi ID Corporate Overview

Hitachi ID is a leading provider of identityand access management solutions.

• Founded as M-Tech in 1992.• A division of Hitachi, Ltd. since 2008.• Over 900 customers.• More than 11M+ licensed users.• Offices in North America, Europe and

APAC.• Partners globally.

4 Representative Hitachi ID Customers


Slide Presentation

5 ID Management Suite


Slide Presentation

6 PM Advantages

Hitachi IDPassword Manager

Others

Built-inFunctionality:

• Password synchronization• Password and PIN reset.• HDD crypto key recovery.• Enterprise single sign-on.

• Password reset.

Always available:

• Web browser, smart phone.• Phone call.• PC login screen.• At the office or mobile (WiFi,

VPN).

• Web browser.• PC login screen.• Only available at work.

Integrations:

• 110+ target types.• 10 ITSM systems.

• Typically 10-20 connectors.

Scalability:

• Built-in auto-discovery.• Built-in replication.• Managed enrollment.

• Single server.• Lots of scripting.


Slide Presentation

7 Problem: Too Many Passwords

Every login account has its own: Password complexity creates businessproblems:

• Password value.• User interface.• Strength rules.• Expiration date.

• High call volume :Users forget or lock out their passwords.This can be 30% of help desk workload.

• Sticky notes :Users write down their passwords andmay leave them in public view.

• Bad passwords :Users choose simple, easily guessedpasswords.

8 The HiPM Solution

Hitachi ID Password Manager addresses the problems that arise from password complexity:

• Cost savings from simplified password management, rapid deployment, low TCO and fast ROI.• Improved security from strong authentication, policy enforcement.• Scalability to hundreds of thousands of users.• Flexibility to integrate with existing infrastructure.

9 Problem: Password Management Costs

End users: Lose productivity when they have trouble logging in.

Support analysts: Spend much of their time resolving password problem calls. Must bestaffed for peak volume after holidays.

System administrators: Resolve escalated password problems.


Slide Presentation

10 HiPM Cost Savings

Synchronization: Eliminates 60% to 90% of password problems.

Self service reset: When adopted by 40% to 70% of users, diverts problem resolution awayfrom the help desk.

Assisted reset: Shortens remaining password reset HD calls by 50% or more, to about 1minute/call.

11 Problem: Password Security

Policy: Users prefer easily guessed passwords, write and share passwords.

Authentication: Weak caller authentication prior to HD password resets.

Delegation: Support staff require too many administrative logins.

Accountability: For support staff who perform resets.

Encryption: Passwords should not be sent or stored in the clear.

12 HiPM Security Benefits

Policy: Hitachi ID Password Manager can enforce over 50 password rules, on everysystem.

Synchronization: No need to write down multiple passwords.

Authentication: Users are identified before being allowed a HD password reset.

Delegation: Support staff no longer require administrative credentials.

Accountability: All password-related events logged.

Encryption: Sensitive data is sent and stored encrypted.


Slide Presentation

13 The Hitachi ID Solution is Flexible

Customize: Every aspect of the user interface

Integrate with: 110+ target system typesCall tracking systemsHR systemsAuthentication hardwareMeta directoriesIVR servers

Enforce: Password policyAuthentication rules

14 User Interface Flowchart

Update Passwords

Manage Q&A Profile

Register Voice Print

Manage H/W Token

Manage Login Profile

Password

Smart Card

Answer PersonalQuestions

Biometric Sample

Hardware Token

Network Login ID

Employee Number

E-mail Address

DesktopWeb Browser

PDA Web Browser

Telephone

WorkstationLogin Prompt

Access Identify Authenticate Action


Slide Presentation

15 Included Connectors

Many integrations to target systems included in the base price:

Directories:Any LDAP, AD, WinNT, NDS,eDirectory, NIS/NIS+.

Servers:Windows NT, 2000, 2003,2008, Samba, Novell,SharePoint.

Databases:Oracle, Sybase, SQL Server,DB2/UDB, Informix, ODBC.

Unix:Linux, Solaris, AIX, HPUX, 24more.

Mainframes, Midrange:z/OS: RACF, ACF2,TopSecret. iSeries,OpenVMS.

HDD Encryption:McAfee, CheckPoint.

ERP:JDE, Oracle eBiz, PeopleSoft,SAP R/3 and ECC 6, Siebel,Business Objects.

Collaboration:Lotus Notes, Exchange,GroupWise, BlackBerry ES.

Tokens, Smart Cards:RSA SecurID, SafeWord,RADIUS, ActivIdentity,Schlumberger.

WebSSO:CA Siteminder, IBM TAM,Oracle AM, RSA AccessManager.

Help Desk:BMC Remedy, SDE, HP SM,CA Unicenter, Assyst, HEAT,Altiris, Track-It!

Cloud/SaaS:WebEx, Google Apps,Salesforce.com, SOAP(generic).

16 Simple Integration with Custom Apps

• Hitachi ID Password Manager easily integrates with custom, vertical and hosted applications usingflexible agents .

• Each flexible agent connects to a class of applications:

– API bindings (C, C++, Java, COM, ActiveX, MQ Series).– Telnet / TN3270 / TN5250 / sessions with TLS or SSL.– SSH sessions.– HTTP(S) administrative interfaces.– Web services.– Win32 and Unix command-line administration programs.– SQL scripts.– Custom LDAP attributes.

• Integration takes a few hours to a few days.• Fixed cost service available from Hitachi ID.


Slide Presentation

17 Multi-Master Architecture

UserPasswordSynchTriggerSystems

Load Balancer

SMTP or Notes Mail

IncidentManagementSystem System of

Record

IVRServer

ReverseWeb Proxy

Target Systemswith local agent:OS/390, Unix, older RSA

Firewall

TCP/IP + AES

Various Protocols

Secure Native Protocol

HTTPS

Remote Data Center

Firewall

Local Network

Target Systemswith remote agent:AD, SQL, SAP, Notes, etc

Target SystemsEmails

Tickets

Lookup & Trigger

Native

password

change

AD, Unix,

OS/390,

LDAP,

AS400

Validate PW

Web Services

Proxy Server(if needed)

Hitachi IDApplicationServer(s)

SQL/Oracle

SQLDB

SQLDB

Cloud-hosted,

SaaS apps

VPNServer

18 Scalability and Fault-Tolerance

• Multiple Hitachi ID Password Manager servers can be configured for load balancing.• Data is automatically replicated between servers in real time.• Built-in high performance identity cache accelerates system response.• A service monitors the health of each server and may restart it or take it out of circulation.• A proxy server compensates for slow or insecure connectivity to remote target systems.• There are production customers with up to 300,000 users on just two servers.• Replication has been scaled to 20 servers.


Slide Presentation

19 Password Synchronization

Problem Solution

• Users have too many passwords:

– On different systems,– with different policies,– expiring at different times.

• Complexity leads users to do bad things:

– Write down passwords ("stickynotes").

– Forget/lock out passwords and callthe help desk.

– Reuse old passwords.

• Password synchronization pushespassword updates from one system toanother:

– Multiple physical passwords.– Same value everywhere.

• Password synchronization allows users to:

– Remember a single password value.– Manage it on a single schedule.– Comply with a single password

policy.

20 Transparent Password Synchronization

Password synchronization is designed to help users maintain a single, strong password acrossmultiple login IDs.Transparent password synchronization leverages an existing user interface.

• Users change their passwords natively on:

– WinNT/Win2K/Win2K3 servers,– Windows NT, Active Directory domains,– Unix servers,– LDAP directories,– OS400 / iSeries servers,– z/OS mainframes (RACF, CA-ACF2, CA-TopSecret)

• Hitachi ID Password Manager enforces a global policy, prohibiting users from choosing weakpasswords. Approved passwords are synchronized to other login accounts associated with thesame user.


Slide Presentation

21 Transparent Synchronization Architecture

UserPasswordSynchTriggerSystems

Load Balancer

Target Systemswith local agent:OS/390, Unix, RSA

Target Systemswith remote agent

Native

password

change

Start synch.

TCP/IP + AES


Hitachi IDManagement Suite

22 Web Password Synchronization

Password synchronization is designed to help users maintain a single, strong password acrossmultiple login IDs.Web password synchronization exposes a new user interface.

• Access a Web-based password change screen using any browser.• Enter a trusted network login ID and password.• Select a new password for one or all systems and accounts.• Review results from the password update on each system.


Slide Presentation

23 Web Password Synchronization Architecture

User

Load Balancer

Target Systemswith local agent:OS/390, Unix, RSA

TCP/IP + AES


Target Systemswith remote agent

Web

Web

Hitachi IDManagement Suite

24 Prompting Users to Synchronize

Users do not volunteer to change their passwords.

• Hitachi ID Password Manager can identify users who should change their passwords either basedon upcoming expiration on a target system, or based on the last HiPM update.

• Users are asked to change their passwords:

– By e-mail, with an embedded URL to the HiPM server.– By a Web browser, automatically opened during the network login script.


Slide Presentation

25 Benefits of Password Synchronization

• Improved user service.• Users have fewer password problems, so waste less time with login problems and call the help desk

less frequently.• New passwords meet global quality standards.• All passwords are changed regularly.

26 Self Service Password Reset

Problem Solution

• Some users continue to forget passwordsor trigger lockouts.

• These users still call the help desk.• High call volume is expensive.

• Self-service password reset enablesusers to authenticate themselves withsomething else (a token, biometric,personal questions, etc.) and reset theirown password(s).

• Hitachi ID Password Manager SSPRallows these users to resolve their ownproblems:

– This lowers help desk call volume.– User service is available 24x7.– Accessible via web browser, phone

or from the login prompt.

27 Access from Login Prompt

Problem Solution

Users who forget their network passwordcannot launch a Web browser to access the selfservice password reset application.

• Secure Kiosk Account (SKA): access toSSPR without client software ("guest"account).

• GINA service: access to SSPR from UIextension – no GINA DLL.

• Hitachi ID Phone Password Manager:turn-key telephone access to SSPR.

• Temporary VPN: access to SSPR fromoutside the corporate network.


Slide Presentation

28 Secure Kiosk Account (SKA)

Support locked out users without deploying client software.

• User signs on with the login ID HELP• No password is required to sign into the SKA.• The SKA account has a special security policy.• The policy specifies an alternate to the Windows shell.• The Hitachi ID Password Manager shell opens a kiosk-mode Web browser to the self service

password reset Web page.• Applies both to on-line and mobile users.• Can be used to reset/unlock both local and networked passwords.• No browser navigation, controls, border, etc.• Closing the browser logs the user off.

29 GINA Extensions

Support locked out users without a "generic" domain account:

• Extend the Windows Graphical Identification and Authentication (GINA) subsystem, which:

– is responsible for capturing Ctrl-Alt-Del,– presents the login screen and– handles screen savers.

• The Windows GINA can be replaced by third-party DLLs, such as:

– Novell NetWare.– Strong authentication products (smart cards, biometrics, etc.).

• Hitachi ID Password Manager includes two GINA extension approaches, both of them:

– Launch a kiosk-mode web browser.– Run the browser with an unprivileged account.

• The first is a GINA wrapper DLL that adds a password reset button in the login prompt.• The second is a GINA service program that adds a password reset button without modifying the

native GINA DLL.


Slide Presentation

30 Self-service via Telephone

• Identification options:

– Numeric ID (e.g., employee number).– Numeric mapping of network login ID.

• Authentication options:

– Numeric security questions (e.g., driver’s license, DoB).– Biometric voice print verification.– Hardware token.

• Features:

– Password reset / unlock.– Token PIN reset.– HDD encryption key recovery.

• Platform options:

– Use Phone Password Manager (turn-key system).– Extend call logic on an existing IVR, using Hitachi ID Password Manager API.

• Limitations:

– Cannot reset PINs on smart cards.– Cannot update cached credentials on mobile PCs.

31 Flexible, Secure Authentication

• Hardware tokens: generated password + keyed PIN.• Biometric: voice print, finger print.• PKI: smart cards, software certificates.• Challenge/response using:

– Built-in or external data source.– Both user-defined and standard questions.– A flexible algorithm to validate answers.– Multiple sets of multiple questions.

• Open architecture: Easily integrate with new authentication systems.


Slide Presentation

32 Benefits of Self Service Password Reset

Savings Security

40% to 70% of users resolve their own problem,and do not call the help desk.

• Stronger authentication prior to passwordresets.

• Reset passwords meet quality controls.• Detailed audit trail of authentication

attempts, resets.

33 Help Desk Password Reset

Problem Solution

• Even with synchronization and selfservice password reset, some userscontinue to call the help desk.

• These calls can take 5-15 minutes toresolve and cost $25 – $35.

• Assisted password reset shortenspassword-related support calls.

• One process and UI handles everything:

– Authenticate the analyst.– Authenticate the caller.– Reset multiple passwords.– Clear lockouts.– Create/close a support incident

(ticket).

• Reduce call duration to about 1 minutes.• Lower incident cost.

34 Assisted Password Reset Process

• Help desk analysts use a Hitachi ID Password Manager Web page to:

– Login (authenticate the analyst).– Look up the caller’s record.– Authenticate the caller.– Reset one or more passwords.– Automatically create a ticket in the call tracking system.

• Call resolution time is reduced to 1 – 2 minutes.• Help desk analysts don’t require direct access to target systems.


Slide Presentation

35 Call Tracking, E-mail Integration

Hitachi ID Password Manager has an open architecture to notify other systems of over 116 types ofevents.

• Simple configuration specifies what events to capture and what actions to take.• Binary integration programs are included for:

– Altiris– Assyst– BMC Remedy– BMC Service Desk Express– CA Unicenter– Clarify– HEAT– InfraHD HP Service Desk– Tivoli– Track-It!

• Open integrations via SMTP, HTTP, HTTPS, XML, ODBC interfaces.

36 HiPM Assisted Service Notes

Help desk analysts may:

• Either see, or be required to type answers to caller-authenticating questions.• Either reset passwords, or reset-and-expire passwords.• Enable or disable caller access to Hitachi ID Password Manager self service.• Be granted the ability to:

– See or edit answers to security questions.– See or edit login ID profiles data.– Manage SecurID tokens.


Slide Presentation

37 Benefits of Assisted Password Reset

Savings Security

Remaining password reset calls are reduced toapproximately 1 minute.

• Ensure that callers are alwaysauthenticated prior to password resets.

• Reduce the number of people withadministrative rights.

• Improve accountability for help deskpassword resets.

• Enforce password policy over resetpasswords.


Slide Presentation

38 Impact of Synchronization and SSPR

calls

problems


Slide Presentation

39 RSA SecurID Token Management

Problem Solution

Users with RSA SecurID tokens forget theirPINs, lose their tokens, require clocksynchronization, etc. These issues generatehelp desk calls.

Users can clear, synchronize or reset theirtoken PINs; synchronize their token clocks;enable/disable their tokens or get emergencyaccess passcodes using the Hitachi IDPassword Manager self service tokenmanagement feature. In addition, HiPM canauthenticate users by validating a current RSASecurID token pass-codes against the RSAserver.

40 Token Management Process

• Users authenticate with a password.• Once authenticated, users can:

– Enable / disable tokens.– Request emergency access codes.– Clear / set their PIN.– Re-synchronize tokens.

41 Benefits of Token Management

Savings Security

Fewer, shorter help desk calls for tokenproblems.

• Fewer people with ACE administrationprivileges.

• Stronger authentication prior to tokensupport.


Slide Presentation

42 Managed User Enrollment

Problem Solution

• Deployment may require new user profiledata:

– Question/answer pairs forauthentication.

– Login ID reconciliation betweensystems.

– Biometric samples (e.g., voiceprints).

• Hitachi ID Password Manager includes amanaged enrollment system, whichidentifies users that need to enroll andinvites them to do so.

43 Reconcile Login IDs Between Systems

Where login IDs are different on some systems, and there is no existing directory, metadirectory, matching attribute or map file to connect them, users can be prompted to "claim" theirown IDs:

• Users sign into a secure Hitachi ID Password Manager registration Web page.• Users enter a login ID and password.• HiPM finds unallocated instances of the login ID in the identity cache and tries to sign into those

target systems with the password the user provided.• The login ID / target system ID is added to the user’s profile if the password worked.

44 Benefits of Managed Enrollment

Savings Security

Rapid deployment, low-cost data gathering. • Secure authentication prior to registration.• Collect answers to security questions.• Correlate login IDs across all systems.• Identify orphan accounts.


Slide Presentation

45 Rapid Deployment and Low TCO

Optimized to minimize effort: Using Hitachi ID Password Managertechnology:

• Password management with HiPM:

– Initial deployment:4 to 8 weeks of effort.

– Ongoing maintenance:0.25 to 0.5 FTE.

• Built-in nightly auto-discovery of IDs,entitlements.

• Both attribute-based and self-service IDmapping.

• Automatically managed user enrollment• No requirement for client software.• 110 connectors out of the box.• Rapid integration with custom, vertical

apps.• Easy customization of GUI, business

logic.

46 Competitive Advantages

Unique features Rapid deployment

• Self-service password/PIN reset fromanywhere.

• Workflow to refresh OrgChart data.• Request for resources mapped to AD

groups.• Detect/block effective SoD violations.

• Key features built-in, not custom:

– Change request forms.– Authorization process.– Access certification UI.– Auto-discovery.

• Self-service ID mapping.• Unique approach to workflow.

Scalable platform Integrations

• Real-time data replication.• Multi-master architecture.• Proxy server to cross firewalls.• Stored procedures, native code for speed.

• 110+ included connectors.• Flexible connectors.• Built-in implementers workflow.• Integrated with incident management,

SIEM, etc.


Slide Presentation

47 HiPM Animated Demonstration

The following animations illustrate core Hitachi ID Password Manager user interfaces and processes:

• Security question enrollment:

– A user authenticates andcompletes his personal profile ofquestions and answers.

• Alias enrollment:

– A user attaches non-standard loginIDs to his profile.

• Password expiration:

– A user is invited, via e-mail, tochange soon-to-expire passwords.

• Self-service password reset (SSPR)using Secure Kiosk Account:

– A locked out user resolves his ownproblem, from the login prompt,without client software deployment.

• SSPR with GINA Extension:

– A locked out user resolves his ownproblem, from the login prompt,using a GINA extension.

• SSPR with Vista credential provider:

– A locked out user resolves his ownproblem, from the login prompt,using a Windows Vista credentialprovider.

• Assisted password reset:

– A help desk analyst signs in with anRSA SecurID token and resets acaller’s password.

• PIN Reset for an RSA SecurID token:

– A user resets his RSA SecurIDtoken PIN with HiPM.

48 Locked out Windows 7 user resets own password

Animation: ../pics/camtasia/psynch-2/win7-credential-provider.cam

49 Locked out Windows XP user resets own password

Animation: ../pics/camtasia/psynch-2/5-password-reset-gina.cam


Slide Presentation

50 Locked out Windows user resets own password (no softwarefootprint)

Animation: ../pics/camtasia/psynch-2/4-password-reset-ska.cam4

51 Enrollment of security questions

Animation: ../pics/camtasia/psynch-2/1-qa-enrollment.cam

52 Enrollment of non-standard login IDs

Animation: ../pics/camtasia/psynch-2/2-alias-enrollment.cam

53 RSA SecurID Self Service Token Support

Animation: ../pics/camtasia/psynch-2/8-rsa-token-reset.cam

54 Reminder to change passwords

Animation: ../pics/camtasia/psynch-2/3-password-expired-email.cam


Slide Presentation

55 Assisted Password Reset

Animation: ../pics/camtasia/psynch-2/7-password-reset.cam

56 Hitachi ID Professional Services

• Hitachi ID offers a variety of services relating to Hitachi ID Password Manager, including:

– Needs analysis and solution design.– Fixed price system deployment.– Project planning.– Roll-out management, including maximizing user adoption.– Ongoing system monitoring.– Training.

• Services are based on extensive experience with the Hitachi ID solution delivery process.• The Hitachi ID professional services team is highly technical and have years of experience deploying

IAM solutions.• Hitachi ID partners with integrators that also offer business process and system design services to

mutual customers.

57 Hitachi ID Solution Delivery Approach

Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The"meter" is never running.

Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1–3months. Work is reviewed and payment is due when milestones are met.

Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systemsintegrator or a combination of the participants.

Templates: Template documents and sample business logic are used to expeditework.

Customer portal: A self-service portal supports discovery, client/partner/vendor interaction,document distribution and more.


Slide Presentation

58 AdMax: Maximizing User Adoption

• Successful implementation of an identity and access management system must be supported by aneffective user adoption program.

• AdMax is an Hitachi ID professional services program, used to plan for and execute effective userenrollment projects.

• AdMax is designed to maximize adoption of and ROI from Hitachi ID identity management solutions,using:

– Best practices, case studies and industry norms.– Enrollment, user adoption and ROI measurement.– Incentive and disincentive programs.– Presentations and training materials for users and HD staff.– Project roles and responsibilities.– Sample project plans, promotional materials, e-mails, graphics and other user communications.– Workbooks for project implementation.

59 Summary

An integrated solution for managing credentials:

• Immediate security benefit: password policy, help desk caller authentication.• Low deployment cost, minimal ongoing investment, significant IT support savings.• Always accessible:

– Web browser on PC, phone or tablet.– Windows login prompt.– Pre-boot encryption password prompt.– Phone call / IVR.– Available at work and while off-site.

• 110+ connectors included.

Learn more at Hitachi-ID.com/Password-Manager

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: PRCS:presDate: March 1, 2012

http://Hitachi-ID.com/Password-Manager/

http://Hitachi-ID.com/

Technology

Password Manager: Detailed presentation