
Hitachi ID Identity Manager

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Entitlement Administration and Governance: Automation, requests, approvals, recertification, SoD and RBAC.

Agenda
Hitachi ID corporate overview. Identity and entitlement management challenges. Hitachi ID Identity Manager: Features. Technology. Impact.

© 2013 Hitachi ID Systems, Inc. All rights reserved.

Slide Presentation

Hitachi ID Corporate Overview

Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in 1992. A division of Hitachi, Ltd. since 2008. Over 1000 customers. More than 12M+ licensed users. Offices in North America, Europe and APAC. Partners globally.

Representative Hitachi ID Customers


IDM Suite

The Identity and Entitlement Landscape


Onboarding

Change management

Apps

Audits

Deactivation


Problems Due To Complexity


Security / Internal Controls: Orphan accounts (no owner). Dormant accounts (unused). Segregation of duties (fraud risk). Inconsistent, unreliable approvals. Stale, inappropriate rights.

IT Support: Volume of change requests. Ambiguous problem descriptions.

Audit: Difficult to audit (who has what?). No history (how did they get it?). Weak link between accounts and human owners. Weak link between entitlements and business need.

User Service: Obscure change request forms. Slow approvals, service fulfillment. Language barrier between IT and business users.

E-A-G
Identity administration: Onboard, deactivate, change. Focus on identifiers: name, department, location, etc. Entitlement management: Expand scope to group memberships. Access governance: Approvals, recertification, policy controls. Entitlement administration and governance: Entitlements and identities should be managed simultaneously. Administration and controls are inseparable.


Inconsistent processes
Different forms, approvals, admins for each system Enterprise-wide processes

Deactivation

Onboarding
Apps

Change

Confusing to users. Some may be insecure. Difficult to audit.

Processes centered on users, not infrastructure. Simpler, faster change management.


Inappropriate security rights


Orphan accounts, dormant accounts, SoD violations, stale privileges. Enterprise-wide policy enforcement, certification and deactivation.

Stale and excess rights create risk of abuse. Audit failures and regulatory compliance problems.

Eliminate inappropriate security entitlements. Reduce risk profile. Pass audits.


Slow onboarding
It can take days to set up access for new hires. Automation and workflow accelerate onboarding. Optimized approvals and fulfillment.

Multiple request forms. Slow approvals processes. Coordination between multiple admins.

Automated onboarding in many cases. Friendly request forms where automation impossible. Faster onboarding, improved SLA. Recovered productivity.


High change request volume


Security team overloaded by request volume. Automation and self-service reduce and divert the workload

Onboarding. Job and location changes. Application and filesystem access.

Routine requests fully automated. Focus security team on unusual and complex tasks.


Complex request process


Users don't know or can't explain what they need. Simplify request forms and link to point of access.

[Figure: IRS Form 1040 (U.S. Individual Income Tax Return, 2011) and a short form with the fields Name, Company, Address, Phone, Postal, E-mail, Users.]

"Make Bob like Mary." Different names for the same system or entitlement. Complex yet free-form request forms.

Easier to find request forms. Easier to fill in. Fewer mistakes, fewer rejections, faster service.


Costly audits
Audits are difficult to execute and consume a large proportion of administrator time. Empower auditors to run reports on entitlements and change history.

Up to 50% of admin time is spent responding to audit requests. Records of change requests/approvals may be inadequate. Both administrators and auditors are frustrated.

Auditors can answer their own questions. Administrators can focus on change management.


Usability
Challenges: Business users don't understand or care about entitlements, identities or governance ... but their input is essential: Self-service: manage security questions and passwords. Request: input for themselves or others. Authorization: approve or reject change requests. Access certification: review entitlements of others. Need to maximize comprehension and minimize time spent.

Solutions: Simple self-service UI. Roles: request sets of entitlements with a friendly name. Pre-defined requests: simplify common transformations, such as change of address, scheduled termination, etc. Windows shell extension and SharePoint integration: trigger requests from "access denied" error dialog. "Model after" UI: compare entitlements between two users.


Controls
Challenges: Enforce policy over all changes. Find and eliminate inappropriate entitlements. Audit requests consume significant administration time. Audit failures.

Solutions: SoD engine: prevent new and detect existing violations. Authorization workflow: N of M approvers, reminders, escalation, delegation. Access certification, both scheduled and on-demand. Detect and respond to unauthorized changes on integrated apps. Report on current and historical entitlements.


Included Connectors

Many integrations to target systems included in the base price:

Directories: Any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.

Servers: Windows NT, 2000, 2003, 2008, 2008R2, Samba, Novell, SharePoint. Mainframes, Midrange: z/OS: RACF, ACF2, TopSecret. iSeries, OpenVMS. Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC, Oracle Hyperion EPM Shared Services, Cache. HDD Encryption: McAfee, CheckPoint, BitLocker, PGP. Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger. Cloud/SaaS: WebEx, Google Apps, MS Office 365, Salesforce.com, SOAP (generic).

Unix: Linux, Solaris, AIX, HPUX, 24 more variants. ERP: JDE, Oracle eBiz, PeopleSoft, PeopleSoft HR, SAP R/3 and ECC 6, Siebel, Business Objects. WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.

Help Desk: ServiceNow, BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Clarify, RSA Envision, Track-It!, MS System Center Service Manager


Rapid Integration with Custom Apps


Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes.

Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID.


Multi-Master Architecture
[Figure: multi-master architecture diagram. Components shown include a load balancer, the Hitachi ID application with SQL DB, reverse web proxy, VPN server, IVR server, mail (SMTP or Notes), incident management system, system of record, password synch trigger systems, target systems with local or remote agents, firewalls, proxy server (if needed), cloud-hosted/SaaS apps and a remote data center. Connection legend: TCP/IP + AES, Various Protocols, Secure Native Protocol, HTTPS.]



Rapid Deployment and Low TCO


Optimized to minimize effort: User provisioning with HiIM: Initial deployment: 6-9 months. Ongoing maintenance: 0.5-1.0 FTE. Using Hitachi ID Identity Manager technology: Built-in nightly auto-discovery of IDs, entitlements. Both attribute-based and self-service ID mapping. Request, approvals screens and processes are built-in. Implementer infrastructure for non-integrated apps is built-in. Powerful authorization workflow is built-in. Deployment does not depend on role engineering. 110 connectors out of the box. Rapid integration with custom, vertical apps. Easy customization of GUI, business logic.


Hitachi ID Professional Services


Hitachi ID offers a variety of services relating to Hitachi ID Identity Manager, including: Needs analysis and solution design. Fixed price system deployment. Project planning. Roll-out management, including maximizing user adoption. Ongoing system monitoring. Training.

Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.


Hitachi ID Solution Delivery Approach


Fixed-price: All work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.

Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 13 months. Work is reviewed and payment is due when milestones are met.

Open assignment: Each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.

Templates: Template documents and sample business logic are used to expedite work.

Customer portal: A self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.


Summary

An integrated solution for managing identities and entitlements: Automation: onboarding, deactivation, detect out-of-band changes. Self-service: profile updates, access requests. Delegated management: requests, certification. Policy enforcement: RBAC, SoD, authorization. Analytics: current, historical entitlements. Explicit vs. actual. Patterns. Integrations: 110 bidirectional connectors. Windows, SharePoint, SIEM, help desk. Rapid deployment: built-in screens, workflow processes, navigation, ACLs.

Security, lower cost, faster service. Learn more at Hitachi-ID.com/Identity-Manager

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: PRCS:pres Date: September 19, 2013

www.Hitachi-ID.com
