Password Manager: Detailed presentation


Hitachi ID Password Manager:

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Integrated credential management for users: passwords, encryption keys, tokens, smart cards and more.


Slide 1: Hitachi ID Password Manager
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Integrated credential management for users: passwords, encryption keys, tokens, smart cards and more.

Slide 2: Agenda
• Hitachi ID corporate overview.
• ID Management Suite overview.
• Password problems and Hitachi ID Password Manager benefits.
• The HiPM solution.
• Software demonstration.

© 2012 Hitachi ID Systems, Inc. All rights reserved.
Slide 3: Hitachi ID Corporate Overview
Hitachi ID is a leading provider of identity and access management solutions.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 900 customers.
• More than 11 million licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.

Slide 4: Representative Hitachi ID Customers
(customer logos; no text content)
Slide 5: ID Management Suite
(product overview diagram; no text content)
Slide 6: PM Advantages (Hitachi ID Password Manager vs. others)

Built-in functionality
  Hitachi ID: password synchronization; password and PIN reset; HDD crypto key recovery; enterprise single sign-on.
  Others: password reset.
Always available
  Hitachi ID: web browser, smart phone; phone call; PC login screen; at the office or mobile (WiFi, VPN).
  Others: web browser; PC login screen; only available at work.
Integrations
  Hitachi ID: 110+ target types; 10 ITSM systems.
  Others: typically 10-20 connectors.
Scalability
  Hitachi ID: built-in auto-discovery; built-in replication; managed enrollment.
  Others: single server; lots of scripting.
Slide 7: Problem: Too Many Passwords
Every login account has its own:
• Password value.
• User interface.
• Strength rules.
• Expiration date.
Password complexity creates business problems:
• High call volume: users forget or lock out their passwords. This can be 30% of help desk workload.
• Sticky notes: users write down their passwords and may leave them in public view.
• Bad passwords: users choose simple, easily guessed passwords.

Slide 8: The HiPM Solution
Hitachi ID Password Manager addresses the problems that arise from password complexity:
• Cost savings from simplified password management, rapid deployment, low TCO and fast ROI.
• Improved security from strong authentication and policy enforcement.
• Scalability to hundreds of thousands of users.
• Flexibility to integrate with existing infrastructure.

Slide 9: Problem: Password Management Costs
End users: lose productivity when they have trouble logging in.
Support analysts: spend much of their time resolving password problem calls, and must be staffed for peak volume after holidays.
System administrators: resolve escalated password problems.
Slide 10: HiPM Cost Savings
Synchronization: eliminates 60% to 90% of password problems.
Self-service reset: when adopted by 40% to 70% of users, diverts problem resolution away from the help desk.
Assisted reset: shortens the remaining password reset help desk calls by 50% or more, to about 1 minute per call.

Slide 11: Problem: Password Security
Policy: users prefer easily guessed passwords, and write down and share passwords.
Authentication: weak caller authentication prior to help desk password resets.
Delegation: support staff require too many administrative logins.
Accountability: little accountability for support staff who perform resets.
Encryption: passwords should not be sent or stored in the clear.

Slide 12: HiPM Security Benefits
Policy: Hitachi ID Password Manager can enforce over 50 password rules, on every system.
Synchronization: no need to write down multiple passwords.
Authentication: users are identified before being allowed a help desk password reset.
Delegation: support staff no longer require administrative credentials.
Accountability: all password-related events are logged.
Encryption: sensitive data is sent and stored encrypted.
Slide 13: The Hitachi ID Solution is Flexible
Customize: every aspect of the user interface.
Integrate with: 110+ target system types; call tracking systems; HR systems; authentication hardware; meta directories; IVR servers.
Enforce: password policy; authentication rules.

Slide 14: User Interface Flowchart
Access: desktop network login; web browser; login prompt; PDA web browser; telephone.
Identify: login ID; workstation; e-mail address; employee number.
Authenticate: password; hardware token; smart card; answer personal questions; voice print; biometric sample.
Action: update passwords; manage login profile; manage Q&A profile; register; manage hardware token.
Slide 15: Included Connectors
Many integrations to target systems are included in the base price:
Directories: any LDAP, AD, WinNT, NDS, eDirectory, NIS/NIS+.
Servers: Windows NT, 2000, 2003, 2008, Samba, Novell, SharePoint.
Databases: Oracle, Sybase, SQL Server, DB2/UDB, Informix, ODBC.
Unix: Linux, Solaris, AIX, HPUX, 24 more.
Mainframes, midrange: z/OS (RACF, ACF2, TopSecret), iSeries, OpenVMS.
HDD encryption: McAfee, CheckPoint.
ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3 and ECC 6, Siebel, Business Objects.
Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
Tokens, smart cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
Help desk: BMC Remedy, SDE, HP SM, CA Unicenter, Assyst, HEAT, Altiris, Track-It!
Cloud/SaaS: WebEx, Google Apps, SOAP (generic).

Slide 16: Simple Integration with Custom Apps
• Hitachi ID Password Manager integrates with custom, vertical and hosted applications using flexible agents.
• Each flexible agent connects to a class of applications:
  – API bindings (C, C++, Java, COM, ActiveX, MQ Series).
  – Telnet / TN3270 / TN5250 sessions, with TLS or SSL.
  – SSH sessions.
  – HTTP(S) administrative interfaces.
  – Web services.
  – Win32 and Unix command-line administration programs.
  – SQL scripts.
  – Custom LDAP attributes.
• Integration takes a few hours to a few days.
• Fixed-cost service available from Hitachi ID.
Slide 17: Multi-Master Architecture
(architecture diagram; recoverable labels only) Users reach the system through a native password change (password synch trigger), a web browser, a reverse web proxy, a VPN, an IVR server or web services. Requests pass a load balancer to the Hitachi ID application servers, backed by replicated SQL Server databases. Target systems with a local agent (OS/390, Unix, RSA) and target systems with a remote agent (AD, SQL, SAP, Notes, etc.) are reached over TCP/IP + AES or the secure native protocol; cloud-hosted/SaaS applications over HTTPS; a proxy server crosses the firewall to remote targets where needed. Side integrations: SMTP for e-mails, ticket creation in the incident management system, and lookups/triggers against the system of record.

Slide 18: Scalability and Fault-Tolerance
• Multiple Hitachi ID Password Manager servers can be configured for load balancing.
• Data is automatically replicated between servers in real time.
• A built-in high-performance identity cache accelerates system response.
• A service monitors the health of each server and may restart it or take it out of circulation.
• A proxy server compensates for slow or insecure connectivity to remote target systems.
• There are production customers with up to 300,000 users on just two servers.
• Replication has been scaled to 20 servers.
Slide 19: Password Synchronization
Problem:
• Users have too many passwords: on different systems, with different policies, expiring at different times.
• Complexity leads users to do bad things: write down passwords ("sticky notes"); forget or lock out passwords and call the help desk; reuse old passwords.
Solution:
• Password synchronization pushes password updates from one system to another: multiple physical passwords, the same value everywhere.
• Password synchronization allows users to remember a single password value, manage it on a single schedule and comply with a single password policy.

Slide 20: Transparent Password Synchronization
Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Transparent password synchronization leverages an existing user interface.
• Users change their passwords natively on:
  – WinNT/Win2K/Win2K3 servers,
  – Windows NT and Active Directory domains,
  – Unix servers,
  – LDAP directories,
  – OS400 / iSeries servers,
  – z/OS mainframes (RACF, CA-ACF2, CA-TopSecret).
• Hitachi ID Password Manager enforces a global policy, prohibiting users from choosing weak passwords. Approved passwords are synchronized to the other login accounts associated with the same user.
Slide 21: Transparent Synchronization Architecture
(architecture diagram; recoverable labels only) A native password change by the user fires the password synch trigger, which starts synchronization through a load balancer to the Hitachi ID Management Suite; the suite then updates target systems with a local agent (OS/390, Unix, RSA) and target systems with a remote agent over TCP/IP + AES or the secure native protocol.

Slide 22: Web Password Synchronization
Password synchronization is designed to help users maintain a single, strong password across multiple login IDs. Web password synchronization exposes a new user interface.
• Access a Web-based password change screen using any browser.
• Enter a trusted network login ID and password.
• Select a new password for one or all systems and accounts.
• Review results from the password update on each system.
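As an added worked example (not code from the slides or from Hitachi ID), the Python sketch below shows the two steps the synchronization slides describe: a candidate password is checked once, centrally, against a global policy, and only an approved value is pushed to every other account linked to the same user, with a per-system result the user can review. The rule set and its thresholds, the dictionary, the history depth, the sample user profile and the in-memory target systems are all constructed assumptions; a deployment would replace SimulatedTarget with the connector for each platform.

```python
"""Global password policy enforcement followed by synchronization to every
account linked to the same user. Example code, not Hitachi ID's
implementation; target systems are simulated in memory so it runs offline."""
import hashlib
import re
from dataclasses import dataclass, field

# Hypothetical global policy: a few of the kinds of rules a product that
# enforces "50+ rules" would carry. Thresholds and word list are assumptions.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
DICTIONARY = {"password", "welcome", "summer", "hitachi", "letmein"}  # constructed


def _fingerprint(password: str) -> str:
    # History is kept as SHA-256 fingerprints so old passwords are never stored
    # in the clear (assumed design; a real system would salt per user).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class UserProfile:
    login_ids: dict                                  # target system -> login ID there
    history: list = field(default_factory=list)      # fingerprints, most recent first


def check_policy(password: str, profile: UserProfile) -> list:
    """Return the list of violated rules; an empty list means the password is approved."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("fewer than 3 character classes")
    lowered = password.lower()
    # Reject passwords that embed any of the user's own login IDs.
    if any(lid.lower() in lowered for lid in profile.login_ids.values()):
        violations.append("contains a login ID")
    # Dictionary words anywhere in the password (case-insensitive substring).
    if any(word in lowered for word in DICTIONARY):
        violations.append("contains a dictionary word")
    if re.search(r"(.)\1\1", password):
        violations.append("three identical characters in a row")
    if _fingerprint(password) in profile.history[:HISTORY_DEPTH]:
        violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return violations


class SimulatedTarget:
    """Stand-in for a target system connector (AD, Unix, RACF, ...)."""
    def __init__(self, name: str, reachable: bool = True):
        self.name, self.reachable, self.passwords = name, reachable, {}

    def set_password(self, login_id: str, password: str) -> None:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        self.passwords[login_id] = password


def synchronize(password: str, profile: UserProfile, targets: dict, origin: str) -> dict:
    """Validate against the global policy, then push the approved password to every
    linked account except the one where the change originated. Returns a per-target
    result map; a failed target is reported, never silently skipped."""
    violations = check_policy(password, profile)
    if violations:
        return {"approved": False, "violations": violations, "results": {}}
    results = {}
    for system, login_id in profile.login_ids.items():
        if system == origin:
            results[system] = "unchanged (origin of change)"
            continue
        try:
            targets[system].set_password(login_id, password)
            results[system] = "updated"
        except ConnectionError as exc:
            results[system] = f"failed: {exc}"
    profile.history.insert(0, _fingerprint(password))
    return {"approved": True, "violations": [], "results": results}


# Constructed sample: one user with three linked accounts; RACF is offline.
SAMPLE_PROFILE = UserProfile(login_ids={"AD": "jsmith", "Unix": "jsmith", "RACF": "JSMIT01"},
                             history=[_fingerprint("Old-Passw0rd-2011!")])
SAMPLE_TARGETS = {"AD": SimulatedTarget("AD"), "Unix": SimulatedTarget("Unix"),
                  "RACF": SimulatedTarget("RACF", reachable=False)}

if __name__ == "__main__":
    print(synchronize("Jsmith-Summer12!", SAMPLE_PROFILE, SAMPLE_TARGETS, origin="AD"))
    print(synchronize("Tr0ub4dor&Violin#9", SAMPLE_PROFILE, SAMPLE_TARGETS, origin="AD"))
```

The first call is rejected because the value embeds the user's own login ID and a dictionary word, so nothing is pushed anywhere; the second is approved, the Unix account is updated, and the unreachable RACF target shows up as a failure in the results rather than leaving the user believing all accounts now share one password.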
Slide 23: Web Password Synchronization Architecture
(architecture diagram; recoverable labels only) The user's web browser reaches the Hitachi ID Management Suite through a load balancer; the suite updates target systems with a local agent (OS/390, Unix, RSA) and target systems with a remote agent over TCP/IP + AES or the secure native protocol.

Slide 24: Prompting Users to Synchronize
Users do not volunteer to change their passwords.
• Hitachi ID Password Manager can identify users who should change their passwords, either based on upcoming expiration on a target system or based on the last HiPM update.
• Users are asked to change their passwords:
  – By e-mail, with an embedded URL to the HiPM server.
  – By a Web browser, automatically opened during the network login script.
Slide 25: Benefits of Password Synchronization
• Improved user service.
• Users have fewer password problems, so they waste less time on login problems and call the help desk less frequently.
• New passwords meet global quality standards.
• All passwords are changed regularly.

Slide 26: Self-Service Password Reset
Problem:
• Some users continue to forget passwords or trigger lockouts.
• These users still call the help desk.
• High call volume is expensive.
Solution:
• Self-service password reset enables users to authenticate themselves with something else (a token, biometric, personal questions, etc.) and reset their own password(s).
• Hitachi ID Password Manager SSPR allows these users to resolve their own problems:
  – This lowers help desk call volume.
  – User service is available 24x7.
  – Accessible via web browser, phone or from the login prompt.

Slide 27: Access from Login Prompt
Problem: users who forget their network password cannot launch a Web browser to access the self-service password reset application.
Solution:
• Secure Kiosk Account (SKA): access to SSPR without client software ("guest" account).
• GINA service: access to SSPR from a UI extension, with no GINA DLL.
• Hitachi ID Phone Password Manager: turn-key telephone access to SSPR.
• Temporary VPN: access to SSPR from outside the corporate network.
Slide 28: Secure Kiosk Account (SKA)
Support locked-out users without deploying client software.
• The user signs on with the login ID HELP.
• No password is required to sign into the SKA.
• The SKA account has a special security policy.
• The policy specifies an alternate to the Windows shell.
• The Hitachi ID Password Manager shell opens a kiosk-mode Web browser to the self-service password reset Web page.
• Applies both to on-line and mobile users.
• Can be used to reset/unlock both local and network passwords.
• No browser navigation, controls, border, etc.
• Closing the browser logs the user off.

Slide 29: GINA Extensions
Support locked-out users without a "generic" domain account:
• Extend the Windows Graphical Identification and Authentication (GINA) subsystem, which:
  – is responsible for capturing Ctrl-Alt-Del,
  – presents the login screen, and
  – handles screen savers.
• The Windows GINA can be replaced by third-party DLLs, such as:
  – Novell NetWare.
  – Strong authentication products (smart cards, biometrics, etc.).
• Hitachi ID Password Manager includes two GINA extension approaches; both of them:
  – Launch a kiosk-mode web browser.
  – Run the browser with an unprivileged account.
• The first is a GINA wrapper DLL that adds a password reset button to the login prompt.
• The second is a GINA service program that adds a password reset button without modifying the native GINA DLL.
Slide 30: Self-Service via Telephone
• Identification options:
  – Numeric ID (e.g., employee number).
  – Numeric mapping of network login ID.
• Authentication options:
  – Numeric security questions (e.g., driver's license, date of birth).
  – Biometric voice print verification.
  – Hardware token.
• Features:
  – Password reset / unlock.
  – Token PIN reset.
  – HDD encryption key recovery.
• Platform options:
  – Use Phone Password Manager (turn-key system).
  – Extend call logic on an existing IVR, using the Hitachi ID Password Manager API.
• Limitations:
  – Cannot reset PINs on smart cards.
  – Cannot update cached credentials on mobile PCs.

Slide 31: Flexible, Secure Authentication
• Hardware tokens: generated password + keyed PIN.
• Biometric: voice print, fingerprint.
• PKI: smart cards, software certificates.
• Challenge/response using:
  – Built-in or external data source.
  – Both user-defined and standard questions.
  – A flexible algorithm to validate answers.
  – Multiple sets of multiple questions.
• Open architecture: easily integrate with new authentication systems.
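The challenge/response options listed above (user-defined and standard questions, a flexible answer-matching algorithm, multiple question sets) can be implemented as follows. This is an added example, not Hitachi ID's code: answers are normalized and stored only as salted PBKDF2 hashes (a design under which the help desk "see answers" option on a later slide would not be possible), each attempt asks a random mix that always includes a user-defined question, every asked question is checked before the result is reported, and repeated failures lock the user out of self-service. The question texts, thresholds, iteration count and the sample enrolment are constructed.

```python
"""Challenge/response authentication for self-service and help desk password
reset: normalized, salted-hashed answers, a threshold of correct answers,
lockout after repeated failures and an audit trail. Added example code, not
Hitachi ID's implementation; question text, thresholds and the sample
profile are constructed."""
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000          # assumption; tune to the server hardware
QUESTIONS_PER_CHALLENGE = 3      # asked per attempt (assumption)
REQUIRED_CORRECT = 3             # assumption: every asked question must be right
MAX_FAILED_ATTEMPTS = 5          # lockout threshold (assumption)


def normalize(answer: str) -> str:
    """Make answers tolerant of case, spacing and punctuation, so "St. John's"
    and "st johns" compare equal, without weakening the stored hash."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class EnrolledAnswer:
    question: str
    salt: bytes
    digest: bytes
    standard: bool   # True for the corporate question set, False for user-defined


@dataclass
class QAProfile:
    user: str
    answers: list = field(default_factory=list)
    failed_attempts: int = 0
    audit: list = field(default_factory=list)   # (channel, outcome, correct count)


def enroll(profile: QAProfile, question: str, answer: str, standard: bool = True) -> None:
    """Store only salt + hash; the plaintext answer is never retained."""
    salt = os.urandom(16)
    profile.answers.append(EnrolledAnswer(question, salt, hash_answer(answer, salt), standard))


def choose_challenge(profile: QAProfile, rng=secrets.SystemRandom()) -> list:
    """Pick a random mix that always includes one user-defined question (assumed
    policy), so a caller cannot prepare for a fixed, predictable set."""
    if profile.failed_attempts >= MAX_FAILED_ATTEMPTS:
        raise PermissionError(f"{profile.user}: locked out of self-service reset")
    user_defined = [a for a in profile.answers if not a.standard]
    pool = [a for a in profile.answers if a.standard]
    picked = [rng.choice(user_defined)] if user_defined else []
    picked += rng.sample(pool, min(len(pool), QUESTIONS_PER_CHALLENGE - len(picked)))
    return picked


def verify(profile: QAProfile, challenge: list, responses: dict, channel: str) -> bool:
    """responses maps question text -> typed answer. Every asked question is
    checked with a constant-time compare and no early exit, so the response
    does not reveal which answer was wrong."""
    if profile.failed_attempts >= MAX_FAILED_ATTEMPTS:
        profile.audit.append((channel, "locked", 0))
        return False
    correct = 0
    for item in challenge:
        candidate = hash_answer(responses.get(item.question, ""), item.salt)
        if hmac.compare_digest(candidate, item.digest):
            correct += 1
    ok = len(challenge) >= REQUIRED_CORRECT and correct >= REQUIRED_CORRECT
    profile.failed_attempts = 0 if ok else profile.failed_attempts + 1
    profile.audit.append((channel, "success" if ok else "failure", correct))
    return ok


def sample_profile() -> QAProfile:
    """Constructed enrolment for a demo user (not real data)."""
    p = QAProfile("jsmith")
    enroll(p, "City of birth?", "St. John's")
    enroll(p, "First employer?", "Acme Widgets Ltd.")
    enroll(p, "Mother's maiden name?", "O'Brien")
    enroll(p, "My own question: favourite hike?", "Lake Louise", standard=False)
    return p
```

The same verify() serves the web, IVR and assisted-reset channels; the channel name lands in the audit entry so the "detailed audit trail of authentication attempts" can distinguish a help desk analyst typing a caller's answers from the user answering directly.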
Slide 32: Benefits of Self-Service Password Reset
Savings: 40% to 70% of users resolve their own problem, and do not call the help desk.
Security:
• Stronger authentication prior to password resets.
• Reset passwords meet quality controls.
• Detailed audit trail of authentication attempts and resets.

Slide 33: Help Desk Password Reset
Problem:
• Even with synchronization and self-service password reset, some users continue to call the help desk.
• These calls can take 5-15 minutes to resolve and cost $25 to $35.
Solution:
• Assisted password reset shortens password-related support calls.
• One process and UI handles everything:
  – Authenticate the analyst.
  – Authenticate the caller.
  – Reset multiple passwords.
  – Clear lockouts.
  – Create/close a support incident (ticket).
• Reduce call duration to about 1 minute.
• Lower incident cost.

Slide 34: Assisted Password Reset Process
• Help desk analysts use a Hitachi ID Password Manager Web page to:
  – Log in (authenticate the analyst).
  – Look up the caller's record.
  – Authenticate the caller.
  – Reset one or more passwords.
  – Automatically create a ticket in the call tracking system.
• Call resolution time is reduced to 1 to 2 minutes.
• Help desk analysts do not require direct access to target systems.
Slide 35: Call Tracking, E-mail Integration
Hitachi ID Password Manager has an open architecture to notify other systems of over 116 types of events.
• Simple configuration specifies what events to capture and what actions to take.
• Binary integration programs are included for:
  – Altiris
  – Assyst
  – BMC Remedy
  – BMC Service Desk Express
  – CA Unicenter
  – Clarify
  – HEAT
  – InfraHD
  – HP Service Desk
  – Tivoli
  – Track-It!
• Open integrations via SMTP, HTTP, HTTPS, XML and ODBC interfaces.

Slide 36: HiPM Assisted Service Notes
Help desk analysts may:
• Either see, or be required to type, answers to caller-authenticating questions.
• Either reset passwords, or reset-and-expire passwords.
• Enable or disable caller access to Hitachi ID Password Manager self-service.
• Be granted the ability to:
  – See or edit answers to security questions.
  – See or edit login ID profile data.
  – Manage SecurID tokens.
Slide 37: Benefits of Assisted Password Reset
Savings: remaining password reset calls are reduced to approximately 1 minute.
Security:
• Ensure that callers are always authenticated prior to password resets.
• Reduce the number of people with administrative rights.
• Improve accountability for help desk password resets.
• Enforce password policy over reset passwords.
Slide 38: Impact of Synchronization and SSPR
(chart of help desk calls versus password problems; no further text content)
Slide 39: RSA SecurID Token Management
Problem: users with RSA SecurID tokens forget their PINs, lose their tokens, require clock synchronization, etc. These issues generate help desk calls.
Solution: users can clear, synchronize or reset their token PINs; synchronize their token clocks; enable/disable their tokens; or get emergency access passcodes using the Hitachi ID Password Manager self-service token management feature. In addition, HiPM can authenticate users by validating a current RSA SecurID token passcode against the RSA server.

Slide 40: Token Management Process
• Users authenticate with a password.
• Once authenticated, users can:
  – Enable / disable tokens.
  – Request emergency access codes.
  – Clear / set their PIN.
  – Re-synchronize tokens.

Slide 41: Benefits of Token Management
Savings: fewer, shorter help desk calls for token problems.
Security:
• Fewer people with ACE administration privileges.
• Stronger authentication prior to token support.
Slide 42: Managed User Enrollment
Problem: deployment may require new user profile data:
• Question/answer pairs for authentication.
• Login ID reconciliation between systems.
• Biometric samples (e.g., voice prints).
Solution: Hitachi ID Password Manager includes a managed enrollment system, which identifies users that need to enroll and invites them to do so.

Slide 43: Reconcile Login IDs Between Systems
Where login IDs are different on some systems, and there is no existing directory, meta-directory, matching attribute or map file to connect them, users can be prompted to "claim" their own IDs:
• Users sign into a secure Hitachi ID Password Manager registration Web page.
• Users enter a login ID and password.
• HiPM finds unallocated instances of the login ID in the identity cache and tries to sign into those target systems with the password the user provided.
• The login ID / target system pair is added to the user's profile if the password worked.

Slide 44: Benefits of Managed Enrollment
Savings: rapid deployment, low-cost data gathering.
Security:
• Secure authentication prior to registration.
• Collect answers to security questions.
• Correlate login IDs across all systems.
• Identify orphan accounts.
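The claim procedure on slide 43 is worth seeing as code because its safety depends on two details the bullets only imply. The added example below (not Hitachi ID's code) tries the supplied password only against identity-cache entries that are unallocated and carry exactly the login ID the user typed, attaches each account that accepts the password, reports a per-system outcome, and caps how many claim attempts one registration session may make, since every try is a real logon against the target and a failed one counts toward that system's lockout. The identity cache, the simulated targets and the attempt limit are constructed assumptions.

```python
"""Self-service login ID reconciliation ("claiming" accounts). Example code,
not Hitachi ID's; the identity cache, target systems and throttling limit
are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

MAX_CLAIM_ATTEMPTS = 3   # assumption: bound the online guessing this feature implies


@dataclass
class CachedAccount:
    system: str
    login_id: str
    owner: Optional[str] = None     # None == unallocated (in nobody's profile yet)


class SimulatedTarget:
    """Stand-in for a connector's 'try to sign in' call. Real targets count the
    attempt and may lock the account, which is why attempts are throttled."""
    def __init__(self, credentials: dict):
        self.credentials = credentials   # login_id -> password (demo data only)
        self.attempts = 0

    def try_login(self, login_id: str, password: str) -> bool:
        self.attempts += 1
        return self.credentials.get(login_id) == password


@dataclass
class RegistrationSession:
    user: str                                     # already authenticated to the registration page
    claim_attempts: int = 0
    claimed: dict = field(default_factory=dict)   # system -> login_id
    log: list = field(default_factory=list)       # audit: (user, system, login_id, outcome)


def claim_login_id(session: RegistrationSession, login_id: str, password: str,
                   cache: list, targets: dict) -> dict:
    """Try the ID/password only against unallocated cache entries with exactly that
    login ID. Accounts that accept the password are attached to the user's profile;
    every candidate gets an outcome, but nothing is said about IDs that are not
    candidates, so the feature does not enumerate other people's accounts."""
    if session.claim_attempts >= MAX_CLAIM_ATTEMPTS:
        raise PermissionError(f"{session.user}: claim attempt limit reached")
    session.claim_attempts += 1
    candidates = [a for a in cache if a.login_id == login_id and a.owner is None]
    outcome = {}
    for acct in candidates:
        target = targets.get(acct.system)
        if target is None:
            outcome[acct.system] = "no connector"
        elif target.try_login(acct.login_id, password):
            acct.owner = session.user            # allocate the entry in the cache
            session.claimed[acct.system] = acct.login_id
            outcome[acct.system] = "claimed"
        else:
            outcome[acct.system] = "password rejected"
        session.log.append((session.user, acct.system, acct.login_id, outcome[acct.system]))
    return outcome


def build_sample():
    """Constructed data: jsmith already owns 'jsmith' on AD, has unclaimed 'jsmith'
    accounts on Unix and Notes and 'JSMIT01' on RACF, while another employee owns
    'jsmith' on SAP (so that entry is never tried)."""
    cache = [CachedAccount("AD", "jsmith", owner="jsmith"),
             CachedAccount("Unix", "jsmith"),
             CachedAccount("RACF", "JSMIT01"),
             CachedAccount("SAP", "jsmith", owner="other.user"),
             CachedAccount("Notes", "jsmith")]
    targets = {"Unix": SimulatedTarget({"jsmith": "Unix-Pass-1!"}),
               "RACF": SimulatedTarget({"JSMIT01": "MF-PASS-7"}),
               "Notes": SimulatedTarget({"jsmith": "Notes-Pass-2!"})}
    return cache, targets


if __name__ == "__main__":
    cache, targets = build_sample()
    session = RegistrationSession("jsmith")
    print(claim_login_id(session, "jsmith", "Unix-Pass-1!", cache, targets))
    print(claim_login_id(session, "JSMIT01", "MF-PASS-7", cache, targets))
    print(session.claimed)
```

Note that a single claim with the Unix password also sends that password to the Notes connector, because both hold an unclaimed "jsmith"; that is inherent to the slide's design, and the attempt cap plus the audit log are what keep it from becoming a password-spraying tool against unallocated accounts.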
Slide 45: Rapid Deployment and Low TCO
Optimized to minimize effort. Password management with HiPM:
• Initial deployment: 4 to 8 weeks of effort.
• Ongoing maintenance: 0.25 to 0.5 FTE.
Using Hitachi ID Password Manager technology:
• Built-in nightly auto-discovery of IDs and entitlements.
• Both attribute-based and self-service ID mapping.
• Automatically managed user enrollment.
• No requirement for client software.
• 110 connectors out of the box.
• Rapid integration with custom and vertical apps.
• Easy customization of GUI and business logic.

Slide 46: Competitive Advantages
Unique features:
• Self-service password/PIN reset from anywhere.
• Workflow to refresh OrgChart data.
• Request for resources mapped to AD groups.
• Detect/block effective SoD violations.
• Self-service ID mapping.
• Unique approach to workflow.
Rapid deployment: key features built-in, not custom:
• Change request forms.
• Authorization process.
• Access certification UI.
• Auto-discovery.
Scalable platform:
• Real-time data replication.
• Multi-master architecture.
• Proxy server to cross firewalls.
• Stored procedures and native code for speed.
Integrations:
• 110+ included connectors.
• Flexible connectors.
• Built-in implementers workflow.
• Integrated with incident management, SIEM, etc.
Slide 47: HiPM Animated Demonstration
The following animations illustrate core Hitachi ID Password Manager user interfaces and processes:
• Security question enrollment: a user authenticates and completes his personal profile of questions and answers.
• Alias enrollment: a user attaches non-standard login IDs to his profile.
• Password expiration: a user is invited, via e-mail, to change soon-to-expire passwords.
• Self-service password reset (SSPR) using Secure Kiosk Account: a locked-out user resolves his own problem, from the login prompt, without client software deployment.
• SSPR with GINA Extension: a locked-out user resolves his own problem, from the login prompt, using a GINA extension.
• SSPR with Vista credential provider: a locked-out user resolves his own problem, from the login prompt, using a Windows Vista credential provider.
• Assisted password reset: a help desk analyst signs in with an RSA SecurID token and resets a caller's password.
• PIN reset for an RSA SecurID token: a user resets his RSA SecurID token PIN with HiPM.

Slide 48: Locked out Windows 7 user resets own password
Animation: ../pics/camtasia/psynch-2/win7-credential-provider.cam

Slide 49: Locked out Windows XP user resets own password
Animation: ../pics/camtasia/psynch-2/
Slide 50: Locked out Windows user resets own password (no software footprint)
Animation: ../pics/camtasia/psynch-2/4-password-reset-ska.cam4

Slide 51: Enrollment of security questions
Animation: ../pics/camtasia/psynch-2/1-qa-enrollment.cam

Slide 52: Enrollment of non-standard login IDs
Animation: ../pics/camtasia/psynch-2/2-alias-enrollment.cam

Slide 53: RSA SecurID Self Service Token Support
Animation: ../pics/camtasia/psynch-2/8-rsa-token-reset.cam

Slide 54: Reminder to change passwords
Animation: ../pics/camtasia/psynch-2/
Slide 55: Assisted Password Reset
Animation: ../pics/camtasia/psynch-2/7-password-reset.cam

Slide 56: Hitachi ID Professional Services
• Hitachi ID offers a variety of services relating to Hitachi ID Password Manager, including:
  – Needs analysis and solution design.
  – Fixed-price system deployment.
  – Project planning.
  – Roll-out management, including maximizing user adoption.
  – Ongoing system monitoring.
  – Training.
• Services are based on extensive experience with the Hitachi ID solution delivery process.
• The Hitachi ID professional services team is highly technical and has years of experience deploying IAM solutions.
• Hitachi ID partners with integrators that also offer business process and system design services to mutual customers.

Slide 57: Hitachi ID Solution Delivery Approach
Fixed-price: all work is delivered on a fixed-price, fixed-deliverables basis. The "meter" is never running.
Phases, milestones: Hitachi ID recommends breaking up long projects into phases of 1 to 3 months. Work is reviewed and payment is due when milestones are met.
Open assignment: each phase may be undertaken by Hitachi ID, the customer, a systems integrator or a combination of the participants.
Templates: template documents and sample business logic are used to expedite work.
Customer portal: a self-service portal supports discovery, client/partner/vendor interaction, document distribution and more.
Slide 58: AdMax: Maximizing User Adoption
• Successful implementation of an identity and access management system must be supported by an effective user adoption program.
• AdMax is a Hitachi ID professional services program, used to plan for and execute effective user enrollment projects.
• AdMax is designed to maximize adoption of, and ROI from, Hitachi ID identity management solutions, using:
  – Best practices, case studies and industry norms.
  – Enrollment, user adoption and ROI measurement.
  – Incentive and disincentive programs.
  – Presentations and training materials for users and help desk staff.
  – Project roles and responsibilities.
  – Sample project plans, promotional materials, e-mails, graphics and other user communications.
  – Workbooks for project implementation.

Slide 59: Summary
An integrated solution for managing credentials:
• Immediate security benefit: password policy, help desk caller authentication.
• Low deployment cost, minimal ongoing investment, significant IT support savings.
• Always accessible:
  – Web browser on PC, phone or tablet.
  – Windows login prompt.
  – Pre-boot encryption password prompt.
  – Phone call / IVR.
  – Available at work and while off-site.
• 110+ connectors included.

Hitachi ID Systems, Inc., 1401 - 1 Street SE, Calgary AB Canada T2G 2J3. Tel: 1.403.233.0740. Fax: 1.403.233.0725.
Date: March 1, 2012