Idan Shoham, CTO & Co-Founder
By definition, identity and access management (IAM) picks up where the programmer left off: it is the discipline that enables “the right individuals to access the right resources at the right time and for the right reasons.” Assigning appropriate access rights to business users, and revoking them when no longer needed, puts tremendous pressure on IT as the interface between business users and technical infrastructure. IT is burdened with cost (workers tasked with granting and revoking access), governance (audit and regulatory requirements for appropriate internal controls), and service (users wanting access immediately, via a friendly request process). The function of an IAM system is to balance these obligations: to provide a user-friendly, responsive process for assigning and revoking users’ access rights while meeting security obligations, and to do so cost-effectively.
There are multiple disciplines within IAM, such as automated provisioning and de-provisioning, access certification/governance, password management and management of other types of credentials, strong authentication, federated or web single sign-on, legacy single sign-on, privileged access management, and more. Organizations need all of these and more.
Hitachi ID Systems, the IAM subsidiary of Hitachi, Ltd., understands the needs of enterprises today and is, uniquely, able to deliver many of the aforementioned IAM capabilities in a single product. “We offer multiple IAM capabilities, all in one installation, behind a single ‘pane of glass,’ running on a shared platform,” states Idan Shoham, CTO and co-founder of Hitachi ID Systems.
The Voice of the User—Real IAM Pain Points
With shrinking budgets, the move to a more mobile workforce, and the scarcity of IAM professionals available for hire, it is important to deliver IAM systems with a low total cost of ownership (TCO), either on-premises or in the cloud.
Today, enterprises reach for one tool for access governance, another to automate onboarding and deactivation based on a system of record, and possibly another to present users with an access request portal, password resets, or more general self-service credential management. Organizations deploy additional tools for privileged access management (i.e., to secure embedded passwords, to broker human administrator login sessions, to record administrative login sessions), for multi-factor authentication (MFA) and for federated access or single sign-on. Each of these complementary tools is built on a different platform, has its own UI, runs on its own operating system instance, requires its own backend database, gets updated on a unique schedule, and requires staff to manage. With such a diversity of tools, the cost of both procuring and operating the aggregate solution is substantial.
Lower Cost and Risk through an Integrated IAM Platform
Hitachi ID Systems’ solution offers a single, integrated platform with multiple capabilities that add up to a comprehensive IAM feature set. This includes:
• Automated identity and access administration based on authoritative data feeds
• A request portal and approval workflow
• Access governance (reviews followed by certification or revocation)
• Control policies for segregation of duties (SoD), risk assessment, authorization, role-based access control (RBAC), etc.
• Group lifecycle management (to create, modify, and populate group objects on AD, LDAP, etc.)
• Self-service credential management for passwords, drive encryption, RSA and similar OTP tokens, smart cards, biometrics, KBA, and more
• Privileged access management for both human-used administrative accounts and non-human embedded and service accounts—including password randomization, vaulting, single sign-on, and session monitoring
• Both the ability to use existing MFA and a built-in MFA solution, based on an included mobile phone app, that combines with KBA or existing passwords
• Federated access to SaaS and other web apps.
These capabilities can be deployed on-premises or accessed as a cloud-hosted service (SaaS), and businesses can choose some or all of these features and combine them with existing security infrastructure, either through direct integration or simple coexistence. This gives organizations a lot of choices and creates an opportunity to consolidate elements of their IAM infrastructure into a single application.
These capabilities are licensed via just three products, which in reality can be co-installed in a single instance. This compares favorably with competitors. For example, most PAM vendors offer “suites” with distinct products to vault and randomize passwords, to integrate with various kinds of systems, to record user activity or to replace embedded passwords. Few if any of Hitachi’s competitors bundle MFA or federated SSO as base features, rather than separate (costly) products.
Hitachi ID also recognizes that the largest contributor to the cost of an IAM system is the consulting services required to deploy it initially and expand it over time. To address this, several editions of “Hitachi ID Identity Express” are offered, each of which encapsulates best-practice business processes for a given user pattern, such as managing the identity and access lifecycles of employees and contractors, or of the staff of business partners. Organizations adopt these to gain rich process automation while minimizing cost, risk, and delay.
Integration helps with Security
Bundling a diverse feature set in each product is helpful for security too. For example, Hitachi ID includes MFA with every product, so when Hitachi customers say “we don’t have the budget to deploy MFA” the answer is “sure you do—it’s included!” Likewise, access certification, SoD policy, and detection of out-of-band changes to group memberships are included in Hitachi’s Privileged Access Manager, which means that organizations that use AD or LDAP groups to inform access decisions in PAM can rely on these groups being well managed, even if they did not already have a robust IAM system in place.
Scalability, Flexibility, and Resiliency
The Hitachi ID Systems solution set offers an open and flexible architecture and is relatively easy to deploy. Shoham adds, “No other IAM suite includes identity management, access governance, group lifecycle management, credential management, privileged access management, strong authentication, and federated access. The Hitachi ID Suite comprises all these, behind a single user interface, running as a single instance, with a single backend database and using shared connectors and reports.”
Flexible, Robust Architecture
The Hitachi ID Suite incorporates peer-to-peer data replication for active-active, load balanced deployment. Organizations deploy at least two application servers in at least two data centers to create service resiliency. Smartphone access is included and does not require a public URL—an important capability for security-sensitive organizations. The Hitachi ID Suite includes many connectors that support integration with a variety of systems and applications where identities, entitlements, and credentials must be managed.
While all Hitachi ID connectors will write updates to target systems in real time, some connectors (notably AD and AD-LDS) also detect changes in real time. This means, for example, that unauthorized changes to security groups such as “Domain Administrators” can be detected and reversed immediately, rather than waiting for a once-a-day discovery process.
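The reconciliation described above, as an added illustration that is not Hitachi ID's connector code: the IAM system's approved membership is the authority, changes the IAM system made itself are not flagged, and anything else observed on the directory is reverted. The group name, accounts and change events are constructed sample data.

```python
"""Detect out-of-band changes to a sensitive directory group and compute the
revert (added example, not vendor code; all names below are constructed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    group: str
    op: str        # "add" or "remove"
    member: str
    source: str    # "iam" when the IAM connector made the change, else the actor

# Authoritative membership according to the IAM system (constructed).
APPROVED = {"Domain Admins": {"adm-alice", "adm-bob"}}

# Constructed real-time change notifications delivered by the AD connector.
EVENTS = [
    Change("Domain Admins", "add", "adm-carol", "iam"),          # approved via workflow
    Change("Domain Admins", "add", "svc-backup", "DC01\\jdoe"),  # out of band
    Change("Domain Admins", "remove", "adm-bob", "DC01\\jdoe"),  # out of band
    Change("Helpdesk", "add", "jdoe", "DC01\\jdoe"),             # group not monitored
]

def replay(start, events, only_iam=False):
    """Apply membership events to a copy of `start`; unmonitored groups are skipped."""
    state = {g: set(m) for g, m in start.items()}
    for ev in events:
        if ev.group not in state or (only_iam and ev.source != "iam"):
            continue
        if ev.op == "add":
            state[ev.group].add(ev.member)
        else:
            state[ev.group].discard(ev.member)
    return state

def reconcile(approved, events):
    """Return (out_of_band_events, revert_ops).

    Authoritative = approved plus the IAM system's own changes; observed =
    approved plus every change. Differences are reverted right away rather
    than after a once-a-day discovery run. An out-of-band event that leaves
    membership as the IAM system wants it is still reported, just not reverted.
    """
    authoritative = replay(approved, events, only_iam=True)
    observed = replay(approved, events)
    oob = [ev for ev in events if ev.group in approved and ev.source != "iam"]
    reverts = []
    for group in approved:
        for m in sorted(observed[group] - authoritative[group]):
            reverts.append(Change(group, "remove", m, "iam"))
        for m in sorted(authoritative[group] - observed[group]):
            reverts.append(Change(group, "add", m, "iam"))
    return oob, reverts
```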
Usability is Key
Hitachi ID has incorporated a wide variety of usability aids in its suite. In the context of Identity Manager, this means mechanisms to help users select entitlements to request. In Privileged Access Manager, this means options for connecting users to privileged login sessions.
In Password Manager, this means offering a self-service resolution to login problems in difficult contexts such as pre-boot (encrypted drive/forgotten password) or off-site (forgotten, locally cached password).
A key challenge in most IAM systems is requester usability. Users must request access rights that are not (easily) predictable and may be confronted with a “menu” of millions of groups or roles that the system can assign. Which one do they choose? The naive, popular, and insecure approach is to ask IT to copy all entitlements from one user to another. Hitachi ID addresses this challenge head-on with a rich set of tools:
• One strategy is to write a policy to assign access rights automatically. This is ideal when entitlements are predictable, but has limits.
• Another is to let the user try to access a file, share, folder or SharePoint site. The attempt fails, since the user lacks the entitlement, but the error dialog can be instrumented with navigation to an appropriate request page.
• One more approach is to compare the entitlements of two users: what does user A have and user B need? The differences between the two users are few and easy to navigate.
• A final approach is for the IAM system to make recommendations. Here, the system collects users into groups of peers that have the same values for key attributes (e.g., location, department, manager, etc.). Requestable entitlements are ranked based on popularity amongst peers, such that the requester will likely select an item from the top of the search results—similar to Google’s page ranking.
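The peer-based recommendation strategy, as an added example that is not Hitachi ID's code: users sharing the same values for a set of key attributes are treated as peers, entitlements the requester lacks are ranked by how many peers hold them, and the same statistics flag rare entitlements for certification review. The attribute names, users and entitlements are constructed sample data.

```python
"""Peer-group entitlement ranking and outlier detection (added example, not
vendor code; directory data below is constructed)."""
from collections import Counter

PEER_KEYS = ("location", "department", "manager")  # assumed key attributes

# Constructed sample directory: key attributes plus currently held entitlements.
USERS = {
    "alice": {"location": "Calgary", "department": "Finance", "manager": "mia",
              "entitlements": {"SAP_FI_VIEW", "SHARE_FIN_Q", "VPN"}},
    "bob":   {"location": "Calgary", "department": "Finance", "manager": "mia",
              "entitlements": {"SAP_FI_VIEW", "SHARE_FIN_Q", "VPN", "SAP_FI_POST"}},
    "carol": {"location": "Calgary", "department": "Finance", "manager": "mia",
              "entitlements": {"SAP_FI_VIEW", "VPN"}},
    "dave":  {"location": "Calgary", "department": "Finance", "manager": "mia",
              "entitlements": {"SAP_FI_VIEW", "SHARE_FIN_Q", "VPN", "DOMAIN_ADMINS"}},
    "erin":  {"location": "Toronto", "department": "Sales", "manager": "raj",
              "entitlements": {"CRM_EDIT", "VPN"}},
    "frank": {"location": "Calgary", "department": "Finance", "manager": "mia",
              "entitlements": {"VPN"}},
}

def peers_of(user, users=USERS, keys=PEER_KEYS):
    """Other users whose key attributes all match `user`'s."""
    me = users[user]
    return [u for u, rec in users.items()
            if u != user and all(rec[k] == me[k] for k in keys)]

def recommend(user, users=USERS, keys=PEER_KEYS):
    """Rank entitlements the user lacks by the share of peers holding them.

    Returns (entitlement, share) pairs, most popular first, so the request
    portal can show these before the full menu of every group in the directory.
    A user with no peers gets an empty list rather than a misleading ranking.
    """
    peers = peers_of(user, users, keys)
    if not peers:
        return []
    counts = Counter(e for p in peers for e in users[p]["entitlements"])
    held = users[user]["entitlements"]
    ranked = [(e, n / len(peers)) for e, n in counts.items() if e not in held]
    return sorted(ranked, key=lambda x: (-x[1], x[0]))

def outliers(user, users=USERS, keys=PEER_KEYS, min_share=0.25):
    """Entitlements the user holds that fewer than `min_share` of peers hold;
    candidates for reviewer attention during access certification."""
    peers = peers_of(user, users, keys)
    counts = Counter(e for p in peers for e in users[p]["entitlements"])
    return sorted(e for e in users[user]["entitlements"]
                  if peers and counts[e] / len(peers) < min_share)
```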
With Hitachi ID Password Manager, usability means enabling users to resolve login problems in whatever context they find themselves. It allows off-site users who forgot their locally cached password to access self-service via a login screen tile that integrates with Wi-Fi, with the corporate VPN and with Active Directory (AD). It also empowers users whose laptop is protected by drive encryption and who forgot their pre-boot password to unlock it using a smartphone app or voice call to an IVR system.
For privileged access, users interact with the PAM system frequently. System administrators, database administrators, network administrators, and many others may sign into the PAM system when they start their day and launch logins to various systems all day. For these users, usability means minimizing clicks and navigational complexity to select the endpoints and accounts they wish to connect to, allowing them to use their tools of choice and ensuring that connections are fast. The Hitachi ID Privileged Access Manager accommodates these requirements by supporting direct connections, not only connections routed through “jump servers.” It allows users to identify “favorite” accounts and account sets which they request access to in a single click. Off-site users—such as vendors—can launch sessions inside their web browser (displayed on an HTML5 canvas) and users may request temporary privilege elevation for their own, existing account instead of access to vaulted passwords.
When one of Hitachi ID’s customers, a financial sector firm, was experiencing huge helpdesk call volumes due to the retail staff frequently forgetting their passwords, they projected a need to hire 100 additional helpdesk staff and acquire a facility to house them. With self-service password resets for AD, mainframe, databases, pre-boot passwords, and more, Hitachi ID was able to push the call volume down and save the customer about $4 million a year.
Innovation and Roadmap
Hitachi ID Systems is always looking for opportunities to solve new problems for customers. The objective is to identify and address material business challenges rather than add “me too” functionality, and this sometimes requires innovative technology. For example, Hitachi ID has developed a mechanism that allows users who forgot their locally cached password to access self-service password reset and resolve their problem without having to bring their PC back to the office. Another example is incorporating an accurate model of nested groups and roles in Identity Manager and using it in policy decisions such as SoD rule evaluation or workflow requests such as “create group.” Hitachi ID Systems continues to innovate and expand the capabilities of its products. It is starting to use access governance features to manage the lifecycles of things that are not people, to answer questions such as “who owns that VM and can we shut it off?” Shoham signs off with a nod to that by stating, “Some of our competitors don’t think that managing VMs or CRM contacts is an IDM problem. We think it is!”