Hitachi ID Management Suite Release 6.0 Frequently Asked Questions

  1. What is Version 6.0 of the Hitachi ID Management Suite?
  2. Version 6.0 is the latest release of the Hitachi ID Management Suite, available to Hitachi ID Systems customers starting February 1, 2009. It is a comprehensive solution for onboarding new users, deactivating access for departing users and managing identity and privilege data throughout each user's life cycle in an organization.


  3. What are the major features of the Hitachi ID Management Suite?
  4. The Hitachi ID Management Suite is a complete identity and access management solution that enables organizations to more securely and efficiently manage the user lifecycle across enterprise applications and systems.

    The Hitachi ID Management Suite is designed to efficiently create, manage and deactivate user objects, identity attributes and security privileges across multiple applications in medium to large organizations. This is done using a combination of automation and self-service:

    • Automation propagates changes from one system to another.
    • Workflow invites business users to participate by completing their own profiles, authorizing changes and reviewing the current state of users and privileges.
    • Consolidated management enables security staff to manage access with a user-centric, rather than application-centric view.
    • Password synchronization and enterprise single sign-on reduce the number of passwords that users must remember and type.
    • Reports enable auditors, security officers and system administrators to analyze current state and review historical changes.

    A rich set of connectors is included, to integrate easily with most common systems and applications and to manage credentials including passwords, challenge/response profiles, biometric samples, OTP devices, PKI certificates and smart cards.

  5. Which components of Hitachi ID Management Suite are refreshed with Version 6.0?
  6. Version 6.0 includes the following components:

    1. Hitachi ID Identity Manager -- User provisioning, RBAC, SoD and access certification
    2. Hitachi ID Access Certifier -- Periodic review and cleanup of security entitlements
    3. Hitachi ID Group Manager -- Self-service management of security group membership
    4. Hitachi ID Org Manager -- Delegated construction and maintenance of Orgchart data

  7. Do the components of Hitachi ID Management Suite 6.0 integrate with Hitachi ID Password Manager (formerly P-Synch)?
  8. As pointed out in the previous question, Hitachi ID Management Suite 6.0 includes all of the identity and access management components of Hitachi ID Management Suite, but does not refresh the password management products, including Password Manager.

    An integration with Password Manager is included in Hitachi ID Management Suite 6.0, however. This integration notifies Password Manager of new and deleted users and login IDs in real time. This enables Password Manager to manage passwords on new login IDs immediately after they are created.

    Hitachi ID Systems plans to release new versions of the password management products in Hitachi ID Management Suite later in 2009, using the new platform in Hitachi ID Management Suite 6.0.

  9. How does Version 6.0 differ from previous releases?
  10. New or Improved Features

    The Hitachi ID Management Suite 6.0 is a major release, with changes to almost every component of the product. Notable changes include:

    1. Infrastructure changes:
      1. The internal data store moves from DBF files to the customer's choice of an Oracle or Microsoft SQL Server.
      2. Support for Unicode in user identifiers and attributes.
      3. A new workflow API, allowing organizations to write custom onboarding applications, where the Hitachi ID Management Suite tracks requests through approval and execution.

    2. Automated provisioning, identity synchronization and deprovisioning:
      1. A code-less identity synchronization engine, that organizations can quickly configure to keep personal data in sync between multiple systems and applications.
      2. A new attribute priority mechanism, allowing each integrated system to be authoritative for just a subset of user profiles.
      3. A completely new auto-provisioning / auto-deprovisioning system, which aggregates detected changes on a per-user basis and executes business logic in response to those change events. The new system (ID-Track) is much easier to configure than previous approaches.

    3. Enhanced support for role-based access control (RBAC) and policy enforcement:
      1. Persistent role assignments to users.
      2. Support for calculated role changes.
      3. Segregation of duties policies are now built-in and enforced for all change requests.
      4. An exception management system tracks approved policy violations.

    4. Access certification has been redesigned:
      1. Certification of users with role assignments is simplified, replacing multiple fine-grained privileges with single role checkboxes.
      2. Certification highlights new and previously approved violations to segregation of duties policies.
      3. The certification process is more flexible and user friendly.

    5. Licensing / feature inclusion:
      1. Org Manager and Group Manager are built into the base Identity Manager license.

    Updated Product Architecture

    The internal architecture of Hitachi ID Management Suite Version 6.0 is completely revised from previous releases. All Hitachi ID Management Suite components, including user interface screens, reports, service programs and command-line / batch processes access the database using the same architecture:

    1. A client component calls a client wrapper library.
    2. The client wrapper library communicates with a Hitachi ID Management Suite database service using an IPC mechanism. This may be shared memory (same server, very fast) or a TCP/IP socket (remote server, communication encrypted using a shared key).
    3. The Hitachi ID Management Suite database service authenticates clients, checks what they are allowed to see/do and invokes stored procedures to read from and write to the database.
    4. Stored procedures, installed on the relational database back end (e.g., Microsoft SQL Server or Oracle Database Server), access data in the local schema and return results.
    5. Calls to stored procedures which insert, delete or update records are forwarded by the database service to its replicating peers, so that each database instance may be kept up to date.
    6. Data returned by stored procedures is passed back to the calling program.

    This architecture is advantageous for several reasons:

    1. Built-in data replication makes it easy to configure Hitachi ID Management Suite in a high-availability, fault-tolerant architecture.
    2. Using stored procedures rather than direct SQL calls significantly improves performance while leaving open the possibility of future schema changes.
    3. Using a Hitachi ID Management Suite database service to front-end the physical database enables robust access controls and easy-to-manage database replication.
    4. Wrapping data calls in an encrypted protocol enables secure configuration in a distributed environment, over untrusted network segments.

    In addition to the above data access architectural changes:

    1. The product source code has been entirely revised and is Unicode-ready.
    2. A new SOAP API is available, exposing the entire workflow system to external applications.
    3. A new infrastructure has been introduced for automated processes. Whereas the old system (ID-Compare) compared lists of users on exactly two systems, the new system (ID-Track) aggregates detected changes on a per-user basis, from all data sources, and executes business logic for each user with changes. Moreover, ID-Track uses the new workflow API to directly submit requests to the workflow service.
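The data access pattern just described (client wrapper, authenticated call to a database service, authorization check, stored-procedure dispatch, forwarding of writes to replicating peers) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Hitachi ID code: the service, procedure names, client identities and shared key are all invented. It authenticates each call with an HMAC over the serialized request under a shared key, which covers the integrity and origin of the call only; the page's encrypted socket transport, and any replay protection, would sit underneath this.

```python
import hashlib
import hmac
import json

# Constructed model (added illustration, not Hitachi ID code) of the pattern
# described above: clients call a database service, which authenticates the
# call with a shared key, checks what the client may do, runs a named stored
# procedure, and forwards writes to its replicating peers.

PROCEDURES = {}  # procedure name -> (is_write, function)


def stored_procedure(name, is_write):
    """Register a function under a procedure name; writes get replicated."""
    def register(fn):
        PROCEDURES[name] = (is_write, fn)
        return fn
    return register


@stored_procedure("get_attribute", is_write=False)
def get_attribute(db, user_id, attr):
    """Read one attribute of one user from the local schema (a dict here)."""
    return db.get(user_id, {}).get(attr)


@stored_procedure("set_attribute", is_write=True)
def set_attribute(db, user_id, attr, value):
    """Write one attribute; the service replicates this call to its peers."""
    db.setdefault(user_id, {})[attr] = value
    return True


class DatabaseService:
    """Front-ends one database instance; peers share the key and the policy."""

    def __init__(self, name, shared_key, permissions):
        self.name = name
        self.key = shared_key            # hypothetical deployment-wide secret
        self.permissions = permissions   # client id -> set of allowed procedures
        self.db = {}                     # stands in for the SQL schema
        self.peers = []

    def add_peer(self, peer):
        self.peers.append(peer)

    def _tag(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def make_call(self, client, proc, *args):
        """Client wrapper side: serialize the call and attach an HMAC tag."""
        msg = {"client": client, "proc": proc, "args": list(args)}
        payload = json.dumps(msg, sort_keys=True).encode()
        return payload, self._tag(payload)

    def handle(self, payload, tag, replicated=False):
        """Service side: authenticate, authorize, execute, then replicate."""
        if not hmac.compare_digest(self._tag(payload), tag):
            raise PermissionError("authentication tag does not match")
        msg = json.loads(payload)
        if msg["proc"] not in self.permissions.get(msg["client"], set()):
            raise PermissionError(f"{msg['client']} may not call {msg['proc']}")
        is_write, fn = PROCEDURES[msg["proc"]]
        result = fn(self.db, *msg["args"])
        if is_write and not replicated:   # peers apply but do not re-forward
            for peer in self.peers:
                peer.handle(payload, tag, replicated=True)
        return result


# Constructed sample deployment: two replicating nodes, two kinds of client.
KEY = b"constructed-shared-key"
PERMS = {"ui": {"get_attribute", "set_attribute"}, "report": {"get_attribute"}}


def demo():
    """Exercise replication, authorization and tamper detection."""
    node_a, node_b = DatabaseService("A", KEY, PERMS), DatabaseService("B", KEY, PERMS)
    node_a.add_peer(node_b)
    node_b.add_peer(node_a)
    payload, tag = node_a.make_call("ui", "set_attribute", "jdoe", "phone", "555-0100")
    node_a.handle(payload, tag)
    payload, tag = node_b.make_call("report", "get_attribute", "jdoe", "phone")
    replicated = node_b.handle(payload, tag)          # the write reached the peer
    try:                                              # report clients cannot write
        payload, tag = node_a.make_call("report", "set_attribute", "jdoe", "phone", "x")
        node_a.handle(payload, tag)
        write_denied = False
    except PermissionError:
        write_denied = True
    payload, tag = node_a.make_call("ui", "get_attribute", "jdoe", "phone")
    try:                                              # payload altered in transit
        node_a.handle(payload.replace(b"jdoe", b"root"), tag)
        tamper_rejected = False
    except PermissionError:
        tamper_rejected = True
    return {"replicated": replicated, "write_denied": write_denied,
            "tamper_rejected": tamper_rejected}
```

Because the only code that touches the schema is the registered procedures, adding a column or table later changes those functions and nothing on the client side, which is the "future schema changes" point made in the list above; the `replicated` flag is what stops a forwarded write from bouncing between peers.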

  11. On what kinds of systems can the Hitachi ID Management Suite connect to and manage users, identity data, privileges and passwords?
  12. The Hitachi ID Management Suite includes connectors to over 100 kinds of systems. A full list of supported target system types is available at:

    http://Hitachi-ID.com/identity-manager/technology/platform.html

  13. What kinds of back-end databases can Version 6.0 use?
  14. The Hitachi ID Management Suite replicating data service can be configured to use any of the following SQL database engines as its physical data store:

    • Oracle 10g, Enterprise Edition, R2.
    • Oracle 11gR1, Enterprise Edition, so long as the 10gR2 client is used.
    • Microsoft SQL Server 2005, Enterprise Edition.
    • Microsoft SQL Server 2008, Enterprise Edition.
    • Oracle 10g, Express Edition, R2 (free download from http://oracle.com/).
    • Microsoft SQL Server 2005, Express Edition, with Advanced Services (free download from http://microsoft.com/).


  15. How many users can Hitachi ID Management Suite scale to?
  16. Hitachi ID Management Suite is an appropriate solution for managing internal users in organizations with as few as about 1,000 and as many as about 500,000 users. It is assumed that in internal deployments, users have many identity attributes (40+) and a typical user has many login IDs (typically 2 to 20 each).

    In Extranet deployments, Hitachi ID Management Suite can be used to manage millions of users, since they often have much simpler user profiles. It is assumed that Extranet users have just one user object, typically in an LDAP directory, and fewer than 20 identity attributes.

  17. What is the cost of the Hitachi ID Management Suite?
  18. License Model

    Hitachi ID Management Suite pricing is based on the number of users (people, not login accounts). This includes all features, all connectors, all client software components and the right to run as many servers and CPUs as desired. A one-time purchase grants customers the perpetual right to use Hitachi ID Management Suite.

    Hitachi ID Management Suite pricing is calculated using a smooth curve -- as the number of users increases, the price per user steadily decreases. This means that customers do not have to base their purchase volumes on price bands or tiers. Instead, customers purchase for the number of users actually required, knowing they will get the best price for that volume.

    Customers are encouraged to, over time, extend their deployment of Hitachi ID Management Suite to manage new target systems and to activate new features, at no additional charge.

    Customers may run as many Hitachi ID Management Suite servers as required, to provide high availability, redundancy and a test/QA environment, at no additional charge.

    Please contact your Hitachi ID Systems sales representative or e-mail sales@Hitachi-ID.com for a price quote, as this will vary based on the number of licensed users.

    Total Project Cost

    To deploy Hitachi ID Management Suite, Hitachi ID Systems customers can expect the following project costs:

    1. Hitachi ID Systems Charges:

      1. Hitachi ID Management Suite Software License Fee, one-time perpetual right to use, based on the number of users, includes all features and all platforms. There are no additional charges for running multiple servers, or backup copies.

      2. Hitachi ID Management Suite Annual Support and Maintenance, required at time of license and renewed at the customer's option, annually thereafter.

      3. Optional fixed price professional services from Hitachi ID Systems to implement Hitachi ID Management Suite.

    2. Other Direct Hitachi ID Systems customer Expenses:

      1. Server hardware and operating systems for Hitachi ID Management Suite.

      2. Licenses for the back end database engine (Microsoft SQL Server or Oracle).

    3. Hitachi ID Systems customer Soft Costs:

      1. Internal resources to manage the project and to implement and roll out Hitachi ID Management Suite.

      2. Ongoing costs to manage Hitachi ID Management Suite, including maintaining steady state (minimal), as well as adding new features and platforms (typical).


  19. How can prospective partners and customers get an evaluation copy of Hitachi ID Management Suite 6.0?
  20. Please download, print, sign and fax back an evaluation agreement form from the following URL:

    http://Hitachi-ID.com/password-manager/cgi-bin/evaluate

    Once this is done, please fill in the evaluation request form at:

    http://Hitachi-ID.com/identity-manager/cgi-bin/evaluate

  21. Can customers deploy Hitachi ID Management Suite 6.0 themselves, or are services always required?
  22. While deployment without assistance is certainly possible, most of Hitachi ID Systems' enterprise customers purchase a fixed-price, defined-deliverables deployment service, which may include on-site or remote-control installation of all functionality and assistance with initial deployment.

    Hitachi ID Systems Services

    Identity and Access Management (IdM) products are installed across the enterprise infrastructure and have an impact on systems, directories, applications, user support, HR, corporate security and audit. To realize the benefits of an IdM solution, organizations must exercise care in selecting both technology products and integration services, to meet the needs of all these stake-holders.

    In addition to industry-leading products, Hitachi ID Systems offers design, implementation and training services to our customers. Hitachi ID Systems solution delivery services rely on a standard methodology, optimized over hundreds of enterprise-scale IdM deployments. Our methodology replaces expensive consulting with automation and self-service wherever possible, enabling Hitachi ID Systems to deliver the lowest-cost IdM deployments available.

    Hitachi ID Systems services are normally priced on a fixed-cost, fixed-deliverables basis, eliminating cost overruns and transferring risk from our customers to Hitachi ID Systems.

    Hitachi ID Systems takes pride in our track record with medium to large deployments, attested to by our many satisfied, referenceable customers. Our services staff bring significant technological expertise, product knowledge and implementation experience to each engagement.

    Utilizing the Hitachi ID Systems solution delivery methodology ensures rapid deployment and high user adoption. The Hitachi ID Systems professional services team works closely with customers from project inception to full production deployment, to ensure success. Once in production, the Hitachi ID Systems technical support team takes over, providing high quality, responsive assistance to all live installations.

  23. Where and when is training for architects, product installers and project managers offered?
  24. The following processes and tools are available to provide training and knowledge transfer to Hitachi ID Systems customer staff:

    • Formal training classes for administrators.
    • Informal knowledge transfer during product installation and configuration.
    • CBT, such as on-line help and animations, for users.

    Introductory and advanced Identity Manager administrator training is available.

    These 4-day courses are regularly scheduled via WebEx, to reduce customer travel time and expense. Training is also available in Hitachi ID Systems' Calgary or Montreal offices and on customer premises. These courses typically run for 5 days as the pace is slower and more time is spent on topics of interest.

    The price for regularly scheduled WebEx-based training classes is just $800 per person -- i.e., Hitachi ID Systems makes an effort to encourage customers to attend, by removing cost and travel barriers. Courses are scheduled four times annually.

    Topics in the introductory course include:

    Customers also receive a sample of training materials culled from prior deployments that can be modified for their own purposes. The intention with the Hitachi ID Management Suite is to provide an interface simple enough that no user training beyond introductory e-mails is needed.

  25. What kind of companies use Hitachi ID Systems software?
  26. Hitachi ID Systems solutions have been deployed by over 900 organizations world-wide, with a combined total of over 11.9 million end users. Hitachi ID Systems customers range from medium sized companies and organizations, with as few as about 1,000 employees, to very large deployments, impacting up to about 1 million users. Hitachi ID Systems has customers in many industries, located in many countries, as described here:

    http://Hitachi-ID.com/aboutus/customer/

  27. How does the Hitachi ID Management Suite benefit organizations that deploy it?
  28. The Hitachi ID Management Suite delivers several concrete business values:

    • Improved user productivity, due to reduced wait for new and updated systems access and fewer authentication problems.
    • Lower security administration cost, as the bulk of user management is automated or delegated to business users and password resets are either eliminated or resolved with self-service.
    • Enhanced security, as inappropriate access is terminated quickly and reliably.
    • Regulatory compliance, including the ability to audit access rights globally, to ensure that only appropriate users have access to sensitive systems and data.

    These benefits, combined with technology built for rapid deployment, yield ROI more quickly than any other identity and access management software on the market.

  29. Is there an API into the Hitachi ID Management Suite workflow engine?
  30. Yes, one of the key features of Version 6.0 is the introduction of an extensive Workflow API. The Hitachi ID Management Suite workflow API allows integrated programs to:

    • Submit new change requests, to create, modify, enable, disable or delete users on one or more systems.
    • Search for existing change requests.
    • Approve, reject or cancel open requests.
    • Add authorizers to and remove authorizers from requests.
    • Update request contents.
    • Search the identity cache for users matching defined criteria.

  31. Are there performance metrics for the Hitachi ID Management Suite?
  32. Hitachi ID Management Suite is extensively stress tested prior to each release. Following are some performance metrics that illustrate high throughput in the most computationally expensive process: periodic auto-discovery of users, groups and group memberships on target systems.

    The following tests were carried out on commodity Intel server hardware -- single CPU, dual core, 2 GB RAM, SATA disks. The target systems were Microsoft Active Directory and SunONE LDAP. The internal database was Oracle 10g, Enterprise Edition, on the same server as Hitachi ID Management Suite.

    Number of users                                       10,000       100,000
    Number of managed groups                              10,000       100,000
    Number of target systems                                   2             2
    Number of login IDs per user                               2             2
    Total number of login IDs                             20,000       200,000
    Number of identity attributes per login ID                40            20
    Total number of attributes loaded                    800,000     4,000,000
    Average number of group memberships per login ID          50            25
    Total number of group memberships loaded           1,000,000     5,000,000
    Time required to list the above data and load it
    into the Hitachi ID Management Suite internal
    database                                          20 minutes     4.5 hours

    These short run times mean that it is both practical and recommended for customers to perform auto-discovery nightly.

  33. How does Hitachi ID Management Suite differ from competing products?
  34. Unique Features

    A number of innovative features incorporated into the Hitachi ID Management Suite are not available with any other identity and access management product:

    • Self-service, anywhere™:

      Password Manager allows mobile users to both avoid and resolve login problems. This includes:

      • Password reset for cached domain credentials at the Windows login screen, including where the user is away from the office and only able to access the Internet via WiFi.
      • Self-service recovery of full disk encryption keys, for users who forgot the password they must type at their PC boot prompt.
      • Advance notification to traveling users that their domain password will expire, and a mechanism to change it both on Active Directory and on the cache on their laptop.

      No other identity or password management product can address these problems.

    • Integrated password synchronization and single sign-on:

      Password Manager includes Hitachi ID Login Manager, which automatically populates login prompts on applications that share an ID or password with the Windows login. This gives users the benefit of single sign-on without locking them out of the same application when they try to log in from devices that don't have the SSO client, such as their mobile phone, tablet or home PC.

      No other identity or password management product includes this seamless integration between identity management and single sign-on.

    • Shell extension to intercept "access denied" errors:

      Identity Manager includes the Group Manager module at no extra cost.

      When users try to access a share or folder to which they have not yet been assigned access rights, a Group Manager shell extension can intercept the Windows "access denied" error and direct the user to the appropriate web-based access request page. This process eliminates much of the cost and delay associated with ad-hoc requests for Active Directory security group membership.

      No other identity management product helps users to understand what AD groups they should request to gain the access they need.

    • Access certification integrated with user provisioning:

      Identity Manager includes the Access Certifier module at no extra cost. Access Certifier is used to periodically invite managers, data owners and application owners to review lists of users and entitlements and either certify that they remain appropriate or flag them for removal.

      No other user provisioning product includes access certification in the base product, at no extra charge.

    • Detecting effective violations to segregation of duties rules:

      Most IAM systems include an engine to detect and prevent violations to segregation of duties policies. What sets Identity Manager apart is that it can detect effective violations, where SoD rules are expressed in terms of roles but the violation happens when a user requests fine-grained entitlements, or vice-versa. Other products simply miss these violations, creating a false sense of security.

    • Concurrent invitations to authorizers to approve requests:

      Identity Manager is designed to invite multiple authorizers to review and either accept or reject change requests at the same time. By inviting authorizers concurrently, total response time is reduced and user service is significantly improved.

      Parallel workflows are difficult or impossible to implement with competing products, leading to significantly longer service delivery time.

    • Built-in processes to invite human system administrators:

      Identity Manager ships with extensive infrastructure to invite human system administrators to complete approved tasks, such as creating or deleting login IDs on individual applications. This includes sending reminders, tracking work completion, reports, etc. Using this infrastructure, organizations are able to quickly deploy a "one stop shopping" portal for identity-related requests.

      No competing product includes this capability out of the box, leading to either extensive custom development or two request processes depending on whether a connector has been deployed to the application being requested.

    • Group request and access certification included with privileged access management:

      In a typical privileged access management system deployment, security policies that control which users are allowed to sign into which privileged accounts are based on Active Directory group memberships. Hitachi ID Privileged Access Manager is unique in including technology, request forms, access certification and more to manage the membership of IT users in these security groups.

    • Session monitoring included with privileged access management:

      Many organizations that deploy a privileged access management system also wish to record and playback login sessions to administrator-level accounts. Privileged Access Manager is the only product in its category that includes this capability in the core product, at the base price.
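The "effective violation" point under segregation of duties above is worth seeing as code. The following is an added example written for this page, not Hitachi ID's engine: the roles, entitlements and rules are invented, and the choice that a role counts as effectively held only when all of its entitlements are present is a modelling decision for the example. It contrasts a check that looks only at assigned roles with one that expands roles to entitlements (and entitlements back to roles) before evaluating each rule.

```python
# Constructed example (added illustration, not Hitachi ID code) of checking
# segregation of duties rules against a user's effective access, so that a
# rule written in terms of roles still fires when the same access is held as
# fine-grained entitlements, and vice versa. Roles, entitlements and rules
# below are invented for the example.

# Role definitions: role -> the fine-grained entitlements it grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment", "erp:view_reports"},
}

# SoD rules: a user may not hold both sides. Each side may name either a
# role or an individual entitlement.
SOD_RULES = [
    ("ap_clerk", "ap_manager"),
    ("erp:create_vendor", "erp:approve_payment"),
]


def effective_entitlements(assigned_roles, direct_entitlements):
    """Everything the user can actually do: direct grants plus role contents."""
    ents = set(direct_entitlements)
    for role in assigned_roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def effective_roles(assigned_roles, ents):
    """Roles held explicitly, plus roles whose whole entitlement set the user
    holds anyway (modelling choice: a role is 'effectively held' only when
    every one of its entitlements is present)."""
    roles = set(assigned_roles)
    for role, needed in ROLE_ENTITLEMENTS.items():
        if needed and needed <= ents:
            roles.add(role)
    return roles


def sod_violations(assigned_roles, direct_entitlements):
    """Rules violated by the user's effective roles and entitlements."""
    ents = effective_entitlements(assigned_roles, direct_entitlements)
    held = effective_roles(assigned_roles, ents) | ents
    return sorted(rule for rule in SOD_RULES if rule[0] in held and rule[1] in held)


def role_only_violations(assigned_roles):
    """The weaker check that looks only at assigned roles."""
    return sorted(rule for rule in SOD_RULES
                  if rule[0] in assigned_roles and rule[1] in assigned_roles)


def demo():
    """A clerk by role who was granted the payment-approval entitlement directly."""
    roles, direct = {"ap_clerk"}, {"erp:approve_payment"}
    return {"role_only": role_only_violations(roles),
            "effective": sod_violations(roles, direct)}
```

The role-only check reports nothing for the user in `demo()`, while the effective check flags the entitlement-level rule because `erp:create_vendor` arrives via the clerk role; a user holding all four entitlements directly trips the role-level rule as well.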

    Scalability

    The figure "Performance of Alternative IdM Solution Architectures" highlights differences between the architecture of Hitachi ID Management Suite and other common architectures for identity and access management systems. Using the optimizations shown in this diagram, Hitachi ID Management Suite is able to process changes, such as auto-discovery of large numbers of users on target systems, up to 100 times faster than competing products.

    [Figure: Performance of Alternative IdM Solution Architectures]

    In the diagram:

    1. The "Optimized" architecture shows the components of Hitachi ID Management Suite. In this diagram:
      1. Users access the system using a web browser, connected to a web server using the HTTPS protocol. This is common to all products with a web portal.
      2. Hitachi ID Management Suite's user interface and core services are implemented using native-compiled IA86 code, which executes 2x to 10x faster than Java or .NET bytecode.
      3. Business logic is added to the system in the form of script code -- an approach common to all modern identity and access management products.
      4. A database server houses all data: policies, identities, workflow requests, transaction history, etc.
      5. Stored procedures act both to isolate the database from the user interface and IdM services and to accelerate the system by performing as much of its processing as possible within the database.

    2. The "Typical" architecture shows the components of most competing products. This architecture performs less well than the Hitachi ID Management Suite because of the following differences:
      1. The UI and IdM services are written in either Java (J2EE) or .NET. Java is typically about 10x slower than native code and .NET is typically about 2x slower than native code.
      2. The IdM logic, in both the UI and IdM services, has direct access to the database. Issuing SQL calls directly to the database means that searches and updates that might be accelerated by being run inside the database instead trigger slow network traffic.

    3. The "Slow" architecture shows the components of only one or two competing products. In this architecture, a high performance relational database is replaced with complex XML objects embedded in an LDAP directory. Whenever the IAM system has to look up user profile data or search for users that match certain criteria, an XML parser must be applied to each and every user profile. This not only severely impairs performance, but it also makes it impossible to use off-the-shelf tools to write custom reports.

  35. How will Version 6.0 of the Hitachi ID Management Suite reduce the need for implementation services?
  36. A number of enhancements in Hitachi ID Management Suite 6.0 support more rapid deployment of the solution:

    1. Identity synchronization can now be implemented without writing any code.
      1. Profile attributes are defined and mapped to target attributes.
      2. Both profile and target attributes are given priority numbers.
      3. Flags are set telling Identity Manager to monitor changes to profile and target attributes.
      4. A requester is configured for identity synchronization events.
      Once all of the above items are configured -- using the web UI -- identity synchronization will automatically take place as an integral part of nightly auto-discovery.
    2. Auto-provisioning and auto-deactivation is implemented using a new, event-driven model.
      1. ID-Compare has been replaced with ID-Track.
      2. ID-Track aggregates all detected changes for each user profile and calls a single function, passing in those changes.
      3. Customers write business logic that parses detected changes and submits responsive actions to the workflow engine.
      4. Example use cases include:
        1. Detecting changes to personal identity attributes, for example a new phone number in the HR feed, and propagating the new attributes to other login IDs associated with the same user (i.e., identity synchronization as above).
        2. Detecting unauthorized changes, such as a user being added to the Administrators group on Active Directory and submitting workflow requests to undo them.
        3. Detecting newly created users in a system of record, such as HR, and submitting role-based requests to create login IDs for the same user on other systems and applications.
        4. Detecting removal of users from a system of record, such as HR, and submitting "terminate all access" requests to the workflow engine.
    3. The workflow API is available directly to business logic.

      Customers wishing to develop custom request forms can do so easily, using the development tools of their choice. Forms can submit requests directly to the workflow service over a SOAP API, so that Identity Manager can track requests through validation, approval and execution.

      This API also largely eliminates the need for business logic to perform direct database lookups using tools such as DBCMD.

    4. A number of connectors have been enhanced and are more flexible than before.
      1. The SSH agent has been enhanced and is more easily scriptable.
      2. A new, XML/web services agent has been added, making it easy to integrate with applications that expose an administrative API over a web service.
      3. The scriptable database agents have been updated, making them much more flexible and easy to configure.
    5. A reference implementation is available on request.

      Hitachi ID Systems has developed a reference implementation of Hitachi ID Management Suite, complete with AD and Exchange target systems, validated and authorized request forms and table-driven logic to select OUs, home directory servers and mailbox servers for new users. Customers can examine how this system is put together before beginning their own implementations.
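The two mechanisms described in items 1 and 2 of this answer (priority-driven identity synchronization, and ID-Track's per-user aggregation of detected changes feeding one business-logic function) fit together in a single worked example. What follows is added illustration code written for this page, not Hitachi ID's ID-Track or its configuration: the system names, the identity cache, the attribute priorities, the privileged group and the two snapshots are all constructed, and the requests are returned as tuples rather than submitted to any workflow service. It diffs last night's and tonight's discovery data across three systems, groups the changes by person, and then handles each person once, covering all four use cases listed above.

```python
from collections import defaultdict

# Constructed example (added illustration, not Hitachi ID's ID-Track code):
# two snapshots of several systems are diffed, the differences are grouped
# per person, and one function is called with each person's full change set.
# It returns the workflow requests it would submit. Names, priorities and
# snapshot data below are invented for the example.

# Identity cache: which person owns which login ID on which system.
OWNER = {("HR", "e1001"): "jdoe", ("AD", "jdoe"): "jdoe", ("LDAP", "jdoe"): "jdoe",
         ("HR", "e1002"): "asmith", ("AD", "asmith"): "asmith"}

# Attribute priorities per system: lower number = more authoritative.
# A system absent from an attribute's map does not carry that attribute.
PRIORITY = {"phone": {"HR": 1, "AD": 2, "LDAP": 3},
            "mail": {"AD": 1, "LDAP": 2}}
MONITORED = sorted(PRIORITY)                      # attributes flagged for tracking
PRIVILEGED_GROUPS = {("AD", "Administrators")}    # membership changes to flag


def diff_snapshots(before, after):
    """Compare (system, login) -> {attrs, groups} snapshots; group by person."""
    changes = defaultdict(list)
    for key in sorted(set(before) | set(after)):
        person = OWNER.get(key, key[1])   # unknown login: key it by its own ID
        old, new = before.get(key), after.get(key)
        if old is None:
            changes[person].append(("created", key))
        elif new is None:
            changes[person].append(("deleted", key))
        else:
            for attr in MONITORED:
                if old["attrs"].get(attr) != new["attrs"].get(attr):
                    changes[person].append(("attr", key, attr))
            for group in sorted(set(new["groups"]) - set(old["groups"])):
                changes[person].append(("group_added", key, group))
            for group in sorted(set(old["groups"]) - set(new["groups"])):
                changes[person].append(("group_removed", key, group))
    return dict(changes)


def process_user(person, changes, current):
    """Single entry point per person: map the aggregated changes to requests."""
    requests, changed_attrs = [], set()
    for change in changes:
        kind, (system, login) = change[0], change[1]
        if kind == "created" and system == "HR":
            requests.append(("create_role_based_accounts", person))
        elif kind == "deleted" and system == "HR":
            requests.append(("terminate_all_access", person))
        elif kind == "group_added" and (system, change[2]) in PRIVILEGED_GROUPS:
            # privileged membership appeared outside the request process: undo it
            requests.append(("remove_from_group", system, login, change[2]))
        elif kind == "attr":
            changed_attrs.add(change[2])
    # Identity synchronization: the most authoritative system holding a value
    # wins and every other mapped account of the person is brought in line,
    # which also reverts an edit made on a less authoritative system.
    accounts = sorted(k for k, p in OWNER.items() if p == person and k in current)
    for attr in sorted(changed_attrs):
        targets = sorted((k for k in accounts if k[0] in PRIORITY[attr]),
                         key=lambda k: (PRIORITY[attr][k[0]], k))
        values = [current[k]["attrs"].get(attr) for k in targets]
        authoritative = next((v for v in values if v is not None), None)
        if authoritative is None:
            continue
        for key, value in zip(targets, values):
            if value != authoritative:
                requests.append(("set_attribute", key[0], key[1], attr, authoritative))
    return requests


def run(before, after):
    """Nightly pass: detect changes on every system, handle each person once."""
    return {person: process_user(person, changes, after)
            for person, changes in diff_snapshots(before, after).items()}


# Constructed snapshots: last night's discovery (BEFORE) and tonight's (AFTER).
BEFORE = {
    ("HR", "e1001"): {"attrs": {"phone": "555-0100"}, "groups": []},
    ("AD", "jdoe"): {"attrs": {"phone": "555-0100", "mail": "jdoe@example.com"}, "groups": ["Staff"]},
    ("LDAP", "jdoe"): {"attrs": {"phone": "555-0100", "mail": "jdoe@example.com"}, "groups": []},
    ("HR", "e1002"): {"attrs": {"phone": "555-0200"}, "groups": []},
    ("AD", "asmith"): {"attrs": {"phone": "555-0200", "mail": "asmith@example.com"}, "groups": ["Staff"]},
}
AFTER = {
    ("HR", "e1001"): {"attrs": {"phone": "555-0199"}, "groups": []},             # HR changed the phone
    ("AD", "jdoe"): {"attrs": {"phone": "555-0100", "mail": "jdoe@example.com"},
                     "groups": ["Staff", "Administrators"]},                     # added to admins
    ("LDAP", "jdoe"): {"attrs": {"phone": "555-0100", "mail": "j.doe@example.com"}, "groups": []},
    ("AD", "asmith"): {"attrs": {"phone": "555-0200", "mail": "asmith@example.com"}, "groups": ["Staff"]},
    ("HR", "e1003"): {"attrs": {"phone": "555-0300"}, "groups": []},             # new hire; e1002 gone
}
```

Running `run(BEFORE, AFTER)` yields four requests for jdoe (undo the Administrators membership, push the HR phone number to AD and LDAP, and reset the LDAP mail value to AD's, since AD outranks LDAP for that attribute), a terminate-all-access request for asmith whose HR record disappeared, and a role-based account creation request for the new HR record. The point of aggregating first is visible in the phone case: HR, AD and LDAP are reconciled in one pass over the person rather than three separate two-system comparisons.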