Identity management and access governance is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access.
Identity and access management (IAM) systems address a set of core business challenges:
- Security and regulatory compliance:
- The access deactivation process may be slow or unreliable, allowing users who have left the organization to retain access.
- Access to privileged accounts, such as Administrator, root or sa, is not consistently secured, leading to weak accountability and access to critical systems retained by departed users.
- Users accumulate security entitlements over time, ending up with the ability to commit fraud or other abuses.
- IT support cost:
- The IT support group must respond to a large volume of login- and access-related calls.
- A large number of security administration staff are needed to set up, manage and tear down user access in response to a changing organization.
- User service:
- It is difficult for users to figure out how to request access for new or reassigned users.
- It takes too long to authorize and provision needed access rights.
- Users must manage too many passwords and fill in too many login prompts.
The Hitachi ID Management Suite is designed as identity management and access governance middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and credentials across multiple systems and platforms. This is illustrated in Figure 1.
Management Suite Overview: Identity Middleware (1)
The Management Suite includes several functional identity management and access governance modules:
- Hitachi ID Identity Manager
-- User provisioning, RBAC, SoD and access certification.
- Automated propagation of changes to user profiles, from systems of record to target systems.
- Workflow, to validate, authorize and log all security change requests.
- Automated, self-service and policy-driven user and entitlement management.
- Federated user administration, through a SOAP API to a user provisioning fulfillment engine.
- Consolidated access reporting.
Identity Manager includes the following additional features, at no extra charge:
- Hitachi ID Access Certifier
-- Periodic review and cleanup of security entitlements.
- Delegated audits of user entitlements, with certification by individual managers and application owners, roll-up of results to top management and cleanup of rejected security rights.
- Hitachi ID Group Manager
-- Self-service management of security group membership.
- Self-service and delegated management of user membership in Active Directory groups.
- Hitachi ID Org Manager
-- Delegated construction and maintenance of Orgchart data.
- Self-service construction and maintenance of data about lines of reporting in an organization.
- Hitachi ID Password Manager
-- Self-service management of passwords, PINs and encryption keys.
- Password synchronization.
- Self-service and assisted password reset.
- Enrollment and management of other authentication factors, including security questions, hardware tokens, biometric samples and PKI certificates.
Password Manager includes the following additional features, at no extra charge:
- Hitachi ID Login Manager
-- Automated application logins.
- Automatically sign users into systems and applications.
- Eliminate the need to build and maintain a credential repository, using a combination of password synchronization and artificial intelligence.
- Hitachi ID Telephone Password Manager
-- Telephone self-service for passwords and tokens.
- Turn-key telephony-enabled password reset, including account unlock and RSA SecurID token management.
- Numeric challenge/response or voice print authentication.
- Support for multiple languages.
- Hitachi ID Privileged Access Manager
-- Secure administrator and service accounts.
- Periodically randomize privileged passwords.
- Ensure that IT staff access to privileged accounts is authenticated, authorized and logged.
- Group Manager is available both as a stand-alone product and as a component of Identity Manager.
The relationships between the Management Suite components are illustrated in Figure 2.
Components of the Management Suite (2)