Identity management and access governance is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access.
Identity and access management (IAM) systems address a set of core business challenges:
- Security and regulatory compliance:
- The access deactivation process may be slow or unreliable, allowing users who have left the organization to retain access.
- Access to privileged accounts, such as Administrator, root or sa is not consistently secured, leading to weak accountability and access to critical systems retained by departed users.
- Users accumulate security entitlements over time, ending up with the ability to commit fraud or other abuses.
- Responding to audit queries about who has what, who requested and approved access and whether access is consistent with policy is time consuming.
- IT support cost:
- The IT help desk must resolve many login- and access-related calls.
- A large number of access administration staff are needed to setup, manage and tear-down user access in response to organizational changes.
- User service:
- It is difficult for users to figure out how to request access for new or reassigned users.
- It takes too long to authorize and provision needed access rights.
- Users must manage too many passwords and fill in too many login prompts.
The Hitachi ID Identity and Access Management Suite is designed as identity management and access governance middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and credentials across multiple systems and platforms. This is illustrated in Figure [link].
The Hitachi ID Identity and Access Management Suite includes several functional identity management and access governance modules:
- Hitachi ID Identity Manager
-- User provisioning, RBAC, SoD and access certification.
- Monitoring systems of record to update user profiles and automatically requesting matching changes to identities and access rights.
- A portal where users may requests changes to identities and access rights, with advanced search and access controls.
- Workflow to route change requests to authorizers and implementers.
- Analytics, including risk scores deviation from role and violation of SoD.
Hitachi ID Identity Manager includes the following additional features, at no extra charge:
- Hitachi ID Access Certifier
-- Periodic review and cleanup of security entitlements.
- Delegating review of access rights, policy configuration and identity attributes to business stake-holders.
- Engagement with managers, resource owners and policy owners.
- Hitachi ID Group Manager
-- Self-service management of security group membership.
- Self-service and delegated requests for access to resources and the groups that have rights to them.
- Group Manager is also available as a stand-alone product, as well as a component of Hitachi ID Identity Manager.
- Hitachi ID Org Manager
-- Delegated construction and maintenance of Orgchart data.
- Delegating the construction and maintenance of manager/subordinate relationships to managers.
- Read/write integration with directories and HR systems.
- Hitachi ID Password Manager
-- Self service management of passwords, PINs and encryption keys.
- Password synchronization, via browser or by intercepting native password changes.
- Self-service and assisted reset of passwords and PINs.
- Self-service unlock of encrypted filesystems, where users may have forgotten a pre-boot password.
- Access from anywhere - browser, smart phone app, voice phone call, PC login screen, pre-boot password prompt, on-premises or off-site.
- Two factor authentication for all users, using either existing credentials (RSA, etc.) or by introducing new mechanisms, such as browser fingerprinting, sending a PIN to the user's phone or an included smart phone app.
- Federated access (SAML IdP) to compatible applications.
- A personal vault, where users can securely store and retrieve unmanaged credentials.
- Managed enrollment of security questions, mobile phone numbers, etc.
Hitachi ID Password Manager includes the following additional features, at no extra charge:
- Hitachi ID Login Manager
-- Automated application logins.
- Automatically sign users into systems and applications.
- Eliminate the need to build and maintain personal password wallets, using a combination of password synchronization and pattern matching.
- Hitachi ID Telephone Password Manager
-- Telephone self-service for passwords and tokens.
- Turn-key telephony-enabled password and PIN reset, including for RSA SecurID tokens.
- Self-service unlock for forgotten pre-boot disk encryption passwords.
- Authentication with either numeric security questions or voice print biometrics.
- Support for multiple spoken languages.
- Hitachi ID Privileged Access Manager
-- Secure administrator and service accounts.
- Automatically discover and classify systems, accounts, groups and services to manage.
- Periodically randomize and vault passwords to privileged accounts.
- Authenticate, authorize and log user access to privileged accounts and groups, including built-in 2FA for all users.
- Orchestrate changes to service account and embedded account passwords.
- Discover, analyze and modify SSH trust relationships.
- Risk scores and analytics, at request time and after the fact.
- Record sessions (video, keylog, etc.) with search and playback.
- Group Manager is available both as a stand-alone product and as a component of Hitachi ID Identity Manager.
The relationships between the Hitachi ID Identity and Access Management Suite components is illustrated in Figure [link].