User administration, especially in a heterogeneous environment where each user has multiple login accounts and appears in multiple directories, has many inherent security problems. In many organizations, weaknesses in change management processes are a major source of security problems.
| Security problem | Details | Hitachi ID Identity Manager solution |
| --- | --- | --- |
| User profiles persist long after their owner has been terminated | Unreliable business processes and incomplete access profiles mean that when employees or contractors are terminated, systems administrators may not be notified on time, or at all. Additionally, without a global record of every login ID on every system that belongs to a user, it is difficult or impossible to ensure that all of the login accounts associated with a user are reliably and promptly disabled after a termination. As a result, users may retain login entitlements long after they have left an organization. | Identity Manager helps organizations implement reliable and prompt termination through automated termination, consolidated access reporting, and a consolidated user administration console. |
| Users accumulate entitlements like lint | Over time, as users move around an organization and change responsibilities, they accumulate login accounts on various systems and specific security entitlements, all required to do their jobs at the time. Unfortunately, it is difficult or impossible to determine when old entitlements are really no longer needed and should be removed, so users simply accumulate them. This is a security problem, as it increases the risk of security violations due either to honest errors or to compromised accounts. | Identity Manager can be used to periodically review what login accounts and entitlements each user has, to identify suspicious entitlements, and to remove those that managers and system owners agree are truly no longer required. |
| It is difficult to determine which users have what access to systems and data, and how they got it | Lack of a database that connects login IDs across systems back to individual users, and that tracks security entitlements across systems, makes it difficult or impossible to determine just what access rights any given user has (globally), or conversely which set of users has a particular combination of security entitlements. Local or absent change logs make it impossible to track how users got the access rights they have. This makes it difficult to meet regulatory requirements for effective internal controls. | Identity Manager can be used to report on user access rights and change history globally. |
| Users have non-standard login IDs and account configuration | Different human security administrators create accounts in different ways, inadvertently violating standards. Without effective standards enforcement, it is difficult to control the access rights of large user populations. Without enforced login ID naming conventions, it is difficult to correlate security events across systems. | Identity Manager creates all new users with standard login IDs by cloning pre-defined, standardized template accounts. |
| Users get new accounts and security changes without proper authorization | Overly restrictive change control procedures, or simply hard-to-use change request forms, may lead business users to bypass the change request / routing / authorization process entirely and demand security changes directly from systems administrators. In effect, lack of usability can defeat security. | Identity Manager makes the change control process easy to use, with a built-in self-service workflow engine. Users have no incentive to bypass the system when it is fast and effective. |
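The first and third rows above both come down to one missing capability: a global record that maps every login ID on every system back to its owner. The following added example (not Hitachi ID's code, and not tied to any of its products) shows the core of that consolidation over constructed sample exports: it correlates accounts across systems through whatever attribute each system uses to hold the employee ID, then flags accounts whose owner is terminated or unknown. The system names, attribute names, roster and account data are all constructed assumptions.

```python
"""Consolidated account inventory: map every login ID on every system back to
its owner, then flag accounts whose owner is terminated or unknown.
All sample data below is constructed for this example, not from a real system."""
from collections import defaultdict

# Constructed HR roster keyed by employee ID, the only cross-system link.
HR_ROSTER = {
    "E1001": {"name": "alice", "status": "active"},
    "E1002": {"name": "bob", "status": "terminated"},
}

# Constructed per-system exports. Each system stores the employee ID under a
# different attribute, which is exactly what makes manual correlation unreliable.
SYSTEM_EXPORTS = {
    "ad":    [{"login": "alice.a", "employeeID": "E1001", "groups": ["Staff"]},
              {"login": "bob.b", "employeeID": "E1002", "groups": ["Staff", "Finance-Admins"]}],
    "linux": [{"login": "alice", "gecos": "E1001", "groups": ["users"]},
              {"login": "bob", "gecos": "E1002", "groups": ["users", "sudo"]},
              {"login": "tmpadmin", "gecos": "", "groups": ["sudo"]}],
    "erp":   [{"login": "BBROWN", "ref": "E1002", "groups": ["AP_CLERK"]}],
}
OWNER_ATTR = {"ad": "employeeID", "linux": "gecos", "erp": "ref"}  # assumed mapping


def build_inventory(exports=SYSTEM_EXPORTS, attr_map=OWNER_ATTR):
    """Return {employee_id: [(system, login, groups), ...]}. Accounts with an
    empty or missing owner attribute are collected under the key None."""
    inventory = defaultdict(list)
    for system, accounts in exports.items():
        for acct in accounts:
            owner = acct.get(attr_map[system]) or None
            inventory[owner].append((system, acct["login"], acct["groups"]))
    return inventory


def find_risky_accounts(inventory, roster=HR_ROSTER):
    """Accounts that should be disabled: owner terminated, or no owner on record."""
    findings = []
    for owner, accounts in inventory.items():
        person = roster.get(owner)
        if person is None:
            reason = "no owner on record"
        elif person["status"] != "active":
            reason = f"owner {person['name']} is {person['status']}"
        else:
            continue  # active owner: nothing to flag here
        for system, login, _groups in accounts:
            findings.append((system, login, reason))
    return sorted(findings)
```

With the constructed data, every one of bob's three accounts is reported even though each system names him differently, and the ownerless `tmpadmin` account with sudo rights is surfaced as well.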
Identity Manager strengthens security by:
Password management, especially in a heterogeneous environment where each user has multiple passwords, has many inherent security problems. In many organizations, weak password management is the single largest security problem.
| Security problem | Details | Hitachi ID Password Manager solution |
| --- | --- | --- |
| Users write down passwords | Users with many passwords frequently write them down since they are too hard to remember. Written passwords may be attached to user workstations, stored in computer files, or carried around by users. None of these practices is secure. | Password Manager helps users remember a single, strong password using password synchronization. |
| Users choose weak passwords | Users tend to pick simple, easy-to-remember passwords. Unfortunately, such passwords are also easy to guess, and password cracking software can easily find them. Some computer systems offer password strength enforcement, but usually only a few rules are available, and the same rules are not available on different types of systems. | Password Manager can enforce a single, strong and uniform password strength policy across every system in the enterprise. |
| Users never change their passwords | Over time, users may share their passwords with friends or co-workers. The best way to overcome this problem is to change passwords regularly. Unfortunately, users are reluctant to do this, and only some systems can force users to change their passwords often. | Password Manager can prompt users to change all of their passwords regularly. |
| Support staff reset passwords for unauthorized callers | When users forget their passwords, they call the help desk and ask for a password reset. The help desk may reset the caller's password with little or no proof of the caller's identity. | Password Manager allows users to reset their own password after being properly authenticated. It also integrates user authentication into the help desk password reset facility. |
| Too many people have administrative rights | Without Password Manager, many front-line support staff may have administrative rights on many systems so that they can reset passwords for callers. A large number of people with administrative rights presents a serious security problem. | Password Manager allows front-line support staff to reset passwords on every system without having an account on those systems. This significantly reduces the number of people with administrative rights on the network. |
| There is no audit trail for password resets | Without Password Manager, there may be no way to tell who reset a user's password, when, or why. | Password Manager logs administrator logins, user IDs, host IDs, time and date, and password reset results. |
Password Manager improves the security of authentication processes:
Hitachi ID Privileged Access Manager's primary function is to secure access to privileged accounts. This is described here.
Hitachi ID Group Manager's primary function is to manage user membership in Active Directory groups, while ensuring proper authorization for all such change requests. This is described here.