Hitachi ID Identity Manager security benefits
User administration, especially in a heterogeneous environment where each user has multiple login accounts and appears in multiple directories, has many inherent security problems. In many organizations, weaknesses in change management processes are a major source of security problems.
|Security problem||Hitachi ID Identity Manager solution|
|User profiles persist long after their owner has been terminated||Unreliable business processes and incomplete access profiles mean that when employees or contractors are terminated, systems administrators may not be notified on time, or at all. Additionally, without a global record of every login ID on every system that belongs to a user, it is difficult or impossible to ensure that all of the login accounts associated with a user are reliably and promptly disabled after a termination. As a result, users may retain login entitlements long after they have left an organization.||Identity Manager helps organizations to implement reliable and prompt termination, through automated termination, consolidated access reporting, and use of a consolidated user administration console.|
|Users accumulate entitlements like lint||Over time, as users move around an organization, changing responsibilities, they accumulate login accounts on various systems and specific security entitlements, all required to do their jobs. Unfortunately, it is difficult or impossible to determine when their old entitlements are really no longer needed, and so should be removed. As a result, users just accumulate entitlements. This is a security problem, as it increases the risk of security violations due either to honest errors or compromised accounts.||Identity Manager can be used to periodically review what login accounts and entitlements each user has, to identify suspicious entitlements, and to remove those that managers and system owners agree are truly no longer required.|
|It is difficult to determine what users have what access to systems and data, and how they got it.||Lack of a database that connects login IDs across systems back to individual users, and that tracks security entitlements across systems, makes it difficult or impossible to determine just what access rights any given user has (globally), or conversely what set of users have a particular combination of security entitlements. Local or absent change logs make it impossible to track how users got the access rights they have. This makes it difficult to meet regulatory requirements for effective internal controls.||Identity Manager can be used to report on user access rights and change history globally.|
|Users have non-standard login IDs and account configuration||Different human security administrators create accounts in different ways, inadvertantly violating standards. Without effective standards enforcement, it is difficult to control the access rights of large user populations. Without enforcing login ID naming conventions, it is difficult to correlate security events across systems.||Identity Manager creates all new users with standard login IDs by cloning pre-defined, standardized template accounts.|
|Users get new accounts and security changes without proper authorization||Overly-restrictive change control procedures, or simply difficult to use change request forms, may lead business users to bypass the change request / routing / authorization process entirely, and demand security changes directly from systems administrators. In effect, lack of usability can defeat security.||Identity Manager makes the change control process easy to use, with a built-in self-service workflow engine. Users have no incentive to bypass the system when it is fast and effective.|
Identity Manager strengthens security by:
- Quickly and reliably removing access to all systems and applications when users leave an organization.
- Finding and helping to clean up orphan and dormant accounts.
- Assigning standardized access rights, using roles and rules, to new and transitioned users.
- Enforcing policy regarding segregation of duties and identifying users who are already in violation.
- Ensuring that changes to user entitlements are always authorized before they are completed.
- Asking business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.
- Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.
- Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.
Hitachi ID Password Manager security benefits
Password management, especially in a heterogeneous environment where each user has multiple passwords, has many inherent security problems. In many organizations, weak password management is the single largest security problem.
|Security problem||Hitachi ID Password Manager solution|
|Users write down passwords||Users with many passwords frequently write them down since they are too hard to remember. Written passwords may be attached to user workstations, stored on computer files, or carried around by users. None of these techniques are secure.||Password Manager helps users remember a single, strong password using password synchronization.|
|Users choose weak passwords||Users tend to pick simple, easy-to-remember passwords. Unfortunately,
such passwords are also easy to guess, and password cracking software can
easily find them.
Some computer systems offer password strength enforcement, but usually only a few rules are available, and the same rules are not available on different types of systems.
|Password Manager can enforce a single, strong and uniform password strength policy across every system in the enterprise.|
|Users never change their passwords||Over time, users may share their passwords with friends or co-workers. The best way to overcome this problem is to change passwords regularly. Unfortunately, users are reluctant to do this, and only some systems can force users to change their passwords often.||Password Manager can prompt users to change all of their passwords regularly.|
|Support staff reset passwords for unauthorized callers||When users forget their passwords, they call the help desk and ask for a password reset. The help desk may reset the caller's password with little or no proof of the identity of the caller.||Password Manager allows users to reset their own password, after being properly authenticated. It also integrates user authentication into the help desk password reset facility.|
|Too many people have administrative rights||Without Password Manager, many front-line support staff may have administrative rights to many systems, so that they can reset passwords for callers. A large number of people with administrative rights presents a serious security problem.||Password Manager allows front-line support staff to reset passwords on every system without having an account on those systems. This significantly reduces the number of people with administrative rights on the network.|
|There is no audit trail for password resets||Without Password Manager, there may be no way to tell who reset a user's password, when or why.||Password Manager logs administrator logins, user IDs, host IDs, time and date and password reset results.|
Password Manager improves the security of authentication processes:
- A strong, uniform password policy prevents the use of easily guessed passwords and ensures that all passwords are changed regularly.
- Password synchronization discourages written passwords ("sticky notes").
- Consistent, reliable authentication processes ensures that users are reliably identified before accessing sensitive services, such as a help desk password reset.
- IT support staff can be empowered to assist callers without having administrator accounts on every system and application.
- Extensive audit logs create accountability for password resets.
- Encryption ensures that passwords are not stored or transmitted in plaintext.
Hitachi ID Privileged Access Manager security benefits
Hitachi ID Privileged Access Manager's primary function is to secure access to privileged accounts. This is described here.
Hitachi ID Group Manager security benefits
Hitachi ID Group Manager's primary function is to manage user membership in Active Directory groups, while ensuring proper authorization for all such change requests. This is described here.