Introduction

Hitachi ID Systems offers multiple editions of Hitachi ID Identity Express -- each of which is a reference implementation of Hitachi ID Identity and Access Management Suite for a specific type of organization.

The objective of Identity Express is to minimize the time, cost and risk of IAM system deployment. Instead of spending months with consultants to document existing processes, adjust them and then implement automation on a "clean slate" system, Hitachi ID recommends discarding old, inefficient processes, adopting best practices and implementing a full set of IAM processes in just a few days. Identity Express can reduce the total cost of IAM system deployment by 80% to 90%.

Hitachi ID Identity Express: Partner Portal Edition is a pre-configured set of business processes and policies which implement best practices for managing the identities, security entitlements and credentials of users affiliated with the partners of an organization. The idea is to delegate the management of partner identities to one or more designated individuals at each partner organization, in conjunction with self-service where possible.

Identity Express: Partner Portal Edition is built on Hitachi ID Identity Manager, used to manage identities and entitlements, and Hitachi ID Password Manager, used to manage credentials.

Replacing legacy IAM processes with Identity Express has the following advantages over custom IAM implementations:

  • Optimized IAM processes: The business processes codified in Identity Express have been optimized for fast service and robust internal controls, improving on the legacy processes in most organizations.

  • Complete functionality: When implementing a custom IAM system, organizations can only automate one or two processes at a time. Most start with onboarding, deactivation or access reviews and only later automate transfers, leaves of absence, name changes, rehire detection, etc. In contrast, Identity Express allows organizations to automate a comprehensive set of identity lifecycle processes up front.

  • Efficient implementation: By adopting a pre-configured set of processes and policies, organizations minimize deployment risk, reduce implementation cost and shorten time to value.

Terminology

There are two kinds of organizations at play and multiple kinds of users, so clear terminology is helpful to understand the capabilities of the Identity Express: Partner Portal Edition:

  • Host organization: The organization which licensed and is operating the Hitachi ID Suite software.

  • Host user: A user with access to the Hitachi ID Suite by virtue of being affiliated with the host organization (employee, contractor, etc.).

  • Partner: An organization that does business with the host organization.

  • Partner user: A user affiliated with a partner (employee, contractor, etc.). It is the identities, entitlements and credentials of partner users which the Identity Express: Partner Portal Edition manages.

  • Global administrator: A host user with elevated privileges, allowed to manage all partners and partner users.

  • Partner administrator: A partner user with rights to manage other users, their entitlements or their credentials, but with visibility and privileges limited to their own partner organization.

  • Directory: A public database containing records about users and organizations. Typically implemented using LDAP server software or Microsoft Active Directory. This may be a stand-alone directory or a subset of a larger directory operated by the hosting organization. The Identity Express: Partner Portal Edition is used to manage partner users in the directory.

  • Application: A computer program operated by the host organization which is accessed by partner users. Host organizations use the Hitachi ID Suite to manage access to applications by partner users. Applications in the context of the Identity Express: Partner Portal Edition are typically deployed either on the host organization's extranet or "in the cloud" in a software-as-a-service model.

Scope of automation

Identity Express: Partner Portal Edition automates best-practice processes for managing identities, security entitlements and credentials in a partner-facing portal environment. It is suitable where IAM requirements fit the following profile:

  1. A host organization has a business relationship with one or more partner organizations.
  2. The host organization operates one or more applications which partner users sign into.
  3. There are no reliable data feeds that could be used to automatically grant or revoke access to partner users, or such data feeds are only available for a subset of partners.
  4. The host organization wishes to delegate the management of partner users to partner administrators, rather than creating, managing and deactivating partner users directly.

Identities and security entitlements in these organizations can be managed using the following processes:

  1. Global administrators set up and manage partners and partner administrators.
  2. Partner administrators create, manage, support and deactivate partner users.
  3. Warnings are sent to inactive partner users, asking them to sign on before their access is deactivated.
  4. Partner users who remain inactive are automatically disabled.
  5. Partner administrators are periodically invited to review and clean up lists of partner users.
  6. Partner administrators can reset passwords and clear intruder lockouts for other partner users.
  7. Partner users can manage their own credentials, including enrolling security questions and resetting passwords.

Change management processes are subject to a variety of policies relating to access changes and identity information:

  • Self-service visibility: Partner users can only see their own profiles.

  • Partner-wide visibility: Partner administrators can only see and modify partner users in their own organization.

  • Global access: Global administrators can manage all partners and all users, including selecting the partner users who will have partner administrator rights.

  • Deactivation after inactivity: Partner user accounts are disabled after a period of inactivity.

  • Reviews per partner: Partner administrators are responsible for periodically reviewing accounts in their own organization and removing the accounts of users who no longer require access.

  • Global reviews: Global administrators are responsible for periodically reviewing the list of partner administrators and removing any that no longer require access.

  • Password security: Passwords are subject to complexity, non-reuse and periodic change requirements.

  • Security question strength: Security questions must be unique and sufficiently complex.

  • Intruder lockouts: Access to the system is subject to intruder lockouts triggered by repeated, failed login attempts.
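The visibility policies and the inactivity rule above, written out as explicit authorization checks. This is an added illustration of the delegation model, not Hitachi ID code; the role names, the User record and the 60-day warning and 90-day disable thresholds are assumptions, since the page gives no numbers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role labels assumed for this example; they mirror the page's terminology.
GLOBAL_ADMIN = "global_admin"      # host user, manages all partners
PARTNER_ADMIN = "partner_admin"    # partner user, scoped to one partner
PARTNER_USER = "partner_user"      # ordinary partner user, self-service only

@dataclass
class User:
    uid: str
    partner: Optional[str]   # None for host users such as global administrators
    role: str
    last_login: str          # ISO date string, e.g. "2024-01-01" (constructed)
    disabled: bool = False

def can_view(actor: User, target: User) -> bool:
    """Self-service, partner-wide or global visibility, in increasing scope."""
    if actor.role == GLOBAL_ADMIN:
        return True                                   # global access
    if actor.role == PARTNER_ADMIN:
        return target.partner == actor.partner        # partner-wide visibility
    return target.uid == actor.uid                    # self-service visibility

def can_modify(actor: User, target: User) -> bool:
    # Partner users manage only their own credentials; admins modify what they can see.
    if actor.role == PARTNER_USER:
        return target.uid == actor.uid
    return can_view(actor, target)

def can_grant_partner_admin(actor: User) -> bool:
    # Only global administrators select which partner users become partner admins.
    return actor.role == GLOBAL_ADMIN

def inactivity_action(user: User, today: str,
                      warn_after: int = 60, disable_after: int = 90) -> Optional[str]:
    """Return 'warn', 'disable' or None for the deactivation-after-inactivity policy."""
    if user.disabled:
        return None
    idle = (date.fromisoformat(today) - date.fromisoformat(user.last_login)).days
    if idle >= disable_after:
        return "disable"       # account is disabled automatically
    if idle >= warn_after:
        return "warn"          # user is asked to sign on before deactivation
    return None
```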
