Hitachi

Introduction

Hitachi ID Systems offers multiple editions of Hitachi ID Identity Express -- each of which is a reference implementation of Hitachi ID Identity and Access Management Suite for a specific type of organization.

The objective of Identity Express is to minimize the time, cost and risk of IAM system deployment. Instead of spending months with consultants to document existing processes, adjust them and then implement automation on a "clean slate" system, Hitachi ID recommends discarding old, inefficient processes, adopting best practices and implementing a full set of IAM processes in just a few days. Identity Express can reduce the total cost of IAM system deployment by 80% to 90%.

Hitachi ID Identity Express: Corporate Edition is a pre-configured set of business processes and policies which implement best practices for managing the identities, security entitlements and credentials of internal users in corporations and similar organizations. In most organizations, these internal users are employees and contractors.

Identity Express: Corporate Edition is built on Hitachi ID Identity Manager, used to manage identities and entitlements, and Hitachi ID Password Manager, used to manage credentials.

Replacing legacy IAM processes with Identity Express has the following advantages over custom IAM implementations:

  • Optimized IAM processes: The business processes codified in Identity Express have been optimized for fast service and robust internal controls, improving on the legacy processes in most organizations.

  • Complete functionality: When implementing a custom IAM system, organizations can only automate one or two processes at a time. Most start with onboarding, deactivation or access reviews and only later automate transfers, leaves of absence, name changes, rehire detection, etc. In contrast, Identity Express allows organizations to automate a comprehensive set of identity lifecycle processes up front.

  • Efficient implementation: By adopting a pre-configured set of processes and policies, organizations minimize deployment risk, reduce implementation cost and shorten time to value.

Scope of automation

Identity Express: Corporate Edition automates best-practice processes for managing identities, security entitlements and credentials in a corporation or similar organization. It is suitable for any organization that fits the following profile:

  1. Its workforce largely consists of employees.
  2. Employees are tracked in one or more human resources (HR) systems.
  3. The workforce also includes other categories of people -- contractors, vendors, etc.
  4. These other types of users are usually not tracked in HR.
  5. Employees and some contractors are assigned corporate, centrally managed PCs, which are members of an Active Directory domain.
  6. Most users also have a home directory on a file server and an e-mail account / mail folder, typically on Office 365 or Exchange.
  7. Basic access rights (AD, Exchange, home directory) assigned to all users are uniform and predictable based on user type, location, etc.
  8. Additional access rights depend on the user's department, job code, location or projects and may be more difficult to predict.

Identities and security entitlements in these organizations can be managed using the following processes:

  1. Employee access is automatically granted and revoked based on changes detected in one or more systems of record (SoR), typically HR.
  2. Non-employee access is granted and revoked in response to requests entered on the IAM portal.
  3. Access can be deactivated urgently if needed (terminations).
  4. Users may be transferred across locations, departments and between managers, as a result of either requests or changes in an SoR.
  5. User types may change, for example between employee and contractor.
  6. User names may change (marital status, etc.).
  7. Users may take leaves of absence, for example due to maternity.
  8. The system accepts, authorizes and manages fulfillment of requests for access, for example to add login accounts or to add users to security groups.
  9. User access is reviewed and, where it was inappropriate, revoked both on a periodic basis and in response to events such as transfers.

Change management processes are subject to a variety of policies relating to access changes and identity information:

  Policy                  Description
  ----------------------  -----------------------------------------------------------------------------
  Privacy protection      Who can see what information, about whom?
  Data retention          Archive of e-mail folders and home directory contents, post-termination.
  Segregation of duties   What rights should not be combined?
  Authorization           Who should approve what access?
  Identifier management   How to construct unique, persistent login IDs, e-mail addresses, etc.
  Resource placement      In what directory OU to create accounts, on what filesystem to create home
                          directories, in what mail database to create a mail folder?
  Rehire control          Whether people who have left the organization may return and, if so, whether
                          to re-activate their old profile or create a new one.
  Password complexity     How to compose adequately secure passwords.
  Authentication options  How users sign into the IAM system, both under normal circumstances and in
                          the event that they forgot their password.

Integrations and manual fulfillment

Included target systems

Identity Express: Corporate Edition includes a number of default integrations. Organizations use these as a starting set and add or replace target systems and applications as required:

  1. A data feed from human resources (HR) to trigger automatic setup, modification and deactivation processes.
    1. There is no assumption that all the data from HR is correct. Manager/subordinate relationships, department codes, contact information and more may be obsolete or incorrect.
    2. Changes to HR data, especially new hires and removal of employees from HR, are assumed to be accurate when they are detected and do trigger changes to user access.
  2. A single Active Directory domain.
  3. A single Exchange e-mail domain.
  4. Windows file servers, where home directories are managed.
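As an added illustration of the HR trust model described above (this is not Hitachi ID's code and does not reproduce Identity Express), the Python sketch below reconciles two constructed HR snapshots: IDs that appear or disappear drive automatic onboarding and deactivation, IDs that reappear after an earlier departure are routed to rehire review, and manager/department changes only raise review items because those attributes may be stale in HR. All employee IDs, names and the `archived` set are made up.

```python
# Constructed example: reconcile two HR snapshots under the trust model above.
# Additions and removals in HR are authoritative; other attributes are not.
# Identity Express itself is not reproduced here; names and IDs are made up.

def reconcile(previous, current, archived=frozenset()):
    """Return (auto_actions, review_items).

    previous/current: {emp_id: {"name", "manager", "dept"}} HR snapshots.
    archived: emp_ids deactivated earlier whose profiles were retained;
              a reappearance is a possible rehire and is not auto-onboarded.
    """
    actions, review = [], []
    # New IDs in HR are trusted: onboard automatically, unless the ID belongs
    # to a former user (the rehire control policy decides old vs. new profile).
    for emp_id in sorted(current.keys() - previous.keys()):
        kind = "rehire_review" if emp_id in archived else "onboard"
        actions.append((kind, emp_id))
    # IDs removed from HR are trusted: deactivate automatically.
    for emp_id in sorted(previous.keys() - current.keys()):
        actions.append(("deactivate", emp_id))
    # Manager/department values may be stale or wrong in HR: raise a review
    # item (a transfer triggers an access review) instead of re-provisioning.
    for emp_id in sorted(previous.keys() & current.keys()):
        old, new = previous[emp_id], current[emp_id]
        for attr in ("manager", "dept"):
            if old[attr] != new[attr]:
                review.append((emp_id, attr, old[attr], new[attr]))
    return actions, review


# Constructed snapshots (not real data).
PREVIOUS = {
    "E100": {"name": "Ada Lovelace", "manager": "E001", "dept": "ENG"},
    "E101": {"name": "Alan Turing", "manager": "E001", "dept": "ENG"},
    "E102": {"name": "Grace Hopper", "manager": "E002", "dept": "OPS"},
}
CURRENT = {
    "E100": {"name": "Ada Lovelace", "manager": "E003", "dept": "FIN"},  # transferred
    "E101": {"name": "Alan Turing", "manager": "E001", "dept": "ENG"},
    "E103": {"name": "Joan Clarke", "manager": "E002", "dept": "OPS"},   # new hire
    "E090": {"name": "Mary Jackson", "manager": "E002", "dept": "OPS"},  # left earlier
}
ARCHIVED = frozenset({"E090"})

if __name__ == "__main__":
    auto, pending = reconcile(PREVIOUS, CURRENT, ARCHIVED)
    print("automatic:", auto)
    print("for review:", pending)
```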

Additional target systems and applications

Initially, Identity Express: Corporate Edition can invite access administrators to manually fulfill authorized access requests on not-yet-integrated systems and applications. Over time, integrations should be added, prioritizing based on request volume, to reduce the workload for access administrator staff.

ITSM integration

Integration with an incident management system is also supported in Identity Express: Corporate Edition, but is not configured out-of-the-box, as no two IT service management (ITSM) systems are alike. When ITSM integration is added, it is configured to:

  1. Automatically create service incidents to reflect events such as account creation and password resets, for consolidated record keeping and analytics.
  2. Allow users to request access for new hires and initiate terminations through the ITSM portal, with logical access provisioned or deactivated via Identity Manager.

Note that fine-grained access requests via ITSM are not recommended, as this would require implementing sophisticated segregation of duties policies, data filters, privacy protection, etc. This quickly becomes a large, complex exercise whose only deliverable is to re-implement the existing, working Identity Manager request UI on the ITSM platform.
