Hitachi ID Systems, Inc. delivers access governance and identity administration solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Identity and Access Management Suite is a fully integrated solution for managing identities, security entitlements and credentials, for both business users and shared/privileged accounts, on-premises and in the cloud.
The Hitachi ID Suite is well known in the marketplace for high scalability, fault tolerance, a pragmatic design and low total cost of ownership (TCO). Hitachi ID is recognized by customers and analysts for industry leading customer service.
Originally founded in 1992 as M-Tech Information Technology, Inc. and acquired by Hitachi, Ltd. in 2008, Hitachi ID Systems, Inc. is a leading provider of identity management and access governance solutions.
Hitachi ID's first identity management and access governance product, Hitachi ID Password Manager, has been commercially available since 1995. Today, Hitachi ID is the leading password management vendor world-wide and a leading provider of identity and privileged access management solutions.
Hitachi ID currently has 160 employees. Hitachi ID has enjoyed strong financial performance, with 96 consecutive quarters of growth and profitability.
Hitachi ID is headquartered in Calgary, Canada and has regional offices in: Canada: Vancouver, Montréal and Ottawa; United States: New York, Chicago and Houston; Europe: Amsterdam, Leeds (UK) and Warsaw (Poland); Australia: Brisbane.
Password Manager is an integrated solution for managing credentials across systems and applications. It simplifies the management of passwords, tokens, smart cards, security questions and biometrics. Password Manager lowers IT support cost and improves the security of login processes.
Password Manager includes password synchronization, self-service password and PIN reset, strong authentication, federated access, enrollment of security questions and biometrics and self-service unlock of encrypted drives.
Password Manager reduces the cost of password management using:
Password Manager strengthens security by providing:
To find out more about Password Manager, visit https://Hitachi-ID.com/password-manager/.
Identity Manager is a separate product built on the same infrastructure as Password Manager. Where Password Manager manages passwords, Identity Manager creates, deletes and manipulates user accounts.
Identity Manager is an integrated solution for managing identities and security entitlements across systems and applications. It ensures that users are granted access quickly, that entitlements are appropriate to business need and that access is revoked once no longer needed.
Identity Manager implements the following business processes to drive changes to identities, groups and entitlements on systems and applications:
Identity Manager strengthens security by:
Identity Manager reduces the cost of managing users and security entitlements:
Password Manager reduces the IT support cost associated with passwords:
Password Manager improves user service by simplifying password management:
Password Manager improves the security of authentication processes:
Password Manager is not a single sign-on system. Rather, it manages and reduces the number of passwords that users must remember, but does not eliminate the need for users to type their own passwords.
Password management, rather than single sign-on, may be attractive, because of some problems with enterprise single sign-on software:
Over time, a traditional E-SSO system will respond to applications expiring passwords by choosing new, random password values, allowing the application to change passwords and storing the random password value for future reference.
With this process in place, over time users lose knowledge of their own passwords and become dependent on the E-SSO system to sign into their applications. This means that users cannot access their applications from devices that are not equipped with the E-SSO software, such as smart phones or even their home PCs.
Building and maintaining a database of every login ID and every password on every application can be both costly and time consuming.
Login IDs and passwords stored in a traditional E-SSO system are typically encrypted using a key derived from the user's primary network password. When users forget their primary password, they lose this key and can no longer decrypt their application passwords. As a result, password problems may be less frequent with E-SSO, but resolving them is more complicated, time consuming and expensive.
In the event that the password database in a traditional E-SSO system is compromised, every user ID and every password would be exposed.
If the password database suffers an outage, every user would be locked out of every application.
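The recovery problem described above, where stored application passwords are encrypted under a key derived from the primary password, shown as an added example (not code from Hitachi ID or any E-SSO product). The vault layout, the iteration count and all passwords are constructed, and the HMAC-based cipher is a standard-library stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, json, os

ITERATIONS = 200_000  # constructed parameter, not taken from any product

def _derive(password, salt):
    """Derive separate encryption and MAC keys from the primary password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stand-in for AES-GCM or ChaCha20.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal_vault(primary_password, app_passwords):
    """Encrypt the application passwords under a key tied to the primary password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(primary_password, salt)
    plain = json.dumps(app_passwords).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(primary_password, vault):
    """Return the stored passwords, or None if the derived key does not match."""
    enc_key, mac_key = _derive(primary_password, vault["salt"])
    expected = hmac.new(mac_key, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # wrong key: the vault stays sealed
    ks = _keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return json.loads(bytes(a ^ b for a, b in zip(vault["ct"], ks)))

def demo():
    # Random values chosen by the E-SSO agent, unknown to the user (constructed).
    stored = {"erp": "Xk9#random1", "mainframe": "q7$random2"}
    vault = seal_vault("old-primary-pw", stored)
    before = open_vault("old-primary-pw", vault)
    # The user forgets the primary password and the help desk sets a new one.
    # The directory accepts it, but the vault key was derived from the old one.
    after = open_vault("new-primary-pw", vault)
    return {"before_reset": before, "after_reset": after}

if __name__ == "__main__":
    print(demo())
```

After the reset the vault cannot be opened, so every application password in it must be reset or re-enrolled separately.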
In addition, traditional SSO systems have to integrate with a variety of subsystems on the user's PC, both to detect when a password prompt is displayed and to inject passwords into input fields. This requires integrations with:
Some organizations require integration with other platforms -- MacOSX, Android, iOS and Linux, which significantly expands the scope of the problem.
Each of these components operates totally differently than the others and has its own release cycle. Web browsers such as Chrome and Firefox, in particular, release new versions every 6 weeks or so, which often break backwards compatibility.
The net result of this complexity is that it is quite difficult to maintain compatibility across a variety of applications as various application development frameworks constantly evolve. Customers are impacted in that they are either prevented from upgrading their endpoints (as this would introduce breakage), or have to frequently upgrade their SSO software, or suffer frequent compatibility problems because upgrades to applications cause SSO to stop working.
Web single sign-on software (WebSSO) is less ambitious than enterprise SSO, but has none of its drawbacks. When users first access an Intranet page, they are diverted to an authentication page. Thereafter, whenever they access another page, their browser sends an encrypted authentication cookie to the web server, which validates it and does not prompt for a second login screen.
With agent-based WebSSO, there is no client software, no credential database and no costly password reset processes.
Password Manager can synchronize passwords across both legacy systems (network operating systems, applications, mainframes, etc.) and WebSSO systems, which typically authenticate users with an LDAP directory and password.
There is a detailed ROI model for Hitachi ID identity management and access governance solutions at:
ROI from Password Manager is principally due to improved user productivity (fewer password problems) and reduced workload for the help desk.
Password management is a key element in an organization's identity management and access governance infrastructure. Other components may include automated onboarding/deactivation, an access request portal, authorization workflow, access certification, directories, meta directories, web single sign-on (WSSO) and web access management (WAM) products.
Password Manager may be compared to other identity management and access governance products as follows:
Some password management products focus mainly on password reset.
The advantage of Password Manager over such products is a fundamentally different strategy. With Password Manager, customers first seek to eliminate problems, through password synchronization. Self-service is used to divert remaining problems, rather than as a primary tool for call volume management.
This approach generates a better ROI, through higher user adoption rates and better user service. Typically synchronization, self-service and assisted password resets together reduce help desk password problem load by 95%, as compared to about 60% for just self-service password reset.
Password Manager is often less costly to purchase and deploy than products that offer just self-service password reset.
A number of products are designed only to enable users who forgot their primary AD password to answer a few security questions and reset this password. This may be offered via a web browser only, or from the PC login screen, or via a phone call.
There are many problems with this approach:
AD-only password reset programs generally fail all of the above tests and provide only very limited value.
Products designed primarily to manage identities and entitlements often have a limited password reset capability, but this usually fails in all the important edge cases: managed user enrollment, access from the PC login screen, access from off-site, from pre-boot, etc. The result is poor user adoption and low ROI.
|Directories:||Databases:||Server OS -- X86/IA64:|
|Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.||Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.||Windows: NT thru 2016; Linux and *BSD.|
|Server OS -- Unix:||Server OS -- Mainframe:||Server OS -- Midrange:|
|Solaris, AIX and HP-UX.||RAC/F, ACF/2 and TopSecret.||iSeries (OS400); OpenVMS and HPE/Tandem NonStop.|
|ERP, CRM and other apps:||Messaging & collaboration:||Smart cards and 2FA:|
|Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic.||Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.||Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.|
|Access managers / SSO:||Help desk / ITSM:||Drive encryption:|
|CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.||ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.||Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.|
|Server health monitoring:||HR / HCM:||Extensible / scriptable:|
|HP iLO, Dell DRAC and IBM RSA.||WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.||CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.|
|Hypervisors and IaaS:||Mobile management:||Network devices:|
|AWS; vSphere and ESXi.||BlackBerry Enterprise Server and MobileIron.||Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.|
|Filesystems and content:||SIEM:||Management & inventory:|
|Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter.||Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.||Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.|
Password Manager pricing is based on the number of users (people, not login accounts). This includes all features, all connectors, all client software components and the right to run as many servers and CPUs as desired. A one-time purchase grants customers the perpetual right to use Password Manager.
Password Manager pricing is calculated using a smooth curve -- as the number of users increases, the price per user steadily decreases. This means that customers do not have to base their purchase volumes on price bands or tiers. Instead, customers purchase for the number of users actually required, knowing they will get the best price for that volume.
Customers are encouraged to, over time, extend their deployment of Password Manager to manage new target systems and to activate new features, at no additional charge.
Customers may run as many Password Manager servers as required, to provide high availability, redundancy and a test/QA environment, at no additional charge.
A basic Password Manager deployment typically requires from 10 to 40 days of work to design and implement.
At the larger end of the above spectrum are more complex implementations that include integrations with drive encryption programs, telephony infrastructure, VPNs (for self-service by off-site users), access from mobile phones and many password systems.
Once the software is active, user enrollment is often required. User enrollment is an ongoing process, as new staff are hired. In most cases, all users can be invited to enroll and most can be expected to complete registration, within 2-3 months of initial deployment.
Password Manager does not require active ongoing administration of user profiles and system functionality. Users are automatically detected on target systems, enrolled and invited to enroll if additional information is required.
A Password Manager administrator is required to monitor the servers, promote consistent password management to application owners, answer questions from the user community and perform periodic software upgrades.
These responsibilities typically amount to approximately 0.25 FTE.