
Who is Hitachi ID Systems?

Hitachi ID Systems, Inc. delivers access governance and identity administration solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Identity and Access Management Suite is a fully integrated solution for managing identities, security entitlements and credentials, for both business users and shared/privileged accounts, on-premises and in the cloud.

The Hitachi ID Suite is well known in the marketplace for high scalability, fault tolerance, a pragmatic design and low total cost of ownership (TCO). Hitachi ID is recognized by customers and analysts for industry leading customer service.

Originally founded in 1992 as M-Tech Information Technology, Inc. and acquired by Hitachi, Ltd. in 2008, Hitachi ID Systems, Inc. is a leading provider of identity management and access governance solutions.

Hitachi ID's first identity management and access governance product, Hitachi ID Password Manager, has been commercially available since 1995. Today, Hitachi ID is the leading password management vendor world-wide and a leading provider of identity and privileged access management solutions.

Hitachi ID currently has 160 employees. Hitachi ID has enjoyed strong financial performance, with 104 consecutive quarters of growth and profitability.

Hitachi ID is headquartered in Calgary, Canada and has regional offices in: Canada: Vancouver, Montréal and Ottawa; United States: New York, Chicago and Houston; Europe: Amsterdam, Leeds (UK) and Warsaw (Poland); Australia: Brisbane.

What is Password Manager?

Password Manager is an integrated solution for managing credentials across systems and applications. It simplifies the management of passwords, tokens, smart cards, security questions and biometrics. Password Manager lowers IT support cost and improves the security of login processes.

Password Manager includes password synchronization, self-service password and PIN reset, strong authentication, federated access, enrollment of security questions and biometrics and self-service unlock of encrypted drives.

Password Manager reduces the cost of password management using:

  • Password synchronization, which reduces the incidence of password problems for users
  • Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk
  • Streamlined help desk password reset, to expedite resolution of password problem calls

Password Manager strengthens security by providing:

  • A powerful password policy engine.
  • Effective user authentication, especially prior to password resets.
  • Password synchronization, to help eliminate written-down passwords.
  • Delegated password reset privileges for help desk staff.
  • Accountability for all password changes.
  • Encryption of all transmitted passwords.

To find out more about Password Manager, visit

What does Hitachi ID Identity Manager do, and how does it relate to Password Manager?

Identity Manager is a separate product built on the same infrastructure as Password Manager. Where Password Manager manages passwords, Identity Manager creates, deletes and manipulates user accounts.

Identity Manager is an integrated solution for managing identities, groups and security entitlements across systems and applications. It ensures that users are granted access quickly, that entitlements are appropriate to business need and that access is revoked once no longer needed.

Identity Manager implements the following business processes to drive changes to identities, groups and entitlements on systems and applications:

  • Automation: grant or revoke access based on changes in trusted data (typically HR).
  • Requests: users request changes to identity data or access rights -- for themselves or for peers.
  • Certification: stake-holders review the status and access rights of other users, to identify access which is no longer business-appropriate.
  • Workflow: users are invited to approve requests, implement approved changes or perform access reviews.
  • Analytics: examine trends, access rights, data consistency and policy compliance to identify and remediate problems.

Identity Manager strengthens security by:

  • Quickly and reliably removing access to all systems and applications when users leave an organization.
  • Finding and helping to clean up orphan and dormant accounts.
  • Assigning standardized access rights, using roles and rules, to new and transitioned users.
  • Enforcing policy regarding segregation of duties and identifying users who are already in violation.
  • Ensuring that changes to user entitlements are always authorized before they are completed.
  • Inviting business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.
  • Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.
  • Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.

Identity Manager reduces the cost of managing users and security entitlements:

  • Auto-provisioning and auto-deactivation leverage data feeds from HR systems to eliminate routine, manual user setup and tear-down.
  • Self-service eliminates IT involvement in simple updates to user names, phone numbers and addresses.
  • Delegated administration moves the responsibility for requesting and approving common changes, such as for new application or folder access, to business users.
  • Identity synchronization means that corrections to user information can be made just once, on an authoritative system and are then automatically copied to other applications.
  • Built-in reports make it easier to answer audit questions, such as "who had access to this system on this date?" or "who authorized this user to have this entitlement?"

How does Password Manager reduce help desk costs?

Password Manager reduces the IT support cost associated with passwords:

  • Lower problem frequency: Users have fewer passwords to remember, due to password synchronization. They are invited to change passwords in the morning, at the start of the week, after which the new password is used often and so is not forgotten. As a result, users tend to remember their passwords and have fewer problems.

  • Lower call volume: Not only do users have fewer login problems, but they can resolve those problems on their own. Self-service password reset and unlock are available at the PC login screen, on a browser, with a smart phone app or a phone call, on-site or away. Users who resolve their own problems don't call the help desk.

  • Lower peak volumes: Most password reset calls happen during a few short hours, at the beginning of the first work day of the week and especially after holidays. By driving down problem frequency and call volume generally, these peaks are attenuated. As a result, fewer total help desk staff are needed.

  • Reduced cost per incident: Even when users do call for support, a single and efficient web portal enables support staff to authenticate them, reset passwords, clear lockouts and generate tickets quickly and easily, shortening call duration and incident cost.

How does Password Manager improve user service?

Password Manager improves user service by simplifying password management:

  • Fewer passwords: Users only have to remember one or two passwords -- these are synchronized across the user's accounts on various systems.

  • Help off-site users: When a user is away from the office and forgets his PC login password, he must bring or ship his PC back to the office, so that any password reset can be applied to the local credential cache. Password Manager eliminates this business interruption by enabling self-service password reset, from the PC login prompt, even for users who are not at work.

  • Simpler UI: All passwords are managed through a single, friendly web portal.

  • Clear, consistent policy: Password composition rules are clearly explained and applied to all systems and applications.

  • Resolve login problems: In the event of a password or login problem, users can quickly resolve their own problem using self-service, rather than calling the help desk and waiting for service.

  • Advance warning of password expiry: Password expiration notices are delivered to all users, including off-site users who would otherwise get no warning before their account is locked out.

  • Personal vault: Users can store unmanaged credentials in a secure, personal password vault, accessible using their PCs or phones.

How does Password Manager improve security?

Password Manager improves the security of authentication processes:

  • Strong, uniform password policy: A strong, uniform set of password composition rules and an open-ended password history prevent the use of easily guessed passwords and ensure that all passwords are changed regularly.

  • Fewer passwords (to write down): Password synchronization reduces the burden on users, who can finally comply with rules against writing down their passwords.

  • Authenticate users before resetting passwords: Consistent, reliable authentication processes ensure that users are reliably identified before accessing either self-service or assisted password resets.

  • Two-factor authentication: Use of multiple credentials can be mandated ahead of every user interaction, blocking attacks in which someone convinces the help desk to reset a victim's password.

  • Secure SaaS logins: Federated access allows two-factor authentication to be extended to SaaS applications, not just Password Manager logins.

  • No more privileged support accounts: IT support staff can be empowered to reset passwords and clear lockouts through the Password Manager portal, without direct administrative rights on every system and application.

How does Password Manager compare to single sign-on?

Password Manager is not a single sign-on system. Rather, it manages and reduces the number of passwords that users must remember, but does not eliminate the need for users to type their own passwords.

Password management, rather than single sign-on, may be attractive because traditional enterprise single sign-on (E-SSO) systems have had problems, mainly related to the password database in which application login IDs and passwords are kept:

  • Remote Access and Mobile Devices:

    Over time, a traditional E-SSO system responds to applications expiring passwords by choosing new, random password values, submitting them to the application as the password change, and storing the random value for future reference.

    With this process in place, over time users lose knowledge of their own passwords and become dependent on the E-SSO system to sign into their applications. This means that users cannot access their applications from devices that are not equipped with the E-SSO software, such as smart phones or even their home PCs.

  • Cost to Deploy:

    Building and maintaining a database of every login ID and every password on every application can be both costly and time consuming.

  • Cost to Reset Passwords:

    Login IDs and passwords stored in a traditional E-SSO system are typically encrypted using a key derived from the user's primary network password. When users forget their primary password, they lose this key and can no longer decrypt their application passwords. As a result, password problems may be less frequent with E-SSO, but resolving them is more complicated, time consuming and expensive.

  • Security and Availability:

    In the event that the password database in a traditional E-SSO system is compromised, every user ID and every password would be exposed.

    If the password database suffers an outage, every user would be locked out of every application.
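The "Cost to Reset Passwords" point above, as an added example that is not part of this page or of any Hitachi ID product: a minimal E-SSO style credential vault whose records are encrypted under a key derived from the primary password, so a help-desk reset of that password makes every stored application password unrecoverable, beside a variant that escrows a random vault key under a recovery key so the reset path survives. All names, the toy cipher and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes) -> bytes:
    # Key derived from the user's primary network password (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 so the example needs only the
    # standard library; a real product would use an AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce || tag || ciphertext.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or corrupted record")  # a wrong primary password lands here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class TraditionalVault:
    # Application passwords encrypted directly under the password-derived key.
    def __init__(self, primary_password: str):
        self.salt = os.urandom(16)
        self.key = derive_key(primary_password, self.salt)
        self.records = {}
    def store(self, app: str, app_password: str) -> None:
        self.records[app] = seal(self.key, app_password.encode())
    def fetch(self, primary_password: str, app: str) -> str:
        return unseal(derive_key(primary_password, self.salt), self.records[app]).decode()

class EscrowedVault(TraditionalVault):
    # Records sit under a random vault key that is wrapped twice: under the user's
    # password-derived key and under a help-desk recovery key, so a primary password
    # reset re-wraps the vault key instead of orphaning every application password.
    def __init__(self, primary_password: str, recovery_key: bytes):
        self.salt, self.key, self.records = os.urandom(16), os.urandom(32), {}
        self.user_wrap = seal(derive_key(primary_password, self.salt), self.key)
        self.recovery_wrap = seal(recovery_key, self.key)
    def fetch(self, primary_password: str, app: str) -> str:
        vault_key = unseal(derive_key(primary_password, self.salt), self.user_wrap)
        return unseal(vault_key, self.records[app]).decode()
    def reset_primary_password(self, recovery_key: bytes, new_password: str) -> None:
        vault_key = unseal(recovery_key, self.recovery_wrap)  # help-desk path, old password not needed
        self.salt = os.urandom(16)
        self.user_wrap = seal(derive_key(new_password, self.salt), vault_key)

def demo() -> dict:
    # Constructed sample values, not real credentials.
    old_pw, new_pw, recovery = "Winter2019!", "Spring2020!", os.urandom(32)
    trad = TraditionalVault(old_pw)
    trad.store("sap", "sap-secret-1")
    try:
        result = {"traditional": trad.fetch(new_pw, "sap")}  # after a help-desk password reset
    except ValueError:
        result = {"traditional": "lost"}
    esc = EscrowedVault(old_pw, recovery)
    esc.store("sap", "sap-secret-1")
    esc.reset_primary_password(recovery, new_pw)
    result["escrowed"] = esc.fetch(new_pw, "sap")
    return result
```

The escrow variant shows the design cost the text alludes to: the recovery key becomes a second, high-value secret that itself needs protecting, which is part of why E-SSO password resets are more involved than a plain password change.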

In addition, traditional SSO systems have to integrate with a variety of subsystems on the user's PC, both to detect when a password prompt is displayed and to inject passwords into input fields. This requires integrations with:

  • The login subsystem on 32-bit and 64-bit editions of Windows (XP, Vista, 7, 8, 10, etc.).
  • Applications built using native Windows dialogs.
  • Applications built using frameworks such as Java AWT or Swing, which appear to the Windows OS as just bitmaps.
  • Web applications, rendered using any version of any web browser.
  • Unix or Linux applications, rendered in a terminal emulator such as PuTTY or SecureCRT.
  • X-Windows applications, rendered in an X Server such as Xming, Cygwin/X, VcXsrv or many others.
  • Applications on IBM z/OS mainframes or iSeries midrange servers, rendered in a TN3270 or TN5250 terminal emulator.
  • Undoubtedly, others...

Some organizations require integration with other platforms -- MacOSX, Android, iOS and Linux, which significantly expands the scope of the problem.

Each of these components operates totally differently than the others and has its own release cycle. Web browsers such as Chrome and Firefox, in particular, release new versions every 6 weeks or so, which often break backwards compatibility.

The net result of this complexity is that it is quite difficult to maintain compatibility across a variety of applications as application development frameworks constantly evolve. Customers are impacted in that they are either prevented from upgrading their endpoints (as this would introduce breakage), forced to upgrade their SSO software frequently, or left suffering frequent compatibility problems because upgrades to applications cause SSO to stop working.

Web single sign-on software (WebSSO) is less ambitious than enterprise SSO, but has none of its drawbacks. When users first access an Intranet page, they are diverted to an authentication page. Thereafter, whenever they access another page, their browser sends an encrypted authentication cookie to the web server, which validates it and does not prompt for a second login screen.

With agent-based WebSSO, there is no client software, no credential database and no costly password reset processes.

Password Manager can synchronize passwords across both legacy systems (network operating systems, applications, mainframes, etc.) and WebSSO systems, which typically authenticate users with an LDAP directory and password.

Is there an ROI model for Password Manager deployments?

There is a detailed return on investment (ROI) model for Hitachi ID identity management and access governance solutions at:

ROI from Password Manager is principally due to improved user productivity (fewer password problems) and reduced workload for the help desk.

How does Password Manager compare to products from other vendors?

Password management is a key element in an organization's identity management and access governance infrastructure. Other components may include automated onboarding/deactivation, an access request portal, authorization workflow, access certification, directories, meta directories, web single sign-on (WSSO) and web access management (WAM) products.

Password Manager may be compared to other identity management and access governance products as follows:

  • Rapid deployment

    Password Manager is designed for rapid deployment:

    • No client software required, even for access to self-service password reset from the PC login prompt, if users are on-premises.

    • Automated discovery of every login ID on every target system, typically every 24 hours.

    • Self-service login ID reconciliation where login IDs on different systems are different and there is no pre-existing correlation data.

    • A built-in identity cache that captures user profile data and eliminates the need to install or manage a database or directory before installing Password Manager.

    • Connectors for every common system and application eliminating the need for customers to develop their own connectors to common, off-the-shelf target systems.

    • Remote connectors mean that Password Manager can manage users and passwords on systems without requiring the installation of intrusive local software on each target system.

    • Flexible connectors enable organizations to integrate Password Manager with custom applications, vertical market software, application service providers (ASPs) and service bureaus quickly -- taking just 2 hours to 4 days per new target system.

  • General purpose password reset products

    Some password management products focus mainly on password reset.

    The advantage of Password Manager over such products is a fundamentally different strategy. With Password Manager, customers first seek to eliminate problems, through password synchronization. Self-service is used to divert remaining problems, rather than as a primary tool for call volume management.

    This approach generates a better ROI, through higher user adoption rates and better user service. Typically synchronization, self-service and assisted password resets together reduce help desk password problem load by 95%, as compared to about 60% for just self-service password reset.

    Password Manager is often less costly to purchase and deploy than products that offer just self-service password reset.

  • AD-only password reset products

    A number of products are designed only to enable users who forgot their primary AD password to answer a few security questions and reset this password. This may be offered via a web browser only, or from the PC login screen, or via a phone call.

    There are many problems with this approach:

    1. Users often have more than just an AD password. Consider SaaS applications, pre-boot passwords, etc.
    2. Users require access from more physical contexts. Consider the PC login screen, when the user is off-site, or the password prompt that unlocks an encrypted drive, pre-boot.
    3. Organizations should demand stronger authentication than just security questions.
    4. Automation is needed to drive user enrollment, to get better adoption rates and a good ROI.

    AD-only password reset programs generally fail all of the above tests and provide only very limited value.

  • Mainly-IAM products with minor password management features

    Products designed primarily to manage identities and entitlements often have a limited password reset capability, but this usually fails in all the important edge cases: managed user enrollment, access from the PC login screen, access from off-site, from pre-boot, etc. The result is poor user adoption and low ROI.

What platforms does Password Manager support?

  • Directories: Active Directory and Azure AD; any LDAP; NIS/NIS+ and eDirectory.
  • Databases: Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC.
  • Server OS -- X86/IA64: Windows: NT thru 2016; Linux and *BSD.
  • Server OS -- Unix: Solaris, AIX and HP-UX.
  • Server OS -- Mainframe: RACF, ACF/2 and TopSecret.
  • Server OS -- Midrange: iSeries (OS400); OpenVMS and HPE/Tandem NonStop.
  • ERP, CRM and other apps: Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Concur; Business Objects and Epic.
  • Messaging & collaboration: Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity.
  • Smart cards and 2FA: Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger.
  • Access managers / SSO: CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign.
  • Help desk / ITSM: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell.
  • Drive encryption: Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard.
  • Server health monitoring: HP iLO, Dell DRAC and IBM RSA.
  • HR / HCM: WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors.
  • Extensible / scriptable: CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python.
  • Hypervisors and IaaS: AWS; vSphere and ESXi.
  • Mobile management: BlackBerry Enterprise Server and MobileIron.
  • Network devices: Cisco IOS, PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform.
  • Filesystems and content: Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP/Anywhere; and Twitter.
  • SIEM: Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events.
  • Management & inventory: Qualys; McAfee ePO and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack.

How is Password Manager licensed?

Password Manager pricing is based on the number of users (people, not login accounts). This includes all features, all connectors, all client software components and the right to run as many servers and CPUs as desired. A one-time purchase grants customers the perpetual right to use Password Manager.

Password Manager pricing is calculated using a smooth curve -- as the number of users increases, the price per user steadily decreases. This means that customers do not have to base their purchase volumes on price bands or tiers. Instead, customers purchase for the number of users actually required, knowing they will get the best price for that volume.

Customers are encouraged to, over time, extend their deployment of Password Manager to manage new target systems and to activate new features, at no additional charge.

Customers may run as many Password Manager servers as required, to provide high availability, redundancy and a test/QA environment, at no additional charge.

How long does it take to deploy Password Manager?

A basic Password Manager deployment typically requires from 10 to 40 days of work to design and implement.

At the larger end of the above spectrum are more complex implementations that include integrations with drive encryption programs, telephony infrastructure, VPNs (for self-service by off-site users), access from mobile phones and many password systems.

Once the software is active, user enrollment is often required. User enrollment is an ongoing process, as new staff are hired. In most cases, all users can be invited to enroll and most can be expected to complete registration, within 2-3 months of initial deployment.

How much work is needed to manage Password Manager in production?

Password Manager does not require active ongoing administration of user profiles and system functionality. Users are automatically detected on target systems and enrolled, and are invited to register additional information only if it is required.

A Password Manager administrator is required to monitor the servers, promote consistent password management to application owners, answer questions from the user community and perform periodic software upgrades.

These responsibilities typically amount to approximately 0.25 FTE.
