The following architectural description applies to the entire Hitachi ID Bravura Security Fabric when the software is deployed on-premises:

Hitachi ID Bravura Security Fabric is designed for:

  • Security:

    Hitachi ID Bravura is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.

  • Scalability:

    Multiple Hitachi ID Bravura servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, active-active, geographically distributed architecture that is straightforward to set up, because replication is handled at the application layer rather than in the database.

  • Performance:

    Hitachi ID Bravura uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which minimize communication overhead between the application and the database (and mean the application issues no ad hoc SQL). All Hitachi ID Bravura code is native code, which the vendor states provides a 2x to 10x performance advantage over Java or .NET.

  • Openness:

    Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).

  • Flexibility:

    Both the Hitachi ID Bravura user interface and all functionality can be customized to meet enterprise requirements.

  • Low TCO:

    Hitachi ID Bravura is easy to set up and requires minimal ongoing administration.

Figure [link] illustrates the Hitachi ID Bravura network architecture when deployed on-premises:

Hitachi ID Bravura network architecture

  • Users normally access Hitachi ID Bravura using HTTPS from a web browser.

  • Multiple Hitachi ID Bravura servers may be load balanced using either an IP-level device (e.g., Cisco LocalDirector, F5 BIG-IP) or simply using DNS round-robin distribution. Note that DNS round-robin performs no health checking, so a failed server continues to receive its share of new connections until the DNS record is changed; an IP-level load balancer can take it out of rotation automatically.

  • Native password changes on some systems may trigger transparent password synchronization. A password change interceptor DLL, library or exit may capture such changes and initiate transparent password synchronization.

  • Users may interact with Hitachi ID Bravura via an app on their phone. Where the Hitachi ID Systems customer allows this, the app on the phone connects via HTTPS to a Linux/Tomcat proxy server, hosted either in the cloud or in the customer's DMZ. At the same time, each Hitachi ID Bravura server keeps open a pool of outbound HTTPS connections to the same proxy system(s), so no inbound connection to the internal network is required. The proxies broker communication from user phones to the on-premises Hitachi ID Bravura server(s) only after authenticating both connections. The app authenticates by presenting a key that was deployed to the phone at activation time and that may be revoked at any time.

  • Users may make a voice phone call to an interactive voice response (IVR) system and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.

  • Hitachi ID Bravura connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems.

  • Local agents are provided for Unix/Linux servers and z/OS mainframes. A local agent is recommended for z/OS; on Unix/Linux it is only needed where no SSH daemon (SSHD) is available. Use of these agents improves transaction security, speed and concurrency.

  • Where target systems are remote and communication with them is slow, insecure or blocked by a firewall or NAT, a Hitachi ID Bravura proxy server may be co-located with the target system in the remote location. In this case, servers in the main Hitachi ID Bravura server cluster initiate fast, encrypted connections to the remote proxies; the proxies decode these transactions and forward them to the target systems locally, using the targets' native protocols, which may be slow and/or insecure but now never cross the untrusted network segment.

  • Hitachi ID Bravura can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).

  • Hitachi ID Bravura can send e-mails to users asking them to complete enrollment, participate in workflow processes or to notify them of events impacting their profiles. Over 300 events can trigger e-mail notification.

  • Hitachi ID Bravura can create tickets on many types of incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 300 events can trigger ticket generation. Binary integrations are available for 20 help desk applications and open integration is possible using mail, ODBC, SQL and web services.
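The mobile-app proxy bullet above describes a rendezvous broker: phones connect inbound to a cloud/DMZ proxy, on-premises servers connect outbound to the same proxy, and the proxy relays only between two authenticated connections. The following is an added illustrative model of that flow, written for this page; it is not Hitachi ID code and does not reflect the product's actual wire protocol. The HMAC-SHA256 challenge/response, the shared server secret, the single-use nonces and all names (Proxy, OnPremServer, phone_sign, demo) are assumptions chosen to make the pattern concrete, standing in for whatever key-based authentication the product uses over HTTPS.

```python
"""Model of a two-sided authenticated broker (added example, not product code).

Assumptions for illustration: the phone's provisioned key and the on-prem
server's shared secret are 32 random bytes, authentication is HMAC-SHA256 over
a proxy-issued single-use nonce, and TLS is assumed to be handled elsewhere.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class DeviceRecord:
    """Key provisioned to one phone at activation time; revocable at any time."""
    device_id: str
    key: bytes
    revoked: bool = False


class OnPremServer:
    """Stand-in for an on-premises server that dials out to the proxy."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret  # shared with the proxy (assumption)

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

    def handle(self, request: dict) -> dict:
        # A real server would run the self-service transaction; this echoes it.
        return {"served_by": self.name, "action": request["action"], "status": "ok"}


class Proxy:
    """Cloud/DMZ broker: relays a phone request to an on-prem server only when
    the phone connection and the server connection are both authenticated."""

    def __init__(self, server_secret: bytes):
        self.devices: dict[str, DeviceRecord] = {}
        self.server_pool: list[OnPremServer] = []
        self.server_secret = server_secret
        self._pending: set[bytes] = set()  # nonces issued but not yet used
        self._next = 0

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def _consume(self, nonce: bytes) -> bool:
        # Each nonce is accepted once, so a captured tag cannot be replayed.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        return True

    # Phone side: key issued at activation, checked on every connection.
    def activate_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.devices[device_id] = DeviceRecord(device_id, key)
        return key  # delivered to the phone once, at activation

    def revoke_device(self, device_id: str) -> None:
        self.devices[device_id].revoked = True

    def device_authenticated(self, device_id: str, nonce: bytes, tag: bytes) -> bool:
        rec = self.devices.get(device_id)
        if not self._consume(nonce) or rec is None or rec.revoked:
            return False
        expected = hmac.new(rec.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    # Server side: servers connect outbound, so only egress is needed.
    def register_server(self, server: OnPremServer, nonce: bytes, tag: bytes) -> bool:
        if not self._consume(nonce):
            return False
        expected = hmac.new(self.server_secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.server_pool.append(server)
        return True

    def broker(self, device_id: str, nonce: bytes, tag: bytes, request: dict) -> dict:
        if not self.device_authenticated(device_id, nonce, tag):
            raise PermissionError("phone not authenticated or key revoked")
        if not self.server_pool:
            raise ConnectionError("no authenticated on-prem server in the pool")
        server = self.server_pool[self._next % len(self.server_pool)]  # round-robin
        self._next += 1
        return server.handle(request)


def phone_sign(key: bytes, nonce: bytes) -> bytes:
    """What the app does with its provisioned key when the proxy challenges it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> tuple:
    """Activate a phone, relay one request, revoke the phone, confirm refusal."""
    shared = secrets.token_bytes(32)
    proxy = Proxy(server_secret=shared)
    srv = OnPremServer("bravura-1", shared)
    n = proxy.challenge()
    assert proxy.register_server(srv, n, srv.prove(n))

    key = proxy.activate_device("phone-42")
    n = proxy.challenge()
    reply = proxy.broker("phone-42", n, phone_sign(key, n), {"action": "reset_password"})

    proxy.revoke_device("phone-42")
    n = proxy.challenge()
    try:
        proxy.broker("phone-42", n, phone_sign(key, n), {"action": "reset_password"})
        rejected = False
    except PermissionError:
        rejected = True
    return reply, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering: the proxy never forwards anything until the phone has proven possession of a non-revoked key and at least one server has proven possession of the shared secret over its own outbound connection, and every nonce is honoured once so a captured response cannot be replayed. Revocation takes effect on the next challenge, without touching the on-premises servers.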