Hitachi ID Systems, Inc.


ID-Synch White Paper

Abstract
This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how ID-Synch® addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.

Introduction

This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how ID-Synch addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.

ID-Synch is the user provisioning component of Hitachi ID Management Suite®. Hitachi ID Management Suite is described in [link].

The remainder of this document is organized as follows:

Business Challenges With User Provisioning

Several factors combine to make management of users and their security rights a growing challenge for many organizations:

These factors lead to the following costly business problems:

ID-Synch is an automated user provisioning solution, designed to address these challenges.

Shared Identity Management Infrastructure

Systems administration burden is growing because there are an increasing number of systems to manage, and because almost every system manages user profiles in its own silo. For example, a single (human) user might have a personal profile on the mainframe, an LDAP directory, an e-mail system, an ERP system and elsewhere. Each of these systems is managed separately -- by different administrators, using different tools.

The natural solution for this problem is to consolidate the per-system stores of user information (variously called user directories or security databases) into a single repository, and to configure every system to refer to that repository as the authoritative system of record for user identity.

This approach has some merit, hence the popularity of LDAP. However, it also has problems:

The result of these problems is that while LDAP has helped to slow the proliferation of user databases, organizations continue to require, and must still manage, multiple systems that house data about users.

Since most organizations continue to have multiple user directories, the next best solution is to implement consolidated processes to manage user objects and access rights across multiple systems.

ID-Synch is designed to provide a shared set of processes and infrastructure to manage users and access across heterogeneous systems. It implements multiple processes that an organization can use to provision, update and deactivate user access to multiple systems.

Streamlined User Provisioning Processes

User Lifecycle

The basic lifecycle of identity management begins with hiring a user. This triggers creation of one or more system login accounts and other user objects (e.g., HR record, phone book entries, etc.).

Over time, the user will make numerous routine password changes, and may periodically forget his password, and require an administrative password reset on one or more systems.

As the user moves through an organization, changing job functions and possibly locations, the systems he must access, and his required privileges on those systems will change.

Finally, when a user leaves an organization, his access rights must be terminated. In most cases, his actual IDs persist for a while, until they are no longer required. In many organizations, user identifiers are never reused, to support long-term audit trails.

Each of the above processes is traditionally handled separately on each system. Each system has its own user directory and user/security management tools. In most organizations, each application is managed by its own administrators.

ID-Synch, a part of Hitachi ID Management Suite, is designed to leverage a single set of business processes to manage users and access rights on multiple systems, as illustrated in Figure [link].

Figure: User Lifecycle Management

Automated Change Propagation

ID-Synch can monitor one or more systems of record on a periodic basis (e.g., nightly or every few hours), searching for updates to user profiles. Updates may include new hires, terminations and changes to user profiles (e-mail addresses, job codes, department codes, location and so on).

These changes are first passed through a data filter, which removes objects that are outside the scope of the ID-Synch deployment. For instance, a global enterprise might have a global HR system that is used as a system of record, but only users on a single continent may be in scope for ID-Synch automated management. In this example, changes noted to users in other regions are removed from the authoritative data feed before it is processed further.

Next, changes to user objects noted on authoritative systems are transformed, using roles, rules or both, to calculate what login accounts, attributes and group memberships the affected users should have or whether their access should be created or terminated.

Transformed user profile data may then be:

This process is known as automated administration or, alternately, as automatic change propagation. It is implemented by the idcompare component in ID-Synch.

Several ID-Synch modules are involved in automated account creation, update, suspension and deletion, based on changes to user profiles on systems of record:

  1. An auto-discovery engine, which extracts complete lists of users from each managed system, nightly (psupdate).

    These lists can be configured to include the time and date of last login, and other specified attributes and group memberships.

  2. Login ID reconciliation, which connects login IDs on different systems to individual users (PSL):

  3. Installation-specific list programs, which typically extract data from one or more systems of record (HR or other), merge the data and so create a "master" list of current users and their authoritative attributes. Normally this is accomplished using SQL scripts or CSV imports in psupdate.

  4. A batch load system, which accepts lists of users and their attributes from both the authoritative systems and managed systems as input, executes appropriate business logic to transform authoritative data into expected data on the managed systems, calculates the difference between the desired and current state on each managed system and sends this difference either directly to agents or to the authorization workflow (idcompare).

  5. An agent execution service, which accepts update transactions (from idcompare) and pushes them to target systems, possibly repeatedly, until they succeed. (iddriver, pushid)

  6. A set of agents, each of which is designed to manage users on a particular type of target system.
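The pipeline in steps 1 to 6, reduced to a small Python illustration. This is added example code, not ID-Synch's own; the HR feed, the discovered account lists, the login-ID map, the role rules and the login-naming convention are all constructed for the example, and the module names psupdate, PSL and idcompare appear only as the steps being mimicked. It shows what a practitioner wants to verify before trusting the idcompare step: leavers are suspended before anything else is touched, out-of-scope records are ignored entirely (even when they own a mapped account), and accounts with no reconciled owner are reported rather than deleted.

```python
"""Desired-versus-actual account reconciliation, added as an illustration of the
process above. It is not ID-Synch code: the scope filter, role rules, login-ID
map and diff below mimic what the text attributes to psupdate, PSL and idcompare.
All records, system names, role rules and the login convention are constructed."""

# Constructed HR feed (system of record); 'region' drives the scope filter.
HR_FEED = [
    {"emp_id": "1001", "name": "Ada King", "dept": "ENG", "region": "NA", "status": "active"},
    {"emp_id": "1002", "name": "Ben Ortiz", "dept": "FIN", "region": "NA", "status": "active"},
    {"emp_id": "1003", "name": "Cho Lin", "dept": "ENG", "region": "NA", "status": "terminated"},
    {"emp_id": "2001", "name": "Dee Roux", "dept": "ENG", "region": "EU", "status": "active"},
]
# Constructed auto-discovery output: current accounts on each managed system.
DISCOVERED = {
    "AD": {"aking": {"enabled": True, "groups": {"Domain Users"}},
           "bortiz": {"enabled": True, "groups": {"Domain Users"}},
           "clin": {"enabled": True, "groups": {"Domain Users", "Eng"}},
           "droux": {"enabled": True, "groups": {"Domain Users", "Eng"}},
           "svc_backup": {"enabled": True, "groups": {"Domain Users"}}},
    "SAP": {},
}
# Constructed login-ID reconciliation: emp_id -> {system: login}.
ID_MAP = {"1001": {"AD": "aking"}, "1002": {"AD": "bortiz"},
          "1003": {"AD": "clin"}, "2001": {"AD": "droux"}}
# Constructed role rules: department -> systems and groups a member should hold.
ROLE_RULES = {"ENG": {"AD": {"Domain Users", "Eng"}},
              "FIN": {"AD": {"Domain Users"}, "SAP": {"FI_USER"}}}


def desired_state(hr_feed, regions, rules):
    """Filter the feed to the deployment's scope, then apply role rules.
    Returns (desired, terminated): emp_id -> {system: set(groups)} for active
    users, and the set of in-scope leavers. Out-of-scope users appear in neither."""
    desired, terminated = {}, set()
    for rec in hr_feed:
        if rec["region"] not in regions:
            continue  # data filter: other regions are removed from the feed
        if rec["status"] == "terminated":
            terminated.add(rec["emp_id"])
        else:
            desired[rec["emp_id"]] = {s: set(g) for s, g in rules.get(rec["dept"], {}).items()}
    return desired, terminated


def proposed_login(name):
    """Template-style login for a new account (constructed rule: initial + surname)."""
    return (name.split()[0][0] + name.split()[-1]).lower()


def reconcile(desired, terminated, id_map, discovered, hr_by_id, strict_roles=False):
    """Diff desired against discovered state and emit ordered transactions.
    Leavers are suspended first so a failure later cannot leave them active.
    Group removals are emitted only with strict_roles=True: stripping access the
    role does not predict is policy reconciliation, which is optional here."""
    txns = []
    for emp_id in sorted(terminated):
        for system, login in sorted(id_map.get(emp_id, {}).items()):
            acct = discovered.get(system, {}).get(login)
            if acct and acct["enabled"]:
                txns.append({"op": "disable", "system": system, "login": login, "emp_id": emp_id})
    for emp_id in sorted(desired):
        for system, want in sorted(desired[emp_id].items()):
            login = id_map.get(emp_id, {}).get(system)
            acct = discovered.get(system, {}).get(login) if login else None
            if acct is None:  # no reconciled account on this system: create one
                txns.append({"op": "create", "system": system, "emp_id": emp_id,
                             "login": login or proposed_login(hr_by_id[emp_id]["name"]),
                             "groups": sorted(want)})
                continue
            if not acct["enabled"]:
                txns.append({"op": "enable", "system": system, "login": login, "emp_id": emp_id})
            for group in sorted(want - acct["groups"]):
                txns.append({"op": "add_group", "system": system, "login": login,
                             "emp_id": emp_id, "group": group})
            if strict_roles:
                for group in sorted(acct["groups"] - want):
                    txns.append({"op": "remove_group", "system": system, "login": login,
                                 "emp_id": emp_id, "group": group})
    return txns


def orphans(id_map, discovered):
    """Accounts with no reconciled owner. Report them; never delete automatically,
    since an unmatched account may be a service account or a reconciliation gap."""
    known = {(s, l) for m in id_map.values() for s, l in m.items()}
    return sorted((s, l) for s, accts in discovered.items() for l in accts if (s, l) not in known)


def run(regions=frozenset({"NA"})):
    """One nightly pass over the constructed data for the given scope."""
    hr_by_id = {r["emp_id"]: r for r in HR_FEED}
    desired, terminated = desired_state(HR_FEED, regions, ROLE_RULES)
    return reconcile(desired, terminated, ID_MAP, DISCOVERED, hr_by_id), orphans(ID_MAP, DISCOVERED)
```

Run against the constructed data with scope NA, `run()` yields three transactions (disable clin, add aking to Eng, create a SAP account for Ben Ortiz) and one orphan (svc_backup on AD); droux is untouched because the EU record never enters the feed. In a real deployment the transaction list is what goes to the authorization workflow or to the agent execution service, and the orphan list is what a reviewer looks at, not what an agent acts on.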

Change Request Workflow

A key capability in ID-Synch is to accept change requests, to route them to the appropriate authorizers, and to act on change requests once sufficient authority has been received. This is designed to streamline requests, and to eliminate the need for system administrators to manually fulfill authorized changes.

ID-Synch's workflow automation engine streamlines the process of requesting and authorizing the creation of new accounts, as well as other security changes such as add/remove group membership, change attribute value, rename or move user, delete or deactivate user and so on.

The ID-Synch workflow engine uses secure web input (HTTPS) and prompts authorizers for input using e-mail (normally SMTP).

The workflow automation engine works as follows:

The ID-Synch workflow engine has built-in support for automatic reminders, escalation and delegation:

Templates and Roles to Simplify Setup

ID-Synch provisions new users with templates and roles:

ID-Synch does not require that users be classified into roles. Policy-based provisioning, in which users' actual access privileges are compared to those predicted by their role membership, is technically possible with ID-Synch; however, Hitachi ID recognizes that most organizations will be unable to reliably and fully classify existing users into roles, so user/role classification and policy reconciliation are not ID-Synch prerequisites.

Search tags, including type and location, are attached to templates and roles in ID-Synch to make them easier for end users to find. Resources such as templates, roles and managed groups are also associated with authorizers.

Consolidated and Delegated Security Administration

Delegated user administration makes it possible to grant limited security privileges to departmental or regional staff. For example, an IT administrator at a business unit may be allowed to create new users in that business unit, and manage the user profiles and access privileges of local users. The same IT administrator would be unable to access user profiles for staff working in other business units and may only be able to perform certain types of updates, on certain systems.

Delegated user administration is implemented in the same manner as consolidated user administration, but with the addition of access controls, as is illustrated in Figure [link].

Figure: Consolidated and Delegated User Administration Console

The scope of authority of a given security administrator can be limited to certain users, certain systems, certain groups or certain OUs. Access controls are normally implemented using business logic, which accesses information about both the IT administrator and intended recipients of security changes, to dynamically determine what kinds of updates are allowed.
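A deny-by-default version of that business logic, added here as an illustration and not ID-Synch's own code; the administrator profiles, users, systems, groups and operation names are constructed. The point a practitioner checks is that the decision uses attributes of both parties (the administrator's scope and the recipient's business unit), and that a delegated administrator cannot grant a group outside the set they manage, which is the usual path from "local admin" to "domain admin".

```python
"""Delegated-administration check, added as an illustration of the access
controls described above; it is not ID-Synch's business logic. The decision
considers both the administrator's profile and the intended recipient's, and
is deny-by-default across four dimensions: business unit, target system,
operation type and, for membership changes, the group being granted.
Administrator profiles, users, systems, groups and operation names are constructed."""

# Constructed administrator scopes.
ADMINS = {
    "it.emea": {"business_units": {"EMEA"}, "systems": {"AD", "Exchange"},
                "operations": {"create_user", "reset_password", "add_group", "remove_group"},
                "groups": {"EMEA-Staff", "EMEA-Sales"}},
    "helpdesk.na": {"business_units": {"NA"}, "systems": {"AD"},
                    "operations": {"reset_password"}, "groups": set()},
}
# Constructed recipient profiles (what the directory knows about existing users).
USERS = {
    "aking": {"business_unit": "NA"},
    "droux": {"business_unit": "EMEA"},
}
MEMBERSHIP_OPS = {"add_group", "remove_group"}


def authorize(admin_id, op, system, recipient, group=None):
    """Return (allowed, reason). `recipient` is the profile of the user affected;
    for create_user it comes from the request itself, so the caller must have
    validated it (a self-declared business unit is an obvious bypass otherwise)."""
    admin = ADMINS.get(admin_id)
    if admin is None:
        return False, "unknown administrator"
    if recipient.get("business_unit") not in admin["business_units"]:
        return False, "recipient outside administrator's business unit"
    if system not in admin["systems"]:
        return False, f"system {system} not in administrator's scope"
    if op not in admin["operations"]:
        return False, f"operation {op} not permitted for this administrator"
    if op in MEMBERSHIP_OPS:
        if group is None:
            return False, "group required for membership change"
        if group not in admin["groups"]:
            # Stops a delegated admin from granting themselves or others a group
            # outside their remit, e.g. a directory-wide privileged group.
            return False, f"group {group} not in administrator's scope"
    return True, "ok"


def authorize_existing(admin_id, op, system, login, group=None):
    """Convenience wrapper for operations on an existing user: look the
    recipient up in the directory rather than trusting the request."""
    user = USERS.get(login)
    if user is None:
        return False, "unknown target user"
    return authorize(admin_id, op, system, user, group)
```

Every denial carries a reason string so the audit log records which dimension failed; the checks are ordered so that a request for an out-of-scope user is rejected before the system or operation is even considered.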

Enterprise-wide Security Reporting

All data in ID-Synch is available via ODBC and accessible using standard analytical tools (Crystal Reports, MS-Access, MS-Excel, SQL queries, etc).

The schema is well documented and this documentation is available to all product licensees and to evaluators under NDA. The current release schema documentation is about 175 pages long, and includes detailed descriptions of every field, table, relation, value constraint, etc.

Data available through ID-Synch includes:

ID-Synch includes a number of standard reports, available through a web user interface, from the command-line, or by e-mail:

Advantages of the reporting subsystem in ID-Synch include:

Web Services Flexibility

ID-Synch exposes an API (application programming interface) supporting features such as creating or deleting users on target systems, modifying user membership in security groups on target systems and modifying user attributes.

The API is accessed using SOAP and is described by a WSDL specification.

The ID-Synch API is particularly useful for extending meta-directories to manage new types of target systems, and for enabling custom-written and third-party workflow engines to complete a user provisioning operation with actual updates to target systems, rather than with instructions to a human security administrator.

ID-Synch Technology

Network Architecture

ID-Synch is designed for:

Figure: Network architecture diagram

This diagram illustrates the ID-Synch network architecture:

Supported Target Platforms

ID-Synch has built-in integration for many common types of systems, plus programmable agents that can be readily adapted to manage IDs and passwords on applications and hosted services.

The supported platforms may be summarized as follows:

Directories: LDAP (any), Active Directory, Windows NT domains, Novell eDirectory, Novell NDS, Unix NIS and NIS+, Kerberos/DCE (any)

File/print: Windows NT/2000/2003, Novell NetWare, OS2 LanManager, Samba

Mainframes: MVS / OS/390 / zOS, RACF, CA-ACF2, CA-TopSecret, VM/ESA, Siemens BS2000, Tandem NonStop, Unisys MCP

Unix: AIX, DGUX, Digital Unix, HPUX, IRIX, Linux, NCR, OSF4, SCO OS, Solaris, SunOS, Tru64, UnixWare, Unisys, passwd, shadow, Trusted Computing Base

Midrange: HP MPE, OS/400/iSeries, OpenVMS

Database: DB2/UDB, Informix, MSSQL, ODBC, Oracle, Sybase

ERP: SAP R/3 4.0+, PeopleSoft 7.5+, Oracle Applications 11i+, JDE OneWorld

Messaging: MS Exchange 5.5, MS Exchange 2000/03/07, Novell GroupWise, Lotus Domino/HTTP, Lotus Notes/ID files, HP OpenMail

WebSSO: RSA ClearTrust, Entrust getAccess, Netegrity SiteMinder, Oracle COREid, SAP portal

Flexible agents: API integration, LDAP attributes, MQ Series, SQL commands, Telnet/TN3270/TN5250 sessions, Unix/Windows cmd-line integration, web forms, web services (SOAP, XML)

Hardware tokens and smartcards: RSA SecurID, Secure Computing SafeWord, Vasco Digipass, GemPlus, Precise Biometrics

Miscellaneous: RADIUS (various), local and cached Windows passwords, Peregrine ServiceCenter, Remedy ARS, Clarify eFrontOffice, NAI Magic, Tivoli ADSM, IBM OLAP, IBM Tivoli Access Manager Connected Backup

ID-Synch includes a number of flexible agents, each of which is programmable (and thus can be said to embody an SDK (software development kit)). These agents allow organizations to integrate ID-Synch with custom and vertical-market applications quickly and with a minimum of programming or scripting.

Flexible agents expose a number of processes, including:

Organizations that wish to write a completely new agent to a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as a command-line or web service target using the appropriate ID-Synch flexible agent.

An effort of 4 hours to 4 days is typically required to integrate ID-Synch with a custom or vertical market application. This compares favorably with competitors' products, where a custom Java or other 3GL connector must be written from scratch, taking weeks or months and requiring the ID-Synch administrator to have significant programming experience and the ability to learn how to use a new framework and API quickly.

In most cases, ID-Synch does not require the installation of local agent software on target systems. The only exceptions to this are two applications which do not publish a remote administration facility at all: RSA Authentication Manager servers and Entrust getAccess servers.

ID-Synch does include local agents for deployment on Unix and OS/390/zOS servers. Users and passwords on these systems can also be managed without a local agent, by driving a terminal session over Telnet, TN3270 or SSH, but such terminal connections are slower, less reliable and (except for SSH) less secure than what a local agent can provide.

Ultimately, each organization must weigh the lighter change-control burden of agentless management (no software installed on the target) against more secure, faster and more reliable administration of its Unix and OS/390/zOS systems, and decide accordingly whether local agents will be installed on them.

In no case do the provided local agents interfere with the target system's normal operation -- the login process on each target system remains the same and no significant CPU or other load is placed on target systems.

Process Integration

Identity management is integral to an organization's business processes, and ID-Synch is designed to integrate with existing processes and systems:

Scalability

Scalability in a combined system for user provisioning, access management and password management is primarily relevant to the password management component:

Typical peak transaction rates for a 10,000 person organization are 10 events/hour for provisioning and 5,000 events/hour for password synchronization.

Accordingly, the following discussion focuses on P-Synch®, since password management requires extreme scalability, which account provisioning does not. ID-Synch is built on the same scalable architecture, but simply does not require the same benefits.

P-Synch has been deployed by very large corporations. Anecdotal examples of its scalability include:

The P-Synch architectural features that support scalability include:

In addition, P-Synch incorporates many features that, while not directly performance-related, are required by large organizations:

Security

ID-Synch improves the security of user access administration processes:

ID-Synch is designed to be secure. It is protected using a multi-layered security architecture, which includes running on a hardened OS, using file system ACLs, providing strong application-level user authentication, filtering user inputs, encrypting sensitive data, enforcing application-level ACLs, storing log data indefinitely and more.

ID-Synch never requires plaintext passwords to be stored in configuration files or scripts and does not store plaintext passwords anywhere. ID-Synch does not ship with a default administrator password -- one must be typed in at installation time.

These security measures are illustrated in Figure [link].

Figure: Network architecture security diagram

Rapid Deployment

Hitachi ID solutions are optimized for rapid deployment and this is a core design characteristic for all our products. Features such as a dynamic workflow, eliminating the need for role engineering, auto-discovery and self-service login ID reconciliation are intended specifically to eliminate cost and delays that separate product acquisition from production deployment.

ID-Synch is designed for rapid deployment:

P-Synch is designed for rapid deployment:

Return on Investment

ID-Synch realizes cost savings for security administrators and enhanced productivity for users:


Summary

Efficient and reliable user provisioning yields better productivity for users, reduced administration overhead, and better security.

ID-Synch allows organizations to streamline their user provisioning, access management and termination processes through:

ID-Synch is designed to be scalable, secure and easy to deploy.


Appendix: Hitachi ID Management Suite Overview


Hitachi ID Management Suite is a complete identity management solution enabling organizations to more securely and efficiently manage the user lifecycle across enterprise applications and systems.

Hitachi ID Management Suite combines the power of Hitachi ID's flagship technologies, ID-Synch for user provisioning and P-Synch for password management, with more targeted products including ID-Access® to manage user access rights, ID-Certify® to review user rights and clean up stale privileges and ID-Archive™ to securely manage sensitive credentials.

Hitachi ID Management Suite creates real business value by increasing productivity for users, reducing IT overhead, strengthening network security and providing internal controls to support compliance with privacy protection and corporate governance regulations.

Hitachi ID Management Suite is designed as identity management middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and authentication factors across multiple systems and platforms. This is illustrated in Figure [link].

Figure: Hitachi ID Management Suite Overview: Identity Middleware

Hitachi ID Management Suite includes several functional identity management modules:

The relationships between Hitachi ID Management Suite components are illustrated in Figure [link].

Figure: Components of Hitachi ID Management Suite