Hitachi ID Systems, Inc.


Hitachi ID Identity Manager White Paper

Abstract
This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how Hitachi ID Identity Manager (formerly ID-Synch) addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.

Introduction

This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how Hitachi ID Identity Manager addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.

Hitachi ID Identity Manager is the user provisioning component of Hitachi ID Management Suite. Hitachi ID Management Suite is described in [link].

The remainder of this document is organized as follows:

Business Challenges With User Provisioning

Several factors combine to make management of users and their security rights a growing challenge for many organizations:

These factors lead to the following costly business problems:

Hitachi ID Identity Manager is an automated user provisioning solution, designed to address these challenges.

Shared Identity Management Infrastructure

Systems administration burden is growing because there are an increasing number of systems to manage, and because almost every system manages user profiles in its own silo. For example, a single (human) user might have a personal profile on the mainframe, an LDAP directory, an e-mail system, an ERP system and elsewhere. Each of these systems is managed separately -- by different administrators, using different tools.

The natural solution for this problem is to consolidate information about users (sometimes referred to as user directories or security databases) into a single repository, and configure every system to refer to that single repository as an authoritative system of record regarding user identity.

This approach has some merit, hence the popularity of LDAP. However, it also has problems:

The result of these problems is that while LDAP has helped to slow the proliferation of user databases, organizations continue to require, and must still manage, multiple systems that house data about users.

Since most organizations continue to have multiple user directories, the next best solution is to implement consolidated processes to manage user objects and access rights across multiple systems.

Hitachi ID Identity Manager is designed to provide a shared set of processes and infrastructure to manage users and access across heterogeneous systems. It implements multiple processes that an organization can use to provision, update and deactivate user access to multiple systems.

Streamlined User Provisioning Processes

User Lifecycle

The basic lifecycle of identity management begins with hiring a user. This triggers creation of one or more system login accounts and other user objects (e.g., HR record, phone book entries, etc.).

Over time, the user will make numerous routine password changes, may periodically forget his password and will then require an administrative password reset on one or more systems.

As the user moves through an organization, changing job functions and possibly locations, the systems he must access and his required privileges on those systems will change.

Finally, when a user leaves an organization, his access rights must be terminated. In most cases, his actual IDs persist for a while, until they are no longer required. In many organizations, user identifiers are never reused, to support long-term audit trails.

Each of the above processes is traditionally handled separately on each system. Each system has its own user directory and user/security management tools. In most organizations, each application is managed by its own administrators.

Hitachi ID Identity Manager, a part of Hitachi ID Management Suite, is designed to leverage a single set of business processes to manage users and access rights on multiple systems, as illustrated in Figure [link].

Figure: User Lifecycle Management

Automated Change Propagation

Hitachi ID Identity Manager can monitor one or more systems of record on a periodic basis (e.g., nightly or every few hours), enumerating new, deleted and changed users. In the case of an HR application, for example, these changes may represent new hires, terminations and transfers. Auto-discovery is performed on all integrated systems and applications -- not just systems of record.

Changes detected by Hitachi ID Identity Manager are passed through a data filter, which removes users that are outside Hitachi ID Identity Manager's scope. For instance, in a scenario where Hitachi ID Identity Manager manages all users in one country, but the HR system is global, Hitachi ID Identity Manager would ignore changes to users from other countries.

All changes to a given user are aggregated and business logic is executed, with the set of changes as input. This is best illustrated with some examples:

Detected change: New user appears in an HR application.
Actions:
  • Look up the appropriate role based on the user's location and job code.
  • Submit a change request to the Hitachi ID Identity Manager workflow engine to create a new user, with the HR-provided identity attributes and with the resources specified by the role.
Net result: Auto-provisioning.

Detected change: New phone number detected on the white pages directory.
Actions:
  • The white pages directory has a higher priority for the phone number attribute than other systems.
  • Submit a change request to the Hitachi ID Identity Manager workflow engine to change the phone number in the user's profile.
  • Once approved (most likely automatically), the new phone number is mapped to other login IDs belonging to the user, and agents are run to update this information on other systems.
Net result: Identity synchronization.

Detected change: Change to termination date is detected on the HR system.
Actions:
  • Using the identity synchronization mechanism described above, set this date on the user's profile.
  • A separate batch process periodically identifies users with termination dates of today or earlier, and submits requests to disable all accounts for every matching user.
Net result: Automated termination.

Detected change: User disappears from the system of record (HR).
Actions:
  • Look up all of the user's login IDs.
  • Submit a "disable all accounts" change request to the Hitachi ID Identity Manager workflow engine.
  • Given the source of the request (employee gone from HR), this type of change may be auto-approved.
Net result: Automated termination (second method).

Detected change: User was added to the Administrators group on an Active Directory domain.
Actions:
  • Since the change was detected on AD, it follows that it was not initiated by Hitachi ID Identity Manager.
  • Submit two change requests to the workflow engine:
    • Remove the user from the Administrators group (this is an auto-approved change).
    • Add the user to the Administrators group (requires approval).
  • Submit a security alarm ticket to the help desk system.
Net result: Detect unauthorized privilege escalation.

Collectively, these processes are known as automated user management. They are implemented by the ID-Track component in Hitachi ID Identity Manager.

Several Hitachi ID Identity Manager modules are involved in automated user management:

  1. The PSUPDATE auto-discovery engine, which extracts lists of users, attributes, groups and group memberships from every integrated system and application. In most deployments, PSUPDATE runs nightly.

  2. The LOADDB batch loader, which collects detected changes to users on target systems and updates the internal identity cache accordingly.

  3. Login ID mapping data, which connects unique user identifiers on different systems. For example, this may map employee numbers in HR to login IDs on other systems. This data may be produced through consistent login IDs, by mapping other attributes, or by self-service reconciliation initiated through invitations sent to users.

  4. The ID-Track module, which aggregates changes on a per-user basis and executes organization-specific business logic for each changed user. This business logic typically submits workflow change requests based on detected changes.

  5. The API service, which accepts change requests from ID-Track and/or external programs and submits them to the workflow service.

  6. The IDWFM workflow service, which accepts change requests, validates them, fills in missing data (e.g., assigning login IDs and e-mail addresses), selects suitable authorizers and invites them to approve or reject each change.

  7. The IDTM transaction manager, which accepts approved changes from the workflow engine and runs connectors to effect changes. IDTM retries failed updates to enable reliable updates to target systems.

  8. A set of agents (connectors), almost all of which run locally on the Hitachi ID Identity Manager server, each of which is designed to discover and manage users on a particular type of system or application.
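The change-propagation rows in the table above and the module pipeline just listed, modelled as an added example that is not Hitachi ID code: two constructed auto-discovery snapshots (HR system of record and an Active Directory domain) are diffed, filtered to an assumed single-country scope, aggregated per user and run through business rules that emit workflow change requests. The role catalogue, login ID mapping table and all user data are constructed; the functions only imitate the division of labour between PSUPDATE/LOADDB, ID-Track and the workflow engine described in the text.

```python
"""Toy model of automated change propagation. Added example, not product code.
Assumes constructed snapshots, an assumed role catalogue keyed by (location,
job code), an assumed login ID mapping and a single-country scope filter."""
from dataclasses import dataclass, field
from datetime import date

MANAGED_COUNTRY = "CA"                  # assumed scope: this instance manages Canadian users only
PRIVILEGED_GROUPS = {"Administrators"}  # groups whose out-of-band membership changes raise an alarm

# Assumed role catalogue: (location, job code) -> resources a new hire receives.
ROLES = {
    ("CA", "ENG"): ["ad:account", "ad:group:Developers", "ldap:account"],
    ("CA", "FIN"): ["ad:account", "erp:account"],
}
# Assumed login ID mapping: HR employee number -> login ID on each target system.
ID_MAP = {"E100": {"ad": "jsmith", "erp": "JSMITH"}, "E200": {"ad": "mlee"}}


@dataclass
class ChangeRequest:
    """What the business logic hands to the workflow engine via the API service."""
    kind: str
    subject: str
    details: dict = field(default_factory=dict)
    auto_approve: bool = False


def diff_snapshot(old, new):
    """Compare two discovery runs keyed by unique ID.
    Returns (added, removed, changed); 'changed' maps id -> {attr: (old, new)}."""
    added = {k: new[k] for k in sorted(new.keys() - old.keys())}
    removed = {k: old[k] for k in sorted(old.keys() - new.keys())}
    changed = {}
    for k in sorted(old.keys() & new.keys()):
        attrs = set(old[k]) | set(new[k])
        delta = {a: (old[k].get(a), new[k].get(a)) for a in attrs if old[k].get(a) != new[k].get(a)}
        if delta:
            changed[k] = delta
    return added, removed, changed


def hr_rules(old_hr, new_hr, profiles):
    """Business logic for the HR system of record: out-of-scope users are dropped,
    synchronized attributes land in the identity cache ('profiles'), and each
    aggregated per-user change becomes at most one workflow request."""
    added, removed, changed = diff_snapshot(old_hr, new_hr)
    requests = []
    for emp, rec in added.items():                     # new hire -> auto-provisioning
        if rec.get("country") != MANAGED_COUNTRY:
            continue
        resources = ROLES.get((rec["country"], rec["job_code"]), [])
        profiles[emp] = dict(rec)
        requests.append(ChangeRequest("create_user", emp, {"attributes": rec, "resources": resources}))
    for emp, rec in removed.items():                   # gone from HR -> disable all accounts, auto-approved
        if rec.get("country") != MANAGED_COUNTRY:
            continue
        requests.append(ChangeRequest("disable_all_accounts", emp, {"logins": ID_MAP.get(emp, {})}, auto_approve=True))
    for emp, delta in changed.items():                 # identity synchronization: HR is authoritative
        if new_hr[emp].get("country") == MANAGED_COUNTRY and "termination_date" in delta:
            profiles.setdefault(emp, {})["termination_date"] = delta["termination_date"][1]
    return requests


def termination_batch(profiles, today):
    """Separate periodic job: disable every user whose termination date has arrived."""
    return [ChangeRequest("disable_all_accounts", emp, {"logins": ID_MAP.get(emp, {})}, auto_approve=True)
            for emp, p in profiles.items()
            if p.get("termination_date") and date.fromisoformat(p["termination_date"]) <= today]


def ad_group_rules(old_ad, new_ad, initiated_by_idm):
    """Privileged-group additions seen on AD but not submitted through the workflow
    engine are reverted (auto-approved), re-requested (needs approval) and ticketed."""
    requests, tickets = [], []
    for login, delta in diff_snapshot(old_ad, new_ad)[2].items():
        if "groups" not in delta:
            continue
        before, after = delta["groups"]
        for group in sorted(set(after or []) - set(before or [])):
            if group in PRIVILEGED_GROUPS and (login, group) not in initiated_by_idm:
                requests.append(ChangeRequest("remove_from_group", login, {"group": group}, auto_approve=True))
                requests.append(ChangeRequest("add_to_group", login, {"group": group}))
                tickets.append(f"SECURITY ALARM: {login} added to {group} outside of provisioning")
    return requests, tickets


# Constructed snapshots: yesterday's and today's discovery results.
HR_YESTERDAY = {
    "E100": {"name": "J. Smith", "country": "CA", "job_code": "ENG", "termination_date": None},
    "E200": {"name": "M. Lee", "country": "CA", "job_code": "FIN", "termination_date": None},
}
HR_TODAY = {
    "E100": {"name": "J. Smith", "country": "CA", "job_code": "ENG", "termination_date": "2024-01-15"},
    "E400": {"name": "P. Diaz", "country": "CA", "job_code": "ENG", "termination_date": None},
    "E500": {"name": "K. Wong", "country": "FR", "job_code": "FIN", "termination_date": None},
}
AD_YESTERDAY = {"jsmith": {"groups": ["Developers"]}, "mlee": {"groups": []}}
AD_TODAY = {"jsmith": {"groups": ["Developers", "Administrators"]}, "mlee": {"groups": []}}


def run_cycle(today=date(2024, 1, 15)):
    """One nightly cycle: HR rules, then the termination batch, then the AD check."""
    profiles = {}
    requests = hr_rules(HR_YESTERDAY, HR_TODAY, profiles)
    requests += termination_batch(profiles, today)
    ad_requests, tickets = ad_group_rules(AD_YESTERDAY, AD_TODAY, initiated_by_idm=set())
    return requests + ad_requests, tickets
```

Running `run_cycle()` yields five requests: a create for the in-scope new hire (the French hire is filtered out), an auto-approved disable for the employee who vanished from HR, a second disable produced by the termination batch once the synchronized termination date has arrived, and the remove/add pair for the Administrators membership that appeared on AD without a corresponding workflow request, together with one alarm ticket. Passing the (login, group) pair in `initiated_by_idm` models the case where the provisioning system made the change itself, which must not raise an alarm.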

Change Request Workflow

A key capability in Hitachi ID Identity Manager is to accept change requests, to route them to the appropriate authorizers, and to act on change requests once sufficient authority has been received. This is designed to streamline requests, and to eliminate the need for system administrators to manually fulfill authorized changes.

Hitachi ID Identity Manager's workflow automation engine streamlines the process of requesting and authorizing the creation of new accounts, as well as other security changes such as add/remove group membership, change attribute value, rename or move user, delete or deactivate user and so on.

The Hitachi ID Identity Manager workflow engine uses secure web input (HTTPS) and prompts authorizers for input using e-mail (normally SMTP).

The workflow automation engine works as follows:

The Hitachi ID Identity Manager workflow engine has built-in support for automatic reminders, escalation and delegation:

Templates and Roles to Simplify Configuration

Hitachi ID Identity Manager provisions new users with templates and roles:

Hitachi ID Identity Manager does not require that users be classified into roles. Policy-based provisioning, where users' real access privileges are compared to those predicted by their role membership, is technically possible with Hitachi ID Identity Manager. However, Hitachi ID Systems recognizes that most organizations will be unable to reliably and fully classify existing users into roles, so user/role classification and policy reconciliation is not a Hitachi ID Identity Manager prerequisite.

Search tags are attached to templates and roles in Hitachi ID Identity Manager, to make them easier to find by end-users. Search tags include type and location. Resources such as templates, roles and managed groups also are associated with authorizers.

Consolidated and Delegated Security Administration

Delegated user administration makes it possible to grant limited security privileges to departmental or regional staff. For example, an IT administrator at a business unit may be allowed to create new users in that business unit, and manage the user profiles and access privileges of local users. The same IT administrator would be unable to access user profiles for staff working in other business units and may only be able to perform certain types of updates, on certain systems.

Delegated user administration is implemented in the same manner as consolidated user administration, but with the addition of access controls, as is illustrated in Figure [link].

Figure: Consolidated and Delegated User Administration Console

The scope of authority of a given security administrator can be limited to certain users, certain systems, certain groups or certain OUs. Access controls are normally implemented using business logic, which accesses information about both the IT administrator and intended recipients of security changes, to dynamically determine what kinds of updates are allowed.
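The scope-limiting business logic described above, as an added example that is not Hitachi ID code: a deny-by-default check that looks at both the requesting IT administrator and the intended recipient of the change, limiting the administrator to certain business units, OUs, target systems, operations and groups. All administrators, users, DNs, system names and group names are constructed.

```python
"""Added example (not product code) of scope-limited delegated administration.
Every administrator, user, DN, system and group below is constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Admin:
    login: str
    business_units: frozenset   # users the admin may touch, by business unit
    ous: frozenset              # ... and by directory OU (DN suffix match)
    systems: frozenset          # target systems the admin may update
    operations: frozenset       # kinds of update the admin may perform
    groups: frozenset           # groups whose membership the admin may change


@dataclass(frozen=True)
class User:
    login: str
    business_unit: str
    dn: str


@dataclass(frozen=True)
class Request:
    operation: str
    target: User
    system: str
    group: Optional[str] = None


def in_ou(dn: str, ou: str) -> bool:
    """True when 'dn' sits at or below 'ou' (case-insensitive DN suffix match)."""
    return dn.lower() == ou.lower() or dn.lower().endswith("," + ou.lower())


def authorize(admin: Admin, req: Request) -> Tuple[bool, str]:
    """Deny by default: every scope dimension must explicitly allow the request."""
    if req.target.business_unit not in admin.business_units:
        return False, f"{req.target.login} is outside {admin.login}'s business units"
    if not any(in_ou(req.target.dn, ou) for ou in admin.ous):
        return False, f"{req.target.login} is outside {admin.login}'s OUs"
    if req.system not in admin.systems:
        return False, f"{admin.login} may not update {req.system}"
    if req.operation not in admin.operations:
        return False, f"{admin.login} may not perform {req.operation}"
    if req.operation in ("add_to_group", "remove_from_group") and req.group not in admin.groups:
        return False, f"{admin.login} may not manage group {req.group}"
    return True, "allowed"


# Constructed data: a business-unit IT administrator and three users.
BU_ADMIN = Admin(
    login="rtan",
    business_units=frozenset({"Sales-West"}),
    ous=frozenset({"OU=Sales-West,DC=example,DC=com"}),
    systems=frozenset({"ad", "crm"}),
    operations=frozenset({"create_user", "reset_password", "add_to_group", "remove_from_group"}),
    groups=frozenset({"Sales-West-Users"}),
)
ASMITH = User("asmith", "Sales-West", "CN=asmith,OU=Sales-West,DC=example,DC=com")
BJONES = User("bjones", "Engineering", "CN=bjones,OU=Eng,DC=example,DC=com")
CWU = User("cwu", "Sales-West", "CN=cwu,OU=Contractors,DC=example,DC=com")


def demo():
    """Evaluate a batch of requests; returns the (allowed, reason) decision for each."""
    batch = [
        Request("create_user", ASMITH, "ad"),                             # in scope
        Request("reset_password", BJONES, "ad"),                          # other business unit
        Request("add_to_group", ASMITH, "ad", group="Administrators"),    # group not delegated
        Request("add_to_group", ASMITH, "ad", group="Sales-West-Users"),  # delegated group
        Request("delete_user", ASMITH, "ad"),                             # operation not delegated
        Request("reset_password", ASMITH, "erp"),                         # system not delegated
        Request("reset_password", CWU, "ad"),                             # right BU, wrong OU
    ]
    return [authorize(BU_ADMIN, r) for r in batch]
```

The check evaluates the recipient's attributes (business unit, DN) against the administrator's scope before it even looks at the operation, so a delegated administrator can never reach a user outside his unit, and group-membership changes are additionally restricted to the groups delegated to him; an attempt to add a local user to the Administrators group is refused even though the operation itself is delegated.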

Enterprise-wide Security Reporting

All data in Hitachi ID Identity Manager is available via SQL or ODBC and accessible using standard analytical tools (Crystal Reports, MS-Access, MS-Excel, SQL queries, etc.).

The schema is well documented and is available to all product licensees and evaluators under NDA. The current release schema documentation is about 127 pages long, and includes detailed descriptions of every field, table, relation, value constraint, etc.

Data available through Hitachi ID Identity Manager includes:

Hitachi ID Identity Manager includes a number of standard reports, available through a web user interface, from the command-line, or by e-mail:

Advantages of the reporting subsystem in Hitachi ID Identity Manager include:

Web Services Flexibility

An API (application programming interface) is exposed by Hitachi ID Identity Manager, supporting features such as creating or deleting users on target systems, modifying user membership in security groups, modifying user attributes, submitting workflow requests, looking up resource information and approving or rejecting open requests.

The API is accessed using SOAP and includes a WSDL specification.

The Hitachi ID Identity Manager API is particularly useful for extending meta directories to manage new types of target systems, and for enabling custom-written and third-party workflow engines to complete a user provisioning operation with actual updates to target systems rather than with instructions to a human security administrator.

Hitachi ID Identity Manager Technology

Network Architecture

Hitachi ID Identity Manager is designed for:

Figure: Network architecture diagram

The figure above illustrates the Hitachi ID Identity Manager network architecture:

Supported Target Platforms

Hitachi ID Identity Manager has built-in integration for many common types of systems, plus programmable agents that can be readily adapted to manage IDs and passwords on applications and hosted services.

The supported platforms may be summarized as follows:

Directories: LDAP (any), Active Directory, Windows NT domains, Novell eDirectory, Novell NDS, Unix NIS and NIS+, Kerberos/DCE (any)

File/print: Windows NT/2000/2003/2008, Novell NetWare, OS2 LanManager, Samba

Mainframes: z/OS, RACF, CA-ACF2, CA-TopSecret, VM/ESA, Siemens BS2000, Tandem NonStop, Unisys MCP

Unix: AIX, DGUX, Digital Unix, HPUX, IRIX, Linux, NCR, OSF4, SCO OS, Solaris, SunOS, Tru64, UnixWare, Unisys, passwd, shadow, Trusted Computing Base

Midrange: HP MPE, OS/400/iSeries, OpenVMS

Database: DB2/UDB, Informix, MSSQL, ODBC, Oracle, Sybase

ERP: SAP R/3 4.0+, PeopleSoft 7.5+, Oracle Applications 11i+, JDE OneWorld

Messaging: MS Exchange 5.5, MS Exchange 2000/03/07, Novell GroupWise, Lotus Domino/HTTP, Lotus Notes/ID files, HP OpenMail

WebSSO: IBM TAM, RSA ClearTrust, Entrust getAccess, CA SiteMinder, Oracle COREid, SAP portal

Flexible agents: API (application programming interface) integration, LDAP attributes, MQ Series, SQL commands, Telnet/TN3270/TN5250 sessions, Unix/Windows cmd-line integration, web forms, web services (SOAP, XML)

Hardware tokens and Smartcards: RSA SecurID, Secure Computing SafeWord, Vasco Digipass, GemPlus, Precise Biometrics

Miscellaneous: BMC Service Desk Express, Clarify eFrontOffice, Connected Backup, IBM OLAP, IBM Tivoli Access Manager, Local and cached Windows passwords, HP Service Manager, RADIUS (various), BMC Remedy ARS and Tivoli ADSM

Hitachi ID Identity Manager includes a number of flexible agents, each of which is programmable (and thus can be said to embody an SDK (software development kit)). These agents allow organizations to integrate Hitachi ID Identity Manager with custom and vertical market applications quickly and with a minimum of programming or scripting.

Flexible agents expose a number of processes, including:

Organizations that wish to write a completely new agent to a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as a command-line or web service target using the appropriate Hitachi ID Identity Manager flexible agent.

An effort of between four hours and four days is typically required to integrate Hitachi ID Identity Manager with a custom or vertical market application. This compares favorably with competitive products, where a custom Java or other 3GL connector must be written from scratch, taking weeks or months and requiring the Hitachi ID Identity Manager administrator to have significant programming experience and the ability to quickly learn how to use a new framework and API.

In most cases, Hitachi ID Identity Manager does not require the installation of local agent software on target systems. The only exceptions to this are two applications which do not publish a remote administration facility at all: RSA Authentication Manager servers and Entrust getAccess servers.

Hitachi ID Identity Manager does include local agents for deployment on Unix and z/OS servers. While users and passwords on these systems can be managed without a local agent -- by emulating a terminal session over Telnet, TN3270 or SSH -- such terminal connections are slower, less reliable and (except for SSH) less secure than what is possible with a local agent.

Ultimately, Hitachi ID Systems customers must decide whether reduced change control or more secure, fast and reliable administration is more important on Unix and z/OS systems, and therefore determine whether local agents will be installed on these systems.

In no case do the provided local agents interfere with the target system's normal operation -- the login process on each target system remains the same and no significant CPU or other load is placed on target systems.

Process Integration

Identity management is integral to an organization's business processes, and Hitachi ID Identity Manager is designed to integrate with existing processes and systems:

Scalability

Scalability in a combined system for user provisioning, access management and password management is primarily relevant to the password management component:

Typical peak transaction rates for a 10,000 person organization are 10 events/hour for provisioning and 5,000 events/hour for password synchronization.

Accordingly, the following discussion focuses on Hitachi ID Password Manager (formerly P-Synch), since password management requires extreme scalability, which account provisioning does not. Hitachi ID Identity Manager is built on the same scalable architecture, but simply does not require the same benefits.

Hitachi ID Password Manager has been deployed by very large corporations. Examples of large deployments include:

Hitachi ID Password Manager features that support scalability include:

In addition, Hitachi ID Password Manager incorporates many features that, while not directly performance-related, are required by large organizations:

Security

Hitachi ID Identity Manager improves the security of user access administration by establishing the following processes:

Hitachi ID Identity Manager is designed to be secure. It is protected using a multi-layered security architecture, which includes running on a hardened OS, using file system ACLs, providing strong application-level user authentication, filtering user inputs, encrypting sensitive data, enforcing application-level ACLs, and storing log data indefinitely.

Hitachi ID Identity Manager never requires plaintext passwords to be stored in configuration files or scripts and does not store plaintext passwords anywhere. Hitachi ID Identity Manager does not ship with a default administrator password -- one must be typed in at installation time.

These security measures are illustrated in Figure [link].

Figure: Network architecture security diagram

Rapid Deployment

Hitachi ID Systems solutions are optimized for rapid deployment -- this is a core design characteristic across all products in the Hitachi ID Management Suite. Features such as a dynamic workflow, an architecture which does not depend on role engineering, auto-discovery of users on target systems and self-service login ID reconciliation are all designed to eliminate costly deployment steps and minimize ongoing administration.

Hitachi ID Identity Manager is designed for rapid deployment:

Hitachi ID Password Manager is designed for rapid deployment:

Return on Investment

Hitachi ID Identity Manager realizes cost savings for security administrators and enhanced productivity for users through:


Summary

Efficient and reliable user provisioning yields better productivity for users, reduced administration overhead, and better security.

Hitachi ID Identity Manager allows organizations to streamline their user provisioning, access management and termination processes through:

Hitachi ID Identity Manager is designed to be scalable, secure and easy to deploy.


Appendix: Hitachi ID Management Suite Overview

Hitachi ID Management Suite is a complete identity management solution that enables organizations to more securely and efficiently manage the user lifecycle across enterprise applications and systems.

Hitachi ID Management Suite combines the power of Hitachi ID Systems' flagship technologies, Hitachi ID Identity Manager for user provisioning and Hitachi ID Password Manager for password management, with more targeted products including Hitachi ID Group Manager (formerly ID-Access) to manage user access rights, Hitachi ID Access Certifier (formerly ID-Certify) to review user rights and clean up stale privileges, and Hitachi ID Privileged Password Manager (formerly ID-Archive) to securely manage privileged passwords.

Hitachi ID Management Suite creates real business value by increasing productivity for users, reducing IT overhead, strengthening network security and providing internal controls to support compliance with privacy protection and corporate governance regulations.

Hitachi ID Management Suite is designed as identity management middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and authentication factors across multiple systems and platforms. This is illustrated in Figure [link].

Figure: Hitachi ID Management Suite Overview: Identity Middleware

Hitachi ID Management Suite includes several functional identity management modules:

The relationships between Hitachi ID Management Suite components are illustrated in Figure [link].

Figure: Components of Hitachi ID Management Suite