ID-Synch White Paper
Abstract
This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how ID-Synch® addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.
Introduction
This document describes the business problems of user provisioning: slow resource provisioning, redundant systems administration and unreliable access termination. It then describes how ID-Synch addresses these problems with process change and user provisioning technology. Finally, the business benefits of effective user provisioning are described.
ID-Synch is the user provisioning component of Hitachi ID Management Suite®. Hitachi ID Management Suite is described in [link].
The remainder of this document is organized as follows:
- Business Problems With User Provisioning
The motivation for deploying ID-Synch.
- Shared Identity Management Infrastructure
How the proliferation of systems, each with their own user database, creates an administrative problem, and how consolidating administration of user identity can help.
- Streamlined User Provisioning Processes
How ID-Synch simplifies management of user identity data across multiple, heterogeneous systems.
- ID-Synch Technology
The ID-Synch network architecture, and design features that make it scalable, secure and deployable.
- Return on Investment
A basic ROI model describing how ID-Synch can generate significant cost savings.
- Summary
Business Challenges With User Provisioning
Several factors combine to make management of users and their security rights a growing challenge for many organizations:
- The number of individual systems and platforms that users must access is large and growing.
- Users are increasingly dependent on systems access: they cannot do their jobs without it.
- Organizations cannot afford additional IT staffing to cope with the growing burden of systems administration. On the contrary, most organizations would prefer to reduce the size of IT as a proportion of organization size.
These factors lead to the following costly business problems:
- Overloaded administration: Access / security administrators are overworked. This leads to staff burn-out and turn-over. Overloaded administrators are prone to errors, including improperly assigned privileges.
- Lost productivity: Requests for new access are delayed, and the productivity of users waiting for new access rights is reduced.
- Security risk: System access persists even after users change responsibility or leave an organization. This is not only a serious security vulnerability, but can violate regulatory requirements for effective internal controls.
ID-Synch is an automated user provisioning solution, designed to address these challenges.
Shared Identity Management Infrastructure
Systems administration burden is growing because there are an increasing number of systems to manage, and because almost every system manages user profiles in its own silo. For example, a single (human) user might have a personal profile on the mainframe, an LDAP directory, an e-mail system, an ERP system and elsewhere. Each of these systems is managed separately -- by different administrators, using different tools.
The natural solution for this problem is to consolidate information about users (sometimes referred to as user directories or security databases) into a single repository, and configure every system to refer to that single repository as an authoritative system of record regarding user identity.
This approach has some merit, hence the popularity of LDAP. However, it also has problems:
- Many systems are not compatible with LDAP, and cannot externalize their user/security databases.
- Some systems that can externalize user data can only do so for some attributes, and continue to have internal user profiles, which must still be managed directly.
- Many systems require data about users that is special to them, and would not benefit any other part of the IT infrastructure. If the data storage requirements of every application were added to a single LDAP directory, then the schema would grow to thousands of attributes per user -- thus creating new performance, scalability, reliability and management problems.
- Some user-related data is confidential, and does not belong in a shared directory.
The result of these problems is that while LDAP has helped to slow the proliferation of user databases, organizations continue to require, and must still manage, multiple systems that house data about users.
Since most organizations continue to have multiple user directories, the next best solution is to implement consolidated processes to manage user objects and access rights across multiple systems.
ID-Synch is designed to provide a shared set of processes and infrastructure to manage users and access across heterogeneous systems. It implements multiple processes that an organization can use to provision, update and deactivate user access to multiple systems.
Streamlined User Provisioning Processes
User Lifecycle
The basic lifecycle of identity management begins with hiring a user. This triggers creation of one or more system login accounts and other user objects (e.g., HR record, phone book entries, etc.).
Over time, the user will make numerous routine password changes, and may periodically forget his password, and require an administrative password reset on one or more systems.
As the user moves through an organization, changing job functions and possibly locations, the systems he must access, and his required privileges on those systems will change.
Finally, when a user leaves an organization, his access rights must be terminated. In most cases, his actual IDs persist for a while, until they are no longer required. In many organizations, user identifiers are never reused, to support long-term audit trails.
Each of the above processes is traditionally handled separately on each system. Each system has its own user directory and user/security management tools. In most organizations, each application is managed by its own administrators.
ID-Synch, a part of Hitachi ID Management Suite, is designed to leverage a single set of business processes to manage users and access rights on multiple systems, as illustrated in Figure [link].
Figure: User Lifecycle Management
Automated Change Propagation
ID-Synch can monitor one or more systems of record on a periodic basis (e.g., nightly or every few hours), searching for updates to user profiles. Updates may include new hires, terminations and changes to user profiles (e-mail addresses, job codes, department codes, location and so on).
These changes are first passed through a data filter, which removes objects that are outside the scope of the ID-Synch deployment. For instance, a global enterprise might have a global HR system that is used as a system of record, but only users on a single continent may be in scope for ID-Synch automated management. In this example, changes noted to users in other regions are removed from the authoritative data feed before it is processed further.
Next, changes to user objects noted on authoritative systems are transformed, using roles, rules or both, to calculate what login accounts, attributes and group memberships the affected users should have or whether their access should be created or terminated.
Transformed user profile data may then be:
- Compared against current-state data about these users on target systems
- Sent to the ID-Synch authorization engine, to acquire approval for the proposed security changes
- Applied directly to target systems
This process is known as automated administration or, alternately, as automatic change propagation. It is implemented by the IDCOMPARE component in ID-Synch.
Several ID-Synch modules are involved in automated account creation, update, suspension and deletion, based on changes to user profiles on systems of record:
- An auto-discovery engine, which extracts complete lists of users from each managed system, nightly (psupdate). These lists can be configured to include the time and date of last login, and other specified attributes and group memberships.
- Login ID reconciliation, which connects login IDs on different systems to individual users (PSL).
- Installation-specific list programs, which typically extract data from one or more systems of record (HR or other), merge the data, and so create a "master" list of current users and their authoritative attributes. Normally this is accomplished using SQL scripts or CSV imports in psupdate.
- A batch load system, which accepts lists of users and their attributes from both the authoritative systems and managed systems as input, executes appropriate business logic to transform authoritative data into expected data on the managed systems, calculates the difference between the desired and current state on each managed system and sends this difference either directly to agents or to the authorization workflow (idcompare).
- An agent execution service, which accepts update transactions (from idcompare) and pushes them to target systems, possibly repeatedly, until they succeed (iddriver, pushid).
- A set of agents, each of which is designed to manage users on a particular type of target system.
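The change propagation pipeline described above (scope filter, role rules, desired-versus-current comparison, transactions for agents or for approval), as an added Python model. This is illustrative code written for this page, not ID-Synch or Hitachi ID code; the HR feed, role rules, discovered current state and reconciliation map are all constructed sample data, and the login ID rule is the "first initial + last name + unique digit" rule the Process Integration section mentions.

```python
from typing import Dict, List, Set, Tuple

# --- Constructed sample data (illustrative only; not real ID-Synch data) ---
# Nightly extract from the system of record (HR feed).
HR_FEED = [
    {"emp_id": "E100", "name": "Ada Lovelace", "dept": "FIN", "region": "NA", "status": "active"},
    {"emp_id": "E101", "name": "Alan Turing", "dept": "ENG", "region": "NA", "status": "active"},
    {"emp_id": "E102", "name": "Grace Hopper", "dept": "ENG", "region": "EU", "status": "active"},
    {"emp_id": "E103", "name": "Bob Smith", "dept": "FIN", "region": "NA", "status": "terminated"},
]
# Scope filter: only one region is under automated management.
IN_SCOPE_REGIONS = {"NA"}
# Role rules: department code -> set of (managed system, group) a user should hold.
ROLE_RULES: Dict[str, Set[Tuple[str, str]]] = {
    "FIN": {("ad", "Domain Users"), ("ad", "AP-Clerks"), ("erp", "AP")},
    "ENG": {("ad", "Domain Users"), ("unix", "developers")},
}
# Current state discovered on managed systems (auto-discovery): system -> login -> groups.
CURRENT: Dict[str, Dict[str, Set[str]]] = {
    "ad": {
        "alovelace": {"Domain Users", "AP-Clerks", "Domain Admins"},
        "aturing": {"Domain Users"},
        "bsmith": {"Domain Users"},
    },
    "erp": {"alovelace": {"AP"}, "bsmith": {"AP"}},
    "unix": {},
}
# Login ID reconciliation result: (system, login) -> employee id.
ID_MAP: Dict[Tuple[str, str], str] = {
    ("ad", "alovelace"): "E100", ("erp", "alovelace"): "E100",
    ("ad", "aturing"): "E101",
    ("ad", "bsmith"): "E103", ("erp", "bsmith"): "E103",
}

Transaction = Tuple[str, str, str, object]  # (action, system, login, detail)


def in_scope(rec: dict) -> bool:
    """Data filter: drop system-of-record changes outside the deployment scope."""
    return rec["region"] in IN_SCOPE_REGIONS


def desired_state(rec: dict) -> Dict[str, Set[str]]:
    """Role rule: an active user should hold the accounts/groups of their department role."""
    if rec["status"] != "active":
        return {}
    wanted: Dict[str, Set[str]] = {}
    for system, group in ROLE_RULES.get(rec["dept"], set()):
        wanted.setdefault(system, set()).add(group)
    return wanted


def assign_login(name: str, taken) -> str:
    """Site rule: first initial + last name, plus a digit if that ID is already taken."""
    parts = name.split()
    base = (parts[0][0] + parts[-1]).lower()
    candidate, n = base, 1
    while candidate in taken:
        candidate, n = f"{base}{n}", n + 1
    return candidate


def accounts_of(emp_id: str) -> Dict[str, str]:
    """Reverse the reconciliation map: the login this person holds on each system."""
    return {system: login for (system, login), owner in ID_MAP.items() if owner == emp_id}


def compute_changes(feed: List[dict], current: Dict[str, Dict[str, Set[str]]]) -> List[Transaction]:
    """Desired-minus-current comparison; returns transactions for agents or for approval."""
    txns: List[Transaction] = []
    for rec in feed:
        if not in_scope(rec):
            continue
        have = accounts_of(rec["emp_id"])
        if rec["status"] != "active":
            # Termination: disable every known account rather than delete it,
            # so the identifier is preserved for the audit trail.
            for system, login in sorted(have.items()):
                txns.append(("disable", system, login, None))
            continue
        for system, groups in sorted(desired_state(rec).items()):
            login = have.get(system)
            if login is None:
                login = assign_login(rec["name"], current.get(system, {}))
                txns.append(("create", system, login, sorted(groups)))
                continue
            cur = current.get(system, {}).get(login, set())
            for g in sorted(groups - cur):
                txns.append(("add_group", system, login, g))
            for g in sorted(cur - groups):  # privilege the role does not predict
                txns.append(("remove_group", system, login, g))
        # Accounts on systems outside the user's role are left alone, since the
        # text says role classification and policy reconciliation are not prerequisites.
    return txns


if __name__ == "__main__":
    for t in compute_changes(HR_FEED, CURRENT):
        print(t)
```

Running it on the constructed data yields one group removal (a privilege the role does not predict), one account creation with a generated login ID, and two disable transactions for the terminated user; the out-of-scope EU record produces nothing.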
Change Request Workflow
A key capability in ID-Synch is to accept change requests, to route them to the appropriate authorizers, and to act on change requests once sufficient authority has been received. This is designed to streamline requests, and to eliminate the need for system administrators to manually fulfill authorized changes.
ID-Synch's workflow automation engine streamlines the process of requesting and authorizing the creation of new accounts, as well as other security changes such as add/remove group membership, change attribute value, rename or move user, delete or deactivate user and so on.
The ID-Synch workflow engine uses secure web input (HTTPS) and prompts authorizers for input using e-mail (normally SMTP).
The workflow automation engine works as follows:
- Request input:
- Users can authenticate to the system and make change requests.
- Change requests are formulated as changes to user profiles -- the requester's or another user's (the recipient).
- Change requests may be to change data attributes, add new accounts, add or remove group memberships, enable accounts or disable accounts. In other words, changes are formulated as changes to user profiles, in relation to the recipient user's current state.
- Plug-in programs can limit or alter requests -- for example by limiting who can submit a request, by limiting what requesters can ask for, by validating or filling in fields in a request, or by assigning a login ID to new users.
- Requests may be for changes to user attributes or to add or remove single login accounts, collections of privileges (roles) or physical objects (e.g., tokens, building access badges, etc.).
- Request routing:
- Requests are automatically routed to appropriate authorizers, which are selected based on the identity of the requester and based on the roles and templates requested.
- All authorizers are prompted to respond concurrently. Authorizers may delegate alternates in their absence.
- In most cases, a response is only required from a subset of the authorizers -- for example, any one of three people can approve access to a system.
- Authorizers are notified by e-mail that their input is required. They click on a URL embedded in the e-mail to respond.
- Authorizers may be prompted to respond repeatedly if no response is received within a defined period. Requests that are pending response for too long may be escalated to new authorizers or to a call tracking system.
- Authorization:
- Authorizers review requests using a web form, over a secure connection (HTTPS).
- Executing approved requests:
- Once adequate authorization has been collected, ID-Synch can automatically create login IDs, update existing IDs or request action from system administrators and others using e-mail and call tracking system integration.
The ID-Synch workflow engine has built-in support for automatic reminders, escalation and delegation:
- Non-responsive authorizers that have been asked to review a change request receive automatic reminders to respond. Reminder intervals are programmable.
- Authorizers who continue to be non-responsive are automatically replaced with alternate authorizers, identified using escalation business logic. Escalation normally involves external data access -- e.g., to a corporate directory to lookup the original authorizer's manager or peers.
- Authorizers may elect to delegate their authority, either temporarily (for a scheduled, finite period of time, such as a scheduled holiday) or permanently (for example, when an authorizer changes jobs). Delegation may require that the new authorizer respond and accept responsibility before it takes effect.
- A workflow manager can reassign requests to different authorizers at any time and can administratively set and clear delegation rules.
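The routing, concurrent notification, subset approval, reminder, escalation and delegation behaviour described above, as an added Python simulation. This is illustrative code written for this page, not ID-Synch code; the corporate directory (for manager lookup), the delegation rule, the reminder and escalation intervals and the request itself are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed corporate directory (authorizer -> manager), used by the escalation rule.
DIRECTORY = {"alice": "carol", "bob": "carol", "carol": "dave", "erin": "dave"}
# Constructed delegation rule already accepted by the delegate (authorizer -> delegate).
DELEGATIONS = {"bob": "erin"}
REMIND_AFTER = 24     # hours of silence before a reminder is sent (assumed value)
ESCALATE_AFTER = 72   # hours of silence before the authorizer is replaced (assumed value)


@dataclass
class ApprovalGroup:
    """A set of authorizers of whom only `required` need to approve (e.g. any 1 of 3)."""
    required: int
    pending: Set[str]
    approved: Set[str] = field(default_factory=set)
    rejected: Set[str] = field(default_factory=set)

    def satisfied(self) -> bool:
        return len(self.approved) >= self.required


@dataclass
class Request:
    rid: str
    groups: List[ApprovalGroup]
    notified_at: Dict[str, int] = field(default_factory=dict)
    reminded: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)


def _notify(req: Request, authorizer: str, now: int) -> str:
    """Prompt an authorizer (e-mail in the product); delegation is resolved first."""
    target = DELEGATIONS.get(authorizer, authorizer)
    req.notified_at[target] = now
    req.events.append(f"{now}h notify {target}")
    return target


def open_request(rid: str, groups: List[ApprovalGroup], now: int = 0) -> Request:
    req = Request(rid, groups)
    for g in req.groups:  # every authorizer is prompted concurrently, not in series
        g.pending = {_notify(req, a, now) for a in sorted(g.pending)}
    return req


def respond(req: Request, authorizer: str, approve: bool, now: int) -> str:
    for g in req.groups:
        if authorizer in g.pending:
            g.pending.discard(authorizer)
            (g.approved if approve else g.rejected).add(authorizer)
            req.events.append(f"{now}h {'approve' if approve else 'reject'} {authorizer}")
    return status(req)


def tick(req: Request, now: int) -> str:
    """Periodic pass: remind silent authorizers, then replace those silent for too long."""
    for g in req.groups:
        if g.satisfied():
            continue
        for auth in sorted(g.pending):
            age = now - req.notified_at[auth]
            if age >= ESCALATE_AFTER:
                g.pending.discard(auth)
                manager = DIRECTORY.get(auth)
                if manager:
                    g.pending.add(_notify(req, manager, now))
                    req.events.append(f"{now}h escalate {auth} -> {manager}")
                else:  # nobody left to escalate to: hand off to the call tracking system
                    req.events.append(f"{now}h escalate {auth} -> ticket")
            elif age >= REMIND_AFTER and auth not in req.reminded:
                req.reminded.add(auth)
                req.events.append(f"{now}h remind {auth}")
    return status(req)


def status(req: Request) -> str:
    """Any rejection rejects; otherwise approved only when every group has its quorum."""
    if any(g.rejected for g in req.groups):
        return "rejected"
    if all(g.satisfied() for g in req.groups):
        return "approved"
    return "pending"


def demo() -> Request:
    """Access request needing any one of {alice, bob} plus carol; bob is on holiday."""
    req = open_request("REQ-1", [ApprovalGroup(1, {"alice", "bob"}), ApprovalGroup(1, {"carol"})])
    tick(req, 30)                   # reminders go out to everyone still silent
    respond(req, "erin", True, 35)  # bob's delegate satisfies the first group
    tick(req, 80)                   # carol never answered: escalated to her manager
    respond(req, "dave", True, 85)
    return req


if __name__ == "__main__":
    for line in demo().events:
        print(line)
```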
Templates and Roles to Simplify Setup
ID-Synch provisions new users with templates and roles:
- Rather than requiring an administrator to provide every parameter when creating a new account, ID-Synch copies all relevant parameters from a template account. In effect, ID-Synch implements a "clone user" operation in place of a "create user" operation.
- Note that not every user object on every target system may be cloned. Requiring the organization's administrators to specify template accounts ensures that users whose profiles have grown over time, and which contain inappropriate security privileges, are not cloned.
- Change requests, automated updates or actions initiated in the consolidated or delegated administration modules may specify attributes which override those copied from the template. Examples of request attributes that affect new IDs are employee number, phone number, e-mail address, login ID, directory OU, home directory server, mail server, etc.
- Attributes may be entered by a user or administrator (e.g., phone number), may be validated by a plug-in that implements business logic (e.g., building code) or may be assigned by a plug-in that implements business logic (e.g., login ID, directory OU, e-mail address). Plug-ins embody business rules, and may be as simple or as complex as required.
- Template accounts and membership in security groups are collected into named sets called roles. This allows requests to specify whole sets of new privileges, rather than one account or security group at a time. This simplifies the request process for users, who may not have a clear, technically accurate idea of what accounts or group memberships they require.
Normally, a role represents every system access required by a user who does a particular job. Roles may also represent functional groups, such as "network access" or "e-mail access."
- Roles may be nested, to simplify definition of incrementally larger access privileges.
- Requests for access may incorporate any combination of roles, template accounts and group memberships. They need not be purely role-based.
ID-Synch does not require that users be classified into roles. While policy-based provisioning, where users' real access privileges are compared to those predicted by their role membership, is technically possible with ID-Synch, Hitachi ID recognizes that most organizations will be unable to reliably and fully classify existing users into roles, so user/role classification and policy reconciliation is not an ID-Synch pre-requisite.
Search tags are attached to templates and roles in ID-Synch, to make them easier to find by end-users. Search tags include type and location. Resources such as templates, roles and managed groups also are associated with authorizers.
Consolidated and Delegated Security Administration
Delegated user administration makes it possible to grant limited security privileges to departmental or regional staff. For example, an IT administrator at a business unit may be allowed to create new users in that business unit, and manage the user profiles and access privileges of local users. The same IT administrator would be unable to access user profiles for staff working in other business units and may only be able to perform certain types of updates, on certain systems.
Delegated user administration is implemented in the same manner as consolidated user administration, but with the addition of access controls, as is illustrated in Figure [link].
Figure: Consolidated and Delegated User Administration Console
The scope of authority of a given security administrator can be limited to certain users, certain systems, certain groups or certain OUs. Access controls are normally implemented using business logic, which accesses information about both the IT administrator and intended recipients of security changes, to dynamically determine what kinds of updates are allowed.
Enterprise-wide Security Reporting
All data in ID-Synch is available via ODBC and accessible using standard analytical tools (Crystal Reports, MS-Access, MS-Excel, SQL queries, etc.).
The schema is well documented and this documentation is available to all product licensees and to evaluators under NDA. The current release schema documentation is about 175 long, and includes detailed descriptions of every field, table, relation, value constraint, etc.
Data available through ID-Synch includes:
- A list of IDs per user.
- A list of IDs per system.
- A list of IDs per group.
- Allocation of login IDs to user profiles.
- Full detail of transaction history.
- Additional user attributes (e.g., roles, employee ID) for users who were created using ID-Synch.
- Select user attributes drawn from target systems -- such as last login time/date, account enabled/disabled, etc.
ID-Synch includes a number of standard reports, available through a web user interface, from the command-line, or by e-mail:
- Orphan and dormant accounts.
- Users who have accounts on specific systems.
- Templates and roles that a particular user has been assigned.
- User groups available on target systems.
- Membership of users in user groups on target systems.
- Transaction history per time period.
- Authorizer actions.
- Delegations (current and pending).
- Implementer definitions.
- Physical inventory availability.
- Requests, by status, state and result.
- Request statistics.
- User attributes, by user and by system.
- Past Reports.
Advantages of the reporting subsystem in ID-Synch include:
- The ID-Synch schema is a simple, relational, ODBC-accessible database. This makes it open to reports by third party programs, such as Crystal. In comparison, some competing products store all their data in opaque XML blobs, and are therefore not accessible by third party reporting software.
- A rich set of built-in reports, including lists of users, accounts, group memberships, workflow requests, etc.
- Dual-format output (HTML, CSV) in all reports.
- Asynchronous report generation -- i.e., generate a report, and display it as the data is produced.
- Availability of all reports both from the web console and command-line, where they can be scheduled for automatic execution.
- Availability of full schema documentation, which is guaranteed correct, as it is automatically generated from the same source files as the database tables themselves.
- Full access to raw data by any 3rd party reporting tools.
Web Services Flexibility
An API (application programming interface) is exposed by ID-Synch, supporting features such as creating or deleting users on target systems, modifying user membership in security groups on target systems and modifying user attributes.
The API (application programming interface) is accessed using SOAP and includes a WSDL specification.
The ID-Synch API (application programming interface) is particularly useful for extending meta directories to manage new types of target systems and for enabling custom-written and third-party workflow engines to complete a user provisioning operation with actual updates to target systems, rather than with instructions to a human security administrator.
ID-Synch Technology
Network Architecture
ID-Synch is designed for:
- Security:
ID-Synch is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.
- Scalability:
Multiple ID-Synch servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.).
- Openness:
Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).
- Flexibility:
Both the ID-Synch user interface and all functionality can be customized to meet enterprise requirements.
- Low TCO:
ID-Synch is easy to set up and requires minimal ongoing administration.
Figure: Network architecture diagram
The network architecture diagram illustrates the ID-Synch network architecture:
- Users normally access ID-Synch using HTTPS from a web browser.
- Multiple ID-Synch servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply using DNS round-robin distribution.
- Native user password changes on some systems ([link]) may trigger transparent password synchronization. A password change interceptor DLL, library or exit may capture such changes and initiate transparent password synchronization.
- Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.
- ID-Synch connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems.
- Local agents are provided and recommended for Unix servers and OS/390 mainframes. Use of these agents improves transaction security, speed and concurrency.
- A local agent is mandatory on RSA SecurID servers.
- Where target systems are remote and communication to them is slow, insecure or both, an ID-Synch proxy server may be co-located with the target system in the remote location. In this case, servers in the main ID-Synch server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.
- ID-Synch can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).
- ID-Synch can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 163 events can trigger e-mail notification.
- ID-Synch can write tickets to most common help desk systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 163 events can trigger ticket integration. Binary integrations are available for 15 and open integration is possible using mail, ODBC, SQL and web services.
Supported Target Platforms
ID-Synch has built-in integration for many common types of systems, plus programmable agents that can be readily adapted to manage IDs and passwords on applications and hosted services.
The supported platforms may be summarized as follows:
- Directories: LDAP (any), Active Directory, Windows NT domains, Novell eDirectory, Novell NDS, Unix NIS and NIS+, Kerberos/DCE (any)
- File/print: Windows NT/2000/2003, Novell NetWare, OS2 LanManager, Samba
- Mainframes: MVS / OS/390 / zOS, RACF, CA-ACF2, CA-TopSecret, VM/ESA, Siemens BS2000, Tandem NonStop, Unisys MCP
- Unix: AIX, DGUX, Digital Unix, HPUX, IRIX, Linux, NCR, OSF4, SCO OS, Solaris, SunOS, Tru64, UnixWare, Unisys, passwd, shadow, Trusted Computing Base
- Midrange: HP MPE, OS/400/iSeries, OpenVMS
- Database: DB2/UDB, Informix, MSSQL, ODBC, Oracle, Sybase
- ERP: SAP R/3 4.0+, PeopleSoft 7.5+, Oracle Applications 11i+, JDE OneWorld
- Messaging: MS Exchange 5.5, MS Exchange 2000/03/07, Novell GroupWise, Lotus Domino/HTTP, Lotus Notes/ID files, HP OpenMail
- WebSSO: RSA ClearTrust, Entrust getAccess, Netegrity SiteMinder, Oracle COREid, SAP portal
- Flexible agents: API (application programming interface) integration, LDAP attributes, MQ Series, SQL commands, Telnet/TN3270/TN5250 sessions, Unix/Windows cmd-line integration, web forms, web services (SOAP, XML)
- Hardware tokens and Smartcards: RSA SecurID, Secure Computing SafeWord, Vasco Digipass, GemPlus, Precise Biometrics
- Miscellaneous: RADIUS (various), Local and cached Windows passwords, Peregrine ServiceCenter, Remedy ARS, Clarify eFrontOffice, NAI Magic, Tivoli ADSM, IBM OLAP, IBM Tivoli Access Manager Connected Backup
ID-Synch includes a number of flexible agents, each of which is programmable (and thus can be said to embody an SDK (software development kit)). These agents allow organizations to integrate ID-Synch with custom and vertical market applications quickly, with a minimum of programming or scripting.
Flexible agents expose a number of processes, including:
- Binding to an existing management API (application programming interface) (Java, Win32, Unix, COM, etc.).
- Screen-scraping Telnet, TN3270, TN5250, SSH and raw TCP socket connections.
- Navigating through web-based administration user interfaces over HTTP and HTTPS, with support for cookies, form parsing, redirects, etc.
- Executing arbitrary SQL code on Oracle, Sybase, MSSQL, DB2/UDB, Informix and other (ODBC) types of databases.
- Executing command-line administration programs on Unix (via local agent) and Win32 (on the ID-Synch server).
- Manipulating arbitrary attributes in an LDAP directory.
- Posting updates to a web service (SOAP or other XML dialect over HTTP or HTTPS).
- Sending messages using MQ Series.
Organizations that wish to write a completely new agent to a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as a command-line or web service target using the appropriate ID-Synch flexible agent.
An effort of 4 hours to 4 days is typically required to integrate ID-Synch with a custom or vertical market application. This compares favorably with competitors' products, where a custom Java or other 3GL connector must be written from scratch, taking weeks or months and requiring the ID-Synch administrator to have significant programming experience and the ability to learn how to use a new framework and API quickly.
In most cases, ID-Synch does not require the installation of local agent software on target systems. The only exceptions to this are two applications which do not publish a remote administration facility at all: RSA Authentication Manager servers and Entrust getAccess servers.
ID-Synch does include local agents for deployment on Unix and OS/390/zOS servers. While users and passwords on these systems can be managed without a local agent -- by emulating a terminal session of Telnet, TN3270 or using SSH -- such terminal connections are slower, less reliable and (except for SSH) less secure than what is possible with a local agent.
Ultimately, the organization must decide whether reduced change control or more secure, fast and reliable administration are more important on Unix and OS/390/zOS systems and therefore make a determination about whether local agents will be installed on these systems.
In no case do the provided local agents interfere with the target system's normal operation -- the login process on each target system remains the same and no significant CPU or other load is placed on target systems.
Process Integration
Identity management is integral to an organization's business processes, and ID-Synch is designed to integrate with existing processes and systems:
- Monitoring authoritative directories / rules-based user provisioning
ID-Synch can monitor an existing system of reference, and create or delete accounts on managed systems based on changes. This works with HR systems, LDAP directories or simple text file extracts.
- Routing requests
By default, change requests are routed based on the resources specified. For example, all requests for accounts payable access go to one or more authorizers attached to that account type.
The list of authorizers required to approve a request may be adjusted based on other variables:
- The identity of the requester (e.g., Executives submitting requests may not require approval; others may require approval by someone in their management chain.)
- The identity of the recipient.
- Other attributes of the request (location, department code, etc.).
To maximize flexibility, the process of adjusting the list of authorizers is implemented with a plugin architecture.
- Assigning new, standard login IDs
Login IDs for new accounts can be assigned manually by a designated approver, or automatically by a plugin program that implements site-specific logic (for example, rules such as first initial + last name + unique digit).
- Escalating requests for authority
ID-Synch supports many features to ensure that requests for authorization are satisfied quickly:
- Grouping authorizers, and only requiring approval from a subset of each group.
- Temporarily delegating authority, so that authorizers can safely leave for holidays and other absences.
- Sending reminders to unresponsive authorizers.
- Automatically escalating unfulfilled requests for approval.
- Acting on behalf of existing processes
Some organizations already have a working, automated process to submit, route and approve change requests. What these organizations require is automation to act on approved requests.
ID-Synch exposes both a web service and library-level RPCs to enable existing workflow processes to trigger administration actions, such as creating new accounts and updating or deactivating existing ones, on managed systems.
Scalability
Scalability in a combined system for user provisioning, access management and password management is primarily relevant to the password management component:
- User provisioning is uniform over time -- change requests and administrative actions may take place on any day, at any hour. In other words, users may be hired, moved or terminated at any time.
- In contrast, password management is bursty. Most password changes happen at login time in the morning with the largest spikes occurring directly after a weekend or holiday.
- Password management and in particular password synchronization, is needed periodically by all users, not just those being hired, moved or terminated.
Typical peak transaction rates for a 10,000 person organization are 10 events/hour for provisioning and 5,000 events/hour for password synchronization.
Accordingly, the following discussion focuses on P-Synch®, since password management requires extreme scalability, which account provisioning does not. ID-Synch is built on the same scalable architecture, but simply does not require the same benefits.
P-Synch has been deployed by very large corporations. Some anecdotal examples of large scalability include:
- Organizations with over 250,000 P-Synch users managing passwords on a single P-Synch instance, load balanced between just two servers.
- Users distributed over six continents.
- A single P-Synch instance, running on a single server, managing passwords on over 500 password systems.
- A customer who deployed 20 P-Synch servers, with real-time data replication between them, to allow users to access the system even in the face of network outages.
The P-Synch architectural features that support scalability include:
- The ability to install multiple instances per server.
- The ability of instances to span multiple servers, where each server in a group is functionally identical, supporting the same users, systems and features.
- A built-in, high-performance identity cache, which includes server-to-server data replication in real time. This engine has been benchmarked at millions of record updates per second on Windows/Intel servers. The database uses standard, open-format files (xBase/DBF) to ensure compatibility with existing reporting and analytical tools.
- Built-in services to monitor server health and dynamically update DNS records; for example to remove a malfunctioning server from load balancing rotation.
In addition, P-Synch incorporates many features that, while not directly performance-related, are required by large organizations:
- The ability to operate across firewalls: between the user and P-Synch, as well as between P-Synch and managed systems.
- Inclusion of a proxy service, which allows a P-Synch server in one location to manage passwords elsewhere, across slow and/or insecure WANs.
- Support for multiple user interfaces and UI languages per server instance.
- Auto-discovery of user IDs on managed systems, to eliminate ongoing manual administration and to minimize initial setup effort.
- The ability to support self-service password reset, without deploying desktop software, for users who have forgotten their network OS (NOS) login password (secure kiosk account).
- Support for 21 user interface languages.
Security
ID-Synch improves the security of user access administration processes:
- When users leave the organization, their systems access is terminated promptly and reliably.
- All access changes are subject to a rigorous, globally-enforced approvals process.
- Audit reports listing accounts per user and access privileges across systems can be generated easily and used to identify and remove inappropriate access privileges.
- Access change history, including who submitted each request, who approved it and the change details, is logged and available as an audit trail.
- Orphan and dormant accounts are easily identified and can then be deactivated and deleted.
- New accounts are created in compliance with security policy and standards.
- Initial passwords are never set to default, guessable values and are never transmitted in plaintext e-mail.
ID-Synch is designed to be secure. It is protected using a multi-layered security architecture, which includes running on a hardened OS, using file system ACLs, providing strong application-level user authentication, filtering user inputs, encrypting sensitive data, enforcing application-level ACLs, storing log data indefinitely and more.
ID-Synch never requires plaintext passwords to be stored in configuration files or scripts and does not store plaintext passwords anywhere. ID-Synch does not ship with a default administrator password -- one must be typed in at installation time.
These security measures are illustrated in Figure [link].
Network architecture security diagram
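As an added example (not ID-Synch code), the checks behind the termination, audit-report and orphan/dormant points above: a constructed HR feed and a constructed list of discovered accounts are reconciled to flag enabled accounts whose owner has left, accounts nobody owns, and accounts unused for longer than a threshold (90 days is an assumption), together with a per-user account report and a CSPRNG-based initial password generator that never produces a default value. System names, logins, person IDs and dates are all invented.

```python
# Added example, not ID-Synch code: termination / orphan / dormant account checks
# over constructed data, plus non-default initial password generation.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
import secrets
import string

@dataclass(frozen=True)
class HRRecord:
    person_id: str
    status: str                  # "active" or "terminated"

@dataclass(frozen=True)
class Account:
    system: str
    login_id: str
    owner: Optional[str]         # person_id from login ID reconciliation, None if unclaimed
    last_login: Optional[date]   # None if the account has never been used
    enabled: bool

# Constructed sample data (no real identities).
HR: Dict[str, HRRecord] = {r.person_id: r for r in (
    HRRecord("p100", "active"),
    HRRecord("p101", "terminated"),
    HRRecord("p102", "active"),
)}
TODAY = date(2024, 3, 1)
ACCOUNTS: List[Account] = [
    Account("AD",   "jsmith",  "p100", TODAY - timedelta(days=2),   True),
    Account("AD",   "bjones",  "p101", TODAY - timedelta(days=30),  True),   # owner terminated
    Account("Unix", "svc_old", None,   TODAY - timedelta(days=400), True),   # nobody owns it
    Account("SAP",  "mlee",    "p102", TODAY - timedelta(days=120), True),   # unused for months
    Account("SAP",  "jsmith",  "p100", None,                        True),   # never logged in
    Account("AD",   "tmp01",   None,   None,                        False),  # already disabled
]

def classify(accounts, hr, today, dormant_after_days=90):
    """Return (system, login_id, reason) for every enabled account that should be
    deactivated.  Reasons are tested most-urgent first, so each account gets one."""
    findings: List[Tuple[str, str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue                       # already deactivated; nothing to do
        owner = hr.get(a.owner) if a.owner else None
        if owner is None:
            reason = "orphan"              # no HR record claims it (or owner unknown to HR)
        elif owner.status == "terminated":
            reason = "terminated-owner"    # access should already have been revoked
        elif a.last_login is None or (today - a.last_login).days > dormant_after_days:
            reason = "dormant"
        else:
            continue
        findings.append((a.system, a.login_id, reason))
    return findings

def accounts_per_user(accounts):
    """Audit view: every login on every system, grouped by owner."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        report.setdefault(a.owner or "<unowned>", []).append(f"{a.system}:{a.login_id}")
    return report

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def initial_password(length=16):
    """A per-user random initial password from the OS CSPRNG; resampled until every
    character class is present so the value also passes a typical complexity policy."""
    if length < 4:
        raise ValueError("too short to satisfy the character-class policy")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

if __name__ == "__main__":
    for finding in classify(ACCOUNTS, HR, TODAY):
        print(*finding)
    print(accounts_per_user(ACCOUNTS))
```

The ordering inside `classify` matters: an account whose owner has been terminated is reported as such even if it is also dormant, because revoking it is the urgent action; the dormancy window is a policy choice and is passed in so different systems can use different thresholds.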
Rapid Deployment
Hitachi ID solutions are optimized for rapid deployment, and this is a core design characteristic of all our products. Features such as dynamic workflow, elimination of role engineering, auto-discovery and self-service login ID reconciliation are intended specifically to eliminate the cost and delays that separate product acquisition from production deployment.
ID-Synch is designed for rapid deployment:
- Single, Dynamic Workflow for Change Authorization
Simplifies setup and maintenance of authorization processes. A single flow-chart (state diagram) is used to authorize all requests in the ID-Synch workflow engine. The ID-Synch workflow engine supports:
- Parallel change authorization.
- Authorizers who can reroute or rewrite change requests.
- Multiple groups of multiple authorizers.
- Automatic reminders to unresponsive authorizers.
- Automatic escalation, when authorizers continue to be unresponsive.
- Delegation -- for example, when authorizers take extended leaves of absence.
- Authorizers with veto power over some or all of a request.
Using a single, dynamic workflow, enterprises can focus on the key questions in an identity management workflow system:
- Is the change request syntactically correct and legitimate?
- Whose authority is required to authorize this change?
- No requirement for role engineering
ID-Synch works without a formal model of user privileges. Automation can provision coarse-grained access for new users, and terminate all access for departed staff, without a detailed model of rights per role or a detailed classification of users into roles. Workflow addresses the need for fine-grained access provisioning triggered by human requests, again without a formal model of privileges. Privilege accumulation is addressed by engaging managers, application owners and group owners to clean up current entitlements, rather than attempting to model what is "appropriate" for a dynamic user base.
Role engineering projects can take years to complete and in fact are much more likely to be terminated than completed. Eliminating the need for detailed role engineering is a significant contributor to ensuring project success and lowering user provisioning project cost.
- Cloning model users
ID-Synch creates new users by cloning existing ones, which have been identified by the ID-Synch administrator as "models." This eliminates the need for ID-Synch administrators and platform administrators to collaborate in specifying hundreds of attribute values for each type of new user, on each managed system.
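The single dynamic workflow and the model-user cloning described in the list above, as an added example that is not the ID-Synch engine: one small state machine with parallel authorizer groups, a veto-only group, delegation for an absent authorizer, timer-driven reminders and escalation, and a fulfilment step that creates the approved account by cloning a model user. Group names, authorizer names, the timeouts (24 h reminder, 72 h escalation) and the model user's attributes are all assumptions made for the demonstration.

```python
# Added example, not the ID-Synch workflow engine: a single state machine that
# authorizes a change request with parallel authorizer groups, veto rights,
# delegation, reminders and escalation, then fulfils the approved request by
# cloning a model user.  Every name, group and attribute below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Group:
    name: str
    members: List[str]
    required: int = 1                  # approvals needed from this group (0 = veto-only)
    veto: bool = False                 # any one rejection from a member kills the request
    escalate_to: Optional[str] = None  # takes over the group's pending approval on timeout
    decisions: Dict[str, str] = field(default_factory=dict)  # member -> approve | reject

@dataclass
class Request:
    rid: str
    target_user: str
    model_user: str
    groups: List[Group]
    delegates: Dict[str, str] = field(default_factory=dict)  # absent authorizer -> stand-in
    state: str = "PENDING"             # PENDING -> APPROVED | REJECTED
    log: List[str] = field(default_factory=list)

def build_request() -> Request:
    """Constructed request: manager and application owner approve in parallel,
    security need not approve but may veto, and the manager (alice) is on
    leave and has delegated to erin."""
    return Request(
        rid="REQ-1", target_user="newhire", model_user="model_sales",
        groups=[Group("manager", ["alice"], escalate_to="director"),
                Group("app-owner", ["bob", "carol"]),
                Group("security", ["dave"], required=0, veto=True)],
        delegates={"alice": "erin"})

def _evaluate(req: Request) -> None:
    for g in req.groups:
        rejects = sum(1 for d in g.decisions.values() if d == "reject")
        if rejects and (g.veto or len(g.members) - rejects < g.required):
            req.state = "REJECTED"     # a veto, or the group can no longer reach quorum
            return
    if all(sum(1 for d in g.decisions.values() if d == "approve") >= g.required
           for g in req.groups):
        req.state = "APPROVED"

def decide(req: Request, who: str, decision: str) -> str:
    """Record approve/reject from `who`, acting for themself and for anyone who
    delegated to them, in every group where that identity still owes a decision."""
    if req.state != "PENDING":
        raise ValueError(f"{req.rid} is already {req.state}")
    if decision not in ("approve", "reject"):
        raise ValueError("decision must be 'approve' or 'reject'")
    identities = {who} | {a for a, stand_in in req.delegates.items() if stand_in == who}
    acted = False
    for g in req.groups:
        for ident in identities:
            if ident in g.members and ident not in g.decisions:
                g.decisions[ident] = decision
                req.log.append(f"{who} as {ident}: {decision} ({g.name})")
                acted = True
    if not acted:
        raise PermissionError(f"{who} owes no decision on {req.rid}")
    _evaluate(req)
    return req.state

def tick(req: Request, hours_waiting: int, remind_after: int = 24,
         escalate_after: int = 72) -> List[str]:
    """Timer pass: remind silent authorizers, and after escalate_after hours hand a
    group's outstanding approval to its escalation target."""
    actions: List[str] = []
    if req.state != "PENDING":
        return actions
    for g in req.groups:
        pending = [m for m in g.members if m not in g.decisions]
        if not pending:
            continue
        if hours_waiting >= escalate_after and g.escalate_to:
            g.members = [m for m in g.members if m in g.decisions] + [g.escalate_to]
            actions.append(f"escalate {g.name} to {g.escalate_to}")
        elif hours_waiting >= remind_after:
            actions.extend(f"remind {m} ({g.name})" for m in pending)
    return actions

# Constructed model users: attribute sets an administrator marked as templates.
MODEL_USERS = {"model_sales": {"ou": "Sales", "groups": ["sales-ro", "crm-users"],
                               "shell": "/bin/bash"}}
IDENTITY_ATTRS = ("uid", "mail", "password")   # never cloned; always set per person

def fulfil(req: Request, directory: Dict[str, dict]) -> dict:
    """Fulfilment step: create the target account by cloning the model's attributes."""
    if req.state != "APPROVED":
        raise ValueError(f"cannot fulfil {req.rid} in state {req.state}")
    attrs = {k: (list(v) if isinstance(v, list) else v)
             for k, v in MODEL_USERS[req.model_user].items() if k not in IDENTITY_ATTRS}
    attrs["uid"] = req.target_user
    directory[req.target_user] = attrs
    return attrs
```

Two points worth noting: a rejection only closes the request when it is a veto or when the group can no longer collect enough approvals, so one of two parallel application owners saying no does not block the other; and `fulfil` refuses anything not in the APPROVED state, so the fulfilment engine never has to trust the caller's claim that the approvals happened.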
Further rapid deployment features, shared by P-Synch and ID-Synch:
- No client software required, even for access to self-service password reset from the workstation login prompt.
- Automated discovery of every login ID on every managed system, nightly.
- Self-service login ID reconciliation where login IDs on different systems are different and there is no pre-existing correlation data.
- A built-in identity cache that captures user profile data and eliminates the need to install or manage a database or directory before installing ID-Synch.
- Pre-built agents for 70+ systems, eliminating the need for customers to develop their own connectors to common, off-the-shelf target systems.
- Remote agents mean that ID-Synch can manage users and passwords on systems without requiring the installation of intrusive local software on each target system.
- Flexible agents enable organizations to integrate ID-Synch with custom applications, vertical market software, application service providers (ASPs) and service bureaus quickly -- taking just 2 hours to 4 days per new target system.
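Login ID auto-discovery and self-service reconciliation, as an added example that is not ID-Discover or ID-Synch code: logins discovered on several systems are correlated to HR identities by rules tried strongest-first (an e-mail attribute, a free-text name attribute, then the login's naming convention), a rule that fits more than one identity marks the login ambiguous rather than guessing, and an unresolved login is claimed by its user proving they can authenticate to that target system. The profiles, discovered accounts, rule set and credential store are all constructed.

```python
# Added example, not ID-Discover / ID-Synch code: correlate discovered login IDs
# to identities without a pre-existing correlation table, then let a user claim
# what the rules could not settle.  All data below is constructed.
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

PROFILES = [  # authoritative identities, e.g. from HR
    {"person_id": "p100", "name": "Jane Smith",  "email": "jane.smith@example.com"},
    {"person_id": "p102", "name": "Michael Lee", "email": "michael.lee@example.com"},
    {"person_id": "p103", "name": "Mary Lee",    "email": "mary.lee@example.com"},
]
DISCOVERED = [  # (system, login_id, attributes the system's agent could export)
    ("AD",   "jsmith",     {"mail": "Jane.Smith@example.com"}),
    ("Unix", "jane.smith", {"gecos": "Jane Smith"}),
    ("SAP",  "SMITHJ",     {}),
    ("AD",   "mlee",       {"mail": "michael.lee@example.com"}),
    ("Unix", "mlee2",      {"gecos": "M Lee"}),      # Michael or Mary?  rules cannot say
    ("Unix", "backup",     {"gecos": "Backup job"}), # belongs to no person
]

def _norm(s: str) -> str:
    return re.sub(r"[^a-z]", "", s.lower())

def by_email(login, attrs, p):       # strongest: an e-mail attribute that matches HR
    return attrs.get("mail", "").lower() == p["email"].lower()

def by_full_name(login, attrs, p):   # a free-text name attribute (e.g. Unix GECOS)
    return _norm(attrs.get("gecos", "")) == _norm(p["name"])

def by_convention(login, attrs, p):  # weakest: the login itself follows a common scheme
    first, *_, last = p["name"].lower().split()
    return _norm(login) in {first[0] + last, first + last, last + first[0]}

RULES: List[Tuple[str, Callable]] = [
    ("email", by_email), ("name", by_full_name), ("id-convention", by_convention)]

def reconcile(discovered, profiles):
    """Apply rules strongest-first.  A rule that yields exactly one profile decides;
    one that yields several marks the login ambiguous instead of guessing."""
    owned: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    unmatched: List[Tuple[str, str, str]] = []
    for system, login, attrs in discovered:
        outcome = "no-match"
        for rule_name, rule in RULES:
            hits = [p["person_id"] for p in profiles if rule(login, attrs, p)]
            if len(hits) == 1:
                owned[hits[0]].append((system, login, rule_name))
                outcome = None
                break
            if len(hits) > 1:
                outcome = "ambiguous"
                break
        if outcome:
            unmatched.append((system, login, outcome))
    return owned, unmatched

# Constructed credential store standing in for the target system's own login check.
CREDENTIALS = {("Unix", "mlee2"): "s3cret-pw"}

def target_login(system: str, login: str, password: str) -> bool:
    return CREDENTIALS.get((system, login)) == password

def claim(owned, unmatched, person_id, system, login, password, verify=target_login):
    """Self-service reconciliation: the user proves ownership of an unmatched login by
    authenticating to that system; only a successful login records the link."""
    if (system, login) not in {(s, lg) for s, lg, _ in unmatched}:
        raise KeyError(f"{system}:{login} is not awaiting reconciliation")
    if not verify(system, login, password):
        return False
    unmatched[:] = [u for u in unmatched if (u[0], u[1]) != (system, login)]
    owned[person_id].append((system, login, "self-service"))
    return True
```

The weak naming-convention rule is deliberately last and deliberately refuses to pick between Michael Lee and Mary Lee for `mlee2`; a wrong correlation there would later let one person's termination disable the other's account, so the cost of a false match is much higher than the cost of a self-service claim.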
Return on Investment
ID-Synch realizes cost savings for security administrators and enhanced productivity for users:
- User Productivity:
Users get new and changed access more quickly.
New hires can be provisioned in hours rather than days or weeks. Staff with changed responsibilities get updated access privileges immediately, rather than waiting for changes to be approved and implemented.
- Reduced Administration Transaction Volume:
Security administrators are freed from routine tasks.
Routine tasks, such as setting up standard systems access for new users, deactivating access after routine terminations and making changes to user attributes or group memberships can be handled by automated processes and self service. Security administrators are freed to focus on more valuable tasks.
- Improved administrator efficiency:
Administrators can manage user access to multiple systems from a single console.
A consolidated web console allows both global and regional / departmental security administrators to manage any user's access to any combination of systems from a single point. This reduces time wasted switching between native administration programs, duplicate input and platform-specific training.
Summary
Efficient and reliable user provisioning yields better productivity for users, reduced administration overhead, and better security.
ID-Synch allows organizations to streamline their user provisioning, access management and termination processes through:
- Automation / Change Propagation:
Changes to user profiles on authoritative systems (e.g., HR or contractor management) trigger automatic updates to the same users' profiles on managed systems.
- Self service / Workflow:
Users or automatic processes submit change requests -- to provision new access, change existing user profiles or deactivate users. Requests are automatically routed to business users with suitable authority, who approve or reject them. Approved changes are applied to managed systems.
- Consolidation:
Security administrators with an enterprise-wide scope of authority update user access to multiple managed systems from a single security administration console, that creates a consolidated view of multiple security databases.
- Delegation:
Regional or departmental security administrators are granted limited access to manage some users, on some systems, through the consolidated security administration console.
- Fulfillment:
This is not so much a process, as the ability of one user management system to implement changes initiated on another system.
ID-Synch is designed to be scalable, secure and easy to deploy.
Appendix: Hitachi ID Management Suite Overview
Hitachi ID Management Suite is a complete identity management solution enabling organizations to more securely and efficiently manage the user lifecycle across enterprise applications and systems.
Hitachi ID Management Suite combines the power of Hitachi ID's flagship technologies, ID-Synch for user provisioning and P-Synch for password management, with more targeted products including ID-Access® to manage user access rights, ID-Certify® to review user rights and clean up stale privileges and ID-Archive™ to securely manage sensitive credentials.
Hitachi ID Management Suite creates real business value by increasing productivity for users, reducing IT overhead, strengthening network security and providing internal controls to support compliance with privacy protection and corporate governance regulations.
Hitachi ID Management Suite is designed as identity management middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and authentication factors across multiple systems and platforms. This is illustrated in Figure [link].
Hitachi ID Management Suite Overview: Identity Middleware
Hitachi ID Management Suite includes several functional identity management modules:
- ID-Synch -- User Provisioning.
  - Automated propagation of changes to user profiles, from systems of record to target systems.
  - Self-service workflow, for security change requests.
  - Consolidated and delegated user administration.
  - Federated user administration, through a SOAP API (application programming interface) to a user provisioning fulfillment engine.
  - Consolidated access reporting.
- ID-Certify -- Access Certification.
  - Delegated access reviews, with roll-up of audit results and certification to the top of the management structure.
- P-Synch -- Password Management.
  - Password synchronization.
  - Self-service and assisted password reset.
  - Enrollment and management of other authentication factors, including Q-A (Question-and-Answer) profiles, hardware tokens, biometric samples and PKI certificates.
- ID-Access -- Group Management.
  - Self-service and delegated administration of group membership in Active Directory groups and Exchange 2000/2003 mail distribution lists.
- ID-Org™ -- Enterprise Orgchart Management.
  - Self-service construction and maintenance of data about lines of reporting in an organization.
- ID-Archive -- Privileged Password Management.
  - Periodically randomize local admin credentials.
  - Ensure that IT staff access to sensitive credentials is authenticated, authorized and logged.
- P-Synch/SSO® -- Reduced Enterprise Signon.
  - Automatically sign users into systems and applications.
  - Eliminate the need to build and maintain a credential repository, using a combination of password synchronization and artificial intelligence.
- ID-Telephony® -- Telephone-based Password Reset.
  - Turn-key telephony-enabled password reset, including account unlock and RSA SecurID token management.
  - Numeric Q&A or voice-print authentication.
  - Support for multiple languages.
- ID-Discover® -- Login ID Auto-discovery and Reconciliation.
  - Automatic discovery of login IDs.
  - Automated and self-service reconciliation of non-standard login IDs.
  - Access reporting and cleanup of orphan and dormant accounts.
The relationships between Hitachi ID Management Suite components are illustrated in Figure [link].
Components of Hitachi ID Management Suite