This white paper describes the Hitachi ID Password Manager password management software. It identifies business problems associated with the operation of password systems and describes how these problems are resolved using Password Manager features.

Password Manager is a total password management solution. It is intended to reduce the cost of ownership of password systems and simultaneously improve their security. This is done through:
• Password synchronization:
Helping users to maintain a single, strong password across their login IDs.
• Password policy:
Enforcing robust password composition, expiration and history rules across all systems, regardless of the capabilities of their native password policy mechanisms.
• Self-service password reset:
Enabling users who have forgotten their password or triggered an intruder lockout to self-authenticate and resolve their own problem, without incurring a call to the help desk.
• Assisted password reset:
Streamlining password reset calls to the help desk, so that they are consistently secure and short.

Password Manager may be deployed to support internal user populations, characterized by modest numbers of complex users (i.e., fewer than a million users, typically with 5 – 7 login ID/password pairs each).
Password Manager may also be deployed to support Extranet user populations, characterized by larger numbers of simple users (typically over a million users, but with just a single LDAP ID each and infrequent logins).
Enterprise Scale Password Management With Hid Pw Manager
2014 Hitachi ID Systems, Inc. All rights reserved.

As users access ever more systems and applications, they accumulate passwords and other authentication factors. Complexity that arises in managing multiple login technologies leads to IT support and security problems: high help desk call volumes, written passwords, lost or stolen OTP tokens and smart cards, etc. Effective password management addresses these problems by helping users to manage all of their authentication factors in an integrated manner. Passwords are synchronized, so there are fewer to remember. Self-service allows users to reset their own forgotten or locked out passwords or PINs and unlock PCs with encrypted disks. A single process is used to enroll security questions, mobile phone numbers and biometric samples. The entire solution is made available from full screen or mobile phone web browsers, phone calls or PC login screens.

Contents
1 Introduction
2 Business Drivers: IT Support for Passwords and PINs
3 Technical Challenges: Hard-To-Support Passwords
3.1 Locked Out Users
3.2 Cached Credentials
3.3 Replication Delays
3.4 Forgotten Passwords for Full Disk Encryption
3.5 Mobile, Disconnected Users
3.6 Managing PKI Passwords
4 Hitachi ID Password Manager Features
4.1 Password Synchronization
4.2 Self-service Password Reset
4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks
4.4 Assisted Password Reset
4.5 Password Policy Enforcement
4.6 Password Expiration / Aging Enforcement
4.7 Preventing Password Reuse
5 Solution Architecture
6 Self-Service: Access and Authentication
6.1 Access For Locked Out Users
6.2 Authenticating Users Without Passwords
6.3 Authentication Chains
7 User Enrollment: Maximizing Adoption
8 Telephony Integration
9 Managing PKI Certificate Passwords
10 Support for Mobile, Disconnected Users
11 Overcoming Active Directory Replication Delays
12 Built-in Single Sign-on Technology
13 Return on Investment
14 Platform Support
15 Rapid Deployment

Large Scale Password Management With Password Manager

1 Introduction
This white paper describes self-service management of authentication factors in general and Hitachi ID Password Manager in particular. It shows how product features and best practices address business problems.

Hitachi ID Password Manager is a solution for managing all of a user's authentication factors. This lowers IT support cost and improves security through:
• Password synchronization: Helping users to maintain a single, strong password across multiple systems and applications.
• Single sign-on: Automatically signing users into applications.
• Password policy enforcement: Ensuring that new passwords are hard to guess, are changed frequently and that old passwords are not reused.
• Self-service password and PIN reset: Enabling users who have forgotten their password, forgotten the PIN for their hardware token or smart card or who have triggered an intruder lockout to authenticate themselves and resolve their problem from any location, using any device, without calling the help desk.
• Cryptographic key recovery: Allowing users who forgot the password that activates their PC at boot time to resolve their problem without speaking to a support analyst.
• Assisted password and PIN reset: Streamlining IT support calls to resolve login problems.

2 Business Drivers: IT Support for Passwords and PINs
Users who must manage multiple passwords to corporate systems and applications have usability, security and cost problems.

Users have too many passwords. Each password may expire on a different schedule, be changed with a different user interface and be subject to different rules about password composition and reuse. Some systems are able to force users to select hard-to-guess passwords, while others are not. Some systems require that users change their passwords periodically, while others cannot enforce expiration. Users have trouble choosing hard-to-guess passwords. Users have trouble remembering passwords, because they have too many of them or because they chose a new password at the end of the day or week, and didn't have an opportunity to use it a few times before going home.

These problems drive users to choose trivial passwords, to avoid changing their passwords and to write down their passwords. All of these behaviors can compromise network security.

When users do comply with policy and regularly change their passwords to new, hard-to-guess values, they tend to forget their passwords and must call the help desk. Password and login problems are the top incident type at most IT help desks, frequently accounting for 25% or more of total call volume.

In addition to the above security and support cost problems, users simply don't like memorizing and typing passwords. Password management is a nuisance that contributes to a negative perception of IT service.

Despite all these problems, passwords will continue to be needed for years to come:
1. Passwords are significantly less expensive to deploy and support than other technologies.
2. Other authentication technologies, such as biometrics, smart cards and hardware tokens, are typically used along with a password or PIN, i.e., something you have (smart card, token) or something you are (biometric) plus something you know (password, PIN).
3. Passwords are an important backup to other authentication technologies:
(a) Hardware devices can be lost or stolen or simply left at home.
(b) Some devices from which users need to access corporate systems, such as smart phones and home PCs, may not support more advanced authentication methods.

Since passwords are not going away and remain difficult for users to manage, solutions are needed to help users more effectively manage their passwords.

3 Technical Challenges: Hard-To-Support Passwords
Enabling synchronization and self-service reset for passwords on centralized servers is reasonably straightforward. Technical problems arise, however, with locked out users, mobile users, cached credentials and PKI.

3.1 Locked Out Users
Users often forget their initial network login password or inadvertently trigger an intruder lockout.
These users should be able to get assistance, reset their network or local password, clear intruder lockouts and get back to work. Since these users have a problem with their workstation login, they cannot access a conventional web browser or client/server application with which to resolve their problem. The problem these users face is how to get to a user interface, so that they can fix their login problem and subsequently access their own workstation desktop.

This problem is especially acute for mobile users, who use cached domain passwords to sign into their workstation and who may not be attached to the corporate network when they experience a forgotten password problem.

3.2 Cached Credentials
Windows workstations cache user passwords, typically the primary password a user types at the login screen, which was authenticated against Active Directory. This is done for two reasons:
1. To enable users to log into their workstation while detached from the network (example: traveling laptop).
2. To automatically sign the user into resources, such as shared file and print services, without having to ask the user to retype his password.

When a user changes his password using the network client software on the workstation (e.g., ctrl-alt-del method), the network client automatically updates its cached password.

On the other hand, if a user is logged into his workstation and simultaneously his password is reset elsewhere on the network, for example by the help desk or by the user himself on a second concurrently logged in workstation, then the cached password on the workstation will not change; it will simply be wrong. Similarly, if the user forgets his password and it is reset on the network while his PC is disconnected (e.g., remote), the new password will not be copied to the workstation until it is re-attached to the network.

An invalid, cached password causes several problems:
1. If the user's PC is not attached to the network when his password changes, the user will be unable to use the new password on his PC until he re-attaches to the network.
2. If the user's PC is attached to the network and the user attempts to access a network resource (file server, print queue, etc.), the workstation may send an incorrect, cached password to the network resource, which will increment the user's invalid login attempts counter. Repeated connection attempts will trigger an intruder lockout.

3.3 Replication Delays
Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This can create problems for remote users who inadvertently trigger a lockout and subsequently call a central help desk for assistance. The help desk will typically clear the user's lockout on a domain controller near the help desk. This cleared lockout may take a long time (hours) to reach the domain controllers against which the user wishes to authenticate or which service network resources that the user wishes to access. This problem is especially acute in global organizations, with hundreds of domain controllers, that employ a global IT support function.

Note that AD password change replication is described here: http://technet.microsoft.com/en-us/library/cc772726.aspx

3.4 Forgotten Passwords for Full Disk Encryption
Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login.
If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.

3.5 Mobile, Disconnected Users
Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible:
1. Expensive: the user must physically bring (or mail) the laptop to a corporate location, so that the PC can re-authenticate to the AD domain and cache the user's newly reset password.
2. Insecure: alternately, the help desk can give the traveling user the login ID and password of an alternate login ID, which is defined on the user's PC (not a domain account), whose security will henceforth be compromised.
3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID.

While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.

3.6 Managing PKI Passwords
Public key infrastructures typically deploy certificate files on PCs and smart cards. This enables users to access encrypted documents, send and receive encrypted e-mail and (with smart cards) perform multi-factor authentication, even while disconnected from the corporate network.

Certificate files are typically encrypted and decrypted using a user's personal password or smart card PIN. In other words, users have a PKI password, which is not necessarily stored on any server. Rather, this password is used to unlock the user's personal certificate file. This is true of both standards-based PKI, using X.509 certificates, and proprietary PKI, using Lotus Notes ID files.

PKI passwords, including Lotus Notes ID file passwords, are difficult for IT organizations to support because they cannot be administratively reset:
1. The PKI certificate may exist in multiple locations: one or more PCs, network home directories, USB flash drives, smart cards, etc.
2. Some of these locations may be inaccessible to a password management server on the network.
3. The PKI certificate must be decrypted, using the current password, before it can be re-encrypted with the new password. In other words, there is no notion of an administrative password reset that does not rely on knowledge of the current password.

4 Password Manager Features
Hitachi ID Password Manager is designed to reduce the cost and improve the security of password systems:

4.1 Password Synchronization
Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.

Password synchronization is an effective mechanism for addressing password management problems on an enterprise network:
• Users with synchronized passwords tend to remember their passwords.
• Simpler password management means that users make significantly fewer password-related calls to the help desk.
• Users with just one or two passwords are much less likely to write down their passwords.

There are two ways to implement password synchronization:
• Transparent password synchronization, where native password changes that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications.
• Web-based password synchronization, where users are asked to change all of their passwords at once, using a web application, instead of continuing to use native tools to change passwords.
One of the core features of Hitachi ID Password Manager is password synchronization. Password Manager implements both transparent and web-based password synchronization.

4.2 Self-service Password Reset
Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk.

Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their workstation login prompt, using their own or another user's web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a biometric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set.

Self-service password reset expedites problem resolution for users after a problem has already occurred and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks.

One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.

4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks
Hitachi ID Password Manager includes key features to assist mobile users:
1. E-mail notification to users about upcoming password expiry, since the notice displayed at the Windows login prompt is not shown to users away from the office.
2. Support for resetting forgotten encryption keys for users whose PCs are protected with full disk encryption.
3. Support for resetting forgotten passwords or PINs from the login prompt, even if the user is away from the office and is not physically attached to the Internet.

4.4 Assisted Password Reset
Hitachi ID Password Manager includes an assisted password reset web portal, which allows IT support staff to help callers without having direct administrative access to target systems:
• Support staff sign into Password Manager with a web browser. Support staff can be authenticated using IDs and passwords internal to Password Manager or use pass-through authentication to an existing system. For example, support staff may sign into Password Manager using their Active Directory ID and password, with Password Manager validating the membership of each support technician in a designated AD security group and granting appropriate Password Manager privileges based on that group membership.
• From the Password Manager web interface, support staff can search for the caller's profile by login ID or full name.
• Support staff can be required to authenticate the caller, for example by keying answers to some of the user's personal questions, which Password Manager can validate against its own back-end database or an external database, directory or web service. Note that the same, different or overlapping security questions can be used for assisted and self-service authentication processes.
• Once both the support technician and caller have been authenticated, support staff can reset the caller's password, lock or unlock the caller's access to Password Manager or update the caller's profile. Assisted password resets may be configured to also expire the new password, requiring the user to change it on the next login.
• All transactions (IT support login, user profile lookup, successful or failed password reset and more) may trigger e-mails to the user, to the support technician or to a third party, such as a security officer. The same events can also trigger automatic creation, update or closure of tickets in an incident management system.
• Since only a single, simple web interface is used, an assisted password reset is normally completed in 1–2 minutes.
• The right of one user to reset another user's password may be global (e.g., global IT support team) or based on the requester/recipient relationship (e.g., departmental or regional IT support can only assist in-scope users). Moreover, which passwords a given user can reset can be controlled by policy.
• At no point in the process does an IT support technician require administrative access to the systems where passwords are being reset. Instead, Password Manager uses its own credentials to sign into target systems, and these are encrypted in an internal Password Manager database.

Assisted password reset reduces the cost of password support calls and ensures that such calls are handled in a consistent, secure fashion.

4.5 Password Policy Enforcement
Hitachi ID Password Manager is normally configured to enforce a uniform password policy across all systems, to ensure that any new password will be acceptable to every integrated system. This provides the most clear and understandable experience to users. Password Manager is configured such that it will never accept or attempt to propagate a password that will not meet this global password policy.

For instance, in the case of an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the (older) mainframe, Password Manager can require that passwords be exactly 8 characters long. Alternately, Password Manager can support longer passwords, but truncate them when it updates the mainframe. (Users generally prefer the preset length rule, as it is easier to understand than automatic truncation.)

In general, systems enforce one of two types of password rules:
• Complexity requirements ensure that users do not select easily-guessed passwords. Example rules are: disallowing any permutation of the user's login ID, password history, requiring mixed letters and digits, forbidding dictionary words, etc.
• Representational constraints limit what can be physically stored in a password field on a given system. Usually there are just two such rules: maximum length and allowable character set.

A global password policy is normally created by combining and strengthening the best-of-breed complexity requirements from each system affected by the policy. Password Manager then combines these with the most restrictive representational constraints. This forces users to select strong, secure passwords on every system.

The alternative, of defining different password policies for every target system or for groups of target systems, is considered to be user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, etc. Users must then remember multiple passwords and will continue to experience many password problems. It has been shown that users with many passwords have a strong tendency to write down their passwords.

4.6 Password Expiration / Aging Enforcement
To enforce password expiration and to get users to trigger web-based password synchronization, Hitachi ID Password Manager is configured to detect upcoming password expiration on individual systems (e.g., Windows, AD, LDAP, etc.)
or based on the last time a user changed his passwords using Password Manager, and to remind users to change their passwords using the Password Manager web UI.

Password expiration is normally configured so that users change their passwords with the Password Manager web portal on a shorter expiry interval than the native password expiry on any system. This way, Password Manager prompts users to change passwords before any other system does, and users are never prompted to change expired passwords by other systems or applications.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.

Users can be notified of upcoming password expiration by e-mail. Alternately, a small client program can be triggered at user login time, which checks whether the user currently logging in is on the list of soon-to-expire users and, if so, opens the user's default web browser to a URL that asks the user to change his passwords. The same small program can be used to make the password change mandatory, by opening a kiosk-mode web browser to the password change web portal and requiring the user to change passwords before they can close this browser and access their desktop.

4.7 Preventing Password Reuse
In Hitachi ID Password Manager, password history is infinite by default. Unless specifically allowed, users are prevented from reusing passwords at all. Where password reuse is allowed, it is based on a time interval, rather than the number of intervening password changes. Password history is stored in a one-way, non-reversible hash (SHA-1 plus 64-bit random salt).

5 Solution Architecture
Hitachi ID Password Manager is designed for:
• Security: Password Manager is installed on hardened servers.
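Returning to sections 4.5 and 4.7 above: an added Python example (not Hitachi ID's code) of the policy model described there. Complexity rules from each target are unioned, representational constraints (maximum length, allowable character set) are intersected, and history entries are SHA-1 digests with a 64-bit random salt and a time-based reuse rule that defaults to never. The AD and z/OS constraint values, the word list and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SystemConstraints:
    """Representational constraints: what a system can physically store."""
    max_len: int
    charset: frozenset


# Constructed, illustrative values for the two systems named in section 4.5,
# not taken from either platform's documentation.
ACTIVE_DIRECTORY = SystemConstraints(127, frozenset(string.ascii_letters + string.digits + string.punctuation))
ZOS_MAINFRAME = SystemConstraints(8, frozenset(string.ascii_letters + string.digits + "@#$"))
DICTIONARY = {"summer", "winter", "password", "welcome"}   # stand-in for a real word list


def combine_constraints(systems: List[SystemConstraints]) -> Tuple[int, frozenset]:
    """Most restrictive representational constraints across all targets."""
    max_len = min(s.max_len for s in systems)
    charset = frozenset.intersection(*(s.charset for s in systems))
    return max_len, charset


def contains_login_permutation(login: str, password: str) -> bool:
    """True if any substring of the password is a permutation of the login ID."""
    lo, pw, key = login.lower(), password.lower(), sorted(login.lower())
    return any(sorted(pw[i:i + len(lo)]) == key for i in range(len(pw) - len(lo) + 1))


def check_password(login: str, password: str, systems: List[SystemConstraints], min_len: int = 8) -> List[str]:
    """Return the policy violations for a candidate (empty list = acceptable)."""
    max_len, charset = combine_constraints(systems)
    problems = []
    # Representational constraints: never propagate what a target cannot store.
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if set(password) - charset:
        problems.append("characters not accepted by every system: " + "".join(sorted(set(password) - charset)))
    # Complexity requirements: the strongest rule from each system, unioned.
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix letters and digits")
    if contains_login_permutation(login, password):
        problems.append("contains the login ID or a permutation of it")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems


class PasswordHistory:
    """Salted SHA-1 history; reuse is governed by elapsed time, not change count."""

    def __init__(self, reuse_after: Optional[timedelta] = None):
        self.reuse_after = reuse_after       # None: infinite history, never reuse
        self._entries: List[Tuple[bytes, bytes, datetime]] = []

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha1(salt + password.encode("utf-8")).digest()

    def add(self, password: str, when: datetime) -> None:
        salt = os.urandom(8)                 # 64-bit random salt per entry
        self._entries.append((salt, self._digest(salt, password), when))

    def is_blocked(self, password: str, now: datetime) -> bool:
        """True if the value was used before and the reuse interval has not elapsed."""
        for salt, digest, when in self._entries:
            if hmac.compare_digest(self._digest(salt, password), digest):
                if self.reuse_after is None or now - when < self.reuse_after:
                    return True
        return False


def demo() -> Dict[str, object]:
    """Scenarios from the text, returned as a dict so they can be inspected."""
    targets = [ACTIVE_DIRECTORY, ZOS_MAINFRAME]
    t0 = datetime(2014, 1, 1)
    forever = PasswordHistory()                          # default: infinite history
    yearly = PasswordHistory(reuse_after=timedelta(days=365))
    for hist in (forever, yearly):
        hist.add("Tr0ub4dr", t0)
    return {
        "max_len": combine_constraints(targets)[0],                     # 8, from z/OS
        "ok": check_password("jsmith", "Tr0ub4dr", targets),            # []
        "permutation": check_password("jsmith", "hmsjit12", targets),   # login ID permuted
        "too_long": check_password("jsmith", "Tr0ub4dor!", targets),    # length and '!'
        "blocked_forever": forever.is_blocked("Tr0ub4dr", t0 + timedelta(days=400)),
        "blocked_30d": yearly.is_blocked("Tr0ub4dr", t0 + timedelta(days=30)),
        "blocked_400d": yearly.is_blocked("Tr0ub4dr", t0 + timedelta(days=400)),
    }
```

Because the shortest maximum length wins, the combined policy rejects any value longer than 8 characters before it is ever sent to a target, which is the behaviour the text prefers over silent truncation.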
All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.
• Scalability: Multiple Password Manager servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, distributed architecture that is very easy to set up, as replication is handled at the application layer.
• Performance: Password Manager uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which help to minimize communication overhead between the application and database. All Password Manager code is native code, which provides a 2x to 10x performance advantage as compared to Java or .NET.
• Openness: Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).
• Flexibility: Both the Password Manager user interface and all functionality can be customized to meet enterprise requirements.
• Low TCO: Password Manager is easy to set up and requires minimal ongoing administration.

Figure 1 on Page 11 illustrates the Password Manager network architecture:
• Users normally access Password Manager using HTTPS from a web browser. Multiple Password Manager servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply using DNS round-robin distribution.
• Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.
• Password Manager connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems. Local agents are provided and recommended for Unix servers and z/OS mainframes.
Use of these agents improves transaction security, speed and concurrency.

[Figure 1: Network architecture diagram. Components shown: user; password synch trigger systems; load balancer; SMTP or Notes mail; incident management system; system of record; IVR server; reverse web proxy; firewalls between remote data center and local network; proxy server (if needed); Hitachi ID application server(s) with SQL/Oracle database; VPN server; cloud-hosted SaaS apps; target systems with local agent (OS/390, Unix, older RSA) and with remote agent (AD, SQL, SAP, Notes, etc.). Flows labelled: HTTPS, TCP/IP + AES, secure native protocol, web services, e-mails, tickets, lookup and trigger, native password change, validate PW.]

• A local agent is mandatory on older RSA SecurID servers (version 7.x and later exposes a remote API).
• Where target systems are remote and communication with them is slow, insecure or both, a Password Manager proxy server may be co-located with the target system in the remote location. In this case, servers in the main Password Manager server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.
• Password Manager can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).
• Password Manager can send e-mails to users asking them to register or to notify them of events impacting their profiles. Over 189 events can trigger e-mail notification.
• Password Manager can create tickets on most common incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 189 events can trigger ticket generation. Binary integrations are available for 17 help desk applications and open integration is possible using mail, ODBC, SQL and web services.

6 Self-Service: Access and Authentication

6.1 Access For Locked Out Users
When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer and open a web browser, but cannot open a web browser to fix their password and make it possible to log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen.
Each of these approaches has its own strengths and weaknesses, as described below:

Option 1: Do nothing: users continue to call the help desk.
  Pros: Inexpensive, nothing to deploy.
  Cons: The help desk continues to field a high password reset call volume. No solution for local passwords or mobile users.

Option 2: Ask a neighbor: Use someone else's web browser to access self-service password reset.
  Pros: Inexpensive, no client software to deploy.
  Cons: Users may be working alone or at odd hours. No solution for local passwords or mobile users. Wastes time for two users, rather than one. May violate a security policy in some organizations.

Option 3: Secure kiosk account (SKA): Sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.
  Pros: Simple, inexpensive deployment, with no client software component. Users can reset both local and network passwords.
  Cons: Introduces a generic account on the network, which may violate policy, no matter how well it is locked down. One user can trigger an intruder lockout on the "help" account, denying service to other users who require a password reset. Does not help mobile users.

Option 4: Personalized SKA: Same as the domain-wide SKA above, but the universal "help" account is replaced with one personal account per user. For example, each user's "help" account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
  Pros: Eliminates the guest account on the domain, which does not have a password.
  Cons: Requires creation of thousands of additional domain accounts. Requires ongoing creation and deletion of domain accounts. These new accounts are special: their passwords do not expire and would likely not meet strength rules.

Option 5: Local SKA: Same as the domain-wide SKA above, but the "help" account is created on each computer, rather than on the domain.
  Pros: Eliminates the guest account on the domain. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  Cons: Requires a small footprint on each computer (the local "help" account).

Option 6: Telephone password reset: Users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics and select a new password.
  Pros: Simple deployment of centralized infrastructure. No client software impact. May leverage an existing IVR system. Helpful for remote users who need assistance connecting to the corporate VPN.
  Cons: New physical infrastructure is usually required. Users generally don't like to talk to a machine, so adoption rates are lower than with a web portal. Does not help mobile users who forgot their cached domain password. Does not help unlock PINs on smart cards.

Option 8: Physical kiosks: Deploy physical Intranet kiosks at each office location.
  Pros: Eliminates generic or guest accounts. May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
  Cons: Costly to deploy hardware at many locations. Does not help mobile users who forgot their cached domain password. Users may prefer to call the help desk, rather than walking over to a physical kiosk.

Option 9: GINA DLL: Windows XP: Install a GINA DLL on user computers, which adds a "reset my password" button to the login screen.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). Works on Windows Terminal Server and Citrix Presentation Manager.
  Cons: Requires intrusive software to be installed on every computer. Broken installation or out-of-order un-installation will render the computer inoperable (i.e., "brick" the PC).

Option 10: GINA Extension Service: Similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). More robust, fault-tolerant installation process than the GINA DLL.
  Cons: Requires software to be installed on every computer. Does not work on Citrix Presentation Server or Windows Terminal Server; only works on personal computers.

Option 11: Credential Provider: The equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). Works on Windows Terminal Server and Citrix Presentation Manager. More robust infrastructure than GINA DLLs on Windows XP.
  Cons: Deployment of intrusive software to every workstation.

No other product or vendor supports as many options for assisting users locked out of their PC login screen.

6.2 Authenticating Users Without Passwords

Users may authenticate into Hitachi ID Password Manager as follows:

On the web portal:
• By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F, etc.).
• By answering security questions.
• Using a security token (e.g., SecurID pass-code).
• Using a smart card with PKI certificate.
• Using Windows-integrated authentication.
• Using a SAML assertion issued by another server.
• By typing a PIN that was sent to their mobile phone via SMS.
• Using a combination of these mechanisms.

Using a telephone, calling an automated IVR system:
• By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
• By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

Using a telephone, calling an IT support technician:
• By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

6.3 Authentication Chains

Hitachi ID Password Manager includes a mechanism for authenticating users called authentication chains. This mechanism works by defining sequences of steps that can be used to authenticate a user and defining how the authentication process proceeds from one step to the next.

Authentication chains allow Password Manager to:
1. Offer a user multiple authentication mechanisms. For example, type a password, answer security questions, use a token, etc.
2. Combine authentication mechanisms. For example, a user may be asked to type a password and answer a subset of the security questions in his profile.
3. Select an authentication mechanism based on context. For example, require a user with elevated privileges or a user attached via VPN to satisfy a more robust process than an unprivileged user connected to the corporate network.

Authentication chains allow Password Manager to implement flexible login processes. For example, mobile phones can be used as an authentication factor:
1. During enrollment, users are asked to identify their mobile phone provider and enter their mobile phone number.
2. At authentication time, a user is sent a random PIN via SMS, which he must enter correctly and within a short time window. This establishes that the user is in possession of his phone.
3. A second authentication step is to ask the user to answer a few security questions, which supports the user's claimed identity through something he knows.

7 User Enrollment: Maximizing Adoption

In many organizations, deployment of a password management system requires a user enrollment process. Users may have to provide personal data such as answers to authentication questions (which can subsequently be used to authenticate users who forgot their passwords or triggered a lockout). Users may be asked to attach their non-standard IDs to their profiles. Users may have to provide biometric samples, likewise used for non-password authentication in the event of a future password problem. Finally, users may simply be asked to review and agree to some corporate policy, for example regarding password sharing or writing down their password.

If enrollment is required, it is helpful for the password management system to automate the process by identifying users who must be enrolled, inviting and reminding them to enroll, providing a strongly authenticated enrollment user interface, etc.

Hitachi ID Password Manager includes built-in infrastructure to securely and automatically manage the user enrollment process:
• By monitoring one or more systems of record, Password Manager automatically creates new and removes old profile IDs.
• New users and existing users with incomplete profiles are automatically invited to complete their profiles (e.g., by answering security questions).
• Invitations to enroll may be e-mailed to users.
• Users may be more forcefully reminded to enroll by having a web browser automatically open to the enrollment page when they log into the network.
• Users may be forced to enroll, by opening a kiosk-mode web browser to the enrollment page when they sign into the network, and blocking access to the Windows desktop until users complete their profile. This process is typically controlled by placing users into a "mandatory enrollment" AD group and attaching a suitable GPO to that group.
• To enroll, users must first authenticate. This is normally done by leveraging an existing strong authenticator such as a network password or a token.
• A single, integrated enrollment system supports collecting answers to security questions, mapping different login IDs on different systems back to their owners and collecting biometric voice print samples.
• The enrollment system in Password Manager includes schedule controls. For example, the maximum number of invitations to send daily can be limited, as can the frequency of invitations per user. Days-of-week during which to send invitations are identified, as are holidays during which no invitations should be sent.

8 Telephony Integration

A popular option for extending password reset services to locked out users is to extend this service over a telephone, using an interactive voice response (IVR) system. Users who forget their passwords can dial an IVR system with any telephone and initiate a password reset. Authentication using either touch-tone entry of personal secret information or voice print verification is supported.

Existing IVR systems can be extended using a Hitachi ID Password Manager remote API or Hitachi ID Telephone Password Manager, a turn-key IVR system specifically designed for password resets.

Overview:
Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager credential management solution.
It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex IVR system.

Features:
Telephone Password Manager supports self-service management of authentication factors (credentials) and recovery of disk encryption keys over a telephone with:
• User identification:
Users who call Telephone Password Manager typically identify themselves by typing a personal identifier on a touch-tone telephone keypad. The identifier may be a pre-existing numerical ID, such as an employee number, or a letters-to-digits mapping of an alpha-numeric ID, such as the user's network login ID.
• User authentication:
Once identified, users must be authenticated. Telephone Password Manager supports authentication with a hardware token (e.g., RSA SecurID), by asking the user to key in answers to numeric security questions using the touch-tone keypad on their phone (e.g., driver's license number, SSN, date of birth, etc.) or using an optional biometric voice verification module.
• Password reset:
Once authenticated, users can initiate a password reset. This may be for one or all of their passwords, and the new password may either be randomly generated and read out to the user or user-specified. New passwords may be set to expire after first use.
• PIN reset:
Authenticated users can also use Telephone Password Manager to reset the PINs on their RSA SecurID tokens. A randomly-generated or a user-specified PIN may be used.
• Disk unlock:
Users with a full disk encryption program protecting their computer can use Telephone Password Manager to automate the key recovery process in the event that they forgot the password that unlocks their computer.
• Text to speech:
Telephone Password Manager is normally configured to play .WAV audio files as it asks for user input. It also includes a text to speech mechanism that makes it easier to develop new navigation menus and defer new voice recordings.
• Speech to text:
While text input into Telephone Password Manager is usually made with a touch-tone keypad, Telephone Password Manager can be configured to recognize small dictionaries of spoken words, so that users can make alphanumeric input by speaking the names of letters and digits.
• PBX integration:
Telephone Password Manager can be directly integrated into an existing PBX system, by installing the appropriate (to that PBX system) Dialogic telephony board on each Telephone Password Manager server.
• VoIP integration:
Telephone Password Manager can also be connected to a voice-over-IP network and configured to accept VoIP calls.

Benefits:
Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, remote or locked out users to resolve problems with their password, hardware token or encrypted hard disk on their own, without calling the help desk.

Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering services such as password or PIN reset.
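The authentication chains of Section 6.3 (a password, then a short-lived SMS PIN, then a subset of security questions, with the chain chosen by the user's context) and the touch-tone question authentication that Telephone Password Manager performs in Section 8 are both instances of one small policy engine. The Python block below is an added worked example written for this edit; it is not Hitachi ID code and does not describe Password Manager's internals. The step names, the Context fields, the 300-second PIN window, the two-correct-answers threshold and the sample profile are all assumptions constructed for the illustration.

```python
"""Authentication chains as a small policy engine (added example, not Hitachi ID
code). Step names, Context fields, the 300 s SMS PIN window, the two-answer
rule and the sample profile are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PIN_WINDOW_SECONDS = 300   # assumed "short time window" for the SMS PIN
ANSWERS_REQUIRED = 2       # assumed size of the security-question subset


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for verifying the password against a trusted system."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def normalize(answer: str) -> str:
    """Enrolled answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.strip().lower().split())


@dataclass
class Profile:
    salt: bytes
    password_hash: bytes
    answers: Dict[str, str]          # question id -> normalized enrolled answer
    sms_pin: Optional[str] = None    # outstanding one-time PIN, if any
    sms_pin_issued: float = 0.0      # issue time, epoch seconds


@dataclass
class Context:
    privileged: bool = False         # user holds elevated privileges
    via_vpn: bool = False            # user is attached through the VPN
    channel: str = "web"             # "web" portal or "ivr" telephone


def select_chain(ctx: Context) -> List[Set[str]]:
    """A chain is an ordered list of steps; every step must be passed, and a
    step is passed by any one of the mechanisms named in it."""
    if ctx.channel == "ivr":           # telephone: touch-tone answers only
        return [{"security_questions"}]
    if ctx.privileged or ctx.via_vpn:  # stronger: password, possession, knowledge
        return [{"password"}, {"sms_pin"}, {"security_questions"}]
    return [{"password", "security_questions"}]  # on-network: either suffices


def issue_sms_pin(profile: Profile, now: float) -> str:
    """Generate the one-time PIN; a real deployment delivers it by SMS only."""
    pin = f"{secrets.randbelow(10**6):06d}"
    profile.sms_pin, profile.sms_pin_issued = pin, now
    return pin


def verify_step(mechanism: str, profile: Profile, supplied: dict, now: float) -> bool:
    if mechanism == "password":
        pw = supplied.get("password")
        return pw is not None and hmac.compare_digest(
            hash_password(pw, profile.salt), profile.password_hash)
    if mechanism == "security_questions":
        correct = sum(
            1 for q, a in supplied.get("answers", {}).items()
            if q in profile.answers and hmac.compare_digest(
                normalize(a).encode(), profile.answers[q].encode()))
        return correct >= ANSWERS_REQUIRED
    if mechanism == "sms_pin":
        pin, outstanding = supplied.get("sms_pin"), profile.sms_pin
        profile.sms_pin = None       # single use: any attempt consumes the PIN
        if pin is None or outstanding is None:
            return False
        fresh = (now - profile.sms_pin_issued) <= PIN_WINDOW_SECONDS
        return fresh and hmac.compare_digest(pin.encode(), outstanding.encode())
    return False                     # unknown mechanisms never authenticate


def authenticate(profile: Profile, ctx: Context, supplied: dict,
                 now: Optional[float] = None) -> bool:
    """Run the context-selected chain. all()/any() short-circuit, so a failed
    early step never consumes a PIN that a later step would have checked."""
    now = time.time() if now is None else now
    return all(any(verify_step(m, profile, supplied, now) for m in step)
               for step in select_chain(ctx))


def sample_profile() -> Profile:
    """Constructed enrollment record for the demonstration (not real data)."""
    salt = b"constructed-per-user-salt"
    return Profile(salt, hash_password("Winter-2014!", salt),
                   {"employee_number": "104233", "date_of_hire": "20110307",
                    "city_of_birth": normalize("Calgary")})


if __name__ == "__main__":
    p, t = sample_profile(), time.time()
    strong = {"password": "Winter-2014!", "sms_pin": issue_sms_pin(p, t),
              "answers": {"employee_number": "104233", "date_of_hire": "20110307"}}
    print("VPN chain:", authenticate(p, Context(via_vpn=True), strong, t + 60))
```

Two design choices carry the security weight. A step is a set of alternatives and a chain is a conjunction of steps, which gives the three behaviours the section lists (offer, combine, select by context) with one data structure. The SMS PIN is consumed on any attempt, correct or not, and rejected once the window has passed, so a PIN observed late or replayed is worthless; and because the chain short-circuits, an attacker who cannot pass the password step never gets to probe the PIN at all.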
9 Managing PKI Certificate Passwords

PKI standards generally relate to certificate format and use, not to the administration of certificates: issuance, delivery to users, installation on PCs and smart cards and revocation. Unfortunately, a major cost of PKI is exactly these processes of managing certificates.

Hitachi ID Password Manager includes a significant and mature infrastructure for managing (provision, manage passwords and other attributes, deliver to users and revoke) PKI certificates. Of necessity, this infrastructure combines a general facility, related to business process and certificate storage, with a set of platform-specific bindings for individual PKI/certificate authority products.

Currently, Hitachi ID Systems provides a platform binding for Lotus Notes ID files, which is by far the most widely deployed (though not necessarily standards-based) PKI infrastructure today:

Lotus Notes actually uses two separate passwords for each user:
• HTTPPassword hashes, stored on a Notes / Domino server. These are a straight-forward password hash in a field in an .NSF file on the server. Password Manager can be configured to verify, change and reset these passwords directly.
• Passwords used to encrypt ID files, typically stored on user workstations. These cannot be administratively reset.

1. Password Manager includes technology to help organizations both build out and maintain a repository of every user's ID file, along with a recoverably encrypted password for that ID file.
2. Password Manager simulates password resets on ID files by retrieving an ID file from the repository, opening it with a password from the repository, changing the password to a new value and delivering the new ID file to the user.
3. Both collection of ID files from users, to maintain the repository, and delivery of updated ID files back to users support multiple mechanisms, including file synchronization and a shared staging directory (no client software required) and a Notes Extension DLL installed on user workstations (immediate and silent delivery and collection).

Password Manager is the only product to automate not only ID file password resets, but also construction and maintenance of the ID file repository.

Hitachi ID Systems is working on bindings between the general-purpose PKI administration infrastructure in Password Manager and other PKI products, from Microsoft, Entrust, Verisign, GeoTrust and other PKI vendors. Unfortunately, none of these PKI products is currently widely deployed and customer demand for integrations is therefore limited.

10 Support for Mobile, Disconnected Users

Hitachi ID Password Manager offers a unique set of technologies, collectively referred to as "Self-Service, Anywhere". Using these technologies, users can resolve problems with their passwords, smart cards, tokens or full disk encryption software both at the office and mobile, from any endpoint device.

Self-Service, Anywhere automates problem resolution in a number of technically challenging and business-critical scenarios:

Mobile users warned of password expiry
  Problem: Mobile users are not notified by Windows when their passwords are about to expire. Users who infrequently connect their laptop to the office network, instead checking e-mail with a solution such as Outlook Web Access, suffer regular password expiry and require frequent password resets.
  Solution: Password Manager sends users e-mails warning of imminent password expiry. Users change passwords using a web browser. An ActiveX control refreshes the password on their laptop.
  Business impact: Fewer login problems that cause a work interruption.
  Lower IT call volume and support cost.

Reset forgotten, cached password while away from the office
  Problem: Laptop users sometimes change their password before leaving the office and may forget the new password when they need to use it while not attached to the corporate network. Without a technical solution, the IT help desk cannot resolve these users' problem until they return to the office. User laptops are rendered inoperable until they return to the office.
  Solution: A Password Manager client software component allows users who forgot their primary, cached Windows password and cannot sign into their PC to connect to the Internet over a WiFi hotspot or using an air-card. Users locked out of their PC login screen can also establish a temporary Internet connection using their home Internet connection or a hotel Ethernet service. Once the user's laptop is on the Internet, Password Manager establishes a temporary VPN connection and launches a kiosk-mode (full screen, locked down) web browser. The user steps through a self-service password reset process and Password Manager uses an ActiveX component to reset the locally cached password to the same new value as was set on the network back at the office.
  Business impact: Forgotten passwords are a major work disruption for mobile users, since they cannot be resolved until the user visits the office. Password Manager allows users to re-enable their laptop in minutes.

Unlock encrypted hard disk
  Problem: Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login. If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.
  Solution: Most FDE packages include a key recovery process at the PC boot prompt. This normally involves a challenge/response process between the FDE software, the user, an IT support analyst and a key recovery server. Password Manager can front-end this process using an integrated telephony option, so that users can perform key recovery 24x7, from any location, using their telephone and without talking to a human help desk technician.
  Business impact: Key recovery is an essential IT support service for organizations that have deployed FDE. Password Manager lowers the IT support cost of key recovery by moving the process to a self-service model.

Smart card PIN reset
  Problem: Organizations deploy smart cards to strengthen their authentication processes. Users typically sign into their PC by inserting their smart card into a reader and typing a PIN. If users forget their PIN or leave their smart card at home, they cannot sign into their PC. PIN reset is a complex support process since the new PIN has to be physically installed on the user's smart card. This means that IT support may trigger a physical visit to the help desk.
  Solution: Password Manager allows users to access a self-service web portal from anywhere, including from the locked out login screen of their laptop, even away from the office (even using WiFi, as described earlier). Once a user signs into the self-service portal, Password Manager can download an ActiveX component to the user's web browser, to communicate with the smart card and reset the forgotten PIN. Password Manager can also be used to assign a user a temporary login password (often a very long and random one) to be used in the event that a user left his smart card at home.
  Business impact: While forgotten PINs are infrequent (PINs are not usually set to expire), when they do happen they are extremely disruptive. Assigning temporary passwords is just as important for users who left their smart card at home, which happens quite often.

11 Overcoming Active Directory Replication Delays

Please refer to Subsection 3.3 on Page 4 for an overview of the intruder lockout replication problem in Active Directory.

Hitachi ID Password Manager uniquely circumvents the problem of slow replication of cleared intruder lockouts between Active Directory domain controllers by automatically directing password resets and cleared intruder lockouts to a select set of domain controllers, which the user is most likely to access:
• DCs on the user's home site, based on the user's home directory UNC and the IP address of the server that hosts this UNC.
• DCs on the user's current site, based on the user's web browser IP address (this only applies to self-service password reset).
• DCs mapped to either of these sites by an administrator-configured rule set. For example, at global or regional data centers.

12 Built-in Single Sign-on Technology

Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the ID and/or passwords are the same ones users type to sign into Windows on their PC.

Login Manager leverages password synchronization instead of stored passwords.
This means that it does not require a "wallet" and that users can continue to sign into their applications from devices other than their corporate PC, such as a smart phone or tablet, for which a single sign-on client may not be available.

Login Manager does not require scripting or a credential vault, so it has a much lower total cost of ownership (TCO) than alternative single sign-on tools. Login Manager automatically fills in application login IDs and passwords on behalf of users, streamlining the application sign-on process for users.

Login Manager works as follows:
• When users sign into their workstations, Login Manager acquires their network login ID and password from the Windows login process. Login Manager may (optionally) acquire additional login IDs (but not passwords) from the user's Active Directory profile.
• Login Manager monitors the Windows desktop for newly launched applications: It detects when the user types one of his known login IDs or his Windows password into an application dialog box, HTML form or mainframe terminal session. When this happens, the location of the matching input fields is stored in a local configuration file.
• Whenever Login Manager detects an application displaying a previously configured login screen, it automatically fills in the appropriate login ID and/or the current Windows password.

The net impact of Login Manager is that login prompts for applications with well-known IDs and passwords that authenticate to AD or are synchronized with AD are automatically filled in. This is done without:
• Interfering with user access to applications from devices not equipped with the SSO software, such as their smart phones.
• Having to deploy a secure location in which to store application credentials.
• Writing scripts.

Login Manager is installed as a simple, self-contained MSI package. It does not require a schema extension to Active Directory.

The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO techniques:
• There is no global directory or database with user credentials:
  There is no target for a would-be attacker. There is no single point of failure which could cause a widespread disruption to users who wish to sign into applications. There is no need to enroll users by having them provide their passwords.
• There are no manually written scripts:
  No manual configuration is required. No infrastructure is required to distribute script files to PCs.
• Continued access to applications:
  Users sometimes need to sign into applications from devices other than their work PC. Since passwords are synchronized and users know their own password, they can still sign in, even without the SSO software. In contrast, with other E-SSO products, users may not know their own application passwords. This disrupts application access using a smart phone, home PC, Internet kiosk, etc.

These advantages significantly reduce the cost and risk associated with deploying and managing Login Manager.

13 Return on Investment

Deploying Hitachi ID Password Manager saves money for three groups of people in an organization:
• Users:
Password synchronization reduces the incidence of password problems. In most organizations, over 80% of problems are eliminated. Accordingly, users waste less time making unsuccessful attempts to log into systems.
• Support staff:
Both password synchronization and self-service password resets eliminate calls to the help desk. Together, they normally reduce password-related call volume by over 90%.
  Once calls reach the help desk, they are resolved much more quickly, using a single tool that integrates caller authentication, multiple password resets and creation of problem tickets. Using a web browser, support staff can resolve password calls in 1-2 minutes.
• System administrators: Without Password Manager, most support organizations escalate some password calls to system administrators. This is done when the support organization does not have training or security clearance to reset passwords on the systems in question. Password Manager eliminates password problem escalation.

Example savings calculation

The following example illustrates how Password Manager reduces the cost of password management:

• 10000 users experience 3000 password problems per month.
• Users spend 10 minutes with a password problem before calling for help.
• The help desk takes 10 minutes to resolve password problems.
• 1/6 of calls are escalated from the help desk to system administrators.
• Password Manager eliminates 80% of password problems and reduces problem resolution time to 2 minutes.

Monthly cost     Initial                                        Password Manager                             Savings
Users            3000 calls × 20 minutes × $40/hr = $40,000     600 calls × 12 minutes × $40/hr = $4,800     $35,200
Help desk        3000 calls × 10 minutes × $40/hr = $20,000     600 calls × 2 minutes × $40/hr = $800        $19,200
Administrators   500 calls × 5 minutes × $40/hr = $1,670        0                                            $1,670
Monthly Total    $61,670                                        $5,600                                       $56,070

To estimate the cost savings in your organization, try our on-line calculator at: http://Hitachi-ID.com/Password-Manager/roi/

14 Platform Support

Hitachi ID Password Manager can manage passwords on most systems directly. It includes built-in support for the following systems:

• Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.
• Servers: Windows 2000–2012, Samba, NDS, SharePoint.
• Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix.
• Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
• Mainframes: z/OS with RAC/F, ACF/2 or TopSecret.
• Midrange: iSeries (OS400), OpenVMS.
• ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.
• Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
• Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
• WebSSO: CA Siteminder, IBM TAM, Oracle AM, RSA Access Manager.
• Help Desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA Envision, MS SCS Manager.
• HDD Encryption: McAfee, CheckPoint, BitLocker, PGP.
• SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic).
• Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMWare vSphere.
• Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.

Password Manager includes a number of flexible connectors, each of which is used to script integration with a common protocol or mechanism. These connectors allow organizations to quickly and inexpensively integrate Password Manager with custom and vertical market applications. The ability to quickly and inexpensively add integrations increases the value of the Password Manager system as a whole. There are flexible connectors to script interaction with:

• API binding: C, C++; Java, J2EE; .NET; COM, ActiveX; MQ Series.
• Terminal emulation: SSH; Telnet; TN3270, TN5250.
• Web services: Simulated browser; SOAP; WebRPC; Pure HTTP(S).
• Back end integration: SQL Injection; LDAP attributes.
• Command-line: Windows Power Shell; Unix/Linux.

Organizations that wish to write a completely new connector to integrate with a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as either a command-line program or web service. If an organization develops its own integrations, an effort of between four hours and four days is typical. Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.

15 Rapid Deployment

Hitachi ID Systems solutions are optimized for rapid deployment; this is a core design principle across all products in the Hitachi ID Management Suite. Rapid deployment is largely a feature of (a) including as many built-in features as possible and (b) making common use cases easier to configure.

Hitachi ID Identity Manager minimizes deployment cost using a built-in request portal, a built-in approvals process and by enabling organizations to define categories of relationships, which then drive what one user can see of another, what changes one user can submit on behalf of another, who is invited to approve change requests and more.

Hitachi ID Password Manager minimizes deployment cost using built-in processes for enrollment of security questions, login IDs, mobile phone numbers and voice biometrics. This is augmented by built-in processes to control the pace of user invitations.

Hitachi ID Privileged Access Manager minimizes deployment cost using built-in processes for auto-discovery and automated classification of systems and accounts to be managed. It also includes a robust, built-in process for authorizing one-time access requests.

All Hitachi ID Systems products include a rich set of over 110 connectors, built-in reports, a robust and translation-friendly web portal, e-mail and incident management system integration, multi-node database replication and more. These are all things that Hitachi ID Systems customers need not hand-craft, reducing project time and cost.
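The custom-connector option described under Platform Support above (a connector written in any language and invoked as a command-line program) is the kind of integration customers hand-craft. The skeleton below is an added example and is not Hitachi ID's connector contract; the command-line interface (operation and login ID as arguments, the new or candidate password on stdin), the exit codes and the `ToyTarget` back end are all assumptions standing in for the custom application's real API. It shows the three things a reviewer looks for in such a connector: the secret is read from stdin rather than from the argument list where other local processes could observe it, the login ID is checked against a format policy before it reaches the back end, and the connector's output never echoes the password, so the calling product can log it.

```python
import re
import sys

# Assumed login-ID policy for the target application (constructed, not a product setting).
LOGIN_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class ToyTarget:
    """Stand-in for the custom application's account API (constructed).
    Passwords are held in plaintext only because this is a toy back end."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)      # login_id -> current password

    def set_password(self, login_id, new_password):
        if login_id not in self.accounts:
            raise KeyError(login_id)
        self.accounts[login_id] = new_password

    def check_password(self, login_id, password):
        return self.accounts.get(login_id) == password


def parse_request(argv, stdin_text):
    """argv: [program, operation, login_id]; the secret arrives on stdin so it is
    absent from the process list and shell history. Raises ValueError on bad input;
    error messages never include the secret."""
    if len(argv) != 3:
        raise ValueError("usage: <reset|verify> <login_id>  (password on stdin)")
    operation, login_id = argv[1], argv[2]
    if operation not in ("reset", "verify"):
        raise ValueError("unknown operation")
    if not LOGIN_ID_RE.match(login_id):
        raise ValueError("login ID fails format check")
    secret = stdin_text.rstrip("\r\n")
    if not secret:
        raise ValueError("empty password on stdin")
    return operation, login_id, secret


def run(argv, stdin_text, target):
    """Execute one request against the target. Returns (exit_code, message):
    0 = success, 1 = target rejected it, 2 = malformed request (assumed codes)."""
    try:
        operation, login_id, secret = parse_request(argv, stdin_text)
    except ValueError as exc:
        return 2, f"bad request: {exc}"
    try:
        if operation == "reset":
            target.set_password(login_id, secret)
            return 0, f"reset ok for {login_id}"
        if target.check_password(login_id, secret):
            return 0, f"verify ok for {login_id}"
        return 1, f"verify failed for {login_id}"
    except KeyError:
        return 1, f"no such account: {login_id}"


if __name__ == "__main__":
    # Stand-alone use against the toy back end, e.g.:  printf 'N3w-secret\n' | python connector.py reset jdoe
    code, message = run(sys.argv, sys.stdin.read(), ToyTarget({"jdoe": "old-password"}))
    print(message)
    sys.exit(code)
```

A real connector would replace `ToyTarget` with calls into the application, but the shape stays the same: the caller (here, the password management product) pipes the secret in, reads a short status line back, and never has to parse a password out of the connector's output or arguments.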
Password Manager is designed for rapid deployment:

• No client software required, even for access to self-service password reset from the workstation login prompt.
• Automated discovery of every login ID on every target system, nightly.
• Self-service login ID reconciliation where login IDs on different systems are different and there is no pre-existing correlation data.
• A built-in identity cache that captures user profile data and eliminates the need to install or manage a database or directory before installing Password Manager.
• Built-in connectors for every common system and application, eliminating the need for customers to develop their own connectors to common, off-the-shelf target systems.
• Remote connectors mean that Password Manager can manage users and passwords on systems without requiring the installation of intrusive local software on each target system.
• Flexible connectors enable organizations to integrate Password Manager with custom applications, vertical market software, application service providers (ASPs) and service bureaus quickly, taking just 2 hours to 4 days per new target system.

www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/white/psynch/hipam-white-22.tex Date: 2011-05-15