Hitachi ID Systems: An Organization Focused on Delivering Practical IAM Solutions.
The Hitachi ID Systems office space showcases a combination of collaboration and innovation in motion. In the open concept workspace, Idan Shoham, the CTO and company co-founder works with the engineering and services teams to expand the capabilities of their identity and access management (IAM) solution portfolio and deliver robust solutions to customers.
While the Hitachi ID engineering team works on technology design, development and testing, the solution delivery team engages with customers to deploy complete solutions in customer environments, at scale. Feedback from the solution delivery team to the engineering team drives ongoing innovation and new product releases, fueling the evolution of both the company and its products.
A quiet workplace belies the rapid pace of innovation and customer delivery work at Hitachi ID Systems. “The work culture at Hitachi ID Systems is informal, with a flat organization and strong emphasis both on addressing customer challenges and on work/life balance for our employees,” mentions Shoham.
“We collect information from many sources: first and foremost, from frequently engaging with our customers and discussing their challenges and roadmaps,” states Shoham. Hitachi ID Systems’ team also studies RFP documents from prospective customers regularly, which gives them a bigger view of market trends. In addition, the company engages with analyst firms to get their take on market direction. “These are all inputs fed into our decision-making process, which mainly (re)prioritizes R&D work,” adds Shoham. What comes out is an IAM solution that meets or exceeds customer objectives.
An Integrated IAM Solution
The core product from Hitachi ID is its Identity Manager, which provides identity administration and access governance functionality: automation from systems of record, request/approval workflows for incremental access, access certification, role-based access control where appropriate, segregation of duties and risk scoring policies, identity and entitlement analytics and more. Perhaps uniquely in the marketplace, this product is built on a shared platform that also provides many complementary feature sets:
• Full lifecycle management for security groups and mail distribution lists is included in Identity Manager.
• Password Manager -- enabling users to manage their own credentials, both routinely and in the event of a login problem. Password Manager can manage passwords (obviously) but also RSA and similar hardware tokens, 2FA applications such as from Okta, Ping or Duo Security, enroll biometric samples such as voice prints, collect and distribute PKI certificates, reset PINs on smart cards and more.
• Federated single sign-on via SAML -- typically into SaaS applications such as Salesforce.com or Cisco WebEx -- is included with Password Manager.
• Privileged Access Manager -- randomizing and vaulting passwords to sensitive accounts; authenticating, authorizing and brokering user logins to managed endpoints; replacing embedded passwords in scripts and applications with secure API calls; periodically changing service account passwords; recording user requests, approvals and activity and more.
• All Hitachi ID solutions can either leverage an existing multi-factor authentication solution or, for organizations that have not yet deployed an MFA system, use the out-of-the-box MFA smart phone app that is included.
• All Hitachi ID solutions are available either for on-premises deployment or as a service.
• A complementary smart phone app -- Hitachi ID Mobile Access -- is included to access the Hitachi ID solutions’ web portal even if there is no accessible, public URL.
By offering so many complementary features on the same platform, which can be deployed just once (features are activated via a license file), Hitachi ID offers its customers a unique value proposition: lower TCO due to fewer products, application servers, database instances, etc. combined with simpler deployment, less required administrator training, fewer distinct version upgrades to schedule and a better user experience, as users sign into a single portal for a wide variety of access-related services: “change my password,” “resolve login problem,” “request incremental access,” “sign into a privileged account” or simply “launch SaaS login session.”
Customer service and satisfaction are Hitachi ID’s top priority. This seemingly simple objective depends on many components:
• Accessibility from relevant contexts -- for example access to self-service password reset from a PC operating system login screen, even when that PC is a laptop and the user is away from the office, and must reset a locally cached password.
• A system that is performant, to avoid user frustration waiting for their screen to refresh.
• Integrations with the relevant systems, applications, directories and other infrastructure that Hitachi ID’s customers operate -- everything from Active Directory to z/OS mainframes, Salesforce.com and Office 365 tenants and ServiceNow tickets.
That’s all technology. Customer satisfaction also depends on how customers collaborate with software vendors such as Hitachi ID. With this in mind, Hitachi ID offers a fixed-price/defined-deliverables model for implementation professional services. This has the effect of transferring deployment risk from customers to Hitachi ID. It also forces customers to think carefully about deliverables, which reduces false starts and wasted effort.
Hitachi ID also employs an industry-leading team of customer support analysts. The objective is for the randomly selected person who picks up an incoming support call to be able to resolve at least 80% of incoming inquiries. Considering that these inquiries could be in regards to anything from load balancer configuration to integration with SAP, z/OS, SaaS applications or policy enforcement, that’s a tall order which Hitachi ID’s expert team is nonetheless able to meet. Front line customer support at Hitachi ID is a team of experts, not simple note takers who follow a script.
Scalability and service resilience
Users demand a responsive system and IT needs the system to survive peak workloads. The Hitachi ID Management Suite meets a variety of scalability and service resiliency metrics through a combination of unique technologies. First and most fundamentally, there is an active-active replication model where multiple application servers each have their own, private database instances and where workload -- user interface sessions, API calls and workflow processes -- is load balanced across geographically distributed nodes. Next, work is preferentially performed in SQL stored procedures rather than in application logic, to reduce the need to serialize data in and out of the database. Finally, application code is compiled, native C++ code rather than .NET or Java, eliminating the need for sandbox VMs and improving performance by a factor of 2 (.NET) to 10 (Java).
The end result of all this technology is a system that can manage up to about 20,000,000 identities while providing full governance workflows and controls. It’s also a system where real-world customers have on-boarded over 200,000 managed endpoints for PAM or process over 50,000 access requests per day or 20,000 password updates per hour. Geographic redundancy and a master-master model means that the service can survive loss of a single server or even a whole data center without human intervention.
Joiners, Movers and Leavers
The most fundamental feature of an IAM system is to grant access to systems and applications when people join an organization -- i.e., employees are hired, contractors start work, etc. When the same people move within an organization -- change manager, department or location, for example -- their access rights should be updated to reflect their new relationship with the organization. Finally, when people leave, their access rights should be revoked and any data (e-mail, filesystem) archived.
Joiner/mover/leaver processes are notoriously complex and many organizations defer process automation until after they have completed a data cleanup. In reality, this doesn’t help: what blocks process automation is not inappropriate access rights but undocumented, complex processes. Hitachi ID offers a unique solution to this challenge, by offering no-cost reference implementations called “Identity Express” to customers. Identity Express encapsulates best-practice business processes and can be deployed easily to replace legacy processes. This approach to process automation leads to stronger controls and improved process velocity (SLAs) while materially reducing implementation risk, cost and timelines. Shoham adds, “Reference implementations such as HR-driven hire/transfer/fire processes for employees; request-driven start/end processes for contractors; name changes; leaves of absence; transfers across departments, locations or managers; periodic and event-triggered access reviews are all included in Identity Express.”
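To make the HR-driven hire/transfer/fire logic concrete, here is an added example (not Hitachi ID code, and not Identity Express) that diffs two snapshots of a system-of-record feed against the entitlements an IAM system currently holds and emits joiner, mover and leaver actions. The department names, entitlement names and the birthright table are constructed for the example; the vanish-ratio guard is an assumption about how a practitioner would protect against a truncated HR extract deprovisioning the whole workforce.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    """One record from the HR feed (constructed schema)."""
    emp_id: str
    department: str
    manager: str
    status: str  # "active" or "terminated", as reported by HR

# Birthright entitlements per department: granted automatically on join/move (constructed).
BIRTHRIGHT = {
    "finance": {"AD:Domain Users", "O365:E3", "SAP:FI_Viewer"},
    "engineering": {"AD:Domain Users", "O365:E3", "GitLab:developer"},
}
DEFAULT_BIRTHRIGHT = {"AD:Domain Users"}

# Refuse to act if more than this share of known people simply vanish from the feed:
# a truncated or failed HR extract must not turn into a mass deprovisioning (assumption).
MAX_VANISH_RATIO = 0.10

def birthright(person):
    return set(BIRTHRIGHT.get(person.department, DEFAULT_BIRTHRIGHT))

def reconcile(previous, current, granted):
    """previous/current: {emp_id: Person} from two successive HR feed runs.
    granted: {emp_id: set(entitlement)} as the IAM system currently holds them.
    Returns a list of action dicts in feed order; raises if the feed looks truncated."""
    vanished = [e for e in previous if e not in current]
    if previous and len(vanished) / len(previous) > MAX_VANISH_RATIO:
        raise ValueError(f"{len(vanished)} of {len(previous)} records vanished; refusing to deprovision")
    actions = []
    for emp_id, person in current.items():
        old = previous.get(emp_id)
        have = granted.get(emp_id, set())
        if person.status == "terminated":
            # Leaver: revoke everything and archive data, regardless of how it was granted.
            if have:
                actions.append({"type": "leaver", "emp_id": emp_id,
                                "revoke": sorted(have), "archive": ["mailbox", "home_dir"]})
            continue
        if old is None or old.status == "terminated":
            # Joiner (or rehire): grant birthright access the person does not already hold.
            actions.append({"type": "joiner", "emp_id": emp_id,
                            "grant": sorted(birthright(person) - have)})
            continue
        if (old.department, old.manager) != (person.department, person.manager):
            # Mover: swap birthright sets; access obtained by request is kept but sent for
            # an event-triggered review rather than silently carried across the transfer.
            old_br, new_br = birthright(old), birthright(person)
            requested = (have - old_br) - new_br
            actions.append({"type": "mover", "emp_id": emp_id,
                            "grant": sorted(new_br - have),
                            "revoke": sorted((old_br - new_br) & have),
                            "review": sorted(requested)})
    for emp_id in vanished:
        # Absent from the feed is not the same as terminated: flag, do not revoke.
        actions.append({"type": "review", "emp_id": emp_id,
                        "reason": "absent from HR feed; not auto-revoked"})
    return actions

def sample_run():
    """Constructed two-day feed: alice transfers, carol leaves, frank joins, erin is unchanged."""
    previous = {
        "alice": Person("alice", "finance", "bob", "active"),
        "carol": Person("carol", "engineering", "dave", "active"),
        "erin": Person("erin", "finance", "bob", "active"),
    }
    current = {
        "alice": Person("alice", "engineering", "dave", "active"),
        "carol": Person("carol", "engineering", "dave", "terminated"),
        "erin": Person("erin", "finance", "bob", "active"),
        "frank": Person("frank", "engineering", "dave", "active"),
    }
    granted = {
        "alice": {"AD:Domain Users", "O365:E3", "SAP:FI_Viewer", "Tableau:viewer"},
        "carol": {"AD:Domain Users", "O365:E3", "GitLab:developer"},
        "erin": {"AD:Domain Users", "O365:E3", "SAP:FI_Viewer"},
    }
    return reconcile(previous, current, granted)

def truncated_feed_rejected():
    """Two of three known people missing from the feed must abort the run."""
    previous = {e: Person(e, "finance", "bob", "active") for e in ("a", "b", "c")}
    current = {"a": previous["a"]}
    try:
        reconcile(previous, current, {})
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for action in sample_run():
        print(action)
```

The mover branch is where most real deployments go wrong: revoking only the old birthright and reviewing, rather than automatically revoking, request-granted access keeps the transfer from breaking the person's work while still surfacing accumulated access to an approver.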
The Password Manager component of the Hitachi ID Suite manages credentials across systems and applications, including password synchronization, self-service password and PIN reset, strong authentication, federated access, enrolment of security questions and biometrics, and self-service unlocking of encrypted drives. It simplifies the management of passwords, tokens, smart cards, security questions and biometrics, and in turn, lowers IT support cost and improves the security of login processes. Self-service is accessible via a full-screen or mobile web browser, from the login screen of a corporate laptop, even if off-site and off-network, and even via a self-service voice phone call to an IVR system.
Users of an IAM system often have to sign into a portal to request access rights that could not be predicted and automatically granted. Requests may be by a user for themselves or for others, such as subordinates. Regardless, the request process is daunting: there may be millions of available, requestable entitlements and business users have little hope of correctly selecting the right ones, especially as they often only have technical names. Hitachi ID Identity Manager addresses this challenge with multiple requester aids. For example, it can intercept ‘access denied’ error messages on key systems and provide users with a simple navigation to a suitable access request page. Requesters also have the option of comparing the rights of two people, to select for one user some of the rights that another already has. Finally, Identity Manager can collect users into peer groups based on information such as their department or location. Requesters are then offered “recommended entitlements” based on what’s popular among a recipient’s peers. All this is on top of more common capabilities, such as roles, search and filters applied to the entitlement catalog.
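The two requester aids described above, peer-based “recommended entitlements” and comparing one person's rights against another's, reduce to a small amount of set arithmetic. The following is an added example, not Identity Manager's implementation; the user attributes, entitlement names, the 50% popularity threshold, the minimum peer-group size and the high-risk exclusion list are all constructed assumptions.

```python
from collections import Counter

# Constructed directory: attributes used to form peer groups, and current entitlements.
USERS = {
    "fin-a":   {"dept": "finance", "site": "calgary"},
    "fin-b":   {"dept": "finance", "site": "calgary"},
    "fin-c":   {"dept": "finance", "site": "calgary"},
    "fin-new": {"dept": "finance", "site": "calgary"},
    "eng-a":   {"dept": "engineering", "site": "calgary"},
    "eng-new": {"dept": "engineering", "site": "calgary"},
}
ENTITLEMENTS = {
    "fin-a":   {"SAP:FI_Viewer", "Tableau:viewer", "SAP:FI_Poster"},
    "fin-b":   {"SAP:FI_Viewer", "Tableau:viewer", "SAP:FI_Poster"},
    "fin-c":   {"SAP:FI_Viewer", "Concur:approver"},
    "fin-new": {"SAP:FI_Viewer"},
    "eng-a":   {"GitLab:developer"},
    "eng-new": set(),
}
# Entitlements that must never be suggested on popularity alone (assumption): they need
# an explicit request with its own approval path, however common they are among peers.
HIGH_RISK = {"SAP:FI_Poster"}

def peer_group(users, user, keys=("dept", "site")):
    """Everyone sharing the same values for `keys`, excluding the user themself."""
    sig = tuple(users[user][k] for k in keys)
    return {u for u, attrs in users.items()
            if u != user and tuple(attrs[k] for k in keys) == sig}

def recommend(users, ents, user, threshold=0.5, min_peers=3):
    """Entitlements held by at least `threshold` of the recipient's peers that the
    recipient lacks, as (entitlement, share) sorted by share then name.
    A peer group below `min_peers` yields nothing: with one or two peers a
    'recommendation' would just disclose a named colleague's access."""
    peers = peer_group(users, user)
    if len(peers) < min_peers:
        return []
    have = ents.get(user, set())
    counts = Counter(e for p in peers for e in ents.get(p, set()))
    recs = [(e, round(n / len(peers), 3)) for e, n in counts.items()
            if e not in have and e not in HIGH_RISK and n / len(peers) >= threshold]
    return sorted(recs, key=lambda r: (-r[1], r[0]))

def compare(ents, recipient, model):
    """'Give X what Y has': split the model's surplus into requestable items and
    items that need the heavier approval path."""
    surplus = ents.get(model, set()) - ents.get(recipient, set())
    return {"requestable": sorted(surplus - HIGH_RISK),
            "needs_extra_approval": sorted(surplus & HIGH_RISK)}

if __name__ == "__main__":
    print(recommend(USERS, ENTITLEMENTS, "fin-new"))
    print(recommend(USERS, ENTITLEMENTS, "eng-new"))
    print(compare(ENTITLEMENTS, "fin-new", "fin-a"))
```

The minimum-peer-group check and the high-risk exclusion are the two places where a naive “what's popular among peers” feature turns into a security problem: tiny peer groups leak individual access, and popularity is not a reason to hand out a posting or administrative right.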
Privileged Access Management
The Privileged Access Management component of the Hitachi ID Suite can secure access to all kinds of sensitive accounts: administrator accounts used by people to configure and manage systems; embedded accounts used by applications and scripts to connect to services and service accounts used to launch unattended processes. It is the only product in its category with a geographically distributed, active-active architecture, which is essential to ensure service availability even during a disaster.
Privileged Access Manager is designed with multiple usability aids, to compensate IT workers for giving up their cherished administrator passwords. This includes the ability to check out multiple accounts at once, to request temporary membership in security groups for existing (business) accounts and to execute commands across multiple systems at once.
Hitachi ID Systems has carved a unique niche in the IAM space through organically developed solutions. Unlike most competitors, the company didn’t have to incorporate technology from the acquisition of other companies. This approach sometimes means that it takes a bit longer to bring new capabilities to market, but it also means that Hitachi ID Systems’ solutions are more coherent, maintainable, integrated and cost-effective for customers. “What’s interesting about this process is we aren’t paying too much attention to what our competitors are doing, at least not directly. We are much more interested in what current and prospective customers have to say. The end result is that we often wind up with very different solutions to problems than what we see amongst our peers — we’re often the ‘black sheep’ in the market segments where we operate,” informs Shoham.
The Big Picture in IAM
With a focus on innovation, Hitachi ID’s strategy has always been to expand product capabilities. For example, the company has recently added real-time integration with AD domains. This allows the company to provide access governance features and workflows at consumer scale — tens of millions of identities. It also enables interesting scenarios, such as detecting unauthorized changes to security groups and reversing those changes in near-real-time.
Hitachi ID has also added full lifecycle management for groups and an accurate model of parent/child group relationships, also unique among IAM products. This means that customers can extend the same process automation and governance that was originally developed for identities to groups as well: a great value-add.
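Detecting an unauthorized group change and reversing it, as described for the real-time AD integration above, depends on the parent/child model: a member added to a nested child silently becomes an effective member of every parent, and AD permits nesting cycles, so naive recursion loops. The following added example (not Hitachi ID code) compares an observed group snapshot against the approved direct memberships and nestings, emits the exact revert operations, and reports who gained effective membership in a sensitive group and through which chain. The group and account names are constructed.

```python
from collections import deque

def effective_members(groups, name):
    """Breadth-first walk of nested groups. Returns {member: path}, where path is the
    shortest chain of groups from `name` down to where the member is a direct member.
    A visited set makes nesting cycles (allowed in AD) terminate."""
    result, visited = {}, set()
    queue = deque([(name, [name])])
    while queue:
        g, path = queue.popleft()
        if g in visited:
            continue
        visited.add(g)
        spec = groups.get(g, {"members": set(), "groups": set()})
        for m in sorted(spec["members"]):
            result.setdefault(m, path)
        for child in sorted(spec["groups"]):
            if child not in visited:
                queue.append((child, path + [child]))
    return result

def detect_drift(observed, authorized):
    """Direct-membership and nesting differences, as revert operations against the directory."""
    empty = {"members": set(), "groups": set()}
    reverts = []
    for g in set(observed) | set(authorized):
        obs, auth = observed.get(g, empty), authorized.get(g, empty)
        reverts += [("remove_member", g, m) for m in obs["members"] - auth["members"]]
        reverts += [("add_member", g, m) for m in auth["members"] - obs["members"]]
        reverts += [("remove_nested", g, c) for c in obs["groups"] - auth["groups"]]
        reverts += [("add_nested", g, c) for c in auth["groups"] - obs["groups"]]
    return sorted(reverts)

def unauthorized_effective(observed, authorized, group):
    """Accounts that are effective members of `group` now but would not be under the
    approved model, with the nesting chain that admits them."""
    actual = effective_members(observed, group)
    wanted = effective_members(authorized, group)
    return {m: path for m, path in actual.items() if m not in wanted}

def sample_authorized():
    return {
        "Domain Admins": {"members": {"svc-backup"}, "groups": {"Tier0-Ops"}},
        "Tier0-Ops":     {"members": {"alice"}, "groups": set()},
        "Helpdesk":      {"members": {"bob", "carol"}, "groups": set()},
    }

def sample_observed():
    """Constructed drift: mallory added directly, Helpdesk nested under Tier0-Ops,
    and Tier0-Ops nested back under Helpdesk, forming a cycle."""
    return {
        "Domain Admins": {"members": {"svc-backup", "mallory"}, "groups": {"Tier0-Ops"}},
        "Tier0-Ops":     {"members": {"alice"}, "groups": {"Helpdesk"}},
        "Helpdesk":      {"members": {"bob", "carol"}, "groups": {"Tier0-Ops"}},
    }

if __name__ == "__main__":
    obs, auth = sample_observed(), sample_authorized()
    for op in detect_drift(obs, auth):
        print("revert:", op)
    for member, path in unauthorized_effective(obs, auth, "Domain Admins").items():
        print(f"{member} is now effectively in Domain Admins via {' > '.join(path)}")
```

Reverting the nesting edge, rather than removing bob and carol from Domain Admins (where they are not direct members), is what makes the remediation correct; the effective-membership report is what makes the alert actionable, since the chain shows which single change admitted several accounts at once.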
In the credential management arena, the company’s focus has been two-fold: first is to enable users to resolve login problems in challenging contexts—such as at the login screen of laptops while outside the office—and secondly the introduction of “value-add” features such as federated single sign-on and a personal password vault.
Another part of Hitachi ID’s strategy has been to offer an all-in commercial and technical model. Going forward, the company will continue to invest in the same platform and products and services but with expanded features, improved user interfaces and more integrations. “The observation here is that you want good processes and effective tools to manage the lifecycles of all sorts of digital entities. Taking this kind of a ‘big picture’ view of IAM is a great way to ensure that organizations get the maximum benefit from their investment,” concludes Shoham.