Relevance

Any information system relies on access policies for operations with named subjects (users) and objects (data, resources, and services). The two pillars of access and identity management are user identification and user authentication. Authentication bears particular significance, being the last security barrier against malicious users who have obtained a legitimate user ID. Password-based authentication remains the most popular access management technology. However, this technology has a number of important disadvantages:
Another weak point of password management software lies in the fact that each information system or service may use its own authentication subsystem. This may cause further problems and reduce labor productivity:
Another factor deserves special attention: foreign media constantly feature news about leaked user account databases (containing logins and passwords) that later become available for sale on private web resources. The issues and vulnerabilities related to password-based authentication can be addressed by introducing a single comprehensive authentication management system. Such a system should be able to perform the following tasks:
The Indeed Access Manager (Indeed AM) platform belongs to a specialized class of IT solutions that incorporates the following functional modules:

The Indeed AM platform draws on our company's long-term expertise in developing information security products, specifically those concerned with access management. Indeed AM is a software and hardware system providing centralized identity management policies, a universal authentication technology for all corporate services, and various strong and multi-factor authentication scenarios. The key advantage of Indeed AM is that it supports various strong authentication scenarios across multiple target resources and authentication protocols (via the relevant integration modules). The system was designed to replace password management software with more secure technology that neutralizes the above threats across your entire corporate IT infrastructure. All authentication data is stored in a secure vault. Access policies define access rules, specify the technology to be used in specific applications, and establish the scope of permissions for system operators and administrators.

Corporate users can use the web console to view information about their authenticators. In addition, users can issue new authenticators and disable existing ones in the web application. The Indeed AM Administrator and Operator Console is a convenient web application for customizing, managing and auditing the centralized authentication system. Administrators can use it to manage the system's integration with your IT infrastructure and set up role-based access control. The console also serves as a tool for managing user authenticators and granting access to target resources (directly or via authentication protocols).
Client software designed for workstations running Microsoft Windows can be used to enable strong authentication scenarios (Windows Logon) and Enterprise Single Sign-On for corporate applications and web applications on user workstations. The Indeed Key mobile app ensures secure access to your corporate resources. Users confirm their access via the app on their smartphones, where they can also view their access information and the name of the system they are trying to log into. The system also supports one-time password technology (TOTP protocol). Special integration modules enable strong authentication scenarios for various categories of target resources, as they support both specialized authentication protocols (RADIUS, ADFS, etc.) and specific target systems (Windows-based workstations, Microsoft RDS terminal servers, etc.). Thanks to the convenient Indeed AM role-based mechanism, you can set up user privileges for employees with various job duties. For example, you can use it to clearly divide the responsibilities of federal and regional security administrators.

Strong authentication

A series of technical and organizational measures is required to replace password-based authentication with new technology that ensures a higher security level across your entire IT infrastructure. One of the key tasks here is to select and introduce optimal strong authentication solutions. This is a relatively easy task when it comes to local access to corporate workstations: you can use Microsoft Windows built-in authentication tools, such as digital certificates or the biometric scanners embedded in modern laptops. However, it becomes considerably more challenging for strong authentication of remote access to corporate resources, when you need to assign specific authenticator sets to different categories of employees in line with their respective permissions.
The market offers multiple technologies for strong user authentication, including biometric authentication, push authentication, hardware-based authentication, digital certificates, or one-time passwords issued by local generators or sent by SMS or email. Every solution has both strong and weak points. Let’s consider a couple of examples.
When choosing the right authenticator (or authenticators), one should consider a range of factors, such as:
The Indeed AM platform is a universal tool that helps you select the optimal strong authentication types for your specific conditions.

Technological integration

During the migration to centralized access management, the main challenge lies in the fact that corporate services and applications may rely on several subsystems for user identification and authentication, and these subsystems are rarely interconnected. In some cases, a user may need more than one user account (login and password) to gain access to various services. The following IT components can serve as target resources:
If we want to completely replace password-based authentication with other solutions, we may discover during implementation that password protection is the only type of authentication supported by some services. The Indeed AM platform includes specialized modules offering extensive integration options. Integration with authentication protocols:
Integration with specialized servers:
Integration with local resources:
The platform also supports integration with the following types of access and identity management solutions:
Thus, you can use the Indeed AM platform to create a single authentication system encompassing all your corporate services.

Centralized authentication management and monitoring

As noted above, the main challenge of migrating to centralized access management is the number of subsystems in use at the same time. More often than not, your IT infrastructure includes services, systems, and even devices with their own user directories, which means that all of them require separate user identification and authentication. This issue can be addressed with Identity Governance & Administration (IGA) software. However, IGA deployment is not an easy task: building a unified access management model that correctly assigns user privileges requires extensive and resource-intensive analysis and development. In addition, each service has its own event log, and in some cases the same login may even be written differently in different systems. When a security incident occurs, you may find it hard to quickly reconstruct the sequence of events, since you will need to analyze multiple records from different logs. This problem can be solved by purchasing and deploying a Security Information & Event Management (SIEM) solution, but some companies may lack the necessary resources. Looking at the problems above, we may be tempted to conclude that only large companies with sufficient resources can hope to solve them, and only by buying expensive systems. However, IGA and SIEM products may be redundant if centralized access management is your only task for today. On the other hand, the Indeed AM platform does not offer centralized customization and management of user permissions within specific target systems, nor does it collect and analyze information security event data.
What Indeed AM can do is help you address a set of tasks related to centralized access management that is best suited for your needs, keeping the required efforts and financial investments at a minimum. The Indeed AM platform can help you achieve the following results.
It is important to point out that the Indeed AM platform does not conflict with SIEM and IGA solutions, nor does it replace them. Even if your company plans to purchase and deploy SIEM or IGA software in the future, having Indeed AM is still highly desirable, since it addresses the most pressing issue in the field of information security. After that, you can start working on centralized permission management, as well as end-to-end monitoring and analysis of all security events, including access events.

Technical parameters

User directories
Target resources
Integration mechanisms for target applications
Authentication technology
Removable hardware tokens
Third-party security solution integration