Any information system relies on access policies for operations with named subjects (users) and objects (data, resources, and services). The two pillars of access and identity management are user identification and user authentication. Authentication bears particular significance, being the last security barrier for malicious users who were able to obtain a legitimate user ID.
Password-based authentication remains the most popular access management technology. However, this technology does have a number of important disadvantages:
- You need a security incident to actually occur to learn that your password has been compromised. Intruders are unlikely to openly reveal their presence in your network. On the contrary, they will do their best to disguise their activity, and the fact that authentication data has been compromised, for as long as possible.
- Remote work only increases the risk of having your passwords compromised since it permits access from any devices, including uncontrolled ones.
- Passwords are highly vulnerable to social engineering techniques when various manipulations are used to coerce the users to directly or indirectly disclose their password to the intruder.
- Access blocking after a specified number of failed attempts may be disabled for some corporate resources, especially for local sessions. This means that such systems and services may be vulnerable to various password-cracking methods.
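The last point, a missing lockout after repeated failures, is easy to reason about with a concrete policy in front of you. The following is an added illustration, not code from the Indeed AM product: a small failed-attempt counter that locks an account after a threshold of failures inside a sliding window and keeps it locked for a fixed period. The timestamps are passed in explicitly so the behaviour can be replayed deterministically; the threshold, window and lockout values are assumed defaults, not settings from the page.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account after `threshold` failures within `window` seconds.

    `now` is an epoch timestamp supplied by the caller, which keeps the
    policy testable; a real authentication service would pass time.time().
    """

    def __init__(self, threshold: int = 5, window: int = 300, lockout: int = 900):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        # per-account timestamps of recent failures, oldest first
        self._failures: dict[str, deque] = defaultdict(deque)
        # per-account epoch time until which logins are refused
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # lockout expired: clear it so the account can be used again
            del self._locked_until[account]
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Register one failed attempt; return True if this one locks the account."""
        recent = self._failures[account]
        recent.append(now)
        # drop failures that fell out of the sliding window
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure history for the account."""
        self._failures.pop(account, None)


def simulate(events: list[tuple[str, float, bool]], policy: LockoutPolicy) -> list[str]:
    """Replay (account, timestamp, password_correct) events and report outcomes.

    Note that a correct password presented while the account is locked is
    still refused, which is the whole point of the lockout.
    """
    outcomes = []
    for account, when, correct in events:
        if policy.is_locked(account, when):
            outcomes.append("locked")
        elif correct:
            policy.record_success(account)
            outcomes.append("ok")
        elif policy.record_failure(account, when):
            outcomes.append("locked-now")
        else:
            outcomes.append("failed")
    return outcomes


if __name__ == "__main__":
    # Constructed sample: five wrong guesses in a minute, then the right password.
    sample = [("alice", 1000 + i * 10, False) for i in range(5)] + [("alice", 1060, True)]
    print(simulate(sample, LockoutPolicy()))
```

Without such a policy every one of the guesses above would be scored only by whether the password matched, which is exactly the situation the bullet describes for resources that have lockout disabled.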
Another weak point of password management software lies in the fact that each information system or service may use its own authentication subsystem. This may cause further problems and reduce labor productivity:
- Users need to remember and enter multiple passwords.
- System administrators have to address a number of tasks:
  - Keep all users and their authenticators under control.
  - Respond to failures in different user authentication subsystems.
  - Monitor access events across multiple subsystems.
  - Reset forgotten user passwords.
Another factor deserves special attention: Russian and foreign media constantly feature news about leaked user account databases (containing logins and passwords) that later become available for sale on private web resources.
All issues and vulnerabilities related to password-based authentication can be solved by introducing a single comprehensive authentication management system. Such systems should be able to perform the following tasks:
- Support additional types of authentication (that do not share the weak points of password management systems).
- Enable centralized management of authenticators and access to corporate resources.
- Offer the same set of authenticators for all corporate resources.
- Ensure centralized monitoring of all access-related security events.
Indeed Access Manager platform
The Indeed Access Manager (Indeed AM) platform belongs to a specialized class of IT solutions that incorporates the following functional modules:
- Authentication Management
- Multi-Factor Authentication Provider (MFA-Provider)
- Enterprise Single Sign-On
- Web Single Sign-On
- Out-of-band (Mobile) Authentication
The Indeed AM platform draws on our company’s long-term expertise in developing information security products, specifically those related to access management.
Indeed AM is a software and hardware system providing centralized identity management policies, a universal authentication technology for all corporate services, and various strong and multi-factor authentication scenarios.
The key advantage of Indeed AM is that it supports various strong authentication scenarios across multiple target resources and authentication protocols (via relevant integration modules). This system was designed to replace password management software with more secure technology for neutralizing the above threats across your entire corporate IT infrastructure. In this case, all authentication data is stored in a secure vault.
Access policies define access rules, specify the technology to be used in specific applications, and establish the scope of permissions for system operators and administrators.
Corporate users can use the web console to view information about their authenticators. In addition, users can issue new authenticators and disable existing ones in the web application.
The Indeed AM Administrator and Operator Console is a convenient web application to customize, manage and audit the centralized authentication system. Administrators can use it to manage the system’s integration with your IT infrastructure and set up role-based access control. The console also serves as a tool for managing user authenticators and granting access to target resources (directly or via authentication protocols).
Client software designed for workstations running Microsoft Windows can be used to enable strong authentication scenarios (Windows Logon) and Enterprise Single Sign-On for corporate applications and web applications on user workstations.
The Indeed Key mobile app ensures secure access to your corporate resources. Users confirm their access via the app on their smartphones, where they can also view their access information and the name of the system they are trying to log into. The system also supports one-time password technology (TOTP protocol).
Special integration modules enable strong authentication scenarios for various categories of target resources as they support both specialized authentication protocols (RADIUS, ADFS, etc.) and specific target systems (Windows-based workstations, Microsoft RDS terminal servers, etc.).
Thanks to the convenient Indeed AM role-based mechanism, you can set up user privileges for employees with various job duties. For example, you can use it to clearly divide the responsibilities of federal and regional security administrators.
A series of technical and organizational measures is required for replacing password-based authentication with new technology that can ensure a higher security level across your entire IT infrastructure.
One of the key tasks here is to select and introduce optimal strong authentication solutions. This is a relatively easy task when it comes to local access to corporate workstations. In this case, you can use Microsoft Windows built-in authentication tools, such as digital certificates or biometric scanners embedded in modern laptops.
However, this becomes considerably more challenging when it comes to strong authentication for remote access to corporate resources, where you need to assign specific authenticator sets to different categories of employees in line with their respective permissions.
The market offers multiple technologies for strong user authentication, including biometric authentication, push authentication, hardware-based authentication, digital certificates, or one-time passwords issued by local generators or sent by SMS or email. Every solution has both strong and weak points. Let’s consider a couple of examples.
- Biometric authentication relies on the inherent and unique physiological and behavioral characteristics of users. However, such technology requires specialized scanners and can hardly be used for remote access from a potentially unlimited number of user devices.
- User authentication relying on local one-time password generators (tokens or smartphone apps) supports scenarios for almost any type of target resource, both for local and remote sessions. It also does not require connection with corporate services. Yet, if a smartphone is used, there is always a risk that it may get hacked and taken over. On top of that, tokens must be purchased separately and may break down.
When choosing the right authenticator (or authenticators), one should consider a range of factors, such as:
- Access scenario (local or remote access)
- Device used (computer or smartphone)
- Target resource (corporate application or public web service)
- Users’ privileges and permissions
The Indeed AM platform is a universal tool that helps you select the optimal strong authentication types for your specific conditions.
During the migration to centralized access management, the main challenge lies in the fact that corporate services and applications may rely on several subsystems for user identification and authentication, and these subsystems are rarely interconnected. In some cases, a user may need more than one user account (login and password) to gain access to various services.
The following IT components can serve as target resources:
- Workstations running Microsoft Windows
- Application servers (Microsoft Windows Remote Desktop Server or Citrix XenServer)
- Virtual desktop infrastructure (VDI)
- VPN gateways for remote access
- Public web services
- Corporate local apps on user workstations
If we want to completely replace password-based authentication with other solutions, we may discover during implementation that password protection is the only type of authentication supported by some services.
The Indeed AM platform includes specialized modules offering extensive integration options.
Integration with authentication protocols:
- SAML Identity Provider
- ADFS Extension
- NPS RADIUS Extension
- OIDC Identity Provider
Integration with specialized servers:
- RDP Windows Logon (Microsoft Windows Remote Desktop Server)
- IIS Extension (Microsoft Internet Information Services)
Integration with local resources:
- Windows Logon (workstations running Windows)
- Enterprise Single Sign-On (desktop and web applications)
The platform also supports integration with the following types of access and identity management solutions:
- Identity & Access Governance (IAG, IAM)
- Physical Access Monitoring and Control System (AMCS)
- Endpoint Security Suite (ESS)
Thus, you can use the Indeed AM platform to create a single authentication system encompassing all your corporate services.
Centralized authentication management and monitoring
As noted above, the main challenge of migration to centralized access management has to do with multiple subsystems used at the same time. More often than not, your IT infrastructure includes services, systems, and even devices with their own user directories, which means that all of them require separate user identification and authentication. This issue can be addressed by using relevant Identity Governance & Administration (IGA) software. However, IGA deployment is not an easy task. Building a unified access management model that correctly assigns user privileges will require extensive and resource-intensive R&D efforts.
In addition, each service has its own event log. In some cases, logins in different systems may even have distinct notation. When a security incident occurs, you may find it hard to quickly reconstruct the sequence of events since you will need to analyze multiple records from different logs. This problem can be solved by purchasing and deploying a Security Information & Event Management (SIEM) solution, but some companies may find that they are lacking the necessary resources.
If we take a closer look at the problems mentioned above, we may be tempted to conclude that only big companies possessing sufficient resources can hope to solve them, and the only way to do this is to buy expensive systems.
However, IGA and SIEM products may be redundant if centralized access management is your only task for today.
On the other hand, the Indeed AM platform does not offer centralized customization and management of user permissions in specific target systems, and neither can it collect and analyze data related to information security events.
What Indeed AM can do is help you address a set of tasks related to centralized access management that is best suited for your needs, keeping the required efforts and financial investments at a minimum. The Indeed AM platform can help you achieve the following results.
- Have a single log of all access events with personalized connection data that can be used for investigating security incidents. You will only need to review one event log that contains all required information.
- Apply universal policies for managing user authentication and access to target systems. All you need to do is set up integration with target systems and assign access rights for specific user groups in relation to specific resources once and for all.
- Introduce a single set of user authenticators. For each user group, you can set up a comprehensive set of authenticators required for access to all corporate resources for both remote and local sessions.
It is important to point out that the Indeed AM platform does not conflict with SIEM and IGA solutions and cannot replace them. Even if your company plans to purchase and deploy SIEM or IGA software in the future, having Indeed AM is still highly desirable, since it helps you address the most pressing issue in the field of information security. After that, you can start working on centralized permission management, as well as end-to-end monitoring and analysis of all security events, including access events.
Target resources
- Active Directory
- DBMS (SQL)
- Workstations running Microsoft Windows
- Microsoft Remote Desktop Server
- Microsoft Internet Information Services
- Windows desktop applications
- Web applications
- VPN servers
- Application servers
- Virtual desktop infrastructure (VDI)
Integration mechanisms for target applications
- OpenID Connect
- OAuth 2.0
- Enterprise Single Sign-On
Authentication technologies
- Biometrics: fingerprints, palm vein pattern, and face geometry (2D and 3D)
- Hardware devices: contactless cards, USB tokens, iButtons, and RFID cards
- One-time passwords: TOTP/HOTP applications, OTP tokens, one-time password delivery via SMS, Telegram and email
- Push authentication app (Indeed Key)
Removable hardware tokens
- eToken, ID Prime, and iKey (Thales Group, formerly SafeNet and Gemalto)
Third-party security solution integration
- Workstation security solutions: Secret Net Studio
- Permission and user account management tools: Solar inRights, 1IDM, Cube, Microsoft FIM, and IBM Tivoli Identity Manager
- Public key infrastructure management tools: Indeed Certificate Manager
- Tools for information security event monitoring and correlation: SIEM solutions
- Access monitoring and control tools: Bastion, Orion, and Seven Seals