Trusted solutions for telecom leaders
The explosive development of telecommunication technologies, mobile solutions, the Internet of Things and cloud services gives telecom companies nearly unlimited potential for technological improvement. At the same time, the latest technologies and a growing number of network communications provide many opportunities for attackers as well. As telecom companies grow and develop, the number of potentially vulnerable areas and cyber attacks is increasing.
“Over the last 13 months, BT has experienced a 1,000% increase in threats. We’ve seen our networks targeted in ways that we haven’t seen before. There is unprecedented speed in the innovation, resiliency and evasiveness of cyber attacks.”
Les Anderson, Vice President of British Telecom Cyber
While experiencing a significant increase in the number of subscribers and employees, telecom companies faced difficulties organizing the work of their IT infrastructures and had to solve many new problems. This led to larger and more complex infrastructure.
Access to company resources granted by the classic ‘login-password’ model poses no difficulty for cybercriminals. A careless attitude toward securing access to corporate resources results in the loss of those resources. Unfortunately, the loss of millions of customers' data has become a reality for many B2C companies.
One of the largest telecom companies in Russia, MegaFon, has the task of providing secure access from outside the company's infrastructure. Staff growth brought difficulties to the information technology department: password transfer, frequent recovery of lost passwords and declining security.
At the same time, users with access to the company’s critical systems (so-called ‘privileged accounts’) require special attention. Controlling these users, monitoring their activity and stopping actions that pose a threat to the company in time are becoming increasingly important tasks for telecom companies.
This is even more relevant given that the majority of such companies make wide use of outsourcers and subcontractors.
Russia’s three leading telecom operators – Mobile TeleSystems, MegaFon and Rostelecom – provide service to more than 160 million subscribers worldwide. In 2018, Indeed Identity signed contracts with these operators to use Indeed Identity solutions for authentication and certificate management.
Moreover, to meet the PCI DSS requirements, Rostelecom and Mobile TeleSystems deployed a Public Key Infrastructure (PKI), which allowed the use of smart cards and digital certificates for employee authentication. However, after deploying PKI, the companies found that existing solutions were inefficient or that software for managing certificates was lacking. Frequent certificate re-issuance, disorder in smart card and token accounting, inability to use smart cards for authentication when entering the company’s software applications and lack of self-service: this is just an incomplete list of problems that significantly undermined the information security of telecom companies.
Protection of published corporate resources.
Making company resources accessible remotely increases the risk of unauthorized access to critical business information drastically. The required protection level can only be reached by using modern user authentication methods.
Two-factor authentication using one-time passwords in published corporate services:
- Web applications
- VPN server
- Web Single Sign-On
The Indeed Access Manager solution makes it possible to use two-factor authentication (2FA) methods in a broad range of corporate applications. This, in turn, allows for building a unified 2FA system for accessing the resources available from outside the company’s network.
Creation of a single access point to the corporate IT resources, multi-factor authentication in all access scenarios.
Indeed Access Manager is a universal authentication system designed to implement strong and/or multi-factor authentication in any enterprise system. Enterprise Single Sign-On technology is also supported.
- Smart cards and USB tokens
- Push notifications
- Biometrics (fingerprint, face or hand vein pattern)
- RFID cards
Users forget their passwords now and then, losing access to business applications as a result. This imposes an additional workload on the IT service. Its employees have to spend a fair share of their working time on resetting user passwords and restoring their access to applications. Enterprise SSO implements the single sign-on approach enterprise-wide. The system provides centralized storage of user passwords for applications that require authentication and enters them automatically when the application requests them.
Strong authentication for:
- Windows OS via Credential Provider mechanism
- Application systems via Enterprise Single Sign-On
- Cloud applications with the use of SAML (Web SSO) protocol
The ESSO technology can be used with any application type (Windows, Web, .Net), irrespective of the architecture, be it single-tiered, two-tiered, three-tiered, thick client or terminal applications. Enterprise SSO relieves employees of remembering passwords and keeping them secret, entering them with the keyboard and changing them manually in accordance with password security policies.
Fully control and track usage of privileged accounts.
Another task was to control the actions of information system administrators. To do so, the companies deployed a privileged access management solution based on the Indeed Privileged Access Manager product. The solution allowed switching from the explicit use of administrative passwords to gaining access through a single control system.
- who is granted access
- what privileged accounts access is granted to
- what resources access is granted to
- for what time
- what session records should be made
Administrative staff no longer know privileged credentials and cannot compromise them. All administrative sessions are recorded in video and text format, which makes it possible to conduct investigations in case of any violations.
Reducing the cost of managing the public key infrastructure - automation of smart cards and certificate tasks, centralized distribution of PIN code policies.
To solve problems connected with Public Key Infrastructure (PKI) management, Indeed Certificate Manager has been installed in the companies.
Smart card types:
- Indeed AirKey Enterprise
- eToken by SafeNet
- ID Prime by Gemalto
- HID cards
Implementing the system helped to solve the following customer tasks:
- To automate digital certificate issuance. The list of certificates to issue is set centrally, based on a policy mechanism. The system provides a single, convenient interface for working with smart cards of various manufacturers and models.
- To perform a number of operations connected with smart cards, for example, to renew certificates or unlock a smart card, without putting an additional burden on the information security department. For this purpose, users are given a self-service tool in the form of a web application.
- To automatically meet the regulators’ requirements. The system keeps records of smart cards and digital certificates in accordance with the legislative requirements.
- To centrally distribute PIN code policies to all the smart cards used in the enterprise. Using the system ensures that all smart cards have the same PIN settings.
Several Indeed Identity solutions were offered to solve the above problems. Indeed Access Manager provided secure access from outside the infrastructure using two-factor authentication (domain password and OTP). The solution's capabilities let one of the companies evaluate all the advantages of the Enterprise Single Sign-On module. Not only did access to application systems and applications become significantly easier, but the security of the infrastructure as a whole also increased.
Indeed Identity's readiness to customize the solutions according to the customers’ needs made it possible to implement non-trivial scenarios.
Indeed Privileged Access Manager made it possible to switch to an access model in which administrative passwords are not used explicitly. This significantly reduced the attack surface in this segment and increased the transparency and security of privileged access.
For one of the companies, Indeed Certificate Manager became a worthy replacement for SafeNet Authentication Manager (SAM), reducing the costs of PKI maintenance and enhancing information security in terms of working with smart cards. Smart card accounting, certificate life cycle management and self-service for company employees largely relieved the information technology department and increased the economic efficiency of this service.