Forced import substitution in the information technology market raises serious questions for information security teams about how to control access rights and user accounts.
How these tasks were solved at PAO Segezha Group using the Indeed AM product was described by Maxim Korolev, Director of Information Security, in an interview on Anti-Malware.
The interview turned out to be very interesting and informative.
For your convenience, we publish part of the interview below. The full version can be read on Anti-Malware.
How do you think an ideal process for managing access rights and organizational accounts should be structured?
M.K.: Since about 2010 there has been a methodology called "zero trust" (Zero Trust). It implies issuing the minimum necessary rights to access only the information that is needed, and only for the time that is required. Implementing and supporting it in a large company takes a colossal amount of effort. Recently, the automation and digitalization of companies have been going ahead by leaps and bounds, and no one has kept up with them, including information security. Therefore, everyone focused on building a kind of "fence" around the perimeter. Building internal processes - segmentation, access management, roles, all kinds of checks - is a very labor-intensive matter. As we have already noted, most companies work without implementing these processes, and quite successfully: they do not feel that they have lost any money anywhere, and IT resources are always limited. Therefore, these factors - labor intensity, cost and the lack of an obvious result - have meant that such solutions are implemented either as slogans or not at all.

How do you manage accounts and access rights if you don't have IdM? What is used?
M.K.: I won't name the products, but it happens in a decentralized manner. In different systems (ERP, BI, system software) we manage accounts and access rights through their built-in tools. There are some elements of integration between these systems, but we have not yet achieved centralized role management.
And what about external access control? What are you working with here?
M.K.: We use the Indeed Access Manager product from Indid Company to implement the second authentication factor. All remote users are connected through this product. We are also considering using Indeed Privileged Access Manager to verify and control the actions of privileged users (system administrators), which will reduce the risk of insider violations and make incident investigations more efficient.
How long did it take you to implement a multi-factor authentication system and what foreign analogues did you use before?
M.K.: We did not use foreign analogues; we implemented Indeed Access Manager straight away. The implementation took about three months, after which the system went into production operation and has worked stably since.
Why did you choose this particular system?
M.K.: We looked at the analogs and their cost, compared them, and then decided which system to choose. At that time there weren't many options that allowed us to solve the problems we faced.
Among the key requirements that you had for this kind of system, what did you put first, what had to be supported? What was critical for you?
M.K.: The ability to work with the VPNs we use, and support for all types of mobile devices used by our employees and contractors; user-friendliness of the interface and reliability of operation were also among the key aspects. And, of course, the cost. These are the parameters that determined our choice.
Why was it necessary to support mobile devices? Do you use them as additional authentication factors?
M.K.: Yes, the product is configured to work via push notifications. If we had started working via SMS notifications, we would have had to install an SMS gateway, pay a subscription fee, and so on. Indid Company has an application for all types of devices, even for the proprietary operating systems used, for example, on Honor phones. Accordingly, the user installs the application, configures it in a couple of clicks, and then, when entering our infrastructure via VPN, receives push notifications and confirms that it is really them.
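The Zero Trust principle stated in the interview (minimum rights, to the needed resource only, for the required time only) is easy to state and rarely enforced. The following is an added example, not code from the interview, from Segezha Group or from Indeed's products: a deny-by-default store of just-in-time grants, each scoped to one principal, one resource, a set of actions and an expiry, with a policy-wide cap on how long any grant may live. The class and function names, the ERP resource name and the principal names are hypothetical, and the scenario data is constructed for illustration.

```python
"""Just-in-time, least-privilege access check (added example; names hypothetical)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Grant:
    """One explicit, time-boxed permission: who, on what, which actions, until when."""
    principal: str
    resource: str
    actions: FrozenSet[str]
    not_before: datetime
    not_after: datetime

    def covers(self, principal: str, resource: str, action: str, now: datetime) -> bool:
        # Every field must match exactly; a grant never implies anything broader.
        return (
            self.principal == principal
            and self.resource == resource
            and action in self.actions
            and self.not_before <= now < self.not_after
        )


class JitAccessPolicy:
    """Deny-by-default store of time-boxed grants (hypothetical helper)."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=8)):
        # Upper bound on the lifetime of any single grant, whatever the requester asks for.
        self.max_ttl = max_ttl
        self._grants: List[Grant] = []

    def grant(self, principal: str, resource: str, actions, requested_ttl: timedelta,
              now: datetime) -> Grant:
        if not actions:
            raise ValueError("a grant must name at least one action")
        if requested_ttl <= timedelta(0):
            raise ValueError("grant duration must be positive")
        ttl = min(requested_ttl, self.max_ttl)  # cap the request, never extend it
        g = Grant(principal, resource, frozenset(actions), now, now + ttl)
        self._grants.append(g)
        return g

    def revoke(self, grant: Grant) -> None:
        self._grants = [g for g in self._grants if g is not grant]

    def decide(self, principal: str, resource: str, action: str,
               now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Allow only when an unexpired grant matches exactly."""
        for g in self._grants:
            if g.covers(principal, resource, action, now):
                return True, f"grant valid until {g.not_after.isoformat()}"
        # Separate 'expired' from 'never granted' so the audit trail is useful.
        for g in self._grants:
            if g.principal == principal and g.resource == resource and action in g.actions:
                if now >= g.not_after:
                    return False, "grant expired"
                if now < g.not_before:
                    return False, "grant not yet active"
        return False, "no matching grant"

    def is_allowed(self, principal: str, resource: str, action: str, now: datetime) -> bool:
        return self.decide(principal, resource, action, now)[0]

    def active_grants(self, now: datetime) -> List[Grant]:
        """What is currently live; the list a reviewer would want to see."""
        return [g for g in self._grants if g.not_before <= now < g.not_after]


def demo() -> dict:
    """Constructed scenario: a contractor asks for a day of read access to an ERP system."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    policy = JitAccessPolicy(max_ttl=timedelta(hours=8))
    g = policy.grant("contractor-1", "erp-prod", {"read"}, timedelta(hours=24), t0)
    results = {
        "read_now": policy.is_allowed("contractor-1", "erp-prod", "read", t0),
        "write_now": policy.is_allowed("contractor-1", "erp-prod", "write", t0),
        "other_user": policy.is_allowed("admin-2", "erp-prod", "read", t0),
        "after_expiry": policy.decide("contractor-1", "erp-prod", "read", t0 + timedelta(hours=9)),
        "ttl_hours": (g.not_after - g.not_before) / timedelta(hours=1),
        "active_count": len(policy.active_grants(t0)),
    }
    policy.revoke(g)
    results["after_revoke"] = policy.decide("contractor-1", "erp-prod", "read", t0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the cap and the explicit expiry is that nobody has to remember to take rights away: the default outcome of doing nothing is denial. The `decide` reasons exist so that an investigation can tell an expired grant from one that never existed, which matters when the question later is whether an administrator's access was legitimate at the time.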