IDM KUB system (End-to-end system of information security)

The KUB system provides centralized operation with access and control of information security. Information security management is exercised using requests in which heads of divisions define access rights of subordinates to resources of an information system. Internal document flow of a system allows to implement approval of requests according to business processes of the organizations. KUB monitors execution of requests and instructions and also registers unauthorized changes of security settings of information systems.

Main systems capabilities:

• Registration of requests for providing access and the automated accounting of the persons allowed to confidential information;
• Constant control of security and the notification about the facts of unauthorized access to personal data and to other confidential information;
• Protection of the facts of providing access against the internal violator with administrative powers;
• Ensuring evidential base and providing the reporting taking into account the history of approvals and changes of access rights.

"CUBE" is implemented in JSC "Russian Railways", projects in Central office of the Central bank for the Vologda region, Federal Treasury are implemented.

This unique cross-platform solution allows to perform close integration of technologies, processes and people, at the same time increasing availability of service of the service of automation (SA) and efficiency of activity of the Information Security Service (ISS).

"We consider that this product reached the sufficient level of a maturity that the separate company was engaged in its implementations and further development. "Trustverse" will become such company working on the "one company — one product" model — Herman Batasov noted. — Our next plans include increase in number of customers and creation of own partner network from among system integrators". KUB is not a shrink-wrapped software product. We are going to create own partner network and to perform sales through partners. Let's create based on the developed KUB technology different solutions and new products. Also in plans to develop the direction of rendering services in the SaaS model. Our specialists together with partners are ready to perform pilot implementations for customers, to train personnel of the partner".

As Andrey Stepanenko noted, the director of business development of company "Informzashita", "KUB" is a classical example of a product for project distribution therefore transferring him to the independent company, we expect to make him more attractive to integrators that our partners were not afraid of the competition to Informzashita at the customers. We already had an opportunity to check efficiency of the similar scheme of cooperation when displaid all our developments of shrink-wrapped software products in Code of Security company and provided partners with additional service for design and maintenance of implementation of secure systems on their basis. Such scheme will allow integrators to provide more rapid implementation "CUBE" and to get big profit due to the services".

Ideally in each company there have to be accurate regulations describing access for employees to these or those resources. Then it is a little problems with data security, and about it is more. However far not everywhere the situation is so well. In any organization numbering from one thousand people the number of significant employee transfers daily is about 2%. Here not only cases of dismissal and employment, but also movement from department to department, diseases, business trips, temporary substitution of duties of the people who went on leave belong. For example, the employee went to a business trip. It means that in addition to tickets and travelers, the organization should provide him remote access to necessary corporate resources. And upon return — to withdraw if such access is not provided in its job description. As a result, if there is a lot of staff changes, even ideally built up system begins to accumulate errors and incongruities that can lead to negative effects in the company.

The KUB platform developed in Trastvers solves a problem of access control more widely, considering requirement and security services. And for the last it is extremely important to provide the continuity of control as the more time will pass from the moment of violation of security policy of the company, the damage will be stronger. The main objective of KUB consists in centralization of all information resources of the company and effective management of them. After system implementation at the enterprise quickly enough there is a harmonious and ordered structure of providing access where each change of access rights has the author. It is especially useful in case of the incidents connected with bad faith of employees. After a glance on KUB there is a question: this really serious and only solution in the niche or "the fifth wheel" in infrastructure of the company?

Target audience of the systems of the class IDM are the administrators managing settings of information systems. But the problem of access control raises much more questions. First of all, it is necessary to create and approve requests for providing access rights taking into account structure of the enterprise. It is necessary to control also continuously access and to reveal unauthorized changes of accounts. In addition it is necessary to provide also coordinated management with logical and network access. These are not all questions which the companies need to solve. Use of the KUB system allows to solve in a complex all problems connected with access control.

Thus, the access control mechanism implemented in the KUB system includes functionality of IDM systems, significantly expanding it in the field of approval, determination of required changes and operating control of settings of access in direct systems. These tasks are key for integrated management of access. KUB — the platform of new generation. She solves a problem of management of access for three main participants of process at once: business users, employees of IT services and staff of Information Security Services.

How it works?

All solutions connected with information security have a weak point, namely — a human factor. It is possible to build up as much as long politicians, to cast and improve authentication — one malefactor who acquired enough rights can nullify all efforts. Especially if for some reason he has a high level of access. Any change order of the rights should have the initiator having necessary for this right and to undergo a number of the approvals set by rules. When process of approval of the request is automated and completely corresponds to information security policy and business processes operating in the company, it is possible to prevent errors of a human factor due to automation. If, despite all precautions, an incident after all occurred, it is very important to have all change history of settings of access rights before eyes. Only this way it is possible to identify "violator".

When using KUB a part of "opportunities" of unfair employees are cut already at the level of architecture.

In process of management of KUB of access creates the so-called "model" reflecting current settings of all information systems. After approval of the request CUBE can predict as settings of information systems should change and transfer model to a new status.

Thanks to such model control procedure becomes really effective because all perfect changes in a system at the same moment are compared with the approved model of access and information security policy. Moreover, changes are considered as successfully complete, only if the real status of an information system matches model. Otherwise at once will become clear that someone from employees did not perform all necessary operations or intentionally made something not so, for example, gave excess access to certain information resources.

The CUBE is the cornerstone electronic managing document management of requests. It allows users to manage the requests for access to information resources through approval. Document flow is understood as consecutive process of the movement of requests, each of which passes the next stages: creation, approval, updating, accomplishment, control. Participants of document flow can be all staff of the organization who creates, will approve or implement requests.

The request is an electronic document where the user formulates the requirements to access or other changes of model. All changes happening in information systems are results of accomplishment of requests. Requests will automatically be transformed to the instructions specifying what needs specifically to be changed in information systems that users got required access to resources. There is no automatic generation of instructions in one of existing today IDM systems as there is also no opportunity to select the mode of automatic or manual exercise of instructions.

Before execution of the instruction can be updated by the specialist responsible for a direct system, i.e. he has the right to correct some of its parameters, for example, to replace the contractor of the instruction or to change a name of the created account.

All requests in KUB are surely approved. Routes of approval are automatically determined, on the basis of the request, considering availability approving, organizational and regular structure of the organization and responsibility of employees for information resources. Existence of dynamic routes of approval distinguishes KUB from IDM-presented at the market and solutions e-document flow. KUB stores not only all requests for access, but also information on the actions happening to them: who and when approved on the basis of what, who executed, etc. In a standard IDM system the change history of access rights is not considered that considerably complicates investigation of incidents.

Any user of a system via the convenient web interface can create the request for access that unloads administrators. During creation of the request the author selects employees and roles which are necessary to them for gaining access to certain resources. Search of suitable roles can be performed by the name, category, compliance to a certain information resource or just to select from the complete list. At the same time there is no need to go deep into technical details. For example, at a request of access rights to 1C, the user does not need to enter a name, the name of the current directory, a set of the rights of the user and other parts. On the basis of the put rules CUBES itself broadcasts requisition requirements in terms of direct systems. The possibility of translation of user requirements in terminology of direct systems allows normal employees not to penetrate into technical details and to save the time, to contractors of instructions – to reduce risks of the errors connected with the wrong interpretation of requests, and to company management – to save money on service of information resources.

Requests and all actions for their approval can be protected the electronic signature. For support of the electronic signature any certificates including intended for creation of the qualified legally significant signature can be used.

Additional opportunities

In KUB also some additional opportunities important for information security support of the company are implemented. First, this management of network access and information security tools. In most the large organizations access to information systems some specialists, and network access – others manage, and often they make untied actions. KUB allows to execute these two processes at the same time. For example, if the employee needs to get access to a remote resource from the house, and between it and a resource there is a firewall (ITU), by the request are generated to the instruction to both the administrator of a resource, and the specialist who is responsible for setup of ITU. And that the most important, process works and in the opposite direction, at restriction of the rights or blocking of users. The system administrator blocks access or deletes an account, and the administrator of ITU closes the corresponding route.

For ensuring complexity of KUB Secret Net is integrated with some the information security facility, for example. Through KUB control of the information security facility settings and settings of access rights to applications is exercised.

Secondly, an additional opportunity can be considered management of digital certificates. Digital certificates are used for authentication of users, i.e. check of the employee who wants to get access to a resource. By issue of certificates it is centralized, through KUB, the complexity of the solution is provided. Today KUB manages only certificates without digital mediums, but the solution on management of tokens will be in the short term connected. The release of the device with the certificate will be initiated in KUB.

At last, the solution does possible management of hardware-software configurations. KUB contain data on a configuration of computers and the software set on them. If the employee needs to install additional programs for work, he sends the request to KUB, it is in the same way approved and generates instructions to contractors. If KUB finds out that the computer was unexpectedly reconfigured, for example, amount of memory became less, the processor exchanged or the sound card was gone, notifications follow the corresponding persons.

For whom is KUB and what to wait from implementation necessary?

Before starting development of the system of KUB specialists of Trastvers company carefully analyzed requirements of the market and found nobody the busy niche demanded by large businesses for which questions of information security at access control are essentially important.

Trastvers implements KUB in the Central Bank of the Russian Federation, Federal Treasury, the Russian Railway, FSB and other large corporations. A target consumer of KUB are the large companies with branched structure having a large number of daily personnel transactions and high price of any errors connected with access rights to information resources.

Unfortunately, the classical IDM solution is not able to solve a problem of access control and observance of information security policy. Today – KUB the only complete solution presented at the Russian market.

The average project on 1000 jobs takes about two months. The main time is spent for a preparatory stage when it is necessary to optimize or describe the operating business processes in the field of information security support and to help the company to formulate the basic principles of safe access control. After accomplishment above the described actions involvement of the customer in project implementation is minimum. In spite of the fact that the large companies pay a lot of attention to information security, their policy in accessibility domains and casts of employees is often far from ideal. Means of the analysis and optimization of structure of roles which will help to bring order are built in KUB.

What occurs after implementation of KUB? Whether it is possible to estimate effect somehow? Certainly. As a result of start of the solution in the company information security policy will be formalized, information resources are arranged and areas of responsibility of employees are defined. Any change of access rights happens without delays on the put scenario therefore risks of loss of important information are reduced. Network access is inseparably linked with logical, and the complete history of all changes of the rights is available. Business users from the workplace make out and approve requests for access to necessary information resources. IT administrators receive accurate instructions in terminology clear to them. At last, the Information Security Service receives the efficient and convenient instrument of control of violations of security policy.

CUBE - End-to-end system of information security 2.10

• The mechanism allowing to create individual versions of a product excepting functionality, excessive for the customer, is added and including only necessary.
• Safety features regarding control of action of administrators are strengthened.
• The mechanism of control of execution of requests is improved that provides additional conveniences and transparency of process to business users. Now they have an opportunity more flexibly to configure types of notifications which they want to receive.
• Mechanisms of work with requests are improved. New requests can be created on the basis of already existing, by copying that minimizes time for creation of the request.
• The augmented list of the created reports for different user groups.

2014

End-to-end system of information security - "CUBE" 2.11.

On January 30, 2014 the Trastvers company announced release of the new version of a system of Integrated Management of Security "CUBE" - 2.11.

In the new version the functionality is available:

• By drawing up requests for access it is possible to manage access for employees as on the basis of the roles configured earlier, so to information resources directly now.
• The ability to manage is added by standard access of divisions. The access appointed to divisions automatically is broadcast to positions and employees in divisions. Here the hierarchy of any level of complexity is possible.
• There was a support of management of positions of employees behind the state, with their binding to the positions imported from a personnel system. At the same time transactions of dismissal of the employee with removal in this case of additional positions of this kind are monitored.
• The feature to accept the approved request from an external system in which the list of roles, necessary for issue, is already specified is added. It allows to import and to accept automatically to execution of the request, created and approved in external systems of document flow.
• The order form printability on the last step of creation of the request for providing access is added.

It is convenient during a transient period from paper document flow to electronic.

• There was a new report "The employees having access to direct systems", the showing access for the employee to direct systems of the organization that is convenient at access certification.

Other changes increasing convenience of users during the work with a system also were a part of the new version.

Integration with Indeed Enterprise SSO

On February 25, 2014 the companies Indid also "ТрастВерс" announced an exit of integrated solution of a system of the Integrated Management of Security ("IMS") and Indeed Enterprise SSO. The joint solution is intended for creation of a system of effective management of access to corporate resources and process automation of IT activity.

The solution Indeed Enterprise SSO (ESSO) provides the organization of pass-through and strict authentication at access for users to information systems of the company without the need for data modification of systems and solves the following problems:

• standardization of the procedure of access for end users;
• centralization of management of authentication of users at access to different applications;
• automation of an entry procedure of passwords in final applications;
• disposal of users of need to remember passwords.

Integration purposes "CUBE" and Indeed-Id Enterprise SSO:

• full automation of processes of management of credentials and access rights of users;
• increase in convenience of work of users due to use of a uniform authenticator for access to different information systems;
• increase in level of information security due to use of means of two-factor authentication.

Dmitry Prokopenko, the head of development of Trastvers company, noted: "The joint solution allowed to automate completely management of credentials and access rights of users. After acceptance of the employee for work and entering it in the personnel KUB system automatically creates accounts and user passwords in all necessary direct systems and issues necessary access rights. Accounting information is automatically transferred to Indeed-Id, exempting the administrator from need to manually enter user profiles into Indeed-Id. The convenience of work of users increases due to use of a uniform authenticator".

"The integration solution gives an opportunity to provide to customers the solution of the whole complex of the tasks directed to effective management of access and information security support of the company", - Pavel Konyukhov, the technical director of the company of Indeed-Id emphasized.

2015

For 2015 an IDM system underwent a number of changes:

• Development of Java Connector Framework for development of connectors by the companies integrators is continued.
• The nomenclature of connectors for management HP SM BMC Remedy SAP ABAP CORE BANKING SYSTEM CFT , etc. is expanded.
• The high scalability of a system is confirmed in practice – it manages access of 80 thousand employees.
• The convenience of operation and setup of a system is increased.
• Electronic document management of requests for access control is finished.
• Functionality of a system on authority delegation and differentiation of access rights is expanded, as a result – the convenience of its work in the geographically distributed organizations increased.

In 2015 the solutions "Trastvers" were selected by the customers working in the different industries: in oil market, in the financial sector, in a segment of leasing services. Among clients it is possible to note Irkutsk Oil Company, AFK "Sistema", Rosinterbank, VTB leasing, "Soteks", the Central Bank of the Russian Federation for the Kurgan region, Okeanbank, etc.

The company worked on the project on expansion of functionality of a system of approval and access control of a subsystem of information security support of GIIS "Electronic Budget". In 2016 further development of the project is planned.

In 2015 the developer changed the strategy of positioning of a product. Before KUB it was implemented in a uniform format – it is focused on state companies and large business. "ТрастВерс" decided to adapt a product proceeding from needs of target audience. As a result there were three options of delivery of the CUBE focused on the organizations of different scale. The packet of Lite is intended for the small companies which want to automate process of creation of accounts in domain infrastructure; KUB of Standard – for the medium-sized and big companies interested in control automation in accounts and access rights and also control of observance of information security policy. And the most senior editorial office – Enterprise – is intended for large corporations and is delivered as the integrated platform for creation of a complex corporate system of access control. As a result of the company it was succeeded to build flexibly price policy, to increase interest in a product and to achieve sales growth.

End-to-end system of information security - "CUBE" 3.0

The Trastvers company, the developer of the automated management tools access and data protection, announced in March, 2015 a release of the new version of the KUB system 3.0 and release of new editions of a product: KUB of Lite, KUB of Standart and KUB of Enterprise.

Vrsiya of the KUB system 3.0 intended for automation and access control to information resources of the company and control of observance of security policy is provided in three editions: KUB of Lite, KUB of Standart and KUB of Enterprise. Each of editions is focused on application in the companies of different level and scale of business and differs in the number of the connected users and systems, cost and complexity of implementation.

"Earlier KUB represented a monolithic product and had no editions. In version 3.0 the decision to separate a product into editions depending on requirements both absolutely small firms, and large corporations could apply a product was made. With separation into editions the KUB IDM system became more available at the price and it is simpler in implementation", – Prokopenko Dmitry, the head of development department of Trastvers company told.

For the small companies interested in automation of creation of accounts and purpose of the rights in Windows infrastructure (the domain, file and mail servers), the Trastvers company releases edition "KUB" Lite. This version of a product is limited by the number of users (till 1000) and to the connected systems (the domain Active Directory, file servers of Windows and the Exchange mail server), differs in the low cost of the license and simplicity of implementation. Edition "KUB" Lite can be also used as the first stage of system implementation in larger company.

For the medium-sized and big companies interested in control automation in accounts and access rights and also for control of observance of information security policy edition Standart is offered. This edition allows to connect any connectors including developed under the order. For edition limited customization of the user interface and development of connectors for information systems of the customer is supported. The developed means of generation and optimization of a role model facilitate the procedure of system implementation and reduce its terms.

For large corporations with a large number of users for whom the most coincidence tuning of a system under their business processes is important, edition Enterprise is offered. Unlike editions Lite and Standart this edition is not so much the boxed solution, how many the platform for creation of an end-to-end corporate system of management of cybersecurity with ability to integrate with a large number of systems and difficult business processes of management of access. For this edition creation specialized, constantly supported from vendor and integrator of the solution is meant.

In addition to release of editions Lite, Standart and Enterprise for the companies of small, medium and large business, in new KUB version 3.0 the following functions are implemented:

• completions of a subsystem of document flow of requests are made;
• opportunities for setup the politician of approval of requests are expanded;
• search algorithms of standard access for employees are finished;
• possibilities of means of generation of a role model are expanded;
• more flexible configuration of appointment approving for requests is implemented;
• customization of screen forms for requests in a free form is added;
• opportunities for work with freelance employees are expanded.

The CUBE Assistant program was also processed into versions of the KUB system 3.0, setup of the program is considerably simplified and the design is processed.

Besides, in KUB version 3.0 the KUB web portal which allows to carry out deep customization of a system under needs of the specific customer without making changes in the code is significantly finished. Further it is going to pass completely to web management which will simplify remote administration of a system and also will allow to separate areas of responsibility of administrators of different branches and departments in the large distributed organizations.

For more convenient information representation in the new version of a system reports are also finished, automatic creation of resources of a file server at the request of users is supported. In general completions of a system are made for increase in its performance and reliability.

2016

Objectives

In plans of the company for 2016 – further development of a partner network, end of a number of large projects in creation of management subsystems by access based on the Trastvers CUBIC system assumes to perform within a year release of the new version of the product cubeB number of the expected functional changes: � Expansion of the nomenclature of connectors for standard electronic document management systems, ERP systems, banking systems, the information security facility and web portals.

• Increase in scalability – at one of customers is expected growth of number of the employees who are under control of a system up to 200 thousand.
• Support of integration of the KUB system into the Card Management systems and ACS.
• Increase in convenience of work of users and expansion of opportunities for setup of a system.