Rosselkhozbank implemented Avanpost IDM for centralized access management across its information systems

Customers: Rosselkhozbank (RSHB)

Moscow; Financial Services, Investments and Auditing

Product: Avanpost IDM Access System
Second product: Avanpost PKI

Project date: 2015/03 - 2018/09

2018: Implementation of Avanpost IDM for centralized access management across information systems

On December 6, 2018, Avanpost announced that Rosselkhozbank had implemented a single system for managing user accounts and user access rights to the organization's corporate resources (IDM), built on the Avanpost IDM system.


Rosselkhozbank's strategy of active growth (especially in its retail business) required the entire technology of access management and control to be accelerated and deeply automated on the basis of a modern IDM solution. At the same time, everything of value in the regulatory documents, methodological practices and working practices of the preceding period had to be preserved and reused. High-quality control of access to the information resources of a bank with an extensive branch network had to be ensured.

The Russian software product Avanpost IDM became the technical foundation of Rosselkhozbank's access control system.

Project Progress

Avanpost IDM applies three approaches at once to automating the granting and revocation of user rights in different information systems:

  • hands-off processing of HR events (on the basis of a role model and through integration of IDM with the sources of HR events and with the managed systems);
  • automation of the process by which users request permissions, and of the subsequent processing of those requests according to complex regulations;
  • automatic prevention of impermissible combinations of roles (segregation-of-duties, or SoD, conflicts).

Integration of IDM with the source of HR events and with the managed information systems is handled in IDM by so-called interface modules (connectors). The number and variety of information systems used by Rosselkhozbank's users, and the resulting complexity of the IT landscape, meant that three important advantages of Avanpost IDM came to the fore in this project:

  • a large set of ready-made connectors to various system, infrastructure and application software;
  • the relative simplicity of building new interface modules;
  • the ability, once the connectors are configured, to run automatic audits of access rights that reveal deviations of the actual access rights from the normative ones, across all managed systems connected to IDM.

During the implementation of Avanpost IDM at Rosselkhozbank, not only were all the necessary connectors configured and the audit of access rights started, but the reports needed for process control and for investigating information security incidents were also set up.

Role model: on paper and in IDM

The role model defines the normative sets of rights for different categories of users in the enterprise information systems. Avanpost IDM has a full range of built-in tools and automation for building a role model and keeping it current. Even so, for many organizations methodologically correct work with role models turns out to be the hardest task, and often an unsolvable one.

At Rosselkhozbank, however, this problem did not arise: when the Avanpost IDM implementation started, the bank already had a current role model, a technology for updating it (in the form of a strictly observed administrative regulation) and clearly described access provisioning processes for each of its information systems. These practices made it possible to realize the potential of Avanpost IDM fully and to carry out the implementation in a methodologically correct way, Avanpost said.

The permission request processes in Avanpost IDM let users independently create requests to obtain or revoke rights and organize their approval according to scenarios of any complexity. Lists of approvers, request approval routes, rules for delegating authority and other aspects are flexibly configured. For process management, Avanpost IDM provides a visual process designer and a full-featured workflow management system flexible enough to handle complex regulations of hundreds of steps.
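The request approval mechanics described above (a route of approval steps selected per requested role, named approvers, and delegation when an approver is away, which the project results section also mentions for employees on business trips or on leave) can be sketched in a few dozen lines. The following is an added example written for this page, not Avanpost IDM's workflow engine; every role, login, route, absence entry and simulated decision in it is constructed:

```python
"""Toy approval workflow for a permission request: the route (a list of approval
steps) is selected by the requested role, each step names its approver, and a
delegation rule hands the step to a delegate when the approver is absent, so a
request does not stall on an employee who is on leave or on a business trip.
Illustrative code written for this page, not Avanpost IDM's workflow engine;
all roles, logins, routes and calendars below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Step:
    name: str       # e.g. "line_manager", "system_owner"
    approver: str   # login of the person who normally signs this step


@dataclass
class AccessRequest:
    requester: str
    role: str
    route: list
    history: list = field(default_factory=list)  # (step, acting approver, outcome)
    status: str = "pending"


# Approval routes per requested role (constructed configuration).
ROUTES = {
    "payments_clerk": [Step("line_manager", "sidorova"), Step("system_owner", "petrov")],
    "ad_admin": [Step("line_manager", "sidorova"), Step("infosec", "orlova")],
}

# Absence calendar and delegation rules (constructed). orlova has no delegate,
# which is the case an administrator has to notice and fix.
ABSENT = {"sidorova": "business_trip", "orlova": "leave"}
DELEGATES = {"sidorova": "kuznetsov"}


def resolve_approver(approver):
    """Return who actually acts on a step, or None if the approver is absent and
    no delegation rule covers them."""
    if approver not in ABSENT:
        return approver
    return DELEGATES.get(approver)


def build_request(requester, role):
    return AccessRequest(requester, role, ROUTES[role])


def process(request, decisions):
    """Walk the route step by step. `decisions` maps an acting approver to the
    answer they would give; in a real system this comes from the approval UI."""
    for step in request.route:
        acting = resolve_approver(step.approver)
        if acting is None:
            request.history.append((step.name, step.approver, "no_delegate"))
            request.status = "stalled"   # visible to administrators, not silently lost
            return request
        decision = decisions.get(acting, "reject")
        request.history.append((step.name, acting, decision))
        if decision != "approve":
            request.status = "rejected"
            return request
    request.status = "approved"
    return request


# Simulated answers of each approver (constructed).
DECISIONS = {"kuznetsov": "approve", "petrov": "approve", "orlova": "approve"}

if __name__ == "__main__":
    for role in ("payments_clerk", "ad_admin"):
        req = process(build_request("ivanov", role), DECISIONS)
        print(role, req.status, req.history)
```

The history list is the audit trail a security team wants from such a system: it records who actually signed each step (the delegate, not the nominal approver) and makes a stalled request explicit instead of leaving it pending indefinitely.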

The SoD conflict prevention function built into Avanpost IDM (part of its IGA-class feature set) made it possible, already at the request stage, to completely prevent employees from being granted potentially dangerous combinations of rights that Rosselkhozbank's existing regulations forbid.

Even before the IDM implementation, the bank had developed an entire system of prohibitions on combining roles, which prevented or significantly reduced many risks but was labor-intensive. Since the mechanism for handling SoD conflicts was implemented in release 5 of Avanpost IDM, the range of checks was expanded during the implementation and all routine operations were fully automated. Moreover, the implemented system detects conflicts preventively, while the request is still being composed, and does not allow conflicting requests to be sent for approval. At the same time the system proposes possible corrective actions and lets the user choose how to resolve the conflict.
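Two of the mechanisms described above, the access audit that compares actual rights read through connectors against the normative rights derived from the role model (from the list of connector advantages), and the preventive SoD check that runs while a request is being composed and offers corrective options, can be modelled together. The block below is an added example written for this page, not Avanpost IDM's code; the roles, user categories, managed systems, SoD rules and sample users are all constructed:

```python
"""Toy model of two mechanisms described above: an audit that compares the
actual rights read from managed systems against the normative rights given by
the role model, and a preventive segregation-of-duties (SoD) check that runs
while a request is being composed, before it can be sent for approval.
Illustrative code written for this page, not Avanpost IDM's implementation;
every role, system, rule and user below is constructed."""
from dataclasses import dataclass

# Role model: role -> normative entitlements as (managed system, permission).
ROLE_MODEL = {
    "teller": {("abs", "cash_operations"), ("mail", "mailbox")},
    "teller_supervisor": {("abs", "cash_operations"), ("abs", "approve_cash"), ("mail", "mailbox")},
    "payments_clerk": {("abs", "create_payment"), ("mail", "mailbox")},
    "payments_approver": {("abs", "approve_payment"), ("mail", "mailbox")},
    "ad_admin": {("ad", "domain_admin")},
}

# User category (as reported by the HR system) -> roles that are normative for it.
CATEGORY_ROLES = {
    "branch_teller": {"teller"},
    "branch_head": {"teller_supervisor"},
    "back_office": {"payments_clerk"},
}

# SoD rules: sets of roles that must never be held by one person at once.
SOD_RULES = [
    frozenset({"payments_clerk", "payments_approver"}),
    frozenset({"teller", "teller_supervisor"}),
]


def normative_rights(category):
    """Expand a user category through the role model into concrete entitlements."""
    rights = set()
    for role in CATEGORY_ROLES.get(category, set()):
        rights |= ROLE_MODEL.get(role, set())
    return rights


def audit(users, actual_rights):
    """Compare what connectors report against the role model.

    users: login -> category; actual_rights: login -> set of (system, permission)
    as read from the managed systems. Returns only users with deviations:
    'excess' rights (present but not normative, e.g. leftovers after a transfer)
    and 'missing' rights (normative but absent)."""
    findings = {}
    for login, category in users.items():
        norm = normative_rights(category)
        actual = actual_rights.get(login, set())
        excess, missing = actual - norm, norm - actual
        if excess or missing:
            findings[login] = {"excess": excess, "missing": missing}
    return findings


@dataclass
class RequestCheck:
    allowed: bool          # False -> the request must not be sent for approval
    conflicts: list        # SoD rules that the proposed role set would violate
    remediation: list      # options offered to the requester to resolve them


def check_request(current_roles, requested_roles):
    """Preventive SoD check at request composition time.

    Evaluates the roles the user would hold if the request were granted and,
    for each violated rule, offers two corrective actions: give up the existing
    role, or omit the requested one."""
    current, requested = set(current_roles), set(requested_roles)
    proposed = current | requested
    conflicts = [rule for rule in SOD_RULES if rule <= proposed]
    remediation = []
    for rule in conflicts:
        remediation += [("drop_existing", r) for r in sorted(rule & current)]
        remediation += [("omit_requested", r) for r in sorted(rule & requested)]
    return RequestCheck(not conflicts, conflicts, remediation)


# Constructed sample data: what HR says about users, and what connectors read.
SAMPLE_USERS = {"ivanov": "branch_teller", "petrov": "back_office"}
SAMPLE_ACTUAL = {
    "ivanov": {("abs", "cash_operations"), ("mail", "mailbox"), ("ad", "domain_admin")},
    "petrov": {("mail", "mailbox")},
}

if __name__ == "__main__":
    for login, finding in audit(SAMPLE_USERS, SAMPLE_ACTUAL).items():
        print(login, "excess:", finding["excess"], "missing:", finding["missing"])
    result = check_request({"payments_clerk"}, {"payments_approver"})
    print("allowed:", result.allowed, "remediation:", result.remediation)
```

In the sample data the audit flags ivanov's Domain Admin membership as an excess right that no teller role justifies, and petrov's missing payment permission as a provisioning gap; the SoD check refuses to let a payments clerk request the approver role and lists the two ways out. Evaluating the rule against the union of current and requested roles, rather than against the request alone, is what makes the check preventive.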

Project Results

The result of implementing Avanpost IDM was the creation at RSHB of a single centralized system that controls access in both centralized and decentralized information systems, including those in mass use and critical for the whole bank: the automated banking system, corporate e-mail, the Microsoft Active Directory domain forest, and a number of Lotus Domino domains (which combine groupware-class solutions and various databases for working with poorly structured information). Dozens of information systems used in all regions of the Russian Federation are also connected to the access control system. The IDM solution works both in fully automatic mode and in manual fulfilment mode, depending on the category of the specific managed system; the choice of mode is determined by economic feasibility, assessed according to Rosselkhozbank's regulations. As of September 2018, Avanpost IDM manages the rights of the majority of users of Rosselkhozbank's information systems: tens of thousands of people and over 80 thousand accounts.

Overall, the solution allowed the bank to optimize and accelerate the processes of granting employees access to information systems. The project also allowed Rosselkhozbank to reduce sanctions risks and to assess the quality of Russian software in practice. According to bank representatives, work became simpler for the users who submit requests for access rights and who take part in approving them.

Avanpost noted not only the standard Avanpost IDM functions but also the customizations made at the customer's request (for example, the interface for managing access for groups of employees, which allows access rights to be set and changed in bulk, was customized and simplified in this way), as well as automation of responses to process delays arising for various reasons (for example, delegation of requests that would otherwise have to be handled by an employee on a business trip or on leave). And, of course, the identification and prevention of SoD conflicts.

"Using the Russian software product, we not only accelerated access management processes many times over but moved to a qualitatively new state, in which information security processes and other technical matters ceased to constrain the development of the bank's core business," noted Ekaterina Romankova, vice chairman of the board of Rosselkhozbank. "Avanpost IDM technologies allowed us to increase the effectiveness of the bank's access control practices and to move forward."

The implementation of Avanpost IDM reduced the workload of the Rosselkhozbank staff involved in the processes of creating, approving and granting access. A special role was played by: the use of classic IDM functions to automate responses to HR events; exception handling in the rules for processing HR events; the flexibility with which process regulations can be described in Avanpost IDM; and the large number of ready-made interface modules (connectors) to managed systems together with the simplicity of developing new ones.

Rosselkhozbank was given the knowledge and tools to maintain and develop the IDM solution independently. As of September 2018, the bank's specialists successfully operate the IDM system and develop the role model and the approval processes. The employees responsible for development integrate every new information system in mass use at the bank into the already automated access management process.

2017: Further development of the IDM system

Further development of the system began in May 2017 and took place in two stages. In the first stage, the access management processes built during the pilot project were completed, simplified and standardized. Tools for administering the processes (including automation) were created, and the user interface components and integration solutions were optimized and refined. Flexible configuration of exception rules for processing HR events was also implemented in the product, and a number of other changes were made to simplify the operation and use of the system in the bank.

In the second stage (September to December 2017) the system was scaled up in terms of the number of managed systems and of user roles in the information systems; the audit of access rights was also started and reports were developed.

2016: Resumption of work on implementing the IDM solution

In 2016 work resumed, now on the basis of the Avanpost IDM 5.0 product. The phase of active implementation of the IDM solution fell in May to August 2016, and from September (after the proposed IDM solution had been tested in a pilot zone) it was scaled out to all divisions of the bank to confirm the solution's performance and fault tolerance. Successful testing and positive feedback from the divisions performing the customer's core business established Avanpost IDM as the target solution for building the centralized access control system at Rosselkhozbank.

2015: Creation of a system for the accounting, management and audit of authentication means

Avanpost, the Russian developer of systems for identification and access control to enterprise information resources (IDM), announced at the beginning of 2016 the completion of a project to create a system for the accounting, management and audit of authentication means and key storage devices (tokens) at Rosselkhozbank. As a result, the Avanpost PKI solution is used as the centralized database of information on tokens issued not only to bank employees but also to clients. The project ran from March to November 2015.

Previously, Rosselkhozbank used a foreign-made system to manage identification information and electronic keys. Moving to the Russian solution from Avanpost gives the customer extended capabilities for using different types of key carriers, since Avanpost PKI supports all tokens and smart cards available on the Russian market and provides centralized management of key carriers for more than 300 thousand users.

Implementing the solution freed the client from a set of manual operations: initialization of key carriers, printing of PIN codes in PIN envelopes, issuance of technological keys, tracking of certificate validity periods, and suspension, resumption and revocation of certificates with simultaneous transfer of the key to the blocked status in the bank-client system.

In addition, the Avanpost PKI solution made it possible to manage the issuance of certificates for bank employees quickly, reducing the workload of administrators in managing the public key infrastructure. For example, thanks to the solution, a blocked key carrier is unblocked automatically after a set period. The Avanpost solution helps to track the validity periods of permissions and to obtain information on users not only from AD but also from HR systems and CRM.

"We approached the choice of a developer of the system for managing authentication, certificates and key carriers carefully. The Russian development Avanpost fully met our requirements. With its help we managed to automate many routine operations connected with supporting the bank's PKI infrastructure and, as a result, to reduce staff labor costs. Avanpost PKI services more than 300 thousand signing key certificates. Separately, I want to note that the concept of import substitution in the field of high technologies is bringing results and contributing to the emergence and rapid development of high-quality Russian IT systems that compete with Western analogs in the range and completeness of their functions."
Gennady Lavreshin, head of the information security department of Rosselkhozbank

2013-2014: Preparation for implementing the IDM solution, and pilots

Preparation for implementing the IDM solution at Rosselkhozbank began in 2013. Over several years the bank carried out a number of full-fledged pilot projects, involving focus groups made up of representatives of the business, IT and information security departments. About 1500 users took part in the projects, during which the bank compared IDM solutions from different vendors (Oracle, IBM, Microsoft, Avanpost, KUB, etc.).

After sanctions against the Russian Federation began, work on IDM was temporarily suspended, since a strategy had to be developed for the changed conditions.