Project

Mosvodokanal migrated to Avanpost IDM 6

Customers: JSC Mosvodokanal

Contractors: Avanpost
Product: Avanpost IDM Access System
Second product: Avanpost WebSSO

Project date: 2015/04  - 2020/12

2020: Migration of the access management and control system to Avanpost IDM 6

Avanpost, a Russian developer of systems for identification and control of access to enterprise information resources (IDM), announced on January 19, 2021 that it had completed the migration of Mosvodokanal's access management and control system to the Avanpost IDM 6 platform. During the upgrade, new access management processes for the customer's unified electronic document management system were implemented. As of January 19, more than 5,000 user accounts are under the control of Avanpost IDM.

The large-scale update of the IDM platform allowed the enterprise to use all the latest functionality of Avanpost solutions available at the time of the project, to implement complex access control models and scenarios for a range of internal information systems, and to increase the stability and efficiency of the corporate information system as a whole. According to the customer's feedback, the transition to Avanpost IDM 6 helped optimize a number of business processes, including the creation of new means of additional handling of special cases and errors, and increased the transparency of business processes and the stability of their execution.

During the project, Avanpost specialists migrated all access management processes, the role matrix, and the approval processes for requests to grant and change access. One of the customer's key requirements was met throughout the upgrade: all historical data and the main system settings were preserved, with a guarantee of continuity for all current business processes. It should be emphasized that, as in all its other projects, Avanpost paid special attention to the convenience and efficiency of working with the system and, no less important, to simplifying control procedures for the authorized divisions (first of all, the Department of information technical protection).

An important part of the project was the implementation of entirely new access control mechanisms for Mosvodokanal's electronic document management system (EDMS), which is mandatory for all staff of the enterprise. The EDMS is complex (its security model has more than five different dimensions, covering both the role profile and direct access to objects) and multifaceted, with a special procedure for granting access. The access control regulations for this system provide for several large processes at once: initial connection to the EDMS, a special condition of which is that the user is entered into the Microsoft Active Directory directory service with additional approval; changes of access rights on employee transfers (also with additional approval); automated termination of access on dismissal; management of access delegation when an employee goes on vacation or sick leave; and so on.

The updated mechanism for initial connection to the EDMS is implemented as two blocks of electronic requests in the Avanpost Workflow 6 module. The first is automatic connection through an electronic request when a person is hired and has already been given access to Microsoft Active Directory. The second block, manual connection, can be used to connect employees who were not previously registered in AD; it serves as a fallback option. In each of these cases the electronic request must pass additional stages of approval and execution.

To reliably record and reflect staff changes in all information systems, a number of subsystems and processes were implemented during the project. The process of changing access rights on an employee transfer now triggers a mandatory check of the necessary conditions and the automatic creation of an electronic request to review access rights to the EDMS. Access rights can nevertheless also be changed (for example, additional rights can be requested) by creating an electronic request independently. Further, the system provides fully automatic disconnection of access on dismissal, which makes it possible to comply strictly with information security requirements and to control so-called "dead souls", and enables direct tool-based audit of the status of dismissed employees. Finally, the flexible tools built into Avanpost Workflow 6 for configuring access delegation business processes were put to use.

As Avanpost emphasized, unlike in other systems, delegation of authority in the EDMS is not a standard procedure and must be accompanied by additional processes within the EDMS. The capabilities of the Avanpost Workflow "business process designer" made it possible to implement this procedure fully in accordance with the customer's requirements.

To ensure the uninterrupted operation of Mosvodokanal throughout the project, Avanpost specialists applied a special implementation methodology. It included timely notification of employees about the forthcoming changes, preparation of full and short (covering basic functions) operation manuals for the updated system, and giving everyone advance demonstration access to a test environment where each employee of the customer could independently try a specific operation, for example submitting a request or printing a report.

"JSC Mosvodokanal is one of our oldest and most demanding customers," noted Andrey Konusov, the CEO of Avanpost. "In carrying out the upgrade of the IDM system of this large, socially important enterprise, we needed to take into account all the specifics of the work of all user groups, while applying the experience accumulated over years of use in this organization of the previous versions, Avanpost IDM 5 and 4. I will especially note the well-coordinated work on the design, development and debugging of the integration solution with representatives of JSC Mosvodokanal and the supplier of the EDMS; without their active participation the work simply would not have been so effective."

2018: Completion of implementation of the IDM and SSO systems

On September 11, 2018, Avanpost announced the completion of the implementation of the Avanpost IDM and Avanpost SSO systems at JSC Mosvodokanal.

On the basis of these software products, an end-to-end cybersecurity system that automates access control to the enterprise's information resources was created and put into operation at Mosvodokanal step by step. The department of information technical protection of JSC Mosvodokanal received a unified tool for centralized management of access rights, covering all users of the enterprise information system and the majority of its elements and subsystems.

Building of JSC Mosvodokanal. Photo: borlas.ru

Use of the resulting cybersecurity solution allowed the customer to reduce the time needed to grant access to the necessary information resources and to minimize the risks associated with employees holding excess access rights and with the accumulation in information systems of active accounts belonging to people who no longer work at the enterprise. Each such error is a vulnerability in the cybersecurity system.

This project allowed Mosvodokanal to solve this problem completely and to prevent it from recurring. The implementation of Avanpost IDM was methodologically sound: effective role models, processes and access approval regulations were developed. In particular, this made it possible to unify users and access rights within the project and to bring the processes of granting access to information systems to a uniform "template". Using standard interface modules (connectors), various infrastructure and application software was connected to the IDM system, which made it possible to fully automate and accelerate the approved reconfiguration of access rights at each personnel event (hiring, change of position, dismissal, vacation, illness, inclusion in temporary working groups, and many others) and to conduct audits of access rights. All this reduced and optimized the labor costs of IT and cybersecurity specialists.

The IT solutions integrated with IDM within this project included most of the customer's critical, backbone information system elements: the domain structure based on Microsoft Active Directory, the ERP system based on Oracle E-Business Suite (OEBS), and a number of business systems based on the 1C platform. The HR system that generates the flow of personnel events is 1C ZUP. The implementation of Avanpost SSO provided single authentication of users for the customer's key IT systems (including OEBS and 1C).

The following developments were applied in the cybersecurity solution created for JSC Mosvodokanal: support for SSO authentication in the Chrome and Firefox browsers, and joint use of the Avanpost IDM and SSO products, whose interaction gives a synergy effect and makes it possible to implement new methods of access control in the system. Along with ready-made connectors, the project also made wide use of SDK tools, with which about 10 information systems that are unique in terms of authorization were connected to IDM.

JSC Mosvodokanal actively works to raise its level of information security. The project helped the enterprise to provide control and transparency in access control, which in turn reduced the number of related incidents and raised the overall level of cybersecurity.

2017: Updating of Avanpost IDM to version 5.1

In 2017 Avanpost IDM was updated to version 5.1, which increased the efficiency and reliability of the system and laid the foundation for implementing a user self-service subsystem (which was then implemented in 2018).

2016: Development of the IDM solution and implementation of Avanpost SSO

In 2016 the functionality of the Avanpost IDM solution was substantially expanded: during this period role models, processes and regulations for granting employees access to information systems were developed, i.e. the methodologically sound implementation of IDM was completed. Additional direct systems were connected to IDM.

In 2016 Avanpost SSO was also implemented, and since then single authentication of users has been in operation in Mosvodokanal's information systems for key business systems, including OEBS and 1C.

2015: Avanpost IDM implementation start

In 2015 the implementation of Avanpost IDM began as the access management subsystem that is part of the end-to-end information security system of JSC Mosvodokanal. The main components of the system were installed and its integration with HR and other systems was carried out. The Avanpost IDM complex was then put into operation; the main objective of this period was monitoring of granted access rights, including in the context of personnel events.