Developers: Avanpost (Outpost)
First release of the system: 2004
Last release date: 2022/06/15
Technology: Information Security - Authentication
Main Article: Identity and Access Management - Definitions
Avanpost Access System is a line of technical tools used in the construction of a corporate identification and authentication system and a corporate public key infrastructure.
The Avanpost software suite allows you to build an integrated identity and access management (IAM) system that controls user access to various information resources on the basis of a public key infrastructure (PKI), using two-factor authentication and domestic (Russian) cryptography, and tied in real time to the organization's HR system. The modular, scalable architecture of the Avanpost suite allows the system to be deployed quickly in organizations of any scale with processes of any complexity, and to be maintained effectively at reasonable cost, which is especially significant in the current difficult economic situation.
2022
Automation of account lifecycle management and access rights in the management company "First"
On June 15, 2022, Avanpost, a Russian developer of identification and access control systems for information resources of the enterprise, completed a project to automate the life cycle management of accounts and access rights in JSC Management Company Pervoye. The solution, deployed on the basis of the Avanpost IDM software product, helped the company optimize the issuance of access rights to new employees and the formation of applications for access to the systems of the management company. Integration with Jira Service Desk is also set up within the project.
The main objectives of the project were to strengthen the enterprise's information security perimeter and to automate onboarding and the process of requesting, approving and executing access.
At the start of the project, the company's infrastructure contained a large number of internal systems, and integrating IDM with each of them would have required months of development work. It was for such systems that Jira Service Manager was integrated: employee access requests are automated and can be submitted through a single window.
The implementation of Avanpost IDM optimized two important business processes: a new employee starting work and the submission of an access request to the organization's systems. A basic account is now created automatically as soon as the employee's hiring is processed, so that on arriving at the office the person already has basic access and can start work immediately.
The changes also affected the control of access to the systems of the management company "First." All accesses are issued through the IDM self-service portal, where they are divided into systems and types.
As part of the project, the customer took over the design of the role model and the connection of the managed information systems. Full functional support of the system and its development is carried out by the specialists of the management company.
"The introduction of the Avanpost IDM system in the management company 'First' made it possible to achieve tangible results. On the one hand, the transparency and automation of activities for IT and information security departments of the customer has increased, on the other hand, the process of submitting an application for access and tracking the path of its execution for the user has been simplified. One of the important aspects of this process, in my opinion, is the high degree of involvement and competence of the customer's specialists, who close the issues of operation of the implemented solution and develop it both in terms of increasing the functionality and in terms of expanding the landscape of managed systems," comments Marina Dony, Deputy General Director for Project Work at Avanpost.
Ability to manage process and non-personalized accounts
On April 5, 2022, the company Avanpost, a Russian developer of systems for identifying and controlling access to enterprise information resources, announced an update of Avanpost IDM, its system for managing accounts and user access rights to the organization's corporate resources. The system now has the ability to manage technology and non-personalized accounts.
Technology accounts (TPS) are credentials that allow services to authenticate to other components of the enterprise IT infrastructure, for example to access a DBMS, or to call one information system from another via a web service. For TPS, Avanpost IDM implements the accounting of systems, accounts, and the administrators who have access to them. The update allows the password of a technology account to be changed under control when an administrator is dismissed or transferred elsewhere, and also helps, where necessary, to automate scheduled password changes for technology accounts.
A number of problems associated with the management of TPS in the enterprise pose a threat to information security. First, technology accounts have significant privileges, and their passwords are known both to the administrators of the systems that use the accounts and to the administrators of the systems that provide the service. Secondly, such accounts are quite often governed by a policy that disables password expiry. Thirdly, administrators can quit, while the technology account credentials they had access to remain unchanged. In addition, the company's IT landscape changes: for example, systems are decommissioned and the TPS created for them are "forgotten."
"To solve all these problems, you may need an automated process for managing the TPS, which, as a rule, does not exist at enterprises. The updated Avanpost IDM will be able to organize the necessary business processes. The system will allow you to control the processes of creating, controlling access and decommissioning the TPS, as well as help organize an audit of all access rights associated with them," said Alexander Makhnovsky, system architect of Avanpost IDM, Avanpost.
Non-personalized accounts are accounts that are not associated with specific individuals. This authorization method is often used by enterprises with high staff turnover or with many employees working in shifts: courier and warehouse services, freight companies, fast-food restaurants. Usually, employees only need a tablet or smartphone for their work, on which basic operations and navigation tools are available.
Rather than issuing personal devices and accounts, it is more convenient for a business to create a pool of accounts in advance that are assigned to employees at the beginning of a shift, which in turn creates a number of information security problems. Passwords for such accounts are either never changed or are the same for the entire pool. They may be known to every employee who has ever used or handed out such accounts. Anyone who knows the password of such an account can take the device and perform an action that violates the business process or privacy rules, and in that case it is almost impossible to establish the responsibility of a particular person.
"The updated version of Avanpost IDM provides for the accounting of non-personalized accounts with the definition of responsible persons. The system will allow you to compile a list of potential users and configure automatic password changes based on a schedule or other important events: for example, the dismissal of a responsible employee or his transfer to another job. Avanpost IDM also provides automation of password delivery and access control, rights audit. In general, the updated functionality of Avanpost IDM will allow companies to more effectively manage a large number of accounts and significantly increase the level of information security," said Alexander Makhnovsky.
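The two account classes described above can be modelled as a small policy engine. The following is an added illustration written for this page, not Avanpost IDM code: it keeps an inventory of technology accounts with their custodians (the administrators who know the password), flags the four risks named in the text (decommissioned owning system, departed custodian, password-never-expires policy, overdue scheduled rotation), and logs per-shift hand-outs of a non-personalized account so that a concrete person is accountable for a given moment. Account names, system names, dates and the 90-day rotation period are constructed sample values.

```python
"""Added example: policy checks for technology accounts and shared shift accounts.

Illustrative model only (not Avanpost IDM code). All names, dates and the
rotation period are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date, datetime


@dataclass
class TechAccount:
    """A technology account one system uses to authenticate to another."""
    name: str
    system: str                     # owning system; if it is decommissioned the account is "forgotten"
    custodians: set                 # administrators who know the password
    password_set_on: date
    password_expires: bool = True   # False models a password-never-expires policy


@dataclass
class Inventory:
    accounts: list
    active_systems: set
    active_admins: set
    rotation_period_days: int = 90  # constructed schedule


def rotation_reasons(inv: Inventory, today: date) -> dict:
    """Return {account name: [reasons]} for accounts that need a password
    change or decommissioning. Each reason corresponds to one risk from the text."""
    findings = {}
    for acc in inv.accounts:
        reasons = []
        if acc.system not in inv.active_systems:
            reasons.append("owning system decommissioned: disable forgotten account")
        gone = acc.custodians - inv.active_admins
        if gone:
            reasons.append("custodian no longer active: " + ", ".join(sorted(gone)))
        if not acc.password_expires:
            reasons.append("password expiry disabled by policy")
        age = (today - acc.password_set_on).days
        if age > inv.rotation_period_days:
            reasons.append(f"password age {age}d exceeds {inv.rotation_period_days}d schedule")
        if reasons:
            findings[acc.name] = reasons
    return findings


def custodian_offboarded(inv: Inventory, admin: str) -> list:
    """Dismissal/transfer event: drop the admin and list the accounts whose
    password must be rotated immediately because they knew it."""
    inv.active_admins.discard(admin)
    return sorted(a.name for a in inv.accounts if admin in a.custodians)


@dataclass
class SharedAccount:
    """Non-personalized account handed out per shift (e.g. a warehouse tablet login)."""
    name: str
    assignments: list = field(default_factory=list)   # [holder, start, end]


def check_out(acc: SharedAccount, employee: str, start: datetime) -> None:
    """Record who receives the shared account at the start of a shift."""
    acc.assignments.append([employee, start, None])


def check_in(acc: SharedAccount, end: datetime) -> str:
    """Close the current assignment. The password is rotated before the next
    hand-out so that former holders cannot reuse it."""
    acc.assignments[-1][2] = end
    return "rotate"


def holder_at(acc: SharedAccount, moment: datetime):
    """Who is accountable for actions performed under the account at `moment`."""
    for employee, start, end in acc.assignments:
        if start <= moment and (end is None or moment < end):
            return employee
    return None


SAMPLE_TODAY = date(2022, 4, 5)   # constructed


def build_sample_inventory() -> Inventory:
    """Constructed sample data: one overdue, one orphaned, one never-expiring account."""
    return Inventory(
        accounts=[
            TechAccount("svc_erp_db", "ERP", {"ivanov", "petrov"}, date(2022, 1, 1)),
            TechAccount("svc_old_crm", "CRM", {"sidorov"}, date(2022, 3, 1)),
            TechAccount("svc_web_api", "Portal", {"sidorov"}, date(2022, 3, 20), password_expires=False),
        ],
        active_systems={"ERP", "Portal"},          # CRM has been decommissioned
        active_admins={"ivanov", "petrov", "sidorov"},
    )


if __name__ == "__main__":
    inv = build_sample_inventory()
    for name, reasons in rotation_reasons(inv, SAMPLE_TODAY).items():
        print(name, "->", reasons)
    print("petrov leaves; rotate now:", custodian_offboarded(inv, "petrov"))
```

Running the block on the constructed inventory flags all three accounts, each for a different reason; after `custodian_offboarded` the ERP account picks up a second reason, which is exactly the case the text describes (an administrator leaves while the credential stays unchanged).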
Red OS Compatibility
On January 20, 2022, the domestic developers RED SOFTWARE and Avanpost ("Outpost") confirmed, on the basis of successfully completed tests, the compatibility of the Avanpost IDM system with the RED OS operating system.
"Information security is a central issue in building any IT infrastructure. Guided by this, we are developing the RED OS ecosystem, including more and more information security solutions. The symbiosis of Avanpost IDM and RED OS meets the needs of our customers. The solution can reduce the number of errors caused by the 'human factor,' which provides the user with a higher level of security when working in the RED OS operating system environment," commented Rustamov Rustam, Deputy General Director of RED SOFT.
"The RED OS operating system is used in state organizations, including law enforcement agencies. Therefore, for the company Avanpost, cooperation with RED SOFT and technical compatibility of our products are a significant milestone of strategic development in the public sector. In the future, we plan to continue similar work for our other products in order to provide a comprehensive solution to issues of managing access to information resources based on the domestic RED OS operating system," said Oleg Gubka, Deputy General Director for Development.
2021
Certification for compliance with security requirements in the Republic of Kazakhstan
On September 30, 2021, the company Avanpost announced the certification of its flagship product, Avanpost IDM, for compliance with the security requirements of the Republic of Kazakhstan. Obtaining the certificate will allow the company to implement the system in more government organizations of the country.
The successful passing of certification tests confirms that the Avanpost IDM software meets all security requirements established in the State Standard of the Republic of Kazakhstan ST RK ISO/IEC 15408-3-2017 "Information Technologies. Methods and means of safety assurance. Information Technology Security Assessment Criteria."
The company Outpost was among the founders of the IDM market in the CIS, offering a Russian system for managing the access rights of corporate users back in 2012.
Due to the strengthening of security requirements for information protection tools for the implementation of projects in state and commercial organizations of the Republic of Kazakhstan, a certificate of compliance with regulatory requirements is increasingly required, therefore, a decision was made to pass certification. In addition, the presence of a certificate makes it possible to get into the National Register of Trusted Software.
Significant assistance in obtaining a certificate for Avanpost IDM software was provided by PACIFICA LLP, one of the integrators of information security systems in Kazakhstan and the CIS countries. The Company assisted in the preparation of all the documents necessary for certification, and also participated in the support of certification work through cooperation with the accredited conformity confirmation body and the testing laboratory.
"The company Outpost has been present on the Kazakhstan market for about 10 years and constantly strengthens its position on it. First of all, thanks to the ongoing development of its products, in particular Avanpost IDM. As of September 2021, it is already used in large companies and organizations of Kazakhstan. Thanks to the received certificate, their number will become even higher. Customers can be sure that the solution fully complies with the regulatory requirements in the field of information security in force in the Republic of Kazakhstan," said Oleg Gubka, Development Director of Avanpost.
Certification according to the latest FSTEC requirements
On March 11, 2021, the company Avanpost announced the certification of the current version of one of its flagship products, Avanpost IDM 6, according to the latest requirements of the FSTEC of Russia. Now, in addition to state information systems (GIS) and personal data information systems (ISDS), Avanpost IDM can be applied in areas such as critical facility protection (CSR) and critical information infrastructure (CII), including APCS subsystems.
The procedure for obtaining the updated certificate has become much more complicated, primarily because the product must meet the requirements for confidence levels established by the Order of the FSTEC of Russia No. 76 of June 2, 2020. The developer now has to perform additional large-scale work on comprehensive testing and preparation of documentation, including a detailed description of the product, the protective measures used, the design and secure development processes, testing (including for vulnerabilities), elimination of shortcomings, updates, etc.
"Of course, IDM is an integral part of any serious information security system," says Andrey Konusov, CEO of Avanpost. "Therefore, it is understandable that the state imposes increasingly stringent requirements on the quality of such systems, the methodology of creation and testing, and specifies clear and transparent certification rules. I believe that this is an undoubted plus for a responsible information security vendor: the need to comply with a high level of control makes development better and, at the same time, makes it possible for the public sector to include properly verified solutions in any, even critically significant ICs without fear."
Ability to manage access rights based on a comprehensive risk assessment model
Avanpost, a Russian developer of enterprise identification and access control systems (IDM), has implemented risk-based access management tools of the IGA (Identity Governance and Administration) class in its flagship product, Avanpost IDM. The company announced this on February 25, 2021. Within this model, a certain level of risk is associated with each access right (permissions and roles in the target system), depending on the capabilities it provides and its criticality for the business. Account and user metrics are calculated on the basis of the risk model, and the identified risks are compensated by a variety of measures. The full implementation of a risk-oriented model is new for the domestic market, even though this functionality is increasingly in demand among organizations seeking to manage their business on the basis of data.
Various scenarios can be used as compensatory measures: escalation of requests, limitation of access time, planned revision of critical permissions, strengthening of policies applied to the account, and many others. In fact, this functionality makes the product interesting not only for traditional customers of IdM/IGA solutions - IT and information security, but also for departments responsible for internal compliance and risk management.
The developer noted that the risk assessment model is individual in nature and depends on the use cases for which it is intended. At the same time, there is a universal set of basic parameters to which attention should be paid first. Avanpost specialists include among them:
- possession of access rights (the basic variable showing the level of privilege in the system; it is the basis for scoring);
- combination of rights (the assessment of individual risks may be low, but their combination in one person may be significantly higher than their simple sum);
- method of obtaining the right (a right obtained through the role model carries fewer risks than one obtained by an additional request or outside IDM);
- non-use of the account ("forgotten" accounts are significantly more susceptible to compromise);
- user status (for example, long-term leave increases the risk of compromise of the user's account);
- user location (the risk of malicious use of privileges by users working remotely is significantly higher than for office workers);
- user type (an external contractor with a critical set of privileges carries additional risk).
As a result, such a model makes it possible to identify complex risks accurately and in good time and to respond to them, above all the risk of account compromise and the risk of malicious user behavior. Accordingly, the system can estimate the level of potential damage an attacker who takes over a single account could cause, as well as the harm a person holding the entire set of accounts could cause.
An important aspect of the implementation in Avanpost IDM, and the main difference from Western solutions, is that there is no need to develop a full-fledged risk assessment model and approve compensation procedures before using the function and gaining practical benefit. At the first stage, it is enough to assess the most critical permissions: this immediately identifies the list of privileged accounts and their owners, and adding a simple process for certifying the permissions of privileged accounts reduces the accumulation of access that is especially common among IT specialists.
"The risk assessment and management function in IDM is not as complex as many system owners still imagine," says Andrey Konusov, CEO of Avanpost. "Our solution will help not only identify, but also take control of privileged accounts, where most of the threats to the information security of any enterprise are concentrated. During the coronavirus pandemic, this is especially true, because many employees with extended access rights to the corporate information system work remotely, including from their personal devices."
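To make the parameters listed above concrete, here is an added scoring example written for this page; it is not Avanpost's algorithm and the weights are invented. It scores each account from the privilege level of its rights, the way each right was obtained, dormancy and toxic combinations, then aggregates per user with multipliers for status, location and user type, so that the same person gets two numbers: the damage a single compromised account could do and the damage the whole set of accounts could do (including SoD combinations that only appear when accounts are viewed together). It finishes by deriving the compensating scenarios the text names. Right names, factors, thresholds and the sample user are constructed.

```python
"""Added example: risk-based access scoring for accounts and users.

Not Avanpost IDM code. Weights, right names, factors and sample data are
constructed to illustrate the parameters described in the text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Base risk of a right = privilege level it gives in the target system (constructed).
RIGHT_RISK = {
    "AD:Domain Admins": 10,
    "SAP:FI_POST_PAYMENTS": 6,
    "SAP:FI_APPROVE_PAYMENTS": 6,
    "AD:VPN Users": 1,
    "ERP:READ_REPORTS": 1,
}
# Combinations that are riskier than the sum of their parts (classic SoD pair).
TOXIC_COMBOS = {frozenset({"SAP:FI_POST_PAYMENTS", "SAP:FI_APPROVE_PAYMENTS"}): 8}
# How the right was obtained: role model < individual request < outside IDM.
GRANT_FACTOR = {"role": 1.0, "request": 1.3, "outside_idm": 1.6}
# User-level multipliers for status, location and type.
USER_FACTOR = {("status", "long_leave"): 1.5, ("location", "remote"): 1.3, ("user_type", "contractor"): 1.4}
DORMANT_DAYS = 90


@dataclass
class Grant:
    right: str
    via: str            # one of GRANT_FACTOR


@dataclass
class Account:
    login: str
    system: str
    grants: list
    last_login: Optional[date]


@dataclass
class User:
    name: str
    user_type: str      # employee | contractor
    status: str         # active | long_leave
    location: str       # office | remote
    accounts: list


def toxic_bonus(rights: set) -> float:
    return sum(bonus for combo, bonus in TOXIC_COMBOS.items() if combo <= rights)


def is_dormant(acc: Account, today: date) -> bool:
    return acc.last_login is None or (today - acc.last_login).days > DORMANT_DAYS


def account_risk(acc: Account, today: date) -> float:
    """Potential damage if this single account is taken over by an attacker."""
    score = sum(RIGHT_RISK.get(g.right, 0) * GRANT_FACTOR[g.via] for g in acc.grants)
    score += toxic_bonus({g.right for g in acc.grants})
    if is_dormant(acc, today):          # "forgotten" accounts are compromised more easily
        score *= 1.5
    return score


def user_risk(user: User, today: date) -> float:
    """Damage the person could do with all accounts together, counting toxic
    combinations that are spread across several accounts."""
    all_rights = {g.right for a in user.accounts for g in a.grants}
    within = sum(toxic_bonus({g.right for g in a.grants}) for a in user.accounts)
    score = sum(account_risk(a, today) for a in user.accounts) + (toxic_bonus(all_rights) - within)
    for attr in ("status", "location", "user_type"):
        score *= USER_FACTOR.get((attr, getattr(user, attr)), 1.0)
    return round(score, 1)


def compensating_measures(user: User, today: date, threshold: float = 30.0) -> list:
    """Map the drivers of the score to the compensating scenarios named in the text."""
    measures = []
    for acc in user.accounts:
        if is_dormant(acc, today):
            measures.append(f"certify or disable dormant account {acc.login}@{acc.system}")
        for g in acc.grants:
            if g.via == "outside_idm":
                measures.append(f"reconcile {g.right} on {acc.login}@{acc.system}: granted outside IDM")
    all_rights = {g.right for a in user.accounts for g in a.grants}
    for combo in TOXIC_COMBOS:
        if combo <= all_rights:
            measures.append("SoD conflict: " + " + ".join(sorted(combo)) + " -> schedule revision")
    if user_risk(user, today) >= threshold:
        measures.append("escalate new requests and time-limit privileged access")
    return measures


SAMPLE_TODAY = date(2021, 2, 25)   # constructed


def build_sample_user() -> User:
    """Constructed remote employee: one right granted outside IDM, one dormant
    SAP account, and an SoD pair split across two SAP accounts."""
    return User("a.petrov", "employee", "active", "remote", [
        Account("petrov", "AD", [Grant("AD:VPN Users", "role"), Grant("AD:Domain Admins", "outside_idm")], date(2021, 2, 24)),
        Account("PETROV", "SAP", [Grant("SAP:FI_POST_PAYMENTS", "role")], date(2020, 10, 1)),
        Account("petrov_adm", "SAP", [Grant("SAP:FI_APPROVE_PAYMENTS", "request")], date(2021, 2, 20)),
    ])


if __name__ == "__main__":
    u = build_sample_user()
    for a in u.accounts:
        print(f"{a.login}@{a.system}: {account_risk(a, SAMPLE_TODAY):.1f}")
    print("user total:", user_risk(u, SAMPLE_TODAY))
    print(*compensating_measures(u, SAMPLE_TODAY), sep="\n")
```

Note that neither SAP account is alarming on its own; the SoD bonus only appears in `user_risk`, which is the distinction the text draws between a compromised account and the full set a person holds.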
2020: Certification for compliance with SAP integration standards
Avanpost, a Russian developer of enterprise identification and access control systems (IDM), announced on October 27, 2020 that it had passed certification and that its Avanpost IDM product had been assigned the status of a certified SAP integration solution. This international certificate confirms the correct operation of Avanpost IDM as part of complex solutions based on SAP ERP and its compliance with SAP integration standards.
The source clarified that now Outpost has become the only domestic developer of IDM-class systems whose integration capabilities with SAP are officially confirmed by the manufacturer's certificate. At the same time, Avanpost products are a Russian development, and, therefore, fully comply with the requirements of import substitution. This combination gives Outpost significant competitive advantages both in the government ordering market and in the corporate sector.
The obtained certificate allows integration work with SAP to be carried out at various levels, including deep configuration of the interaction between the IDM and ERP systems to create a fully functional and secure solution. The source noted that since many processes in SAP are organized according to strict regulations, any changes or potential external control effects on SAP systems often alarm customers. That is why influence on the system by products whose correctness is not confirmed by SAP is often considered potentially dangerous or unacceptable, and in some companies their use is prohibited outright. The certificate allows Outpost to implement solutions even in organizations where the security requirements for installed software are especially strict and only proven products are allowed.
The source added that the integration solution developed by Outpost uses only standard SAP capabilities and does not require additional components to be installed in the system, which greatly simplifies integration and support.
"I am sure that our obtaining an SAP certificate is an event that is significant not only for our company, but also for the entire market," says Andrey Konusov, CEO of Avanpost. "Of course, this will open up opportunities for our customers to improve the security of their information systems. But, perhaps, it is even more important that the solution created by the Russian developer is essentially tested for compliance with the highest international standards adopted in the industry. And this suggests that we are ready for import substitution not in words, but in deeds."
2019
Avanpost IDM 6.5
On November 20, 2019, Outpost announced the release of an updated version of its flagship software product Avanpost IDM 6.5, which meets the modern and promising needs of organizations with a high level of maturity of access control processes. Using the tools introduced in this release, any organization can move to more correct and effective access management practices, increase the involvement of business units in role model management, and align role descriptions with the underlying international standards applied in business software and in IDM and IGA class solutions. According to the developer, Avanpost IDM 6.5 is of interest to any customer, regardless of the direction and scale of activity. At the same time, customers have the opportunity to significantly improve the quality and organization of access control processes in many areas at once, to draw up and implement the most convenient roadmap for such improvements.
As noted by Outpost, the main difference in Avanpost IDM 6.5 is the transition to a multi-level hierarchical role model. The previously used single-level (flat) model had a number of advantages while Russian companies were gaining their first experience with IDM and IGA: it simplified IDM implementation and made it possible to automate most of the work of building a role model from the access rights actually present in the organization. However, the flat model inevitably led to an overly tight binding of roles to specific software and the access control mechanisms built into it, reducing a role of any level (business, organizational, functional, etc.) to a set of permissions in particular elements of the information system (for example, MS AD groups or SAP roles) that allow certain actions. The lack of a direct connection to business terminology made such roles incomprehensible and inconvenient for business units, limited their involvement in access control processes, hampered access certification and initial reconciliation, and did not allow the role model to be raised to the business level. In addition, the single-level organization of the role model led to duplication of permissions across roles and related rules (for example, SoD conflict prevention rules). Any change in the IT infrastructure required adjustments to many roles (often tens, sometimes hundreds), which made keeping the role model up to date more time-consuming.
In Avanpost IDM 6.5, the role model has become a tiered model with no limit on the number of layers. Avanpost recommends designing at least two levels: a base level of IT roles, and business roles of various types (functional, project, organizational). The latter essentially form a hierarchical dictionary of rules for employees' access to particular functions of the organization's information systems, which, unlike in the flat model, are defined abstractly, that is, without reference to specific software and the access control mechanisms built into it. In different departments of the organization and at different stages of information infrastructure development, the same abstract description can be implemented using different software. The association of abstract roles with specific software is set in the base layer of the multi-level role model and does not go beyond it.
According to the developer, this gives great advantages. Firstly, the descriptions of roles and rules in the upper level are understandable to business unit employees, which allows them not only to fully participate in access control processes but also to independently manage the business layer of the role model. Secondly, the upper levels of the role model change only when business requirements change and remain unchanged when one piece of software is replaced by another. Such a replacement (and other changes at the information system level) usually requires adjusting only the base layer of the multi-level model, which IT or information security staff handle on their own. In other words, the transition to a multi-level model redistributes responsibility for access control and aligns it with the tasks that different categories of employees actually perform. Thirdly, the role inheritance mechanism implemented in Avanpost IDM 6.5 makes it possible to create role models of any nesting depth, eliminating duplication of descriptions and the problems associated with it. The multi-level role model allows Avanpost IDM 6.5 to implement fully transparent processes for the initial reconciliation and certification of user access rights, cover a wider set of access control scenarios, increase the level of automation and engage users in these processes.
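The separation of layers described above can be shown in a few dozen lines. The following is an added example written for this page, not Avanpost IDM code: business roles are defined only in terms of other roles, IT roles in the base layer are the only place where concrete objects such as AD groups or SAP roles appear, permissions are resolved through inheritance of any depth, an SoD rule is expressed once at the business level, and replacing the directory platform touches only one binding in the base layer while the business roles stay byte-for-byte identical. All role, group and system names are constructed.

```python
"""Added example: a multi-level role model with inheritance.

Illustrative model only (not Avanpost IDM code). Role, system and
permission names are constructed.
"""
from collections import deque


class RoleModel:
    def __init__(self):
        self.includes = {}    # role -> set of roles it includes (any depth of nesting)
        self.bindings = {}    # base layer: IT role -> concrete permissions ("AD:<group>", "SAP:<role>")
        self.sod_rules = []   # business-level pairs of roles that must not be held together

    def add_role(self, role, includes=()):
        """Business/organizational layer: a role is described only through other roles."""
        self.includes.setdefault(role, set()).update(includes)
        for child in includes:
            self.includes.setdefault(child, set())

    def bind(self, it_role, permissions):
        """Base layer: the only place where concrete access-control objects appear."""
        self.bindings[it_role] = set(permissions)

    def add_sod_rule(self, role_a, role_b):
        self.sod_rules.append((role_a, role_b))

    def expand(self, roles):
        """Every role reachable through inheritance, cycle-safe."""
        seen, queue = set(), deque(roles)
        while queue:
            role = queue.popleft()
            if role in seen:
                continue
            seen.add(role)
            queue.extend(self.includes.get(role, ()))
        return seen

    def effective_permissions(self, roles):
        """Concrete permissions a holder of `roles` ends up with in the target systems."""
        return set().union(*(self.bindings.get(r, set()) for r in self.expand(roles)))

    def sod_conflicts(self, roles):
        """SoD is checked once, on the expanded business roles, not per permission."""
        held = self.expand(roles)
        return [(a, b) for a, b in self.sod_rules if a in held and b in held]

    def roles_granting(self, permission):
        """Audit helper: which roles, at any level, ultimately confer a concrete permission."""
        return sorted(r for r in self.includes if permission in self.effective_permissions({r}))


def build_sample_model() -> RoleModel:
    """Constructed two-layer model: business roles on top, IT roles bound to AD/SAP objects below."""
    m = RoleModel()
    # Base layer.
    m.bind("IT:Directory-User", {"AD:Domain Users", "AD:VPN Users"})
    m.bind("IT:Portal-Reader", {"Portal:readers"})
    m.bind("IT:SAP-Accountant", {"SAP:Z_FI_POST"})
    m.bind("IT:SAP-Controller", {"SAP:Z_FI_APPROVE"})
    # Business layer: no AD or SAP identifiers appear here.
    m.add_role("BR:Employee", {"IT:Directory-User", "IT:Portal-Reader"})
    m.add_role("BR:Accountant", {"BR:Employee", "IT:SAP-Accountant"})
    m.add_role("BR:Finance-Controller", {"BR:Employee", "IT:SAP-Controller"})
    m.add_role("ORG:Finance-Dept-Head", {"BR:Finance-Controller"})
    m.add_sod_rule("BR:Accountant", "BR:Finance-Controller")
    return m


def replace_directory_platform(m: RoleModel) -> None:
    """Simulated migration of the directory service: one base-layer binding changes,
    the business layer is untouched."""
    m.bind("IT:Directory-User", {"FreeIPA:ipausers", "FreeIPA:vpn"})


if __name__ == "__main__":
    m = build_sample_model()
    print(sorted(m.effective_permissions({"BR:Accountant"})))
    print(m.sod_conflicts({"BR:Accountant", "ORG:Finance-Dept-Head"}))
    replace_directory_platform(m)
    print(sorted(m.effective_permissions({"BR:Accountant"})))
```

The SoD rule is written once, against two business roles, and still fires when one of them arrives indirectly through an organizational role, which is the duplication problem of the flat model the text describes.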
According to the developer, Avanpost IDM 6.5 has added a resource publishing mechanism that allows the IDM system to manage rights to objects that users themselves create and control. Authorization models such as ACLs and contextual roles can be used. This makes it possible for customers to fully control access to a variety of resources: projects (in project management systems), SharePoint sites, reports (for example, in BI systems), shared folders and shared spaces (in teamwork systems), and many others. The resource publishing mechanism eliminates gaps and delays in access control for such resources. Using it, a manager who creates a project or other resource can immediately publish it to the IDM system, become its owner and request the necessary access rights for team members. In turn, IDM immediately takes control of the access rights to this resource and applies all the necessary processes to them (for example, coordinating the request with certain officials and, later on, certification procedures), as well as the basic automation mechanisms (for example, revoking rights upon dismissal of an employee).
The resource publishing mechanism relies on access object rights that exist in Avanpost IDM 6.5 along with rights that grant global information system level authority. All this, according to the developer, expands the control area from the IDM solution, allows you to increase the accuracy of rights management and effectively counteract a wider set of risks.
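The object-level rights described in the two paragraphs above differ from global system-level rights in that each published resource carries its own ACL. The following is an added example written for this page, not Avanpost IDM code: an owner publishes a resource, requests rights for team members, the request is held until the required approvers (the owner, plus an official for write/manage rights, a constructed rule) have signed off, and offboarding a user revokes that user's entries on every published object and drops their pending requests. Resource kinds, names and the approval rule are constructed.

```python
"""Added example: object-level rights for user-published resources.

Illustrative model only (not Avanpost IDM code). Resource kinds, names and
the two-approver rule are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    rid: str
    kind: str                 # "project", "site", "folder", ...
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions on this object


class ResourceRegistry:
    """IDM side of the publishing mechanism: owners publish objects and request
    rights for their team; IDM runs approval and offboarding on those rights."""

    def __init__(self, officials):
        self.officials = set(officials)   # must co-approve write/manage rights (constructed rule)
        self.resources = {}
        self.pending = []

    def publish(self, rid, kind, owner):
        """The creator becomes owner with full rights on the object and nothing else."""
        res = Resource(rid, kind, owner, {owner: {"read", "write", "manage"}})
        self.resources[rid] = res
        return res

    def request(self, rid, requester, user, perms):
        """Only a holder of 'manage' on the object may request rights for others."""
        res = self.resources[rid]
        if "manage" not in res.acl.get(requester, set()):
            raise PermissionError(f"{requester} may not request rights on {rid}")
        needs = {"owner"}
        if {"write", "manage"} & set(perms):
            needs.add("official")
        req = {"rid": rid, "user": user, "perms": set(perms), "needs": needs, "approved": set()}
        self.pending.append(req)
        return req

    def approve(self, req, approver):
        """Record one approval; apply the ACL change only once all required parties agreed."""
        res = self.resources[req["rid"]]
        if approver == res.owner:
            req["approved"].add("owner")
        elif approver in self.officials:
            req["approved"].add("official")
        else:
            raise PermissionError(f"{approver} is not an approver for {req['rid']}")
        if req["needs"] <= req["approved"]:
            res.acl.setdefault(req["user"], set()).update(req["perms"])
            self.pending.remove(req)
            return True
        return False

    def has(self, rid, user, perm):
        return perm in self.resources[rid].acl.get(user, set())

    def offboard(self, user):
        """Dismissal: revoke the user's object-level rights everywhere, drop pending requests."""
        revoked = sorted(rid for rid, res in self.resources.items() if res.acl.pop(user, None) is not None)
        self.pending = [r for r in self.pending if r["user"] != user]
        return revoked


if __name__ == "__main__":
    reg = ResourceRegistry(officials={"cio"})
    reg.publish("proj-42", "project", "lead")
    req = reg.request("proj-42", "lead", "dev2", {"read", "write"})
    print("owner approved, applied:", reg.approve(req, "lead"))
    print("official approved, applied:", reg.approve(req, "cio"))
    print("revoked on offboarding:", reg.offboard("dev2"))
```

Because the ACL lives on the object, the registry can answer "who has write on proj-42" and "what does dev2 still hold" without consulting any system-level role, which is the gap the publishing mechanism is meant to close.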
The presented version of Avanpost IDM has a number of technical changes and improvements that, according to the developer, increase the convenience of implementing, using and maintaining an IDM solution. The main ones are:
- The user interface has been improved, and tools have been introduced for integrators to customize the appearance of the IDM system and bring it into line with specific customer requirements, including branding. In Avanpost IDM, you can create menus for different groups of users, assign the actions available to process participants (including their appearance and behavior), and set many other settings.
- A large-scale change was the redesign of the self-service module. All users of the IDM solution interact directly with this module, so its improvements have a tangible effect.
- Noticeable changes occurred in the user interface. Its appearance, convenience and responsiveness are aligned with current approaches to designing web interfaces and with the increased requirements of customers. The style chosen by the Avanpost IDM 6.5 developers is based on the proven principles of Material Design, and carefully selected ready-made components are used to implement it. The use of a ready-made design system and framework not only accelerated development, but also expanded the possibilities of customization and branding.
- Improved process designer and testing mechanism. In this version, when a process description is saved, not only the completeness of the settings of each stage is checked automatically, but also all relationships, expressions in conditions, and input and output variables.
- Support for functions in the Python programming language was added, which makes it possible to replace time-consuming programming (for example, to implement a business process that accesses an external service) with writing simple scripts right in the user interface of the administrator console. It has become easier to modify processes, even without stopping the service. In addition, all types of scripts available in Avanpost IDM 6.5 have been translated into Python.
Alt 8 SP compatibility
On October 29, 2019, it became known that BASEALT and Outpost had officially announced the successful completion of compatibility testing of the latest versions of their products: the certified Alt 8 SP operating system and Avanpost IDM 6.0, the centralized access control system for enterprise information resources, application and infrastructure software.
The full compatibility and correct joint operation of these software products has been confirmed, which allows the Avanpost IDM 6.0 centralized access control system for enterprise resources to be recommended for operation in the Alt 8 SP operating system on the x86_64 hardware platform.
The compatibility of Alt OS and Avanpost IDM will be maintained in the future, since all previously performed tests will be repeated when the next versions of both companies' software are prepared. The seamless joint operation of Avanpost and BASEALT software products will reduce customer costs for the implementation, operation and development of modern information systems with high information security requirements, and will also allow them, using the functions of classic IDM and IGA, to automate all processes related to access management and control while relying on import-independent software.
Support for multilingualism
On September 3, 2019, it became known that the company Avanpost, a Russian developer of identification and access control systems (IDM) for enterprise information resources, had built a universal localization mechanism into the latest versions of its Avanpost IDM and Avanpost Web SSO software products, which made their user interfaces multilingual. This software now fully meets the current and future needs of Russian organizations operating in the countries of the near and far abroad. In addition, this project has become an important stage in the implementation of the company's export program.
Avanpost IDM and Avanpost Web SSO became the first Russian software products in their field that support multilingualism and have ready-made English-language localization. At the same time, the localization mechanism is implemented not in a custom version, but in a product for a wide market, which guarantees high-quality support and development that is not limited in time.
The Avanpost IDM and Avanpost Web SSO localization mechanism allows you to connect additional languages by simply adding dictionaries to the system. At the same time, each user can choose the most convenient user interface language for himself from among the installed ones, since the simultaneous use of multilingual interfaces is the standard mode of operation of both software products.
As of September 2019, the products ship with support for the Russian and English languages, which covers almost all requests from Outpost customers, including organizations of national scale in neighboring countries. Dictionaries will be added as market demand arises, as well as at the request of large customers.
2018
Avanpost IDM 6.0 Release
On June 27, 2018, the Outpost company announced the release of the next stage release of its flagship product - Avanpost IDM 6.0.
"This version was released 6 months ahead of schedule, which is due to the need to support customers preparing to launch large projects related to the transition to independent software, digital transformation of organizations and the implementation of elements of the digital economy, as well as the development of enterprise management systems," explained the company Avanpost.
Linux: support for PostgreSQL DBMS and porting business logic
The Linux version of Avanpost IDM 6.0 can use the high-performance PostgreSQL/Postgres Pro DBMS alongside the proprietary Microsoft and Oracle DBMSs. The system can also be installed on high-load and disaster-tolerant Postgres Pro configurations, which is useful when the IDM system operates as a critical information system of a large organization.
On the PostgreSQL DBMS, not only the basic functions of Avanpost IDM are implemented, but also the entire set of role model management tools that provide methodically correct implementation and maintenance of IDM solutions, as well as auditing of access rights.
Moving the business logic to Linux was also painless. For several years Avanpost had been preparing to port the IDM system to other platforms (OS, DBMS, frameworks). In particular, when preparing Avanpost IDM 5.0, the IDM kernel was completely redesigned to reduce its dependence on specific platforms and frameworks, and all business logic became platform-independent.
Replacing the Workflow engine
The most difficult task arose from the need to replace the business process engine. In the Windows version of Avanpost IDM, the creation of requests of various kinds and adherence to their processing procedures is controlled by the Avanpost Workflow subsystem, built on the Windows Workflow Foundation (WWF) component of the .NET Framework. .NET Core (the open-source edition of the .NET Framework) did not include the WWF library or a number of other important enterprise development tools, so they had to be replaced. Abandoning WWF was particularly difficult because the library is poorly documented and is designed in a way that does not allow the business logic to be separated from it, so the code of the process engine was completely dependent on WWF.
After analyzing almost all actively developed open-source business process management systems, Avanpost specialists chose Workflow Core, which has sufficient functionality, is acceptably documented, is supported by an active developer community and is distributed under the MIT license, which fits well with the Avanpost business model.
Existing process diagrams have to be translated for the new engine. Therefore, until debugging of the process diagram translator and of the automatic migration technology as a whole is completed, the company does not recommend migrating from version 5.8 to 6.0. Organizations implementing Avanpost IDM for the first time are better off choosing version 6.0 straight away.
Interface modules (connectors)
The Linux version of Avanpost IDM 6.0 also solved another practically important problem: the use of platform-dependent interface modules (connectors) between the IDM system and the various managed systems of the infrastructure and application layers (MS AD directory services, DBMSs, EDMS, portal solutions, etc.). Such connectors rely on tools that cannot be ported to Linux: COM objects, the MFC library, or PowerShell script libraries, which are not directly supported on .NET Core.
So that customers can use all these connectors with a Linux installation, Avanpost IDM 6.0 introduced a separate connector server that can run on a dedicated Windows machine and hosts the platform-dependent connectors there. This made it possible to inherit the entire fleet of connectors without changing them and to avoid a large amount of work on removing the connectors' platform dependence and thoroughly testing their platform-independent versions.
Platform-independent connectors can be used without any difficulty whether Avanpost IDM 6.0 runs on Windows or on Linux.
Changing the IDM Core Architecture
The kernel redesign for Avanpost IDM 5.0 was aimed not only at making the business logic platform-independent. The kernel architecture was also completely changed and became microservice-based. This change was made mainly in anticipation of the growing popularity of the SaaS model in the corporate environment.
However, maintaining a microservice architecture would inevitably create growing problems as IGA functions are added in a series of minor versions of Avanpost IDM (6.1, 6.2, 6.3, ...). As the developers explained, to avoid this the kernel architecture was significantly changed again in Avanpost IDM 6.0: a number of services (synchronization with trusted sources, preparation and editing of personnel data) were integrated into the kernel, and other services were merged or enlarged. As a result, the business logic of the whole product became more transparent, and debugging, administration and incident detection became simpler. Most importantly, Avanpost IDM is now fully ready for the implementation of a large set of IGA functions.
Transition to Agile techniques
Avanpost began introducing agile methods in 2015. But Avanpost IDM 6.0 became the first major version of the key software product whose entire development and life cycle is fully managed with agile, the company noted.
The transition to agile in product development, together with the parallel introduction of continuous integration (from build to deployment and commissioning) and automated testing, accelerated the release of Avanpost IDM 6.0 and also made it possible to build market feedback and rapid response to new user needs into the product life cycle (LC).
Avanpost product teams work according to an agile method close to FDD (feature-driven development). Scrum will be used when preparing intermediate versions of Avanpost IDM, since this agile technique is better suited than others to adding functions to software with a mature and stable system architecture and domain model. The company will return to FDD when creating milestone releases of Avanpost IDM and other products.
Alternating FDD and Scrum over the product life cycle is expected to optimize development costs: FDD is more expensive than Scrum (because of its analytical stages), so using Scrum over long segments of the software product's life cycle will reduce the cost of its development.
Avanpost IDM 5.8 Release
Avanpost, the Russian developer of identity and access management (IDM) systems for enterprise information resources, released the next version of its flagship product for monitoring and managing accounts and access to corporate resources, Avanpost IDM 5.8, on April 12, 2018. The main changes and innovations of this version aim to reduce labor costs during implementation and maintenance of the product. In addition, Avanpost IDM 5.8 adds features related to role model management and to the ease of use of the IDM solution in large organizations.
According to the developers, the combined innovations have reduced the labor costs of initial deployment and maintenance of the IDM system. For example, training of specialists from integrator companies in March 2018 showed that a qualified engineer previously unfamiliar with Avanpost products needs less than half the time to install, deploy and launch Avanpost IDM 5.8 compared with version 5.7 (for example, in a non-fault-tolerant configuration, 3 hours instead of 6-7). Fewer resources are also needed to analyze and resolve typical incidents. Analysis of incidents related to synchronization of data from personnel sources, as well as of the interaction between the IDM solution and managed systems, has also been simplified, the company said.
When preparing version 5.8, Avanpost engineers collected and analyzed the requirements of technical specialists and architects of integrator companies implementing the product, as well as of analysts and support specialists of customer companies that actively use and extend solutions based on Avanpost IDM. The experience of the company's own customer support service was also summarized. This approach made it possible, when working on Avanpost IDM 5.8, to concentrate on the expected innovations related to three main tasks:
- significantly simplify initial deployment and configuration of processes;
- increase the transparency of the responses of the IDM solution and the many systems it manages to personnel events;
- create tools that automate the handling of common errors that generate waves of incidents (for example, when a managed system is unavailable).
In Avanpost IDM version 5.8:
- The configuration management of all components of the IDM solution has been dramatically simplified. The configurations of all functional subsystems and plug-ins (connectors, auxiliary business process libraries) are now combined and built directly into the main configuration files of the system. In addition, the configurations of the many add-ons can now refer directly to parameter values of the main subsystems. All this simplified the description of configurations and made them more flexible, holistic and easy to maintain.
- The user interface of the utilities used to link accounts, import current user access rights, etc. has been redesigned. Based on the RoleManager tool built into Avanpost IDM, a simpler RoleMiner tool was created that facilitates the analytical work accompanying the development and optimization of organizations' role models.
- Rights templates in IDM roles have changed: they are now written in Python and can define sets of rights that depend on user attributes.
- The editor of mail notification templates has been optimized; these templates are used to inform about new requests, requests placed in the queue, status changes and request escalations, as well as other events of interest to the customer. The editor now shows a description of the data model of the object for which a notification is generated, and the desired variables can be added in one click. This speeds up the development and modification of templates, reduces editing errors, and ultimately encourages more meaningful notifications (with more variables).
- Basic business process diagrams have been added, making it easier to start the self-service subsystem.
- The product's logging scheme has been completely reworked. In particular, the wording of messages was revised, the need to output certain messages was analyzed, and the levels at which different messages are emitted were set correctly. As a result, the logs have become more informative and the number of distracting messages has decreased.
- Logs of interface plug-ins (connectors) can now be separated out, and the most important messages are placed directly in the product user interface, which shows them in the context of the task being executed.
The company also noted the many capabilities that Avanpost IDM 5.8 gives specialists who maintain and develop IT solutions based on the product. Among them: mass restart of tasks, checking the response to personnel events, a flexible system of internal roles, additional options for configuring password policies, and extensions of connector interfaces that make connectors easier to develop for some types of systems.
Avanpost PKI 5.4 integrated with SMEV and ESIA
Avanpost PKI 5.4 is integrated with the unified system of interdepartmental electronic interaction (SMEV) and supports both verification of certificate recipients' data through the services of state authorities and publication of certificates in the unified identification and authentication system (ESIA). Both functions are requirements of current legislation for accredited certification centers.
The spread and development of electronic services and trading platforms led to a significant increase in the interest of individuals and legal entities in qualified electronic signature tools. In the early 2010s the market expanded, and the number of accredited commercial certification centers increased accordingly. As in any other area related to finance, unscrupulous market participants and new computer crime schemes appeared on this wave. For example, one widespread type of fraud was the transfer of an individual's savings to a non-state pension fund using an illegally issued electronic signature certificate. The regulator responded by tightening the rules and responsibilities of participants, both by organizational and by technical means.
Current legislation imposes the following requirements on accredited certification centers, which can be fulfilled by integrating the certification center's software with several services available in SMEV:
- The certification center, using the SMEV infrastructure, must verify and clarify the information provided by the applicant to obtain a qualified certificate (part 2.2 of article 18 of Federal Law No. 63-FZ of 06.04.2011);
- When issuing a qualified certificate, the certification center must register the certificate and, if desired, the person to whom the certificate is issued in the unified identification and authentication system (ESIA) (part 5 of article 18 of Federal Law No. 63-FZ of 06.04.2011).
Currently, the Avanpost PKI product is a public key infrastructure management system that automates fulfillment of the requirements of Federal Law No. 63-FZ of 06.04.2011 "On Electronic Signature," as amended by Federal Law No. 33-FZ of 12.03.2014 and Federal Law No. 445-FZ of 30.12.2015.
To fulfill the requirements of part 2.2, Avanpost PKI checks the data of a certificate request for an individual through the SNILS verification service of the Pension Fund of Russia, and when issuing a certificate for a legal entity it requests and checks the data using the service "Provision of brief information and/or extracts from the Unified State Register of Legal Entities / Unified State Register of Individual Entrepreneurs" of the Federal Tax Service of the Russian Federation.
The requirements of part 5 of article 18 are fulfilled by integration with the "Electronic user registration service of the unified identification and authentication system." Avanpost PKI searches for the subject in the ESIA directory and publishes the certificate issued to it. If the subject is not found, the system performs the registration itself and then adds the certificate to the directory. Besides the scenario for new (or reissued) certificates, Avanpost PKI also allows previously issued certificates to be published to the ESIA.
The largest certification centers with their own information systems (for example, SKB Kontur or Taxcom) fulfilled the above legislative requirements back in 2016. But smaller market participants, including many industry CAs, find these requirements difficult to fulfill because they lack the necessary expertise in software development and system integration. In addition, SMEV services are constantly developing, which requires constant refinement of the integrated systems, and this is also very difficult for a large number of organizations. Using the Avanpost solution now allows them to close this regulatory requirement. This will not require much effort: to connect the certification center to SMEV, a company using Avanpost PKI will only have to resolve organizational issues, while it receives the technical component and regular updates "out of the box."
In light of the entry into force on 31.12.2017 of the next package of amendments introduced by Federal Law No. 445-FZ of 30.12.2015, which clarify and once again tighten the requirements for the operation of certification centers, implementing this function will not be superfluous for any CA issuing qualified certificates.
2017
Certificate of FSTEC of Russia
On December 7, 2017, Avanpost announced that it had received a certificate of conformity confirming that Avanpost IDM meets the requirements of the guiding documents of FSTEC of Russia for the absence of undeclared capabilities (NDV) at the 4th level of control and for compliance with the technical specifications (that is, the real functionality matches the functionality declared in the documentation). Certificate of Conformity No. 3765 dated 30.06.2017 was issued based on the results of certification tests carried out by the testing laboratory of Echelon Scientific and Production Association (accreditation certificate No. СЗИ RU.0001.01BI00.B018 dated 18.04.2017).
According to Avanpost, its software product became the first IDM solution in Russia certified specifically as an information protection tool (IPS). This makes it possible to use Avanpost IDM in state information systems (GIS) and personal data information systems (ISDS) to implement the corresponding protection measures.
According to the developers, Avanpost IDM protects the organization from many threats related to:
- accidental and deliberate errors by information security personnel and information system (IS) administrators when assigning access rights;
- the long delays that are unavoidable when requests for changes to such rights are executed manually;
- rapid obsolescence of role models;
- uncontrolled differences between the role model and actual user rights;
- the accumulation of redundant access rights by employees;
- the accumulation in the information system of so-called "dead souls" (dismissed employees who retain access rights to information systems).
With its built-in access rights auditing technology, Avanpost IDM detects and corrects errors, even ones that occurred before implementation. Avanpost IDM also has a built-in set of tools for creating role models and keeping them up to date. In addition, the IDM system has a large number of ready-made interface modules (connectors) to HR systems and to all kinds of managed IS elements, including operating systems, directory services, DBMSs, application servers and application software of all kinds (including software based on the 1C:Enterprise platform). There are also mature developer techniques and tools that allow Avanpost, its partners and customers to develop connectors without needing to delve deeply into the internals of the IDM solution. Thanks to this, Avanpost IDM has interface modules that fully integrate the Russian software popular in the domestic IT market into the corporate access control system, as well as custom, non-replicated in-house developments made by integrators and customers themselves.
Avanpost IDM can be used not only on its own but also together with other products of the Avanpost line, which cover all aspects of working with public keys and tokens (Avanpost PKI) and single sign-on for IS users (Avanpost SSO and Avanpost WebSSO). In this case the organization obtains a comprehensive system of protection against unauthorized access.
Avanpost IDM 5.5 Release
On October 3, 2017, Avanpost released the next version of its product, Avanpost IDM 5.5. It contains a large number of functional improvements and enhancements, thanks to which the product now meets the requirements of large Russian customer organizations.
According to the developers, Avanpost IDM 5.5 is of primary interest for all categories of customers: large commercial organizations, state corporations, federal authorities and departments with a branch structure across the country.
The main changes concern the implementation of HR event processing policies, optimization of role model building tools for organizations with an extensive structure, and a mechanism for resolving SoD conflicts. In addition, the built-in means of organizing electronic document flow have become more functional, and the set of Avanpost IDM interface modules (connectors) to various managed systems (primarily Russian infrastructure and application software) has expanded.
HR Event Processing Policies
Avanpost IDM now contains flexible tools for setting policies for handling personnel events (hiring and dismissal, job changes, etc.). For structural units, positions or arbitrary user lists, it is now possible not only to choose the scenario of the system's automatic response (from the predefined ones and those configured during implementation), but also to specify the finer details of such processing.
All functionality for creating and configuring personnel event processing scenarios is built into Avanpost IDM 5.5 and is available in the IDM system administrator interface. As a result, authorized customer employees can describe and change personnel event processing policies themselves, without modifications to the product or involving the integrator. The capabilities of the policy editor cover almost all the needs of any large organization.
Role models of large organizations with an extensive structure
A number of innovations in setting up a role model make it easier to create and maintain role models in large geographically distributed organizations.
The mechanism implemented in version 5.5 allows you to create universal roles that automatically form the composition of rights for the receiving user, depending on his data.
As emphasized in "Outpost," the role calculation mechanism is critical for the application of Avanpost IDM in large organizations with an extensive structure. At the same time, as in the case of the policy editor for processing personnel events, the role calculation mechanism is built into Avanpost 5.5 and is available to the customer through the user interface.
Developing a role calculation mechanism that affects the IDM life cycle, Avanpost conducted a survey, including consultations with its clients - federal departments and commercial organizations (Federal Tax Service of Russia, Rosselkhozbank and several others). The analysis of the obtained data made it possible to create a simple and flexible solution that covers most scenarios for setting up a role model for a large geographically distributed organization.
In addition, a number of improvements in the role model configuration unit simplified role creation, maintenance and decommissioning, made it more convenient to work with archive roles, and also provided users with advanced filtering tools for finding roles.
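The universal roles of version 5.5 that compose a user's rights from their data, and the Python rights templates of version 5.8 that define rights depending on user attributes, rest on the same idea: a role is a function of the user's HR attributes rather than a fixed list. The following added example (not Avanpost's code, and not the product's template API) shows that pattern in plain Python. The attribute names, managed systems, permission strings and the two roles are constructed for the illustration; the point is that a missing attribute narrows the result to the baseline instead of failing open.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Mapping, Tuple

# A right is (managed system, permission). All system names, attribute names
# and permissions in this file are constructed for the example.
Right = Tuple[str, str]
User = Mapping[str, str]  # personnel attributes as synchronized from the HR source


@dataclass(frozen=True)
class Role:
    """A universal role: its rights are computed from the receiving user's attributes."""
    name: str
    template: Callable[[User], FrozenSet[Right]]


def branch_employee(user: User) -> FrozenSet[Right]:
    """Baseline role for any branch employee.

    Only attributes actually present on the HR record widen the rights set;
    a user whose record lacks region or department gets the minimal baseline.
    """
    rights = {("mail", "mailbox")}
    region = user.get("region")
    if region:
        rights.add(("fileserver", f"share:{region}:read"))
    if user.get("department") == "accounting":
        rights.add(("1c-accounting", "operator"))
        if region:
            rights.add(("1c-accounting", f"branch:{region}"))
    return frozenset(rights)


def branch_manager(user: User) -> FrozenSet[Right]:
    """Manager role: everything an employee gets plus write/approve in the own region."""
    rights = set(branch_employee(user))
    region = user.get("region")
    if region:
        rights.add(("fileserver", f"share:{region}:write"))
        rights.add(("edms", f"approve:{region}"))
    return frozenset(rights)


ROLES: Dict[str, Role] = {
    r.name: r
    for r in (Role("branch_employee", branch_employee),
              Role("branch_manager", branch_manager))
}


def calculate_rights(user: User, role_names: Iterable[str],
                     roles: Mapping[str, Role] = ROLES) -> FrozenSet[Right]:
    """Union of the rights that every assigned role's template yields for this user."""
    granted = set()
    for name in role_names:
        if name not in roles:
            raise ValueError(f"unknown role {name!r}")
        granted |= roles[name].template(user)
    return frozenset(granted)


def rights_by_system(rights: Iterable[Right]) -> Dict[str, FrozenSet[str]]:
    """Group computed rights per managed system, the shape a connector would consume."""
    grouped: Dict[str, set] = {}
    for system, permission in rights:
        grouped.setdefault(system, set()).add(permission)
    return {system: frozenset(perms) for system, perms in grouped.items()}


if __name__ == "__main__":
    accountant = {"region": "nsk", "department": "accounting"}  # constructed HR record
    per_system = rights_by_system(calculate_rights(accountant, ["branch_employee"]))
    for system, perms in sorted(per_system.items()):
        print(system, sorted(perms))
```

Because a template only reads the attribute mapping it is given, the same role assignment yields different rights in different branches, and a recalculation after an HR event (for example a transfer to another region) produces the new rights with no manual edit of the role.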
SoD Conflict Resolution
SoD (segregation of duties) is the principle of separation of powers, whose main idea is to prevent one person from performing both an action and its control (the controlled and the controlling action). In practical application of this principle it becomes important to identify and prevent SoD conflicts, i.e. a distribution of powers that leads to contradictions in user rights (for example, to mutually exclusive powers). Such conflicts are a cause of abuse of user rights.
The SoD conflict prevention mechanism built into Avanpost IDM 5.5:
- protects the organization from SoD policy violations, provides a high level of automation, and allows complex role assignment criteria and role usage restrictions to be set, with a minimum level of false positives, the developers say;
- improves the integrity of the role model by protecting against technical errors (for example, blocking the removal of a role that has dependencies). In addition, in Avanpost IDM 5.5 an employee cannot receive a role that they are not authorized to hold;
- simplifies maintenance of IDM solutions: working with several thousand roles no longer poses significant difficulties.
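The three properties listed above (SoD rules checked at assignment time, roles restricted to who may hold them, and protection of roles that others depend on) are shown together in the following added example. It is illustrative code written for this page, not Avanpost's implementation; the roles, the "department" attribute used as the authority criterion, and the two SoD rules are constructed. Rights are evaluated through role inclusion, so a conflict hidden in an inherited role is still caught.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Mapping, Set, Tuple

Right = Tuple[str, str]  # (managed system, permission); all names below are constructed


@dataclass(frozen=True)
class Role:
    name: str
    rights: FrozenSet[Right]
    includes: FrozenSet[str] = frozenset()             # roles this role builds on
    allowed_departments: FrozenSet[str] = frozenset()  # empty means any department


# Constructed role model for the example.
ROLES: Dict[str, Role] = {r.name: r for r in (
    Role("base_employee", frozenset({("mail", "mailbox")})),
    Role("payment_clerk", frozenset({("erp", "create_payment")}),
         includes=frozenset({"base_employee"}),
         allowed_departments=frozenset({"accounting"})),
    Role("payment_approver", frozenset({("erp", "approve_payment")}),
         includes=frozenset({"base_employee"}),
         allowed_departments=frozenset({"accounting", "finance"})),
    Role("erp_admin", frozenset({("erp", "manage_users"), ("erp", "view_audit")}),
         allowed_departments=frozenset({"it"})),
)}

# SoD rules: pairs of rights one person must never hold at the same time.
SOD_RULES: List[Tuple[Right, Right, str]] = [
    (("erp", "create_payment"), ("erp", "approve_payment"),
     "the creator of a payment must not approve it"),
    (("erp", "manage_users"), ("erp", "approve_payment"),
     "an account administrator must not approve payments"),
]


def effective_rights(role_name: str, roles: Mapping[str, Role] = ROLES,
                     _seen: Set[str] = None) -> FrozenSet[Right]:
    """Rights of a role including everything inherited via 'includes' (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if role_name in seen:
        return frozenset()
    seen.add(role_name)
    role = roles[role_name]
    rights = set(role.rights)
    for parent in role.includes:
        rights |= effective_rights(parent, roles, seen)
    return frozenset(rights)


def sod_conflicts(rights: Iterable[Right]) -> List[str]:
    """Reasons for every SoD rule whose both sides are present in the rights set."""
    held = set(rights)
    return [reason for a, b, reason in SOD_RULES if a in held and b in held]


def check_assignment(user: Mapping[str, str], current_roles: Iterable[str],
                     requested: str, roles: Mapping[str, Role] = ROLES) -> Tuple[bool, List[str]]:
    """Decide whether 'requested' may be added to the user's current roles."""
    if requested not in roles:
        return False, [f"unknown role {requested!r}"]
    reasons: List[str] = []
    role = roles[requested]
    dept = user.get("department")
    if role.allowed_departments and dept not in role.allowed_departments:
        reasons.append(f"{requested} is not available to department {dept!r}")
    combined: Set[Right] = set()
    for name in (*current_roles, requested):
        combined |= effective_rights(name, roles)
    reasons.extend(sod_conflicts(combined))
    return not reasons, reasons


def dependents(role_name: str, roles: Mapping[str, Role] = ROLES) -> Set[str]:
    """Roles that include the given role and would break if it were removed."""
    return {name for name, r in roles.items() if role_name in r.includes}


def can_remove_role(role_name: str, roles: Mapping[str, Role] = ROLES) -> bool:
    """Refuse to delete a role that other roles still build on."""
    return role_name in roles and not dependents(role_name, roles)
```

A request that fails the check is returned with every reason rather than the first one, so an approver sees both an authority problem and an SoD conflict at once instead of discovering the second after fixing the first.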
Document flow accompanying IDM work
The capabilities of the subsystem for managing request processing and maintaining the corresponding electronic document flow have been expanded:
- business process blocks are integrated with the event system, and exit scenarios can be set in the graphical editor;
- the response to runtime errors (for example, a required resource being unavailable) has been optimized: such requests now go to the IDM administrator, who can take corrective action, after which processing of the request continues;
- the number of irreversible actions has been reduced, and the reminder and escalation mechanisms have been improved;
- business processes in Avanpost IDM have become asynchronous: after any user action the interface "freezes" only for a minimal time, after which further processing of the request takes place in the background, which brought a qualitative jump in interface responsiveness;
- the mechanism for importing/exporting business process diagrams has been optimized, which is especially significant for the large diagrams that large organizations work with.
Modules of IDM interface with other IE elements
Avanpost IDM has a large number of ready-made connectors to popular Russian software (for example, 1C:Enterprise or the DocsVision EDMS), as well as to open-source software: Linux-based operating systems, DBMSs, all common directory implementations (OpenLDAP, 389 Directory Server, FreeIPA), etc.
Avanpost continues to create connectors and also keeps existing connectors compatible with current versions of the corresponding software. In particular, the compatibility of Avanpost IDM 5.5 with common foreign Linux-based operating systems (Red Hat, SUSE, Ubuntu and Debian), as well as with the Russian enterprise-level ALT OS from BaseALT, was verified. In all cases the universal Avanpost IDM connector for Linux provides both management of users and their rights and retrieval of account data, on which the tools for automatically building role models and auditing actual access rights in turn rely.
Avanpost IDM in conjunction with WebSSO
Together with Avanpost WebSSO, the Avanpost IDM solution automatically gains a number of functions that are important for managing access rights on large portals and in SaaS services with a very large number (millions) of users, the company noted.
For example, working together with the Avanpost WebSSO product (single sign-on for applications of all types: cloud, mobile, traditional), the Avanpost IDM system automatically gains an on-demand provisioning function. In this configuration the IDM system needs no connector at all for direct communication with IT systems that work with WebSSO through standard authentication protocols. When responding to such an access request, WebSSO "asks" the IDM system whether it complies with the user's rights.
For certain types of information systems (for example, portals or SaaS services used by a large number of external users), this gives a number of possibilities:
- First, in such a scheme no rights audit is required, since IDM checks the user's rights in the given system every time against the role model, which eliminates any deviation of the actual rights in the system from the approved ones.
- Second, IDM integration with other IS elements is simplified: where developing a connector requires implementing 12 functions, connecting via WebSSO requires only two.
- Finally, the customer can reduce license costs, because only actual software usage is counted.
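The exchange described above, reduced to its essentials as an added example (this is illustrative code for the page, not the Avanpost WebSSO or IDM implementation or protocol): the SSO side authenticates and then asks the IDM side for a decision, the IDM side computes the rights from the role model on every request, and the target system never holds a copy of the rights, so an HR event takes effect at the next login without a connector or an audit. The role model, user names, system names and the session format are constructed; real deployments carry the decision in a standard SSO assertion rather than a dict.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed role model: role -> managed system -> permissions.
ROLE_RIGHTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "portal_user": {"portal": frozenset({"login", "read"})},
    "portal_editor": {"portal": frozenset({"login", "read", "write"})},
    "crm_agent": {"crm": frozenset({"login", "cases"})},
}


@dataclass
class IdmCore:
    """IDM side: the role model, fed by HR events, is the only source of truth."""
    assignments: Dict[str, Set[str]]            # user -> assigned roles
    audit: List[str] = field(default_factory=list)

    def on_hr_event(self, user: str, event: str) -> None:
        """A dismissal clears every role; no call to the portal is needed."""
        if event == "dismissed":
            self.assignments.pop(user, None)
            self.audit.append(f"hr:dismissed {user}")

    def decide(self, user: str, system: str) -> Tuple[bool, FrozenSet[str]]:
        """Compute the user's rights in 'system' from the role model, on every request."""
        rights: Set[str] = set()
        for role in self.assignments.get(user, ()):
            rights |= ROLE_RIGHTS.get(role, {}).get(system, frozenset())
        allowed = "login" in rights
        self.audit.append(f"decide {user}@{system}: {'allow' if allowed else 'deny'}")
        return allowed, frozenset(rights)


@dataclass
class WebSso:
    """SSO side: authenticates the user, then asks IDM before issuing a session."""
    idm: IdmCore
    authenticated: Set[str]  # users whose credentials were verified (constructed stand-in)

    def login(self, user: str, system: str) -> Optional[Dict[str, object]]:
        if user not in self.authenticated:
            return None                   # authentication failed, IDM is never asked
        allowed, rights = self.idm.decide(user, system)
        if not allowed:
            return None                   # no entitlement in the role model
        # The session carries the freshly computed rights; the target system keeps
        # no copy of its own, so there is nothing that could drift from the model.
        return {"sub": user, "aud": system, "rights": sorted(rights)}


def active_users(idm: IdmCore, system: str) -> Set[str]:
    """Users who actually obtained a session for a system (basis for usage-based licensing)."""
    users: Set[str] = set()
    for line in idm.audit:
        if line.startswith("decide ") and line.endswith(": allow"):
            who = line[len("decide "):-len(": allow")]  # "user@system"
            user, _, sys_name = who.partition("@")
            if sys_name == system:
                users.add(user)
    return users


def demo() -> Tuple[Optional[Dict[str, object]], Optional[Dict[str, object]], List[str]]:
    """Login, dismissal in HR, login again: the second attempt is denied."""
    idm = IdmCore({"alice": {"portal_editor"}, "bob": {"portal_user", "crm_agent"}})
    sso = WebSso(idm, authenticated={"alice", "bob"})
    before = sso.login("alice", "portal")
    idm.on_hr_event("alice", "dismissed")
    after = sso.login("alice", "portal")
    return before, after, idm.audit


if __name__ == "__main__":
    print(demo())
```

The audit trail is produced at the decision point, which is also why the "which users really used the system" question needed for licensing can be answered from IDM alone.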
The number of active Avanpost PKI licenses has exceeded 1 million
On May 18, 2017, Avanpost announced that the number of active licenses for the Avanpost PKI product had exceeded 1 million. The total number of users of all Avanpost products has come close to 3 million.
According to the company, for most customers (~70% of implementations) Avanpost PKI is a system-forming information security technology. It supports all aspects of working with public keys and electronic signatures and a full set of functions for working with tokens, including the service document flow related to creating and fulfilling requests for the issuance and preparation of key media, and the withdrawal of compromised media or media scheduled for decommissioning.
Avanpost PKI (as well as IDM and SSO) is certified by FSTEC of Russia and is included in the Unified Register of Russian Programs for Electronic Computers and Databases.
According to the vendor's statistics, as of May 18, 2017, the largest share of Avanpost PKI licenses (55%) is held by Russian banks, 25% by the public sector and large municipal customers, 10% by the oil and gas sector, and 10% by other enterprises and organizations.
2016
Plugins to Avanpost SSO
On November 14, 2016, Avanpost announced the expansion of the line of plugins used with Avanpost SSO.
The plugins work in the Internet Explorer (IE), Google Chrome and Mozilla Firefox browsers.
Avanpost SSO is a module that provides transparent user identification and authentication. It is designed to build a single sign-on system and to form multi-factor authentication mechanisms for access to various information systems. The solution helps to centrally manage user passwords according to the password policy and to automatically authenticate users in the applications served by the system. The plugins serve as the link between employees and applications.
When the browser starts, the plugin contacts Avanpost SSO and requests templates with the settings of the pages to be monitored. It then tracks in the background which pages the user opens. If a page matches a template, the plugin asks Avanpost SSO for the employee's username and password.
Avanpost SSO, in accordance with the security policy adopted by the company, can additionally request a PIN for the token, biometric data, etc. If the information provided by the user is correct, Avanpost SSO hands over the login and password, and the plugin provides access to the desired site.
Until recently, the plugins providing communication between the user and the software worked only under the IE browser (no plugins are required for Avanpost SSO to work with "thick" client applications). Avanpost specialists have now developed tools that work under Google Chrome and Mozilla Firefox.
"The Avanpost SSO solution is used by the largest Russian companies to manage their employees' passwords. For many of them, using a specific browser is a corporate standard that we cannot ignore. The development of new plugins for our product is a matter of user convenience and of our company's desire to meet the highest customer requirements."
Business Process Designer Upgraded
On October 11, 2016, Avanpost announced the release of an upgraded business process designer as part of the Avanpost IDM 5.0 software product.
The business process designer is part of the request module. It determines the process participants and the document approval scheme depending on the parameters of the request.
The redesign in Avanpost IDM 5.0 was driven by the need to make this tool more flexible. In the previous version of the product, the mechanism helped configure logic depending on the system to which access was requested. The process was linear and tightly regulated and limited the choice of options for approving a request. The large customers Avanpost works with need to maintain a large number of interaction scenarios and minimize the need for customization, in particular when coordinating access to different information systems.
The upgraded mechanism allows processes to be configured using branches, internal directories of Avanpost IDM 5.0, external directories and other entities. An approval scenario can be made to depend on the account, the user's subdivision and the user's rights in the system.
The designer represents business processes in BPMN notation. This model is generally recognized in the professional community and is convenient for technical specialists, analysts and ordinary users alike.
The upgraded editor supports versioning of business processes. Requests already in progress continue to move according to the process in force at the time of their creation. Requests received by the system after a new version is created are approved according to the new version's rules.
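The versioning rule just described (in-flight requests keep the definition they started under, new requests pick up the latest version) is easy to get wrong if a request only stores the process name and resolves its steps at run time. The following added example, written for this page rather than taken from Avanpost IDM, pins the version number on the request at creation and keeps every published version immutable; the process name, step names and request identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Step = str  # an approval step name; the names used below are constructed


@dataclass
class ProcessRegistry:
    """Versioned business-process definitions; publishing never rewrites history."""
    versions: Dict[str, Dict[int, List[Step]]] = field(default_factory=dict)

    def publish(self, process: str, steps: List[Step]) -> int:
        history = self.versions.setdefault(process, {})
        version = max(history, default=0) + 1
        history[version] = list(steps)  # copy: later edits cannot alter a published version
        return version

    def current_version(self, process: str) -> int:
        return max(self.versions[process])

    def steps(self, process: str, version: int) -> List[Step]:
        return list(self.versions[process][version])


@dataclass
class AccessRequest:
    """A request pins the process version that was in force when it was created."""
    request_id: str
    process: str
    version: int
    position: int = 0  # index of the next step to execute

    def next_step(self, registry: ProcessRegistry) -> Optional[Step]:
        steps = registry.steps(self.process, self.version)
        return steps[self.position] if self.position < len(steps) else None

    def advance(self, registry: ProcessRegistry) -> None:
        if self.next_step(registry) is None:
            raise RuntimeError(f"{self.request_id} already completed")
        self.position += 1


def create_request(registry: ProcessRegistry, request_id: str, process: str) -> AccessRequest:
    """New requests always start under the latest published version."""
    return AccessRequest(request_id, process, registry.current_version(process))


def demo() -> Tuple[Optional[Step], int, List[Step]]:
    """Publish v1, start a request, publish v2: the old request still follows v1."""
    reg = ProcessRegistry()
    reg.publish("access_to_crm", ["manager_approval", "provision"])
    old = create_request(reg, "REQ-1", "access_to_crm")
    old.advance(reg)  # manager approved under v1
    reg.publish("access_to_crm", ["manager_approval", "security_review", "provision"])
    new = create_request(reg, "REQ-2", "access_to_crm")
    return old.next_step(reg), new.version, reg.steps("access_to_crm", new.version)


if __name__ == "__main__":
    print(demo())
```

Pinning the version on the request also makes the approval history auditable: the steps a request went through can be replayed later against the exact definition it used, even after that definition has been superseded several times.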
The designer initially has a pre-installed set of basic activities: the beginning and end of the business process, control the design (branching and selection). They also include activities that allow you to interact with the user (parallel decision block, mail notifications), internal and external services (asynchronous and synchronous service call).
This version provides the ability to add additional activities. For example, the delegation of user actions, which is enabled when an employee declared to perform a process is unable to complete a task within the allotted time.
The designer helps you interact with external reference books and systems. After granting the rights on the request in IDM, additional manual administrator actions are required, the module automatically creates a work order for this task in the Service Desk system.
Users will get more options and will be able to operate on accounts and roles, adjusting them to their needs.
The business process engine implemented in the 4th version was one of the bottlenecks in terms of integrating our product into the business processes of large customers. Its revision, as well as the implementation of the graphics editor for it, is the most important technological innovation of the 5th version of Avanpost IDM. It allows you to both organize a flexible coordination process, including a parallel one, and integrate the system with processes controlled by other information systems, such as Service Desk systems and document management systems. Its flexibility has been confirmed in several successful projects in large companies that have already started using Avanpost IDM 5.0.
Outpost software products are included in the register of domestic software
The register of domestic software has been replenished with solutions from the Outpost company. In accordance with an order of the Ministry of Telecom and Mass Communications of Russia, the products of the Avanpost line have been included in the software class covering enterprise information security tools.
The Expert Council under the Ministry of Telecom and Mass Communications approved the developer's application to add its entire line of solutions to the register of Russian programs for electronic computers and databases:
- Avanpost IDM - a system for centralized control of access to enterprise resources;
- Avanpost PKI - a system for managing all elements of the PKI infrastructure (tokens, certificates, CIPF licenses) from a single center;
- Avanpost SSO - a user authentication management system (password policies, single sign-on, etc.).
Avanpost integrated access control systems are a fully Russian development and are well known in the market. They are used by state authorities of the federal and regional level, including the FCS, the Federal Tax Service and DIT of Moscow, banks from TOP-50, in particular, Rosselkhozbank, Moscow Industrial Bank, MTS Bank, as well as medium and large commercial organizations of various fields of activity.
Avanpost PKI integrated with CryptoPro DSS electronic signature server
The CryptoPro DSS software and hardware complex is designed for centralized, secure storage of users' private keys and for remote creation of electronic signatures (ES) on behalf of users, interacting with CryptoPro HSM. The integration is implemented through the web services of the electronic signature server. As a result, an Avanpost PKI administrator or user can create a certificate issuance request that is then approved at the Certification Authority (CA) integrated with the DSS. When the request is created, the cryptographic keys are generated in CryptoPro HSM and stored in its secure module.
This makes it possible to account for all user certificates, including those issued on the DSS, and to react to personnel events, for example by revoking a certificate upon dismissal.
As a result of the development and integration, users can manage all their keys and certificates, including those issued on CryptoPro DSS, from a single console: the Avanpost PKI personal account.
Avanpost PKI 5.0 supports both the certification authorities well known on the Russian market, such as CRYPTO-PRO, Microsoft, Signal-KOM, Infotex (ViPNet) and RSA (Keon), and more specialised ones such as Checkpoint and Validata.
Avanpost PKI is integrated with the Accord-AMDZ unauthorized-access protection module
The work was carried out jointly with InfoCrypt, a developer of cryptographic information protection tools and of tools for protecting information from unauthorized access, and a technology partner of OKB SAPR, the manufacturer of the Accord family of protection tools.
The Accord trusted boot hardware module (AMDZ) for IBM-compatible PCs (LAN servers and workstations) protects devices and information resources from unauthorized access. Accord-AMDZ is produced in 6 versions, which allows it to be used on machines with different bus interfaces. Integration with Avanpost PKI is implemented with the unified Accord-5.5 controller (PCI, PCI-X), which combines the AMDZ functions with a hardware-implemented cryptographic subsystem.
As a result of the connector development and integration, users can manage all their keys and certificates through the Avanpost PKI module, synchronized with the Accord database. An Avanpost PKI administrator or user can create keys on key media that work with Accord, suspend and resume them, or revoke them.
Avanpost IDM 5.0
On June 28, 2016, Outpost announced the launch of the Avanpost IDM 5.0 system.
Among the changes in Avanpost IDM 5.0 is a self-service module with a built-in, full-featured graphical business process editor. The user interface has been radically redesigned, the APIs have been improved, and the role assignment mechanism has been reworked.
The company is starting to promote Avanpost IDM 5.0 on the access control market as a standalone product. Until October 2015, Avanpost IDM was part of the Avanpost software complex, which also included the PKI and SSO modules. Splitting the modules into independent products makes it possible to optimize pricing and manage releases more flexibly.
In this release, the advanced self-service module helps users request additional access rights, coordinate changes to them, and change account passwords in managed information systems. Avanpost IDM 5.0 also follows one of the current trends in the global development of IDM systems: the use of a graphical business process editor. Its presence improves usability and puts the product on a par with Western solutions in which this tool is already used. The innovations have significantly increased the flexibility of the solution.
The user interface has been completely redesigned. Usability specialists took part in its redesign, and customers' comments and wishes were taken into account. The web application layout uses the popular Bootstrap CSS framework, which opens up ample opportunities for branding and customizing the interface to customer requirements.
Another feature of the version is significant improvements in the application programming interfaces. In particular, a mechanism has been implemented that allows external systems to work with all IDM objects. This solved the problem of integration with Service Desk systems, SIEM systems and other products.
Changes have been made to the software interface (API) for connectors to managed systems. The interface clearly defines the parameters each operation requires, which simplifies connector development. Support for connectors implemented for IDM version 4.0 is retained. Tools for accessing external services have been created, allowing processes managed in IDM to be integrated with processes automated in other enterprise systems.
To simplify and systematize account management in integrated systems, the role assignment mechanism has been changed, and the ability to generate passwords according to the policy defined for a resource has been added. Generated passwords can be sent to users, their managers, and resource owners and administrators. This version allows employee cards to be created and employee data and organizational structure directories to be edited. User information from different sources is combined into a single card.
Our goal is to create a product that is not inferior to the leaders of the world market, but at the same time deeply takes into account the features and specifics of Russian customers. Today, Russian business, especially medium-sized, is between two needs - to save on new projects or update working systems and reliably protect the company's information resources. And our development, taking into account its cost and functionality, solves both of these problems much more efficiently than Western counterparts. Therefore, more customers see Avanpost IDM as a priority access control solution.
2015
The first major update of the Avanpost PC, version 4.1, has been released
In version 4.1 of the Avanpost software package (PC), a number of functions of the IDM and PKI modules have been improved. As a result, using the system in large geographically distributed organizations, and in enterprises with many freelance employees, has become simpler. In many cases it is now possible to significantly reduce the set of roles and to provide more flexible scenarios for approving requests to change roles and to issue them to employees.
First of all, we note a number of improvements to the IDM Workflow subsystem, which is responsible for changing an employee's access rights based on his own request or a manager's request.
In the information security model of a geographically distributed organization there are, as a rule, at least two dimensions: the roles themselves, which determine access to particular IT systems, and various role-independent restrictions, for example on access from specific territorial units (central office and branches). Now, directly in the request for a role, you can select the values of its properties that correspond to the dimensions of the security model. You can thus selectively specify the objects on which the employee will receive the role, and the approvers and the approval route are automatically assigned correctly in the request. In real organizations, where the number of such dimensions can be quite large, the ability to easily combine roles and properties not only makes request processing more flexible, but also allows the role model to be made much more compact and concise.
In addition, special reports have been developed for IDM Workflow that allow geographically distributed organizations with complex approval scenarios for rights requests to monitor the progress of approval processes and to identify stalled requests in time. Such control significantly reduces the working time lost to delays in issuing access rights. Reports that analyze how often particular rights are issued have also been added.
User rights management on a change of position is implemented in a new way. Previously, in such cases the system automatically revoked the old roles and assigned new ones in accordance with the current role model. These changes were tied to the date of the order, after which the employee could no longer perform the old duties. Now the changes can be applied not only automatically, but also through a recertification cycle for the employee's rights, managed by the IDM Workflow subsystem. In this case a request is created automatically and routed along a pre-configured path that depends on the roles involved. The responsible persons confirm the revocation of the old roles and the assignment of the new ones, deciding on the whole request or selectively on individual roles. The new mechanism is useful in many cases, for example when a period of combining the old and new positions is required. Now it is simple: the request goes for approval to both the old and the new manager, who mark the desired configuration of roles.
In Avanpost PC 4.1, delimiting access rights by branch administrator has become a standard function. An IDM system deployed across the whole organization and managed from one or more points can now be configured so that administrators see only the employees of their own territorial unit (central office, regional branch, separate department, etc.) and accordingly manage only the rights of those users and view only their role-assignment errors, audit errors and so on. This improvement is very important in practice, since it allows the centralized installation of an IDM system to be combined with decentralized administration.
The most important change in working with freelance employees who are not listed in the personnel system is the ability to enter data about them directly into the IDM system, bypassing the personnel system, through a web application with a convenient graphical interface. Freelance employees can be included in the staff structure, and their positions and statuses can be changed. Some capabilities for working with freelance employees were available in the Avanpost PC before, but now they have been significantly expanded and have become standard functionality.
Among other improvements we note the mechanism for hierarchical classification and cataloguing of roles, additional options for exporting reports in various formats, and the ability to send PIN codes via SMS that has appeared in the PKI module (a function not available in competing key-media management (TMS) solutions on the Russian market).
Avanpost 4.1 => DIRECTUM integration module created
On March 4, 2015, Avanpost announced the creation of an interface module (connector) linking the IDM subsystem of the Avanpost 4.1 software complex (PC) with the DIRECTUM electronic document management system.
The DIRECTUM connector implements the interface required by the IDM core. The new Outpost connector supports all basic access control functions: it can create, block and unblock accounts and assign and revoke specific rights and roles for users, in full compliance with the current role model and all kinds of personnel events (hiring, dismissal, transfers, etc.). In addition, the connector can audit user rights in the DIRECTUM system.
Through integration with IDM, rights management in the popular DIRECTUM electronic document management system can be fully automated, freeing IT administrators from the routine of creating accounts and managing their rights manually. Thanks to this development, information security specialists can check that user rights comply with the role model.
PC "Avanpost 4.1" is integrated with Galaktika ERP enterprise management system
On March 18, 2015, Outpost announced the release of two interface modules (connectors) of the Avanpost 4.1 software complex (PC) for the Galaktika ERP enterprise management system and the Galaxy Human Resources Management system. The creation of the new connectors is in line with the policy of developing the product's integration infrastructure, aimed at expanding the portfolio of integration modules for corporate systems popular on the Russian market.
Personnel connector
The new Avanpost 4.1 PC connector allows the IDM module to automatically receive all the necessary information from the Galaxy HCM system, including directories of employees, positions and departments, and information on hiring, leave, dismissal, appointments and changes in employee data. The connector supports full and partial data synchronization modes. It is a module for the Avanpost synchronization service and can be used as the main source of information or together with connectors to other types of sources.
Target connector
The connector to the target system implements the complete data exchange protocol with the IDM core. Accordingly, the Avanpost 4.1 PC can control all settings of the access control system built into Galaktika ERP: create, block and unblock accounts, and assign and revoke specific rights and roles for users, in full accordance with the current role model and all kinds of personnel events (hiring, dismissal, transfers, etc.). Avanpost IDM can also extract current data on actual accounts and user rights, include the personnel system in the audit of access rights, identify deviations from the role model and, if necessary, correct them. The connector works through the APIs of the standard Galaktika ERP administrative client.
Through integration with IDM, rights management in Galaktika ERP becomes fully automated, which relieves the burden on administrators, while information security specialists receive a working tool for comprehensive control of user access to functions and for tracking administrators' actions in changing user access.
"Taking into account the new import substitution strategy, many companies choose Russian automated systems to quickly solve the main management tasks. In terms of its functionality, the completeness of planning processes, the Galaktika ERP system has no analogues among Russian IT solutions. Therefore, the creation of a connector to enterprise management systems Galaktika ERP and Galaxy Human resources management is an actual event for our company," said Andrey Konusov, CEO of Avanpost. "Today, the Avanpost software complex is integrated with almost all personnel systems widespread in Russian companies, which allows us to remain the leaders of the domestic IDM market and successfully compete with Western counterparts that are losing their popularity in the new economic conditions."
"Avanpost 4.1" integrated with Microsoft SharePoint
On June 3, 2015, Outpost announced the creation of a connector for the communication of the IDM subsystem of the Avanpost 4.1 software complex (PC) with the Microsoft SharePoint platform.
The connector supports all basic access control functions, helping to manage roles and user groups, create accounts and audit rights in a SharePoint system. Integration with IDM automates rights management in SharePoint, which, according to the developers, saves IT administrators a huge amount of routine work on creating accounts and managing their rights manually. Information security department specialists are able to check that user rights comply with the role model.
The connector operates through the system's standard web services (SharePoint Web Services), which allow remote work with system elements. Architecturally, a site or site collection in SharePoint corresponds to a resource in the IDM solution.
"The company Avanpost continues to overcome such inherent shortcomings in consumer characteristics as the high cost and lack of connectors to information systems popular among Russian corporate users. Our new development for the popular corporate collaboration solution Microsoft SharePoint is designed to increase organizational flexibility and expand the business capabilities of customers," said Andrey Konusov, CEO of Avanpost.
"Avanpost IDM 4.3" supports MS SQL Server
On July 7, 2015, Outpost announced the release of Avanpost IDM 4.3.
The most significant improvement in this release is support for the Microsoft SQL Server relational DBMS.
MS SQL Server 2012 and later can be used as the DBMS, which makes it easier to integrate IDM into the existing IT infrastructure and reduces support costs by avoiding the involvement of external specialists.
- In the self-service interface (workflow), the list of roles a user can request can be restricted based on the user's position in the organizational structure.
- Improved account management. An account can now be unblocked for a limited period: when unblocking a user in the administrator interface, you can specify an end date, on which the user is automatically blocked again. The new version adds the Account Administrator functional role. Its functions are tailored to a technical support operator dealing with user authentication problems in the systems.
- A mechanism for building the role matrix based on additional calculated characteristics of users has been developed. Now, in addition to the characteristics related to the user's position, any condition that the user satisfies can be used to assign a role automatically.
"The company Avanpost adheres to a customer-oriented policy in its business development, so we develop the functionality of the product based on the needs of customers. The new releases of the IDM solution are designed to meet all previously announced requests, which will allow Avanpost to remain a more flexible and open platform for creating a convenient access control system for any organization," said Andrey Konusov, CEO of Avanpost.
"Avanpost IDM 4.3" enabled SCIM support
On July 30, 2015, Outpost announced the creation of an interface module (connector) to operate under the SCIM protocol. This development simplifies the management of identity information in many popular SaaS services.
The Simple Cloud Identity Management (SCIM) protocol specification is designed to simplify the management of user accounts in cloud applications and services. It was created on the basis of existing deployment schemes and options, with a particular focus on ease of development and integration and on reuse of current models of authentication, authorization and privacy protection. The protocol draws on the experience of integrating cloud (SaaS) applications with companies' internal infrastructure to automate user account management.
SCIM Interface Diagram, 2014
The standard is supported by most cloud service providers, including Salesforce.com, Cisco and Google. Support for this standard gives Outpost a significant expansion of the list of supported systems through modern SaaS services. For systems that do not support the protocol, a service implementation according to the specification is available.
The connector supports all basic account access control functions and automatically creates enterprise users in the service provider's directory. An organization that hosts its systems in the cloud can migrate its internal user directories to the SCIM service provider's infrastructure while retaining the ability to manage user access online. The specification can also be used as an internal standard for integrating internal systems with IDM.
"In addition to integration with cloud services, this protocol is a modern, universal and well-documented standard that can be used by our customers as an effective alternative to their own developments. Following the technologies of the future in the field of managing access to information resources, we strive to stay ahead of Western solutions, offering a decent product to Russian customers as part of import substitution," said Oleg Gubka, Development Director of Avanpost.
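As an added illustration (not Avanpost's code, and assuming the service provider speaks SCIM 2.0 as in RFC 7643/7644), this is the exchange a connector like the one described above has with a provider: account creation on hiring, deactivation on dismissal, and an audit of the provider's directory against the accounts the IDM expects. The in-memory provider and all logins are constructed.

```python
"""SCIM 2.0 provisioning messages for the personnel events an IDM connector handles.

Added example, not Avanpost's code. Assumes a SCIM 2.0 service provider
(RFC 7643/7644); the in-memory provider below is a constructed stand-in so
the exchange runs offline, and the audit compares its directory with the
state the role model expects.
"""
from typing import Any, Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status: int, scim_type: Optional[str] = None) -> tuple[int, dict[str, Any]]:
    """Error response shape from RFC 7644 section 3.12 (scimType is optional)."""
    body: dict[str, Any] = {"schemas": [ERROR_SCHEMA], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class InMemoryScimProvider:
    """Constructed stand-in for a SaaS directory; only the calls used below are modelled."""

    def __init__(self) -> None:
        self._users: dict[str, dict[str, Any]] = {}
        self._next_id = 1

    def post_users(self, body: dict[str, Any]) -> tuple[int, dict[str, Any]]:
        if body.get("schemas") != [USER_SCHEMA] or not body.get("userName"):
            return scim_error(400, "invalidSyntax")
        if any(u["userName"] == body["userName"] for u in self._users.values()):
            return scim_error(409, "uniqueness")  # userName must be unique per provider
        user = dict(body, id=str(self._next_id))  # provider assigns the immutable id
        self._next_id += 1
        self._users[user["id"]] = user
        return 201, user

    def patch_user(self, user_id: str, body: dict[str, Any]) -> tuple[int, dict[str, Any]]:
        user = self._users.get(user_id)
        if user is None:
            return scim_error(404)
        if body.get("schemas") != [PATCH_SCHEMA]:
            return scim_error(400, "invalidSyntax")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or "path" not in op:
                return scim_error(400, "invalidValue")  # only simple attribute replace here
            user[op["path"]] = op["value"]
        return 200, user

    def get_users(self) -> tuple[int, dict[str, Any]]:
        users = list(self._users.values())
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(users), "Resources": users}


class ScimConnector:
    """IDM-side connector: maps personnel events to SCIM requests and audits the result."""

    def __init__(self, provider: InMemoryScimProvider) -> None:
        self.provider = provider

    def on_hire(self, login: str, given: str, family: str, email: str) -> str:
        """Hiring event: POST /Users; returns the provider-assigned id the IDM must remember."""
        status, body = self.provider.post_users({
            "schemas": [USER_SCHEMA],
            "userName": login,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}],
            "active": True,
        })
        if status != 201:
            raise RuntimeError(f"create {login} failed: {status} {body.get('scimType')}")
        return body["id"]

    def on_dismissal(self, user_id: str) -> bool:
        """Dismissal event: deactivate rather than delete, so the record stays auditable."""
        status, body = self.provider.patch_user(user_id, {
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}],
        })
        return status == 200 and body["active"] is False

    def audit(self, expected_active: dict[str, bool]) -> list[tuple[str, str]]:
        """Deviations between the provider directory and the role model.

        expected_active maps login -> whether the employee should hold an active account.
        """
        _, listing = self.provider.get_users()
        seen = {u["userName"]: u for u in listing["Resources"]}
        deviations: list[tuple[str, str]] = []
        for login, user in seen.items():
            if login not in expected_active and user.get("active"):
                deviations.append(("unmanaged_active", login))  # created behind IDM's back
            elif expected_active.get(login) is False and user.get("active"):
                deviations.append(("should_be_inactive", login))
        for login, active in expected_active.items():
            if active and login not in seen:
                deviations.append(("missing_account", login))
        return sorted(deviations)
```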
Avanpost IDM 4.3 integrated with Oracle E-Business Suite
In September 2015, the creation of an interface module (connector) linking the IDM subsystem of the Avanpost 4.3 software complex (PC) with Oracle E-Business Suite was announced. This package is designed to automate the main activities of enterprises and includes financial services, logistics management, enterprise assets, customer relationship management (CRM), corporate performance management (CPM) and other modules.
Using the connector eliminates the need for manual data entry and the errors possible when data diverge between applications, ensuring convenience for both administrator and user. The Outpost connector implements the standard IDM contract for interaction with managed target systems: it allows roles and user groups to be managed, accounts to be created, blocked and unblocked, and access rights in Oracle E-Business Suite to be audited when necessary.
Through integration with IDM, the burden on system administrators of manually creating user accounts and managing their rights is reduced, and information security specialists can check user rights as part of their audit. IDM integration with Oracle E-Business Suite works through Oracle's own stored procedure package, which is part of the standard database installation of the system and contains the logic for managing users, their rights and the role model.
Avanpost 5.0
On October 20, 2015, Outpost announced the fifth release of the Avanpost complex, Avanpost 5.0.
All function modules have been redesigned in this version:
- IDM, PKI and SSO,
- architecture,
- critical subsystems,
- user interface,
- business process management,
- integration with external systems,
- role management, etc.
In the upgraded Avanpost 5.0 PC, the IDM, PKI and SSO modules have become independent full-featured software products; they can be implemented and used both together and separately. This approach to product release helps large organizations manage costs and changes more flexibly and combine Outpost solutions with similar products of other information security vendors that are already in use. Avanpost itself can tie the life cycles of its products more closely to the market situation, to demand for particular solutions and to the intensity of competition in different segments. The company can also apply more flexible marketing and spread out in time the release of major updates to the main functional modules (products), so as to limit the amount of change a customer has to deal with at once. This approach is implemented in the Avanpost 5.0 PC, where the PKI system is released first (October 2015), followed by IDM (December 2015), and then SSO and a number of additional modules (February 2016).
Screenshot of the product window (2015)
In the release announcement the company noted that several products of the Avanpost PC line remain mutually integrated when implemented together. The synergistic effect and all the capabilities of an integrated access control system built according to the formula IDM + PKI + SSO remain available.
An important change is the transfer of all applications of the Avanpost 5.0 line to a web application architecture with a thin client. The main advantages of this approach are:
- simplified administration,
- reduced requirements for workstation configuration,
- improved information security and scalability,
- lower total cost of ownership (TCO),
- faster return on investment (ROI).
Avanpost transferred all the functionality of the "thick" clients to the modified architecture and obtained a simple and ergonomic user interface.
The user interface has been completely redesigned. Its design and testing was conducted in collaboration with a professional team of usability specialists. In terms of technology, the interface is based on the popular Bootstrap library (CSS Framework). For the version of "Avanpost 5.0" an original style design has been developed.
In "Avanpost 5.0" an information board (dashboard) appeared with a "live" summary of the main parameters necessary for the security administrator to monitor, identify emergency situations and adequately respond. The number of such parameters increased to 35 (there were about a dozen of them in the Avanpost 4.0 PC).
The entire Avanpost Workflow subsystem has been moved onto a business process engine, and a fully functional graphical process diagram editor of its own has been created. The engine, built on the Windows Workflow Foundation platform (WWF, part of .NET Framework 4.5), provides greater flexibility in approving requests, delegating, substituting users, escalating tasks during request approval, etc.
The Avanpost Workflow system has a software interface for connecting external request approval systems, for example the customer's Service Desk system, intranet portal or workflow system.
Avanpost IDM has redesigned and improved the software interface (API) of connectors to managed systems. Now the class structure, the sets of methods and their parameters make the logic of interaction between the related systems as explicit as possible for the developer and help to spot errors. This significantly reduces API learning time, speeds up connector development, and reduces programming errors and testing costs.
Knowing the target system and not knowing the principles of IDM functioning, the developer can create a connector and be sure that it will work.
Avanpost PKI has gained a plugin-based universal support system for almost any certification authority (CA), key generation algorithm and cryptographic provider used by the organization. A number of integration modules have been created on this basis, in particular a module for the ViPNet PKI infrastructure, which is needed by many government agencies whose network segment protection is built on ViPNet.
This Avanpost PKI version works with all the CAs supported by previous versions of the Avanpost PC. As of October 20, Avanpost PKI 5.0 supports work with the following CAs:
A number of changes have occurred in the management of service roles such as "IDM administrator," "security officer" or "certification center administrator in the PKI system." These pre-installed roles (sometimes called "functional" roles) define the authority of those responsible for setting up and operating IDM systems.
It is now possible to change the permissions of the pre-installed functional roles and to create new roles with an arbitrary set of permissions. This mechanism allows system administrators to be given only the minimum authority required by the current IT processes. Previously, this common situation led to the issuance of redundant powers or required writing and maintaining program code that handled specific aspects of role authority management. Now everything is done by setting checkboxes.
The role issuance mechanism has been improved, unifying all the ways role and account management jobs are handled. In the Avanpost 5.0 line, these jobs are created by administrators (through a special console), by the users themselves (through the self-service system) and by external systems (through event handlers in data sources).
A mechanism has been implemented that allows the role model to be organized on the basis of additional calculated characteristics of users. Now the automatic assignment of a role can be tied not only to the user's official position, but to any condition whose fulfilment entitles the user to the role.
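Added example (not Avanpost's code) of the two mechanisms described here and under Avanpost 4.1: a role model in which roles are assigned by position or by an arbitrary calculated condition, and the revoke/grant set computed on a position change and routed as a recertification request to the old and the new manager, who decide per role. Rules, employees, role names and approver names are constructed.

```python
"""Role model with position-based and condition-based rules, plus the revoke/grant
set and the recertification request produced when an employee changes position.

Added example, not Avanpost's code; every rule, employee and approver is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Employee:
    login: str
    position: str
    branch: str
    # calculated characteristics that rules may test (constructed attribute names)
    attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    role: str
    positions: frozenset = frozenset()  # positional part of the role model; empty = any position
    condition: Optional[Callable[[Employee], bool]] = None  # additional calculated condition

    def matches(self, e: Employee) -> bool:
        if self.positions and e.position not in self.positions:
            return False
        return self.condition is None or self.condition(e)


class RoleModel:
    def __init__(self, rules: list) -> None:
        self.rules = list(rules)

    def entitled_roles(self, e: Employee) -> frozenset:
        return frozenset(r.role for r in self.rules if r.matches(e))


@dataclass(frozen=True)
class RoleChange:
    revoke: frozenset  # held now but not entitled afterwards (out-of-model roles land here too)
    grant: frozenset   # entitled afterwards but not held now
    keep: frozenset


def position_change(model: RoleModel, after: Employee, current: frozenset) -> RoleChange:
    """Diff between what the employee holds and what the model entitles in the new position."""
    target = model.entitled_roles(after)
    return RoleChange(revoke=current - target, grant=target - current, keep=current & target)


@dataclass
class RecertificationRequest:
    """Routed to both the old and the new manager; each can decide per role or on everything."""
    login: str
    change: RoleChange
    approvers: tuple
    decisions: dict = field(default_factory=dict)  # approver -> roles whose change they confirmed

    def decide(self, approver: str, roles, approve_all: bool = False) -> None:
        if approver not in self.approvers:
            raise ValueError(f"{approver} is not on the approval route")
        everything = set(self.change.revoke | self.change.grant)
        self.decisions[approver] = everything if approve_all else set(roles) & everything

    def pending(self) -> set:
        return set(self.approvers) - set(self.decisions)

    def apply(self, current: frozenset) -> frozenset:
        """Execute only changes every approver confirmed; unconfirmed roles keep their current
        state, which is how a transition period combining both positions is expressed."""
        if self.pending():
            raise RuntimeError("awaiting approvers: " + ", ".join(sorted(self.pending())))
        confirmed = set.intersection(*(self.decisions[a] for a in self.approvers))
        return frozenset((current - (self.change.revoke & confirmed)) | (self.change.grant & confirmed))


def demo_model() -> RoleModel:
    """Constructed role model: positional roles plus two calculated conditions."""
    return RoleModel([
        Rule("basic"),  # everyone
        Rule("erp_user", frozenset({"accountant", "chief_accountant"})),
        Rule("erp_approver", frozenset({"chief_accountant"})),
        Rule("branch_vpn", condition=lambda e: e.branch != "HQ"),  # regional staff only
        Rule("reporting", condition=lambda e: e.attrs.get("headcount", 0) > 0),  # anyone with reports
    ])
```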
There are other innovations that make it easier to use Avanpost products in large territorial-distributed organizations. These are:
- a role recertification interface,
- a toolkit for linking the organizational structure to the domain structure,
- means of creating passwords in accordance with the policy defined for a resource, etc.
The need for these changes was identified in real projects carried out by Outpost partners in government agencies and large commercial organizations after the release of the Avanpost 4.0 PC.
"The preparation of the new release of Avanpost came at a difficult time for the entire Russian IT market, where the tone was set by such well-known phenomena as sequestration of organization budgets for new IT and information security solutions, the desire to extend the life time of those scheduled to replace outdated solutions, limiting the planned projects to only the most necessary innovations. Under these conditions, the only right step for our company was an accelerated transition to a multi-product business model. We could limit ourselves to this, especially since we have been going to this model for a long time. I am sure that customers would understand us, but we did not make this compromise - and fulfilled the entire development plan for the new Avanpost release, making our products as convenient to implement and use as the best Western counterparts," said Andrey Konusov, CEO of Avanpost. "This is not only a matter of principle, but also a clear calculation, because all new tools not only enhance the impression of the Avanpost products, but also significantly speed up implementations, and also allow in most projects to do without any programming at all. And this is a big saving of time and money. And a real opportunity, together with partners, to support any business projects of our customers as quickly as possible. I would like to emphasize the importance in terms of import substitution of the even simplified integration of the Avanpost 5.0 line with Russian application and infrastructure software and with OpenSource software. It is a pleasure to realize that for an organization of any size, our products are a profitable alternative or replacement for any competing products in the field of comprehensive access control and the creation of a public key infrastructure - without any stretch or compromise."
Password synchronization is implemented in the Avanpost PC
On November 19, 2015, it was announced that the Avanpost PC had implemented a mechanism for synchronizing passwords between target systems. Users can therefore use a single password in all systems integrated with IDM and change it in any one of them, with the change propagated to all of their accounts in those systems. For IT and information security staff, the function provides centralized password resets and the ability to enforce a single enterprise-wide password policy.
Avanpost's development consists of a password interception module running on the target-system side and a password-change event handler in IDM, which synchronizes the received password to the user's accounts in the other systems. The interception module includes a password provider that registers with the target system's server and a password delivery service common to all integrated systems. The delivery service talks to IDM asynchronously, through a message queue whose messages are encrypted to the IDM server's certificate, so the queue itself never holds plaintext. After distribution to the accounts the password is not stored anywhere, so no plaintext copy of it persists in IDM.
The password provider for Microsoft Active Directory is built on the password filter interface, the standard way to extend Active Directory password policy (a notification DLL loaded by the LSA on a domain controller). Because a password change may be serviced by any writable domain controller, the filter must be installed on every controller that user workstations, or the services through which passwords are changed, may talk to; a controller without it will accept changes that IDM never sees. The filter runs inside the LSA process and sees the plaintext of every password change, so it must be treated as a highly trusted component.
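As an added illustration of this design (example code written for this page, not Avanpost's own, using only Go's standard library), the following models the two halves of the mechanism: a PasswordChangeNotify-style interceptor on the target-system side that seals the already-accepted password to the IDM server's certificate (RSA-OAEP, with the system and account name as the OAEP label so a message captured from the queue cannot be replayed against another account) and drops it into an asynchronous queue, and the IDM-side handler that unseals it, sets it on the user's accounts in the other linked systems, and wipes the plaintext. The self-signed certificate, the target systems (in-memory maps holding only hashes), the account names and the table linking them are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// PasswordEvent is what the interception module hands to the delivery service:
// the account whose password changed and the new password sealed to the IDM
// server certificate, so the message queue itself never carries plaintext.
type PasswordEvent struct {
	System, Account string
	Ciphertext      []byte
}

// NewServerCert makes a self-signed stand-in for the IDM server certificate.
func NewServerCert() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// label binds a ciphertext to the account it was produced for, so a message
// captured from the queue cannot be replayed against a different account.
func label(system, account string) []byte { return []byte(system + "/" + account) }

// PasswordChangeNotify plays the part of the LSA PasswordChangeNotify callback
// on the target-system side: seal the already-accepted password and enqueue it.
func PasswordChangeNotify(cert *x509.Certificate, q chan<- PasswordEvent, system, account string, pw []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("server certificate does not carry an RSA key")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pw, label(system, account))
	if err != nil {
		return err
	}
	q <- PasswordEvent{System: system, Account: account, Ciphertext: ct}
	return nil
}

// Systems is a constructed stand-in for the integrated target systems:
// system name -> account name -> stored password hash (never the password).
type Systems map[string]map[string][32]byte

func (s Systems) Verify(system, account string, pw []byte) bool {
	return s[system][account] == sha256.Sum256(pw)
}

// HandleEvent is the IDM-side handler: unseal, set the password on the user's
// account in every other linked system (accounts maps system name to the user's
// account there), then wipe the plaintext. Returns the systems it updated.
func HandleEvent(key *rsa.PrivateKey, ev PasswordEvent, targets Systems, accounts map[string]string) ([]string, error) {
	pw, err := rsa.DecryptOAEP(sha256.New(), nil, key, ev.Ciphertext, label(ev.System, ev.Account))
	if err != nil {
		return nil, err
	}
	defer func() { // no copy of the password survives the handler
		for i := range pw {
			pw[i] = 0
		}
	}()
	var done []string
	for sys, acct := range accounts {
		if sys == ev.System {
			continue // the originating system already has the new password
		}
		if _, ok := targets[sys][acct]; !ok {
			return done, fmt.Errorf("%s: unknown account %q", sys, acct)
		}
		targets[sys][acct] = sha256.Sum256(pw)
		done = append(done, sys)
	}
	sort.Strings(done)
	return done, nil
}

func main() {
	cert, key, _ := NewServerCert()
	q := make(chan PasswordEvent, 16) // stand-in for the asynchronous message queue
	targets := Systems{"ad": {"jdoe": {}}, "erp": {"doe_j": {}}, "mail": {"jdoe": {}}}
	pw := []byte("Correct-Horse-Battery-42")
	fmt.Println(PasswordChangeNotify(cert, q, "ad", "jdoe", pw))
	fmt.Println(HandleEvent(key, <-q, targets, map[string]string{"ad": "jdoe", "erp": "doe_j", "mail": "jdoe"}))
	fmt.Println(targets.Verify("erp", "doe_j", pw), targets.Verify("mail", "jdoe", pw))
}
```

In the real Active Directory case the policy check (the PasswordFilter export, which only accepts or rejects a proposed password) and the interception (PasswordChangeNotify) are two exports of one native DLL running inside LSASS; that Windows-side wiring is not shown here, only the data flow after the change has been accepted.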
Avanpost Access System received the go-ahead to enter the Belarusian market
On December 1, 2015, Avanpost announced that the Avanpost IDM software complex had completed certification at the Operational and Analytical Center (OAC) under the President of the Republic of Belarus.
Certificate of Conformity No. BY/112 02.02. 036 00156 is valid until June 2020. As of December 1, 2015, Avanpost is the only Russian IDM vendor holding a certificate of compliance with the state regulation TR 2013/027/BY "Information Technologies. Information Security Tools. Information Security."
Certification of the Avanpost PC in Belarus matters to the company as a tool for entering that market: Belarusian legislation prescribes the use of certified solutions only in information security systems.
Nikita Silchenko, CEO of Tiger Optics, an authorized distributor of Avanpost solutions in the Republic of Belarus and Kazakhstan, noted:
- OAC certification is a new step in the partnership between Avanpost and Tiger Optics. Avanpost's solutions are in the right place at the right time, and as a distributor we continue to invest in the success of the Russian vendor in the Republic of Belarus and the other territories where we are present.
Andrey Konusov, CEO of Avanpost, explained:
- Successful certification of our solution opens up the leading system for identification and control of access to enterprise information resources, Avanpost IDM, to corporate clients and state enterprises of the Republic of Belarus. We are excited to deliver a high-quality product ready for implementation now. The mandatory OAC certificate removes barriers to the use of our IDM system in the public sector, so our solution will also be of interest to government customers. We are now considering opening an Avanpost office in Minsk, including local engineering competence, which confirms our readiness for long-term cooperation with partners and clients in the Republic of Belarus.
2014
Avanpost 5.0 PC Plans
The most important task is to make the new release, Avanpost 5.0, as convenient to implement and maintain as Western products, where up to 90% of settings require no programming and are made with "checkboxes." The fifth release and subsequent updates will significantly increase the flexibility of the built-in workflow system, which controls the processing of all kinds of requests (changes to user access rights, role recertification, etc.). A dedicated graphical editor will let administrators specify business processes of any complexity, with conditions and complex logic. In addition, all modules will receive a completely new user interface built on Web technologies, and report configuration will be greatly simplified.
The presence of independent yet mutually integrated, fully functional IDM, PKI and SSO modules is a fundamental advantage of the Avanpost PC over any IDM solution on the Russian market, including new ones. Accordingly, Avanpost's task is to maximize the share of comprehensive projects carried out according to the IDM + PKI + SSO formula. By choosing such a solution, customers improve the security of their information systems, and for Avanpost and its partners the implementation of one product increases the customer's willingness to purchase one or two further modules to maximize the synergy. In 2015, additional functions will be added to the IDM, PKI and SSO complex: a single management console for the whole set of installed modules, a single dashboard showing key parameters and critical-event indicators from all modules, and integration with security event correlation and analysis systems (Altiris).
Another area of work is support for all kinds of authentication mechanisms in the Avanpost 5.0 PC. Biometric sensors and authentication with hardware keys (smart cards and tokens) are currently supported. One-time passwords will soon be added, whether delivered by SMS, generated by standalone hardware token generators, or produced some other way. As a result, the customer will be able to define the N-factor authentication scheme they need.
PC "Avanpost 4.0" is the only IDM solution with a complete set of tools for building role models, optimizing them and keeping them up to date; these tools do not need to be purchased and implemented separately. The development of Avanpost Role Manager and the role recertification module was a breakthrough for the whole Russian IDM market: for the first time, any organization got a real opportunity to implement and maintain an IDM system in a methodologically sound way, and implementation time even in the largest organizations fell from several years to six months. Avanpost's task now is to ensure that all or almost all implementations are carried out this way. An important step in this direction will be completing an implementation methodology for the Avanpost 5.0 PC aimed at integrators and consultants, covering organizational and technological issues equally. In addition, the company will continue to develop technologies for managing role models and, in particular, will teach the Avanpost PC to track which of their rights employees actually use and which they do not. This will make it possible to eliminate redundant rights far more completely and efficiently.
Further plans for the product line provide for porting the Avanpost PC to open-source operating systems and databases (2016), and for gradually expanding its functionality and turning it into a modular product with a high degree of synergy from combining two or more modules (2017), covering new related areas. The most likely candidates are MDM (mobile device management) and PACS (physical access control systems, which control employees' physical access to premises). Recall that Avanpost earlier ran pilot projects in various scenarios combining IDM, PKI and PACS technologies. From 2016, the functionality of the Avanpost PC will expand not only through in-house development but also by acquiring promising development teams.
A special priority for 2015 is the public sector, where Outpost already occupies a strong position, has a portfolio of completed implementations, and currently performs real and pilot projects, has leads. Among other industries where the company also has projects and pilots, the most important is the banking sector, fully prepared for large-scale implementations of IDM and integrated access control systems. This category of customers also includes insurance companies, nuclear and electric power industries, and the oil and gas sector. Significant efforts will be directed to a larger penetration into retail and a number of other industries, where the Outpost has only pilots so far.
To create technologies that speed up implementations as much as possible, Avanpost will open a new development center for 20-30 highly qualified specialists in 2015. The new center will be located in one of the remote regions of the Russian Federation and will be responsible for the strategic development of the Avanpost PC according to the product line's roadmap. This will completely eliminate the influence of specific projects, which until now has been the main reason for periodic deviations from the development plan for new Avanpost PC functionality. The Moscow development center will focus mainly on enhancements related to specific implementations, for example the creation of connectors. In addition, a team of regional Avanpost representatives for Russia, Kazakhstan and Belarus will be created: in 2015 it will include presales specialists, and in 2016 implementation engineers will be added. This division will dramatically increase the efficiency of promoting the Avanpost PC and customer satisfaction with implementations.
PC "Avanpost 4.0" - recertification of user rights
On December 2, 2014, Avanpost announced an update to the Avanpost 4.0 software package (PC): recertification of user rights.
This function makes it easier to change access rights to the various elements of the corporate information system correctly when an employee is transferred to a new position. Several options for changing rights are available, so the specifics of a particular organization can be taken into account and the burden on IT staff, as well as on managers and business-unit employees, reduced.
During an employee's personnel movement, the Avanpost 4.0 PC itself revokes the old roles and assigns new ones. Previously, roles and access rights issued under the role model were revoked on transfer and replaced by those of the new position automatically. These changes can now be applied not only automatically: a recertification cycle for the employee's rights can be started instead. In this case the system generates a request that follows a pre-configured route depending on the roles it contains. The responsible persons are asked to confirm the revocation of old roles and the assignment of new ones; any participant in the process can decide on the request as a whole or selectively confirm individual right assignments or individual role revocations. The approval process is controlled by the standard IDM Workflow subsystem of the Avanpost 4.0 PC (the one that changes an employee's access rights on the basis of the employee's or a manager's request).
A separate procedure reduces the likelihood of incidents in which a user prematurely loses rights they still need (an employee transferred to a new position who continues to perform the duties of the old one), makes the process more transparent, understandable and controlled, and reduces the likelihood of errors. In addition, the link between personnel events and IDM actions has become more flexible, which is especially important for large organizations where many such events occur every day.
Improving the mechanisms for managing the organization's role model and the rights of specific users is one of the most important priorities in the development of the Avanpost 4.0 PC. As part of this work, the IDM Workflow subsystem and the Role Manager and Role Recertification modules were created, which allow a role model to be created and optimized quickly and in a methodologically sound way, and then kept up to date.
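To make the transfer case concrete, here is an added example in Go (written for this page, not Avanpost's code). It computes the revoke/assign lines of a recertification request from a constructed role model, then applies only the lines the approvers confirmed. A rejected revocation keeps the old role, which is exactly the case described above (an employee who still performs old duties), and a line with no recorded decision is an error rather than a silent default. The position names, role names and decisions are all constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// RoleModel maps a position to the roles it grants (a constructed sample).
type RoleModel map[string][]string

// Change is one line of a recertification request.
type Change struct {
	Role   string
	Revoke bool // true: revoke an old-position role; false: assign a new-position role
}

// Decision is an approver's verdict on one line of the request.
type Decision struct {
	Change
	Approved bool
}

// PlanTransfer lists what the system would do automatically on a move from
// oldPos to newPos: revoke roles only the old position grants and assign roles
// only the new one grants. Roles both positions share are left untouched.
func PlanTransfer(m RoleModel, oldPos, newPos string) []Change {
	oldRoles, newRoles := set(m[oldPos]), set(m[newPos])
	var plan []Change
	for r := range oldRoles {
		if !newRoles[r] {
			plan = append(plan, Change{Role: r, Revoke: true})
		}
	}
	for r := range newRoles {
		if !oldRoles[r] {
			plan = append(plan, Change{Role: r})
		}
	}
	sort.Slice(plan, func(i, j int) bool { // revocations first, then by name
		if plan[i].Revoke != plan[j].Revoke {
			return plan[i].Revoke
		}
		return plan[i].Role < plan[j].Role
	})
	return plan
}

// Recertify applies the plan line by line according to the approvers' decisions.
// A rejected revocation keeps the old role (the employee still performs old
// duties), a rejected assignment withholds the new one, and a line nobody
// decided on is an error rather than something applied by default.
func Recertify(current []string, plan []Change, decisions []Decision) ([]string, error) {
	roles := set(current)
	decided := map[Change]bool{}
	for _, d := range decisions {
		decided[d.Change] = d.Approved
	}
	for _, c := range plan {
		approved, ok := decided[c]
		if !ok {
			return nil, fmt.Errorf("no decision recorded for %+v", c)
		}
		if !approved {
			continue
		}
		if c.Revoke {
			delete(roles, c.Role)
		} else {
			roles[c.Role] = true
		}
	}
	return keys(roles), nil
}

func set(xs []string) map[string]bool {
	s := make(map[string]bool, len(xs))
	for _, x := range xs {
		s[x] = true
	}
	return s
}

func keys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	model := RoleModel{
		"accountant": {"erp-ledger", "mail", "vpn"},
		"auditor":    {"erp-readonly", "mail", "vpn"},
	}
	plan := PlanTransfer(model, "accountant", "auditor")
	fmt.Printf("request lines: %+v\n", plan)
	// The approver keeps erp-ledger for now because the quarter is not yet closed.
	roles, err := Recertify(model["accountant"], plan, []Decision{
		{Change{"erp-ledger", true}, false},
		{Change{"erp-readonly", false}, true},
	})
	fmt.Println(roles, err)
}
```

The retained old role is the deliberate outcome of an approver's decision and stays visible in the request history; an audit of the role model would flag the employee as deviating from the auditor position until the revocation is approved later.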
PC "Avanpost 4.0" is compatible with Rutoken key line
On October 30, 2014, Avanpost and Aktiv announced full compatibility of the Avanpost 4.0 software complex (PC) with the entire Rutoken line of electronic keys, including the Rutoken S, Rutoken EDS and Rutoken RF models.
Aktiv has been a technology partner of Avanpost since July 2013. The development of the Rutoken line, and in particular the appearance of the Rutoken RF model (with a built-in RFID tag), required Aktiv to create a completely new version of its drivers, which at first did not support some of the interaction mechanisms used by the Avanpost 4.0 PC.
The companies identified the problem, then refined and tested the drivers, including in real projects.
Rutoken S, Rutoken EDS and Rutoken RF media are recommended as hardware carriers of key material in projects building a public key infrastructure or integrated access control systems of any complexity on the Avanpost 4.0 PC. The recommendation extends to projects with high security requirements, since both the Avanpost 4.0 PC and the certified Rutoken identifiers, with built-in Russian cryptography and integrated RFID tags, are Russian developments and meet the requirements of the current Russian regulatory framework for information security.
Users of information security systems that integrate both companies' solutions get IDM, PKI and SSO functionality (depending on the Avanpost 4.0 PC configuration) together with a fully functional tool for accounting for and managing their key media. This broadens the use of Rutoken electronic keys in organizations that need to keep personalized records of key media and issued certificates.
PC "Avanpost 4.0" is integrated with ABS "Quorum"
On October 8, 2014, Avanpost announced an interface module (connector) linking the IDM subsystem of the Avanpost 4.0 software complex (PC) with the Kvorum (Quorum) automated banking system (ABS).
The new development is of primary interest to credit and financial institutions using IT solutions built on the Quorum banking platform.
The ABS Quorum connector implements the full data exchange protocol with the IDM core. The Avanpost PC can control every setting of the access control system built into this ABS: create, block and unblock accounts, and assign and revoke specific rights and roles for users, in full accordance with the current role model and with personnel events of every kind (hiring, dismissal, job transfers, etc.).
The IDM core of the Avanpost PC can also extract up-to-date data about the accounts and user rights actually present, which allows ABS Quorum to be included in access rights audits (identifying deviations from the role model and, if necessary, reversing them) and in the processes of building and recertifying the bank's role model.
With the IDM interface, rights management in ABS Quorum becomes fully automated, which frees ABS administrators from a large amount of routine work, prevents errors and closes off opportunities for a wide range of abuse and computer crime. At the same time, the bank gains comprehensive control over user access to ABS functions and the information stored in it, as well as control over administrators' actions in changing user access.
Given the role of ABS in the activities of a credit and financial institution, these changes significantly increase the level of information security in general, reduce the risks of fraud and high-profile crimes that could negatively affect the bank's reputation.
PC "Avanpost 4.0" integrated with the Validata CA
In September 2014, Avanpost announced the release of an interface module (connector) linking the Avanpost 4.0 software complex (PC) with the Validata certification authority (CA). The connector is embedded in the public key subsystem (PKI) of the Avanpost 4.0 PC and allows certificates of this CA to be issued, renewed and revoked. Validata CA certificates can also be used in the SSO module (single sign-on to application and infrastructure software) of the Avanpost 4.0 PC.
This connector is of particular interest to organizations, government agencies and banks, that have legally significant document flows with the Central Bank of the Russian Federation. Initially, the Validata PKI infrastructure did not allow certificates to be issued, revoked or renewed by third-party software, so creating the connector required significant joint work by Avanpost and Validata specialists. Work with the Validata CA in the Avanpost 4.0 PC is now organized in the same way as with the other supported CAs: through the security administrator console. There the administrator generates a request for the required certificate operations, receives notifications about requests being approved or rejected by the certification authority, and installs issued certificates onto key media. The administrator who created the request also receives e-mail notifications as it passes through the stages of processing at the CA.
Issuing keys through the Avanpost PKI module is much less laborious than using the CA's standard tools, and in the Avanpost 4.0 PC the workflow and the individual procedures are fully unified across different CAs and across the permitted certificate operations. This significantly reduces the load on staff, simplifies training and helps unify the organization's document flow.
Alongside Validata, the supported CAs include CryptoPro, RSA Keon, NotaryPRO, Microsoft and CheckPoint. Although the Validata CA is not as widespread as the others, its support in a mature, fully Russian system combining PKI, SSO and IDM functions is extremely important for a number of Russian organizations that work closely with the Central Bank of the Russian Federation.
Avanpost 4.0 - new SOAP connector
On August 19, 2014, Outpost announced the release of a universal interface module (connector) connecting the Avanpost 4.0 software package (PC) with all kinds of target systems managed by the IDM solution.
The interface module operates over the standard SOAP protocol (hereinafter the SOAP connector). It relies on the most common ways web services are implemented in the corporate segment and allows the Avanpost 4.0 PC to fit naturally into a customer's SOA infrastructure.
The SOAP connector is primarily intended for organizations that already have, or are building, an information system based on a service-oriented architecture (SOA). At the same time, it greatly simplifies the connection of various application and infrastructure subsystems to the Avanpost 4.0 PC by customers and integrators, and it will also be used in integration projects carried out with the involvement of the target systems' developers.
The SOAP connector plugs into the standard integration infrastructure for target information systems built into the Avanpost 4.0 PC. The target system, in turn, must expose a web service through which the connector can securely extract the necessary information (for example, to build a role model or conduct an audit) and change access control settings. A web service contract (WSDL description and XSD schema) is supplied with the connector, describing the methods, message types and other details of the connector's interaction with the target system's web service. Because that endpoint both enumerates accounts and rights and changes them, it should be reachable only by the connector and authenticated in both directions (for example, TLS with client certificates): anyone who can call it can grant access.
The new connector significantly widens the range of development tools and methods. Based on open standards, the SOAP connector is oriented towards the technologies underlying modern service-oriented architectures. An integration made with the SOAP connector does not force the developer of a particular interface module to use the technologies on which the Avanpost 4.0 PC itself is built, and makes it possible to abstract more completely from the internal structure of the connected system, which can change from version to version.
Avanpost 4.0 Virtual Resource Subsystem
On July 3, 2014, Outpost announced a new virtual resource subsystem for the Avanpost 4.0 software complex.
The new development makes it possible to account, in the enterprise role model, for rights from any application or infrastructure IT system that has its own access control mechanism but does not actually exchange data with the IDM solution through a fully functional connector.
Using the new subsystem helps coordinate access control in such isolated systems with personnel events and approved access control rules, and simplifies documenting access control settings across the corporate IS.
According to the developers, the virtual resource subsystem of the Avanpost 4.0 PC is especially useful for legacy IT systems and for software running in dedicated, physically isolated security segments of the IS. Virtual resources are also justified as a temporary measure for the period while a fully functional interface module is being developed.
The virtual connector is attached to the Avanpost 4.0 PC under the same general rules as regular full-featured interface modules, but unlike them it does not interact with the real IT system. Instead it works with a dedicated reference book that lists the isolated systems and, for each of them, the names of the roles, groups and other entities of its built-in access control system.
The IDM core of the Avanpost 4.0 PC, responding to personnel events (hiring, dismissal, job transfers, etc.), initiates changes to access rights in all connected IT systems, including the isolated ones. For systems with fully functional interface modules the process is fully automated and needs no administrator to complete it. For all required actions, the virtual connector instead creates tasks in the Service Desk system and assigns the corresponding information security administrators as their executors, which provides control over task completion and over the administrators' workload. Because the tasks name the roles, groups and other entities specific to each system, the administrator's work is simpler and less error-prone.
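The following added example in Go (written for this page, not Avanpost's code) shows the routing described above: the IDM core hands each access change to the connector registered for its system; a full connector changes the target directly, while a virtual connector validates the role name against the reference book and files a Service Desk task addressed to that system's administrator. A role that is not in the reference book, or a system with no connector at all, is reported as an error rather than guessed at or dropped. The system names, role names, administrator and ticket structure are constructed for the example.

```go
package main

import "fmt"

// Grant is one access change the IDM core derives from a personnel event.
type Grant struct {
	System, Account, Role string
	Revoke                bool
}

// Connector is what the core calls for every system it manages; both the real
// and the virtual connector satisfy it, which is the point of the design.
type Connector interface {
	Apply(g Grant) (string, error)
}

// fullConnector stands in for a real connector: it changes the target directly.
type fullConnector struct{ roles map[string]map[string]bool } // account -> roles

func (c *fullConnector) Apply(g Grant) (string, error) {
	if c.roles[g.Account] == nil {
		c.roles[g.Account] = map[string]bool{}
	}
	if g.Revoke {
		delete(c.roles[g.Account], g.Role)
	} else {
		c.roles[g.Account][g.Role] = true
	}
	return "applied", nil
}

// Ticket is the Service Desk task a virtual connector files for a human.
type Ticket struct {
	Assignee string
	Grant    Grant
}

// IsolatedSystem is one entry of the reference book: who administers the
// system and the role names its own access control uses.
type IsolatedSystem struct {
	Admin string
	Roles map[string]bool
}

// virtualConnector never talks to the system: it validates the role against
// the reference book and files a ticket addressed to the system's administrator.
type virtualConnector struct {
	book    map[string]IsolatedSystem
	tickets []Ticket
}

func (v *virtualConnector) Apply(g Grant) (string, error) {
	sys, ok := v.book[g.System]
	if !ok {
		return "", fmt.Errorf("%s: not in the reference book", g.System)
	}
	if !sys.Roles[g.Role] {
		return "", fmt.Errorf("%s: role %q is not in the reference book", g.System, g.Role)
	}
	v.tickets = append(v.tickets, Ticket{Assignee: sys.Admin, Grant: g})
	return "ticket filed for " + sys.Admin, nil
}

// Dispatch routes each grant to the connector registered for its system and
// reports, per grant, what happened. It stops at the first system that has no
// connector: an unrouted change must never be silently dropped.
func Dispatch(connectors map[string]Connector, grants []Grant) ([]string, error) {
	var report []string
	for _, g := range grants {
		c, ok := connectors[g.System]
		if !ok {
			return report, fmt.Errorf("%s: no connector registered", g.System)
		}
		status, err := c.Apply(g)
		if err != nil {
			return report, err
		}
		report = append(report, fmt.Sprintf("%s/%s %s: %s", g.System, g.Account, g.Role, status))
	}
	return report, nil
}

func main() {
	ad := &fullConnector{roles: map[string]map[string]bool{}}
	scada := &virtualConnector{book: map[string]IsolatedSystem{
		"scada": {Admin: "ot-admin", Roles: map[string]bool{"operator": true, "viewer": true}},
	}}
	conns := map[string]Connector{"ad": ad, "scada": scada}
	// A hiring event for jdoe produces one change per system in the role model.
	report, err := Dispatch(conns, []Grant{
		{System: "ad", Account: "jdoe", Role: "VPN-Users"},
		{System: "scada", Account: "jdoe", Role: "viewer"},
	})
	fmt.Println(report, err)
	fmt.Printf("%+v\n", scada.tickets)
}
```

A dismissal produces the same grants with Revoke set, so the isolated system's administrator receives a revocation ticket that can be tracked to completion just like the automated revocations in the connected systems.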
Screenshots from the original page: Role Manager (user rights analysis); Workflow resources; Administrator console.
Avanpost 4.0
On June 5, 2014, Outpost announced the fourth release of its flagship product, the Avanpost 4.0 software complex.
In terms of technology, functionality and ease of implementation, this release is the largest in the entire existence of the Avanpost PC, putting it on a par with the leading high-end IDM systems promoted by world leaders in the field of IT and information security.
The Avanpost product complies with the Russian regulatory framework for information security, supports the most important Russian developments in the field (TC, electronic signature, smart cards and tokens, universal cards, etc.) and ensures the technological independence of Russian business and public administration systems in such an important area of information security as comprehensive control of access to confidential information.
After the release of 3.0 (March 2012), a number of important developments were made:
- new integration infrastructure with trusted sources of information and with certification centers,
- support for two- and three-factor authentication and biometric identification technologies,
- SSO implemented for the leading mobile platforms, Android and iOS;
- many new connectors (interface modules) of the Avanpost PC with application and infrastructure elements of the enterprise IS have been released.
The product architecture has been redesigned, which simplified the creation of connectors and helps to add new authentication mechanisms, implement various options for N-factor authentication (for example, through interaction with IDM, PKI, biometrics, MCDS, etc.).
The product includes three main modules (IDM, PKI and SSO) that can be implemented separately or in any combination.
Another significant part of the Avanpost 4.0 PC is a set of tools that:
- Help you create and maintain role models
- Organize access control-related workflow
- develop connectors to various IT and information security systems;
- flexibly set up information and analysis reports.
The functions of the Avanpost Mobile module (see below) are transferred to the SSO module.
Benefits of "Avanpost 4.0":
- The Avanpost 4.0 PC version is designed for a wide range of implementations - for the first time, a full-featured IDM solution has become available for the medium-sized Russian business.
- The new release of the Avanpost PC includes in a generalized form all the key improvements made in 2013 as part of major implementations. Avanpost 4.0 supports decentralized organizations of any size that simultaneously use heterogeneous human resources systems in different departments.
- The scalability of the solution has been significantly increased: load tests confirm the performance of the Avanpost 4.0 PC in a configuration of 30 thousand groups and 150 thousand users in the domain. The top scale bar is much higher.
- "Avanpost 4.0" supports various cross-border access rights management options in groups of organizations that communicate in a cluster scheme. In such a scheme, the central organization should reliably control access to its applications, information resources and IT infrastructure elements for employees of many third-party organizations (partners, outsourcers, members of the extended supply chain, etc.), without having direct access to their internal personnel systems. In the Russian economy, such clusters are characteristic of vertically integrated companies, as well as for a number of sectors of the economy (telecommunications, fuel and energy complex, agricultural production, aerospace, mechanical engineering, etc.).
- On the Avanpost 4.0 PC platform, you can create IDM solutions and comprehensive access control systems for hybrid information systems, combining traditional applications and IT infrastructure elements with private clouds operating under the IaaS, PaaS and SaaS models (in the latter case, the cloud application must offer an API).
- The Avanpost solution for private clouds and hybrid information systems has been fully developed; its commercial promotion will begin as soon as steady demand for such solutions appears on the Russian market.
- The number of integration points between the Avanpost 4.0 PC and other systems has increased. Among them: remote banking systems (RBS), certification authorities (all CAs popular on the Russian market are supported), biometric identification devices, physical access control systems (PACS), and various additional authentication tools.
- For each type of interaction (for example, the IDM kernel - with trusted data sources and target systems), a unified interface and the integration infrastructure used by all connectors are developed, into which many of the most complex functions are transferred (for example, data synchronization).
- For connectors with trusted data sources and target systems, a developer's toolkit (SDK) has been created, which can be used by third-party organizations. This simplifies the integration of Avanpost 4.0 PCs with legacy systems, closed enterprise developments, industry solutions, and systems for narrow market segments.
- As of June 5, 2014, the Avanpost 4.0 PC has the largest number of ready-made connectors to IT systems common on the Russian market, as well as available technologies for their development by the vendor, partners and customers.
- The Avanpost 4.0 PC includes the functionality of the former Avanpost Mobile module, now transferred to the SSO module, which supports both of the most popular mobile platforms: Android and iOS. For both platforms, the module provides secure web-browser access from mobile devices to intracorporate portals and intranet applications (intranet portal, Microsoft Outlook Web App corporate webmail, etc.). The Android version also contains a built-in, fully functional SSO system that supports VoIP telephony and video conferencing (Skype, SIP), any Android applications (clients of enterprise systems: CRM, ERP, HRM, accounting, etc.) and cloud web services. The Avanpost Mobile functionality and the Mobile SSO system allow the client company to fully integrate devices on the most popular mobile platforms into the IDM enterprise infrastructure built on the Avanpost PC.
- One of the key innovations was the tools for creating and maintaining "role models." Such models, the core of an IDM solution, clearly state the categories of employees, their rights in each infrastructure or application subsystem of the IS, and the individual deviations from this scheme for particular employees and groups.
According to the developers, as of June 5, 2014, the Avanpost 4.0 PC is the only IDM solution on the Russian market, with a built-in full set of tools for creating role models and keeping them up to date.
- The request mechanism used in the role recertification module and in a number of other subsystems of the Avanpost PC makes it as easy as possible to involve business units in IDM administration. In the Avanpost 4.0 PC it is implemented as a web application used by all categories of users: employees register requests themselves, which then pass along the configured routes and approval rules; setting those up requires the appropriate permissions. In particular, delegation is implemented, along with complex rules for group requests (approvers can approve a request for some candidates and reject it for others), visibility areas, and requests that change the operating mode of the Avanpost PC (for example, creating a role valid for one week, which is automatically cancelled after that period). Note that when deciding on requests to change IDM settings, users confirm their decisions with a qualified electronic signature (previously this mechanism applied only to requests in the PKI module).
The Avanpost Workflow subsystem allows fairly complex request-processing scenarios to be described.
- The Avanpost 4.0 PC has a new unified reporting subsystem used in all functional modules: IDM, PKI, Role Manager, etc. It is operated through a dedicated Web application, and report creation is designed for users and administrators with basic HTML and C# programming skills. This gives almost unlimited flexibility: reports with complex logic, and templates for complex reports that are deeply customized to a particular organization during implementation. Reports can be developed and customized by integrators or by the customer's own specialists. Since a report template carries C# code that the server executes, the right to author or modify templates should be treated as an administrative privilege rather than an ordinary user one.
- A library with more than ten predefined report forms.
"Two years ago, a month after the release of the Avanpost 3.0 PC, a fundamentally new stage in the development of our company began: in the shortest possible time, it was supposed to turn from a niche supplier of good technologies in the field of IDM, PKI and SSO into a respectable information security vendor offering the market a fully functional Russian IDM system that can successfully compete with world giants in this area, and at the same time be much more affordable and easy to implement. The development of basic technologies, the integration of many new functions and service tools into the product have become one of the three main priorities (along with a development strategy and the construction of effective promotion channels). Release 4.0 is the result of these efforts, which took place against the background of high variability in the global and Russian information security markets, where some trends acted similarly, and others in different directions, - said Andrei Konusov, CEO of Avanpost. - For the first time, the Russian IDM reached such balance and maturity, when there were no significant functions for which it fundamentally lags behind the leading Western solutions. Moreover, it wins against them not only in price, but also in a number of fundamental features related to functionality, practicality, methodological provision, openness and depth of integration into the enterprise's IS. This is an important stage in the development of the entire Russian information security market, because IDM is one of the few successfully developing segments of it. We are not going to slow down the pace of development of the Avanpost PC. Many developments have already been completed and are waiting for the optimal moment for entering the market, many are close to completion, there are many ideas. Our task is to make the Avanpost PC the most attractive and flexible platform for creating complex access control systems for any Russian enterprise. "
Avanpost 3.0 PC integrated with CheckPoint Certification Center
In May 2014, the release of the Avanpost 3.0 software complex (PC) interface module (connector) with the CheckPoint certification center (CA) was announced. The connector is embedded in the public key subsystem (PKI) of the Avanpost PC and allows you to issue, update and revoke certificates of the specified CA.
Issued certificates can be used in the SSO module (one-time authentication when entering applications).
All work with the CheckPoint CA, as well as with other supported CAs, is done through the user interface of the Avanpost 3.0 PC Security Administrator console.
A request to issue a certificate is created here and automatically submitted to the CA operator. If the request is approved, the Avanpost PC server issues the certificate at the CheckPoint CA through the connector. The server then notifies the security administrator who created the request (in the administrator console and by e-mail) that the certificate has been issued and lets him install it on key media using the standard Avanpost 3.0 PC interface. Requests for certificate renewal and revocation are processed in the same way. Thus, adding a new CA does not change the organization's established document flow, creates no additional burden on personnel and requires no additional training.
The CheckPoint CA connector is the next step in the Avanpost 3.0 PC program of integration with the certification authorities most popular on the Russian market. Besides CheckPoint, the supported CAs currently include CryptoPro, RSA Keon, NotaryPRO, Microsoft and Validata. The functionality of the CheckPoint CA connector will be expanded in the future; in particular, CheckPoint CA license accounting will be added, similar to the way this function is already implemented for the CryptoPro CA.
Role Recertification Module (MRP)
In May 2014, Avanpost announced the release of the Role Recertification Module (MRP), which gives users of the Avanpost 3.0 software package tools for managing the life cycle of business roles. The new development is of interest to all users of the Avanpost 3.0 PC, since it allows them to maintain the role model that governs the IDM solution and determines what rights the enterprise's employees and external users (for example, those working under an outsourcing scheme) should have in particular information systems. The processes for changing the role model map easily onto the organizational structure of the enterprise and onto the approval and sign-off procedures defined by its electronic document management regulations.
In any organization using IDM, the need to adjust the role model arises constantly: when an information system is introduced, replaced or retired; when employees' job responsibilities or the organizational structure change; when new positions appear; when working groups are formed to solve a problem that spans several departments at once. In all such cases, authorized employees (role owners) turn to the new Avanpost 3.0 PC role recertification module. Here they draw up requests for the creation, modification or removal of roles, after which the requests are approved by the responsible officials in accordance with the approved regulations. Once a request has collected all the required approvals, Avanpost MRP automatically adjusts the role model, and the IDM solution starts working according to the new rules, having reconfigured the access control subsystems built into the application and infrastructure elements of the enterprise's IS.
Avanpost MRP provides flexible means of describing the requested role model changes and the accompanying document flow, sufficient to reflect the specifics of almost any enterprise. A request can ask for approval of a new role, or of an additional right or property within an existing role. The addition, modification or exclusion of properties in a role can be limited to a specific period, after which the role is restored to its original settings. Approval routes for requests can be described in advance; if no route is specified, one is easily formed from the persons responsible for the resource in question. Route packages can be created, and multiple rights and properties for a number of resources can be added to a single request approval route. Avanpost MRP also implements scopes, i.e. delimitation of users' access by roles and resources.
The role recertification module performs several other important functions: it keeps a log of changes to the role model, and it allows you to find out (including on the basis of submitted requests) which roles are assigned to particular categories of employees.
The introduction of the Avanpost 3.0 PC role recertification module makes it possible to involve business managers and key employees in collective work on the organization's role model. Role administration now includes not only security administrators with access to the IDM management console, but also business users responsible for specific business processes and/or information resources of a business unit or of the enterprise as a whole, as well as administrators of application information systems and other stakeholders. These user categories work with the simple and ergonomic web interface of Avanpost IDM Workflow, which makes all request operations and access change decisions transparent to the user groups involved.
Control, automation and centralized management of the role model involving both security officers and business units significantly increases the level of information security of the organization. At the same time, the Avanpost 3.0 PC role recertification module simplifies the analytical work of security officers aimed at finding out how changing access rights affects the security of the enterprise information system.
Let's emphasize that users of the PC "Avanpost 3.0" receive MRP for free. Note also that MRP relies on the infrastructure elements of this IDM solution, in particular, on the Avanpost IDM Workflow electronic document management subsystem.
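The recertification workflow described in this section (a request for a role change that travels an approval route, is applied to the role model only once every approver on the route has signed, is logged, and is rolled back when a time-limited change expires) can be illustrated with the following added example. It is not Avanpost MRP code; role names, rights, approver names and dates are constructed sample data, and the ordered approval route is a simplifying assumption.

```python
"""Role-model change requests with approval routes and time-limited changes.

Added illustration of the recertification workflow described above; this is not
Avanpost MRP code. Role names, rights, approver names and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ChangeRequest:
    role: str
    add_rights: Set[str]
    route: List[str]                       # approvers, in the order they must sign off
    requested_by: str
    valid_until: Optional[date] = None     # None = permanent change
    approvals: List[str] = field(default_factory=list)
    state: str = "pending"                 # pending -> applied | rejected


class RoleModel:
    """Roles mapped to rights, plus a change log and a queue of temporary grants."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles: Dict[str, Set[str]] = {r: set(v) for r, v in roles.items()}
        self.log: List[str] = []
        self._temporary: List[Tuple[date, str, Set[str]]] = []

    def approve(self, req: ChangeRequest, approver: str) -> str:
        """Record one sign-off. Approvers must follow the route order; the change is
        applied only when the last approver on the route has signed."""
        if req.state != "pending":
            raise ValueError(f"request already {req.state}")
        expected = req.route[len(req.approvals)]
        if approver != expected:
            raise PermissionError(f"expected approval from {expected}, got {approver}")
        req.approvals.append(approver)
        if len(req.approvals) == len(req.route):
            self._apply(req)
        return req.state

    def reject(self, req: ChangeRequest, approver: str) -> str:
        if req.state != "pending" or approver not in req.route:
            raise PermissionError("only a route member may reject a pending request")
        req.state = "rejected"
        self.log.append(f"rejected {req.role} +{sorted(req.add_rights)} by {approver}")
        return req.state

    def _apply(self, req: ChangeRequest) -> None:
        current = self.roles.setdefault(req.role, set())
        added = req.add_rights - current          # only rights the role did not already have
        current |= added
        if req.valid_until is not None:
            self._temporary.append((req.valid_until, req.role, added))
        req.state = "applied"
        self.log.append(f"applied {req.role} +{sorted(added)} "
                        f"(route {'>'.join(req.route)}, until {req.valid_until})")

    def expire(self, today: date) -> List[str]:
        """Restore roles whose temporary additions have passed their validity date."""
        restored, keep = [], []
        for until, role, rights in self._temporary:
            if until < today:
                self.roles[role] -= rights
                restored.append(role)
                self.log.append(f"restored {role} -{sorted(rights)} (expired {until})")
            else:
                keep.append((until, role, rights))
        self._temporary = keep
        return restored

    def roles_with_right(self, right: str) -> List[str]:
        """Answer the recertification question 'which roles carry this right?'."""
        return sorted(r for r, rights in self.roles.items() if right in rights)


def demo() -> Tuple[Set[str], Set[str], List[str]]:
    """Walk one temporary change through approval and expiry; returns the role's
    rights while the change is active, its rights after expiry, and the change log."""
    model = RoleModel({"accountant": {"erp.read"}})
    req = ChangeRequest("accountant", {"erp.post", "erp.read"}, ["cfo", "ciso"],
                        requested_by="finance.lead", valid_until=date(2014, 6, 30))
    model.approve(req, "cfo")
    model.approve(req, "ciso")
    during = set(model.roles["accountant"])
    model.expire(date(2014, 7, 1))
    return during, set(model.roles["accountant"]), model.log


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that `_apply` records only the rights the role did not already have, so that the expiry step restores exactly the original settings rather than stripping rights the role held before the temporary change.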
PC "Avanpost 3.0" is integrated with any trusted data sources
Avanpost's development more than halves the time it takes to create Avanpost 3.0 PC connectors (connection modules) to trusted data sources, and significantly reduces the cost of maintaining these modules. This is due to the fact that now many complex functions are carried out in a universal functional unit shared by different connectors. Now, in order to connect almost any data source to the Avanpost PC, you just need to write a simple plugin describing the data structure and how to interact with the source.
Note also that the new integration infrastructure greatly facilitates implementation, as implementation participants work with well-documented application programming interfaces (APIs) and a single, flexible integration service.
Moreover, on the basis of the new integration infrastructure, Avanpost has created a developer toolkit (Software Development Kit, SDK), which the company's partners and customers who have implemented the Avanpost PC will be able to use in the near future. The large number of ready-made connectors and the ease of developing them are a significant competitive advantage of the Avanpost 3.0 PC, and this advantage will now grow further.
The new Avanpost development also solves several other tasks that are especially important for large customers. Support for loading from many sources at once greatly simplifies the centralized implementation of the Avanpost 3.0 PC in enterprises with an initially decentralized infrastructure, where different departments use different human resources systems as well as additional data sources: corporate portals, registers of contracts and external employees, etc. Another important innovation concerns the strategy for loading information from sources. The system can work with several sources at once, and the loading algorithm can differ significantly for each of them. This algorithm is configured flexibly through settings, taking into account the source's priority, the completeness of its data, the availability of event information (for example, personnel orders), the method of working with the source, its support for logging, etc. The strategy mechanism completely frees the connector developer from implementing the synchronization algorithm, from ensuring data integrity and from the need to study the structure of the Avanpost database.
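The multi-source loading strategy described above (several trusted sources, each with a priority and a possibly incomplete set of attributes) can be illustrated with the following added example. It is not Avanpost code: the merge rule (each attribute comes from the most authoritative source that actually holds a non-empty value for it, and a source may be restricted to the attributes it owns) is one reasonable strategy, and the source names, employee records and attribute names are constructed sample data.

```python
"""Priority-based merge of identity data loaded from several trusted sources.

Added illustration of the multi-source loading strategy described above; this is
not Avanpost code. The source names, employee records and attribute names below
are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Record = Dict[str, Optional[str]]


@dataclass(order=True)
class Source:
    priority: int                       # lower number = more authoritative
    name: str = field(compare=False)
    records: Dict[str, Record] = field(compare=False, default_factory=dict)
    # Attributes this source is allowed to supply; None means any attribute it carries.
    owns: Optional[Set[str]] = field(compare=False, default=None)


def merge_identities(sources: List[Source]) -> Dict[str, Dict[str, str]]:
    """Build one record per employee id. Each attribute is taken from the most
    authoritative source that actually holds a non-empty value for it, so an
    incomplete high-priority source falls through to the next one."""
    merged: Dict[str, Dict[str, str]] = {}
    for src in sorted(sources):                      # most authoritative first
        for emp_id, rec in src.records.items():
            target = merged.setdefault(emp_id, {})
            for attr, value in rec.items():
                if value is None or value == "":
                    continue                         # gap: let a later source fill it
                if src.owns is not None and attr not in src.owns:
                    continue                         # source is not authoritative for this attribute
                target.setdefault(attr, value)       # first writer (highest priority) wins
    return merged


def find_conflicts(sources: List[Source]) -> List[Tuple[str, str, str, str]]:
    """Report (employee, attribute, source, value) for every lower-priority value
    that disagrees with the merged result; useful for reviewing data quality
    before accounts are provisioned from the merged records."""
    merged = merge_identities(sources)
    conflicts = []
    for src in sorted(sources):
        for emp_id, rec in src.records.items():
            for attr, value in rec.items():
                if value is None or value == "":
                    continue
                if src.owns is not None and attr not in src.owns:
                    continue
                if merged[emp_id].get(attr) != value:
                    conflicts.append((emp_id, attr, src.name, value))
    return conflicts


# Constructed sample data: the HR system is authoritative for personnel data but has
# no e-mail addresses, the portal holds e-mail (and a stale department), and a register
# of external employees is the only source for contractors.
HR = Source(1, "hr", {
    "1001": {"name": "I. Ivanov", "department": "Finance", "email": None},
    "1002": {"name": "P. Petrov", "department": "IT", "email": ""},
})
PORTAL = Source(2, "portal", {
    "1001": {"name": "I. Ivanov", "department": "Accounting", "email": "ivanov@example.com"},
    "1002": {"name": "P. Petrov", "department": "IT", "email": "petrov@example.com"},
}, owns={"email", "department"})
CONTRACTORS = Source(3, "contractors", {
    "2001": {"name": "S. Sidorov", "department": "External", "email": "sidorov@partner.example"},
})

if __name__ == "__main__":
    for emp_id, rec in merge_identities([PORTAL, CONTRACTORS, HR]).items():
        print(emp_id, rec)
    print("conflicts:", find_conflicts([PORTAL, CONTRACTORS, HR]))
```

The order in which sources are handed to `merge_identities` does not matter, since they are sorted by priority first; `find_conflicts` is the check a practitioner would run after a load so that a stale lower-priority source (the portal's "Accounting" department here) is noticed rather than silently ignored.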
Avanpost 3.0 integrated with RBS systems
Avanpost's flagship product can be easily integrated with almost any remote banking service (RBS) system for managing the certificates and key media of bank customers. The integration greatly simplifies the work of bank security administrators and speeds up the development of connectors to specific RBS systems.
The interface is implemented in the form of server software, which automatically "takes" the necessary information about requests and clients from the RBS system and transfers it to the internal database of the PKI module of the Avanpost PC. Here, security administrators check and confirm the request, after which the certificate is transferred back to the RBS system and delivered to the user by its standard means. The work schedule and many other service parameters are set by settings, which not only provides greater flexibility in managing the integration mechanism, but also allows you to unify the most complex connector components to RBS systems and take them into one reusable element with well-documented application programming interfaces (APIs). To connect almost any certificate store to the Avanpost PC, you just need to write the simplest plugin describing the storage format. As a result, according to Avanpost experts, the use of the new development allows you to reduce the time for creating connectors to RBS systems by two to three times and practically eliminates the need to modify them when new versions of the kernel and the main modules of the Avanpost PC are released.
The integration mechanism in the RBS has successfully passed the test in pilot projects and is already used in several large credit and financial organizations in industrial operation.
Avanpost 3.0 integrated with Tax-3 AIS
On February 4, 2014, Avanpost announced the completion of the first stage of creating a subsystem for managing identity information and electronic keys based on the Avanpost 3.0 software complex (PC) in the Tax-3 AIS.
The subsystem is one of the key elements of the information security system (SOBI) of the Tax-3 AIS. By February 4, 2014, delivery of the Avanpost 3.0 PC had been completed, along with all work on deploying the subsystem at several customer sites.
The Federal Tax Service of Russia chose PC "Avanpost 3.0" based on the results of an open competition for the creation of the first launch stage of SOBI IS "Tax-3." The contractor for the creation of a subsystem for managing identification information and electronic keys was Elvis-Plus, a platinum partner of Avanpost.
AIS "Tax-3" is a new industry information system to ensure the main activities of the Federal Tax Service of Russia, its task is to simplify and speed up the consolidation of tax data, to provide access to them throughout the Russian Federation. AIS "Tax-3" has a single-level centralized architecture, which creates great advantages in terms of deployment, maintenance and use, but also creates new risks, increases information security requirements.
Choosing a technology platform for the identification and electronic key management subsystem, the customer presented a detailed set of requirements for functional and operational characteristics, conducted a large-scale pilot project, during which the Avanpost 3.0 PC was tested on a common stand with an integrated information security system. The Avanpost 3.0 PC was integrated with the customer's pilot information systems, load testing was carried out. The test results confirmed that the Avanpost 3.0 PC meets all customer requirements.
The next step in the project will be the pilot operation of the identification information and electronic key management system (as part of SOBI AIS "Tax-3") in 20 inspectorates of the Federal Tax Service located in Moscow, the Republic of Tatarstan, and the Volgograd, Kaluga, Moscow, Nizhny Novgorod and Ryazan regions. After full commissioning, the Tax-3 AIS will have to support the work of 120 thousand users and about 2 thousand territorial units of the Federal Tax Service of Russia.
"The creation of a fundamentally new AIS "Tax-3" is the most important IT project of the Federal Tax Service of Russia. Given its significance and the special role of information security for the normal operation of AIS, we have established a very high level of requirements for all elements of SOBI and, in particular, for the technological platform of the subsystem for managing identification information and electronic keys," said Oleg Kovalev, head of the Information Security Center FSUE GNIVC FTS of Russia. "The selection and verification in the context of a large-scale pilot project showed that the Russian development that won the competition in terms of functionality is not inferior to the best foreign solutions in the field of IDM and PKI, that it is provided with high-quality support and allows you to significantly reduce costs by saving budget funds. This indicates significant progress of the entire Russian information security industry."
Compliance with the requirements of STO BR IBBS-1.0-2010, PCI DSS v2.0 and No. 152-FZ
As of February 2014, Avanpost is a universal product ready for implementation in companies of various profiles. The software package complies with the requirements of the Bank of Russia standard STO BR IBBS-1.0-2010, PCI DSS v2.0, Federal Law No. 152-FZ "On Personal Data", and the FSB requirements for managing CIPF licenses and distributions. Unlike similar systems from foreign manufacturers, the Avanpost PC takes into account all the nuances of Russian Federation legislation and the requirements of industry standards.
Avanpost PC was introduced in a number of Russian banks (including those included in the TOP-50), at the moment, work on the implementation of the product is underway in several large construction companies. One of the first customers to implement the Avanpost PC was Rus-Bank.
Avanpost has taken measures to overcome the shortcomings in consumer characteristics inherent in IDM systems, such as high cost, a lack of connectors to the information systems popular among Russian corporate users, and strict requirements for the access role model. Thus, the vendor promises to release a new Role Management & Analytics toolkit at the end of the third quarter of this year, which will automate the assignment of access rights based on the business role model and thereby greatly simplify and shorten the implementation of Avanpost IDM.
The average cost of an Avanpost PC implementation project is 15 million rubles; this includes the cost of client and server licenses, servers, consulting services, the development of connectors to the customer's information systems, and implementation work.
The price of an average connector is about 150 thousand rubles. (At the moment, the vendor's portfolio contains more than a hundred ready-made connectors to the application systems most common in Russia.) As a rule, more than a dozen ISs work in coordination with IDM, and each of them requires its own connector. As a result, connectors make up a significant part of the total cost of the project.
Since the work of connectors is closely related to the core of the system, Avanpost is engaged in their creation on its own and does not offer application programming interfaces (APIs) to third-party companies. This allows you to correctly make changes to the product as a whole against the background of the constantly upgraded system core.
Potential customers may also be attracted by Avanpost's capabilities that reflect current IT trends, such as user access mobility and support for cloud architectures.[4]
The Avanpost Mobile module already supports single sign-on (SSO) for Android-based tablets and smartphones and provides a secure connection to enterprise information systems during a session. Avanpost announced that a similar module for Windows Phone would be completed in the near future, and that it intended to develop the same module for the iOS platform by mid-autumn.
2012
Avanpost 3.0
The Avanpost 3.0 software package is a system for identifying and managing access to enterprise information resources (IDM) and managing public key infrastructure (PKI). PC "Avanpost 3.0" is a unique product that has no analogues in the Russian and Western markets in terms of completeness of functionality and cost. Designed specifically to single-handedly close most of the problems that information security services have when implementing security policies in various areas.
In September 2012, Avanpost announced the completion of the certification procedure at the FSTEC of Russia for its main development, the Avanpost 3.0 software complex (PC). Certification tests were carried out in the laboratory of CJSC Scientific and Production Association Echelon. Certificate of Compliance No. 2710, valid until September 7, 2015, certifies that the Avanpost PC has built-in means of protection against unauthorized access to information (not containing information constituting a state secret) that meet the requirements of the current technical specifications and guiding documents, and that this software does not contain undeclared capabilities (NDV). Note that the certification of the Avanpost PC for the absence of undeclared capabilities was carried out at the fourth level of control.
Obtaining the FSTEC certificate is the most important stage in the development of the Avanpost PC, because in many cases the legislation of the Russian Federation prescribes the use of only certified solutions in information security systems. This, in particular, is required by fundamental regulatory documents in the field of personal data protection (FZ-152) and information security in the banking system (STO BR IBBS).
We emphasize that the text of the certificate directly states that the Avanpost PC can be used to protect information in personal data information systems (ISPD) up to and including class 1, and in automated systems (AS) up to and including class 1G. The possibility of using the Avanpost PC in systems requiring the highest class of personal data protection is extremely important for the entire IDM market, since in the coming years the protection of personal data and of the IS of credit and financial organizations will remain the main drivers of the information security market in Russia.
Note that in terms of its functional characteristics, the Avanpost PC fully meets the requirements of even the largest organizations, while the cost of introducing this first Russian comprehensive IDM solution is quite acceptable for medium-sized businesses. Many such organizations have already realized the need to urgently implement IDM systems, even more potential customers are currently implementing infrastructure systems and business applications that directly lead to IDM systems. Accordingly, Avanpost and its partners predict the rapid growth of the Russian IDM market and are confident that it is the Avanpost PC that will be the best choice for most new customers. At the same time, the absence of an FSTEC certificate would force many of them to limit themselves to pilot projects. Now this barrier has been removed, which will undoubtedly contribute to the accelerated development of the entire Russian IDM market.
The first project concerns support for personal authentication hardware (tokens, smart cards, etc.), which is the basis of two-factor authentication. The Avanpost 3.0 PC is compatible with all token variants common on the Russian market, including the popular eToken (Aladdin R.D.) and Rutoken (Aktiv company) families, the MS_Key line from MultiSoft, the ISBC line, and the latest Aladdin R.D. developments based on the JaCarta platform. Note that Aladdin R.D. and Aktiv are technological partners of Avanpost.
The second project is associated with the rapid growth of interest in three-factor authentication, which strengthens key-media-based authentication with information about the employee's actual location obtained from the physical access control system (MCDS). Avanpost actively supports this new and promising trend, since three-factor authentication makes it possible to counteract negligence and violations of token handling regulations, as well as to identify and suppress various computer crime schemes in which an attacker, posing as a legitimate user of a protected IS, becomes invisible to the information security system. The architecture of the three-factor authentication system based on the Avanpost 3.0 PC has now been fully developed, and a universal connector to the popular AS101 MCDS (manufactured by MIKKOM-ISB) has been implemented. It allows the IDM system not only to receive the necessary information from the MCDS, but also to enrol users in it automatically and manage their access rights to various areas of the building (for example, the central entrance, offices, departments, production premises, etc.). This solution has been tested in a pilot project for one of the largest vertically integrated Russian companies. In the future, it is planned to make the Avanpost 3.0 PC compatible with other MCDS systems popular on the Russian market.
As part of the third project, existing and new connector modules were improved to provide transparent automatic interaction between the Avanpost 3.0 PC and other elements of the enterprise's IS. Today, more than 100 connectors have been developed to the IT solutions most common in Russia for various purposes: HR systems (SAP HR, 1C: Personnel, BOSS-Kadrovik, etc.), account management infrastructure (MS Active Directory, Citrix), DBMS (Oracle, MS SQL), corporate mail and groupware systems (Lotus Notes/Domino, MS Exchange), enterprise management systems (the SAP platform, the 1C product line, etc.), banking systems (Diasoft), corporate portals, CRM systems, etc. More than thirty new connectors are in development; in addition, enterprises can order non-standard connectors to rare, highly specialized, industry-specific and in-house systems. Let us emphasize that all connectors (including custom ones) are created by the main Avanpost PC development team, and the company guarantees their compatibility with new versions of the systems. Development is carried out in a short time, and its cost corresponds to the capabilities of a medium-sized business. Today, the Avanpost 3.0 PC offers the widest integration opportunities among IDM systems on the Russian market.
The main changes in release 3.0 are associated with the emergence of two new modules:
- Avanpost IDM (Identity Management) - user account management in corporate information systems;
- Avanpost SLS (Self Service) - user self-service module.
Avanpost IDM is designed for centralized management of accounts and user access rights to various information systems connected to the software complex through the so-called connectors. As a result of the evolutionary development of the Avanpost ADM module, the IDM module is built on the principle of ensuring centralized management of information resources with the ability to transfer administrative authority to manage certain elements. Subsequently, it was the IDM that became the flagship component of the entire Avanpost software complex.
The Avanpost SLS module has become a logical continuation of the concept of automation of business processes of IT and information security services. It was a self-service web console for users, in which they could independently perform a number of daily tasks, thereby reducing the load of service units.
The fourth project is aimed at supporting mobile devices, whose massive use for working with corporate information, together with the rapid growth in popularity of the BYOD (Bring Your Own Device) concept, is the most important trend of 2012-2013. Responding to this trend, the company has developed a new Avanpost Mobile module for the Avanpost 3.0 PC, which provides single sign-on (SSO) for Android tablets and smartphones and secure work with corporate information both through the browser and through any application. The use of Avanpost Mobile dramatically increases the security of mobile and remote workplaces on the most common mobile platform. In the future, Avanpost plans to create a similar module for the iOS platform.
Avanpost 3.0 PC integrated with 1C personnel system
In the summer of 2012, Avanpost announced the completion of development, and the start of delivery to customers, of the module integrating the Avanpost software complex (PC) with the 1C:Enterprise Salary and Personnel Management personnel workflow module. This is an important step in the implementation of Avanpost's strategy, which provides for full-featured integration of the Avanpost PC with the business applications most popular on the Russian market: enterprise management systems, DBMS, corporate portals, electronic document management systems, and specialized solutions for personnel workflow and personnel management.
The main specialization of the multidisciplinary Avanpost software complex in the customer's information system is the centralized management throughout the organization of user access rights to information, as well as personal authentication hardware (for example, tokens). Hiring and dismissal, job movements and vacations (personnel events) all require appropriate reconfiguration of access rights, issuance, cancellation and reactivation of tokens. Integration with the personnel system allows the IDM system to automatically respond to personnel events, and integration with DBMS and application software - to automatically translate these events into the correct settings of their information security subsystems. The wider the range of systems with which the Avanpost PC is integrated, the more this solution systematizes and automates the work of IT departments and information security services of the customer enterprise. The new connector provides full integration of the Avanpost PC with the personnel system of the 1C Enterprise: Salary and Human Resources module.
As soon as the connector is installed and configured, information about personnel events begins to flow to the Avanpost PC in real time. Based on this data, signing key certificates are issued automatically and the full life cycle of the tokens issued to the enterprise's employees is maintained. The Avanpost PC renews signing key certificates in a timely manner when their validity period expires or when the main details of their owners change, and keeps an instance-by-instance record of the cryptographic information protection tools issued to employees, in full compliance with the requirements of regulatory and legislative acts. A convenient function allows the validity of certificates to be promptly suspended for the duration of an employee's vacation or illness, and certificates to be revoked upon dismissal or termination of an employment contract.
Moreover, personnel events and approved access and business role matrices serve as the basis for automatic management of employee accounts in corporate information resources and applications, including the creation, blocking, and granting and revoking of access rights.
The new Avanpost development frees system administrators and security officers from a huge number of routine operations and prevents the delays and technical errors associated with manual transfer of information, allowing these specialists to concentrate on the complex tasks of information security and administration of the corporate IS. Efficiency is further increased by the thoughtful distribution of functions between automated workstations (AWS). One example is a single console that controls the initialization, accounting and issuance of key media and their withdrawal from dismissed employees. Note that work with PIN envelopes (sealed envelopes containing PIN codes) is also supported.
Avanpost 3.0 PC integrated with IBM Lotus Notes/Domino
In October 2012, Avanpost announced the completion of the Avanpost software integration module (PC) with the IBM Lotus Notes/Domino platform, which is one of the most mature scalable and advanced solutions for creating groupware systems at territorial-distributed enterprises of any scale. The creation of a new connector is another important step towards the full-featured integration of Avanpost PCs with electronic document management systems, enterprise management, corporate portals, personnel, business applications and DBMS.
The new Avanpost PC connector automates almost every aspect of the Lotus Domino administrator's user management work. Responding to events registered in the personnel accounting system, the connector creates, blocks and unblocks users, adds them to and removes them from groups, recertifies them when their name changes, and creates personal mailboxes. Note that with the standard Lotus Domino administration tools, creating a user and a mailbox for him is more labor-intensive than creating an account in the domain. The connector automates this action and thereby significantly reduces the time spent on it. Taking into account all the operations supported by the connector, the total load on the administrator of a large territorially distributed network is reduced by 70-80%.
It is equally important that automatic control of user accounts and their access to information in the Notes database using the connector increases the security of the company's information systems. In this regard, we emphasize that the connector increases control over Domino administrators. In particular, the registration in the personnel system of hiring and dismissal, temporary suspension and renewal of the administrator's powers immediately affects his administrative rights in the system.
The new Avanpost PC connector is implemented as two software components: one communicates with Avanpost IDM and issues control commands, the other (Avanpost Lotus Agent) is installed on the Domino server and translates these commands into calls to its API. The agent component is written in Java, is a standard Lotus application, and can run on any operating system for which there is a version of the Lotus Domino server (version 6.5 and higher). Control commands are transmitted over the standard HTTP protocol through a REST interface exposed by the Avanpost Lotus Agent component. Each call may carry all of the required data or only part of it; in the latter case, each component complements it with information from external sources, a process that is fully controlled by the settings. The connector logs every executed request in full; the log is stored in a Lotus Notes database whose access rights are also controlled by the connector.
The new connector significantly complements the means of integrating the SSO module with the IBM Lotus Notes/Domino platform that already existed in the Avanpost PC. Recall that these tools supplement Domino's built-in authorization through a domain controller with support for centralized authorization using certificates, hardware keys (tokens, smart cards, etc.) and biometric technologies (where the appropriate equipment is available).
"At one time, IBM Lotus Notes changed the nature of teamwork with unstructured and poorly structured information in the corporate environment, formed a new category of groupware and approved it as one of the key elements of enterprise IP. Despite technological revolutions and the emergence of many developments that proclaimed themselves "killers of Notes" (Notes Killer App), this platform still retains its status as a leader," says Alexander Sanin, commercial director of Avanpost. "Groupware systems based on IBM Lotus/Domino are widely used in Russian business and in the public administration system, and this platform itself is the technological basis of many universal and specialized electronic document management and workflow systems created by Russian developers. I am confident that our new development will allow many domestic companies to move from assessing the benefits of IDM to real projects and choose Avanpost as a platform."
Avanpost 3.0 PC integrated with SAP HR
The SAP HR solution is very popular in large Russian organizations, since it covers and links work with personnel at all levels, from operational to strategic, into a single system. Depending on the configuration, SAP HR allows you to: manage the organizational structure and staffing, maintain personnel records and maintain appropriate electronic document management, plan careers and track employee movements, work with personnel reserves, manage competencies and solve many other tasks.
In today's enterprise, most events controlled by the SAP HR system involve a change in the set of applications and corporate information resources available to the user, as well as in information access rights. This applies not only to hiring and dismissing an employee, but also to corporate training, assessments, temporary and permanent job movements, business trips and vacations. It is precisely the completeness of the HR processes in SAP HR, which is what makes the solution attractive to its users, that leads to an avalanche-like growth in the number of events requiring error-free and timely adjustment of access rights in particular components of the enterprise information system. This creates a huge burden on the information security unit, which is almost impossible to cope with without IDM.
The new Avanpost PC connector allows IDM to automatically receive all necessary information from the SAP HR system, including: the directories of employees, positions and departments, and information about hiring, leave, dismissal, appointments and changes to employee data. The connector runs on a schedule or in response to an event and synchronizes the Avanpost HR data store with SAP HR: on the first connection all the directories are copied from SAP HR to the Avanpost PC; on subsequent runs the connector tracks the changes that have occurred in SAP HR since the last synchronization and reflects them in the Avanpost PC.
The connector is designed in accordance with SOA (Service-oriented Architecture) principles and uses standard and additional web services of the SAP platform. Such an architecture fits well into a modern corporate IT infrastructure, practically removes restrictions on how the individual components of the SAP HR - Connector - Avanpost PC chain are distributed across the server infrastructure, and does not hinder migration to a cloud architecture.
"Creating a connector to SAP HR is a milestone event for our company," says Andrey Konusov, CEO of Avanpost. "We have not just taught our IDM system to interact with the HR solution on which most large enterprises base their personnel workflow and organizational management. In fact, we have reached a state where the Avanpost software package is integrated with all personnel systems that are widespread in Russian companies. This is a significant competitive advantage and reaffirms the technological leadership of Avanpost in the Russian IDM market."
Avanpost 3.0 PC integrated with MySQL
The MySQL connector simplifies the integration of the Avanpost PC with Internet and intranet portals, online stores, business applications, as well as a variety of cloud services for businesses and individuals.
The integration module automates control over the access of enterprise employees to any database objects and over user properties, including SSL connection parameters and limits on the use of DBMS resources. In addition, the connector can create, lock and unlock users. All these actions are carried out without the participation of an administrator, as a reaction to personnel events: hiring and dismissal, job changes, business trips, etc.
The MySQL connector supports the complete set of IDM functions, such as auditing, correcting access rights, monitoring administrator intervention at the system level, etc. This makes it possible to automatically identify every deviation from the approved access model that a database administrator has introduced, whether by mistake or with malicious intent. Deviations can be promptly reverted (automatically or manually), and a summary of them is passed to the security service for further analysis.
The connector is notably easy to deploy and configure. On the MySQL side, no additional components need to be installed: the connector talks to the DBMS through the standard MySQL provider for the .NET platform, installed on the Avanpost PC server. In addition, a technical user with the necessary rights is created in each database that is to be controlled by the IDM system.
The creation of an integration module for MySQL is an important step towards full-featured integration of the Avanpost PC with the DBMSs most widely used in Russian enterprises. Recall that such modules were developed earlier for MS SQL and Oracle.
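The two reconciliation behaviours described in the SAP HR and MySQL sections above, the HR delta sync (full copy on the first run, then only changes since the last run) and the detection of database accounts that deviate from the approved access model, as an added example in Python. This is not Avanpost code: the `Employee` record, the `hr_delta`, `approved_model` and `deviations` functions, and all logins and HR data are constructed for illustration.

```python
"""Added example (not Avanpost code): HR-driven account reconciliation.
Diffs the current HR export against the last synchronised copy to derive
personnel events, then compares the HR-derived access model with the
accounts actually present in a DBMS and reports every deviation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    login: str
    department: str
    status: str  # constructed vocabulary: "active" or "dismissed"


def hr_delta(previous, current):
    """Events since the last sync; an empty `previous` (first run) = all hires."""
    events = []
    for emp_id, rec in current.items():
        old = previous.get(emp_id)
        if old is None:
            events.append(("hired", rec.login))
        elif old.status == "active" and rec.status == "dismissed":
            events.append(("dismissed", rec.login))
        elif old != rec:
            events.append(("changed", rec.login))
    return events


def approved_model(current):
    """Access model: login -> account must be unlocked (True) or locked."""
    return {rec.login: rec.status == "active" for rec in current.values()}


def deviations(model, actual):
    """actual: login -> unlocked flag as read from the DBMS user table."""
    found = []
    for login, unlocked in actual.items():
        if login not in model:
            found.append((login, "no HR record behind this account"))
        elif unlocked != model[login]:
            found.append((login, "expected unlocked=%s" % model[login]))
    for login, must_be_unlocked in model.items():
        if must_be_unlocked and login not in actual:
            found.append((login, "account missing"))
    return found


# Constructed sample: last synchronised HR copy and the current HR export.
PREVIOUS_HR = {"1": Employee("1", "ivanov", "IT", "active"),
               "2": Employee("2", "petrov", "Sales", "active")}
CURRENT_HR = {"1": Employee("1", "ivanov", "Security", "active"),
              "2": Employee("2", "petrov", "Sales", "dismissed"),
              "3": Employee("3", "sidorova", "IT", "active")}
# Constructed DBMS state: petrov is still unlocked, dba_tmp has no HR record.
ACTUAL_DB_ACCOUNTS = {"ivanov": True, "petrov": True, "dba_tmp": True}

if __name__ == "__main__":
    print(hr_delta(PREVIOUS_HR, CURRENT_HR))
    print(deviations(approved_model(CURRENT_HR), ACTUAL_DB_ACCOUNTS))
```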
Single Sign-On (SSO) features are included in the Avanpost Mobile module
SSO functions are included in the Avanpost Mobile module of the Avanpost 3.0 software complex (PC). Creating an SSO mechanism for the most common mobile platform, integrated with IDM and PKI, dramatically increases the security of mobile and remote workplaces, whose popularity is growing rapidly in enterprises of all sizes and lines of business. Accordingly, the new Avanpost development is of interest to almost any organization, including those that follow the BYOD (Bring Your Own Device) concept, in which employees use personal mobile devices to work with corporate information.
Using the new version of the Avanpost Mobile system, the user automatically (without entering a login and password) starts working on any of his mobile devices with secure internal corporate Web resources (intranet portal, corporate Microsoft Outlook Web App webmail, etc.), VoIP telephony and video conferencing systems (for example, Skype, SIP), as well as with any Android applications that are clients of the corporate information system (CRM, ERP, HR, accounting, etc.) and cloud Web services. Thus, the main advantage of SSO is delivered on a mobile device: users do not need to remember many identification pairs, while the organization can apply security policies that require long, hard-to-remember, frequently changed passwords that also differ between applications.
The main settings of the Avanpost Mobile system are made on the Avanpost PC server, which controls which applications are available to the employee on particular mobile devices (while the IDM core of the Avanpost PC handles password generation and renewal). Here a unique PIN code for the mobile device is generated, and if the corresponding modules are present, the Avanpost PC system can print a PIN envelope, which keeps this information out of the system administrator's reach. Note that when working with mobile devices, the same infrastructure is used that controls the work of users on laptops and desktops: on a mobile device, you enter the same PIN code as on the user's hardware USB token. At the same time, the token does not need to be connected to the smartphone or tablet; information about certificates and passwords is taken directly from the Avanpost PC storage. This scheme is as user-friendly as possible and, at the same time, does not reduce the level of system security.
On a mobile device, you only need to install an Android application, and root privileges are not required for it to work. The latter circumstance is extremely important, since rooting creates gaps in the built-in information security system of the Android platform and can also create problems with warranty repairs of the device.
Note that the new version of the Avanpost Mobile module also implements MDM (Mobile Device Management) functions, which allow you to remotely control the operating system of a mobile device, counteract malware, prevent the installation of software prohibited by the corporate information security policy, and control user access to local applications. In the next versions of Avanpost Mobile, the MDM functionality will be expanded: remote software installation, device locking and complete wiping of confidential information when a device is lost, selective locking of hardware components (SD card, camera, WiFi, Bluetooth, etc.), and centralized GPS monitoring of the location of the company's mobile devices. In addition, a log of actions by users who violate the corporate information security policy will be maintained automatically, and it will be possible to transfer it automatically to the system server.
Avanpost Mobile runs on any version of Android since version 2.3.
Avanpost 3.0 - support for biometric authentication tools is enabled
On November 21, 2013, Avanpost announced the integration of support for biometric authentication tools into the Avanpost 3.0 software package (PC).
The added functionality opens up new opportunities for the accelerated implementation of complex highly reliable access control systems, as well as two- and three-factor authentication systems in the public sector and among commercial customers.
Fingerprint authentication becomes available to users of the Avanpost 3.0 PC. It is possible to use biometrics alone or to supplement it with entering a PIN code and/or presenting a smart card (with built-in cryptography). In the latter case, successful biometric verification unlocks access to the smart card and, in particular, to the private key stored on it.
The administration system allows you to control which corporate applications and which groups of persons are subject to certain combinations of checks. All this without additional costs for system integration and development of specialized software.
2009: Avanpost 2.0
In late 2009 and early 2010, new developments were tested, and in February 2010 Avanpost 2.0 was released.
It included new modules:
- Avanpost IPSec (Internet Security Protocol) - building secure VPN connections, including using GOST crypto algorithms;
- Avanpost ADM (Active Directory Management) - management of accounts in the Microsoft Active Directory directory.
The first module was intended to ensure the confidentiality and integrity of data flows transmitted over the network and to authorize users when accessing network nodes. This module was a reaction to the request of a key customer: since the company is widely distributed geographically, traffic encryption between branches was required. It is important that the system operated at the IP network protocol level. Accordingly, programs directly using the transmission control protocol (TCP) and various transport protocols (FTP, HTTP, etc.) did not "notice" the use of tunneling. This made it possible to operate the vast majority of application programs together with the system without making any changes to them and without adjusting their settings.
The Avanpost ADM module is the prototype of the current Avanpost IDM (Identity Management) module; it automated the management of user accounts in the Microsoft Active Directory (AD) directory. The module contained a fairly flexible mechanism for monitoring hiring and dismissal events in the company's personnel database. Based on this information, the module automatically created or blocked accounts in AD.
In addition to the new modules, the functionality of the existing ones has been significantly improved. Avanpost PKI v.2.0 has learned to work with most of the types of key media on the Russian market (eToken, Rutoken, smart cards, etc.). The product is integrated with a remote banking system (RBS) to manage the lifecycle of tokens issued to bank customers (individuals and legal entities).
In early 2011, the company decided to start the Avanpost PC certification procedure at the FSTEC of Russia.
2007: Avanpost 1.0
In 2007, the first release of the Avanpost software complex (PC) was released. Its goal was to automate many information security processes in the enterprise. After it was put into commercial operation, the team of developers was spun off into a separate legal entity and switched to support mode.
The first release of the Avanpost PC includes modules:
- Avanpost PKI (Public Key Infrastructure) - management of elements of the public key infrastructure;
- Avanpost SSO (Single Sign-On) - one-time authentication in several application and infrastructure-level systems at once;
- Avanpost SeS (Security Supervisor) - control and monitoring of user actions.
The Avanpost PKI v.1.0 module brought together, in a single interface, automation and centralized management of all elements of the public key infrastructure. This included:
- management of electronic certificates and key media,
- maintaining a copy-by-copy record of cryptographic information protection tools (CIPF),
- automation of the certificate issuance process,
- implementation of the full cycle of the development environment,
- event logging.
The Avanpost SSO v.1.0 module provided functions for centrally updating password information on the user's key medium (token) and automatically substituting it into applications serviced by the SSO system. The module intercepted the pop-up windows of applications into which password information had to be entered and substituted data stored in a protected area of the key medium's memory. At the same time, writing and deleting password information on the key medium took place centrally, using the password distribution server.
The Avanpost SeS v.1.0 module was designed to control the access of employees to automated workplaces (AWS) and to information input/output devices that are part of the corporate information system. In fact, the module was a kind of prototype of modern systems of the DLP and SIEM classes. With its help, security administrators could monitor the work of users with I/O ports, manage "white" and "black" lists of applications, as well as monitor and signal to the administrator about unwanted user actions that violate certain information security policies.
After the introduction of version 1.0, the developer continued to extend the functionality of the product. In early 2008, the product was first deployed commercially in a third-party organization.
Over the two years 2008 and 2009, the developers extended the functionality of the Avanpost PC. Several minor versions of the product were released, improving existing functionality and correcting identified flaws.
2004: Creation of Avanpost
The Avanpost system was created in 2004, and the first large customers to implement it were banks, since the product was developed in full compliance with the high information security requirements imposed by regulators on credit and financial institutions. This feature increases the relevance of the product for use in companies of various business profiles.