Today, the distribution company OCS and «Indeed», a Russian developer of software systems in the field of information security, are holding an event where the vendor's following products will be presented: • Indeed Access Manager – multi-factor authentication for employees and a single point of access to the company's IT systems; • Indeed Privileged Access Manager – managing privileged user access to the company's IT systems; • Indeed Certificate Manager – centralized management of digital certificates, smart cards, tokens, and automates processes for working with them.
Today on the agenda:
- Problems, incidents, and cases;
- Scenarios and application practices;
- Sales recommendations;
- Partnership terms.
Today's event is led by Anna Shlapak, Partner Account Manager, Indeed. Indeed is a Russian vendor, a Russian developer. We have completely our own components, we write them ourselves, and use domestic software. We have been on the market for 15 years. The company has over 500 active customers, implemented projects, over 200 regional partners, more than 100 employees, most of whom are technical specialists.
Indeed has 3 offices: in Moscow, St. Petersburg, and Veliky Novgorod. Over 15 years, we have developed 3 products. All of them are in the register of domestic software.
The first product is Indeed Access Manager. Centralized management of user access to the company's IT resources. The second product is Indeed Privileged Access Manager management and protection of access to privileged accounts. And the third product is - Indeed Certificate Manager – centralized management of digital certificates and tokens.
Indeed Access Manager - is a solution for multi-factor authentication with single sign-on technology to all corporate resources. The biggest problem for customers is usually passwords. Knowing the password allows attackers to obtain confidential employee data, and then confidential data of the entire company. There are 2 types of common passwords: complex and simple. Simple passwords are easy to remember, they don't need to be written down anywhere, but an attacker can easily find access to a simple password. There are more complex passwords with a diverse set of letters, numbers, and other characters, which are very difficult to remember. Therefore, employees often write down such passwords on pieces of paper, stick these pieces of paper on the monitor so they don't forget where they put them, or write them in notebooks or in notes on their phone, and some hide them under the keyboard, and even sometimes under the transparent phone case. No matter how complex the password is, in any case, an attacker will be able to obtain it, it will just take a little more time and resources to crack it.
Another problem is when employees have third-party web resources on which they are registered, sites, or social networks. As a rule, no one comes up with a new password for a large number of internet resources. And if an attacker obtains, for example, the password from an employee's social network account, they can gain access to their work account. This is easy to do, as passwords are usually used for all web resources.
Another problem is that employees sometimes forget their passwords. And then they need to change them. They need to go to the administrator, and for this in many companies, there is a process of согласования и подписания служебного заявления у руководителя, нужно всех найти, у всех взять подписи, кого-то может не оказаться на рабочем месте. As a result, the employee will be in front of their workplace, without access for several hours, which, of course, is not effective.
I also want to note that compared to 2022, we have a 33% increase in data leakage statistics in January – May. And most of the leakage is precisely passwords and logins.
In 2022, the most popular password was - «password». Also very popular are passwords «12345» or «123456», as well as «poe» or «POE» and various variations of this password from upper and lower case letters.
I'll tell an interesting story. Once Prince William came to the Ministry of Defense for an inspection. On such an occasion, it was necessary to gather the press service in order to take photographs. The photographs were taken. And in one of them, a piece of paper with the login and password of a Ministry of Defense employee accidentally ended up in the frame, which he had hung on the table higher so that everyone could see it, so that he himself could see it. The distribution of this photograph could not be prevented. It ended up on the Internet, but the Ministry of Defense managed to change access for all its employees in the shortest possible time. Attackers did not manage to carry out any malicious actions in the infrastructure of the ministry.
Understanding the importance of password secrecy, our company has developed the Indeed Access Manager product. This product is aimed at controlling employee actions, controlling access to company resources both from the internal and external network.
Our product is licensed by users and by integration modules. In total, we have 8 modules. The most popular modules are the remote employee connection module, the access module to stationary workstations, to web applications, and to target applications. All these modules are collected through a questionnaire. The customer fills it out themselves, where they indicate what functionality they need.
We also have a large number of authentication elements. Customers do not need to pay additional funds for them. The customer buys a license for users, buys the necessary module, for example, a module for remote connection, in their infrastructure can come up with an authentication method, whatever they want. It can be additional factor authentication, it can be multi-factor authentication.
What are these enhanced authentication methods that I mentioned? These are biometric technologies: fingerprint, palm vein scan, 2D-3D face contour, these are hardware tokens. Let me clarify right away. We are software vendors. We do not have our own physical tokens, we do not develop hardware platforms and other physical tokens. We can load our software onto a friendly hardware token developer. These are cards or scans for the hand or finger. Also this is the generation of one-time passwords and push notifications.
Also to enhanced authentication belongs our mobile application Indeed Key. It works in two modes. The first mode is the generation of one-time passwords. In this case, a network connection is not required. The second way is the generation of push notifications. Here, a network connection is already required. The mobile application is free. It can be downloaded. And it works in two languages: Russian and English.
I told you about the single authentication method in all corporate applications. We have an agent that allows an employee to no longer enter their passwords. Access to all corporate resources and web resources this agent is installed by the employee on their workplace.
And, when they launch the window for entering their data, this agent can intercept this session and enter the necessary data without the employee's participation. That is, thereby we can disable the employee's knowledge of the password.
Also we always highlight the remote access protection module with a separate slide. Because it's no secret that since the beginning of the pandemic and now, in the current realities, remote work has become very relevant. Many customers are transferring their employees to remote work, and employees can connect to the company's internal network from any device from outside. And the customer must be sure that such a connection will be secure, it will also be protected by a second factor or many factors of authentication. In this case, we close the need for secure access to the company's internal resources from the external network.
So, the question arises of who needs our product. We have 6 points on the slide. If at least 2 of them are suitable, you can safely go to the customer. For example, if an organization employs 100 or more employees, or a significant part of the employees are working remotely, or the branches are geographically distributed. We know such - we boldly go and offer our IАМ.
How to start a conversation with a potential customer? To help you, we have compiled a list of questions that you can use. These questions allow you, when you come to the customer, to identify their needs. Or vice versa, to plant in them the idea that something in their infrastructure is not right, and isn't it time for them to think about a product like IАМ?
Next. We know who the customer is, we know what questions to ask them, it's worth talking about the benefits of our offer.
The first obvious benefit is either the complete absence of passwords, or the knowledge of passwords by employees, but protection by a second factor or many factors. Attackers can obtain employee passwords, we know how sophisticated they are in approaching this issue. But, even if an attacker obtains an employee's password, they will simply run into a second factor or multi-factor authentication. They will not be able to obtain biometrics or a card in any way. Of course, we do not consider the case when an employee, committing intentional actions, intentionally transfers their card to an attacker. But, if we do not consider such an option, then the attacker will not be able to gain access to the employee's data.
The second benefit is that when an employee forgets their password, they no longer need to run, sign a memo with the boss, the main IАМ administrator can do this. They can change the password in the program, or completely cancel the password.
The slide shows the upcoming releases. These releases are planned for approximately the end of the summer. I will add that we have already added the ability to authenticate using Telegram from the upcoming releases. UTP- and push notifications can come there. For example, you can make it so that an employee receives a push notification and they only need to press the confirmation or rejection button when they try to authenticate.
The first interesting case is Domodedovo Airport. Here, the customer does not have their own stationary places for all employees. For such employees, they have installed a device like the one in the picture. It looks like a kiwi machine, through which we once topped up our mobile account. Such employees have their card, have a palm. They approach this device, attach the card, then the palm. The scanner scans the palm vein pattern. And, if everything is successful, the vein pattern matches, they are allowed into their work session, they can view confidential information about themselves, can write an application or perform other actions. What would happen if there was no second factor? Such an employee may lose their card. At best, this card will be found by their colleague. They will be able to log in with it, see, for example, the colleague's salary, can take some confidential information. But in any case, such a situation will not be critical for the company as a whole. If this card is obtained by an attacker, then they will be able to gain access to all information about the employee and about other employees of the company, and steal confidential information from the company.
The second case is interesting because the customer, Bank St. Petersburg, has all 3 of our products. Initially, the customer bought our IАМ for employees who travel to customers with their laptops and tablets. What can happen if an attacker gets such a tablet or laptop? Of course, they will be able to gain access to all information about the employee, about the company, and, even worse, about the customers of this bank. Of course, this is completely unacceptable. Here, the customer uses sms messages as a second factor, which come to the employee's mobile phone. If an employee has lost their laptop or tablet, they can always quickly contact their admin, explain the situation to them, and they will simply block all access for them.
This slide is about our customers. Of course, these are not all, but only those who have allowed us to tell about them. These customers are размещены у нас на сайте. You can read, they share their opinions and impressions about the implementations. And they also talk about the problems, why they decided to install our product.
About foreign competitors. I am sure that you all know them. And therefore, if you know that customers, for example, are running out of technical support, then you can safely offer them migration to us.
Our domestic competitors: Мультифактор, Аладдин, Аванпост. Мультифактор is a cloud solution. Аладдин and Аванпост, like us, are on-premise. What are our advantages? We have the most mature product on the market. Our product, like the entire company, is turning 15 years old. We have the largest number of supported authentication methods, our own mobile application.
The website shows the approximate cost of the products. Because our price list is closed. We provide prices only when filling out a questionnaire, an authorization form for a specific customer for a project.
Licensing – by the number of users and by integration modules. The minimum number of users – from 100. Licenses are срочные и бессрочные. Срочная лицензия - is when the customer buys a license for one year. It includes support for 12 months. Next year, the customer will need to buy the same package of licenses. Бессрочная лицензия remains with the customer forever. It includes support for 12 months. Next year, the customer will only need to renew support.
Indeed Privileged Access Manager
I will move on to the next product - Indeed Privileged Access Manager. Management and protection of privileged access by privileged users. The question arises, who are privileged users? There is a very informative slide «Categories of Privileged Users».
We have distributed privileged users by authority and by the peculiarities of work. This may be an external employee who, for example, has access to the customer's infrastructure, or it may be an authorized auditor who cannot make any changes to the customer's infrastructure, but can see confidential information and use it. For some customers, the financial director or accountant is considered a privileged user. But we are considering here administrators and contractors.
Here the customer has a problem. We know what can happen if an attacker gets the password of ordinary employees. This, of course, is not a good situation, but not critical. If an attacker gets the password of an administrator who has access to the entire infrastructure of the customer, then this situation becomes catastrophic. An attacker can collapse the infrastructure, can produce some incident, can stop production, i.e. cause irreparable damage to the customer's infrastructure.
Indeed Privileged Access Manager
The next problem is incidents. When an incident occurs in a company, a long process of выяснения is launched, what happened, who is to blame. Of course, incidents are resolved, but the root of the problem is not found, it is not clear why the incident occurred. Understanding all this, we have developed the product Indeed Privileged Access Manager. For ourselves, we here выделяем three main blocks of functions. The first block of functions is management of privileged users, the second block is control of privileged users, and the third block is fixing actions in various formats and further monitoring and analysis of these actions.
Also in our PAM, two-factor authentication is supported and the possibility of integration via syslog with our Russian IB systems.
I will tell you about one of the scenarios. The fastest and easiest. We have many supported protocols and connection scenarios. Let's imagine that I am a system administrator. I have a login and password with the lowest rights, literally for entry and exit. I enter my login and password, connect to my account, find the web console for PAM, download the RDP file from there, launch it, and with the help of this launch a connection to the access server occurs. At this moment, I am asked for a second factor. I must enter this factor. Then the access server checks all accesses, policies, and, if everything is successful, I am allowed to target applications, to web applications already as a privileged user, for example, admin1. That is, I get access to target applications not as an ordinary administrator, but as a privileged user. At the same time, I do not know either the login or the password of the privileged user. The main administrator, superadmin, manages everything with PAM. This may be an IT employee who will control the customer, this may be an IB specialist who controls themselves, it all depends on how the policy is arranged at the customer. They choose the scenarios for themselves. Such a main administrator, managing everything with PAM, assigns policies, assigns accounts of privileged users. For example, some administrator «Вася» will sit under admin2, and «Иван» under admin3, etc. Assigns which target applications this or that privileged user will have, and at what time they will be able to access these target applications, etc.
As soon as the administrator gains access to the target applications, the fixing and control of actions occurs. This is video recording, screenshots, recording in the blog, this is pressing keys. There is also the possibility to monitor in real time what the administrator is doing now? The main administrator receives a notification in the PAM console that there is now an active session or sessions. They can «fall» into one of the sessions and see what the administrator is doing there. If they do not like any actions that they consider suspicious, they can block this session. After blocking the session, the administrator will be kicked out of the system and they will receive a message that their session is blocked.
Also in PAM there is the possibility to prescribe forbidden commands. That is, if the administrator will try to prescribe some forbidden commands, their session will also be blocked.
By tradition, if 2 out of 6 points are suitable, then you can safely go to such a customer. For example, the organization employs 10 or more administrators, the administrator has remote access to the company's IT infrastructure, if these are data centers.
On the next two slides are questions that it makes sense to ask customers and what benefits IPAM gives.
It is clear that ordinary employees do not know the passwords of privileged users, they have access only to their account. If some incident occurs in the company, then you can see screenshots, logs and in a short time eliminate such an incident. The slide shows the releases planned for the summer of this year.
Literally in a month we will «move» to Linux, all OS of this system will be supported. Case Federal Ministry.
Here the customer forbade talking about themselves, but employees of this ministry use fingerprint as a 2nd factor. The next slide shows foreign products that IPAM can replace.
The next slide shows the advantages of IPAM over competitors.
We have the best combination of price and quality on the market. We have all our own components. Despite the fact that we received the FSTEC certificate, we nevertheless did not raise prices.
The slide shows the approximate cost of IPAM projects.
IPAM is licensed by the number of users. A limited number of users can generate an unlimited number of sessions, therefore there is also a limit on the number of simultaneous connections. Licenses are срочные и бессрочные.
ICM is the centralized management of the public key infrastructure and digital certificate tokens. There are customers who have their own certification centers or a large number of employees with their electronic signatures and certificates.
These certificates need to be controlled. You need to monitor when these certificates expire. If an employee's certificate has expired, they need to urgently go to their administrator, insert their token into their computer and reissue the certificate. We have developed Indeed Certificate Manager, which automatically collects information about what certificates users have and in semi-automatic mode can issue such a certificate.
We support 3 certification centers: КриптоПРО, Microsoft CA and Валидата УЦ, support smart cards from third-party manufacturers: Рутокен, JaCarta, ESMART and others on the slide. Accordingly, there is an employee's personal account and there is an administrator's console.
The administrator has a console where they see all the certificates, they can manage them, they can reissue them, transfer certificates from one physical token to another, they can configure notifications about important events. You can allow an employee to reissue their certificate themselves.
Now on home
