ROSA Control Center and Dynamic Directory: centralized infrastructure management

Today's agenda:

  • How to seamlessly coordinate and effectively manage a large number of different components of an organization's IT system, using import-independent products that can replace foreign counterparts: Microsoft Active Directory, Microsoft System Center Configuration Manager, and Microsoft Windows Server Update Services.
  • A discussion of the key features of ROSA Control Center and Dynamic Directory, with comparisons to foreign counterparts.

Nikolai Dovzhenko, Technical Consultant for Sales Support Solutions at STC IT ROSA, began his presentation by suggesting a discussion about centralized management solutions from STC IT ROSA. ROSA is engaged in the creation and development of infrastructure and system software so that companies can build an effective infrastructure.

We have been on the market since 2010 and have sufficient expertise to meet companies' needs for IT products. Let's start with our product portfolio. It consists of the following operating systems: ROSA Chrome, ROSA Barium, ROSA Cobalt, and ROSA Mobile, as well as a platform for centralized management of operating systems and access: ROSA Control Center and Dynamic Directory. The portfolio also includes the ROSA Virtualization virtualization environment and the hybrid and virtual environment management system, Resource Manager.

In the slide above, we can see which foreign products we are replacing. These include operating systems, virtualization systems, and centralized IT infrastructure management systems for companies. Since today we will be talking about centralized management, a few words about the goals and objectives that centralized management covers.

What centralized management achieves is, first, support for business continuity. Why is this important? Because even the slightest downtime for a company means financial and reputational losses. Ideally, of course, these costs should be minimized. Next is increased efficiency: here, monitoring and reporting help us use resources more effectively. Then, of course, there is improved service quality, based on all sorts of metrics about the state of the IT systems and the end ARMs (automated workstations) within the company. Next, there is scalability support: any IT infrastructure, to be effective, must be able to scale quickly and efficiently to meet the needs of a growing business.

What other goals and objectives are there? Improving update management. If the workstations in our company are used intensively and are not updated in time, this means security gaps and the unavailability of updated functions, which accordingly reduces the efficiency of the employees working at the end devices. Also, optimizing IT infrastructure costs, and a high level of response to incidents that have occurred, along with their prevention.

In this slide, we can assess which products of our company replace which foreign products. Dynamic Directory is a domestic directory service management system; it replaces Microsoft Active Directory, which many companies still use at the moment; they are used to the conveniences that this product has. Also, "ROSA Control Center," this platform is more suitable for managing end ARMs. It allows you to manage the configuration of both ARMs and operating systems on them. And it also helps to manage the distribution of software and its updates. Our system is based on free open source software. And our products are adapted for use by Russian customers in the Russian market.

We will dwell on this slide in more detail, because I often encounter the objection that a similar solution can be assembled from free software completely free of charge. Yes, you can assemble similar software, but, firstly, it will not pass FSTEC certification, it will not be in the Register, and it will be unsafe, because passing all these procedures requires a lot of human resources and a lot of money. That is the legislative side. Now the technical side. Our developers constantly check the code and applications, and the packages of each application, for all sorts of malware, vulnerabilities, and backdoors. Doing the same with all the code of free software requires a lot of resources. And if you calculate all these costs, purchasing a ready-made solution is much more profitable than creating one from scratch.

Directory service management systems: Dynamic Directory

The directory service management system is needed to manage access within a large company: that is, division by departments and division of access to printers, cameras, and other office equipment.

Who needs a directory service management system? Firstly, it is needed by IT specialists. Because this management system, access management, allows you to create a single IT catalog that contains key information about the company's resources, such as computer parameters, printer parameters, for which departments computers or printers are intended, and accordingly, which structure they belong to.

Everything is carried out under control, centrally, and distributed across all departments. Next is setting up automation of access rules and collaboration; here we are already talking about access policies. We can centrally set the necessary access rules through our system, as well as through a single document repository. Almost everywhere, a company has some kind of common internal cloud, which is divided into folders by departments. A department that does not own a folder should not be able to use that folder or the documents in it. So, with Dynamic Directory and its access control, we can also manage these security aspects centrally.

Also, the directory and access management system is necessary for IT managers. With the help of the directory service, managers will be able to track all ARMs, their status, and, accordingly, access to the company's resources in a single space. The second point is saving time searching for the necessary objects in the local network. That is, when everything is divided into folders, by departments, by access, it is much easier to search for all this and distribute access than if it were all in a common folder. Firstly, the search will take too much time. Secondly, each employee will be able to use each file and document, which is absolutely unsafe and ineffective.

Untimely computer updates are a security breach and a failure to receive some new functions specifically on the end ARMs. With the help of Dynamic Directory, we can also set update policies for end ARMs and use the company's resources more effectively.

Using documents on any PC: thanks to the directory service, once an account is created, we can log into it and authenticate on absolutely any ARM within the company.

If our users work in shifts, then you can use two accounts on one PC, and access rights are easily configured in a single window mode.

What advantages does the Dynamic Directory directory service management system give us? Firstly, the functionality of Dynamic Directory is as similar as possible to Microsoft Active Directory. The visual interface is also as close as possible to the Microsoft Active Directory interface. This is done so that administrators who have previously worked with Active Directory can switch to Dynamic Directory quickly and at lower cost. Also, our product offers the ability to use individual subsystems of Dynamic Directory independently, and an extended API for adding all sorts of additional services, such as additional monitoring. And what is also important is that all services are developed on the basis of Russian software, which would also be impossible when creating a similar product from Open Source projects.

Next, we will compare the Open Source project with the Dynamic Directory system. FreeIPA out of the box does not support a hierarchical structure of organizational units, that is, exactly the structure we are all used to in Active Directory. Dynamic Directory has this function. Support for delegation of rights within the hierarchical structure of organizational units is also important: this function provides more flexible transfer of rights within the company's organizational structure, which significantly saves time. Also, support for the prohibitive access model: since there is no support for the hierarchy, the prohibitive access model is also not implementable in FreeIPA. We have this functionality. Next, support for managing the DHCP server through the web interface, which increases ease of use. Support for extended attributes, as well as shared printers and folders; this functionality increases the security of interaction within the company, because it differentiates access. Support for managing analogs of group policies. And another important function is support for applying analogs of group policies on the end device: that is, before applying an access policy, the administrator can check it without affecting the real infrastructure.

The main difference between Dynamic Directory and Microsoft Active Directory

The main thing is that support for forests is not yet implemented by any of the vendors at the moment. We plan to implement support for this function at the end of 2024, according to the roadmap. Authentication in the domain is possible only with the Kerberos protocol, because even NTLM in the Linux environment is recognized as unsafe. FSTEC has stated that NTLM should not be used, as it is unsafe.

Unique functions of Dynamic Directory

There was a question about operating system support. Yes, we can work with all domestic operating systems right out of the box.

That is, ROSA, Astra Linux, RED OS, and Alt Linux. Another unique function is the ability to delegate rights based on organizational units. That is, in our directory service management system, rights can be delegated from one employee to another, and so on: the administrator can transfer rights to the next user, and those users, within their powers, can transfer rights to the next user, so the administrator does not have to manually transfer rights to 10,000 users each time.

Also, the number of group policy parameters currently in the delivery package is about 1500, and this value is growing, and the policies are also being finalized.

Here we can take a closer look at our roadmap for the development of Dynamic Directory. Take the third quarter: this is the management of DHCP services from the graphical interface and also from the console interface. Two-way trust relationships are planned for the third and fourth quarters of 2024. It is also planned to add support for the SaltStack orchestration system.

About our implementation experience: you can see quite large numbers on the slide. Even in the Russian Railways project, this is 16 data centers, one main data center, approximately 100 servers, and 34 directory service servers. This is quite a lot. For users of this installation, we did not just deploy it from scratch, that is, deploying it from scratch is quite easy. We migrated more than 10,000 users, and accordingly, the entire installation that was organized also functions to this day.

We also implemented a fairly large-scale project at MEPhI, which is the replacement of Microsoft Active Directory. And accordingly, this project also functions to this day and does not cause any complaints.

ROSA Control Center

ROSA Control Center is a platform for centralized management of ARMs, operating systems, and also a private cloud within the company. ROSA Control Center is a single platform for managing the life cycle of operating systems and software on them.

What functionality does ROSA Control Center have? Deployment of operating systems and applications in physical, virtual, and private clouds. Managing the updating and configuration of software on ARMs, and managing content, that is, updating applications, packages, and so on. Monitoring and reporting on the status of systems, both hardware and virtual, when we need to install packages, and also the fill level of, for example, system disks. Another functionality is service options: here we can set options for updating ARMs, updating individual packages, and integrating with external systems in an automated mode.

Just like in Dynamic Directory, in ROSA Control Center, we have an open API that you can add and integrate into your systems, for example, monitoring. The graphical interface of ROSA Control Center is a fairly simple and intuitive user interface, to which administrators of companies also quickly adapt based on feedback from our partners.

In the graphical interface, we have a single window for infrastructure management and monitoring. The administrator can move and replace the tiles presented on the initial tab, and add new ones, specifically for ease of use. The graphical interface also makes it possible to stay aware of events in real time, which also increases the efficiency of use, and shows various facts about the state of ARMs: software, hardware, operating systems, and applications.

Reporting, in turn, allows you to respond in a timely manner to incidents within the infrastructure. ROSA Control Center also allows you to manage repositories. This is relevant for enterprises with a closed loop, where there is no Internet access. The repository is a single place to store software in a company with a closed loop. As a result, this greatly reduces the risk of accidental deletion or modification of files by the administrator or users. It also helps to manage versions within the local repository, because in the global repository, the software version may change, but for some reason it is not applicable in the current infrastructure. So, the administrator can manage this function and leave exactly the version that is necessary for use within the company on the local repository. Also, content management allows you to unify and standardize the update process, that is, all ARMs of the company will receive the same version of the software.

There is also such functionality as deployment automation. Such deployment helps to save time and to reduce the human factor in terms of errors.

ROSA Control Center helps to deploy systems on hardware and on virtual private clouds, and to manage systems that were not deployed through ROSA Control Center. That is, if your company has PCs (ARMs) on which, for example, RED OS is installed, then through the "Search" tab ROSA Control Center detects these ARMs, and the administrator can add ARMs that have not yet been added to the system and manage them as well. Automation is also possible using Ansible roles and Puppet manifests.

Update management allows you to create lists of systems that require updating. That is, in an automated mode, the administrator can track systems and receive notifications about those that should be updated in order to close vulnerability gaps and add updated functionality. It is possible to group hosts according to various criteria: grouping end ARMs by departments for ease of administration, or by memory, processor state, amount of RAM, and so on. That is, there are a lot of criteria and possibilities. This gives a quick response to the need to update a system in order to keep it always up to date.

The architecture of the Control Center consists of the main control center and also subordinates. That is, the main control center is mainly engaged in certification, and accordingly, subordinate servers are engaged in managing end devices. There is also the possibility of managing local repositories to minimize all sorts of confusion with versioning for closed loops of companies.

About the deployment of end ARMs. The ROSA Control Center system can detect computers, even if they have not been connected to ROSA Control Center before. This allows you to load operating systems onto ARMs via PXE, and this accordingly gives you the ability to manage these systems centrally.

Not everyone is using Linux now, so it is necessary to simplify the transition from other operating systems to domestic secure OSs. So, ROSA Control Center also allows you to migrate to domestic operating systems.

The Control Center collects data about users and saves it on the server. Next, the Russian operating system is also installed centrally, then the ARM is profiled, that is, all sorts of applications are added at the time of installation so that the administrator does not manually install all sorts of applications and services after installing the OS, which significantly reduces the administrator's working time and the time for deploying and configuring the operating system for specific tasks of the employee. And then there is also an automated restoration of user data on the end device.

Roadmap for ROSA Control Center for 2024. In the third quarter, we plan to add to the version control channel, expand the ability to manage end ARMs, control and analyze the state of behavior of an object or process in the operating system for more flexible tracking of user and system actions and to improve security. Integration with hardware infrastructure monitoring, that is, for more flexible tracking of the physical state of computers. Porting management functions, expanding the monitoring capabilities of the status and managing the rules of reaction to events. Here, the system will be able to react to all sorts of incidents in a semi-automatic mode. And, of course, expanding the number of supported systems for controlling and analyzing the state of the system itself.

A few calculations based on feedback from our clients, that is, the effect of implementing centralized management. Unplanned downtime is reduced by 75%, because there are fewer human-factor errors and less downtime caused by software not being updated in time or by software missing from the employee's PC that has to be installed manually. The productivity of the IT department increases by 30%, because IT specialists do not have to administer ARMs manually; all this is done centrally in a single window mode. The deployment of new operating systems also increases by 70%, because it also takes place centrally, and all additional configuration, that is, all sorts of services and applications, can be installed at the time the operating system is installed. The company's operating costs are reduced by 28%. Unplanned downtime is 75% less compared to the absence of centralized management; here we are talking more about managing end ARMs, not about managing the directory service. If we talk about the directory service section, then here we also have 75% less downtime, because in the absence of a directory service system we have a very large warehouse of company files to which every employee has access. There is no structure, and using all sorts of documents and files takes quite a lot of time. When it is structured, it takes much less time, and downtime connected with searching for the necessary information or file is greatly reduced.