Enterprise identity authentication and access security solution
Industry pain points and needs

Identity and access management (IAM) is an important part of any enterprise security plan because, in today's digital economy, it is inseparable from enterprise security and productivity. Stolen user credentials are often the entry point to the enterprise network and its information assets. Enterprises use identity management to protect information assets from the growing threat of ransomware, criminal hacking, phishing and other malware attacks. Cybersecurity Ventures predicted that the losses caused by ransomware worldwide would exceed US $5 billion in 2017, an increase of 15% over 2016. In many enterprises, users sometimes have more access than they need to do their work. A robust IAM system can enforce user access rules and policies and add an important layer of protection across the whole enterprise.

The Sarbanes-Oxley Act stipulates that companies are responsible for access control over customer and employee information. The recently issued General Data Protection Regulation (GDPR) sets stricter requirements for security and user access control: enterprises must protect the personal data and privacy of EU citizens, which affects every company doing business in the EU or having EU citizens among its customers. The basic requirements of classified protection also include corresponding identification requirements. Businesses operating in mainland China and the European Union, and companies listed in the US, all need to comply with the above acts and regulations.

Industry demand

Palladium summarized the pain points encountered by enterprises in identity authentication and access security as follows:

1. Many application systems are independent of each other, forming information silos that are complex to manage and hinder security control;

2. Multiple authentication methods coexist, and there is no unified authentication management platform;

3. There is no unified account management platform; account creation, permission changes and account deletion across multiple application systems are done manually, which is not only inefficient and time-consuming but also prone to omissions, leaving potential access risks;

4. A unified enterprise portal is needed that, combined with single sign-on, gives fast and convenient access to business resources;

5. Employees need to memorize accounts and passwords for multiple application systems, which leads to weak passwords that are easily brute-forced or hit by credential stuffing in production;

6. The security level of business systems is uneven, and remediating code vulnerabilities is difficult and costly;

7. There is no means of auditing employees' access to business systems.

Our solution

The Palladium identity authentication and access security management system (IAM) is used to define and manage digital identities, securely control their authentication and authorize them to use specific resources. It ensures that digital identities are properly maintained, adjusted, controlled and monitored throughout the "access life cycle", and provides customers with tools and techniques for modifying user identity roles, tracking role activities, creating user activity reports and implementing management policies.

IAM supports flexible modular deployment. Enterprises can choose among the following subsystems according to their actual needs to build an enterprise platform covering "enterprise unified portal", "application single sign-on", "centralized account control", "authentication access authorization management" and "unified audit traceability and threat analysis".

Application security management and control system (IAM-CASB)

IAM-CASB consists of one basic module and two extension modules:

Single sign-on management module (IAM-SSO)

IAM-SSO provides single sign-on for the accounts of HTTP/HTTPS business systems without any secondary development of those systems. Multi-factor strong identity authentication can be configured uniformly for each business system on the IAM platform, including RADIUS, AD, LDAP, OTP, digital certificates, SMS, WeChat, fingerprint, etc.;

Application account management module (IAM-ACM)

The IAM-ACM module establishes a centralized account management system and implements effective life cycle management policies for user accounts. Additions, deletions and modifications of business system accounts caused by personnel changes need only be managed through IAM. On top of centralized account management, it establishes a centralized account authorization system and the access relationships between authorizers, applications and resources; it supports periodic automatic modification of business accounts, eradicating the problem of weak passwords;

Application security hardening module (IAM-WVP)

IAM-WVP builds a whitelist model of all business file paths and business parameters using a fine-grained signature library and its proprietary dynamic "whitelist" modeling technology, eliminating the tedious work of hardening parameters in the source code;

Operation and maintenance security management system (IAM-SMS)

Supports a wide range of operation and maintenance protocols and tools, extends multiple multi-factor identity authentication methods, and provides unified, rational division of permissions, centralized access control, single sign-on, automatic account and password filling, seamless application publishing, mobile operation and maintenance, and distributed clusters, so that compliance requirements can be met quickly;

Security policy control system (IAM-SCM)

IAM-SCM uses TCP five-tuple control to prevent business personnel from bypassing the IAM platform and accessing business systems directly. It supports two modes: inline deployment and out-of-band (bypass) deployment. Bypass deployment can also achieve a 100% blocking effect, and can effectively control connections initiated by intranet hosts to external service ports;

Audit traceability and threat analysis

The IAM platform keeps comprehensive audit records of enterprise business personnel's access to OA, ERP, CRM, HIS/BOSS and other systems, records business form information, accessed URLs and so on in a standardized way, and generates e-mail and SMS alerts for logs that trigger security policies. It displays and analyzes all delivery information at both the operation-and-maintenance level and the business level of the enterprise in a unified way, and can trace the whole business delivery process of IAM users. This helps enterprises protect confidential information, continuously improve their information system management, and meet compliance and best-practice requirements.

Deployment mode

Customer Benefits

1. Establishes a unified application security delivery platform for customers, provides a unified operation entry point for core business systems, and implements single sign-on. All business and operation and maintenance personnel first log in to the IAM platform before operating on the systems, achieving unified identity management.

2. Users' use of resources in the business systems is allocated rationally, so that different users have legitimate access to different resources, and illegal and unauthorized access are eliminated. Each business user's permissions are effectively controlled, with policies fine-grained down to the accessible devices and the available system accounts and application accounts.

3. The operations of business personnel are completely recorded by the Palladium IAM platform, which not only meets the audit requirements of regulatory authorities but also provides technical support for investigating incidents caused by misoperation and illegal operation.

4. Provides effective audit reports and original, accurate operation log records for regulators, which helps improve the organization's IT internal control and external audit systems and enables the organization to pass IT audits.

Classic cases
  • 中冶重工
  • 中国南方航空
  • 恒生电子
  • 奥克斯集团
  • 德邦物流
  • 北京福田戴姆勒汽车
  • 上汽集团
  • 广汽乘用车
  • 广州地铁集团
  • 世茂集团
Copyright © 2019 All Rights Reserved Designed
Hangzhou pldsec Network Technology Co