IT security

Authentication and identity management

The basis of information system security is thorough verification of employees' identities (authentication), followed by the assignment of permissions to access ICT/IS resources (authorization). The most common authentication method is the password, which in turn requires mastering the processes that generate, change and handle passwords (the so-called password policies).

The first important prerequisite for such a system is a proper Active Directory implementation, starting with a well-designed group structure and a system for assigning authorizations that is tied to the processes used to manage human resources and to the asset protection system. An integral part is the directory management process, done either manually or, preferably, through an intranet form that can also apply the required changes (entries in Active Directory) automatically, based on a request issued by, for example, the HR department. For larger customers we can integrate this system directly with the HR information system into one consistent workflow.

For key IT systems, or for granting access in general, a simple password is not sufficient. A more secure multi-factor authentication process is needed, using one-time password generators (hardware tokens or a mobile phone), biometric identifiers (e.g. fingerprints) and a PKI infrastructure.
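How a one-time password generator of the kind mentioned above produces and checks its codes, as an added example written for this page (it is not code from the page's suppliers): the time-based OTP algorithm of RFC 6238, built on RFC 4226 HOTP, in Python using only the standard library. The shared secret below is the RFC's published test key, used so that the outputs can be compared with the RFC's own vectors; the drift window, the replay check and the constant-time comparison are the server-side details the paragraph does not spell out.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 test secret (published in the RFCs; obviously not a real secret).
TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, last_counter: int = -1):
    """Server-side check of a submitted code.

    Accepts the code for any time step within +/- `window` steps of the
    current one (tolerates token clock drift), refuses any step that has
    already been consumed (`last_counter`, which the server must persist
    per user, is what stops replay of a sniffed code), and compares in
    constant time.  Returns the accepted step number, or None.
    """
    if not code.isdigit():
        return None
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_counter:
            continue
        expected = hotp(key, candidate, len(code))
        if hmac.compare_digest(expected, code):
            return candidate
    return None


if __name__ == "__main__":
    # Values from RFC 6238 Appendix B (SHA-1 mode).
    print(totp(TEST_SECRET, 59, digits=8))                          # 94287082
    print(totp(TEST_SECRET, 1111111109, digits=8))                  # 07081804
    print(verify_totp(TEST_SECRET, "287082", 89))                   # 1 (one step of drift tolerated)
    print(verify_totp(TEST_SECRET, "287082", 89, last_counter=1))   # None (replay refused)
```

The point a practitioner should take from the verifier: a code is valid for a whole time step plus the drift window, so the server has to remember the last step it accepted for each user; without that, the same code can be replayed until the window expires.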

Comprehensive business solutions (not only for IT) using positive identification are built on chip cards (so-called SmartCards), or on combined cards equipped with a security chip holding PKI credentials and a passive RFID circuit for contactless access control. These cards cover a wide range of uses: identification for the information system, attendance and catering systems, building access control (replacing ordinary keys), material check-out, etc. We supply this solution together with integration into ERP systems and with follow-up applications produced by other companies.

Part of this area is also the question of how to verify whether stations accessing the network comply with the requirements of the relevant security policy (so-called Network Access Policies). We also implement the corresponding NPS servers, authentication on active network elements according to the 802.1X standard, and other subsystems.

Our solutions are based on the Microsoft platform and use RSA authentication systems and Gemalto chip cards.

Protection against malicious codes

The most common security attacks include viruses and the generation of junk e-mail, so-called spam. We mainly supply Intel McAfee solutions for protecting file and mail servers, the Internet interface (data flow) and end-user stations, where protection against hidden software, so-called adware and spyware, is required as well. Anti-malware protection of virtualized server and VDI environments and of databases, including SharePoint environments, is also useful. An inseparable part of the implementation is bringing up central management, automatic updates of virus signatures, and remediation of infected systems.

Protection against attacks

A targeted attack against an information system is the most dangerous type of disruption. Such an attack usually focuses on the interface between the internal company network and the Internet. Attacks may be anonymous (e.g. overloading the interface, a denial of service) or may aim to obtain illicit authentication. Finally, an attack may originate from within the company itself, carried out by a validly authorized user. Such an attack is usually underestimated, yet it poses a much greater risk.

Protection systems against attacks have recently evolved from originally standalone components placed in a serial chain into two topologies:

  • Next Generation Firewall (NGFW): a very powerful border element with a large number of features, which offloads specialized and performance-intensive functions (HTTPS inspection, proxying, e-mail filtering) to dedicated SWG (Secure Web Gateway) and SEG (Secure Email Gateway) appliances, and
  • Unified Threat Management (UTM): an all-in-one solution with full functionality in a single box, suitable for SMB/SME environments of up to about a thousand users.

We offer both technologies: NGFW from Cisco Systems and Intel McAfee, and UTM from WatchGuard.

Data privacy protection

The huge increase in the use of mobile devices (laptops, handhelds) and portable storage media (flash drives in particular) makes protecting the data on these devices against unauthorized access or loss an even bigger problem. Similarly, the ever-growing volume of data transmitted over the insecure public network increases the risk that communications or data, such as e-mail messages, will be read or modified without authorization.

Therefore we also offer data encryption solutions for local devices and shared files, protection against unauthorized tampering, and encryption of data transferred by e-mail (PKI, certificates, digital signatures).

Protecting the health of the network

This area deals with preventing or limiting client access to the network at the nearest active device. The switch or Wi-Fi access point verifies the client's identity and also its fitness to operate in the corporate network. Depending on the configured policies, it can allow access solely on the basis of user authentication in Active Directory, or additionally check whether the station has security updates and antivirus installed, along with other attributes whose absence could impair the health of the network environment. A client that fails any of the policies is redirected into a quarantine network, where it is either remediated or disconnected from the network. A node without valid user credentials gets no network access for any communication at all.

The solutions are based on the IEEE 802.1X standard; the particular implementation is then Microsoft NAP (Network Access Protection) or Cisco ISE (Identity Services Engine).
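The policy decision described in this section and in the earlier paragraph on Network Access Policies, as an added example written for this page (it is not code from Microsoft NAP or Cisco ISE): a policy server evaluates one client's 802.1X authentication result and its reported health state, then returns the RADIUS attributes with which the switch or access point enforces the outcome. The attributes are the dynamic VLAN assignment of RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN name or number). The VLAN numbers, the client records and the list of health checks are constructed for the illustration; `enforce_health=False` corresponds to the "authentication only" policy the text mentions.

```python
from dataclasses import dataclass

# Constructed for this example: VLANs the switch is expected to know.
PRODUCTION_VLAN = "100"
QUARANTINE_VLAN = "900"   # reachable only to remediation servers (update and AV servers)

# RFC 3580 values used for dynamic VLAN assignment over RADIUS.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass
class ClientState:
    """What the policy server knows about one supplicant after EAP and the
    health statement it sent (constructed shape, not a real NAP/ISE record)."""
    user: str
    ad_authenticated: bool      # EAP (e.g. PEAP-MSCHAPv2) against Active Directory succeeded
    updates_current: bool       # security updates installed
    antivirus_running: bool
    av_signatures_current: bool


# Health requirements, in the order they are reported back to the client.
HEALTH_CHECKS = (
    ("security-updates", lambda c: c.updates_current),
    ("antivirus-running", lambda c: c.antivirus_running),
    ("antivirus-signatures", lambda c: c.av_signatures_current),
)


def failed_health_checks(client: ClientState) -> list:
    """Names of the health requirements the client does not meet."""
    return [name for name, ok in HEALTH_CHECKS if not ok(client)]


def vlan_attributes(vlan: str) -> dict:
    """RADIUS attributes telling the switch which VLAN to place the port in."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": vlan,
    }


def access_decision(client: ClientState, enforce_health: bool = True) -> tuple:
    """Returns (radius_code, attributes, reasons).

    No valid credentials -> Access-Reject: the port stays closed to all
    traffic.  Authenticated but unhealthy -> Access-Accept into the
    quarantine VLAN, where the client can be remediated.  Healthy, or
    health not enforced -> Access-Accept into the production VLAN.
    """
    if not client.ad_authenticated:
        return "Access-Reject", {}, ["authentication-failed"]
    failed = failed_health_checks(client) if enforce_health else []
    vlan = QUARANTINE_VLAN if failed else PRODUCTION_VLAN
    return "Access-Accept", vlan_attributes(vlan), failed


if __name__ == "__main__":
    # Constructed sample clients: healthy, stale, and unauthenticated.
    for c in (
        ClientState("alice", True, True, True, True),
        ClientState("bob", True, False, True, False),
        ClientState("guest-laptop", False, True, True, True),
    ):
        code, attrs, why = access_decision(c)
        print(c.user, code, attrs.get("Tunnel-Private-Group-ID"), why)
```

Note that quarantine is still an Access-Accept: the port opens, but only into a VLAN whose routing and ACLs reach the remediation servers. A client with no valid credentials never gets that far, which is the "no access for any communication" case in the text.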