The story of how the “non-copyable” token changed the concept of working with keys

“Throwing pebbles into the water, look at the circles they form; otherwise, such throwing will be empty fun.” Perhaps it was this particular wisdom of Kozma Prutkov that guided the management of our company when it completely changed the way we work with access keys to resources and documents.

IFNS token: convenience or headache?

This story began when the management of our company decided to obtain an EDS from the Federal Tax Service. With this signature you can file tax returns, send documentation to government agencies, accept government orders, work with EGAIS, and so on. There is one caveat, though: the key cannot be copied. We did not pay much attention to this at the time. As it turned out, that was a mistake.

As long as you stay within the “textbook” business processes, you do not need any copies. One person has the right to sign, so the token must be with that person. When they go on vacation or fall ill, they hand the key over to a deputy. The important point is that at any given time there can be only one “owner” of the corporate EDS.

In practice this does not always work. For example, our company has two owners with almost identical rights, plus a remotely working chief accountant. One needs to sign a report, another an agreement, a third has to go into EGAIS…

Constantly passing a token from hand to hand is a very bad option. We gave up on it within a week and began to look for another method.

Our choice is a USB over IP router

Solutions built on “USB over IP” technology allow you to connect various USB devices remotely, tokens included.

We did not spend long looking for a solution. Strategically, our company is focused on import substitution, since we have long learned to consider risks, political ones included. There are more than enough examples of how suddenly imposed sanctions can seriously damage a business. So a Russian-made “USB over IP” router was the only option.

Additional conveniences were also taken into account: the ability to test the device in advance, technical support in Russian, and so on. Besides, by the price/quality criterion the Russian model looks preferable to the others.

With the fundamental decision already made, it only remained to choose the number of ports. The developers offer 16, 32, 48 and 64. And this when we needed to make just one token remotely available.

Under these conditions the management made a paradoxical decision: to buy the top-end model with 64 ports. Practice has shown that the choice was correct, and not only because the cost per port in the top-end model is the lowest.

A crutch or a paradigm shift?

The fact is that besides the IFNS key we also have other tokens, for example for access to internal resources. These can be copied, and we took advantage of that. In other words, the current problem concerned only one key, and its solution required what programmers call a crutch.

The attitude towards this way of solving problems is fully captured by its name. One crutch inevitably leads to the next, and there is no end to it. Our management understood this very well and did not approve of such methods, especially when other options exist.

So it was decided to stop issuing tokens to individuals altogether and gradually switch to a remote model. The main advantage of the new paradigm is full control over how keys are used.

Transition Practice

The plan was as follows. The IFNS token was connected to the router right away. Access to it was granted to the owners and the chief accountant. Later the head of the sales department, who often stood in for one of the business owners, was added to this list.

There were no particular problems with this. The circle of people was limited from the start, and all of them are quite disciplined and take their work responsibly.

The next step, however, took us a long time to plan. We chose the token that grants access to the contracts directory. Eight copies of it had been produced in total, held by the heads of the commercial divisions. They, in turn, lent the keys to their employees who worked with the documentation.

At first we wanted to try some kind of hybrid scheme: all physical keys stayed with the employees, and in parallel one token was connected to the “USB over IP” router. But a smooth transition did not work out: the employees preferred their usual way of working.

Therefore all physical keys were withdrawn. We formed groups with access to this token out of all employees of each department. Why everyone? Because the heads of departments had not kept records of the keys they issued and found it difficult to produce a ready list for the groups.

A week later the administrator looked at the log files and removed from the groups those employees who had never used the token during that time. Only those who obviously needed access remained. Later the composition of the groups was adjusted, but strictly according to a memo from the head of the unit.

Once things settled down, the heads of departments were delegated group administrator rights. All their actions were tracked by login, which helped to quickly detect and correct possible errors.

Other departments were connected in the same way. To avoid confusion, each group saw only the keys it was allowed to access.
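The review step described above (grant access to the whole department, then prune everyone the logs show never touched the token within the review window) as an added example; this is not the original post's code or any router's software, and the log format, login names and token names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not any real router's output):
# "<ISO timestamp> user=<login> token=<token name> action=<connect|disconnect>"
SAMPLE_LOG = """\
2023-03-01T09:12:04 user=ivanov token=contracts action=connect
2023-03-01T09:40:11 user=ivanov token=contracts action=disconnect
2023-03-02T10:05:30 user=petrova token=contracts action=connect
2023-03-03T14:22:09 user=sidorov token=ifns action=connect
2023-03-04T12:30:00 user=orlov token=contracts action=connect
2023-03-06T08:55:47 user=petrova token=contracts action=connect
2023-03-15T11:00:00 user=kuznetsov token=contracts action=connect
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) token=(\S+) action=(connect|disconnect)$")


def parse_log(text):
    """Yield (timestamp, user, token, action) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def review_group(members, token, log_text, window_start, window_days=7):
    """Keep only members who connected to `token` inside the review window.

    Returns who stays, who is pruned, and logins that connected without being
    in the group (a sign the group-to-token mapping itself needs checking)."""
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(days=window_days)
    active = set()
    for ts, user, tok, action in parse_log(log_text):
        if tok == token and action == "connect" and start <= ts < end:
            active.add(user)
    members = set(members)
    return {
        "keep": sorted(members & active),
        "prune": sorted(members - active),
        "unexpected": sorted(active - members),
    }


if __name__ == "__main__":
    # The contracts group as initially formed from the whole department.
    group = ["ivanov", "petrova", "smirnov", "kuznetsov"]
    print(review_group(group, "contracts", SAMPLE_LOG, "2023-03-01"))
```

Anyone in `prune` is removed from the group; anyone in `unexpected` is worth a question to the department head before the group is delegated to them.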

Once the procedure had been worked out, migrating a department from physical copies to network access took at most ten days, during which all the working issues could be resolved.

Finally it was the turn of the permanent and temporary groups made up of employees from different departments. The scheme was essentially the same, except that administrative rights were not transferred to anyone: in such teams it was hard to single out a person in charge.

So, starting with one “non-copyable” token, we completely changed the concept of working with access keys. The “USB over IP” router allowed us to stop producing duplicates altogether and to streamline a number of the company's critical business processes.
