Control and management of privileged users

Transcription

1 Control and management of privileged users The secure solution for monitoring and recording privileged users

2 Visulox The complete Access Management Solution ToolBox Solution GmbH, established in 2003, developed Visulox to provide secure, monitored, remote access to allow organisation to conform to compliance regulations. Uncontrolled Zone Controlling Gateway Inner Security Zone The Visulox solution ensures that critical services can be managed remotely, by privileged users, in a secure, controlled and monitored way. Visulox can record all interaction with critical services providing complete audit information and, where necessary, verifiable evidence. Visulox forms the interface between the privileged users and the applications and servers in the data centre. However, integration of Visulox does not require any changes to be made to the application servers or client devices. The Visulox solution provides secure, monitored remote access for global organisations including; governments and the finance, manufacturing and telecommunication industries. The Visulox system Control Gateway ensures that secure remote access from the Uncontrolled Zone to the Inner Security Zone (data centre) is only available to privileged users. No data or applications are required to be installed on the client, therefore, sensitive data remains in the Inner Security Zone at all times.

3 Visulox Access Management flexible secure documented Visulox Access Management provides the ability to monitor, administer and centrally control the remote access services of the Visulox suite. Allowing the definition and control of access authorisations, along with the ability to assign role and rule-based rights to user groups and individual users. Access Times Fixed times (e.g. weekdays from 0800 to 1800) Specific times (e.g. on from 0800 to 1200) Project based access (e.g. 40 hours) Access Rights Applications (which applications may be used) Data Transfer (which data may be transferred) Access Rules: Options include: Record/Store the session as a film Key Stroke Recording Report Generation Two-Factor Authentication ( / SMS) Dual Control Mode Task Ticket Assignment Data Transfer Security access can be defined as individual user level and/or be role based. Role information can be stored and retrieved from organisations user directories (AD, LDAP). An existing interface allows other authentication mechanisms to be integrated into Visulox.

4 Visulox File Transfer Secure Internet Access Visulox ensures that IT employees and service providers, connected via remote means, can carry out data transfers (uploading and downloading of files) according to the rules of the Security Policy. All transfers are monitored and logged by Visulox, even activities such as cut & paste, to ensure security and transparency. Incoming and outgoing data pass through an Inspection Zone before they are forwarded. This process limits risk, as all data reaches the applications servers in a controlled way. Visulox checks and documents the sender, recipient, location and time, along with information concerning the data content and/or file types (e.g. executable files) to be transmitted. Visulox automatically saves the incoming and outgoing data in encrypted form. Data can also be traced and retrieved at a later date. On request, the files can be archived on a separate server. Web-based applications require the exchange of data through a web browser, this provides a quick and convenient way to perform business activities via the internet. For example; research, diary management, corporate application access and general communication. The exchange of data using the browser, however, conceals a potential risk, as it exposes the client devices to external attack ( refer to press reports) from malicious software. To ensure protection of data from malicious software (malware) defences have become increasingly sophisticated, however, this protection only relates to known scenarios. Therefore, there is always a risk from new, as yet undetected, malware. Visulox minimises the risk of external attack by removing the direct communication from the local browser and placing it within the managed corporate environment. Visulox creates a secure and controlled browser environment, therefore, limiting the risk of external attack through compromised client devices.

5 Visulox Recording Proof of the facts Reproducable actions Visulox video recording allows organisations to record screen activities to retain control over the processes in the data centre. The logged information consists of metadata and, where necessary, video films of sessions, these allow companies to adhere to existing laws and other compliance regulations. The video films and supplementary keystroke logs, produced by Visulox, provide documented evidence of all actions carried out on critical systems by authorised privileged users. This greatly reduces recovery time following a breach of security. The privileged user must agree to each recording and the films are saved in encrypted form and, on request, archived on a separate server.visulox ensures that all personnel can be managed, monitored, documented, checked and approved, minimising the risk to sensitive data. Experience has also shown that privileged users agreeing to be recorded improves the quality of work. Stored sessions must be checked out of the archive before they can be reviewed. The session log includes documented evidence of all actions carried out by the authorised user. This information can also be obtained in text form, which can be accessed directly in the file. Film examples, are available at

6 Visulox Dual Control Prevent Data Loss Control your Data Co-operation allows internal and external administrators to work efficiently together via remote connections. Allowing colleagues to support each other and solve problems through collaboration, allowing simultaneous access to the same applications or servers in the data centre. A user can integrate another user into their session, without the need for additional software. Visulox co-operation offers two modes: Interaction: each participating user can work in the session Observe: the invited user can only observe the session If the Security Policy requires use of the Four-eye Principle, Visulox offers the high-performance function Dual Control that is real, synchronous and unavoidable peer review. This function implements the dual control principle and is consistently used with defined processes. Both users have to be logged into the session at the same time and have to be active. (A trigger mechanism monitors the interactions). Activities in the session are only possible if the two requirements are fulfilled. If either user becomes inactive, the screen session is closed for new entries. However, the session is locked, not terminated, and can be continued when the both users become active again.

7 Visulox Reporting Audit reports Incident information The Visulox Management Desk provides the ability to monitor, administer and view the recorded session infor mation, including video films. This ensures that it is always possible to check and trace privileged user application authorisation and session information. The Visulox Archive Module offers the possibility of securely storing information in a dedicated, automated archive zone. In order to satisfy (internal) data protection requirements, access to the archive zone is limited to authorised personnel only. All archived films and session data are stored for a period of time and then automatically deleted, in accordance with the Retention Policy. The audit logs are also stored in the archive zone and provide comprehensive evidence concerning the access to critical information. Visulox offers high-performance reporting with numerous pre-prepared, configurable reports. Reports can be retrieved from the Management Desk to be used for documentation and compliance records.

8 Visulox Architecture Scalable reliable proven technology Visulox enhances Oracle Secure Global Desktop (OSGD, formerly Tarantella) and provides greater functionality, without compromise. Visulox uses the existing standard interfaces and can, therefore, be easily integrated into existing OSGD environments. The flexible architecture allows for both distributed and centra lised solutions, that are secure and scalable. Redundancy can be introduced as needed by simply adding servers. Unix/Linux Windows Hypervisor AS/400 Mainframe Session Control Webtop Authentication Datacenter Network Server Access [SSH, X11, RDP, VNC, Telnet, ICA] Access Control 2FA File Transfer Management Recording Cooperation SecureID UNIX/PAM LDAP/AD 3Party Visulox requires a database for the storage of metadata, it supports Oracle, Postgres or MySQL. The Visulox data (films and files) can be stored locally on connected file systems, or outsourced to external storage facilities. Visulox allows the integration of other data sources and components, for example: ticketing management systems. Client Access [https] DMZ Network Proxy Access Network PC/Macintosh PDA Workstation

9 Visulox - Development Visulox, developed by ToolBox Solution GmbH, was first introduced in 2003 to provide secure, monitored, remote access for the banking and telecommunication industries and is now a globally recognised solution Visulox - Sales & Service amitego AG is responsible for worldwide sales and service of Visulox and has a network of certified solution partners in many countries. For example, Europe, Central America, Asia and Africa.