Privileged Access Management with ConsoleWorks. A unified in-band and out-of-band solution. Solution Brief

Similar documents
NERC CIP Compliance Gaining Oversight with ConsoleWorks

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

Creating Added Value for the IT Service Management Practice. How ConsoleWorks Creates Value for ITSM Best Practices

The role of Access and Control in DCIM

Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management

DS Series Solutions Integrated Solutions for Secure, Centralized Data Center Management

Dell Client. Take Control of Your Environment. Powered by Intel Core 2 processor with vpro technology

Optimally Manage the Data Center Using Systems Management Tools from Cisco and Microsoft

IT Networking and Security

Best Practices for PCI DSS V3.0 Network Security Compliance

MEGARAC XMS Sx EXTENDIBLE MANAGEMENT SUITE SERVER MANAGER EDITION

Better Integration of Systems Management Hardware with Linux

BeyondInsight Version 5.6 New and Updated Features

Secure, Remote Access for IT Infrastructure Management

2012 CIP Spring Compliance Workshop May Testing, Ports & Services and Patch Management

Lumension Endpoint Management and Security Suite

AMD DASHConfig Tool. White Paper Descriptor. Document version: 1.0. March 27 th, 2013

HP Server Automation Standard

Proactively Managing Servers with Dell KACE and Open Manage Essentials

HP Cloud Map for TIBCO ActiveMatrix BusinessWorks: Importing the template

MergePoint 53xx Service Processor Manager Firmware Release Notes

Monitor the Cisco Unified Computing System

Intel AMT Provides Out-of-Band Remote Manageability for Digital Security Surveillance

A M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions

Introducing logical servers: Making data center infrastructures more adaptive

Securing OS Legacy Systems Alexander Rau

Exploring the Remote Access Configuration Utility

HP ilo mobile app for Android

Consolidating IT Infrastructure Management: Unifying Data Center Hardware and Software Administration

Using Symantec NetBackup with Symantec Security Information Manager 4.5

Security Overview of the Integrity Virtual Machines Architecture

How To Run A Hosted Physical Server On A Server At Redcentric

Dell EqualLogic Red Hat Enterprise Linux 6.2 Boot from SAN

HP Client Automation software Starter and Standard Editions

IT Networking and Security

CommandCenter Secure Gateway User Guide Release 6.0

DELL. Unified Server Configurator: IT and Systems Management Overview. A Dell Technical White Paper

IT Operations Management. Intelligent. Integrated. Innovative.

Hardware Monitoring with the new Nagios IPMI Plugin

Kaseya IT Automation Framework

Systems Management Tools And Documentation Version 8.1 Installation Guide

Statement of Work for

Errata Sheet for HP OpenVMS Support of HP Integrity BL860c Server Blade

Managing BitLocker Encryption

Server Room Solutions: How small to midsize IT businesses can make their IT budgets appear larger than they are

Overview of Avaya Aura System Platform

Cisco Unified Computing Remote Management Services

ProCurve Manager Plus 2.2

Viewfinity Privilege Management Integration with Microsoft System Center Configuration Manager. By Dwain Kinghorn

User. Guide. February Intel Multi Server Manager - User Guide 1

Avocent Universal Management Gateway Appliance Plug-in for DSView 4 Management Software Release Notes Version

PS Series Storage Array - Configuration, Operation and Management

ProCurve Mobility Manager 1.0

From Ethernet Ubiquity to Ethernet Convergence: The Emergence of the Converged Network Interface Controller

Host/Platform Security. Module 11

Section 5 Configuring the Partition for Enterprise Output Manager (EOM)

Migrating Control System Servers to Virtual Machines

What the student will need:

HP Client Manager 6.1

Achieve Automated, End-to-End Firmware Management with Cisco UCS Manager

Business Case for Data Center Network Consolidation

BSM for IT Governance, Risk and Compliance: NERC CIP

McAfee epolicy Orchestrator * Deep Command *

Reining in the Effects of Uncontrolled Change

Zero Trust. Privileged Access Management

<Insert Picture Here> Oracle Premier Support Get Ahead. Stay Ahead.

2011 Cyber Security and the Advanced Persistent Threat A Holistic View

Microsoft Windows Server 2008* (x86 & x64) Dual SCM (ALUA) Installation BKM. Intel Order Number: E

Intel Active Management Technology Embedded Host-based Configuration in Intelligent Systems

HP EVA to 3PAR Online Import for EVA-to-3PAR StoreServ Migration

Customer Responsibilities

whitepaper Absolute Manage: Client Management Managing Macs in a Windows Environment

Hardware + Software Solutions for The Best in Client Management & Security. Malcolm Hay Intel Technology Manager

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

VDI can reduce costs, simplify systems and provide a less frustrating experience for users.

Dell OpenManage SNMP Reference Guide Version 8.0.1

HP Systems Insight Manager 7.0 and HP Agentless Management overview

IBM Software InfoSphere Guardium. Planning a data security and auditing deployment for Hadoop

HP2-T25: SERVICING HP RACK AND TOWER SERVER SOLUTIONS

Nessus Agents. October 2015

FISMA / NIST REVISION 3 COMPLIANCE

Service Description Remote Yearly Maintenance of Dell PowerEdge Servers and PowerVault Storage

System Area Manager. Remote Management

It s time to confront IT complexity and deal with it. With Avocent s Control and Manageability Solution

Management of VMware ESXi. on HP ProLiant Servers

Common Access Card Application

Acer Smart Client Manager

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

NCIRC Security Tools NIAPC Submission Summary Harris STAT Scanner

Implementing SANS Top 20 Critical Security Controls with ConsoleWorks

Transcription:

Privileged Access Management with ConsoleWorks A unified in-band and out-of-band solution Solution Brief

Privileged Access Management with ConsoleWorks A unified in-band and out-of-band solution ConsoleWorks Privileged Access Platform ConsoleWorks offers organizations a single tool that can manage all privileged access in the organization. From operating systems to configuration ports, ConsoleWorks can control access, enforce permission models, and record (down to the keystroke) all privileged user activity for virtually any asset in the IT infrastructure. Access Management Access management is the practice of controlling the IT resources each person in the organization has access to along with the permissions they are granted for each resource they can access. In simpler terms, access management determines who can go where, and what they can do when they get there. From a security perspective this is normally discussed in terms of role-based access and control. In a role-based access and control security model, each role is assigned a specific list of access permissions (what the role has permission to access) and the associated privileges (what a person is allowed to do for each access permission granted). People are then assigned to one or more roles in order to grant them the access and privilege they need to perform their work. Privileged Access Management Privileged access management is a specific subset of access management where the interfaces being managed have an inordinately high level of privilege associated to them. The most common example of a privileged interface is an account on an operating system. For example, having permission to access a shared drive has a relatively low level of privilege with a limited set of permissions like read, change and full control. Access to an operating system can offer thousands of commands, many of which can have broad reaching affects on operations, security, and compliance. ConsoleWorks addresses privileged access management, which is further broken-down into two broad functional groups: in-band access and out-of-band access. 2011 TDi Technologies, Inc. www.tditechnologies.com P a g e 2

In-Band Access System analysts, programmers, production staff, application support, and others need regular access to the operating system accounts to support business operations. These people access operating systems over the normal network, also called the in-band network. This is the primary scope of most privileged access management programs. Out-of-Band Access IT systems and infrastructure management teams support the actual devices for break/fix, configuration, build, firmware upgrades, provisioning, patching, and maintenance. These people typically access those same servers through configuration ports 1, often over a separate network commonly termed the maintenance or out-of-band network. Out-ofband Network Functions In-band Network Functions Different Network, Different Interfaces These two networks use different network interfaces. The in-band network uses one or more of the NIC ports on the server for network connections. The out-of-band network uses 1 Configuration ports are on baseboard management controllers including HP ilo, Dell DRAC, Sun ALOM, etc. 2011 TDi Technologies, Inc. www.tditechnologies.com P a g e 3

configuration ports that are connected to dedicated service processor computers in almost all servers on the market today. These service processors run completely independently accessible at any time and under any condition as long as power is connected to the server chassis. Production (Data) and Maintenance Networks 1) Maintenance Network Service Processor built in to servers (on Motherboard) Is a computer in the computer Is live (external communications) anytime power is applied to chassis Has dedicated (maintenance) TCP/IP connection 2) Production (Data) Network Uses normal Network Interface (NIC) Both groups are accessing interfaces with extremely high privileges where mistakes can directly result in service disruption, compliance failure, and data breaches. They both need to be under privileged access management control. If they are not, the business is placed under a high degree of risk. The use cases are quite different though. In-band access is typically a many people to one interface scenario. Least privilege plays a very important role with in-band access, as the people accessing operating system accounts often touch sensitive data and their activity must be tightly controlled. ConsoleWorks manages the many people to one interface within its Privileged Access Platform module that can create, and manage, an unlimited number of private user sessions to operating system, database or application interfaces. 2011 TDi Technologies, Inc. www.tditechnologies.com P a g e 4

Out-of-band access is typically a one user to many interfaces scenario. Least privilege remains important with out-of-band access but there are typically more privileges granted for out-of-band access as they are needed for break/fix operations, patching, device configuration, firmware/bios updates, and device build. ConsoleWorks manages the one person to many interfaces within its Privileged Access Platform module that can create, and manage, multiple user device sessions for a single ConsoleWorks user. Privileged User Risks The risk associated with user access to operating systems over the in-band network is compounded by the fact that so many people in the organization require some form of privileged access. Maintaining control over an environment where many people are accessing devices at the operating system level is best achieved through tightly defined permissions that often include specific set of commands users can execute (and nothing else). ConsoleWorks already has a robust permissions model built into its role-based access and control functions this capability being augmented with explicitly defined commands sets for each role. The next release of ConsoleWorks includes this additional functionality. The risk associated to configuration port access over the out-of-band network is actually higher than the risk of operating system access because the configuration port has command and control over the operating system and every other component of the server. Configuration ports are the highest privileged interface that exists on every modern server. This makes control (access, permissions, limiting permission to specific commands) over outof-band interfaces even more important as most organizations have limited controls in place to address this security risk. 2011 TDi Technologies, Inc. www.tditechnologies.com P a g e 5

Several of the more prominent high-risk capabilities provided by out-of-band interfaces are: Summary Mount media devices and copy data Install malware at multiple levels (Bios, Firmware, OS) Add, change or delete user accounts and privileges Change device and component configuration Execute operating system commands without an OS account Open, close or reconfigure network ports Providing a unified security approach across the in-band and out-of-band networks ensures that privileged interfaces are controlled and risk is mitigated. A unified approach dramatically simplifies the security practice and addresses the vulnerabilities with privileged interfaces that present an extremely high security issue today. About TDi Technologies TDi Technologies is the leader in IT Foundation Management, delivering IT Foundation Management solutions to a global customer base with key verticals including Utilities, Financial Services, Telecommunications, Healthcare, and Government. The company s solutions help customers reduce operating costs, meet foundational compliance requirements, secure the IT foundation, and improve IT Service delivery. 2011 TDi Technologies, Inc. www.tditechnologies.com P a g e 6