
Remote Access Security - Need of the hour!


P. Rangarajan
Rangarajan is the Chief Executive Officer at Vitage Technologies. He is responsible for the complete operations of the company and has a proven 15-year track record in sales and marketing in the IT industry, handling software products and solutions.


Access to critical systems and applications within the network, for IT administrators and outsourced partners alike, is an increasingly common requirement. In today's world of globalization, compliance regulations and outsourcing, privileged access and the control of shared administrative accounts is a continuing area of interest and concern for the enterprise. Growing compliance requirements have focused additional attention on how the enterprise manages and controls these critical accounts and passwords. In this scenario it is very difficult to give clear answers to:

· Who has accessed my protected systems, and most importantly what did they do?
· How can my systems be securely accessed?
· Are your administrative passwords shared among multiple administrators, hampering individual accountability?
· Do you have an audit trail for managing privileged access to your systems?

Remote access to critical systems within the organization is part of the support process, which makes it mandatory for the organization to tighten its security. Detailed audit trails are therefore required, particularly for companies that outsource support to third parties: the company needs to know, and be able to document, exactly what occurred during any remote session. A recent study of IT sabotage by the US Secret Service and Carnegie Mellon University reveals that 86 percent of insiders who committed IT sabotage held technical positions and 90 percent had been granted system administrator or privileged system access. CERT and law enforcement agencies have proven that up to 90 percent of business incidents involving the loss of assets result from staff who have privileged access to IT systems and applications. Another interesting side note from the study is that 57 percent of those responsible for the fraud should not have had authorized system access at the time of the attack; many used privileged system access to take technical steps to set up the attack before termination. A recent Gartner report concludes "that too many organizations and too many users have permanent and full super-user, root or administrator privileges, a gaping vulnerability that exposes mission-critical systems to accidental harm and malicious activity."

Since this issue has existed for many years, various solutions have been implemented that partially address it. The most common approach is to store the password physically: the password is written on a piece of paper, sealed in an envelope and stored in a secure location. The storage is controlled by an operations group, which is tasked with retrieving the correct envelope when it is needed for system access. Typically, another group is responsible for changing the password of any account that has been used. These process-based solutions are sometimes referred to as 'firecall IDs'. The solution still depends predominantly on individual people and their memory, and the chance of a leak in such a system is very high.

A number of commercial solutions try to address some of the issues around passwords, such as self-service password reset tools and in-house developed solutions; the issues that typically surface with them are support, maintenance, scalability and the quality of the solution.

The design of an administrative password management solution should address the following requirements:

· Password Storage: Since this system will be storing the 'real' passwords, encryption and server security are key areas. The encryption algorithm must be up to the standards of the financial systems being protected, currently AES-256. Key management must be done securely, and the system that houses the passwords must be hardened to prevent unauthorized access.

· Password Release: The password release mechanism should support dual control, to help achieve segregation of duties for the managed accounts. In addition, the release mechanism must be secure (encrypted) and support strong authentication. Granular authorization should allow each system to be configured so that only the required users can request its password.

· Password Update: The system should generate and update the passwords it manages. Not only does this ensure that strong, random passwords are used, it also preserves individual accountability, since no user knows a password until it is released. The system should also rotate passwords on a periodic basis, so that they are changed frequently. Finally, the system should be able to change a managed password immediately after use, so that the person who required access does not keep it any longer than needed.

· Auditing: The system must provide robust auditing so that the process can be reconciled frequently and reports demonstrating the integrity of the environment can be produced. Reports showing when passwords were released, password inventories and so on should all be produced automatically. In addition, the system must address the following operational and compliance issues:

· Resiliency - The system should be highly available.

· Retention - The system must provide retention criteria and archiving capabilities.

· Password availability - The system should verify that managed passwords are correct so that the system can be accessed when needed.
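As an added illustration of the requirements above (this is not code from the article, nor from PAR or any other product it names), the following Python model implements a minimal privileged-password vault: passwords are machine-generated, held only in sealed form, released under dual control to authorised requesters, rotated immediately after release and again when they exceed a maximum age, and every action lands in an HMAC-chained audit trail that can be checked for tampering. All class and function names (`Vault`, `Record`, `seal`, `unseal`, `generate_password`) are hypothetical. One substitution is labelled in the code: Python's standard library has no AES, so the at-rest `seal`/`unseal` pair uses an HMAC-SHA256 keystream with an integrity tag as a stand-in for the AES-256 the storage requirement calls for; a production vault would use AES-256-GCM from a vetted library, with the key held in an HSM or equivalent.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Hypothetical names throughout: a model of the listed controls, not product code.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def generate_password(length: int = 24) -> str:
    """Machine-generated password: no person knows it until the vault releases it."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            return pw

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC with an HMAC-SHA256 keystream: a stand-in for AES-256-GCM,
    # used only because the standard library ships no AES. Not for production use.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault record failed its integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class Record:
    sealed: bytes        # encrypted password; never stored in the clear
    changed_at: float    # epoch seconds of the last rotation
    allowed: frozenset   # users authorised to request this password

class Vault:
    def __init__(self, master_key: bytes, max_age_days: int = 30):
        self._key = master_key
        self._records = {}          # system name -> Record
        self._pending = {}          # system name -> requesting user
        self.audit = []             # append-only, HMAC-chained audit trail
        self._prev = b"\x00" * 32
        self._max_age = max_age_days * 86400

    def _log(self, now: float, event: str, **fields) -> None:
        entry = {"ts": now, "event": event, **fields, "prev": self._prev.hex()}
        self._prev = hmac.new(self._key, repr(sorted(entry.items())).encode(), hashlib.sha256).digest()
        self.audit.append({**entry, "mac": self._prev.hex()})

    def enroll(self, system: str, allowed, now: float) -> None:
        self._records[system] = Record(seal(self._key, generate_password().encode()), now, frozenset(allowed))
        self._log(now, "enroll", system=system)

    def request(self, system: str, user: str, now: float) -> None:
        if user not in self._records[system].allowed:        # granular authorisation
            self._log(now, "request_denied", system=system, user=user)
            raise PermissionError(f"{user} is not authorised to request {system}")
        self._pending[system] = user
        self._log(now, "request", system=system, user=user)

    def release(self, system: str, approver: str, now: float) -> str:
        user = self._pending.get(system)
        if user is None:
            raise LookupError(f"no pending request for {system}")
        if approver == user:                                  # dual control: a second person approves
            self._log(now, "release_denied", system=system, user=user, reason="self-approval")
            raise PermissionError("a requester cannot approve their own release")
        password = unseal(self._key, self._records[system].sealed).decode()
        self._log(now, "release", system=system, user=user, approver=approver)
        del self._pending[system]
        self.rotate(system, now, reason="post-release")       # released value stops working after use
        return password

    def rotate(self, system: str, now: float, reason: str = "scheduled") -> None:
        rec = self._records[system]
        rec.sealed = seal(self._key, generate_password().encode())  # a real appliance pushes this to the target
        rec.changed_at = now
        self._log(now, "rotate", system=system, reason=reason)

    def rotate_stale(self, now: float) -> list:
        # Periodic rotation: change every password older than the maximum age.
        stale = [s for s, r in self._records.items() if now - r.changed_at > self._max_age]
        for system in stale:
            self.rotate(system, now)
        return stale

    def verify_audit(self) -> bool:
        """Recompute the HMAC chain; an edited or deleted entry breaks it."""
        prev = b"\x00" * 32
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev.hex():
                return False
            prev = hmac.new(self._key, repr(sorted(body.items())).encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(prev.hex(), entry["mac"]):
                return False
        return True
```

The clock is passed in as `now` rather than read from `time.time()` so that the retention and rotation logic is deterministic and easy to exercise. The release path is the one to study: `request` enforces per-system authorisation, `release` refuses self-approval, and the successful release is immediately followed by a rotation, so the value handed out is single-use and the audit trail records who asked, who approved, and when the password changed.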

To address these concerns, Vitage Technologies, a focused IT infrastructure and application management company, has partnered with eDMZ Security, a US-based security company, to implement and support this solution in the Indian market and to provide eDMZ's granular, clientless, plug-and-play solutions for simplifying secure remote access and password management. The solutions offered are:

· Password Auto Repository (PAR) is designed specifically to provide a commercial solution to the problem of shared administrative password management. Delivered as a purpose-built appliance, the PAR addresses the key requirements of password storage, password release, password update and auditing of administrative passwords. Its benefits include: automatic password change across multiple users and platforms, with a dual-control mechanism; end-to-end protection of passwords in transit and in storage; strong auditing with time and date stamps to track password usage and where passwords are stored, with the history of all versions and of the changes made; and a granular access control mechanism recording who has accessed each password.

· eGuardPost provides secure access and session recording: a purpose-built, stand-alone security management appliance that provides a control point for managing system administrators' remote connections to protected environments. It provides a simple way to add granularity to system-level access in your network. Beyond peace of mind and compliance with your audit requirements, its features include: assisting regulatory compliance through granular access control; protecting infrastructure from rogue users, compromised devices and applications; capturing keystrokes to provide a complete recording of internal support activities; delivering clear, centralized reporting through the collection and aggregation of access and management logs; and offering session recording for event reconstruction.
