Vendor Access Control
In order to do business safely, enterprises today must create access control policies for third parties requiring administrative privileges to critical IT infrastructure. These third parties, including vendors, service providers, independent consultants, contractors and partners, are essential to business and IT operations. But they are, by definition, privileged users—and they must be securely managed.

IT is challenged to balance the need for third-party network accessibility against an organization's requirements for security, manageability and access control. Traditional methods for providing vendor access include IPsec VPN, SSL VPN, modems, T1 lines and jump boxes. These solutions often rely on complex firewall rules that attempt to manage network access, but the rules typically become unwieldy and introduce new vulnerabilities. Some enterprises also control vendors by having a trusted employee physically "chaperone" the vendor, or even type keystrokes dictated by the privileged user. These methods are often inefficient and costly, and leave obvious holes in a company's security posture. Companies must answer the following tough questions when considering these options:
Is overall security for our IT infrastructure compromised by creating a series of "back doors" for vendor network access?
Regardless of how they are granted access to the infrastructure, how much of the overall network topology (outside an authorized area) can vendors see once inside—and what administrative privileges do they have?
What steps can we take to ensure that these vendors remain in only their authorized areas?
Is centralized access control compromised by having multiple access points and increasingly complex rules?
Are vendors sharing administrative privileges and passwords? Is it possible to identify specifically who, by name, worked on what?
Are sensitive administrative credentials stored on third-party networks and devices in an unencrypted format?
Are we alerted to policy violations or can we audit what users did during administrative sessions?
Is a patchwork vendor network access model even auditable at all? And if not, what compliance risks does this raise, particularly in the U.S. regarding HIPAA and Sarbanes-Oxley regulations?
Fortunately, there is a solution. Xceedium walks the fine line between accessibility and security by granularly controlling vendor and third-party access and privileges, protecting critical passwords, and providing a comprehensive audit trail. Xceedium provides secure, centralized, policy-based network access control to IT infrastructure for all your privileged administrative users.
Xceedium’s Vendor Access Control Benefits:
Unobtrusive, appliance-based solution – Xceedium’s appliance-based access control solution can be quickly deployed and easily maintained. The solution is browser-based and minimizes the impact on endpoints.
A more secure model for vendor and third-party access – Through its patent-pending access control and containment technologies, Xceedium provides a new model for managing administrative privileges and network access. Rather than bringing users into your data center (and running the risk of granting them "keys to the kingdom"), Xceedium brings services out of the data center to the users’ desktops.
Consolidated access via a single, secure point of ingress – Xceedium solves the problem of having multiple entry points by creating a single encrypted point of ingress for all users, eliminating illegitimate "back doors." The single entry point is enforced by requiring all users to log on via a single browser-based interface.
Centralized management – Xceedium provides a centralized management point for enforcement, monitoring, tracking and reporting, and gives companies an easy way to manage the access of individuals or groups of vendors. IT administrators can easily find out what vendors are doing and can demonstrate the testing of administrative privilege controls to auditors.
Policy enforcement – Vendor access control policies can be stored by individual, group or role, and can be imported from directories such as LDAP, Active Directory and OpenLDAP. Xceedium also integrates with authentication engines such as RSA, RADIUS and PKI/CAC. From one centralized place, the solution virtualizes heterogeneous infrastructures and ties all network access methods and protocols into a user profile, presented in a single view, so policy can be easily defined.
A safe access methodology: no footprint, no visibility – Not all users are given administrative privileges to access sensitive applications or data that may reside on a particular server (e.g., human resources information, financial data). Xceedium's vendor access control, which creates policies based on user profiles, can easily restrict users’ network access to only those applications required to perform their jobs. Unauthorized areas can be made invisible.
Compartmentalization and granular enforcement – Xceedium's unique vendor access control method provides the ability to enforce security policies for your entire IT infrastructure. Because administrative privileges are based on user profiles, vendors and other third parties are allowed access to only the devices and systems for which they have authorization, and for specified time periods. Administrative users are effectively compartmentalized; they have no visibility into other resources in the infrastructure—hardware, software or data. Separation of user activities may then be strictly enforced.
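The profile-based model described in the policy enforcement, no-visibility and compartmentalization items above can be made concrete with a small deny-by-default authorization check. The following is an added example written for this page, not Xceedium's own software: it assumes a profile built from group entitlements (device, permitted protocols, daily time window), shows a user only the devices in that profile, and denies any request that falls outside the authorized protocol or time window. All group names, device names and time windows are constructed sample data.

```python
"""Profile-based access policy for vendor sessions.

Illustrative code added to this page; it is not Xceedium's software.
Device names, groups and time windows below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Entitlement:
    device: str            # managed system the profile may reach
    protocols: frozenset   # access methods permitted on that device
    start: time            # daily window in which access is allowed
    end: time


@dataclass
class Profile:
    user: str
    groups: frozenset
    entitlements: list = field(default_factory=list)  # per-user additions


# Role/group entitlements; a profile inherits those of every group it is in.
GROUP_ENTITLEMENTS = {
    "router-vendor": [
        Entitlement("edge-rtr-01", frozenset({"ssh", "telnet"}),
                    time(8, 0), time(18, 0)),
    ],
    "hr-app-vendor": [
        Entitlement("hr-app-01", frozenset({"vnc"}), time(0, 0), time(23, 59)),
    ],
}


def effective_entitlements(profile):
    """Union of the profile's own entitlements and its groups' entitlements."""
    ents = list(profile.entitlements)
    for group in profile.groups:
        ents.extend(GROUP_ENTITLEMENTS.get(group, []))
    return ents


def visible_devices(profile):
    """Devices the portal presents to this user; all others stay invisible."""
    return sorted({e.device for e in effective_entitlements(profile)})


def authorize(profile, device, protocol, at):
    """Decide one access request. Denies unless an entitlement matches the
    device, the protocol and the time of day; returns (allowed, reason)."""
    matches = [e for e in effective_entitlements(profile) if e.device == device]
    if not matches:
        # Not in the profile at all: the device is never shown to the user.
        return False, f"{device} is not in {profile.user}'s profile"
    now = at.time()
    for e in matches:
        if protocol in e.protocols and e.start <= now <= e.end:
            return True, "ok"
    return False, f"{protocol} to {device} is outside the authorized protocols or time window"


def run_demo():
    """Exercise the policy with a constructed vendor profile."""
    alice = Profile("alice", frozenset({"router-vendor"}))
    business_hours = datetime(2024, 1, 15, 10, 0)   # constructed timestamps
    after_hours = datetime(2024, 1, 15, 22, 0)
    return {
        "visible": visible_devices(alice),
        "ssh_in_hours": authorize(alice, "edge-rtr-01", "ssh", business_hours)[0],
        "ssh_after_hours": authorize(alice, "edge-rtr-01", "ssh", after_hours)[0],
        "vnc_wrong_protocol": authorize(alice, "edge-rtr-01", "vnc", business_hours)[0],
        "hr_app_not_in_profile": authorize(alice, "hr-app-01", "vnc", business_hours)[0],
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The decision is made entirely from the profile, so a device that appears in no entitlement produces the same denial as a device the user has never heard of; that is what keeps unauthorized areas invisible rather than merely locked.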
Containment / leapfrog prevention – Leapfrog prevention enables IT operations managers to give users seamless access to areas of the network for which they are authorized. However, it prevents these people from “leapfrogging” from their authorized systems into other areas of the infrastructure. Based on a customizable “white list” or “black list” of keyword commands, Xceedium’s access control system recognizes an unauthorized command and does not execute it. The unexecuted attempt is tracked, and an e-mail alert identifying the user trying to subvert the security model is sent to a manager.
Monitoring, alerting and remediation in real-time – Xceedium continuously monitors vendor and third-party activity on the network. It also allows IT to create a keyword list that signals and reports unauthorized activity. For example, an administrator may have privileges to Telnet into a router, but if he or she then tries to Telnet out of the router to an unauthorized area of the IT infrastructure, a warning message flashes on his or her desktop indicating a violation—and the system administrator or MSSP is immediately alerted—all in real-time. The unauthorized activity will continue to trigger warnings and send alerts, and the session will cycle off after a predetermined number of events. All activity is monitored and logged.
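The leapfrog-prevention and real-time alerting items above describe one mechanism: every command typed into a proxied session is checked against a keyword white list or black list, blocked commands are logged and alerted on, and the session is cycled off after a set number of violations. The following is an added example written for this page, not Xceedium's own software, showing that gateway-side filter on the page's own scenario (a vendor authorized on a router who then tries to Telnet onward). The policies, user, device and target addresses are constructed, and the alert records stand in for the e-mail the page says is sent to a manager.

```python
"""Command filtering and leapfrog prevention for a proxied vendor session.

Illustrative code added to this page; it is not Xceedium's software.
The policies, user, device and target addresses are constructed sample data.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SessionPolicy:
    deny: tuple = ()          # "black list": commands matching any pattern are blocked
    allow: tuple = ()         # "white list": if non-empty, a command must match one
    max_violations: int = 3   # session is cycled off at this many blocked attempts


@dataclass
class Session:
    user: str
    device: str
    policy: SessionPolicy
    violations: int = 0
    active: bool = True
    log: list = field(default_factory=list)     # every command, forwarded or not
    alerts: list = field(default_factory=list)  # what would be e-mailed to a manager


# Constructed policies. The router policy lets the vendor work on the router
# but blocks attempts to hop from it to other hosts; the read-only policy
# permits only "show" commands.
ROUTER_POLICY = SessionPolicy(deny=(r"^\s*(telnet|ssh|rlogin|rsh)\b",))
READONLY_POLICY = SessionPolicy(allow=(r"^\s*show\b",), max_violations=2)


def is_permitted(policy, command):
    """Deny list wins; then the allow list, if one is configured, must match."""
    if any(re.search(p, command, re.IGNORECASE) for p in policy.deny):
        return False
    if policy.allow and not any(re.search(p, command, re.IGNORECASE) for p in policy.allow):
        return False
    return True


def submit_command(session, command):
    """Gate one command typed into the session.

    Returns "forward" (send to the device), "blocked" (dropped, user warned,
    manager alerted), "terminated" (this attempt reached the threshold and
    the session was cycled off) or "closed" (session already ended)."""
    if not session.active:
        return "closed"
    permitted = is_permitted(session.policy, command)
    session.log.append({
        "user": session.user, "device": session.device,
        "command": command, "forwarded": permitted,
    })
    if permitted:
        return "forward"
    session.violations += 1
    session.alerts.append(
        f"{session.user} on {session.device} attempted blocked command "
        f"{command!r} (violation {session.violations}/{session.policy.max_violations})"
    )
    if session.violations >= session.policy.max_violations:
        session.active = False
        return "terminated"
    return "blocked"


def run_demo():
    """A vendor works on a router, then repeatedly tries to hop to other hosts."""
    s = Session("bob", "edge-rtr-01", ROUTER_POLICY)
    outcomes = [submit_command(s, c) for c in (
        "show ip interface brief",
        "telnet 10.0.5.20",        # constructed address outside bob's scope
        "ssh admin@hr-app-01",
        "TELNET 10.0.5.21",        # third violation: session cycles off
        "show version",            # arrives after the session has ended
    )]
    return outcomes, s.violations, s.active, len(s.alerts), len(s.log)


if __name__ == "__main__":
    outcomes, violations, active, n_alerts, n_log = run_demo()
    print(outcomes, violations, active, n_alerts, n_log)
```

Because the check runs on the gateway rather than on the router, the blocked command never reaches the device, and the log and alert records exist even for attempts that were never executed, which is exactly what an auditor needs to reconstruct the session afterwards.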
Monitoring, logging and session-recording – With Xceedium, organizations have the ability to easily see all vendor activities—by day, by device, by violation, etc. Additionally, Xceedium's patent-pending keystroke-logging and session-recording capabilities capture a complete picture of what is going on across the entire network. With a centralized view of all activity and comprehensive tracking of all keystrokes and sessions, companies can cost-effectively maintain vendor accountability and satisfy compliance requirements.
Protecting privileged administrator and application passwords – Xceedium protects application and privileged administrator passwords from disclosure and misuse, in storage, in transit and in use. The solution can be configured to provide secure single-sign-on access to authorized resources in a manner that does not disclose the password to the user. So even if a vendor or other third party 'walks up' to a server or network device, he or she will be unable to log in directly.
Establishing and enforcing password management policies – Your organization can control password factors such as complexity and length, frequency of change, use, and requirements for dual authorization.
Comprehensive reporting for testing of controls – IT administrators today are subject to more audit and compliance requirements than ever before, including government mandates such as Sarbanes-Oxley and HIPAA. When vendors, third parties and other privileged administrative users access your network, the ability to identify and track their activities becomes essential. Xceedium provides end-to-end accountability and satisfies compliance requirements by providing extensive reporting, keystroke-logging and session-recording capabilities that deliver a complete picture of user activities.
Enhanced vendor productivity – Based on an individual's defined profile, the user is provisioned with appropriate administrative privileges and tools (Telnet, VNC, out-of-band, etc.) to use with a specific device, with the tools served up as Java applets to the user's desktop. Productivity of vendors and third-party support personnel is enhanced, enabling them to meet service-level agreements while you control their activities on your network.