Vendor & Third-Party Access Management
In order to do business safely, enterprises today must create least-privilege access control policies for third parties requiring access to critical IT infrastructure. These third parties, including vendors, service providers, independent consultants, contractors and partners, are essential to business and IT operations. But they are, by definition, privileged users—and they must be securely managed.

IT is challenged to balance the need for third-party accessibility against an organization's requirements for security, manageability and control. Traditional methods for providing vendor access include: IPsec VPN, SSL VPN, modems, T1 lines and jump boxes. These solutions often include complex firewall rules that attempt to manage access, but they typically become unwieldy and introduce new vulnerabilities. Some enterprises also control vendors by having a trusted employee physically "chaperone" the vendor, or even type keystrokes dictated by the privileged user. These methods are often inefficient and costly, and leave obvious holes in a company's security posture. Companies must answer the following tough questions when considering these options:
Is overall security for our IT infrastructure compromised by creating a series of "back doors" for vendor access?
Regardless of how they are granted access to the infrastructure, how much of the overall network topology (outside an authorized area) can vendors see once inside—and what devices can they access?
What steps can we take to ensure that these vendors remain in their authorized areas only?
Is centralized control compromised by having multiple access points and increasingly complex rules?
Are vendors sharing administrative passwords? Is it possible to identify specifically who, by name, worked on what?
Are sensitive administrative credentials stored on third-party networks and devices in an unencrypted format?
Are we alerted to policy violations or can we audit what users did during administrative sessions?
Is a patchwork vendor access model even auditable at all? And if not, what compliance risks does this raise, particularly in the U.S. regarding HIPAA and Sarbanes-Oxley regulations?
Fortunately, there is a solution. Xceedium walks the fine line between access and security by granularly managing vendor and third-party access, protecting critical passwords, and providing a comprehensive audit trail. Xceedium provides secure, centralized, policy-based access management to IT infrastructure for all your privileged users.
Benefits of Xceedium’s Vendor and Third-Party Access Management Solution:
Unintrusive, appliance-based solution – Xceedium’s appliance-based solution can be quickly deployed and easily maintained. The solution is browser-based and minimizes the impact on endpoints
A more secure model for vendor and third-party access – Through its patent-pending access control and containment technologies, Xceedium provides a new model for least-privilege vendor access management. Rather than bringing users into your data center (and running the risk of granting them "keys to the kingdom"), Xceedium brings services out of the data center to the users’ desktops
Consolidated access via a single, secure point of ingress – Xceedium solves the problem of having multiple entry points by creating a single encrypted point of ingress for all users, eliminating illegitimate "back doors." The single entry point is enforced by requiring all users to log on via a single browser-based interface
Centralized management – Xceedium provides a centralized management point from policy to enforcement, monitoring, tracking and reporting, and gives companies an easy way to manage the access of individuals or groups of vendors. IT administrators can easily find out what vendors are doing and can provide auditors with evidence for testing of controls
Policy – Vendor access management policies can be stored by individual, group, or role, and can be imported from directory engines such as LDAP, Active Directory, OpenLDAP, etc. Xceedium also integrates with authentication engines such as RSA, RADIUS, PKI/CAC, etc. From one centralized place, the solution virtualizes heterogeneous infrastructures and ties all access methods and protocols into a user profile presented in a single view, so policy can be easily defined
A safe access methodology: no footprint, no visibility – Not all users are authorized to access sensitive applications or data that may reside on a particular server (i.e., human resource information, financial data, etc.). Xceedium's vendor access management, which creates policies based on user profiles, can easily restrict users’ access to only those applications required to perform their jobs. Unauthorized areas can be made invisible
Compartmentalization and granular enforcement – Xceedium's unique access management method provides the ability to enforce security policies for your entire IT infrastructure. Because least-privilege access is based on user profiles, vendors and other third parties are allowed access to only the devices and systems for which they have authorization, and for specified time periods. Users are effectively compartmentalized; they have no visibility into other resources in the infrastructure—hardware, software or data. Separation of user activities may then be strictly enforced
Containment / LeapFrog Prevention™ capabilities – LeapFrog Prevention is a patent-pending feature that enables IT operations managers to give users seamless access to areas of the IT infrastructure and systems for which they are authorized. It prevents these people from “leapfrogging” from their authorized systems into other areas of the infrastructure. Based on a customizable “white list” or “black list” of keyword commands, Xceedium’s application recognizes an unauthorized command and does not execute it. The unexecuted attempt is tracked, and an e-mail alert identifying the user trying to subvert the security model is sent to a manager
Monitoring, alerting and remediation in real-time – Xceedium continuously monitors vendor and third-party activity on the IT infrastructure. It also allows IT to create a keyword list that signals and reports unauthorized activity. For example, an administrator may be allowed to Telnet into a router, but if he or she then tries to Telnet out of the router to an unauthorized area of the IT infrastructure, a warning message flashes on his or her desktop indicating a violation—and the system administrator or MSSP is immediately alerted—all in real-time. The unauthorized activity will continue to trigger warnings and send alerts, and the session will cycle off after a predetermined number of events. All activity is monitored and logged
Tracking, logging and session-recording – With Xceedium, organizations have the ability to easily see all vendor activities—by day, by device, by violation, etc. Additionally, Xceedium's patent-pending keystroke-logging and session-recording capabilities capture a complete picture of what is going on across the entire infrastructure. With a centralized view of all activity and comprehensive tracking of all keystrokes and sessions, companies can cost-effectively maintain vendor accountability and satisfy compliance requirements
Protecting privileged user and application-to-application passwords – Xceedium protects application-to-application and privileged user passwords from disclosure and misuse, in storage, in transit and in use. The solution can be configured to provide secure single-sign-on access to authorized resources in a manner that does not disclose the password to the user. So even if a vendor or other third party 'walks up' to a server or network device, he or she will be unable to log in directly
Establishing and enforcing password management policies – Your organization can control password factors such as complexity and length, frequency of change, use, and requirements for dual authorization
Comprehensive reporting for testing of controls – IT administrators today are subject to more audit and compliance requirements than ever before, including government mandates such as Sarbanes-Oxley and HIPAA. When vendors, third parties and other privileged users access your critical IT infrastructure, the ability to identify and track their activities becomes essential. Xceedium provides end-to-end accountability and satisfies these compliance requirements by providing extensive reporting, keystroke logging and session recording capabilities that deliver a complete picture of user activities
Enhanced vendor productivity – Based on an individual's defined profile, the user is provisioned with appropriate tools (Telnet, VNC, out-of-band, etc.) to use with a specific device, serving the tools up as Java applets to the user desktop. Productivity of vendors and third-party support personnel is enhanced, enabling them to meet service-level agreements while you control their activities.
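As an added illustration of the containment and real-time alerting described above (LeapFrog Prevention and the keyword-based monitoring), the following Python sketch is not Xceedium's own code; the allowlist/blocklist sets, the violation threshold, the log layout and the sample session are all constructed assumptions. It sits in the path between a vendor's session and the device, blocks any command whose keywords indicate a hop to another host, records the unexecuted attempt, raises an alert, and cycles the session off after a predetermined number of events.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for one device; the real product's policy format is not
# shown on the page, so these sets and the threshold are assumptions.
ALLOWLIST = {"show", "ping", "exit"}          # commands permitted on the router
BLOCKLIST = {"telnet", "ssh", "rlogin", "nc"}  # keywords that signal a hop to another host
MAX_VIOLATIONS = 3                            # cycle the session off after this many events
TOKEN = re.compile(r"[A-Za-z0-9_.@/-]+")      # split a command line into keywords

@dataclass
class SessionFilter:
    user: str
    device: str
    violations: int = 0
    active: bool = True
    log: list = field(default_factory=list)     # (user, device, line, verdict)
    alerts: list = field(default_factory=list)  # messages that would go to the manager

    def check(self, line: str) -> str:
        """Return 'executed', 'blocked' or 'terminated'; only 'executed' is forwarded."""
        if not self.active:
            verdict = "terminated"              # session already cycled off
        else:
            tokens = TOKEN.findall(line.lower())
            leapfrog = any(t in BLOCKLIST for t in tokens)       # blocklist keyword anywhere
            unlisted = bool(tokens) and tokens[0] not in ALLOWLIST  # command not on allowlist
            verdict = "blocked" if (leapfrog or unlisted) else "executed"
        self.log.append((self.user, self.device, line.strip(), verdict))
        if verdict == "blocked":
            self.violations += 1
            self.alerts.append(
                f"{self.user} on {self.device}: blocked '{line.strip()}' "
                f"({self.violations}/{MAX_VIOLATIONS})")
            if self.violations >= MAX_VIOLATIONS:
                self.active = False             # predetermined event count reached
        return verdict

def run_session(user: str, device: str, lines: list) -> SessionFilter:
    """Replay a captured command stream through the filter and return its final state."""
    f = SessionFilter(user, device)
    for line in lines:
        f.check(line)
    return f

# Constructed sample session: a vendor allowed onto a router repeatedly tries to hop onward.
SAMPLE_SESSION = ["show ip route", "telnet 10.0.0.5", "ping 10.0.0.1",
                  "ssh admin@10.0.0.6", "show version", "nc -z 10.0.0.7 22", "show arp"]
```

In the sample, the third hop attempt terminates the session, so the final `show arp` is never forwarded even though it is on the allowlist.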