Control and Audit Privileged Access to the Hybrid Cloud
Xceedium’s Xsuite® seamlessly controls, monitors, and audits everything privileged users do across the hybrid cloud. It’s built on a zero trust model that expressly denies access to all systems and resources except those permitted by policy.
Xceedium Xsuite delivers robust zero trust access controls for privileged users across the widest range of enterprise IT infrastructure, including multiple Linux distributions, Microsoft Windows, popular versions of Unix, networking devices including routers and switches, a comprehensive range of databases and business applications, and more. Optional Xsuite extensions provide enhanced integration, and superior protection, for hybrid-cloud infrastructure technologies including mainframes and traditional datacenter resources, Amazon Web Services (AWS), and VMware vSphere.
Comprehensive Privileged Identity Management Controls
Cohesive Hybrid Cloud Protection
Today’s hybrid-cloud computing environments exacerbate long-standing privileged identity management issues, while adding new challenges to the mix. With Xsuite, you seamlessly define, apply, and enforce privileged identity management and access controls across the full range of IT infrastructure: enterprise data centers, virtualized infrastructure, and public or private clouds.
Consistent, concise controls on privileged users, based on defined roles and leveraging your existing identity and access management (IAM) infrastructure, are ensured regardless of where resources are running or where you’ve implemented management capabilities. And in the Amazon Web Services (AWS) environment, Xsuite policies are automatically mapped to AWS IAM role definitions when sessions are established, even for AWS federated users.
You’ll save time, money, and administrative overhead while enhancing the quality and consistency of controls. And a single source for policy definitions — along with comprehensive records of activity — ensures audit reporting is easier and faster.
Control Privileged User Access
Xsuite provides highly granular, role-based access control for the hybrid cloud. Xsuite controls access by network administrators, trusted insiders, third parties, and other privileged users. Control begins when privileged users initially access the system, as Xsuite implements a deny all, permit by exception (DAPE) approach to least privilege access controls. Users see only those systems and access methods to which they’ve expressly been provided access. Once they’re logged into a system, Xsuite policies provide an additional level of control by selectively filtering commands issued. Unauthorized commands are blocked, with optional user warnings and policy violation alerts to security teams and logs. In addition, Xsuite contains privileged users to authorized systems through “leapfrog” prevention that limits the ability to use one system as a launch point for additional attacks.
Protect Sensitive Credentials
Xsuite protects and defends sensitive administrative credentials. Safely stored in a powerful vault, credentials are encrypted at rest, in transit, and in memory, limiting exposure to the risk of theft or disclosure. Xsuite can even eliminate the risks of passwords hard-coded into scripts and applications. Out-of-the-box support is provided for target applications including SAP, Oracle, Sybase, DB2, and many others. A comprehensive API enables programmatic access to and control over credentials from a wide assortment of applications, operating systems, and programming and scripting languages.
The Xsuite credential vault protects the AWS environment as well. AWS credentials (PEM-encoded keys) are securely vaulted and passed directly between Xsuite and the target resource. Credentials are not revealed to users or exposed to potential malware.
Monitor, React, and Record Everything
Xsuite examines everything privileged users do while accessing managed resources. Actions are compared with access control policies before execution, delivering proactive protection from unauthorized activities, malicious activity, and simple mistakes. Events can be logged for later review or forensic analysis, and alerts can be generated to garner the attention of Security Operations Center teams while individuals can be warned or their sessions terminated.
Xsuite captures continuous, tamper-proof logging and recording of both text and graphical administrative sessions, even for web-based applications. With DVR-like playback, supervisors can see exactly what actions were taken, and by whom. That’s true even when shared administrative accounts are used, since Xsuite attributes every action to a specific individual. Xsuite eliminates anonymous administrator activity.
Protect Hybrid Cloud Consoles
Cloud computing and virtualized infrastructure expand attack surfaces and introduce complex new administrative structures to manage and control. With access to hybrid cloud management consoles, privileged users can make changes with a speed and scale unprecedented in traditional data centers. Xsuite adds comprehensive management controls – role-based access limits, single sign-on, separation of duties, audit trails and session monitoring, password and key management, and more – to these powerful new management consoles. Xsuite is tightly integrated with both the AWS Management Console and vCenter Server, delivering protection for both operational servers and systems and underlying infrastructure technology.
Ensure Positive Privileged User Authentication
Privileged users control the most sensitive IT resources in your organization. It’s essential these powerful individuals (or, increasingly, the scripts and programs written and deployed to perform administrative tasks on their behalf) are accurately authenticated.
Xsuite fully leverages your existing identity and access management infrastructure, with integration to Active Directory and LDAP-compliant directories, as well as authentication systems like RADIUS. Xsuite fully supports enabling technologies like PKI/X.509 certificates and security tokens. Support for Personal Identity Verification/Common Access Cards (PIV/CAC) ensures your compliance with HSPD-12 and OMB M-11-11 mandates within the Federal sector.
In addition, Xsuite’s comprehensive authentication support lets you enforce composite multi-factor authentication techniques combining traditional approaches like user identification and passwords with RSA PINs and codes.
A common attack technique exploits the rich mesh of corporate network connectivity to move ever closer to sensitive assets. Starting from less critical and low profile resources, privileged users can exploit their position of trust to “leapfrog” from one system to another. In typical networks, a trusted user can take intermediate steps – connecting to servers via SSH, Telnet, or other means – to access sensitive servers they’re restricted from accessing directly.
With Xsuite, a small footprint on your network can’t be exploited to gain roundabout access to unauthorized resources. Unlike usual approaches, Xsuite provides trusted users with a list of only those systems to which they’re expressly permitted access. And Xsuite proactively defends against attempts to take advantage of inside information about network resources, actively blocking attempts to connect to systems and resources other than those expressly permitted.
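The two controls described above, deny all/permit by exception with in-session command filtering (under “Control Privileged User Access”) and leapfrog prevention (the preceding two paragraphs), are easier to reason about as a small policy engine. The following Python is an added illustration written for this page; it is not Xsuite code and makes no claim about how Xsuite implements these features. Every role, user, host name and blocked command in it is a constructed sample, and the audit log is a plain in-memory list standing in for the tamper-proof records the text describes.

```python
"""Illustrative deny-all, permit-by-exception (DAPE) policy engine with
command filtering and leapfrog prevention.  Added example, not Xsuite code;
all roles, users and hosts below are constructed sample data."""
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class Role:
    name: str
    # target host -> set of access methods this role may use on it
    targets: dict
    # command names a member of this role may not run inside a session
    blocked_commands: frozenset = frozenset()


# Constructed sample policy (hypothetical hosts and roles).
ROLES = {
    "web-ops": Role("web-ops", {"web01": {"ssh"}, "web02": {"ssh"}},
                    frozenset({"rm", "dd"})),
    "db-admin": Role("db-admin", {"db01": {"ssh", "rdp"}},
                     frozenset({"useradd", "usermod"})),
}
USER_ROLES = {"alice": {"web-ops"}, "bob": {"web-ops", "db-admin"}}

# Stand-in for the session audit trail: every decision is recorded here.
AUDIT_LOG: list[dict] = []


def _audit(user: str, event: str, decision: str, **detail) -> dict:
    entry = {"user": user, "event": event, "decision": decision, **detail}
    AUDIT_LOG.append(entry)
    return entry


def visible_targets(user: str) -> dict[str, set[str]]:
    """The user's access portal: only hosts and methods some role grants.
    An unknown user, or one with no roles, sees nothing (default deny)."""
    view: dict[str, set[str]] = {}
    for role_name in USER_ROLES.get(user, set()):
        for host, methods in ROLES[role_name].targets.items():
            view.setdefault(host, set()).update(methods)
    return view


def authorize_access(user: str, host: str, method: str) -> bool:
    """DAPE: a connection is denied unless an explicit grant exists."""
    allowed = method in visible_targets(user).get(host, set())
    _audit(user, "connect", "permit" if allowed else "deny",
           host=host, method=method)
    return allowed


def _blocked_commands(user: str) -> set[str]:
    # Across multiple roles, a block from any role wins (deny takes precedence).
    blocked: set[str] = set()
    for role_name in USER_ROLES.get(user, set()):
        blocked |= ROLES[role_name].blocked_commands
    return blocked


def filter_command(user: str, host: str, command_line: str) -> bool:
    """Command filtering inside an established session.  Unparseable or
    empty input is denied rather than passed through, and a leading
    'sudo' is skipped so the real command name is what gets checked."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        _audit(user, "command", "deny", host=host, command=command_line,
               reason="unparseable")
        return False
    while argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv:
        _audit(user, "command", "deny", host=host, command=command_line,
               reason="empty")
        return False
    name = argv[0].rsplit("/", 1)[-1]          # "/bin/rm" -> "rm"
    denied = name in _blocked_commands(user)
    _audit(user, "command", "deny" if denied else "permit",
           host=host, command=command_line)
    return not denied


def authorize_hop(user: str, from_host: str, to_host: str, method: str) -> bool:
    """Leapfrog prevention: a connection attempted from inside a session on
    from_host is judged exactly as if the user had asked for to_host
    directly.  Being on an intermediate system grants nothing extra."""
    allowed = authorize_access(user, to_host, method)
    _audit(user, "hop", "permit" if allowed else "deny",
           from_host=from_host, to_host=to_host, method=method)
    return allowed


if __name__ == "__main__":
    print(visible_targets("alice"))                           # web hosts only
    print(authorize_hop("alice", "web01", "db01", "ssh"))     # False
    print(filter_command("alice", "web01", "sudo /bin/rm -rf /var/www"))  # False
    for entry in AUDIT_LOG:
        print(entry)
```

The point of `authorize_hop` is that it never consults `from_host` when deciding: a permitted session on one host is not a stepping stone to another, which is the property the text calls leapfrog prevention. The command filter shows why filtering on the first token alone is not enough: paths and `sudo` prefixes have to be normalised before the name is compared, and input the parser cannot make sense of is denied rather than forwarded.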
Automatically Discover and Protect AWS and Virtualized Resources
Classic approaches to defining and provisioning policy will fail in today’s hybrid cloud environments. It’s just that simple – when operators can create hundreds, or thousands, of new systems with a simple command, there’s just no way traditional provisioning and policy management approaches can keep pace.
Xsuite overcomes these limitations with the unique ability to automatically discover virtualized and cloud resources. Xsuite automatically establishes – and begins enforcing – desired policies on these dynamic resources. Infrastructure is never exposed, regardless of how rapidly it may appear. New instances are automatically added or removed from individual users’ access portals based on individual policies and group memberships.