
Tuesday, May 10, 2011

Choosing a Remote Access Management Solution

- Eran Kessel, vice president of marketing & products for Minicom (www.minicom.com), says:

Let’s say you’ve decided to adopt a Remote Access Management solution. What do you need to know? How do you compare systems? Here are four questions to ask your vendor about their Remote Access Management system.

1. Does it have a centralized web-based dashboard?
For security and efficiency, the Remote Access Management system should centralize access to servers and devices in a single web-based dashboard, with a simple interface that enables one-click access to servers and devices, and restricts access to task-appropriate servers and tools.

2. Is it device and manufacturer agnostic?
In today’s technology market, change is constant. To protect your investment, don’t choose a Remote Access Management solution that restricts your future equipment choices. You may have standardized on one vendor’s servers, but you don’t want to be locked out, should a better server come on the market. Choose a system based on open standards, with the capability to monitor and control all major vendors’ equipment.

3. Does it support in-band, out-of-band and Service Processor access?
Your IT staff may use nothing but RDP today, but as you’ve read, there are major advantages to out-of-band access. Be sure that the system you choose will allow your technical capabilities to grow, by allowing the monitoring and control of out-of-band devices, Service Processors, and whatever new devices may appear in the future.

For a brief background on these types of access:

• In-band access (RDP, VNC, SSH, Telnet) allows two-way communication to remote computers, to view the remote desktop or to share data. These tools are common and low-cost, but they’re only useful if the server’s operating system is still working (the computer hasn’t completely crashed).
• Out-of-band access communicates via hardware devices, such as KVM switches (which control multiple computers from a single desktop); console servers (which provide remote serial access to networking equipment); and PDUs (power distribution units).
• Service Processor access talks to the server’s internal management processes, e.g. iLO from HP, DRAC from Dell, RSA from IBM, and IPMI from Intel.

4. Does it accommodate your existing equipment, or will you need a “forklift upgrade”?
Some Remote Access Management systems require you to replace your older gear—servers, PDUs, KVMs and/or console servers—or to purchase costly licenses in order to use the tools you already have in place. Not only is this large-scale replacement costly and wasteful, it can cause massive disruption to a company’s daily activities—for example, replacing PDUs could require a complete server shutdown, and likely a total interruption of business.

And it’s not necessary. Solutions are available that accommodate existing equipment and tools. While newer tools may add functionality, they can be brought online in phases, without the costs and disruption of wholesale replacement.

When comparing Remote Access Management solutions, compare the complete costs of the deployment. The advantages are clear: you can maximize your security, increase operational efficiency and save on energy. And with proper planning and selection, you can minimize the complications and costs of the deployment, and ensure that the benefits of Remote Access Management will continue into the future.

Friday, March 25, 2011

Remote Access Management: Operational Efficiency and Data Center Security

- David Zucker, Director of Solution Sales at Minicom (www.minicom.com), says:

Over the course of the last 5-10 years, IT organizations from the smallest of the SMB to the largest of the Enterprise have become dependent upon remote access tools to manage their servers and devices. The problem, however, is that these tools were adopted by different groups within the organization, without a clear strategy (i.e., the Windows team adopted IP KVM and RDP, while the network team bought console servers and adopted SSH).

Over time, the vast majority of IT departments have taken on in-band (i.e., RDP, VNC, SSH) and out-of-band (PDU, KVM, console) tools, as well as the service processors (ILO, DRAC, IPMI), each with their own IP addresses, passwords, usernames and more.

Today, IT managers face the challenge of managing all of these methods of access to their critical infrastructure. They *might* have a spreadsheet with all of the pathways. Others have all of this critical information on a whiteboard, on Post-its or, worse, in the “head” of the administrators.

This presents major issues with operational efficiency and data center security. With regard to efficiency, using a spreadsheet (or worse) means that each time an administrator is notified of an issue, he must first locate the server/device with the issue, copy and paste the IP, password and username for the selected tool just to gain access. If the first tool is ineffectual (RDP when Windows is down), he must do the same for the 2nd tool and if, for instance, the solution is powering down the server, he must do it a 3rd time for the PDU. This is not only a slow, painstaking process, but one that opens the door to human error.

The 2nd major issue with the current state of remote access management is security. When all of the passwords, IPs and usernames to an organization’s critical infrastructure are in a spreadsheet or in someone’s head, you are just begging for trouble. These pathways allow access to the most sensitive data in an organization, but they are not currently being treated that way. To ensure the security of a data center’s servers and devices, a RAM solution that locks down this critical information must be adopted.

With AccessIT, a data center can drastically increase how quickly its users can access and remediate issues on their servers and devices, all while utilizing the tools and hardware currently deployed, and while improving security and locking down remote access.

The complexities and challenges associated with Remote Access Management (RAM) are typically overlooked by IT managers. Any ITIL or disaster recovery plan undertaken by an IT department is not complete without considering how to deal with managing and controlling the remote access to your data center and IT equipment.

Remote Access has become a standard, but was deployed without a clear plan. With so many tools acquired over time, it has become increasingly difficult to track and manage access. IT Managers want to deploy a RAM solution, but for the most part, these solutions are extremely costly, require forklifting legacy hardware, and cause an enormous disruption (i.e., shut down of servers to change out PDUs). This has led many to deem that the status quo (spreadsheet, homegrown tools, etc.) will have to do. But the problem still persists.

This is what makes AccessIT so unique. IT managers can gain the security and efficiency increases that RAM affords, without the cost, rip and replace and disruption of competitive products.

By implementing AccessIT DC managers can gain the benefits of RAM very quickly, without the cost and disruption associated with competitive products.

IT Managers must consider the architecture of the remote access management system. Is it an open system that will allow you to adopt technologies from other vendors easily, or is it a closed system that locks you into that vendor? An IT manager must also consider the ease of installation and operation of a system. Many companies will promise to do everything, but the complexity of implementing these systems and the overhead required to maintain them can quickly overcome the intended benefits.

Tuesday, October 26, 2010

Access Management: Under Control in the Enterprise

- Brian Cleary, vice president of products and marketing at Aveksa (www.aveksa.com), says:

Why do former company employees still have access to proprietary data and organizational information after they’ve left the job?
Many organizations lack the enterprise-wide visibility into the access that users have and don’t have a governance control framework in place that can manage access-related change events such as a termination with a “leaver” control. If an organization has weak manual controls, and no access change remediation/validation process, access to sensitive corporate information can remain after a person leaves an organization. This is especially true with applications that have web interfaces or live outside the firewall.

Why should data center/IT managers be concerned about access management in light of the current rate of layoffs/job cuts, etc?
Information access related risk goes up during a workforce reduction. At the scale that some organizations have had to de-provision users, a lack of automation has made it nearly impossible to revoke access in a timely fashion.

What can data center/IT managers at small to midsized enterprises do to make sure they have access management under control in their enterprises?
Implement a strong access governance framework that leverages a role-based approach for access delivery. This will ensure that access to information resources is appropriate for a particular functional or process role and provides a preventative control point that can be applied at the point of requesting access or making a change to access.

Wednesday, October 20, 2010

Getting Access Management Under Control in Your Enterprise

- Chris Wraight, Senior Director, CA Security Management (www.ca.com), says:

Former company employees still have access to proprietary data and organizational information after they’ve left the job for a number of reasons. Any instance where former employees still have access to corporate systems and data is a serious business and compliance issue. From a technical security perspective, this is a problem that identity and access management can help solve. When an employee joins a company, they are granted access to systems, servers, applications and data based on their role or identity in an organization. Ideally that new employee should have access to all the information he or she needs to be productive when they start their job on day one.

The converse is true when an employee leaves a job or is terminated. The expectation by the business and auditors is that all access granted to that employee is terminated immediately. Some possible reasons why access may not immediately be terminated include:

• The HR staff or systems did not communicate to the IT staff or systems that an employee has left the company.

• Third party applications that a business might use that aren’t federated into an organization’s access management system may not learn of an employee’s termination immediately, and that individual would still have access to that application.

There are several reasons data center and IT managers need to be concerned about rogue and unauthorized access to their systems:

• Generally, failure to manage server resources and their access has been directly responsible for high profile data breaches. In October 2008, a fired computer engineer for a large mortgage broker was arrested and charged with planting a malicious software script designed to permanently destroy millions of dollars worth of data from all 4,000 servers operated by the mortgage company. Despite his dismissal on October 24, his highly privileged computer access wasn't terminated until late into the evening because of bureaucratic procedures in the procurement department, according to court documents.

• Compliance. Regulations such as HIPAA, PCI DSS, Sarbanes-Oxley, the EU Privacy Directive, Basel II and others all have a requirement for compliance that server access is controlled, tracked and logged. Sarbanes-Oxley adds a “segregation of duties” requirement to ensure that complex business processes are distributed among resources to provide checks and balances.

• Intellectual property confidentiality. One industry survey showed that 59% of former employees admitted to stealing confidential company data. They did it while still employed, but if they had access after being terminated, nothing is to stop them from keeping the flow of corporate IP coming their way.

• Access to virtualized servers. Organizations are adopting virtualization technology to reduce total cost of ownership and improve quality of service of IT systems. An effective solution must ensure that only authorized users perform authorized operations on the hosting system. And, all sensitive administrative activities on both the hosting operating system and guest virtual machines must be closely audited for compliance requirements as well as risk mitigation.

What special issues does an increasingly mobile and telecommuting workforce bring into play?

A privileged user management system should be able to maintain its policies across the enterprise, regardless of where the user is. In addition, the system should have a ‘break glass’ workflow that facilitates one-time use passwords when necessary, with appropriate approvals. An example would be an IT crisis on a weekend that can be fixed remotely, but privileged access to a server or application is required. The system should allow an IT senior manager to approve a special, one-time (and time limited) use password that allows an IT specialist access to resolve the issue. And, like any other privileged user, their actions have to be recorded and tracked for audit purposes.

How do you keep track of privileged users and what they do?

Use software that can manage who the privileged users are, and what they are allowed to do. The software should also track their actions and easily produce reports for compliance audits. Ideally, the software should be able to simultaneously manage server access as well as privileged user access to devices and applications across operating environments.
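The ‘break glass’ workflow described in the answer above (a second person approves, the password is one-time and time-limited, every step is recorded for audit), as an added example that is not CA’s product or code; the class and method names, the approver set and the sample accounts are constructed for illustration.

```python
"""Break-glass workflow: approved, time-limited, single-use privileged access.

Added example, not CA's product or code. BreakGlass/request/approve/redeem and
the sample requester and approver names are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    request_id: str
    requester: str
    target: str
    reason: str
    approver: Optional[str] = None
    secret: Optional[str] = None
    expires_at: Optional[datetime] = None
    used: bool = False


class BreakGlass:
    """Issues a one-time password only after an authorized second person approves."""

    def __init__(self, approvers, ttl=timedelta(hours=2)):
        self.approvers = set(approvers)
        self.ttl = ttl
        self.grants = {}
        self.audit = []  # (when, actor, event) -- the record auditors ask for

    def _log(self, now, actor, event):
        self.audit.append((now, actor, event))

    def request(self, requester, target, reason, now):
        request_id = secrets.token_hex(4)
        self.grants[request_id] = Grant(request_id, requester, target, reason)
        self._log(now, requester, f"requested {target}: {reason}")
        return request_id

    def approve(self, request_id, approver, now):
        g = self.grants[request_id]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorized approver")
        if approver == g.requester:
            raise PermissionError("requester may not approve their own request")
        g.approver = approver
        g.secret = secrets.token_urlsafe(16)      # one-time password
        g.expires_at = now + self.ttl             # time-limited
        self._log(now, approver, f"approved {request_id} for {g.requester} on {g.target}")
        return g.secret

    def redeem(self, request_id, secret, now):
        g = self.grants.get(request_id)
        ok = (g is not None and g.secret is not None
              and secrets.compare_digest(g.secret, secret)
              and not g.used and now < g.expires_at)
        if ok:
            g.used = True   # single use: presenting the same secret again is refused
        actor = g.requester if g else "unknown"
        self._log(now, actor, f"redeem {request_id}: {'granted' if ok else 'denied'}")
        return ok


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    bg = BreakGlass(approvers={"it.director"}, ttl=timedelta(hours=1))
    rid = bg.request("oncall.eng", "db-prod-01", "weekend outage", t0)
    pw = bg.approve(rid, "it.director", t0)
    print(bg.redeem(rid, pw, t0 + timedelta(minutes=10)))   # True, then False on replay
    for entry in bg.audit:
        print(*entry)
```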

Friday, October 15, 2010

Enterprise Access Management: It's YOUR Data

- Rob Grapes, chief technologist from Cloakware (www.irdeto.com/cloakware.html), says:

Why do former company employees still have access to proprietary data and organizational information after they’ve left the job?

There are many reasons that company employees still have access to company data and information after they’ve left. Here are a few examples:
  • They may have taken the data with them before leaving, perhaps on disk or USB token. Other studies have reported that employees do not necessarily understand that having access to data does not give them the right to copy it.
  • In some cases, employees have maliciously created new, unauthorized entry points to their networks, such as the case of network administrator Terry Childs from the City of San Francisco.
  • It may be that a former employee is leveraging the sympathies of a remaining employee to gain access to the data.

Why should managers be concerned about access management in light of the current rate of layoffs/job cuts?

Companies are realizing that access management is far easier to implement and maintain than complex encryption, key management or rights management systems.

What can managers do to make sure they have access management under control in their enterprises?

  • Access management is not a one-time task; it is an ongoing management effort that can be aided by many automation tools and utilities to simplify efforts, enhance efficiency, improve coverage and enable the least level of privilege while allowing administrators/users to do their jobs.
  • Recertification is a relatively new initiative to review on a regular basis the rights/permissions assigned to a user or role. It is recommended that organizations of all sizes begin to recertify the permissions assigned to their users and administrators.
What special issues does an increasingly mobile and telecommuting workforce bring into play?

  • Mobile and telecommuting users stretch the boundaries of the “trusted network”. Fortunately, there are many tools to help establish trusted connections for remote sessions; however, the registration model for these tools can sometimes break down as you go beyond mobile and telecommuting workers to “trusted” partners rather than insiders.
  • Federated identity systems will help with this new model of trust, yet few organizations have fully embraced the federated trust model to date. 

Thursday, October 14, 2010

Getting Serious About Access Management

- David Ting, co-founder and CTO of Imprivata (www.imprivata.com), says:

Why do former company employees still have access to proprietary data and organizational information after they’ve left the job?

There are several reasons that employees could still have access to company data and systems after leaving a job, regardless of whether they did so voluntarily or involuntarily. In most cases, this happens because there is a lag time between an employee being terminated and his/her system access being eliminated. Often the administrator has to disable the user’s access at several different points (network, applications, buildings) within the enterprise. Depending on the organization, this operation can take some time.

Some organizations do not escort terminated employees out of the facility right away, giving them time to clean up their belongings—which can be enough time to cause major damage, as evidenced by the logic bomb planted by the outgoing Fannie Mae employee earlier this year. In other organizations, employees are escorted from the building and stripped of their building access right away, but not of their remote access—giving them the time to head to the local Starbucks and transfer sensitive information to their personal devices before anyone catches on.

The underlying problem in both of these instances is the lack of a connection between the physical identity and logical identity of an employee. In short, the building access system is completely different from the network access system—neither talks to the other, nor are both monitored by the same people. Without a bridge between the two—or at least a strong policy or manager making the needed connections—there will continue to be lapses between access removals, creating a huge security issue for the company.

IT departments are not immune to layoffs themselves, meaning that in many cases administrators are expected to do more with fewer resources.

Layoffs and job cuts often drive hiring of contractors, or non-permanent employees. Providing access to non-employees presents a different set of security risks as they can be less trusted than employees and their access privileges are often temporary, restricted and remote.

Trust is not a good security policy. For proof, just consider the number of insider related security breaches over the last year.

To be successful at your job, you need to understand exactly what data employees are accessing, how they are doing it and from where. The ability to track and audit usage is critically important. Having confidence in who is accessing your system means believing more than just who someone is as a username and password. Strong authentication and a comprehensive model of device-based authentication need to be in place to prove employee identity—especially when sensitive customer or company data is at stake.

The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows for corporate wide deployment of this technology—technology that can prevent the nightmare of what happens to your company and its reputation if the wrong person gets onto a computer, onto the network, or uses an application to steal information.

Wednesday, October 13, 2010

Access Management: Get Serious

- Kurt Johnson, vice president of corporate development at Courion Corporation (www.courion.com), says:

It should be noted that the proliferation of web-based applications, particularly Salesforce.com, and ubiquitous collaboration tools like Microsoft SharePoint, make it even harder for organizations to keep track of which systems employees are accessing, without the use of automated access management tools. A 2008 survey conducted by Courion found that more than 36% of companies do not monitor SharePoint usage on their networks, yet 87% consider SharePoint a source of concern for sensitive data leaks.

Even when an organization can recognize all of the systems an employee has access to, there can be a lag time between when an employee is let go and when HR communicates to IT that an employee has been terminated. A recent Courion survey found that 48% of organizations take more than one business day to alert IT about employee terminations. During this lag time – which can sometimes be days or even weeks – former employees can access data and subject an organization to untold data breaches.

Probably the single biggest reason former employees are sometimes able to access company information is the time and effort it takes for a company to manually de-provision an employee. For companies not using automated provisioning and de-provisioning systems, it can take hours to de-provision access for a single employee as employees often have access to more than a dozen separate applications. In the case of a wide-scale layoff, it could take several weeks to manually de-provision all terminated employees.

Why is access management important?
In a tough economy with wide-scale layoffs, internal threats posed by disgruntled former employees become as significant a threat for IT managers as external hackers. In this regard, access management is becoming a key component of IT security. By analyzing trends such as when active employees access applications and for what reasons, IT managers can observe anomalous usage (e.g., a sudden amount of high activity within an SAP database at 2 a.m.) that can indicate employee misconduct. For example, according to press reports, Abdirahman Ismail Abdi resigned from a position as an internal auditor at the California Water Service Company (CWSC) in San Jose and, later that evening, logged onto some accounts where he still had access and transferred $9 million to offshore bank accounts in Qatar.

IT managers should also be concerned about the threat of collaboration between disgruntled employees and cybercriminals, who are increasingly approaching and bribing employees to provide them with sensitive data or access to the systems housing the data. Under normal circumstances, employees typically refuse to conspire with cybercriminals; however, disgruntled employees could be more tempted to make money and facilitate cybercrime. It’s not surprising that employees are the most dissatisfied at the time when they are unexpectedly laid off. If access to a recently-terminated employee’s accounts is not quickly turned off, “zombie accounts” will exist, which can be an easy vector for cybercrime. IT managers should make disabling access a priority to protect their organizations against the vulnerabilities that zombie accounts and unhappy ex-employees can cause.

What does an increasingly mobile and telecommuting workforce bring into play?
From an IAM viewpoint, the same rules that apply to assuring the access and security of traditional workers apply to mobile workers and telecommuters. Likewise, IAM systems have gained the capacity to provision devices – such as laptops and smart phones. Thus, when an employee no longer works for a company, IT can block device access to internal company systems at the same time that network access is de-provisioned.

For some companies, managing access rights for contractors is especially complex because they are often not included in a single consolidated HR system of record the way employees are. The provisioning/de-provisioning solution should be flexible enough to integrate with systems besides the core HR system to track and manage access rights for contractors as they enter and leave the organization’s employ.

Courion offers such solutions as the AssetLink Connector, which extends its core Access Assurance capabilities to provision and manage access to a wide variety of assets including mobile phones and laptops. Courion also offers a RIM Connector, which integrates with the Blackberry Enterprise Solution, to automatically provision and de-provision access to Blackberry devices and support compliance with such regulatory requirements as HIPAA. It is important that organizations consider all of the access points that employees utilize to view company data, and that they take steps to ensure that all communication streams are protected.
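The de-provisioning lag, “zombie accounts” and unmanaged contractor access discussed in this post (and the “leaver” control, HR-to-IT communication gap and badge-versus-network split raised in the Aveksa, CA and Imprivata posts above) come down to one reconciliation: compare the HR system of record against every account inventory. The following is an added example, not Courion’s (or any vendor’s) code; the roster, the account inventory across systems and the one-business-day SLA are constructed data.

```python
"""Leaver reconciliation: find accounts that outlive the employee.

Added example, not a vendor's product. Roster, accounts and SLA are constructed.
Each account is joined to the HR roster; three kinds of finding come out:
  zombie        terminated owner, account still enabled
  late_disable  account was disabled, but later than the SLA after termination
  orphan        account whose owner has no HR record at all (e.g. a contractor)
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    system: str                 # "ad", "vpn", "sharepoint", "salesforce", "badge"
    owner: str                  # employee id the account maps to
    enabled: bool
    disabled_at: Optional[datetime] = None


@dataclass
class Finding:
    owner: str
    system: str
    kind: str
    detail: str


def reconcile(roster, accounts, now, sla=timedelta(days=1)):
    """roster: {employee_id: termination datetime, or None if still employed}."""
    findings = []
    for acct in accounts:
        if acct.owner not in roster:
            # Never entered the HR system of record: no leaver event can ever reach it
            findings.append(Finding(acct.owner, acct.system, "orphan", "no HR record"))
            continue
        term = roster[acct.owner]
        if term is None:
            continue                                  # active employee, nothing to check
        if acct.enabled:
            age = now - term
            findings.append(Finding(acct.owner, acct.system, "zombie",
                                    f"still enabled {age.days}d after termination"))
        elif acct.disabled_at is not None and acct.disabled_at - term > sla:
            lag_h = (acct.disabled_at - term).total_seconds() / 3600
            findings.append(Finding(acct.owner, acct.system, "late_disable",
                                    f"disabled {lag_h:.0f}h after termination"))
    return findings


def summarize(findings):
    """Count findings per kind: the number a manager wants on one line."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data. e300 shows the physical/logical split: the badge was
# pulled at the door within minutes, but the network account is still live.
SAMPLE_ROSTER = {
    "e100": None,                                # active employee
    "e200": datetime(2010, 10, 1, 17, 0),        # left 1 Oct, 17:00
    "e300": datetime(2010, 10, 8, 12, 0),        # laid off 8 Oct, noon
}
SAMPLE_ACCOUNTS = [
    Account("ad", "e100", True),
    Account("ad", "e200", False, datetime(2010, 10, 1, 17, 30)),     # within SLA
    Account("vpn", "e200", False, datetime(2010, 10, 5, 9, 0)),      # 88h late
    Account("salesforce", "e200", True),                             # never disabled
    Account("badge", "e300", False, datetime(2010, 10, 8, 12, 5)),   # badge revoked
    Account("ad", "e300", True),                                     # network still live
    Account("sharepoint", "c900", True),                             # contractor, no HR row
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, datetime(2010, 10, 13, 9, 0)):
        print(f"{f.kind:13} {f.owner:5} {f.system:11} {f.detail}")
```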