Published: 18 November 2013
Explaining the new report layout
For some time now, Osirium has included management reports as a page in the Web UI. For version 4, we have made them more informative and print optimised.
In this piece we're going to look at what the report numbers tell us, what use they are, and how we can make them better reading for our management colleagues.
Users is the number of users defined in Osirium. Another way of looking at this is the number of defined inbound credentials.
Devices is effectively n+1 devices you are managing with Osirium, the +1 is because Osirium is a device itself, which it is managing.
Accounts is more interesting, in that this is the total number of accounts that Osirium has found on devices and this is where password compliance is shown.
The password management coverage column outlines percentage of each device account type found. This is what they each mean:
i) Osirium Managed. These are the most 'compliant' device accounts. Osirium created these accounts, only Osirium knows the password and it will regularly refresh them. If these accounts are no longer referred to in profiles then Osirium will delete these accounts, thus completing the whole password life cycle management.
ii) Password Managed. These are the next most 'compliant' device accounts. Osirium has changed the passwords on these accounts and will regularly update them. If these accounts are not used in any profiles, Osirium will not delete or modify other than password update.
iii) Password Known. These device accounts can only be considered 'compliant' if there are organisational procedures in place to refresh the passwords. Although the compliance is low this is still a very useful class of device accounts. In particular, these are useful for third parties or vendors. For example, if you needed to give a vendor 'Admistrator' access to a device you'd have the knowledge of that password leaving your organisational boundaries, but, with Osirium, you can create an account for the vendor and then place the device in that profile using the Password Known state. The vendor then transparently accesses the device, but never gets to know the original password.
iv) Approved. These device accounts tend to be internal or service accounts. These are accounts that systems need to operate in the first place and are mostly defined by the operating system itself or backup and anti-malware software. Osirium knows about these accounts and never presents them for deletion or modification.
v) Unapproved. These are all the other device accounts that were found. Osirium can't account for these and therefore marks them as the least compliant state.
The proportion of these values then makes up the piechart and the colours from green through red show the most 'compliant' to the least. Once you manage to get all you accounts under control, all the red in the pie chart disappears. Now you'll have a great management report, and your privilege user risk will be in great shape too.