Third Party Access Protection
Outsource your IT Services, not your Trust and Security
Organizations usually outsource IT services to 3rd party providers for reasons of cost, service flexibility and specific knowledge or expertise.
These providers are then typically given full VPN access even though they are essentially new and untrusted suppliers. They are also given unlimited privileged access, well in excess of what they need to do their jobs. As a result, these 3rd party “outsiders” actually become “trusted insiders”, often more powerful than the authentic insiders of the home organization.
The misuse of privilege in the hybrid-cloud world has become one of the most critical security challenges, because uncontrolled access to Privileged Accounts opens a “barn door” through which untrusted 3rd parties can compromise data and launch cyber-attacks, ultimately causing irreparable damage to the business and its corporate reputation.
Osirium’s PxM Platform manages third party access to your systems with time windows and session recording.
Single Access Point
Provides a central point of control for all 3rd party access into hybrid-cloud infrastructures of many different technologies, including networking devices, Windows, Unix and even Web-based applications.
Generic Account Access
Allows 3rd party access to infrastructure devices/systems using generic Admin/Administrator accounts WITHOUT revealing the password.
Intermediate levels of accounts such as read-only can also be shared.
Personalised Account Access
Create and fully manage the lifecycle of personalised accounts for each 3rd party requiring access, including the automatic renewal of long and strong passwords, without revealing them to the SysAdmin teams.
3rd parties are automatically granted secure access using their own credentials, with full audit trails recorded on both the end devices and Osirium.
SSO with Password Injection Security
Single Sign On is performed by injecting the required credentials as the connection request passes through Osirium’s proxies.
This means passwords are never sent down to the client, thereby removing the possibility that sniffing memory, or looking at command strings within the process tree, will ever reveal a password.
Searchable Device List
3rd parties can use the Desktop Client to easily search for devices by name, type, IP/name, etc.
Adding meta information also enriches the way 3rd parties can search and find devices, e.g. location, country, use, etc.
Alerts can be raised whenever a 3rd party establishes a connection to a device or system.
This provides real-time information on who is accessing and working on critical problems while they happen.
Time Windowed Access
3rd party access can be restricted to specific time windows, so whether overnight, at weekends or during routine daily maintenance, specific change windows can restrict write permissions to certain times.
Read-only access control can also be used to complement the restricted write access, allowing for in-house diagnostics and troubleshooting.
3rd party access connections can be restricted to various options, such as controlling drive mapping or adding clipboard support in Remote Desktop connections.
All 3rd party access can be recorded, providing a video-style playback of each session (including a fast-play mode) along with a thumbnail view for rapid review of sessions.
Keystrokes are also captured to help locate where specific commands were typed.
3rd party access sessions can also be viewed in real-time.
This enables 3rd party access to be monitored while it happens, without the need to give up a workstation in a remote control session.
The Red Box
When a session is being recorded, a Red Box appears around the window providing a clear indication to the 3rd party that they are being monitored and recorded.
Optionally, this red box feature can be disabled.
Osirium provides a real time view of exactly who is accessing which device.
It can also show for how long, with what level of access and the activity performed on that device.
I realised that the beauty of task delegation was twofold: first, privileges need not be granted in the first place, and second, the tasks are consistent and audited.
Data Collection Tasks
3rd parties can be given easy-to-run tasks (known as Tech-outs) which collect diagnostic data and download it from Osirium.
This allows data to be collected in the background without allowing direct privileged access to the device. Alerts can also be sent when tasks are performed.
Automation tasks can be used to ask IT service questions such as: “Is X service running?”, “What port is the VLAN on?”, “How much disk space is available in the root partition?” Many common investigative questions can be answered through tasks that do not require direct privileged access to devices.
Known Fault Workaround Tasks
Common fixes can be packaged up into automation tasks to enable 3rd parties to perform known fixes, without the risks of privileged access.
Whether flushing a cache or restarting a number of services in the correct order, Known Fault Workaround tasks enable 3rd parties to reliably fix problems error-free but without risky privileged access.
Repetitive admin tasks such as “adding users to groups” or “resetting regular user passwords” can be packaged up to create pre-approved error-free tasks that can be performed during times when direct privileged access is not permitted.
This also allows unskilled staff to make changes without needing privileged expertise.
Learn from 3rd Party Expertise
When utilizing 3rd parties for expert level services, the sessions can be recorded to provide training material for internal staff to learn from the expert’s actions.
Osirium provides a clear and concise view of all actions taken by all parties on a device.
This allows for closer co-managed arrangements and less time spent on configuration disputes.
Osirium can be deployed as a password “Vault” to simply store access credentials without refreshing the passwords.
This allows access to be granted to 3rd parties with an entirely passive deployment of Osirium, with no changes or disruption to the existing device accounts.
No agents are required to be installed in order for access to be controlled and recorded by Osirium.
All the information on how to connect to devices is stored in Osirium’s Knowledge Templates, which can be customized, or new ones created, to fit the requirements of any organization, now and in the future.
Strong Authentication Support
Osirium supports external authentication through RADIUS, allowing 3rd parties to authenticate using strong or two-factor authentication.
This allows multiple steps to be run, followed by tasks to check that it has executed correctly, or in the case of failure,
Third parties can also be given local accounts within Osirium, without needing to create accounts elsewhere in the infrastructure, i.e. AD accounts. A full password policy can be applied to these local accounts.