Third Party Access Protection

Outsource your IT Services, not your Trust and Security

Organizations usually outsource IT services to 3rd party providers for reasons of cost, service flexibility and specific knowledge or expertise.

These providers are then typically given full VPN access even though they are essentially new and untrusted suppliers. They are also given unlimited privileged access, well in excess of what they need to do their jobs. As a result, these 3rd party “outsiders” actually become “trusted insiders”, often more powerful than the authentic insiders of the home organization.

The misuse of privilege in the hybrid-cloud world has become one of the most critical security challenges, because uncontrolled access to Privileged Accounts opens a “barn door” through which untrusted 3rd parties can compromise data and inflict cyber-attacks, ultimately causing irreparable damage to the business and its corporate reputation.

Osirium manages third party access to your systems with time windows and session recording.

    Feature Highlights

    Single Access Point

    Provides a central point of control for all 3rd party access into hybrid-cloud infrastructures of many different technologies, including networking devices, Windows, Unix and even Web-based applications.

    Generic Account Access

    Allows 3rd party access to infrastructure devices/systems using generic Admin/Administrator accounts WITHOUT revealing the password.

    Intermediate levels of accounts such as read-only can also be shared.

    Personalised Account Access

    Create and fully manage the lifecycle of personalised accounts for each 3rd party requiring access, including the automatic renewal of long and strong passwords, without revealing them to the SysAdmin teams.

    3rd parties are automatically granted secure access using their own credentials, with full audit trails recorded on both the end devices and Osirium.

    SSO with Password Injection Security

    Single Sign On is performed by injecting the required credentials as the connection request passes through Osirium’s proxies.

    This means passwords are never sent down to the client, thereby removing the possibility that sniffing memory, or looking at command strings within the process tree, will ever reveal a password.

    Searchable Device List

    3rd parties can use the Desktop Client to easily search for devices by name, type, IP/name etc.

    Adding meta information such as location, country or use also enriches the way 3rd parties can search for and find devices.

    Connection Alerts

    Alerts can be raised whenever a 3rd party establishes a connection to a device or system.

    This provides real-time information on who is accessing and working on critical problems while they happen.

    Time Windowed Access

    3rd party access can be restricted to specific time windows, so whether overnight, at weekends or during routine daily maintenance, specific change windows can restrict write permissions to certain times.

    Read-only access control can also be used to complement the restricted write access, allowing for in-house diagnostics and troubleshooting.

    Connection Options

    3rd party access connections can be restricted to various options, such as controlling drive mapping or adding clipboard support in Remote Desktop connections.

    Session Recording

    All 3rd party access can be recorded, providing a video-style playback of each session (including a fast-play mode) along with a thumbnail view for rapid review of sessions.

    Keystrokes are also captured to help locate where specific commands were typed.

    Session Shadowing

    3rd party access sessions can also be viewed in real-time.

    This enables 3rd party access to be monitored while it happens, without the need to give up a workstation in a remote control session.

    The Red Box

    When a session is being recorded, a Red Box appears around the window providing a clear indication to the 3rd party that they are being monitored and recorded.

    Optionally, this red box feature can be disabled.

    Visibility

    Osirium provides a real time view of exactly who is accessing which device.

    It can also show for how long, with what level of access and the activity performed on that device.

    I realised that the beauty of task delegation was twofold: first, privileges need not be granted in the first place, and second, the tasks are consistent and audited.

    thinkmoney

    Feature Highlights cont.

    Data Collection Tasks

    3rd parties can be given easy-to-run tasks (known as Tech-outs) which collect diagnostic data and download it from Osirium.

    This allows data to be collected in the background without allowing direct privileged access to the device. Alerts can also be sent when tasks are performed.

    Question Tasks

    Automation tasks can be used to ask IT service questions such as: “Is X service running?”, “What port is the VLAN on?”, “How much disk space is available in the root partition?” Many common investigative questions can be answered through tasks that do not require direct privileged access to devices.

    Known Fault Workaround Tasks

    Common fixes can be packaged up into automation tasks to enable 3rd parties to perform known fixes, without the risks of privileged access.

    Whether flushing a cache or restarting a number of services in the correct order, Known Fault Workaround tasks enable 3rd parties to reliably fix problems error-free but without risky privileged access.

    Admin Tasks

    Repetitive admin tasks such as “adding users to groups” or “resetting regular user passwords” can be packaged up to create pre-approved error-free tasks that can be performed during times when direct privileged access is not permitted.

    This also allows unskilled staff to make changes without needing privileged expertise.

    Learn from 3rd Party Expertise

    When utilizing 3rd parties for expert level services, the sessions can be recorded to provide training material for internal staff to learn from the expert’s actions.

    Co-manage Devices

    Osirium provides a clear and concise view of all actions taken by all parties on a device.

    This allows for closer co-managed arrangements and less time spent on configuration disputes.

    Passive Deployment

    Osirium can be deployed as a password “Vault” to simply store access credentials without refreshing the passwords.

    This allows access to be granted to 3rd parties with an entirely passive deployment of Osirium, with no changes or disruption to the existing device accounts.

    Agent-less Technology

    No agents are required to be installed in order for access to be controlled and recorded by Osirium.

    All the information on how to connect to devices is stored in Osirium’s Knowledge Templates, which can be customized, or new ones created, to perfectly fit the requirements of any organization, now and in the future.

    Strong Authentication Support

    Osirium supports external authentication through RADIUS, allowing 3rd parties to authenticate using strong or two-factor authentication.

    This allows multiple steps to be run, followed by tasks to check that it has executed correctly, or in the case of failure, third parties can also be given local accounts within Osirium, without needing to create accounts elsewhere in the infrastructure, i.e. AD accounts. A full password policy can be applied to these local accounts.

    Third Party Access Protection Features
