BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Role-Based Access for Your Teams

Posted May 2, 2011    Morey Haber

Regulatory controls all require the access restriction of sensitive data to the individuals that need to know. Many corporate policies also segregate users to access devices by geographical location or by platform and function. Vulnerability data is sensitive information. In the wrong hands, it provides a blueprint on how to potentially access systems without proper permissions and provisioning.  Many discussions have occurred regarding how to safeguard this data internally and how trusting you should be of a SaaS solution to house this data. Regardless of the vulnerability management solution implementation, restricting improper access to assessment data has traditionally been IP address based. That is a list of IP addresses or host names which governs who has access to what vulnerability assessment data and assets. People generally refer to these as “Sites” or “Policies”.  Within eEye we refer to them as “Smart Groups”.

In many organizations, IP addresses are not allocated per business function. Subnets can have a mix of printers, desktops, and occasionally servers. Subnets are generally allocated for the raised floor, DMZ, and other supporting infrastructure but the user space and supporting infrastructure is generally all over the board and not standardized. Many companies still do not even use standardized naming conventions for hosts and this represents another challenge for asset identification. So, how do you build role based access for a Desktop Administrator when they may have a dynamic IP list to manage; especially in consideration of DHCP? How would you delegate VA data to the infrastructure team for let’s say for only Cisco devices? Do you even have a list of all the devices that can be imported and is it maintained regularly for corrected assessment and ultimately proper role based access?

In a previous blog, I discussed advanced targeting techniques with Retina CS and how a Smart Group can be constructed on any OS, software installed, patterns in the host name, etc. Consider this technique also applies to the Role Based Access Model within Retina CS. Various Smart Groups can be constructed for only Desktop Operating Systems, Windows Servers, Red Hat Linux, or even only Cisco Devices completely independent of the IP addresses assigned to them. Retina CS will maintain the group automatically with each subsequent scan of the target and keep them up to date regardless of host name or any other traditional “Site” based techniques. The User Based Security Model within Retina CS allows you then to assign User Groups to the Smart Groups and control access based on business function rather than just traditional IP space. If users are uncomfortable with that model, Smart Groups can be built from Address Groups and Active Directory just like any other traditional VA solution or even better, a combination of both! Users can be restricted to a certain platform or device type and the IP range it may be present in. For an enterprise environment, this is priceless. A remote office can have VA data solely for a Desktop Admin in the building he/she works in regardless of DHCP and device type; workstation or laptop.

 

Consider that role based access for your vulnerability assessment data means so much more in the proper hands rather than in the wrong hands. It can improve your overall security posture and make sure individual teams are response for their security patches and not just the security team providing reports on how to fix the problem. Role based access is a fundamental part of Retina CS and will help you change the way you manage vulnerability data within your environment; secure, role based, and business function delegated. For more information on Retina CS, please click here.

Leave a Reply

Additional articles

powerbroker-for-mac-diagram-small

PowerBroker for Mac: A Least-Privileged Apple a Day…

Posted July 27, 2015    Jason Silva

BeyondTrust PowerBroker for Mac reduces the risk of privilege misuse by enabling standard users on Mac OS X to perform administrative tasks successfully without entering elevated credentials.

Tags:
, ,
PrivilegedAccountManagement

On Demand Webinar – Now is the time for Privileged Account Management

Posted July 24, 2015    BeyondTrust Software

In this webinar, SANS Instructor and Founder of Voodoo Security, Dave Shackleford, will revisit several hacking and breach scenarios that involved privileged accounts, and use these as examples while discussing tools and tactics to get this problem under control once and for all.

Tags:
, ,
dave-shackleford-headshot

Privileged Account Management: The Time is Now

Posted July 22, 2015    Dave Shackleford

There’s plenty of problems we don’t have great options for in InfoSec today. Malware is a pain point that keeps evolving rapidly. 0-day exploits are tough to prepare for. Privileged account management? We got this. We know the root causes, we know how it manifests, we know how to get it under control effectively, and there are great technology solutions that are enterprise-class.

Tags:
, ,