BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Role-Based Access for Your Teams

Posted May 2, 2011    Morey Haber

Regulatory controls all require the access restriction of sensitive data to the individuals that need to know. Many corporate policies also segregate users to access devices by geographical location or by platform and function. Vulnerability data is sensitive information. In the wrong hands, it provides a blueprint on how to potentially access systems without proper permissions and provisioning.  Many discussions have occurred regarding how to safeguard this data internally and how trusting you should be of a SaaS solution to house this data. Regardless of the vulnerability management solution implementation, restricting improper access to assessment data has traditionally been IP address based. That is a list of IP addresses or host names which governs who has access to what vulnerability assessment data and assets. People generally refer to these as “Sites” or “Policies”.  Within eEye we refer to them as “Smart Groups”.

In many organizations, IP addresses are not allocated per business function. Subnets can have a mix of printers, desktops, and occasionally servers. Subnets are generally allocated for the raised floor, DMZ, and other supporting infrastructure but the user space and supporting infrastructure is generally all over the board and not standardized. Many companies still do not even use standardized naming conventions for hosts and this represents another challenge for asset identification. So, how do you build role based access for a Desktop Administrator when they may have a dynamic IP list to manage; especially in consideration of DHCP? How would you delegate VA data to the infrastructure team for let’s say for only Cisco devices? Do you even have a list of all the devices that can be imported and is it maintained regularly for corrected assessment and ultimately proper role based access?

In a previous blog, I discussed advanced targeting techniques with Retina CS and how a Smart Group can be constructed on any OS, software installed, patterns in the host name, etc. Consider this technique also applies to the Role Based Access Model within Retina CS. Various Smart Groups can be constructed for only Desktop Operating Systems, Windows Servers, Red Hat Linux, or even only Cisco Devices completely independent of the IP addresses assigned to them. Retina CS will maintain the group automatically with each subsequent scan of the target and keep them up to date regardless of host name or any other traditional “Site” based techniques. The User Based Security Model within Retina CS allows you then to assign User Groups to the Smart Groups and control access based on business function rather than just traditional IP space. If users are uncomfortable with that model, Smart Groups can be built from Address Groups and Active Directory just like any other traditional VA solution or even better, a combination of both! Users can be restricted to a certain platform or device type and the IP range it may be present in. For an enterprise environment, this is priceless. A remote office can have VA data solely for a Desktop Admin in the building he/she works in regardless of DHCP and device type; workstation or laptop.

 

Consider that role based access for your vulnerability assessment data means so much more in the proper hands rather than in the wrong hands. It can improve your overall security posture and make sure individual teams are response for their security patches and not just the security team providing reports on how to fix the problem. Role based access is a fundamental part of Retina CS and will help you change the way you manage vulnerability data within your environment; secure, role based, and business function delegated. For more information on Retina CS, please click here.

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,