pappa_recd1 Absent Member.

Customer Requirement

Hi,

We have a custom requirement for one customer. Below is the requirement

Present Architecture
1. Vendor accesses client servers via 3 methods
a. Site to Site VPN connection – Vendor user logs into the client servers directly
b. Site to Site VPN connection via a jumpbox – Vendor user connects to a jumpbox (Red Hat Linux 6.2) (in Vendor network) with the AD credentials and from there the Vendor logs into the client servers, DB and apps
c. Remote VPN connection – Using Cisco VPN AnyConnect the Vendor logs into the client network and then accesses the client servers, databases and applications

Use Cases
1. Vendor wants to replace the jumpbox with a PAM solution
2. Vendor wants the activities of the users logged into the servers, applications and DBs to be monitored
a. For Admin / Super user access, an approval workflow should be triggered to the manager of the user (manager attribute in AD) (NOTE: No IDM is present)
b. Key Stroke Logging Feature to be present for the user activities
c. Command Control feature to be enabled
i. Revoke Access on issuance of non-permissible commands
ii. Non-permissible commands should trigger a notification to the user and the user’s manager, picking the manager attribute from AD
iii. Indexing of records based on commands / behavior
3. Entire PAM solution should be capable of getting deployed in Vendor network and should monitor client servers (NOTE: No PAM Agents are allowed to be deployed on client servers)
4. The video recording sessions should have the capability for video tagging and highlighting of the event flow being captured, so that at the time of an incident the administrators will not have to watch the complete video to get the event analysis

Please let me know if the use cases can be achieved using the latest PAM version. NOTE: No IDM is present in the scenario.

Regards,
Prabhat
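As an added illustration (not the product's code and not part of the original post), the following sketch shows how the command-control logic of use case 2c could be evaluated over a keystroke log: revoke the session on a non-permissible command, resolve the AD manager attribute for notification, and index records by command. The log line format, account names, mail addresses and deny list are all constructed assumptions.

```python
import re
# Constructed stand-in for the AD lookup: account -> mail and 'manager' attribute (a DN).
AD_USERS = {
    "vuser1": {"mail": "vuser1@vendor.example", "manager": "CN=mgr1,OU=Vendor,DC=example,DC=com"},
    "mgr1":   {"mail": "mgr1@vendor.example",   "manager": None},
}
# Constructed deny policy: commands a vendor session is not permitted to issue.
DENY_PATTERNS = [
    re.compile(r"^(sudo\s+)?(shutdown|reboot)\b"),
    re.compile(r"^(sudo\s+)?userdel\b"),
]
# Assumed keystroke-log line format: "<ts> session=<id> user=<account> cmd=<text>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+session=(?P<sess>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

def manager_mail(account):
    """Resolve the user's AD 'manager' DN to the manager's mail address (None if unset)."""
    dn = AD_USERS[account]["manager"]
    if not dn:
        return None
    cn = dn.split(",")[0].split("=", 1)[1]          # "CN=mgr1,OU=..." -> "mgr1"
    return AD_USERS[cn]["mail"]

def evaluate(log_lines):
    """Return (decisions, command_index, revoked_sessions) for a list of log lines."""
    decisions, index, revoked = [], {}, set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # ignore malformed lines
        sess, user, cmd = m["sess"], m["user"], m["cmd"].strip()
        index.setdefault((cmd.split() or ["<empty>"])[0], []).append(sess)  # iii: index by command
        if sess in revoked:                           # access already revoked: block everything
            decisions.append({"session": sess, "cmd": cmd, "action": "blocked-revoked", "notify": []})
            continue
        if any(p.search(cmd) for p in DENY_PATTERNS):
            revoked.add(sess)                         # i: revoke access on a non-permissible command
            mgr = manager_mail(user)                  # ii: notify the user and the AD manager
            notify = [AD_USERS[user]["mail"]] + ([mgr] if mgr else [])
            decisions.append({"session": sess, "cmd": cmd, "action": "revoke", "notify": notify})
        else:
            decisions.append({"session": sess, "cmd": cmd, "action": "allow", "notify": []})
    return decisions, index, revoked

SAMPLE_LOG = [  # constructed keystroke-log lines
    "2017-12-06T23:10:01Z session=s1 user=vuser1 cmd=ls -la /var/log",
    "2017-12-06T23:10:09Z session=s1 user=vuser1 cmd=sudo shutdown -h now",
    "2017-12-06T23:10:12Z session=s1 user=vuser1 cmd=whoami",
    "2017-12-06T23:11:00Z session=s2 user=vuser1 cmd=tail -n 50 /var/log/messages",
]
```

Running `evaluate(SAMPLE_LOG)` revokes session s1 at the `shutdown` command, blocks the later `whoami` in that session, and leaves session s2 untouched.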
Knowledge Partner

Re: Customer Requirement

On 12/06/2017 11:16 PM, pappa recd1 wrote:
>
> We have a custom requirement for one customer. Below is the requirement
>
> Present Architecture
> 1. Vendor accesses client servers via 3 methods
> a. Site to Site VPN connection – Vendor user logs into the client
> servers directly
> b. Site to Site VPN connection via a jumpbox – Vendor user connects to a
> jumpbox (Red Hat Linux 6.2) (in Vendor network) with the AD credentials
> and from there the Vendor logs into the client servers, DB and apps
> c. Remote VPN connection – Using Cisco VPN AnyConnect the Vendor logs into
> the client network and then accesses the client servers, databases and
> applications
>
> Use Cases
> 1. Vendor wants to replace the jumpbox with a PAM solution
> 2. Vendor wants the activities of the users logged into the servers,
> applications and DBs to be monitored
> a. For Admin / Super user access, an approval workflow should be triggered to the
> manager of the user (manager attribute in AD) (NOTE: No IDM is present)
I am not sure what you mean by this; anytime anybody wants to run any
command as a privileged user they want a manager to approve it on the fly?
Surely that is not the request.

> b. Key Stroke Logging Feature to be present for the user activities
> c. Command Control feature to be enabled
> i. Revoke Access on issuance of non-permissible commands
> ii. Non-permissible commands should trigger a notification to the user
> and the user’s manager, picking the manager attribute from AD
> iii. Indexing of records based on commands / behavior
> 3. Entire PAM solution should be capable of getting deployed in
> Vendor network and should monitor client servers (NOTE: No PAM Agents are
> allowed to be deployed on client servers)
> 4. The video recording sessions should have the capability for video
> tagging and highlighting of the event flow being captured, so
> that at the time of an incident the administrators will not have to watch
> the complete video to get the event analysis
Other than perhaps my question on the approval side I think PUM/PAM has
been able to do this for a while. With that in mind, though, it is
probably worthwhile to point out that monitoring a single jumpbox is
pointless if the users, as you described, still have another method in,
e.g. directly. I presume those other methods would need to go away entirely.

Also, perhaps notable, is I do not believe PUM/PAM has any kind of
provisioning for actual accounts. You mentioned they do not have IDM, so
they may need to get it, or something similar, unless they are going to
push out accounts manually or something horrible like that.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Micro Focus Expert

Re: Customer Requirement

This is a good question for PM. Please feel free to reach out to me for help in contacting if needed.
Micro Focus Frequent Contributor

Re: Customer Requirement

If you would like to suggest a Privileged Account Manager enhancement idea, please submit your idea here: https://ideas.microfocus.com/MFI/pam