white paper
Secure Remote Vendor Access to the Enterprise Data Center
To maximize uptime and lower total cost of ownership, more and more enterprises are allowing their IT equipment vendors and service providers to access their network to diagnose and, when possible, resolve issues remotely. However, current remote service methods—such as technology for remote network access that is customized for remote vendor access—can introduce risk and security vulnerabilities to the enterprise data center. Considering that a single security breach can cost an organization millions of dollars (not to mention market cap and negative PR), enterprises are questioning whether their current remote service methods are putting them at risk. To minimize risk while achieving high availability of their data centers, companies are seeking a centralized, secure, and easy-to-manage platform that is specifically designed for securing remote vendor access—without exposing the network to the security vulnerabilities and costs of modems, VPNs, or other changes to the network or security infrastructure. This next-generation platform must increase the accountability of service providers by offering complete visibility into how they perform against their service-level agreements (SLAs) as well as auditing capabilities for internal and external compliance reporting, while enabling vendors to leverage the benefits of outsourcing while maintaining or increasing margins.
Today’s Complex, Always-On Enterprise
As recently as the late 1990s, the number of applications for which IT was responsible to support seemed somewhat manageable. Today, with the wide adoption of the Internet, application technology has evolved into distributed systems in geographically dispersed locations that reach beyond corporate firewalls. Applications now comprise different—often temperamental and fragile—technology layers, such as storage servers, routers, switches, Web servers, as well as the applications themselves. These highly complex, interdependent layers make it challenging for IT departments to maintain technology knowledge while achieving high availability. To handle the class of problems that require expert-level assistance, organizations increasingly rely on third-party experts, who, in turn, diagnose issues by accessing their networks with mostly reactive network-connectivity solutions. These solutions open the enterprise to security vulnerabilities by granting access to untrusted users and providing inadequate control and auditing to meet compliance requirements.
[Figure 1 diagram: VLAN (Internet) with VPN connection; VLAN (DMZ) with switch/router and Web servers; VLAN (Internal) with switch/router, application server cluster, SAN fiber switches, database server cluster, directory server cluster, storage arrays and tape backup.]
Figure 1: Typical example of a high-availability architecture.
The Pitfalls of Current Network-Connectivity Solutions
There’s a movement underway for IT organizations to harden their network access policies and procedures. This involves removing modem and desktop-sharing access, while providing capabilities to monitor and control all third-party activities. At the same time, increasing collaboration between enterprises and their service ecosystem of external vendors, partners, and service providers is the impetus behind more efficient and secure remote access and support solutions. Legacy technologies are a stop-gap measure to solve third-party remote access needs, often requiring IT to cobble together firewalls, modems, and VPNs. Although these approaches may suffice for the short term, increasing demand and complexity will quickly make these solutions unmanageable and highly expensive to maintain. The majority of these network-connectivity solutions fall short in meeting the top-line objectives of enterprises, which include:
• Managing Risk – Modem solutions are used pervasively across the organization, but they are widely known to be a high security risk.
• Reducing Cost – Internal organizations dedicate far too much time and effort reviewing, approving, and provisioning third-party access.
Secure Remote Vendor Access to the Enterprise Data Center
Top Features and Benefits of Axeda ServiceLink for Data Centers
Centralized Management – Easily enforcing and changing access security policies is the key to effective remote user management. Axeda ServiceLink gives administrators control over all devices and user access, saving time and lowering costs, when compared to managing connections via VPNs or modems.
Secure Access – Patented Firewall-Friendly™ technology establishes a secure connection between an external vendor and an internal endpoint within your network. This granular level of control provides you with a secure method of connecting your devices to your service partners—without requiring any changes to IT security policies.
User Authentication – Supports RADIUS, LDAP, and Active Directory for authentication and authorization information, while easily overcoming firewall or NAT issues. This ensures complete user and information authentication.
Case Management – Enables support organizations to manage and track activities to resolve device issues. Case records aggregate all the actions (who, what, when, and results) executed within Axeda ServiceLink to troubleshoot and resolve problems. Business rules enable cases to be automatically assigned to technicians with the expertise for that particular device. Finally, maintain a single system of record for your case data by seamlessly integrating case data with your existing ticketing system.
Tracking and Auditing – All remote sessions through the platform are tracked and monitored in real time, with easy report generation and audit trails that comprehensively record each session, including user, device, application, time, and activity. These granular tracking and auditing capabilities help your organization comply with government and industry regulations.
Service Metrics Visibility – Monitored devices are configured to collect data that measures the performance and state of the devices. Data generated by the device can be reported on, graphed, and displayed to understand how devices and service providers are performing via key performance indicators (KPIs) and service-level agreements (SLAs).
End-to-End Security – Provides complete end-to-end layered security, including network, device, and data-layer security controls. Data is sent securely over the Internet using HTTPS with SSL encryption (up to 168-bit) and/or optional AES encryption (up to 256-bit).
• Achieving Compliance – Current network-connectivity solutions provide no way of meeting external and internal compliance requirements, which are driving the need for improved visibility and control over third-party access.
• Improving Operations – Service and support processes that require external assistance are cumbersome and disruptive to the business.
Enterprise Today

Modem
• Low speed connection
• Minimal security and control
• High costs associated with phone lines

Desktop Sharing
• Auditing capabilities are limited or do not exist
• End users often need to give up control of their workstations
• Security issues related to granting workstation/network access
• Third party can assume network credentials (authorization and access control) of internal user

VPN
• Requires significant IT involvement to configure, manage, and maintain
• Often requires install of remote client software at each end point
• Designed for network access rather than point-to-point access; requires additional technology to limit access control once on the network

Common Issues
• High Costs
• Security Risks
• Poor Auditing

Figure : Common deficiencies with today’s remote service methods.
Introducing Axeda ServiceLink for Data Centers
Axeda® ServiceLink for Data Centers is the solution for managing secure external access directly to mission-critical equipment within your private network—without exposing the network to the security vulnerabilities and costs associated with modems, VPNs, or other changes to your network or security infrastructure. Unlike network-connectivity solutions alone, Axeda ServiceLink is a fully integrated platform with a suite of browser-based applications for providing secure collaboration between manufacturers, service providers, and enterprises. As a result, enterprises can lower operating costs while better managing security risks and optimizing the operation of mission-critical equipment. Finally, Axeda ServiceLink is also the only VeriSign® security certified remote service platform in the industry, providing IT organizations with the protection, control, and regulatory compliance required for managing a multi-vendor services community. The following table outlines how Axeda ServiceLink for Data Centers enables enterprises to achieve their top-line goals by overcoming the barriers and challenges that current network-connectivity solutions cannot address.
Goal: Manage Risk
Barriers/Challenges:
• Undisciplined remote access and support process promotes random, anonymous activities that are difficult to detect and control.
• Organization may be at risk to security vulnerabilities without controls and policies.
Axeda ServiceLink for Data Centers Solution:
• Provides connection to external vendors and service providers directly to the equipment that they support.

Goal: Reduce Costs
Barriers/Challenges:
• Excessive time and effort dedicated to reviewing, approving, and provisioning third-party access.
• Existing tools and technologies are expensive and cannot solve the remote access and support challenge.
Axeda ServiceLink for Data Centers Solution:
• Reduces the number of costly onsite visits to repair and maintain your equipment, which can cause business disruptions and security risks for your data center.
• Eliminates expensive dial-up or leased phone lines associated with modems.
• Includes a suite of browser-based applications for vendors to resolve problems more quickly.

Goal: Improve Operations
Barriers/Challenges:
• Internal resources spend too much time troubleshooting and solving complex device problems.
• Service and support processes that require external assistance are cumbersome and disruptive to the business.

Goal: Achieve Compliance
Barriers/Challenges:
• External and internal compliance requirements are driving the need for improved visibility and control over third-party access.
• Current technologies do not provide the granular detail to demonstrate effective controls are in place.
Axeda ServiceLink for Data Centers Solution:
• Provides complete control and auditing capabilities that ensure you comply with regulations, such as Sarbanes-Oxley.
• Enables you to monitor vendor activities without exposing your network to their computers or networks.

Goal: Track Service Levels
Barriers/Challenges:
• Lack visibility into third-party activities and return on investment of service and support dollars.
• Unable to properly review service-level metrics achievement.
• Business decisions on service and support contracts are based on anecdotal evidence rather than factual data.
Axeda ServiceLink for Data Centers Solution:
• Features an enterprise-class analytics engine and key performance indicator (KPI) management capabilities that allow you to monitor all your service metrics easily and effectively.
• Includes easy-to-use yet powerful graphing and charting capabilities for quickly creating intuitive dashboards and reports that show how your organization’s internal and external KPIs are tracking to your established SLAs for all your service metrics.
Secure, Proven Remote Service and Support Platform
As the pioneer in remote service software, Axeda enables top storage vendors, such as EMC, Quantum, NetApp, and Egenera, to provide secure, proactive remote service to their customers. Axeda ServiceLink has the built-in security features, such as customer policy control and auditing, to drive acceptance in highly secure locations, including banks, hospitals, laboratories, and government facilities.
With Axeda ServiceLink for Data Centers, Axeda brings our proven experience in remote service solutions to the enterprise, providing secure, audited access for all your vendors and service providers.
[Figure diagram: Vendor 1, Vendor 2, Service Provider and Internal IT (External Service & Support) connect through Axeda ServiceLink for Data Centers to the Enterprise Data Center.]
Figure : Axeda ServiceLink enables secure collaboration between manufacturers, service providers, and enterprises to optimize the operation of mission-critical data center equipment.
No Changes Required to IT or Security Infrastructures
Axeda’s Firewall-Friendly™ technology provides two-way communication based on Web Services standards including Hypertext Transfer Protocol (HTTP), Simple Object Access Protocol (SOAP), and eXtensible Markup Language (XML). No changes to your IT security infrastructure are required to support remote monitoring and diagnostics. In addition, all communication between the data center of the manufacturer or service provider and the customer site is encrypted using Secure Sockets Layer (SSL) up to 168 bits.
Establish and Enforce Device Security and Data Privacy Policies
Axeda ServiceLink enables authorized IT administrators to establish and enforce the privacy policy for all of your IT equipment in a single place. Axeda ServiceLink includes a software application that resides on your network, providing a comprehensive and granular set of permission settings that continuously governs behavior. This includes which kinds of data and files can leave the equipment, and which activities the vendor or service provider can conduct on the device. This control applies to every kind of Axeda ServiceLink activity, including handling remote diagnostics, retrieving log files, running sessions, and executing commands and scripts. Control can be automatic, based on the set policy, or configured to notify you that an action request is pending.
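The permission model described above, as an added illustration that is not Axeda's code or policy format: a default-deny evaluator that returns allow, deny or pending-approval for each vendor action on a device, restricts which file paths may leave the equipment, and writes a who/what/when/result audit record for every decision. The rule patterns, vendor account names, device identifiers and action names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from fnmatch import fnmatch
from typing import List, Optional


class Decision(Enum):
    ALLOW = "allow"      # action proceeds automatically under the set policy
    DENY = "deny"        # action refused and recorded
    PENDING = "pending"  # action held until an administrator approves it


@dataclass(frozen=True)
class Rule:
    """One permission setting. Patterns are shell-style globs (fnmatch)."""
    vendor: str           # vendor account pattern, e.g. "vendor-storage-*" (assumed)
    device: str           # device identifier pattern, e.g. "san-*" (assumed)
    action: str           # "session", "get_file", "run_command", ... (assumed names)
    decision: Decision
    file_glob: str = "*"  # for get_file only: which paths may leave the device


@dataclass
class PolicyEngine:
    rules: List[Rule]
    audit: List[dict] = field(default_factory=list)

    def evaluate(self, vendor: str, device: str, action: str,
                 target: Optional[str] = None) -> Decision:
        """First matching rule wins; no matching rule means DENY (default-deny)."""
        decision = Decision.DENY
        for rule in self.rules:
            if not (fnmatch(vendor, rule.vendor) and fnmatch(device, rule.device)
                    and fnmatch(action, rule.action)):
                continue
            # A file-retrieval rule covers only the paths it names; any other
            # path falls through to later rules or to the default deny.
            if action == "get_file" and not fnmatch(target or "", rule.file_glob):
                continue
            decision = rule.decision
            break
        # Case-style audit record: who, what, on which device, when, and result.
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "vendor": vendor, "device": device, "action": action,
            "target": target, "result": decision.value,
        })
        return decision


def build_example_policy() -> PolicyEngine:
    """Constructed sample policy for a hypothetical storage vendor account."""
    return PolicyEngine(rules=[
        Rule("vendor-storage-*", "san-*", "get_file", Decision.ALLOW, "/var/log/*"),
        Rule("vendor-storage-*", "san-*", "session", Decision.ALLOW),
        Rule("vendor-storage-*", "san-*", "run_command", Decision.PENDING),
    ])


if __name__ == "__main__":
    engine = build_example_policy()
    print(engine.evaluate("vendor-storage-01", "san-fc-01", "get_file", "/var/log/array.log"))
    print(engine.evaluate("vendor-storage-01", "san-fc-01", "get_file", "/data/customer.db"))
    print(engine.evaluate("vendor-storage-01", "san-fc-01", "run_command", "collect-stats"))
    for entry in engine.audit:
        print(entry)
```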
Secure Communications and Data Confidentiality
Much of the information that travels across the public Internet uses plain text encapsulated within standard HTTP messages. Hackers can gain access to the network at a point close to the source or destination of the message and then capture and view the text of these HTTP messages with readily available tools. Axeda supports the same standard SSL encryption as banks use for online transactions. SSL supports key length up to 168 bits and mutual authentication using certificates. Axeda ServiceLink can also enable secret key AES 256-bit message encryption, which may be used with SSL to encrypt data beyond the Demilitarized Zone (DMZ).
VeriSign Security Certification
Axeda is the only remote service solution provider to receive security certification from VeriSign. Unlike other technology companies that limit validation to application security, Axeda partners with VeriSign to conduct a comprehensive examination of our entire security program. The VeriSign assessment involves three primary areas of evaluation:
• Application Architecture Design Analysis – a review of security in how Axeda ServiceLink was architected
• Application Code Review – a review of Axeda ServiceLink source code for known security flaws and vulnerabilities
• Application-Level Assessment – detailed testing for known security vulnerabilities in Web-based applications
Meeting the Remote Service Needs of the Enterprise Data Center
Axeda ServiceLink is the next-generation secure remote service and support platform that enables enterprise data centers to meet their remote service objectives.
Lower Service-Related Costs
With Axeda ServiceLink, you can rely on a standard and secure method of providing network connectivity to your external vendors and service providers. As a result, you can free up valuable IT resources to work on other high-priority projects and reduce the number of costly onsite visits required to repair and maintain your equipment, which can cause numerous business disruptions and security risks for your data center. Finally, because Axeda ServiceLink uses a secure Internet connection, you have a more cost-effective connection than expensive dial-up or leased phone lines associated with dial-up modems as well as a suite of browser-based applications that vendors can use to resolve problems more quickly.
Manage Security and Risks
As the only remote service management solution to receive a security certification from VeriSign®, Axeda ServiceLink meets the most stringent industry security requirements. By providing user and data authentication, secure and direct person-to-device connectivity, and complete logging of all remote activity, Axeda ServiceLink also provides complete control and auditing capabilities that ensure you comply with regulations, such as Sarbanes-Oxley, and monitor vendor activities without exposing your network to their computers or networks. Most importantly, because this solution does not require you to modify your firewall or add network appliances to control security, you can feel at ease in maintaining your current network and security architecture.
Improve the Operation of Mission-Critical Equipment
On top of providing secure and auditable connections to equipment, Axeda ServiceLink includes a complete set of zero-footprint applications that enable you and your vendors to monitor equipment and compare its performance against the factory-recommended maintenance schedules for planned downtime.
Track Vendor Compliance with Service-Level Agreements
Axeda ServiceLink features an enterprise-class analytics engine and KPI management capabilities that allow you to monitor all your service metrics easily and effectively. Using easy-to-use yet powerful graphing and charting capabilities, you can quickly create intuitive dashboards and reports that clearly show how your organization’s internal and external KPIs are tracking to your established service-level agreements for all your service metrics. Business rules can also alert you immediately when your KPIs fall outside of acceptable SLA parameters, enabling you to take immediate corrective action.
Achieve Regulatory and Internal Compliance
Maintaining and demonstrating control over your critical systems and data is extremely important in today’s age of government and industry regulations. Enterprises are now required to ensure that remote partners comply with corporate and regulatory policies before they can access devices remotely. Legacy technologies, such as modems or VPN appliances, do not provide the granular level of control or auditing to satisfy increasingly more stringent regulations. Axeda ServiceLink provides complete control and detailed audit capabilities to meet even the most demanding regulations.
Summary
Enterprises with large data centers that require high availability and maximum uptime need better and more secure collaboration within their service ecosystem of external vendors, partners, and service providers. Current network-connectivity solutions are no longer sufficient in providing an adequate means of remote access and support. To maintain IT spending while achieving high availability of their data centers, enterprises require a centralized, secure, and easy-to-manage platform that enables third-party service providers to provide proactive, secure remote service and support. Axeda ServiceLink for Data Centers is the next-generation platform to help enterprises achieve those objectives.
About Axeda
Axeda Corporation delivers secure remote service and support capabilities to some of the world’s leading manufacturing companies and large enterprises. Its award-winning ServiceLink solution helps companies, including Abbott Laboratories, Diebold, and EMC, proactively service and support products to drive optimal uptime at the lowest possible cost, while enabling enterprises to effectively secure, control, and track all remote access to critical data centers. In 2006, Axeda became the first and only remote service application provider to receive the prestigious VeriSign® Security Certification. Axeda Corporation is a privately held company headquartered in Foxboro, Mass. and can be reached at www.axeda.com.
25 Forbes Blvd. Suite 3 Foxboro, MA 02035 USA
t +1.508.337.9200 f +1.508.337.9201
www.axeda.com
Copyright © 2004-2007 Axeda Corporation. Axeda is a registered trademark of Axeda Corporation. Axeda Agents, Axeda Applications, Axeda Policy Manager, Axeda Enterprise, Axeda Access, Axeda Software Management, Axeda Service, Axeda ServiceLink, Axeda Usage, and Firewall-Friendly are trademarks and Maximum Results and Maximum Support are servicemarks of Axeda Corporation. All other trademarks are either property of Axeda Corporation or property of their respective owners.