Granular Access Control
Achieve your security goals with granular access control
IT security teams face a double-edged sword: they have to protect sensitive data while enabling users across the organization to maintain productivity. Core Privileged Access Manager (BoKS) enables you to bridge this gap with granular privileged access management.
As a result, your organization can become more secure, simplify your approach to meeting compliance requirements, and increase overall operational efficiency.
Core Privileged Access Manager (BoKS) improves your security posture by enabling you to implement fine-grained security controls across your Linux/Unix infrastructure.
- Define and enforce who is granted elevated privileges, when, from where, and how
- Control which commands privileged users can execute ("SUDO") and audit privileged activity
- Implement granular assignments for who can switch sessions ("SU")
- Assign groups of commands instead of giving open root access to all commands
- Use policy to define which SUDO sessions are keystroke logged based on risk and user
- Remove the need for distribution of sudoers files with configuration management solutions or scripts
Access Control Types
Core Privileged Access Manager (BoKS) provides separate access policy control definitions for the following access types:
- Console login
- Secure shell (SSH)
- Secure file transfer (SFTP)
- Secure command execution (SSH Exec)
- Secure remote command execution (SSH REXEC)
- SSH proxy
- SSH tunneling
- SSH X11
- Privileged switch user (SU)
- Privileged command execution (SUEXEC), a functional equivalent of SUDO
The solution also features legacy support for insecure access types, to be enabled with mitigating controls:
- Serial Port login
Access Control Constraints
All granular access control rules can carry constraints, set per rule according to how the rule operates:
- Which host group or host to connect to
- Which host or network the user can attempt to connect from
- Time of day range
- Day of the week range
- Which authentication method(s) should be in place to verify the user
- The depth of keystroke logging, if applicable
Core Privileged Access Manager (BoKS) can be used with a wide variety of authentication methods. However, not all methods apply to all access rule types.
- User password
- Password of target account (e.g., when using SU or SUEXEC)
- SSH user key
- SSH host key (secure and auditable)
- SSH X.509 user certificate authentication
- SSH X.509 host certificate authentication
- Kerberos session key authentication
- X.509 certificate authentication (soft token)
- PKI certificate-based authentication with smart card or USB token
- Biometric API authentication unlocking PKI smart card token
- RADIUS user password/PIN authentication
What Granular Access Control Means to You
Meet Compliance Quickly
Quickly meet the access/authorization regulations required by SOX, HIPAA, GLBA, PCI DSS, FDCC, and FISMA.
Reduce Admin Overhead
Achieve efficiency and scalability in how your team assigns access controls.
Access control definitions must be explicitly defined in policy; otherwise, access attempts will be blanket-denied and terminated in a Core Privileged Access Manager (BoKS) domain.