A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
2.3.1 Application Security
HP Insight Remote Support Advanced is a plug-in component that utilizes an existing customer server (known
as the Central Management Server or CMS) with HP Systems Insight Manager (HP SIM) installed. Since the
CMS is customer-owned and installed, it can be installed and configured according to the customer’s IT
security policy. It is important that the integrity and authenticity of the Insight Remote Support Advanced
software is maintained to prevent unauthorized changes. HP's Remote Support Software Management solution
allows customers to choose how they wish to manage the software applications for Insight Remote Support
Advanced. These options include,
automatic on-line updates
(install all updates during a predetermined
maintenance window),
manual on-line updates
(notify the administrator when updates are available, and
let the administrator choose when to install them), and
do not use automatic software management
(this
option requires the administrator to periodically install updates manually from the HP Software Depot). All
updates downloaded by the HP SIM software update mechanism are digitally signed and verified before
they are executed.
2.3.2 Outbound Security
Because HP SIM and Insight Remote Support Advanced collect event information from all monitored servers
inside of the customer’s IT environment, external firewalls only need to be configured to allow outbound
HTTPS connections between the CMS and the HP data center. Details of the connection requirements are
provided later in this document. Both remote device monitoring and remote data collection establish an
outbound connection to HP using SSL/TLS over HTTPS, providing both confidentiality and integrity of the
information being transmitted tio HP.
2.3.3 Inbound Security
HP Remote Device Access requires an inbound connection from a Secure Access Server at HP to a
customer-designated access server (CAS) on the customer corporate network. HP understands that security
policies can vary significantly by customer and even by organization or network compartment within the
customer enterprise. Therefore, HP offers a number of remote access solutions (depending on the service
level agreement) that are designed to meet most customer’s security requirements. All HP RDA solutions use
standard techniques that include one or more of the following services: SSH, IPSEC and HTTPS. HP offers
both hardware and software based remote access solutions that can be configured to ensure that the customer
always has control of the connection. HP also has an option that allows the customer to actively view and
monitor a support specialist’s activities during a remote access session.
All HP support specialists engaged in a remote access session, must adhere to the same standard of business
conduct as onsite HP engineers. Remote engineers must have a valid business need and customer approval
prior to engaging in a remote access session. Access to the HP Remote Access infrastructure is restricted to
HP Employees providing remote support services directly to customers. Access to a specific customer can be
further restricted to subset of support personnel within HP, based on country, region, job function or on a
white-list of named HP support personnel. HP requires two factor authentication for all users accessing the
remote access infrastructure inside of HP. Only authenticated users that are granted permission to access a
specific customer connection will be allowed to initiate a connection with that customer. All connection
attempts (successful and unsuccessful) are logged by the HP Remote Access infrastructre.
2.3.4 Data Security
HP maintains the availability of the Insight Remote Support Advanced infrastructure and collected data with
highly-available servers housed in redundant data centers. Configuration and Event data is stored in the
Remote Support Data Center. Specific data elements in the event and configuration data sent to HP that may
contain potentially sensitive configuration information such as IP address and full hostname as well as
administrator contact information are encrypted using AES encryption with a 192-bit key in the database
and on backup media. This data may be extracted and temporarily stored in an unencrypted database in
a secure HP Datacenter facility while analysis is being performed. Only authorized HP personnel can access
the data stored in the HP Datacenter.
2.4 Data Collection and Privacy
As part of HP Mission Critical Support, customer information and event data may be transmitted to and
stored at HP for the purpose of delivering contractual services and support.
2.4 Data Collection and Privacy 17