Manualshelf

7.0.8 Insight Remote Support Security White Paper

ManualsBrandsHP ManualsSoftwareHP Insight Remote Support Next Gen Software
21222324252627282930
30
over the world. See the HP Worldwide Privacy Statement at:
http://welcome.hp.com/country/us/en/privacy/worldwide_privacy.html.
Outbound Security
All HP RDA Solutions are designed to be used for inbound access from HP to customer networks. All RDA solutions, with
the exception of the Virtual CAS, do not initiate outbound connections without direct user interaction. Confidentiality for
outbound connections is provided by the connection service (SSL over HTTPS, SSH, IPSec etc). Authentication
mechanisms can vary from solution to solution, but all solutions are designed to ensure the privacy and security of all
parties. The Virtual Customer Access System (vCAS) initiates outbound connections to VeriSign.com to validate
certificates, using either OCSP to check the CRL status of an individual certificate, or HTTP to periodically fetch the entire
CRL for the HP Class 2 Certification Authority. The Virtual CAS also periodically connects to the HP repository server
using HTTPS to check for and fetch software updates.
Inbound Security
Remote Device Access requires an inbound connection from HP to a customer-designated access server. HP understands
that IT security policies within organizations vary considerably. Therefore, HP offers a number of remote access
solutions (depending on the service level agreement) designed to meet customer security requirements. All of HP
solutions use standard techniques that include SSH, IPSec, and HTTPS. HP offers both hardware and software solutions
which can be configured to ensure that the customer is always in control of the connection. HP also has options that
allow the customer to view and monitor a support specialist’s activities.
All HP support specialists must adhere to the same standards of business conduct as onsite HP engineers, and are only
allowed to initiate a connection with the customer’s approval and a valid business need. Access restrictions can be
placed on specific connection profiles to limit HP's access to a subset of support personnel. Access restrictions can be
restricted by region and/or country. It can also be restricted to HP support personnel for a specific product platform.
Access controls can also be restricted to specific HP personnel. Access controls can be enforced both at HP (before the
connection is initiated) and again at the CAS (see the vCAS solution). This model ensures that both the HP Account
Manager and the customer administrator can control HP access to the customer network. Internally, HP uses two-factor
authentication to control access through the HP Remote Access Connectivity (RACS). Additionally, all connections,
attempted and successful, to customer systems are logged.
Security Auditing
All attended RDA connection attempts from HP to customers are logged. The acting user, start and stop times of the
connection, and the connection status are logged. The connection status will indicate failures such as improper
authentication and authorization. This tracking information is retained for 13 months.