Exhibit 2 shows the platform architecture.
Exhibit 2: Osirium platform architecture
Osirium’s PxM 6.1.0 platform offers four modules: privileged access management (PAM), privileged task management (PTM), privileged session management (PSM) and privileged behaviour management (PBM). The solution consists of software loaded on to a server (Osirium server) and an application that is loaded onto the desktop of privileged users. The Osirium server is installed as a virtual appliance and acts as a proxy server between the privileged user and the end device. End devices managed by Osirium software include servers, routers, switches, databases, and load balancers. Also available via the desktop client is the web management interface. This is the interface that allows the customer (ie the superadmin) to manage and implement role-based access controls.
Although many customers deploy Osirium’s software on-premises, the company has also made its software available on AWS and Azure for cloud deployment.
Privileged access management (PAM)
Once the superadmin has defined which devices the Osirium software will manage, the Osirium server connects to each of these devices using its library of device knowledge. The software identifies all the privileged accounts associated with each device. This means the superadmin can remove obsolete accounts (eg those belonging to leavers or used for test purposes) and assess whether privileges have been correctly assigned. Via the web management interface, the superadmin can grant privileged access to users.
Exhibit 3: Accessing an end device with or without Osirium software
Source: Edison Investment Research
All passwords for privileged accounts are saved on the Osirium server in the Osirium Keystore. When a privileged user wants to access a device, they must authenticate themselves on the Osirium server using the customer’s preferred method, eg user password or two-factor authentication. The user is presented with a list of all devices for which they have privileged access and under each device they can see which tools and tasks they can access (as Osirium describes it, ‘Identity in, role out’). They then select the device they want to access, and the Osirium server provides the correct password to the device. This is the Osirium virtual ‘air gap’ – the user never actually sees the passwords for the privileged accounts. Instead, as long as the user’s identity is verified by the Osirium server, they can access all their privileged accounts with the passwords never making their way onto the user’s workstation. Analysis by Verizon in 2014 calculated that 86% of passwords are obtained from user workstations, with only 10% via phishing and 4% from brute force (ie repeatedly guessing the password until the correct one is found). If the password is not available on a workstation, this significantly reduces the ability of a hacker to obtain it.
Passwords can be managed by the Osirium server in several ways. Initially, customers often set up the server to use existing passwords and manage the life-cycling of passwords themselves. Once comfortable with using the software, customers often switch to password-management mode, which means the Osirium software takes care of the password life-cycling – this is more secure as no users would know the passwords to any devices.
Integration with ticket management software
To provide an additional level of security, the Osirium Change Management tool requests a change/incident ticket reference and comment before a task or tool is opened by a user. Once the ticket has been opened, all subsequent connections and tasks are tracked under this ticket reference. Multiple tools and tasks can be used under each ticket, and multiple users can work under the same ticket. Admin reports show all connections made under each ticket reference. Osirium can be integrated with ServiceNow to validate ticket references entered into the Osirium Change Management tool.
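The brokering flow described in the PAM, password-management and ticketing paragraphs above, as a constructed toy model: the user authenticates and is shown a role-derived list of devices and tools, the broker injects the stored password and returns only a session handle, every action is tagged with a ticket reference, and password rotation changes a credential nobody has seen. This is added example code, not Osirium’s own; the Broker class, device_connect stand-in, sample users and devices are all invented.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data (not Osirium's): what each device will accept, mirrored
# by the server-side keystore. Neither value is ever returned to a user.
DEVICE_CREDS = {("fw-01", "admin"): "fw-initial-pw", ("db-01", "root"): "db-initial-pw"}
GRANTS = {  # user -> device -> tools/tasks the role allows ('identity in, role out')
    "alice": {"fw-01": {"ssh", "close-port"}, "db-01": {"sql"}},
    "bob": {"fw-01": {"close-port"}},  # delegated task only, no interactive shell
}

def device_connect(device, account, password):
    """Stand-in for the real end device: accept the login only if the password matches."""
    if DEVICE_CREDS.get((device, account)) != password:
        raise ConnectionRefusedError(f"{device}: bad credentials for {account}")
    return {"device": device, "account": account, "conn": secrets.token_hex(4)}

@dataclass
class Broker:
    keystore: dict                      # (device, account) -> password, held server-side only
    grants: dict
    audit: list = field(default_factory=list)

    def entitlements(self, user):
        """What the user sees after authenticating: devices and tools, never passwords."""
        return {dev: sorted(t) for dev, t in self.grants.get(user, {}).items()}

    def _authorise(self, user, device, action, ticket):
        if not ticket:
            raise PermissionError("change/incident ticket reference required")
        if action not in self.grants.get(user, {}).get(device, set()):
            raise PermissionError(f"{user} may not use {action} on {device}")
        self.audit.append({"ticket": ticket, "user": user, "device": device, "action": action})

    def open_tool(self, user, device, tool, ticket, account):
        """Broker the session: inject the stored password, hand back a handle with no password in it."""
        self._authorise(user, device, tool, ticket)
        conn = device_connect(device, account, self.keystore[(device, account)])
        return {"session": f"{ticket}:{user}:{conn['conn']}", "device": device, "tool": tool}

    def run_task(self, user, device, task, ticket, account, fn):
        """Delegate the task, not the privilege: fn runs inside the broker with the credential."""
        self._authorise(user, device, task, ticket)
        return fn(device_connect(device, account, self.keystore[(device, account)]))

    def rotate(self, device, account):
        """Password-management mode: a fresh random password set on the device and in the keystore."""
        DEVICE_CREDS[(device, account)] = self.keystore[(device, account)] = secrets.token_urlsafe(16)
```

The audit list is what a per-ticket admin report would be built from: each entry carries the ticket reference, so several users and tools working under one ticket are grouped together.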
‘Plays well with’ automatic device enrolment
Each time Osirium engineers encounter a new device they have not seen before, they go through a process to register it so it is compatible with Osirium’s software. It is then automatically added to the ‘Plays well with’ list that contains all devices that can be managed by the Osirium server.
Providing security for legacy applications and operating systems
Osirium’s MAP server is an innovative way to enable customers to continue to use devices that rely on legacy applications and operating systems. Companies often have key business processes or devices that rely on software that is no longer supported by the original software vendor. This legacy software could contain vulnerabilities and could therefore be a key target for hackers. Sysadmins often end up installing a variety of different legacy applications and different versions of operating systems either on their own machines, or on dedicated (often shared) desktops, all of which increase the risk of a security breach.
The user loads the legacy software management application onto the MAP server. When the user wants to access a device that uses legacy software, the Osirium server determines which management tool is required and projects its window onto the user’s workstation. This means that the user is isolated from the legacy software. Instead, only the Osirium server is allowed to communicate with the MAP server, effectively isolating it and creating a ‘security cell’ for the legacy software.
The PTM software enables a business to automate frequently performed tasks that require privileged access, such as user password resets or opening/closing firewall ports. This enables companies to delegate the task rather than the privilege, ie the user will be able to perform specific tasks on a device but will not have more general privileged access to the device. We view this as a form of robotic process automation, with the focus on security.
Analysis of the use of task automation by several customers has shown that time savings of up to 98% per task are possible, which has the benefit of freeing up staff to undertake more complex work. By predefining tasks and reducing the amount of user input required, accuracy is greatly increased, which improves both efficiency and security. This is particularly helpful for companies that outsource a high volume of support activity, as it means that third parties do not need to be granted as much privileged access. An MSSP can delegate the top 20 or 30 tasks to first-line support, sure in the knowledge the tasks will be performed securely and accurately. As long as the user is authenticated by the Osirium server, the user will then have access to all their individual delegated tasks.
We understand that the level of task automation enabled by Osirium’s software is well ahead of that offered by other PAM vendors, and was the key reason for Gartner’s inclusion of the company in its Cool Vendor list.
The R&D team develops enhancements to the PxM platform on a continuous basis. Over the last year, this has included further development of the MAP solution for legacy software, introducing Elastic Stack to reduce the processing load on a customer’s infrastructure generated by the behaviour analytics undertaken by the PBM module, and adding ‘App-less’ access for third parties (a web access gateway). This provides a web connection between a third party (typically an outsourcer) and the customer’s infrastructure such that the third party does not need to run the customer’s applications on their own infrastructure.
Other significant projects that are underway include:
■ Project OPUS: this is the development of the next generation of task automation. This will add the ability to deal with tasks that go wrong during run-time, eg the expected firewall has been swapped out for a different supplier so the task does not complete. Osirium is working to develop software that would identify the issue and automatically update the task. The company is aware that in many companies, developers are writing their own tasks in a multitude of different languages. The company is developing software that rates the security of this code and suggests improvements to make it more secure and more effective.
■ Endpoint privilege management (EPM). Osirium recently announced a strategic technology partnership with RazorSecure to jointly deliver cybersecurity solutions specifically for the critical national infrastructure (CNI), transport and industrial internet of things markets. RazorSecure develops machine-learning-based endpoint privilege management software – this builds a baseline of ‘normal’ activity to define what processes and applications are expected and how they are likely to use resources, making it easier to identify rogue behaviour. RazorSecure’s technology is used in CNI, in particular in the rail network, where it is able to detect intrusion and generate automated responses on systems that are not always connected. RazorSecure is also going to adapt its EPM software for use by Osirium, which will resell it as part of its PxM platform. EPM functionality has been requested by customers, and this relationship will bring it to Osirium’s product range faster than if Osirium were to develop it in-house.
■ Multi-factor authentication. Osirium is working to expand the number of multi-factor authentication companies its software can integrate with.
■ Clustering. The company is developing the ability to cluster instances of Osirium servers together to ensure high availability, based on the concept of a Raft database. This should mean that a much higher number of devices could be managed by an installed instance. The goal is that the servers should be able to communicate with each other to enforce the rule that there is only one instance of an ID at any one time.
In January 2016, the company filed three patents in the area of privileged access and related automation innovation in the UK, Europe and the US; it is hard to predict when the final decision will be made whether to grant the patents – the process can take up to five years from filing.