A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

Security Overview
Chapter 2: HP Insight Remote Support Advanced
Outbound Security
Because HP SIM and Insight Remote Support Advanced collect event information from all monitored
servers inside of the customer’s IT environment, external firewalls only need to be configured to allow
outbound HTTPS connections between the CMS and the HP data center. Details of the connection
requirements are provided later in this document. Both remote device monitoring and remote data
collection establish an outbound connection to HP using SSL/TLS over HTTPS, providing both
confidentiality and integrity of the information being transmitted to HP.
Inbound Security
HP Remote Device Access requires an inbound connection from a Secure Access Server at HP to a
customer-designated access server (CAS) on the customer corporate network. HP understands that
security policies can vary significantly by customer and even by organization or network compartment
within the customer enterprise. Therefore, HP offers a number of remote access solutions (depending on
the service level agreement) that are designed to meet most customers’ security requirements. All HP
RDA solutions use standard techniques that include one or more of the following services: SSH, IPsec
and HTTPS. HP offers both hardware and software based remote access solutions that can be configured
to ensure that the customer always has control of the connection. HP also has an option that allows the
customer to actively view and monitor a support specialist’s activities during a remote access session.
All HP support specialists engaged in a remote access session must adhere to the same standard of
business conduct as onsite HP engineers. Remote engineers must have a valid business need and
customer approval prior to engaging in a remote access session. Access to the HP Remote Access
infrastructure is restricted to HP Employees providing remote support services directly to customers.
Access to a specific customer can be further restricted to a subset of support personnel within HP, based
on country, region, job function or on a white-list of named HP support personnel. HP requires two-factor
authentication for all users accessing the remote access infrastructure inside of HP. Only authenticated
users that are granted permission to access a specific customer connection will be allowed to initiate a
connection with that customer. All connection attempts (successful and unsuccessful) are logged by the
HP Remote Access infrastructure.
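
The outbound and inbound connection model described above can be checked against an exported firewall rule set. The following is an added example, not part of the HP document or HP software: it flags allow rules that are wider than outbound HTTPS from the CMS to the HP data center, or wider than inbound connections from the HP Secure Access Server to the CAS (inbound rules are checked by source and destination only). The rule format, the addresses (documentation ranges) and the names `Rule`, `audit` and `SAMPLE_RULES` are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed placeholders (RFC 5737 documentation ranges), not real HP or
# customer addresses; substitute the endpoints from your own deployment.
CMS = ipaddress.ip_network("192.0.2.10/32")               # customer CMS
CAS = ipaddress.ip_network("192.0.2.20/32")               # customer access server
HP_DATA_CENTER = ipaddress.ip_network("198.51.100.0/28")  # assumed HP range
HP_SAS = ipaddress.ip_network("203.0.113.5/32")           # assumed Secure Access Server

class Rule(NamedTuple):  # hypothetical export format for an "allow" rule
    direction: str  # "out" or "in"
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # "tcp", "udp" or "any"
    port: str       # port number or "any"

def audit(rules):
    """Return (rule, reasons) for each allow rule wider than the documented model."""
    findings = []
    for rule in rules:
        src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
        reasons = []
        if rule.direction == "out" and src.overlaps(CMS):
            if not dst.subnet_of(HP_DATA_CENTER):
                reasons.append("CMS egress reaches beyond the HP data center")
            if (rule.proto, rule.port) != ("tcp", "443"):
                reasons.append("CMS egress is not limited to HTTPS (tcp/443)")
        elif rule.direction == "in":
            if not src.subnet_of(HP_SAS):
                reasons.append("inbound source is not the HP Secure Access Server")
            if not dst.subnet_of(CAS):
                reasons.append("inbound destination is not limited to the CAS")
        if reasons:
            findings.append((rule, reasons))
    return findings

SAMPLE_RULES = [  # constructed rule set
    Rule("out", "192.0.2.10/32", "198.51.100.0/28", "tcp", "443"),  # as described
    Rule("out", "192.0.2.0/24", "0.0.0.0/0", "tcp", "443"),         # any destination
    Rule("out", "192.0.2.10/32", "198.51.100.0/28", "tcp", "80"),   # plain HTTP
    Rule("in", "203.0.113.5/32", "192.0.2.20/32", "tcp", "22"),     # as described
    Rule("in", "203.0.113.5/32", "192.0.2.0/24", "tcp", "22"),      # whole subnet
    Rule("in", "0.0.0.0/0", "192.0.2.20/32", "tcp", "443"),         # any source
]

if __name__ == "__main__":
    for rule, reasons in audit(SAMPLE_RULES):
        print(rule, "->", "; ".join(reasons))
```
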
Data Security
HP maintains the availability of the Insight Remote Support Advanced infrastructure and collected data
with highly-available servers housed in redundant data centers. Configuration and Event data is stored in
the Remote Support Data Center. Specific data elements in the event and configuration data sent to HP
that may contain potentially sensitive configuration information such as IP address and full hostname as
well as administrator contact information are encrypted using AES encryption with a 192-bit key in the
database and on backup media. This data may be extracted and temporarily stored in an unencrypted
database in a secure HP Datacenter facility while analysis is being performed. Only authorized HP
personnel can access the data stored in the HP Datacenter.
Data Collection and Privacy
As part of HP Mission Critical Support, customer information and event data may be transmitted to and
stored at HP for the purpose of delivering contractual services and support.