Insight Remote Support 7.0.9 Security White Paper
Inbound Security
Remote Device Access requires an inbound connection from HP to a customer-designated access server. HP understands
that IT security policies within organizations vary considerably. Therefore, HP offers a number of remote access solutions
(depending on the service level agreement) designed to meet customer security requirements. All of HP solutions use
standard techniques that include SSH, IPSec, and HTTPS. HP offers both hardware and software solutions which can be
configured to ensure that the customer is always in control of the connection. HP also has options that allow the customer
to view and monitor a support specialist’s activities.
All HP support specialists must adhere to the same standards of business conduct as onsite HP engineers, and are only
allowed to initiate a connection with the customer’s approval and a valid business need. Access restrictions can be placed
on specific connection profiles to limit HP's access to a subset of support personnel. Access restrictions can be restricted
by region and/or country. It can also be restricted to HP support personnel for a specific product platform. Access controls
can also be restricted to specific HP personnel. Access controls can be enforced both at HP (before the connection is
initiated) and again at the CAS (see the vCAS solution). This model ensures that both the HP Account Manager and the
customer administrator can control HP access to the customer network. Internally, HP uses two-factor authentication to
control access through the HP Remote Access Connectivity (RACS). Additionally, all connections, attempted and successful,
to customer systems are logged.
Security Auditing
All attended RDA connection attempts from HP to customers are logged. The acting user, start and stop times of the
connection, and the connection status are logged. The connection status will indicate failures such as improper
authentication and authorization. This tracking information is retained for 13 months.