User Validation is the doorway to remote access.
All ForestSafe users must exist as Windows domain users. Access is via a Web Page either by credential entry or Single Sign On.
Segregation of roles is a focus of both COBIT and the Sarbanes-Oxley Act. It is vital that partitions exist between the various functions of a system so that employees in one section cannot interfere with the work of others.
Every ForestSafe function can be added to or removed from the ForestSafe Administrator's desktop using Administrator Role Management. Access to system functions is completely granular.
Access Approval is available to apply an extra layer of authority between users and the hosts that they are allowed to access remotely.
A ForestSafe approval can be configured to begin immediately or in the future, and set to terminate at a given time. During this period the Administrator requiring Approval has view of the approved target.
Access Control Lists define which hosts Administrators are allowed to access, and also which user accounts they log on with.
ForestSafe is configured to create hierarchies of “Host Containers”. Administrator Roles are mapped against any container in the hierarchy and will inherit any hosts present in the sub-containers. The ForestSafe Administrator is presented with a restricted list of choices based on either their current approvals or, if the approval layer is not enabled, the contents of the host container associated with their Administrator Role.
Target Identity ratification is a final security check, made before remote access is allowed, that the host being accessed is the real host and not a “Man in the Middle”.
For every ForestSafe host configured for access via SSH, a public key or fingerprint is requested from the host on discovery. This key is stored against the host record and compared every time a remote access takes place.
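The pin-at-discovery and compare-on-every-access check described above, as an added example (not ForestSafe's own code). `HostKeyStore`, `fingerprint`, `make_key_line` and the host name are hypothetical, and the keys are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line, in the SHA256:... form."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob embeds its own key type; reject lines where the two disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Hypothetical stand-in for the host records: one pinned fingerprint per host."""

    def __init__(self):
        self._pins = {}

    def discover(self, host: str, pubkey_line: str) -> None:
        """Pin the key seen at discovery; an existing pin is never silently replaced."""
        if host in self._pins:
            raise KeyError(f"{host} already has a pinned key")
        self._pins[host] = fingerprint(pubkey_line)

    def verify(self, host: str, presented_line: str) -> bool:
        """True only if the key presented now matches the one pinned at discovery."""
        pinned = self._pins.get(host)
        if pinned is None:
            return False  # unknown host: fail closed
        return hmac.compare_digest(pinned, fingerprint(presented_line))


def make_key_line(raw_key: bytes) -> str:
    """Build a constructed ssh-ed25519 public key line (sample data, not a real key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw_key))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    store = HostKeyStore()
    store.discover("db01.example.internal", make_key_line(bytes(range(32))))
    print(store.verify("db01.example.internal", make_key_line(bytes(range(32)))))  # same key
    print(store.verify("db01.example.internal", make_key_line(bytes(range(1, 33)))))  # changed
```

A mismatch on `verify` is the case to alert on and block: either the host was legitimately rebuilt and needs re-discovery, or something is answering in its place.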
Remote Access Validation is the final doorway to the remote system.
Remote terminal validation is either by credential entry or Single Sign On. If Single Sign On is disabled, the Administrator can be given access to the self-service password vault to also retrieve the password.