Teal and the Managed Service

Since 2021, we have been offering our customers not only pure IT security consulting, but also a fully comprehensive managed service for our products. Above all, we have focussed on the topic of system hardening with the Enforce Administrator product.

System hardening of servers and workstations is an essential building block for a secure environment, and our service enables us to provide professional, real-time support for the products we implement in our customers’ environments. This not only enables us to respond promptly to any problems that may arise, but also gives the customer the security of knowing that the systems they are using are always working perfectly.

Since the introduction of our Managed Service, we have therefore been working continuously on simplifying system processes without jeopardising security, improving transparency for the customer and simplifying scalability for small, medium-sized and large companies. – True to the motto: Keep it short and simple – but secure.

How do we make ourselves better and safer?

To be able to provide the managed service securely, we always need secure access to the customer environment. There are two points here that we have paid particular attention to when finding a solution.

1. 1. 1. It is not always possible for the customer to provide all the prerequisites for a secure connection.
      2. In addition, a standardised solution guarantees uniform and secure access to the respective customer environment. As we all know, the devil is in the detail, which is why the solution should be as simple as possible. We were looking for a solution that meets our own high standards of security and manageability. With the BeyondTrust® PAM solution, we have found a system that fully fulfils our expectations.

We recommend that all our customers introduce a tiering model to separate administrative from control activities. This also includes the use of dedicated workstations (PAW) exclusively for administration. We therefore access the BeyondTrust solution exclusively via a dedicated PAW for the managed service.

Enforce Administrator & Managed Service

The example of FBPro’s Enforce Administrator in conjunction with the PAM solution from BeyondTrust® perfectly demonstrates what a scenario can look like for the customer.

Among other things, we offer system hardening via the Enforce Administrator in our portfolio. This involves us hardening the systems in consultation with the customer in accordance with various standards, thereby reducing the attack surface. Rolling out system hardening is one thing, but providing professional support afterwards is another. And this is where our Managed Service comes into play.

After a successful implementation, the monitoring and maintenance of the Enforce administrator and the hardened systems is transferred to our Managed Service. Here, the system is checked at regular intervals agreed with the customer to ensure that it is up-to-date, functional and accessible. We also ensure that systems that have already been hardened remain compliant. With our service, we not only take over the complete administration of the system, but also take care of updates, analyse the changelogs and are in direct contact with the developers of the Enforce administrator. This allows the customer to utilise resources elsewhere without taking a security risk. Our Managed Service provides the customer with a detailed report on the current status of the hardening at regular intervals and, if necessary, provides an update of the system.

Beyond Trust Privileged Access

In order to be able to support and analyse the customer’s systems, our managed service employees must have access to the system environment.

The customer environment is accessed via the BeyondTrust® appliance on a host provided by the customer. Security is increased by the fact that only port 443 is required for the entire data exchange. No other open ports, host names or IP addresses are required. All data traffic is encrypted.

That wasn’t enough for us, we wanted to make it more secure. Firstly, all employees from the Managed Service use a hardened PAW (Privileged Access Workstation), which is available exclusively for the administrative part of the Managed Service. Over 700 hardening settings are set here so that the PAW is hardened according to the current “CIS Microsoft Windows 11 Enterprise Benchmark”, the “SiSyPHuS Recommendations for Telemetry Components” and the “SiSyPHuS Recommendations for Logging”, among others. By using PAW, we have ensured that the separation between the administrative environment and our office environment is maintained at all times.

We also use two-factor authentication to log in to the BeyondTrust® environment, making unauthorised access considerably more difficult. Only selected employees from the managed service team are assigned to a specific customer via group assignments within the BeyondTrust® appliance. This ensures that only employees who are familiar with the customer have access to the relevant environment. Every connection to the customer is logged in an audit-proof manner so that both we and our quality management team, as well as the customer, can transparently trace at any time which employee has carried out access. All these standardised processes are continuously analysed, documented and improved by us.

Conclusion

We have made it our mission to make IT environments in companies more secure. However, without an ongoing process in which this security is constantly checked, everything is just a snapshot. With our managed service, we offer customers the opportunity to outsource this process and place it in our professional hands.

It is important to us that we not only show the customer how to set up a secure system environment, how to work in this environment and how to keep the environment up to date. We also adhere to our own guidelines in all our processes and workflows. This is the only way we can recognise at any time where there is a need for optimisation or where there are still gaps that can be closed. Standardised processes that are optimally documented are the cornerstones on which everything can be built in a controlled manner.

With the BeyondTrust® Privileged Access solution, we make the data traffic between the customer environment and our environment secure and stable – a perfect all-round carefree package.

We would be happy to discuss in person how we can not only secure an environment, but above all keep it secure in the long term.