AndyGilly

Hornbill Users
  • Posts: 308
  • Days Won: 1

Everything posted by AndyGilly

  1. thanks @James Ainsworth and @Daniel Dekel I will make sure we do that config
  2. Afternoon, I have read a couple of other company home links posts but don't seem to be able to quite find the answer. Is it possible to remove the 'company home' link from domain pages? We do not plan to use company home because we have a company intranet. thanks Andy
  3. Morning All, Wessex are going through a large re-structure which will impact the subscription model. Does anyone have any advice on how to implement large scale service subscription changes? thanks Andy
  4. I have had an enquiry from our Info Sec team as to whether the Hornbill Security area can help with vendor security risk management functionality? Similar to OneTrust, Prevalent/3GRC, ThirdPartyTrust platforms? Any information would be great. thanks Andy
  5. no issues, thanks @Gerry for the info. There is a chance I will be back with a couple of Info Sec questions while the environment is being built thanks Andy
  6. Hi @Gerry can you please confirm where I can find the server spec and firewall port requirements for the integration server? thanks Andy
  7. We would like to test the sending of encrypted email from hornbill but without impacting the current email configuration. Can anybody suggest the best way to add a test outbound mail route to allow us to configure this are TLS?? We will then look to implement those settings on the live mailbox once proven. many thanks Andy
  8. Hi @Gerry Are you still accepting people onto the preview for ITOM?? We would like to have a look at the automation part. Do you have a requirements/ implementation document?? thanks Andy
  9. @Steve G really appreciated. This is a really positive step in allowing us to progress our CMDB discovery capability
  10. Hi Team We are looking at process Automation and think the ITOM Active Directory Libraries would really help us. Is there likely to be any long term cost implication of us using ITOM without using asset discovery?? thanks Andy
  11. @Victor thanks for noticing and updating. reminder received and noted
  12. Morning @Gerry apologies a couple more requests from security below in green:

      1) Who has access to the Wessex Water instance private key, who generated it and where is it held?

      The key is generated by our systems as part of the instance provisioning process, it is stored in our CMDB in encrypted form. Only our cloud operations team have access to this key.

      Does this mean that the cloud operations team could utilise the private key to unencrypt credentials held in the customer’s KeySafe? If yes, are there plans to allow customers to generate/maintain their own private key in future? Can it be confirmed that our instance is only hosted in Europe and not North America?

      2) Please can I see a copy of the most recent test results/summary and any agreed remediation actions and timescales?

      We do general service penetration testing and under NDA I can make this report available to your security folks, please PM a contact email and I can organise getting an NDA sent out for signature. However, I would note the original question related to specific testing of KeySafe functions, there is no specific testing of KeySafe other than there is edge security and access controls that prevent access to the system in the first place.

      I would like to review the PT report, my contact details can be used for sending the NDA over. thanks <information removed by forum admin>

      thanks Andy
  13. @Deen really appreciate the info, will take a look
  14. Morning All, does anyone know if it is possible to send encrypted email from the hornbill platform?? Had a look on the Wiki without success. thanks Andy
  15. Morning @Steve G thanks for coming back In our scenario the relationship is being mastered in a dataset outside of hornbill. Therefore, we just need the ability to pass a request to asset management to remove as per the suggestion in option 1 Do you think this is something you could help with?? thanks Andy
  16. Morning @Gerry a couple more questions from the security team in red below. Appreciate it if you could help with the answers

      (1) How are keysafe stored credentials protected from unauthorised access?

      Every instance has a secret private key, credentials put into keysafe are stored in a database table, but they are encrypted using both a random nonce and the instance private key, using AES256 encryption. This means that an encrypted key stored on an instance is inaccessible without the corresponding instance private key. You can only create/change/delete and use credentials if you are an administrator and are given the appropriate rights to do so.

      Who has access to the Wessex Water instance private key, who generated it and where is it held?

      (3) what activity audit logs for keysafe operations are available

      Keysafe provides limited logging, in the EspServerService.log of your instance, under the [security] type. No credentials information is ever written to any log file.

      Can we see details/spec of what gets recorded in EspServerService.log under [security]?

      (4) what independent report of assurance/testing of key-safe security can be provided? (pentest summary, SOC2 Type 2 etc)

      Unfortunately none at present. I will add to our list of things to review to see what viable options we have with regards to independent assurance options

      OK, noted that the website FAQs state: “…As well as frequent tests undertaken by Hornbill we utilise external security companies to validate our results and services at least annually. Results of tests are available on request”. Please can I see a copy of the most recent test results/summary and any agreed remediation actions and timescales?

      Further to that, one other thing we have paid very close attention to is how we apply the use of credentials. Obviously once we need a credential, let's say for ITOM to run a job on a remote computer. The credential is read from the keysafe store and into the server's memory, once there it is considered "in flight". All credentials data remains encrypted until the very last moment of use. Credential data is never stored or written to any file on any computer system, they are simply transported on the wire, and passed to the relevant API at the point of use, and then discarded.

      Can we have separate AD credentials created in KeySafe, for the purpose of separate types of operations? EG a credential specific for automating group permissions (for auto sw install/deinstalls), a different credential for the purpose of automating user permissions (for user creation, suspension, deletion).

      many thanks Andy
  17. Hi Team, we would like to delete relationships via the asset relationship import tool. Would it be possible to add this functionality?? thanks Andy
  18. Hi Team, we would like to start using the integrations in our instance but our security has some questions about Keysafe : (1) How are keysafe stored credentials protected from unauthorised access? (2) how are credentials destroyed (3) what activity audit logs for keysafe operations are available (4) what independent report of assurance/testing of keysafe security can be provided ? (pentest summary, SOC2 Type 2 etc) I wonder if someone could help us get our internal security approval by helping us work through the above?? many thanks Andy