Helen Chaytor Posted March 4

We're having an initial look at ITOM, as I'd like to make a case for using this with AD operations. Following ITOM Configuration Guide - Quick Start Guide, we've installed the SIS and paired it with our Hornbill instance. I'm at the point where I've requested the admin account with SeAssignPrimaryTokenPrivilege and SeTcbPrivilege permissions and have run into some concerns from our Security team. I've read through large amounts of Hornbill documentation and believe that I can satisfy the concerns about how data is encrypted in transit and at rest. However, can anyone assist with answering the following?

1. For the admin account stored in KeySafe - can we apply MFA to this account? I'm curious how we would re-authenticate this account and keep workflows functioning.
2. What is the token life for the account?
3. How can we monitor use of the account from within Hornbill to be sure it's only being used as and where expected?

Any assistance appreciated.

Graham Posted March 4

Hello @Helen Chaytor

I'll take your questions in turn:

1. You can't apply MFA to this account as it is used non-interactively by the SIS service to connect to the servers and workstations on your internal network, and since it's non-interactive, there's no way to present any MFA prompt or accept a response.
2. I'm not quite sure what you mean by "token life". The account you need is one that is internal to your network, and is typically one in Active Directory, so it can be configured by your organisation with any restrictions that are considered suitable.
3. The use of this account, which is active only on your on-premise network, cannot be monitored from within Hornbill. This account is not used to access Hornbill and is not a Hornbill account in any way. For example, if someone logged on to an on-premise server using this account, no Hornbill system would have any visibility of that action. You could configure account logon auditing within your environment, but that is not an ITOM or Hornbill function.

Graham

Helen Chaytor Posted March 4

@Graham - thank you for such a quick and comprehensive response. I'll pass this back to security and hopefully we'll be up and running with ITOM shortly.
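
Graham's third answer points to account logon auditing in your own environment. As an added example (not part of the original posts and not Hornbill code), the Python below reviews simplified Windows Security event 4624 records for uses of the service account that are interactive or that come from a host other than the SIS server. The account name svc-itom, the SIS address 10.0.5.20 and the sample events are constructed, and it assumes the account should only produce non-interactive logons originating from the SIS host.

```python
# Added example: review exported Windows Security 4624 (successful logon)
# records for unexpected use of a non-interactive service account.
# Assumptions (not from the thread): account name, SIS address, sample events.

SERVICE_ACCOUNT = "svc-itom"       # hypothetical account name
ALLOWED_SOURCES = {"10.0.5.20"}    # constructed address of the SIS server
# Logon types that indicate a person at a console or remote desktop session:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample records using field names found in event 4624.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:00:12Z", "Computer": "FILE01",
     "TargetUserName": "svc-itom", "LogonType": 3, "IpAddress": "10.0.5.20"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T22:41:03Z", "Computer": "DC01",
     "TargetUserName": "SVC-ITOM", "LogonType": 10, "IpAddress": "10.0.9.44"},
    {"EventID": 4624, "TimeCreated": "2024-03-05T02:15:40Z", "Computer": "APP02",
     "TargetUserName": "svc-itom", "LogonType": 3, "IpAddress": "10.0.7.13"},
    {"EventID": 4624, "TimeCreated": "2024-03-05T08:30:00Z", "Computer": "APP02",
     "TargetUserName": "other.user", "LogonType": 2, "IpAddress": "10.0.9.44"},
    {"EventID": 4634, "TimeCreated": "2024-03-05T08:31:00Z", "Computer": "FILE01",
     "TargetUserName": "svc-itom", "LogonType": 3},
]

def unexpected_logons(events, account=SERVICE_ACCOUNT, allowed=ALLOWED_SOURCES):
    """Return (time, computer, reasons) for each suspicious logon by the account."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # only successful logons are reviewed here
        if ev.get("TargetUserName", "").lower() != account.lower():
            continue  # account names are case-insensitive in Windows
        reasons = []
        if ev.get("LogonType") in INTERACTIVE_TYPES:
            reasons.append("interactive logon type %d" % ev["LogonType"])
        if ev.get("IpAddress") not in allowed:
            reasons.append("source %s is not the SIS host" % ev.get("IpAddress"))
        if reasons:
            findings.append((ev["TimeCreated"], ev["Computer"], reasons))
    return findings

if __name__ == "__main__":
    for when, computer, reasons in unexpected_logons(SAMPLE_EVENTS):
        print(when, computer, "; ".join(reasons))
```

The same two conditions (logon type and source address for the account) can be expressed as an alert rule in whatever log platform already collects the Security event log.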