Case study|Cummins China builds a unified operation and maintenance security audit platform through JumpServer

As a global power technology pioneer, Cummins (China) Investment Co., Ltd. (hereinafter referred to as Cummins China) designs, manufactures and distributes a broad range of power solutions and provides service support. The company's products include diesel and natural gas engines, generator sets, alternators, emission treatment systems, turbocharging systems, fuel systems, control systems, gearboxes, braking technology, axle technology, filtration systems, and hydrogen production, storage and fuel cell products.

Founded in 1919 and headquartered in Columbus, Indiana, USA, Cummins is the world's largest independent engine manufacturer with approximately 59,900 employees worldwide. Cummins has more than 10,600 certified distribution outlets and more than 500 distribution service outlets worldwide, providing product and service support to customers in more than 190 countries and regions. In 2022, the company achieved sales of US$28.1 billion and net profit of US$2.2 billion.

Cummins China's operation and maintenance security audit requirements

As an engine manufacturer, Cummins China's main requirements for operation and maintenance security auditing include:

1. MLPS (Classified Protection of Cybersecurity) compliance requirements

To meet external security compliance requirements, Cummins China urgently needed a bastion host to address the security of enterprise data operations and maintenance. It needed to build a complete operation and maintenance security audit platform so that security managers can centrally manage users and the various resources in the system, centrally assign permissions, and centrally audit; in addition, the entire operation and maintenance management system must comply with the relevant norms and requirements for information system security classified protection under the Cybersecurity Law;

2. Unified access to assets

The assets of Cummins China are mainly distributed across public cloud platforms such as Amazon AWS and Azure, and the office network is connected to them through a dedicated line. Each business system within the company is managed independently by its department, so access to assets was not unified and management was very cumbersome.

To facilitate unified asset management, Cummins China wanted to build a unified operation and maintenance security audit platform that forms a single access entry for all assets, so that the bastion host becomes the only path for operation and maintenance activity;

3. User system integration to achieve single sign-on

At present, all business systems of Cummins China use OpenID for single sign-on (SSO). To meet the need for unified management, the company requires the bastion host to integrate with both its identity authentication system and OpenID, so that users get single sign-on and user identities are authenticated in a unified, centralized way;

4. Realize the independent management and independent audit of each department

The company has multiple departments, and each department manages its own assets and personnel permissions relatively independently. Cummins China wanted to use the bastion host to manage assets and personnel in a unified way that satisfies both the independent management and independent auditing needs of each department and the unified management and unified auditing requirements at the company level.

Bastion host selection process

Based on the above requirements, Cummins China began looking for a suitable bastion host product on the market. After multiple comparisons and tests, it finally chose to build its unified operation and maintenance security audit platform on JumpServer. According to Cummins China, the advantages of JumpServer include:

1. Abundant 4A functions

As a widely used open-source bastion host, JumpServer provides strong "4A" (Authentication, Accounting, Authorization, Auditing) capabilities, which help Cummins China build an operation and maintenance security audit platform that meets its security and compliance requirements;

2. Easy to install and maintain

JumpServer is easy to install, supports both online and offline deployment, and is simple to maintain. In particular, for subsequent version upgrades, JumpServer remains backward compatible and supports one-click scripted upgrades both online and offline, so operating it requires little specialist skill;

3. Good user experience

JumpServer supports both B/S and C/S architectures. Users do not need to install a client to access assets: they can connect through a browser, with no plugins at all. At the same time, JumpServer meets the access needs of different roles such as developers, operation and maintenance staff, and DBAs (database administrators), and is simple and convenient to operate.

In addition, the JumpServer user interface has a clear layout and simple functional design. Colleagues who have never used a bastion host before can get started with the product in a very short time without much learning effort; it is easy to learn and easy to use;

4. Flexible architecture that is easy to scale

JumpServer uses a modular architecture in which the core and the nodes are decoupled and deployed separately, achieving true functional decoupling. JumpServer also supports containerized deployment, or deployment and operation on a container platform, so nodes and core components can be scaled out flexibly as the number of assets and concurrent sessions grows.

In addition, JumpServer offers a variety of deployment options, including stand-alone, active-standby, active-active, and distributed, to meet the needs of the company's different business scenarios.

The deployment architecture of JumpServer

To ensure high availability of the business and a good user experience, Cummins China adopted a high-availability architecture that keeps the company's business and application systems running continuously and stably.

The operation and maintenance team also took into account the ongoing construction of the company's IT infrastructure and the continued growth of its IT assets, so the system needed to be able to scale horizontally. The high-availability architecture supports adding front-end application nodes at any time, further increasing the capacity of the system. The JumpServer deployment architecture of Cummins China is shown in Figure 1.

▲Figure 1 Cummins China JumpServer deployment architecture diagram

This deployment architecture exposes a single domain name to users, distributes user requests through a front-end load balancer, and performs health checks on the back-end nodes. In addition to making the application highly available, MySQL and Redis are also deployed in high-availability configurations so that the database services do not go down and no data is lost. Such a deployment architecture can flexibly cope with continued growth in the number of company assets and concurrent users while keeping the bastion host service highly available.

Practical scenarios of JumpServer

The JumpServer bastion host is used at Cummins China mainly in the following high-frequency scenarios:

■ Multi-tenant management mode

JumpServer supports multi-tenant management: by dividing resources into organizations, it isolates resources and permissions between organizations, so that each organization can be managed and audited independently. Under the premise of unified management and unified auditing, the administrator creates an organization for each business department of the company and appoints a separate organization administrator for each one; the organization administrator then authorizes assets and assigns permissions to the members of that organization, which greatly improves the efficiency of operation and maintenance management;

▲Figure 2 JumpServer's multi-tenant management system
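The organization isolation described above, as an added illustration that is not JumpServer's own code or data model: an organization administrator may only grant access within its own organization and only sees its own organization's audit records, while a company-level administrator can grant and audit across all organizations. The roles, organization names, users and assets below are constructed for the example.

```python
# Added illustration of organization-scoped administration and auditing in a
# multi-tenant bastion host. Simplified model written for this page, not
# JumpServer's own code; roles, organizations, users and assets are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    org: str   # organization the user belongs to ("*" for company-level admins)
    role: str  # "system_admin", "org_admin" or "member"


@dataclass(frozen=True)
class Asset:
    name: str
    org: str   # organization that owns the asset


@dataclass
class Bastion:
    grants: set = field(default_factory=set)       # (user name, asset name) pairs
    audit_log: list = field(default_factory=list)  # one dict per recorded action

    def grant(self, actor: User, user: User, asset: Asset) -> None:
        """Let `actor` authorize `user` on `asset`, enforcing organization boundaries."""
        if actor.role == "system_admin":
            pass  # company-level administrator may manage every organization
        elif actor.role == "org_admin":
            # an organization administrator may only act inside its own organization
            if asset.org != actor.org or user.org != actor.org:
                raise PermissionError(f"{actor.name} cannot manage organization {asset.org}")
        else:
            raise PermissionError(f"{actor.name} is not an administrator")
        if user.org != asset.org:
            # not even a system admin may grant a user access across organizations
            raise PermissionError("user and asset belong to different organizations")
        self.grants.add((user.name, asset.name))
        self.audit_log.append({"org": asset.org, "actor": actor.name, "action": "grant",
                               "user": user.name, "asset": asset.name})

    def audit_entries(self, viewer: User) -> list:
        """Audit records visible to `viewer`: company-wide, or only its own organization."""
        if viewer.role == "system_admin":
            return list(self.audit_log)
        if viewer.role == "org_admin":
            return [e for e in self.audit_log if e["org"] == viewer.org]
        raise PermissionError(f"{viewer.name} may not read audit records")


def demo() -> dict:
    """Run the constructed scenario and report what each administrator can see."""
    b = Bastion()
    company_admin = User("it-sec", "*", "system_admin")
    eng_admin = User("eng-admin", "engineering", "org_admin")
    fin_admin = User("fin-admin", "finance", "org_admin")
    dev = User("alice", "engineering", "member")
    accountant = User("bob", "finance", "member")
    build_srv = Asset("build-01", "engineering")
    erp_db = Asset("erp-db", "finance")

    b.grant(eng_admin, dev, build_srv)      # allowed: same organization
    b.grant(fin_admin, accountant, erp_db)  # allowed: same organization
    try:
        b.grant(eng_admin, dev, erp_db)     # refused: crosses the organization boundary
        cross_org_refused = False
    except PermissionError:
        cross_org_refused = True

    return {
        "cross_org_refused": cross_org_refused,
        "company_sees": len(b.audit_entries(company_admin)),
        "engineering_sees": [e["asset"] for e in b.audit_entries(eng_admin)],
        "finance_sees": [e["asset"] for e in b.audit_entries(fin_admin)],
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters for the audit requirement is the second one in `grant`: the organization of the user and of the asset must match regardless of who the actor is, so a misconfigured company-level administrator cannot quietly create a cross-department access path that no single organization administrator would see in its own audit view.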

■ Unified management of database assets

In addition to managing server assets, JumpServer supports direct management of multiple databases such as MySQL, PostgreSQL, Oracle, and SQL Server. It also supports several database connection methods, including a web CLI, a web GUI, and direct connection through a database proxy, which covers the different connection needs of different personnel;

▲Figure 3 JumpServer supports multiple database management

■ Unified management of cross-VPC assets

Cummins China's assets are mainly distributed in public cloud environments such as Amazon AWS and Azure. To meet business needs, the company has divided them into multiple VPCs, but assets inside a VPC cannot reach the JumpServer network directly. JumpServer's network domain gateway feature connects to the assets in a VPC through a proxy host, so that assets in each VPC can be managed directly;

▲Figure 4 JumpServer supports cross-VPC resource management

■ Distribute user requests through service endpoint rules

JumpServer also supports rule-based configuration of service endpoints, which assigns a fixed access node to specified assets. A service endpoint is the address (and port) through which a user reaches the service. When a user connects to an asset, the system selects the corresponding service endpoint as the access entry according to the endpoint rules and the asset's tags, and establishes the connection through it, which distributes asset connections across nodes.

Note: If asset IPs overlap between different endpoints, asset tags can be used to pin an asset to its endpoint.

▲Figure 5 Configure the JumpServer service endpoint


▲Figure 6 Configure JumpServer endpoint rules
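The endpoint selection logic described above, as an added illustration that is not JumpServer's own code: an asset is matched against endpoint rules (target-IP groups with a priority), an explicit tag on the asset takes precedence so that two VPCs reusing the same IP range can still be told apart, and a default endpoint is used when nothing matches. The endpoint names, addresses, rules and the `endpoint` label key are constructed assumptions for this example.

```python
# Added illustration of service-endpoint selection for a bastion host: rules
# keyed on target-asset IP groups with a priority, an asset label that pins an
# asset to an endpoint when IP ranges overlap, and a default fallback.
# Simplified model written for this page, not JumpServer's own code; all
# endpoints, rules, addresses and the "endpoint" label key are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    name: str
    host: str       # address users are told to connect to
    ssh_port: int   # port exposed for SSH sessions


@dataclass(frozen=True)
class EndpointRule:
    name: str
    ip_groups: tuple   # CIDRs of target assets this rule covers
    priority: int      # lower value is evaluated first (assumption)
    endpoint: str      # name of the endpoint to use


@dataclass
class Asset:
    name: str
    address: str
    labels: dict = field(default_factory=dict)


def select_endpoint(asset: Asset, rules: list, endpoints: dict, default: str = "default") -> Endpoint:
    """Return the Endpoint a session to `asset` should be established through."""
    # 1. An explicit label on the asset wins; this is how overlapping IP ranges are resolved.
    pinned = asset.labels.get("endpoint")
    if pinned is not None:
        if pinned not in endpoints:
            raise LookupError(f"asset {asset.name} is pinned to unknown endpoint {pinned}")
        return endpoints[pinned]
    # 2. Otherwise take the first rule, by priority, whose IP group contains the asset address.
    ip = ipaddress.ip_address(asset.address)
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in rule.ip_groups):
            return endpoints[rule.endpoint]
    # 3. No rule matched: fall back to the platform's default entry.
    return endpoints[default]


# Constructed sample configuration: two VPC-local access nodes whose VPCs both use 10.10.0.0/16.
ENDPOINTS = {
    "default":    Endpoint("default",    "bastion.example.com",   2222),
    "vpc-a-node": Endpoint("vpc-a-node", "bastion-a.example.com", 2222),
    "vpc-b-node": Endpoint("vpc-b-node", "bastion-b.example.com", 2222),
}
RULES = [
    EndpointRule("vpc-a",  ("10.10.0.0/16",),   10, "vpc-a-node"),
    EndpointRule("office", ("192.168.0.0/16",), 20, "default"),
]


def demo() -> dict:
    """Resolve three constructed assets, including one that needs the label to disambiguate."""
    app_a = Asset("app-a", "10.10.1.20")                                   # matched by the vpc-a rule
    app_b = Asset("app-b", "10.10.1.20", {"endpoint": "vpc-b-node"})       # same IP, pinned to VPC B
    fs_01 = Asset("fs-01", "172.16.4.9")                                   # no rule matches
    return {a.name: select_endpoint(a, RULES, ENDPOINTS).name for a in (app_a, app_b, fs_01)}


if __name__ == "__main__":
    print(demo())
```

Without the label, `app-b` would be routed to the VPC A node because its address falls inside the VPC A rule, which is exactly the conflict the note above refers to; pinning the asset resolves it without having to renumber either VPC.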

Benefits of using JumpServer

After deploying and using JumpServer, the business value gained by Cummins China includes:

■ It meets the MLPS compliance requirements well. In the event of a security incident, JumpServer helps administrators activate the network security incident emergency plan immediately, investigate and assess the incident, and take the corresponding technical measures to quickly eliminate the security risk;

■ Unified management of IT assets. Based on JumpServer, cloud servers, Linux servers, Windows servers, and databases are managed in a unified way through a single access portal for operations. At the same time, user operations and other network access behaviour are effectively controlled, users are prevented from touching important resources such as target servers directly, and a secure, standardized single access channel is established;

■ Improved operation and maintenance management efficiency. While ensuring the overall security of the system, Cummins China has achieved independent management and auditing of assets and permissions within each department through the multi-tenant management mode, and has met the requirements for unified management and unified auditing at the company level. Along with the improvement in overall security, the company's operation and maintenance management process has also been streamlined.

Origin blog.csdn.net/FIT2CLOUD/article/details/132022707