Wednesday, August 19, 2015

Centrify's Value Proposition - Part 3: Privileged User/Identity Management with Least Priviliege

In the third part of this series, we'll discuss how Centrify provides solutions for privileged user/identity management and maintains these principles:
a) Eliminates identity silos
b) Implements strong access controls without interfering with the user experience
c) Use what you have: infrastructure, processes, knowledge (less IT fragmentation)
d) Promotes operational efficiency
e) Provides strategic value, rather than tactical solutions

Organizations come to Centrify for privileged identity management or privileged user management because of combinations of the following challenges or circumstances:
  •  Overall: They want to increase accountability and implement strong privileged user identity and access controls based on a common identity repository.
  • They have Active Directory and multiple platforms, but primarily for UNIX, Linux and Windows
  • They have a traditional (on-premise only) or hybrid (public/private cloud) enterprise
  • They want to eliminate the use of shared credentials or persistent administrative accounts (root, administrator, “-a”, etc)
  • Their existing solution does not provide flexibility on grouping systems based on a security governance model
  • They might have chosen to implement a password-centric approach as their unique strategy and they’ve come to realize that their users are less productive (or supportive), that they’ve duplicated identity silos and that ultimately, their systems (the main goal) aren’t protected by it.
  • On UNIX: They understand that using sudo/sudoers, although it’s mature may not be enough for high-risk, highly-regulated enterprises; they are tired of the complexities of managing a sudoers file and want more granularity and flexibility
  • They want a higher-degree of control on how their users access systems (beyond just granting/denying access) cross platform.
  • On Windows, they want to eliminate the problem of the Local Administrator, are conscious of the “pass the x” attacks and want to eliminate the “camping” issue with “-a” accounts.
  • They need to provide separation of duties (operational rights vs governance rights)
  • They need timely reporting of who has access to what system(s), what are their privileges, and what granted them access to do this.
  • They don’t want to deviate from existing processes or realized that by implementing point solutions or “best of breed” they ended-up fragmenting their IT in the context of processes.
  • They have regulatory requirements that they need to meet or exceed.  These may be SOx, PCI DSS, HIPAA, NERC, FERC, etc.
  • They want to solve the Shared Account Password issue, but they want a solution that reflects the state of modern trends (they hybrid datacenter, IaaS, mobile-first, etc)
  • They have high-security requirements like FIPS, solutions common-criteria certified, perhaps they rely heavily on Smart Cards.
  • They want log aggregation that is simple to their native tools (ARCSight, LogLogic, Splunk, etc)
  • They may need to go beyond the traditional security operations and provide session capture and replay from anywhere (remote or via console) because today they don't have that capability, are required to have it or simply, they might have gone the "jumpbox" route to realize that they are missing crucial sessions.
  • They hate having to invest in multiple solutions to enforce the same basic security principles.  Each time they do, this may mean:
    - Evaluate a product
    - Invest or procure new hardware or software
    - Add additional infrastructure
    - Train or hire specialist
    - Maintain the solution down the road
    - Manage the vendor relationship
Here's a technical demonstration on how Centrify delivers this value:


The key differentiation areas are:

  • AD Orientation - implemented in more of 90% of enterprises, users use a unique identity.
  • Centrify Zones - unique patented way to create groups of systems in Active Directory
  • Granularity of Access Controls - control HOW users log in to systems
  • Granularity of Privileges - no need to know the privileged account password.
  • Simple privilege elevation:  sudo-like tool in UNIX/Linux, shell and command line on Windows.
  • No proprietary magic on how events are stored: no need to have a central system just to know who did what and when - need to rely on a central system to correlate who had a privileged account.
  • Quick attestation and robust reporting - the data is in AD.
  • Separates the operational tasks versus the governance tasks - to enforce SoD
  • Works in multiple core platforms:  UNIX, Linux and Windows
  • Protects your systems: Provides end-to-end enforcement of the rules as well as session capture and replay.
Finally, the end user experience is not affected, no identity silos are created  and your AD infrastructure, processes and technology are reused.  We propose that the "least access/least privilege" approach to Privileged Identity/Super User Privilege Management should be used at least in 80% of the use cases.

In the next post we're going to talk about the next 20%, this includes Shared Account Password Management, Proxied/Brokered/JumpBox initiated sessions (what gartner calls Privilege Session Management).

No comments:

Post a Comment