
Friday, October 31, 2014

Basics: Centrify User Suite

Background

Centrify has two product lines: Server Suite and User Suite. With the release of Suite 2014.1, we are starting to see some synergy between the product lines, and since the blog has focused exclusively on Server Suite, we figured we needed to expand. But first, let's explore this product.

What is Centrify User Suite?

Well, let's see:
  • It's a cloud-based Identity Provider
  • It provides access and SSO to on premise and cloud apps
  • Provides Mobile Device, Application and Container Management
  • It provides self-service capabilities (device enrollment, management, self-service password reset)
  • Provides a catalog of over 2500 templates for fast publishing of Web, SaaS (SAML, WS-Fed, etc.) and Mobile Apps.
  • Provides Multi-factor Authentication
  • Provides AD-based, Cloud-based or Mixed Identity
  • Works with Active Directory in a non-intrusive (no directory duplication) and secure way
  • Provides a policy engine for the directory
  • Provides Role-Based Access for Application access and Privilege Management
  • Provides multi-geography, shared or dedicated hosting
  • Provides an interface that
  • Provides access in rich (web) and mobile clients
  • Provides tenants with their own publicly-rooted certification authority
  • Provides access to apps via a self-service portal (provider-initiated) or initiated from the application.
  • Extensible by way of an SDK, customizations and branding.
  • Recognized by Gartner as a visionary in the 2014 IDaaS MQ.
  • Continues to add capabilities at a near monthly rate

Where's the value?

In my opinion, the biggest value of User Suite is that, in the same spirit as Server Suite, for any organization with AD it provides the fastest, most efficient and secure way to adopt SaaS applications; it does so without breaking the bank and without aspiring to become the organization's directory of record. The mobile, directory and hybrid identity and policy services are the cherry on top.

Here's what you don't need to do with user suite:
  • Deal with servers in the DMZ
  • Deal with understanding on premise federation technologies
  • Deal with understanding app authentication or federation patterns
  • Deal with publicly rooted certificates
  • Pay for expensive MDM solutions
  • Pay for 2-factor authentication solutions
  • Worry about geographically located solutions
  • Worry about language and branding
  • Worry about having a split strategy for mobile devices
This translates to tighter control, time to market, added capabilities, etc.

What you must know and have:
  • What are the different Cloud IdPs and their pros and cons.
  • A policy for cloud-based access controls
  • A plan for service availability
We'll explore topics related to cloud in Security Corner.

User Suite Tour


Labs and User Suite


We will keep things practical: expect a lot of labs, how-tos, etc. We will be using Office365, Google Apps and Salesforce as our key apps, given that they provide either a free or a cheap version. As we find trial apps, we will explore them. As it relates to mobile, we will use iOS, Android and OS X.

Monday, October 6, 2014

Basics: What constitutes a cloud identity?

Hola!! from Panama City. At Centrifying we are tasked to represent Centrify at the ISACA Latin America CACS 2014.
We had a chance to educate the attendees on the challenges and concepts of cloud identity and SaaS access controls security.

Background

This new series focuses on Identity as a Service (IdaaS). As you probably know by now, Centrify has two product lines: Server Suite and User Suite. The first basic topic is to understand what constitutes a cloud identity. At a basic level, the identity that supports a SaaS application can be as simple as a unique identifier and a password; however, that doesn't translate into a very valuable app.

So what's the problem with SaaS apps as it relates to Identity?

Since SaaS apps extend the IT boundaries beyond the on-premises data center and over the Internet, the most basic issues are around timely provisioning. Once a user leaves the company, if the offboarding process is not timely and efficient, the organization is exposed to potential data loss. Unfortunately, just like the issue with the heterogeneous datacenter, the solution sets today promote capability and process fragmentation, and here's where Centrify can help. Let's explore the problem at further length.

The typical cloud IdaaS providers may make you think that the issue is just Cloud Identity and SSO (federation), but the problem goes beyond that.  Let's explore some aspects:
  • License assignment: this topic impacts the bottom line. How does your process make sure that the user is properly licensed (no more than what they need), and that licenses are administered accordingly?
    Timely license management has cost implications
  • Role, Profile or Group management:  Depending on the application, entitlements determine what the user can do within the application. This is key for sound security.
     
    Salesforce provides access to different functions based on the user's profile
  • Multi-factor Authentication (MFA) and 2-Step-verification: These capabilities are increasingly a must because they are the foundation for different types of policies. The recent consumer services data breaches illustrate that need.
    MFA and 2-step verification are a must nowadays, the issue is - how to standardize.
  • Policies: Each SaaS provider has a different way to deal with policies. Wouldn't it be nice to do it in a single management framework? And wouldn't it be nice if it were enforceable across all endpoints, including mobile devices?
    Different SaaS providers provide different policy frameworks
  • Support for Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile SSO: This capability is also a must; as phones and tablets become more powerful, mobile computing is a big tool in the information worker's arsenal.
    MDM has become commoditized, MCM is looking for a standard, but MAM and Mobile SSO are growing

Is there a Unified Solution out there that is friendly to Active Directory?

So the question is: what if there's a solution out there that allows you to use an existing infrastructure (AD) to solve all these issues without the need for additional infrastructure or complex identity synchronization?

YES!

That is what Centrify User Suite is all about! The next posts will focus on the service and 3 apps: Google Apps, Office 365 and Salesforce.  The first post will explore what Federation is and isn't.  Look for the Cloud-labeled articles.