We visited with David McNeely, VP of Product Strategy at Centrify, to talk about why secure privileged identity management is critical as more of today’s businesses are outsourcing IT functions and relying on vendors to troubleshoot systems and applications.
Centrify recently released a new privileged identity management solution supporting federated privileged access across an organization’s entire security ecosystem, including secure outsourcing of IT and application development.
ADM: What is privileged identity management?
McNeely: Privileged identity management reduces the risk of security breaches by minimizing the attack surface. Essentially “the keys to the kingdom,” privileged accounts provide elevated access to an organization’s most critical data, applications, systems and network devices. And as more enterprises embrace the cloud, privileged accounts increasingly lie outside the corporate perimeter and are frequently shared by internal IT and by often-remote third parties such as contractors and vendors. Therefore it is no surprise that privileged accounts are top targets for hackers and malicious insiders alike.
Privileged identity management is made up of a set of solutions to enable organizations to control user access and privileges. The first challenge is to consolidate user identities into a centralized identity management platform such as Active Directory. Next, organizations should lock down local administrative accounts and their passwords so that you can control who can use these accounts, also known as shared account password management.
When a user does need privileges to perform their duties, organizations should grant a very granular set of rights on the specific systems where those privileges are required, also known as super user privilege management. And finally, there are other applications or batch jobs that may need to log in to another computer or application in order to perform their duties, and these passwords should be carefully managed and periodically rotated, also known as application-to-application password management.
ADM: Can you provide an overview of the recent advancements Centrify announced to its privileged identity management solution?
McNeely: Centrify updated its privileged identity management solution to support federated privileged access across an organization’s entire security ecosystem, including secure outsourcing of IT and application development. Centrify is the first vendor in the industry to do this.
Federated identity management enables an organization to establish trusted identity relationships with its outsourcing partners so that employees of the outsourcing partner only need to authenticate to their own company’s identity management system, without requiring them to remember yet another user ID and password for each of their company’s clients.
The company that is contracting services from the outsourcing partner no longer has to create individual accounts for each partner’s employees. They also don’t need to worry about deleting accounts for partners’ employees who leave or change job roles.
Centrify also provides secure remote access for these outsourcing partners so that they can perform their duties without requiring VPN access. Secure remote access is provided through the Centrify Privilege Service portal, which provides web-based access to server console interfaces for both UNIX/Linux and Windows, all without requiring any software or plugins to be installed. Application developers can also access internal web-based application interfaces through the Centrify portal.
ADM: Why is it critical to govern and secure federated access by outsourced IT, vendors and other third parties?
McNeely: Since more of today’s businesses are outsourcing IT functions and relying on vendors to troubleshoot systems and applications, it is critical that organizations protect privileged access. Recently there have been several high-profile breaches that involved third-party business partners who were compromised, which led to the data breach.
Centrify recently commissioned a survey and found that every one of the respondents reported that they outsourced at least one IT administrative function as well as one development project. With outsourcing increasing, and expected to be a $335 billion industry by 2019 according to Gartner, it is increasingly important to establish secure processes that enable outsourcing organizations to both authenticate and securely access enterprise resources.
ADM: How does Centrify’s solution differ from traditional privileged identity management solutions?
McNeely: Traditional privileged identity management solutions require organizations to create and manage identities for outsourced IT administrators within their internal environment and grant VPN access. This increases risk as the number of privileged accounts disconnected from an authoritative identity provider grows and more laptops establish VPN connections to internal networks. The result is an expansion of potential attack points for hackers, disgruntled insiders and malware.
Centrify’s approach is unique. It enables an organization to reduce risk by enabling secure remote access through a web-based portal for outsourced IT administrators and outsourced developers to its infrastructure through federated authentication. The outsourcing service retains management of their employee identities, and the customer organization uses Centrify to grant web-based access and privilege for systems and applications.
Privileged access is governed through request and approval workflows, monitoring with optional termination of privileged sessions and reconciliation of approved access versus actual access to critical infrastructure. The solution supports businesses outsourcing to more than one service organization while ensuring identity lifecycle management for outsourced IT administrators and developers remains with their employer, including the disabling of their enterprise identity upon employment termination.
ADM: What are some of the other new product features?
McNeely: There are two other new features that we announced, Multi-Factor Authentication (MFA) for Linux servers and Application to Application Password Management (AAPM). By configuring MFA for IT administrators who access Linux systems and require elevated privileges, organizations can protect against hackers using stolen passwords and credentials.
Centrify enables multi-factor authentication to be applied granularly based on a centralized policy enabling IT to determine if MFA should be applied at login or individually for specific privileged commands, such as every command that requires root or oracle permissions.
Application password management is even more important for developers building multi-tiered applications or applications that run on top of clusters such as in Big Data environments. Centrify provides both the ability to centrally define and locally provision these accounts as well as enable centralized password management. This enables server account passwords to be periodically rotated so that passwords are no longer hard coded within client applications.
The Centrify CLI Toolkit or REST APIs enable a client application to request checkout of a server account password so that it can continue to perform as desired all without having a hard coded password embedded in the application. This helps organizations meet compliance and security policies as well as to protect against cyber threats.
ADM: What are the benefits for enterprises and developers?
McNeely: Centrify’s cloud-based security solution enables organizations to minimize attack surfaces, thwart in-progress attacks and achieve continuous compliance. Centrify makes it easier to provide outsourced IT and developers with access to the systems and applications they need without having to manage the developers’ identities or passwords, and to provide that access without having to give out VPN access.
Developers can also use Centrify to manage the relationships they have with their clients, making it easier to access each client’s systems and applications without having to remember different accounts and passwords for each one. Developers will only need to log in to their own portal with their company credentials in order to see all of their clients’ applications and servers.
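The application-to-application password management pattern described in the interview (a client checks a service account password out of a vault at run time, and the vault rotates it, so nothing is hard-coded in the client) can be illustrated without any vendor product. The following is an added example written for this page, not Centrify code and not Centrify’s API: a tiny in-process HTTP “vault” with a constructed bearer token and a constructed `svc_db` account, a stand-in target system that accepts whatever password the vault currently holds, and two clients, one that embedded the password at build time and one that checks it out on each use. The URL path `/checkout/<account>`, the token format and the account name are all assumptions made for the demo.

```python
"""Added example: application-to-application password checkout vs. a hard-coded
credential. The vault, token, account and 'database' below are constructed for
illustration and stand in for a real privileged identity management service."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed per-application credential, assumed to be issued to the client
# out of band (the one secret the client must hold; it unlocks nothing by itself).
CLIENT_TOKEN = "app-token-" + secrets.token_hex(8)
# Constructed vault state: current password of the shared 'svc_db' account.
VAULT = {"svc_db": secrets.token_urlsafe(18)}
LOCK = threading.Lock()


def rotate(account):
    """Vault-side rotation: the target account password changes; any cached copy is now stale."""
    with LOCK:
        VAULT[account] = secrets.token_urlsafe(18)
        return VAULT[account]


def db_authenticate(password):
    """Stand-in for the target system; it honours whatever the vault last set on the account."""
    with LOCK:
        return secrets.compare_digest(password, VAULT["svc_db"])


class VaultHandler(BaseHTTPRequestHandler):
    """GET /checkout/<account> with 'Authorization: Bearer <token>' returns the live password."""

    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {CLIENT_TOKEN}":
            return self._reply(401, {"error": "unauthorized"})
        parts = self.path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "checkout" or parts[1] not in VAULT:
            return self._reply(404, {"error": "unknown account"})
        with LOCK:
            return self._reply(200, {"account": parts[1], "password": VAULT[parts[1]]})

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def start_vault():
    """Run the constructed vault on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), VaultHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def checkout_password(base_url, token, account):
    """Client side: fetch the credential at the moment of use; do not persist it."""
    req = Request(f"{base_url}/checkout/{account}",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())["password"]


def demo():
    """Compare a build-time (hard-coded/cached) password with run-time checkout across a rotation."""
    server = start_vault()
    try:
        url = f"http://127.0.0.1:{server.server_port}"
        # 'Hard-coded' client: snapshot taken once and baked into the app.
        baked_in = checkout_password(url, CLIENT_TOKEN, "svc_db")
        results = {"cached_before_rotation": db_authenticate(baked_in)}
        rotate("svc_db")  # scheduled rotation by the vault
        results["cached_after_rotation"] = db_authenticate(baked_in)
        # Checkout client: asks the vault every time, so it follows the rotation.
        results["checkout_after_rotation"] = db_authenticate(
            checkout_password(url, CLIENT_TOKEN, "svc_db"))
        # A caller without the application's token gets nothing.
        try:
            checkout_password(url, "not-the-token", "svc_db")
            results["bad_token_rejected"] = False
        except HTTPError as err:
            results["bad_token_rejected"] = err.code == 401
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one from the interview: the client holds only its own application credential and obtains the account password when it needs it, so the vault can rotate the password on a schedule and the hard-coded copy is the only thing that breaks.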