Centrify
Centralizing the Control, Security and Audit of UNIX, Linux and Mac Systems
SLIDE 2
Agenda
• Introduction
• The Centrify Vision
• Access Governance and Centralisation
• Automated Security Enforcement
• Protect Systems
• Authorize Privilege
• Audit Systems
• Centrify Solutions
The Centrify Vision
Control, Secure and Audit Access to Cross-Platform Systems and Applications
Centrify the Enterprise
Leverage infrastructure you already own – Active Directory – to:
Control: what users can access. Secure: user access and privileges. Audit: what the users did.
Identity Management Today
[Diagram: Active Directory manages Windows PCs and servers and Exchange Server; Unix / Linux / Mac systems and enterprise & web applications are shown separately]
SLIDE 4
Identity Management with Centrify
[Diagram: Active Directory, Windows PCs and servers and Exchange Server, with Centrify extending the same directory to the non-Windows systems]
Centralised Identity and Access Management with Centrify
• ALL identity and privilege information stored, managed and audited in Active Directory
• No Additional Identity Store or Server, therefore no synchronisation of identities
• Leverage existing infrastructure and Best Practices in AD
SLIDE 5
Banking and Finance – We’ve done it before…
SLIDE 6
• Very large and time-sensitive projects
• Touching systems that contain critical and strategic information assets – the "Crown Jewels"
• All customers undertook a deep and comprehensive competitive and technical evaluation, with Centrify winning on each occasion due to our technical superiority, ease of deployment and simplicity.
• “During our technical evaluation and score-carding process involving 6 vendors, Centrify came top in 14 out of 15 technical score-card categories. The vendor ranked second was a considerable way behind Centrify both technically and from an ease of deployment perspective due to Centrify’s unique zoning capabilities”
• “We were able to deploy and join to Active Directory up to 500 systems per night with Centrify once our architectural design was complete.”
• “During our PoC, it was very evident that Centrify Suite is built on a common architecture and code base, whereas other solutions we tested were clearly a bunch of acquired technologies loosely glued together with the only integration points being marketing!”
Recurring Regulatory Requirements and Audit Points
• Common recurring Regulatory Requirements and Audit Points we are helping our customers address:
• Sharing of generic *nix accounts with powerful (very often root) privileges by a number of individuals, resulting in a lack of accountability due to the use of shared passwords
• Password aging is typically not enforced on many privileged and non-privileged user accounts in a *nix environment
• Password complexity checks are very rarely implemented on *nix systems, weakening security from a system access perspective
• Activities undertaken by IT staff as the "root" user (as well as other privileged users, DBAs etc.) are typically not logged or captured, leaving no audit trail and causing failed audits against regulatory and compliance requirements
Products addressing these points (from the slide): DirectControl, DirectAudit
SLIDE 7
Recurring Regulatory Requirements and Audit Points
• Common recurring Regulatory Requirements and Audit Points we are helping our customers address:
• Privileged users will typically be assigned privileged accounts which very often lack any control over what commands or actions they are allowed to undertake on the *nix systems
• The ability to undertake account recertification, as well as a process to enforce account recertification, is typically not implemented but is a requirement for audit and regulatory compliance
• Where a separate directory has already been implemented for the management of identities in the *nix environment, synchronization of accounts and creation and deletion of accounts on *nix servers does not always complete successfully or in a timely manner, resulting in inconsistencies in system access.
Products addressing these points (from the slide): DirectAuthorize, DirectControl
SLIDE 8
Access Governance Starts with Centralization
Centralize Security, Identity and Access Management within Active Directory
Protecting Systems. Authorizing Privileges. Auditing Activities.
Identity Consolidation
• De-duplicate identity infrastructure
• Get users to login as themselves / SSO
• Single security policy definition
• Single point of administrative control
Privileged Access Management
• Associate privileges with individuals
• Enforce "least access & least privileges"
• Audit privileged user activities
• Isolate systems & encrypt data-in-motion
[Diagram: Active Directory-based Security Infrastructure holding Users, Groups, Unix Profiles, User Roles and Security Policies; example entries include root, SysAdmin, dba, websa and DBAs]
SLIDE 9
Centralized Management Presents Challenges
Centralization Goals
• Centralized UNIX Identities
• Establishing a global namespace
• Limited access granted where needed
• Locked down privileged accounts
• Privileges granted to individual users
• Audit privileged activities
Corresponding Challenges
• Legacy namespace is complex and different across many systems
• Individual system differences make centralization difficult
• Access rights are typically granted too broadly
• Granting privileges requires a simple way to create and manage the policies
• Integration with existing management processes
SLIDE 10
Infrastructure as a Service Brings More, New Challenges
SLIDE 11
Adoption of IaaS is growing in the Enterprise
• Yankee Group says 24% are using IaaS and 60% are planning to use it within 12 months
• Adoption trends are first in Development, then QA/Test, eventually to Production
Security remains the primary issue blocking Enterprise use
• Cloud Security Alliance identified 7 threats to cloud computing
• Gartner identified privileged user access as the #1 cloud computing risk
The challenges of Enterprise use of inexpensive public IaaS are very familiar
• Cloud server security is left to the customer
• Cloud server templates have common privileged accounts and passwords
• Cloud servers are typically deployed on public networks with dynamic IP addresses
• Access controls and activity auditing are left to the customer
• Applications hosted on these servers don’t enable end user single sign-on access
The Solution is to Automate Security Enforcement
By leveraging Active Directory as the centralized security infrastructure
Protect Systems
• Group Policy enforces system security policies
• IPsec based network protection policies
• AD management of privileged accounts
Authorize Privileges
• AD-based unique identity
• Role-based access and privilege
• AD enforces separation of duties
Audit Activities
• Audit all user activity
• Report on access rights and privileges
Resulting in automated security for the Enterprise
SLIDE 12
Protect
Authorize
Audit
Leverage Active Directory to Automate Security Enforcement
PROTECT SYSTEMS
SLIDE 13
Active Directory-based Computer Identity
Active Directory services provide the foundation for Enterprise security
• Highly distributed, fault tolerant directory infrastructure designed for scalability
• Supports large Enterprises through multi-Forest, multi-Domain configurations
• Kerberos-based authentication and authorization infrastructure providing SSO
Computer systems join Active Directory
• Establishing individual computer accounts for each system
• Automatically enrolling for PKI certificates and establishing Enterprise trust
• Enabling authorized Active Directory Users to login, online & offline
• Controlling user authentication for both interactive and network logins
SLIDE 14
Security Policies Auto-Enforced by Group Policy
Consistent security and configuration policies need to be enforced on all Windows, UNIX, Linux and Mac systems
• Group Policy is automatically enforced at system join to Active Directory
• Group Policy defines standard baseline and periodically reapplies it
• User Group Policy is enforced at user login
Group Policies enforce:
• System authentication configuration
• System Banner settings
• Screen Saver & Unlock policies
• SSH policies control remote access security
• Firewall policies control machine access
• Mac OS X specific policies control the system and user’s environment
SLIDE 15
Prevent Data Breaches from External Threats
• IPsec Transport Mode isolates the entire enterprise, preventing access by rogue or untrusted computers and users — reducing the attack surface
• Network-level access controls are much more important when:
• Enterprise network boundaries become porous as they include wireless and grow exponentially
• Users’ work becomes more virtual, accessing corporate resources from mobile / remote locations
• Software- and policy-based approach lets you avoid an expensive VLAN and network router ACLs approach
[Diagram: managed computers inside the trusted corporate network; a rogue computer is refused access]
SLIDE 16
Isolate Sensitive Servers & Protect Data-in-Motion
IPsec authentication policies logically isolate sensitive servers independent of physical network location
• Sensitive information systems are isolated based on PKI identities and AD group membership
IPsec encryption protects data-in-motion without modifying older applications
• Enforce peer-to-peer, network-layer encryption for applications that transport sensitive information
Encryption: each packet is encrypted, preventing attackers from seeing any sensitive information
[Diagram: IPsec packet layout – IP Header | AH Header | ESP Header | Protected Data | ESP Trailer, with the authenticated and encrypted spans marked]
SLIDE 17
Leverage Active Directory to Automate Security Enforcement
AUTHORIZE PRIVILEGES
SLIDE 18
Active Directory Centralizes Account Management
• UNIX Account administration leverages centralized Active Directory processes and automation
• Account and authentication policies are enforced on all systems
[Diagram: the Active Directory-based Security Infrastructure is administered through the Unix command line interface, the Active Directory Users and Computers MMC admin console, provisioning APIs/tools and existing identity management solutions]
SLIDE 19
Centralize The Most Complex UNIX Environments
Zones uniquely simplify the integration and centralized management of complex UNIX identity and access permissions into Active Directory
• Only solution designed from the ground up to support migration of multiple UNIX environments and namespaces into a common Directory
• Zones provide the unique ability to manage UNIX identity, UNIX access rights and delegated administration
Centrify supports native AD delegation for separation of duties
• Zones create natural AD boundaries for delegated UNIX administration of a group of systems through AD access controls on UNIX Zone objects
Seamlessly integrate administration into existing IDM systems
• AD Group membership controls the provisioning of UNIX profiles granting access and privileges
• IDM systems simply manage AD Group Membership in order to control the environment
[Diagram: Engineering, Finance, HR and Retail Zones within the Active Directory-based Security Infrastructure]
SLIDE 20
Ensure Separation of Administrative Duties
Separation of AD and Unix Admins
• Users’ Unix profiles are stored independently of the AD User object
• Unix Admins don’t need rights to manage AD User objects, only Unix profiles
Separation of Unix Departmental Admins
• Each Zone is delegated to the appropriate Unix Admin
• Unix Admins only need rights to manage Unix profiles within their own Zone
[Diagram: Fred and Joan as UNIX administrators delegated the HR Zone and the Administration Zone, separate from AD & Windows administration]
SLIDE 21
Least Access is Enforced Through Zones
• System Access is denied unless explicitly granted
• Access is granted to a Zone (a logical group of systems)
• Users’ UNIX Profiles within a Zone are linked to the AD User
[Diagram: AD users Fred and Joan hold separate per-zone UNIX profiles with different names and UIDs (fredt UID 10002, fthomas UID 31590, jlsmith UID 61245, joans UID 4226 and, across a one-way trust, joans UID 200) in the HR, Administration, Accounting and Field Ops Zones]
SLIDE 22
Active Directory-based User Login
Smartcard login policies are also enforced
• DirectControl for OS X supports CAC or PIV smartcard login to Active Directory granting Kerberos tickets for SSO to integrated services
• Users configured for Smartcard interactive login only are not allowed to login with a password, however Kerberos login after smartcard is allowed
Kerberos provides strong mutual authentication to Servers after desktop smartcard login
SLIDE 23
Lock Down Privileged Accounts
Lock down privileged and service accounts within Active Directory
• Online authentication requires AD-based password validation
• Offline authentication uses the local cached account
• Passwords are synchronized to local storage for single user mode login
Leverage role-based privilege grants to eliminate risks exposed by these accounts
• Eliminating need to access privileged accounts
• Enables locking down these account passwords
[Diagram: a UNIX_root account in Active Directory alongside the local root accounts on the managed systems]
SLIDE 24
Associate Privileges with Named Individuals
Centralized role-based policy management
• Create Roles based on job duties
• Grant specific access and elevated privilege rights
• Eliminate users’ need to use privileged accounts
• Secure the system by granularly controlling how the user accesses the system and what he can do
Unix rights granted to Roles
• Availability – controls when a Role can be used
• PAM Access – controls how users access UNIX system interfaces and applications
• Privilege Commands – grants elevated privileges where needed
• Restricted Shell – controls allowed commands in the user’s environment
Example role from the slide: Backup Operator (HR Zone resources)
• Availability: maintenance window only
• PAM Access: ssh login
• Privileged Commands: tar command as root
• Restricted Environment: only specific commands
SLIDE 25
Grant Privileged Commands to Users via Roles
• Web Admins are assigned root privileges for specific Apache management operations
SLIDE 26
Role Assignments Ensure Accountability
Role Assignment
• Active Directory Users are assigned to a Role, eliminating ambiguity, ensuring accountability
• Active Directory Groups can be assigned to a Role, simplifying management
• User assignment can be date/time limited – enabling temporary rights grants
Assignment Scope
• Roles apply to all computers within a Zone/Department
• Users within a Role can be granted Rights to Computers serving a specific Role (DBA -> Oracle)
• Assignment can be defined for a specific Computer
[Diagram: AD users Fred and Joan and the AD group Backup assigned to the Backup Operator role (maintenance window only; ssh login; tar command as root; only specific commands) over HR Zone resources]
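The zone and role model from the last three slides (access denied unless a zone grants it, per-zone UNIX profiles, roles carrying an availability window, PAM access, privileged and restricted commands, and user or group assignments that can be time-limited) as an added Python example. This is illustrative code written for this page, not Centrify's implementation; the data structures, evaluation order and the Backup Operator data are assumptions modelled on the slides.

```python
"""Illustrative model of the zone/role authorization the slides describe.
Added example, not Centrify's code: the data shapes, names and evaluation
order are assumptions chosen to make the deny-by-default rules explicit."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed directory data. AD users -> AD groups they belong to.
AD_GROUPS = {"fred": {"Backup", "HR-Staff"}, "joan": {"HR-Staff"}}
# Per-zone UNIX profiles: the same AD user has a distinct name/UID in each zone.
ZONE_PROFILES = {
    "HR": {"fred": ("fredt", 10002), "joan": ("joans", 4226)},
    "Administration": {"fred": ("fthomas", 31590)},
}
# Each joined computer belongs to exactly one zone.
COMPUTER_ZONE = {"hr-db01": "HR", "hr-web01": "HR", "adm-jump01": "Administration"}


@dataclass
class Role:
    name: str
    zone: str
    pam_access: set                 # PAM services the role may use, e.g. {"ssh"}
    privileged_cmds: dict           # command -> account it runs as
    restricted_cmds: Optional[set] = None   # None means an unrestricted shell
    window: Optional[tuple] = None  # (start, end) local time; None = always


@dataclass
class Assignment:
    role: str
    principal: str                  # AD user or AD group name
    is_group: bool = False
    not_before: Optional[datetime] = None   # optional temporary grant
    not_after: Optional[datetime] = None


ROLES = {
    "Backup Operator": Role(
        name="Backup Operator", zone="HR", pam_access={"ssh"},
        privileged_cmds={"/bin/tar": "root"},
        restricted_cmds={"/bin/tar", "/bin/ls", "/usr/bin/df"},
        window=(time(22, 0), time(4, 0)),   # maintenance window, wraps midnight
    ),
}
ASSIGNMENTS = [
    Assignment("Backup Operator", "Backup", is_group=True),
    Assignment("Backup Operator", "joan",
               not_before=datetime(2012, 6, 1), not_after=datetime(2012, 6, 2)),
]


def in_window(window, now: datetime) -> bool:
    """Availability check; a window whose end is before its start wraps midnight."""
    if window is None:
        return True
    start, end = window
    t = now.time()
    return start <= t < end if start <= end else (t >= start or t < end)


def active_roles(user: str, zone: str, now: datetime) -> list:
    """Roles the user holds in the zone right now, via direct or group assignment."""
    groups = AD_GROUPS.get(user, set())
    roles = []
    for a in ASSIGNMENTS:
        role = ROLES[a.role]
        matches = a.principal in groups if a.is_group else a.principal == user
        if role.zone != zone or not matches:
            continue
        if (a.not_before and now < a.not_before) or (a.not_after and now >= a.not_after):
            continue                       # outside the temporary grant
        if in_window(role.window, now):
            roles.append(role)
    return roles


def authorize(user, computer, service, command=None, now=None):
    """Deny by default: zone profile, then an active role for the PAM service,
    then the specific command right. Returns (allowed, reason, run_as).
    `now` may be a datetime or an ISO 8601 string; default is the current time."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    zone = COMPUTER_ZONE.get(computer)
    if zone is None:
        return False, "computer is not joined to any zone", None
    profile = ZONE_PROFILES.get(zone, {}).get(user)
    if profile is None:
        return False, f"no UNIX profile for {user} in zone {zone}", None
    roles = [r for r in active_roles(user, zone, now) if service in r.pam_access]
    if not roles:
        return False, f"no active role grants {service} access in zone {zone}", None
    if command is None:
        return True, f"login as {profile[0]} (uid {profile[1]})", profile[0]
    for r in roles:
        if command in r.privileged_cmds:   # elevated: runs as the mapped account
            return True, f"privileged command via role {r.name}", r.privileged_cmds[command]
        if r.restricted_cmds is None or command in r.restricted_cmds:
            return True, f"command permitted by role {r.name}", profile[0]
    return False, "command is not in any active role's allowed set", None
```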
SLIDE 27
Leverage Active Directory to Automate Security Enforcement
AUDIT ACTIVITIES
SLIDE 28
System Logs and Events Provide Visibility
Data sources: local and AD user accounts, authentication attempts, Centrify Zone and Role assignments, Centrify health and configuration, config files, /etc/passwd, Active Directory data and *NIX syslog, feeding metrics and alerts, dashboards and reports.
Questions the data answers:
• I want to see all failed login attempts.
• Are there any newly created local accounts on my server?
• Who zone-enabled this user?
• Show me accounts not used in last 90 days.
• Are there any systems where Centrify is not connected?
• How long was a user in a role?
• Shows changes in AD, *nix login attempts, Windows login attempts, Centrify agent health, etc.
• Syslog rollup brings in operational intelligence from other systems, apps, SIEM, security devices, etc.
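Three of the audit questions on the slide (all failed login attempts, newly created local accounts, accounts not used in the last 90 days) answered from syslog and /etc/passwd, as an added Python example that is not part of the deck. The log lines and passwd snapshots are constructed for the example; the sshd message wording follows OpenSSH's, and the year is assumed because syslog lines carry none.

```python
"""Added example: answering the slide's audit questions from syslog and
/etc/passwd. Log lines and passwd snapshots below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

SYSLOG = """\
Jun  1 23:14:02 hr-db01 sshd[1201]: Accepted publickey for fredt from 10.1.2.3 port 5022 ssh2
Jun  1 23:16:40 hr-db01 sshd[1240]: Failed password for root from 10.9.9.9 port 41022 ssh2
Jun  1 23:16:44 hr-db01 sshd[1240]: Failed password for root from 10.9.9.9 port 41022 ssh2
Jun  2 01:02:11 hr-db01 sshd[1302]: Failed password for invalid user admin from 10.9.9.9 port 41100 ssh2
Jun  2 02:30:00 hr-db01 sshd[1350]: Accepted password for joans from 10.1.2.7 port 5100 ssh2
Jun  3 09:00:00 hr-db01 sshd[1400]: Failed password for joans from 10.1.2.7 port 5101 ssh2
"""
LOG_YEAR = 2012   # assumed: syslog timestamps carry no year

# Baseline taken when the host was joined, and the current file (constructed).
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
fredt:x:10002:10002:Fred Thomas:/home/fredt:/bin/bash
joans:x:4226:4226:Joan Smith:/home/joans:/bin/bash
oldsvc:x:1001:1001:legacy service:/srv/oldsvc:/bin/sh
"""
PASSWD_CURRENT = PASSWD_BASELINE + "newsvc:x:1002:1002::/home/newsvc:/bin/bash\n"

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


def parse_sshd(lines, year=LOG_YEAR):
    """Yield one dict per sshd authentication line; other lines are ignored."""
    for line in lines.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        ev["invalid_user"] = "invalid user" in line   # attempt against a non-existent account
        yield ev


def failed_logins(lines):
    """'All failed login attempts': failures counted per (host, user, source)."""
    c = Counter()
    for ev in parse_sshd(lines):
        if ev["result"] == "Failed":
            c[(ev["host"], ev["user"], ev["src"])] += 1
    return c


def passwd_names(text):
    return {l.split(":")[0] for l in text.splitlines() if l.strip()}


def new_local_accounts(baseline, current):
    """'Newly created local accounts': users present now but absent from the baseline."""
    return sorted(passwd_names(current) - passwd_names(baseline))


def stale_accounts(passwd, lines, now_iso, days=90, min_uid=1000):
    """'Accounts not used in the last N days': non-system passwd entries with no
    accepted login inside the window (system accounts below min_uid are skipped)."""
    last_seen = {}
    for ev in parse_sshd(lines):
        if ev["result"] == "Accepted":
            last_seen[ev["user"]] = max(ev["time"], last_seen.get(ev["user"], ev["time"]))
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    stale = []
    for l in passwd.splitlines():
        if not l.strip():
            continue
        name, _, uid = l.split(":")[:3]
        if int(uid) >= min_uid and last_seen.get(name, datetime.min) < cutoff:
            stale.append(name)
    return stale
```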
SLIDE 29
High Definition Visibility Provided by Session Recording
• Establish user accountability
• Tracks all user access to systems
• Centrally search captured sessions
SLIDE 30
Reporting Simplified with Centralized Management
Authorization and Access Reports can be centrally created:
✓ Reporting on user account properties
✓ Detailing user role assignments and privilege command rights
✓ Showing user access rights to computers
Active Directory based reporting
✓ Reports are generated on live, editable AD information
✓ Administrators can take snapshots of a report
SLIDE 31
Centrify Solutions and the Challenges They Address
Centrify Products… Delivered as the Centrify Suite
Single Sign-On For Applications
With all editions you can purchase SSO modules for:
• Apache & J2EE web apps
• SAP NetWeaver & GUI
• DB2
Centrify-Enabled Open Source Tools
All editions also include free, Centrify-enabled versions of:
• OpenSSH
• PuTTY
• Kerberized FTP and Telnet
• Samba
Editions: EXPRESS, STANDARD, ENTERPRISE, PLATINUM
DirectSecure – Server Isolation and Protection of Data-in-Motion
DirectAudit – Detailed Auditing of User Session Activity for Windows, UNIX & Linux
DirectAuthorize – Role-based Authorization and Privilege Management
DirectControl – Consolidate Identities and Centralize Authentication
DirectManage – Centralized Management and Administration
Regulations addressed: SOX / JSOX, PCI DSS, FISMA, HIPAA, Basel II, FFIEC, ...?
Meet Strict Security & Audit Req’s
Enforce system security policies
Enforce "least access"
Lock down privileged accounts
Enforce separation of duties
Associate privileges with individuals
Audit privileged user activities
Protect sensitive systems
Encrypt data-in-motion
Solutions that Centrify Delivers
Compliance and Audit
• Auditing and reporting (SOX, PCI, FISMA, HIPAA, Basel II, etc.)
Security
• Risk mitigation & security of users with privileged access
Operational Efficiency
• Leverage existing architecture
• Leverage investments in Active Directory tools, skill sets and processes
• Consolidate "islands of identity"
• Deliver single sign-on for IT and end-users
• Enable new computing models such as virtualization, cloud and mobile
Microsoft Active Directory + Centrify
✓ Enforce system security policies
✓ Enforce "least access"
✓ Associate privileges with individuals
✓ Lock down privileged accounts
✓ Enforce separation of duties
✓ Audit privileged user activities
✓ Protect sensitive systems
✓ Encrypt data-in-motion
Regulations: Basel II; FFIEC Information Security Booklet; Payment Card Industry Data Security Standard; Health Insurance Portability and Accountability Act; Sarbanes-Oxley Act Section 404; Federal Information Security Management Act; National Industrial Security Program Operating Manual
Centrify Solutions Enforce Security Best Practices
SLIDE 35
Centrify
Mastering Compliance, Auditing & Security
Securing UNIX, Linux and Mac Using Active Directory
• Evolving regulatory climate
• Concern over insider threats
• Adoption of cloud computing platforms
• Consumerization of IT
• Can I manage what users can do?
• Can I verify for auditors what users did?
• Can I manage personal devices?
• Auditors require that organizations show steady progress toward a well managed infrastructure
• Fragmented enterprise is difficult to secure in a consistent manner
SLIDE 4
© 2004-2012 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.
Unified Access Management
Leverage infrastructure you already own!
Microsoft Active Directory
• Control: who can access what
• Secure: user access and privileges
• Audit: what the users did
[Diagram: Centrify extends Active Directory across on-premise and cloud: personal devices, mobile devices, hosted systems, SaaS, servers and apps]
Centrify the Enterprise
SLIDE 5
Security Best Practices
✓ Enforce system security policies
✓ Associate privileges with individuals
✓ Lock down privileged accounts
✓ Enforce separation of duties
✓ Audit privileged user activities
✓ Protect sensitive systems
✓ Encrypt data-in-motion
SLIDE 6
Why Customers Choose Centrify
• 4000+ enterprise customers
• Single architecture based on AD
• Comprehensive suite
• Proven success in deployments
• Non-intrusive
Centrify is the “right vendor to choose” for Active Directory integration: Centrify’s solution is “mature, technically strong, full featured, and possess(es) broad platform support.” – 2009
“We recommended that clients strongly consider Centrify … its products can fit well within a multivendor IAM portfolio.” – 2010
Thank You

How to convert PDF to text with Nanonets
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Centrify Access Manager Presentation.pptx

SLIDE 7
Recurring Regulatory Requirements and Audit Points
Common recurring regulatory requirements and audit points we are helping our customers address:
• Sharing of generic *nix accounts with powerful (very often root) privileges by a number of individuals, resulting in a lack of accountability due to the use of shared passwords
• Password aging is typically not enforced on many privileged and non-privileged user accounts in a *nix environment
• Password complexity checks are very rarely implemented on *nix systems, resulting in insecurities from a system access perspective
• Activities undertaken by IT staff as the “root” user (as well as other privileged users; DBAs etc.) are typically not logged or captured, resulting in a lack of audit trail and in failed audits as they relate to regulatory and compliance requirements
Addressed by: DirectControl, DirectAudit

SLIDE 8
Recurring Regulatory Requirements and Audit Points
Common recurring regulatory requirements and audit points we are helping our customers address:
• Privileged users will typically be assigned privileged accounts which very often lack any control over what commands or actions they are allowed to undertake on the *nix systems
• The ability to undertake account recertification, as well as a process to enforce account recertification, is typically not implemented but is a requirement for audit and regulatory compliance
• Where a separate directory has already been implemented for the management of identities in the *nix environment, synchronization of accounts and creation and deletion of accounts on *nix servers does not always complete successfully or in a timely manner, resulting in inconsistencies in relation to system access
Addressed by: DirectAuthorize, DirectControl

SLIDE 9
Access Governance Starts with Centralization
Centralize Security, Identity and Access Management within Active Directory
Protecting Systems. Authorizing Privileges. Auditing Activities.
Identity Consolidation
• De-duplicate identity infrastructure
• Get users to login as themselves / SSO
• Single security policy definition
• Single point of administrative control
Privileged Access Management
• Associate privileges with individuals
• Enforce “least access & least privileges”
• Audit privileged user activities
• Isolate systems & encrypt data-in-motion
[Diagram: Active Directory-based Security Infrastructure: Users and Groups (SysAdmin, DBAs) mapped to Unix Profiles (root, dba, websa), User Roles and Security Policies]

SLIDE 10
Centralized Management Presents Challenges
Centralization Goals
• Centralized UNIX identities
• Establishing a global namespace
• Limited access granted where needed
• Locked down privileged accounts
• Privileges granted to individual users
• Audit privileged activities
Corresponding Challenges
• Legacy namespace is complex and different across many systems
• Individual system differences make centralization difficult
• Access rights are typically granted too broadly
• Granting privileges requires a simple way to create and manage the policies
• Integration with existing management processes

SLIDE 11
Infrastructure as a Service Brings More, New Challenges
Adoption of IaaS is growing in the Enterprise
• Yankee Group says 24% are using IaaS, 60% are planning to use in 12 months
• Adoption trends are first in Development, then QA/Test, eventually to Production
Security remains the primary issue blocking Enterprise use
• Cloud Security Alliance identified 7 threats to cloud computing
• Gartner identified privileged user access as the #1 cloud computing risk
The challenges to Enterprise use of inexpensive public IaaS are very familiar
• Cloud server security is left to the customer
• Cloud server templates have common privileged accounts and passwords
• Cloud servers are typically deployed on public networks with dynamic IP addresses
• Access controls and activity auditing are left to the customer
• Applications hosted on these servers don’t enable end user single sign-on access

SLIDE 12
The Solution is to Automate Security Enforcement
By leveraging Active Directory as the centralized security infrastructure:
Protect Systems
• Group Policy enforces system security policies
• IPsec based network protection policies
• AD management of privileged accounts
Authorize Privileges
• AD-based unique identity
• Role-based access and privilege
• AD enforces separation of duties
Audit Activities
• Audit all user activity
• Report on access rights and privileges
Resulting in automated security for the Enterprise (Protect, Authorize, Audit)

SLIDE 13
Leverage Active Directory to Automate Security Enforcement: PROTECT SYSTEMS

SLIDE 14
Active Directory-based Computer Identity
Active Directory services provide the foundation for Enterprise security
• Highly distributed, fault tolerant directory infrastructure designed for scalability
• Supports large Enterprises through multi-Forest, multi-Domain configurations
• Kerberos-based authentication and authorization infrastructure providing SSO
Computer systems join Active Directory
• Establishing individual computer accounts for each system
• Automatically enrolling for PKI certificates and establishing Enterprise trust
• Enabling authorized Active Directory users to login, online & offline
• Controlling user authentication for both interactive and network logins
[Diagram: HR and Field Ops systems joined to Active Directory]

SLIDE 15
Security Policies Auto-Enforced by Group Policy
Consistent security and configuration policies need to be enforced on all Windows, UNIX, Linux and Mac systems
• Group Policy is automatically enforced at system join to Active Directory
• Group Policy defines a standard baseline and periodically reapplies it
• User Group Policy is enforced at user login
Group Policies enforce:
• System authentication configuration
• System banner settings
• Screen saver & unlock policies
• SSH policies control remote access security
• Firewall policies control machine access
• Mac OS X specific policies control the system and user’s environment

SLIDE 16
Prevent Data Breaches from External Threats
• IPsec Transport Mode isolates the entire enterprise, preventing access by rogue or untrusted computers and users, reducing the attack surface
• Network-level access controls are much more important when:
  • Enterprise network boundaries become porous as they include wireless and grow exponentially
  • Users’ work becomes more virtual, accessing corporate resources from mobile / remote locations
• Software- and policy-based approach lets you avoid an expensive VLAN and network router ACLs approach
[Diagram: Trusted Corporate Network of Managed Computers, with a Rogue Computer excluded]

SLIDE 17
Isolate Sensitive Servers & Protect Data-in-Motion
IPsec authentication policies logically isolate sensitive servers independent of physical network location
• Sensitive information systems are isolated based on PKI identities and AD group membership
IPsec encryption protects data-in-motion without modifying older applications
• Enforce peer-to-peer, network-layer encryption for applications that transport sensitive information
Encryption: each packet is encrypted, preventing attackers from seeing any sensitive information
[Diagram: packet layout IP Header | AH Header | ESP Header | Protected Data | ESP Trailer, with the Authenticated and Encrypted spans marked]

SLIDE 18
Leverage Active Directory to Automate Security Enforcement: AUTHORIZE PRIVILEGES

SLIDE 19
Active Directory Centralizes Account Management
• UNIX account administration leverages centralized Active Directory processes and automation
• Account and authentication policies are enforced on all systems
[Diagram: Unix Command Line Interface, Active Directory Users and Computers MMC, Admin Console, Provisioning APIs/Tools and Existing Identity Management Solutions all feeding the Active Directory-based Security Infrastructure]

SLIDE 20
Centralize The Most Complex UNIX Environments
Zones uniquely simplify the integration and centralized management of complex UNIX identity and access permissions into Active Directory
• Only solution designed from the ground up to support migration of multiple UNIX environments and namespaces into a common Directory
• Zones provide the unique ability to manage UNIX identity, UNIX access rights and delegated administration
Centrify supports native AD delegation for separation of duties
• Zones create natural AD boundaries for delegated UNIX administration of a group of systems through AD access controls on UNIX Zone objects
Seamlessly integrate administration into existing IDM systems
• AD Group membership controls the provisioning of UNIX profiles granting access and privileges
• IDM systems simply manage AD Group Membership in order to control the environment
[Diagram: Engineering, Finance, HR and Retail zones within the Active Directory-based Security Infrastructure]

SLIDE 21
Ensure Separation of Administrative Duties
Separation of AD and Unix Admins
• Users’ Unix profiles are stored independent of the AD User object
• Unix Admins don’t need rights to manage AD User objects, only Unix profiles
Separation of Unix Departmental Admins
• Each Zone is delegated to the appropriate Unix Admin
• Unix Admins only need rights to manage Unix profiles within their own Zone
[Diagram: Fred and Joan in Active Directory; UNIX Administrator versus AD & Windows Administration; HR Zone and Administration Zone]

SLIDE 22
Least Access is Enforced Through Zones
• System access is denied unless explicitly granted
• Access is granted to a Zone (a logical group of systems)
• Users’ UNIX profiles within a Zone are linked to the AD User
[Diagram: AD Users, Computers & Groups (Fred, Joan) linked to per-zone UNIX profiles across the HR, Administration, Accounting and Field Ops Zones: fredt UID = 10002, fthomas UID = 31590, jlsmith UID = 61245, joans UID = 4226, and joans UID = 200 via a One Way Trust]

SLIDE 23
Active Directory-based User Login
Smartcard login policies are also enforced
• DirectControl for OS X supports CAC or PIV smartcard login to Active Directory, granting Kerberos tickets for SSO to integrated services
• Users configured for smartcard interactive login only are not allowed to login with a password; however, Kerberos login after smartcard is allowed
Kerberos provides strong mutual authentication to servers after desktop smartcard login

SLIDE 24
Lock Down Privileged Accounts
Lock down privileged and service accounts within Active Directory
• Online authentication requires AD-based password validation
• Offline authentication uses the local cached account
• Passwords are synchronized to local storage for single user mode login
Leverage role-based privilege grants to eliminate risks exposed by these accounts
• Eliminating need to access privileged accounts
• Enables locking down these account passwords
[Diagram: local root accounts mapped to a single UNIX_root account in Active Directory]

SLIDE 25
Associate Privileges with Named Individuals
Centralized role-based policy management
• Create Roles based on job duties
• Grant specific access and elevated privilege rights
• Eliminate users’ need to use privileged accounts
• Secure the system by granularly controlling how the user accesses the system and what he can do
Unix rights granted to Roles
• Availability: controls when a Role can be used
• PAM Access: controls how users access UNIX system interfaces and applications
• Privilege Commands: grants elevated privileges where needed
• Restricted Shell: controls allowed commands in the user’s environment
Example Role “Backup Operator” (resources: HR Zone)
• Availability: maintenance window only
• PAM Access: ssh login
• Privileged Commands: tar command as root
• Restricted Environment: only specific commands

SLIDE 26
Grant Privileged Commands to Users via Roles
• Web Admins are assigned root privileges for specific Apache management operations

SLIDE 27
Role Assignments Ensure Accountability
Role Assignment
• Active Directory Users are assigned to a Role, eliminating ambiguity and ensuring accountability
• Active Directory Groups can be assigned to a Role, simplifying management
• User assignment can be date/time limited, enabling temporary rights grants
Assignment Scope
• Roles apply to all computers within a Zone/Department
• Users within a Role can be granted Rights to Computers serving a specific Role (DBA -> Oracle)
• Assignment can be defined for a specific Computer
[Diagram: AD Users & Groups (Fred, Joan, Backup) assigned the “Backup Operator” Role over HR Zone resources; Role rights as on slide 25: maintenance window only, ssh login, tar command as root, only specific commands]
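The role model on slides 25 through 27 (an availability window, PAM access rights, privileged commands run as another account, a restricted shell, and assignments made to users or AD groups, scoped to a zone or a single computer and optionally time-limited) can be written down as a deny-by-default policy evaluator. The Python below is an added illustration for this page, not Centrify’s code or API; the zones, hosts, users, groups, roles, assignments and times in it are constructed assumptions.

```python
"""Deny-by-default evaluation of zone-scoped role assignments.
Added example; all directory data below is constructed, not real."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    window: Optional[tuple[time, time]] = None          # availability; None = any time
    pam_services: frozenset[str] = frozenset()          # login interfaces the role opens
    priv_commands: tuple[tuple[str, str], ...] = ()     # (command glob, run-as account)
    shell_allow: Optional[frozenset[str]] = None        # restricted-shell allow-list; None = full shell


@dataclass(frozen=True)
class Assignment:
    principal: str                      # "user:<name>" or "group:<name>"
    role: str
    scope: str                          # "zone:<zone>" or "host:<host>"
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None


# Constructed directory data (assumptions, not the deck's environment).
ZONES = {"HR": {"hr-db-01", "hr-web-01"}, "Accounting": {"acct-db-01"}}
GROUPS = {"Backup": {"fred"}}
ROLES = {
    "Backup Operator": Role("Backup Operator", window=(time(22, 0), time(4, 0)),
                            pam_services=frozenset({"sshd"}),
                            priv_commands=(("/bin/tar *", "root"),),
                            shell_allow=frozenset({"tar", "ls"})),
    "Web Admin": Role("Web Admin", pam_services=frozenset({"sshd"}),
                      priv_commands=(("/usr/sbin/apachectl *", "root"),)),
}
ASSIGNMENTS = [
    Assignment("group:Backup", "Backup Operator", "zone:HR", not_after=datetime(2025, 12, 31)),
    Assignment("user:joan", "Web Admin", "host:hr-web-01"),
]


def _in_window(window: Optional[tuple[time, time]], t: time) -> bool:
    """Availability check; a window may wrap past midnight (22:00 to 04:00)."""
    if window is None:
        return True
    start, end = window
    return start <= t <= end if start <= end else (t >= start or t <= end)


def _scope_matches(scope: str, host: str) -> bool:
    kind, name = scope.split(":", 1)
    return host == name if kind == "host" else host in ZONES.get(name, set())


def _principals(user: str) -> set[str]:
    return {f"user:{user}"} | {f"group:{g}" for g, members in GROUPS.items() if user in members}


def effective_roles(user: str, host: str, when: datetime) -> set[str]:
    """Roles in force for user on host at 'when'; nothing is granted by default."""
    roles = set()
    for a in ASSIGNMENTS:
        if a.principal not in _principals(user) or not _scope_matches(a.scope, host):
            continue
        if (a.not_before and when < a.not_before) or (a.not_after and when > a.not_after):
            continue                                    # outside the assignment's validity
        role = ROLES[a.role]
        if _in_window(role.window, when.time()):
            roles.add(role.name)
    return roles


def can_login(user: str, host: str, service: str, when: datetime) -> bool:
    """PAM access: some effective role must open this login interface."""
    return any(service in ROLES[r].pam_services for r in effective_roles(user, host, when))


def can_run_as(user: str, host: str, command: str, run_as: str, when: datetime) -> bool:
    """Privileged command: the full command line must match a granted glob for that account."""
    return any(fnmatch(command, pat) and run_as == acct
               for r in effective_roles(user, host, when)
               for pat, acct in ROLES[r].priv_commands)


def shell_allows(user: str, host: str, command: str, when: datetime) -> bool:
    """Restricted shell: the first word must be on an allow-list unless a role grants a full shell."""
    first = command.split()[0].rsplit("/", 1)[-1]
    return any(ROLES[r].shell_allow is None or first in ROLES[r].shell_allow
               for r in effective_roles(user, host, when))
```

Every decision goes through `effective_roles`, so an expired assignment, a host outside the zone, or a time outside the maintenance window removes all rights at once rather than leaving a stray grant behind.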
SLIDE 28
Leverage Active Directory to Automate Security Enforcement: AUDIT ACTIVITIES

SLIDE 29
Provide Visibility
Data sources
• Local and AD user accounts (/etc/passwd, Active Directory data)
• Authentication attempts
• Centrify Zone and Role assignments
• Centrify health and configuration (config files)
• System logs and events (*NIX syslog)
Metrics and alerts, dashboards and reports answer questions such as:
• I want to see all failed login attempts.
• Are there any newly created local accounts on my server?
• Who zone-enabled this user?
• Show me accounts not used in last 90 days.
• Are there any systems where Centrify is not connected?
• How long was a user in a role?
• Shows changes in AD, *nix login attempts, Windows login attempts, Centrify agent health, etc.
• Syslog rollup brings in operational intelligence from other systems, apps, SIEM, security devices, etc.
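Three of the questions on slide 29 (failed login attempts, newly created local accounts, accounts unused for 90 days) can be answered directly from syslog, /etc/passwd snapshots and a last-login table. The Python below is an added example for this page, not Centrify’s reporting code; the log lines, passwd snapshots, hostnames, addresses and dates are constructed.

```python
"""Detection logic for three of the slide's audit questions.
Added example; every input below is constructed, not taken from a real system."""
import re
from datetime import datetime, timedelta

# Constructed syslog excerpt (RFC 3164 style lines from sshd and useradd).
SYSLOG = """\
Jun  1 08:01:12 hr-db-01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2
Jun  1 08:01:15 hr-db-01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2
Jun  1 08:02:03 hr-db-01 sshd[2319]: Failed password for fred from 198.51.100.20 port 40111 ssh2
Jun  1 08:02:10 hr-db-01 sshd[2319]: Accepted publickey for fred from 198.51.100.20 port 40111 ssh2
Jun  1 09:14:55 hr-db-01 useradd[2400]: new user: name=svc_tmp, UID=1007, GID=1007, home=/home/svc_tmp, shell=/bin/bash
"""

# Constructed /etc/passwd snapshots taken before and after the useradd above.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
fred:x:10002:10002:Fred Thomas:/home/fred:/bin/bash
"""
PASSWD_AFTER = PASSWD_BEFORE + "svc_tmp:x:1007:1007::/home/svc_tmp:/bin/bash\n"

# Constructed last-login table; None means the account has never logged in.
LAST_LOGIN = {"fred": datetime(2025, 5, 30), "joan": datetime(2025, 1, 10), "oldsvc": None}

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+),")


def failed_logins(log: str) -> dict:
    """Count failed sshd password attempts per (user, source address)."""
    counts = {}
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            counts[key] = counts.get(key, 0) + 1
    return counts


def local_accounts(passwd: str) -> set:
    """Account names from an /etc/passwd snapshot (first colon-separated field)."""
    return {line.split(":", 1)[0] for line in passwd.splitlines() if line.strip()}


def new_local_accounts(before: str, after: str) -> set:
    """Accounts present in the later snapshot but absent from the earlier one."""
    return local_accounts(after) - local_accounts(before)


def useradd_events(log: str) -> list:
    """Account names that useradd reports having created, in log order."""
    names = []
    for line in log.splitlines():
        m = USERADD_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


def stale_accounts(last_login: dict, now: datetime, days: int = 90) -> list:
    """Accounts whose last login is older than the cutoff, or that never logged in."""
    cutoff = now - timedelta(days=days)
    return sorted(user for user, seen in last_login.items() if seen is None or seen < cutoff)
```

Comparing the useradd events against the passwd diff is a useful cross-check: an account that appears in /etc/passwd without a matching useradd line was created by some other path and deserves a closer look.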
SLIDE 30
High Definition Visibility Provided by Session Recording
• Establish user accountability
• Tracks all user access to systems
• Centrally search captured sessions

SLIDE 31
Reporting Simplified with Centralized Management
Authorization and Access Reports can be centrally created:
• Reporting on user account properties
• Detailing user role assignments and privilege command rights
• Showing user access rights to computers
Active Directory based reporting
• Reports are generated on live, editable AD information
• Administrators can take snapshots of a report

SLIDE 32
Centrify Solutions and the Challenges They Address

SLIDE 33
Centrify Products… Delivered as the Centrify Suite
Editions: EXPRESS, STANDARD, ENTERPRISE, PLATINUM
• DirectControl: consolidate identities and centralize authentication
• DirectAuthorize: role-based authorization and privilege management
• DirectAudit: detailed auditing of user session activity for Windows, UNIX & Linux
• DirectSecure: server isolation and protection of data-in-motion
• DirectManage: centralized management and administration
Single Sign-On For Applications: with all editions you can purchase SSO modules for:
• Apache & J2EE web apps
• SAP NetWeaver & GUI
• DB2
Centrify-Enabled Open Source Tools: all editions also include free, Centrify-enabled versions of:
• OpenSSH
• PuTTY
• Kerberized FTP and Telnet
• Samba

SLIDE 34
Solutions that Centrify Delivers
Meet Strict Security & Audit Requirements (SOX / JSOX, PCI DSS, FISMA, HIPAA, Basel II, FFIEC, ...?)
• Enforce system security policies
• Enforce “least access”
• Lock down privileged accounts
• Enforce separation of duties
• Associate privileges with individuals
• Audit privileged user activities
• Protect sensitive systems
• Encrypt data-in-motion
Compliance and Audit
• Auditing and reporting (SOX, PCI, FISMA, HIPAA, Basel II, etc.)
Security
• Risk mitigation & security of users with privileged access
Operational Efficiency
• Leverage existing architecture
• Leverage investments in Active Directory tools, skill sets and processes
• Consolidate “islands of identity”
• Deliver single sign-on for IT and end-users
• Enable new computing models such as virtualization, cloud and mobile
Microsoft Active Directory + Centrify

SLIDE 35
Centrify Solutions Enforce Security Best Practices
• Enforce system security policies
• Enforce “least access”
• Associate privileges with individuals
• Lock down privileged accounts
• Enforce separation of duties
• Audit privileged user activities
• Protect sensitive systems
• Encrypt data-in-motion
Relevant regulations and standards: Basel II; FFIEC Information Security Booklet; Payment Card Industry Data Security Standard; Health Insurance Portability and Accountability Act; Sarbanes-Oxley Act Section 404; Federal Information Security Management Act; National Industrial Security Program Operating Manual

SLIDE 36
Centrify: Mastering Compliance, Auditing & Security
Securing UNIX, Linux and Mac Using Active Directory

SLIDE 37
• Evolving regulatory climate
• Concern over insider threats
• Adoption of cloud computing platforms
• Consumerization of IT
• Can I manage what users can do?
• Can I verify for auditors what users did?
• Can I manage personal devices?

SLIDE 38
• Auditors require that organizations show steady progress toward a well managed infrastructure
• Fragmented enterprise is difficult to secure in a consistent manner

SLIDE 39
Unified Access Management
Leverage infrastructure you already own! Microsoft Active Directory + Centrify
• Control: who can access what
• Secure: user access and privileges
• Audit: what the users did
© 2004-2012 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.

SLIDE 40
Centrify the Enterprise
[Diagram: Active Directory at the centre of on-premise systems, cloud, personal devices, mobile devices, hosted systems, SaaS, servers and apps]

SLIDE 41
Security Best Practices
• Enforce system security policies
• Associate privileges with individuals
• Lock down privileged accounts
• Enforce separation of duties
• Audit privileged user activities
• Protect sensitive systems
• Encrypt data-in-motion

SLIDE 42
Why Customers Choose Centrify
• 4000+ enterprise customers
• Single architecture based on AD
• Comprehensive suite
• Proven success in deployments
• Non-intrusive
Centrify is the “right vendor to choose” for Active Directory integration: Centrify’s solution is “mature, technically strong, full featured, and possess(es) broad platform support.” – 2009
“We recommended that clients strongly consider Centrify … its products can fit well within a multivendor IAM portfolio.” – 2010