
Trust but Verify Leveraging Active Directory to Secure and Audit Access to On-premise and Cloud-based UNIX, Linux, and Mac Systems Centrify Corporation.


1 Trust but Verify
Leveraging Active Directory to Secure and Audit Access to On-premise and Cloud-based UNIX, Linux, and Mac Systems
Centrify Corporation (408)

2 Trust but Verify
In order to establish order and protect our IT assets:
- Define Rules for the controlled environment
- Identify those who the Rules will apply to
- Authorize a set of Privileges to those to be trusted
- Monitor the use of those Privileges
- Take action on any misuse of those Privileges
These Rules take many everyday forms:
- Kids are allowed to use the internet, with software and parents monitoring
- We use freeways with speed limits, but police and cameras monitor
- Passports grant access to other countries; border patrol monitors activities
© CENTRIFY CORPORATION. ALL RIGHTS RESERVED.

3 Regulations Establish The Rules for IT
Information Assurance security controls are based on the same principles: rules, identity, authorization grants and monitoring. The Rules are well defined:
- Establish separation of duties
- Enforce system security policies
- Enforce network access policies
- Encrypt data-in-motion
- Enforce "least access"
- Require smartcard user login
- Lock down privileged accounts
- Grant privileges to individuals
- Audit privileged user activities
Regulations and standards referenced: Federal Information Security Management Act (FISMA); NIST Special Publication 800-53; Homeland Security Presidential Directive 12 (HSPD-12); Department of Defense Directive; Federal Desktop Core Configuration (FDCC); National Industrial Security Program Operating Manual (NISPOM).

4 NIST 800-53 Provides Detailed Security Requirements
There are five identity and access management specific control families which we will look at more closely:
- Identity & Authentication (IA): uniquely identify and authenticate users; employ multifactor authentication
- Access Control (AC): restrict access to systems and to privileges; enforce separation of duties and least-privilege rights management
- Audit & Accountability (AU): capture in sufficient detail to establish what occurred, the source, and the outcome
- Configuration Management (CM): develop/maintain a baseline configuration; automate enforcement for access restrictions and audit the actions
- Systems & Communications (SC): boundary protection; transmission integrity and confidentiality; cryptographic key establishment and management, including PKI certificates
NIST describes 17 control families, each categorized as Management, Operational or Technical, and the requirements are further defined at three different impact levels (low, moderate, high) depending on the system's classification. Here we focus on the five families above that relate to Identity and Access Management: the four Technical families (IA, AC, AU, SC) plus Configuration Management.

5 PCI-DSS Requirements to Protect Cardholder Data
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 10: Track and monitor all access to network resources and cardholder data

6 Centrify's Proven Solution for Access Governance
Centralizes security, identity and access management within Active Directory.
Identity Consolidation:
- De-duplicate identity infrastructure
- Get users to log in as themselves / SSO
- Single security policy definition
- Single point of administrative control
Privileged Access Management:
- Associate privileges with individuals
- Enforce "least access & least privileges"
- Audit privileged user activities
- Isolate systems & encrypt data-in-motion
Diagram: an Active Directory-based security infrastructure holding Users, Groups, User Roles, Security Policies and UNIX profiles (root, dba, websa, SysAdmin, DBAs); systems and users inherit the appropriate policies. Instead of managing (e.g.) 2000 users across 1000 places (i.e. systems), manage 2000 users in one place.
Protecting Systems. Authorizing Privileges. Auditing Activities.

7 Extend "Governance" Out to Cloud & Mobile
Automated Security in the Cloud:
- Enterprise-centric and automated security framework
- Role-based access and privilege control
- Single sign-on for applications (federated identity)
- Audit all user activity for on-premise and cloud systems
- Dynamically scalable system access controls, creating identity-based trusted virtual networks
Now available: iPad / iPhone & Android
Protecting Systems and Devices. Authorizing Privileges. Auditing Activities.

8 Centralized Management Presents Challenges
Centralization Goals:
- Centralized UNIX identities
- Establishing a global namespace
- Limited access granted where needed
- Locked down privileged accounts
- Privileges granted to individual users
- Audit privileged activities
Corresponding Challenges:
- Legacy namespace is complex and different across many systems
- Individual system differences make centralization difficult
- Access rights are typically granted too broadly
- Granting privileges requires a simple way to create and manage the policies
- Integration with existing management processes

9 Cloud Computing Brings New Challenges
Adoption of IaaS is growing in the Enterprise:
- Yankee Group says 24% are using IaaS and 60% are planning to use it within 12 months
- Adoption trends are first in Development, then QA/Test, eventually Production
Security remains the primary issue blocking Enterprise use:
- Cloud Security Alliance identified 7 threats to cloud computing
- Gartner identified privileged user access as the #1 cloud computing risk
The challenges to Enterprise use of inexpensive public IaaS are very familiar:
- Cloud server security is left to the customer
- Cloud server templates have common privileged accounts and passwords
- Cloud servers are typically deployed on public networks with dynamic IP addresses
- Access controls and activity auditing are left to the customer
- Applications hosted on these servers don't enable end user single sign-on access
Source: Yankee Group survey summary "Is IaaS Moving Beyond Just Cloud Fluff?"

10 Centrify Solution Automates Security Enforcement
Leverages Active Directory as the centralized security infrastructure.
Protect Systems:
- Group Policy enforces system security policies
- IPsec-based network protection policies
- AD management of privileged accounts
Authorize Privileges:
- AD-based unique identity
- Role-based access and privilege
- AD enforces separation of duties
- Grant access only where there is a business need-to-know
- Grant explicit elevated privileges where required
Audit Activities:
- Audit all user activity
- Report on access rights and privileges
Automating Security for the Enterprise: Protect, Authorize, Audit.

11 Secure and Manage Mobile Devices
Leverage Active Directory for control of smart phones and tablets.

12 The Centrify Vision: Unified Access Management
Control, Secure and Audit Access to Your On-Premise and Cloud-based Infrastructure. "Centrify the Enterprise": servers, apps, mobile devices and personal devices, managed through the Centrify Management Platform (now available).
Leverage infrastructure you already own, Active Directory, to:
- Control what users can access
- Secure user access and privileges
- Audit what the users did

13 Consumerization of IT & BYOD Brings New Challenges
Consumer devices merge personal and business activities:
- End users bringing their mobile devices to work increasingly want to use them for business, such as corporate email
- Users want to carry one device for phone, email, camera, and music
Mobile devices are finding new use cases within the Enterprise:
- Complementing laptops/desktops with tablets for existing users
- Empowering a new class of end users to access electronic information
- Increasing the number of endpoint devices that need to be managed
This results in security enforcement challenges for the Enterprise:
- Mobile devices operate outside the scope of existing security infrastructure
- Lost or stolen devices expose company confidential information
- Compliance regulations do not allow exceptions for mobile devices

14 Centrify: A Differentiated Approach to Mobile Security
First deep integration of devices (iOS/Android) with Active Directory:
- Leverage existing Active Directory infrastructure, knowledge and support procedures
- Enforce Group Policy-based security settings (e.g. passcode policy, restrictions, security settings, etc.)
Cloud-based service:
- Over-the-air policy integration with Active Directory, even if the device is off the network
- Non-intrusive architecture; no open ports or additional infrastructure in the DMZ
First and only unified platform for BYOD that supports mobile devices AND 300+ versions of UNIX/Linux and Mac OS X systems.
First and only FREE mobile device management solution, Centrify Express for Mobile:
- No limitation on the number of devices managed
- Given the fixed MDM capabilities exposed by mobile vendors (e.g. the Apple MDM API), functionally on par with what other MDM vendors offer in their paid solutions

15 Centrify for Mobile: AD-based Administration
- Active Directory-based management of mobile devices
- Group Policy-based management of security settings
Screenshots: ADUC User Properties for David McNeely; ADUC Computer Properties for David McNeely's iPad; Group Policy Management Editor for Mobile Devices.

16 Simplified Mobile Security & Access Management
End user self-service enrollment and provisioning process:
- Enrollment app and web page enable end user login to initiate the join process
- Detection of "jailbroken" or "rooted" devices, enabling IT to control enrollment
- The association between the user and their devices is made inside Active Directory
- Passcode policy is immediately enforced, protecting the device from unauthorized access
IT centrally manages security policies and devices using the existing Active Directory environment:
- Using the Group Policy Object Editor, any changes are auto-distributed and enforced
- Helpdesk can easily remote-wipe lost units by looking up the user/device and issuing the Remote Wipe command from the ADUC console
End user termination triggers auto de-provisioning of the device:
- AD user account termination triggers termination of the device
- Termination of the device removes policies and data and revokes the device certificates and computer account

17 Centrify Mobile and Cloud Architecture
(architecture diagram)

18 Product Demonstration

19 Why Centrify for Mobile Security and Management?
Easiest product to deploy:
- Leverages existing Active Directory infrastructure and skill sets
- Cloud service eliminates the need to deploy & manage on-premise infrastructure
- Does not require firewall configuration changes, appliances or anything to be deployed in the DMZ
Not just a point solution for mobile devices:
- Centrify also supports Mac and Linux devices
Free offering makes getting started easy:
- Supports an unlimited number of devices
- Online/community support
- Provides an immediate solution while you consider your mobile strategy

20 Leverage Active Directory to Automate Security Enforcement
Protect Systems

21 Active Directory-based Computer Identity
Active Directory services provide the foundation for Enterprise security:
- Highly distributed, fault tolerant directory infrastructure designed for scalability
- Supports large Enterprises through multi-Forest, multi-Domain configurations
- Kerberos-based authentication and authorization infrastructure providing SSO
UNIX/Linux systems join Active Directory:
- Establishing individual computer accounts for each system
- Automatically enrolling for PKI certificates and establishing Enterprise trust
- Enabling authorized Active Directory users to log in, online & offline
- Controlling user authentication for both interactive and network logins
DirectControl's most basic function is to join systems into an Active Directory domain in order to establish AD as the authoritative network name service, providing uniquely identified users with authentication both online and offline, interactive on the machine and over the network. Since many Federal environments require users to log in with a smartcard (DoD CAC cards or HSPD-12 mandated PIV cards), Mac users can now use a CAC, PIV or .NET smartcard to log in to AD with DirectControl. Windows users who log in with a smartcard can also gain SSO access over the network to UNIX systems, and UNIX systems will refuse to log in a user without a smartcard if their AD account is configured to require a smartcard for interactive login. The end result is that AD sets up Kerberos as the common security infrastructure in which all systems identify themselves and encrypt session traffic using their Kerberos credentials, both system to system and system to AD.
Diagram: zones such as HR and Field Ops joined to Active Directory.

22 Automated Security Configuration Management
Group Policy provides a platform to define standard baseline security settings to be enforced on all systems:
- DirectControl expands Group Policy usage to UNIX, Linux and Mac OS X systems
- Mac Group Policies enable central system configuration, eliminating the need for Open Directory & Workgroup Manager
- Group Policy Management Console provides security baseline management: backup/import of settings, modeling & reporting on policies
On UNIX systems, DirectControl enables the same Group Policy infrastructure to define and manage the baseline security policies. On Mac there are several additional policies used to control the environment, eliminating the need for Open Directory or Workgroup Manager. The GPMC also enables IT to run reports and to back up and import settings.

23 Security Policies Enforced by Group Policy
Consistent security and configuration policies need to be enforced on all Windows, UNIX, Linux and Mac systems:
- Group Policy is automatically enforced at system join to Active Directory
- Group Policy routinely checks the system for compliance, updating as required
- User Group Policy is enforced at user login
Group Policies enforce:
- System authentication configuration
- System banner settings
- Screen saver & unlock policies
- SSH policies that control remote access security
- Firewall policies that control machine access
- Mac OS X specific policies that control the system and the user's environment
Group Policy is enforced on UNIX systems in the same way as for Windows machines; you just have more policies you can define.

24 Prevent Data Breaches from External Threats
IPsec transport mode isolates the managed enterprise systems, preventing access by rogue or untrusted computers and users and reducing the attack surface. The isolation only holds for hosts whose policy requires authenticated IPsec for inbound connections; a policy that merely requests IPsec and falls back to clear text leaves the host reachable by unmanaged peers.
Network-level access controls are much more important when:
- Enterprise network boundaries become porous as they include wireless and grow exponentially
- Users' work becomes more virtual, accessing corporate resources from mobile / remote locations
A software- and policy-based approach lets you avoid an expensive VLAN and network router ACL approach.
Diagram: a trusted corporate network of managed computers, with a rogue computer unable to communicate. Establish secure communications through group affiliation, ensuring only trusted systems communicate with each other. This is an extremely cost effective solution compared to VLANs and routers with ACLs.

25 Isolate Sensitive Servers & Protect Data-in-Motion
IPsec authentication policies logically isolate sensitive servers independent of physical network location:
- Sensitive information systems are isolated based on PKI identities and AD group membership
IPsec encryption protects data-in-motion without modifying older applications:
- Enforce peer-to-peer, network-layer encryption for applications that transport sensitive information
Diagram: packet layout showing the IP header, AH header, ESP header, protected data and ESP trailer, with the ESP payload encrypted and the packet authenticated. Each packet is encrypted, preventing attackers from seeing any sensitive information.

26 Leverage Active Directory to Automate Security Enforcement
Authorize Privileges

27 Active Directory Centralizes Account Management
UNIX account administration leverages centralized Active Directory processes and automation:
- Account and authentication policies are enforced on all systems
- Existing identity management solutions and Active Directory Users and Computers administer the same accounts
If we leverage a directory for account and access controls we can reuse existing automation and support processes. Most importantly, account controls such as terminations are immediately enforced across all joined systems, both Windows and UNIX/Linux (on disconnected systems this is subject to the offline credential cache, which is only refreshed once the system can reach a domain controller again). And since Active Directory is now authoritative for user logins, it is able to enforce account lockout on consecutive invalid login attempts as well as to provide Kerberos SSO credentials for a successful login. Administration can take place from any authenticated interface into the directory: the command line for UNIX admins, the MMC for helpdesk, the web for roaming admins, and provisioning tools.
Diagram: Active Directory-based security infrastructure administered through the MMC Admin Console, Provisioning APIs/Tools and the UNIX Command Line Interface.

28 Centralize The Most Complex UNIX Environments
Zones uniquely simplify the integration and centralized management of complex UNIX identity and access permissions into Active Directory:
- Only solution designed from the ground up to support migration of multiple UNIX environments and namespaces into a common directory
- Zones provide the unique ability to manage UNIX identity, UNIX access rights and delegated administration
Centrify supports native AD delegation for separation of duties:
- Zones create natural AD boundaries for delegated UNIX administration of a group of systems, through AD access controls on the UNIX Zone objects
Seamlessly integrate administration into existing IDM systems:
- AD group membership controls the provisioning of UNIX profiles granting access and privileges
- IDM systems simply manage AD group membership in order to control the environment
Diagram: Active Directory-based security infrastructure with Engineering, Finance, HR and Retail zones.

29 Ensure Separation of Administrative Duties
Separation of AD and UNIX admins:
- Users' UNIX profiles are stored independently of the AD user object
- UNIX admins don't need rights to manage AD user objects, only UNIX profiles
Separation of UNIX departmental admins:
- Each Zone is delegated to the appropriate UNIX admin
- UNIX admins only need rights to manage UNIX profiles within their own Zone
The Zone model also establishes administrative boundaries to separate the duties between AD and UNIX admins: UNIX admins do not need modify rights on users in AD, only on the objects held within their Zone. The same holds between UNIX admins: only the UNIX admin with rights to a Zone can manage the access control policies for the systems within that Zone.
Diagram: Active Directory with AD & Windows Administration on one side and a UNIX Administrator delegated the Administration Zone and HR Zone on the other; Fred and Joan are AD users.

30 Least Access is Enforced Through Zones
- System access is denied unless explicitly granted
- Access is granted to a Zone (a logical group of systems)
- Users' UNIX profiles within a Zone are linked to the AD user
Centrify introduces a logical grouping system called Zones to establish security and administrative boundaries. Users can have multiple UNIX accounts mapped to their single AD account regardless of location (helpful in federated environments). Users can only access systems where they both have a valid AD account AND have an active Zone profile granting access.
Diagram: AD users, computers & groups in Active Directory, with Administration, Accounting, HR and Field Ops zones. Fred has the profile fredt (UID 10002) in one zone and fthomas (UID 31590) in another; Joan has jlsmith (UID 61245), joans (UID 4226) and joans (UID 200) across zones; a one-way trust links a second forest.

31 Active Directory-based User Login
Smartcard login policies are also enforced:
- DirectControl for OS X supports CAC or PIV smartcard login to Active Directory, granting Kerberos tickets for SSO to integrated services
- Users configured for smartcard-only interactive login are not allowed to log in with a password; Kerberos login after smartcard authentication is allowed
- Kerberos provides strong mutual authentication to servers after desktop smartcard login

32 Lock Down Privileged Accounts
Lock down privileged and service accounts within Active Directory:
- Online authentication requires AD-based password validation
- Offline authentication uses the local cached account
- Passwords are synchronized to local storage for single user mode login
Leverage role-based privilege grants to eliminate the risks exposed by these accounts:
- Eliminates the need to access privileged accounts
- Enables locking down these account passwords
Diagram: the local root account on a UNIX system mapped to the UNIX_root account in Active Directory.

33 Associate Privileges with Named Individuals
Centralized role-based policy management:
- Create Roles based on job duties
- Grant specific access and elevated privilege rights
- Eliminate users' need to use privileged accounts
- Secure the system by granularly controlling how the user accesses the system and what he can do
UNIX rights granted to Roles:
- Availability: controls when a Role can be used
- PAM Access: controls how users access UNIX system interfaces and applications
- Privileged Commands: grants elevated privileges where needed
- Restricted Shell: controls the allowed commands in the user's environment
Example, the Backup Operator role in the HR Zone: Availability = maintenance window only; PAM Access = ssh login; Privileged Commands = tar command as root; Restricted Environment = only specific commands.

34 Grant Privileged Commands to Roles
Web Admins need root privileges to manage Apache services.

35 Role Assignments Ensure Accountability
AD users & groups:
- Active Directory users are assigned to a Role, eliminating ambiguity and ensuring accountability
- Active Directory groups can be assigned to a Role, simplifying management
- User assignment can be date/time limited, enabling temporary rights grants
Assignment scope:
- Roles apply to all computers within a Zone/Department
- Users within a Role can be granted rights to computers serving a specific role (DBA -> Oracle)
- Assignment can be defined for a specific computer
Diagram: Fred and Joan (AD users) and the Backup group assigned to the Backup Operator role in the HR Zone (Availability: maintenance window only; PAM Access: ssh login; Privileged Commands: tar command as root; Restricted Environment: only specific commands).

36 Example: Privileged Access in the Current Environment
A Web Admin editing httpd.conf requires root permissions.
User session:
    [twilson@test-rhel5 ~]$ su root
    Password:
    [root@test-rhel5 twilson]# vi /etc/httpd/conf/httpd.conf
    [root@test-rhel5 twilson]# /sbin/service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    [root@test-rhel5 twilson]#
Security log (/var/log/secure):
    Oct 26 10:13:27 test-rhel5 sshd[1786]: pam_unix(sshd:session): session opened for user twilson by (uid=0)
    Oct 26 10:14:45 test-rhel5 su: pam_unix(su:session): session opened for user root by (uid=10004)
Once su has succeeded, the log records only that uid 10004 became root; the edit and the service restart that follow are not attributed to twilson at all.

37 Example: Rights Dynamically Granted at Login
    [twilson@test-rhel5 ~]$ id
    uid=10004(twilson) gid=10001(unixuser) groups=10001(unixuser)
    [twilson@test-rhel5 ~]$ adquery group -a "Web Admins"
    centrify.demo/Users/Tim Wilson
    centrify.demo/Users/David McNeely
    [twilson@test-rhel5 ~]$ dzinfo
    Zone Status: DirectAuthorize is enabled
    User: twilson
    Forced into restricted environment: No

    Role Name        Avail  Restricted Env
    Web Admin Role   Yes    None

    PAM Application  Avail  Source Roles
    ftpd             Yes    Web Admin Role
    sshd             Yes    Web Admin Role

    Privileged commands:
    Name                       Avail  Command                Source Roles
    vi httpd                   Yes    vi /etc/httpd/conf/*   Web Admin Role
    httpd start-stop-restart   Yes    service http*          Web Admin Role
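The zone, role and right structure of slides 30, 33, 35 and 37 can be captured in a small evaluator. What follows is an added example written for this page, not Centrify code: it models an HR Zone containing test-rhel5, the Web Admin Role rights as the dzinfo output above lists them, a time-limited Backup Operator assignment, and the AD enabled flag, then answers the two questions the agent has to answer, "may this user log in through this PAM application?" and "may this command run as root?". The user, group and zone data are constructed; the matching rules (one glob per argument, path normalisation, a trusted-directory check on the binary) are this example's own design and are not a description of how DirectAuthorize matches patterns.

```python
"""Zone / Role / Right evaluation modelled on slides 30, 33, 35 and 37.
Added example for this page, not Centrify code.  Zone, user and role data are
constructed from the slides; the matching rules are this example's own."""
import fnmatch
import os
import shlex
from dataclasses import dataclass, field
from datetime import datetime, time

TRUSTED_BIN = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}


@dataclass
class Role:
    name: str
    pam_apps: set              # PAM applications this role may log in through
    commands: dict             # right name -> command pattern run as root
    available: tuple = None    # (start, end) time of day, None = always


@dataclass
class Zone:
    name: str
    computers: set
    profiles: dict             # AD user -> (UNIX login, uid) in this zone
    assignments: list = field(default_factory=list)  # (principal, role, expires)


# Constructed AD state: enabled flag and group membership.
AD_USERS = {
    "twilson":  {"enabled": True,  "groups": {"Web Admins"}},
    "dmcneely": {"enabled": True,  "groups": {"Web Admins"}},
    "jsmith":   {"enabled": False, "groups": {"Web Admins"}},  # terminated in AD
}

WEB_ADMIN = Role("Web Admin Role", {"sshd", "ftpd"}, {
    "vi httpd": "vi /etc/httpd/conf/*",
    # dzinfo on slide 37 shows "service http*"; this model needs a trailing
    # "*" word to admit the "restart" argument (assumption about semantics)
    "httpd start-stop-restart": "service http* *",
})
BACKUP_OP = Role("Backup Operator", {"sshd"}, {"tar": "tar *"},
                 available=(time(1, 0), time(5, 0)))   # maintenance window only

ZONES = [Zone("HR Zone", {"test-rhel5"},
              {"twilson": ("twilson", 10004), "dmcneely": ("dmcneely", 10005),
               "jsmith": ("jsmith", 10006)},
              [("Web Admins", WEB_ADMIN, None),
               ("twilson", BACKUP_OP, datetime(2011, 10, 31))])]  # temporary grant

WORK_HOURS = datetime(2011, 10, 26, 10, 26)    # constructed timestamps
MAINT_WINDOW = datetime(2011, 10, 26, 2, 0)
AFTER_EXPIRY = datetime(2011, 11, 1, 2, 0)


def active_roles(user, computer, now):
    """Roles a user holds on a computer at `now`: needs an enabled AD account,
    a UNIX profile in the computer's zone (denied unless explicitly granted),
    an unexpired assignment, and the role's availability window."""
    zone = next((z for z in ZONES if computer in z.computers), None)
    acct = AD_USERS.get(user)
    if zone is None or acct is None or not acct["enabled"] or user not in zone.profiles:
        return []
    roles = []
    for principal, role, expires in zone.assignments:
        if principal != user and principal not in acct["groups"]:
            continue
        if expires is not None and now >= expires:
            continue
        if role.available and not (role.available[0] <= now.time() < role.available[1]):
            continue
        roles.append(role)
    return roles


def can_login(user, computer, pam_app, now):
    return any(pam_app in r.pam_apps for r in active_roles(user, computer, now))


def _normalise(arg):
    # "/etc/httpd/conf/../../shadow" must not satisfy "/etc/httpd/conf/*":
    # fnmatch's "*" happily matches "/" and "..", so normalise absolute paths.
    return os.path.normpath(arg) if arg.startswith("/") else arg


def _command_name(word):
    # The binary must be bare (resolved by the agent) or live in a trusted
    # directory, so "/home/twilson/service" never satisfies "service".
    if "/" not in word:
        return word
    return os.path.basename(word) if os.path.dirname(word) in TRUSTED_BIN else None


def _match(pattern, words):
    pwords = pattern.split()
    if _command_name(words[0]) != pwords[0]:
        return False
    args, pargs = [_normalise(w) for w in words[1:]], pwords[1:]
    if pargs and pargs[-1] == "*":          # "tar *": any number of extra args
        pargs = pargs[:-1]
        if len(args) < len(pargs):
            return False
        args = args[:len(pargs)]
    elif len(args) != len(pargs):           # otherwise exactly one glob per argument
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(args, pargs))


def can_run_as_root(user, computer, command, now):
    """dzdo-style decision: the name of the granting role, or None."""
    words = shlex.split(command)
    for role in active_roles(user, computer, now):
        if any(_match(p, words) for p in role.commands.values()):
            return role.name
    return None
```

The per-argument rule is what stops `vi /etc/httpd/conf/httpd.conf /etc/shadow` from satisfying `vi /etc/httpd/conf/*`, and the normalisation is what stops `vi /etc/httpd/conf/../../shadow`; whichever product enforces a right like the one on slide 37, those are the two requests worth testing against it.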

38 Example: Privileged Access with Centrify Suite
A Web Admin editing httpd.conf using DirectAuthorize privilege elevation.
User session:
    [twilson@test-rhel5 ~]$ dzdo vi /etc/httpd/conf/httpd.conf
    [twilson@test-rhel5 ~]$ dzdo /sbin/service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    [twilson@test-rhel5 ~]$
Security log (/var/log/secure):
    Oct 26 10:25:42 test-rhel5 sshd[1786]: pam_unix(sshd:session): session opened for user twilson by (uid=0)
    Oct 26 10:26:03 test-rhel5 dzdo: twilson : TTY=pts/5 ; PWD=/home/twilson ; USER=root ; COMMAND=/bin/vi /etc/httpd/conf/httpd.conf
    Oct 26 10:28:27 test-rhel5 dzdo: twilson : TTY=pts/5 ; PWD=/home/twilson ; USER=root ; COMMAND=/sbin/service httpd restart
Each elevated command is now recorded with the requesting user, TTY, working directory, target account and command line. Note that the right granted here is the editor itself: vi can spawn a shell (:!/bin/sh) as root, and commands run from that shell do not appear in this log, so a file-editing right is better granted through a sudoedit-style wrapper or combined with session recording (slide 43).
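To make the accountability difference between slides 36 and 38 mechanical, here is an added example (not Centrify code) that scans /var/log/secure text for the three record shapes that matter: a su to root, after which later actions carry only a uid and no command; dzdo or sudo records that name the requesting user and the command; and failed SSH logins (the "all failed login attempts" question on slide 41). The sample log consists of the lines shown on the two slides plus a few constructed ones (the failed-password lines and a sudo to bash); the regular expressions and the list of shell-granting commands are this example's own.

```python
"""Attribution check over /var/log/secure text (added example, not Centrify
code).  Sample lines are the ones on slides 36 and 38 plus constructed extras."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct 26 10:13:27 test-rhel5 sshd[1786]: pam_unix(sshd:session): session opened for user twilson by (uid=0)
Oct 26 10:14:45 test-rhel5 su: pam_unix(su:session): session opened for user root by (uid=10004)
Oct 26 10:25:42 test-rhel5 sshd[1786]: pam_unix(sshd:session): session opened for user twilson by (uid=0)
Oct 26 10:26:03 test-rhel5 dzdo: twilson : TTY=pts/5 ; PWD=/home/twilson ; USER=root ; COMMAND=/bin/vi /etc/httpd/conf/httpd.conf
Oct 26 10:28:27 test-rhel5 dzdo: twilson : TTY=pts/5 ; PWD=/home/twilson ; USER=root ; COMMAND=/sbin/service httpd restart
Oct 26 10:31:10 test-rhel5 sshd[1790]: Failed password for invalid user oracle from 10.0.0.7 port 51234 ssh2
Oct 26 10:31:12 test-rhel5 sshd[1790]: Failed password for invalid user oracle from 10.0.0.7 port 51234 ssh2
Oct 26 10:40:00 test-rhel5 sudo: dmcneely : TTY=pts/6 ; PWD=/home/dmcneely ; USER=root ; COMMAND=/bin/bash
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SU_RE = re.compile(PREFIX + r"su: pam_unix\(su:session\): session opened for user "
                   r"(?P<target>\S+) by \(uid=(?P<uid>\d+)\)")
ELEV_RE = re.compile(PREFIX + r"(?P<tool>dzdo|sudo): (?P<user>\S+) : .*?USER=(?P<runas>\S+) ; "
                     r"COMMAND=(?P<cmd>.*)$")
FAIL_RE = re.compile(PREFIX + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src>\S+)")

# Elevated commands that hand the caller an interactive shell or an editor with
# a shell escape: whatever happens next is not recorded in this log.
UNATTRIBUTED_COMMANDS = ("/bin/bash", "/bin/sh", "/bin/su", "/bin/vi", "/usr/bin/vim")


def analyse(log_text):
    """Returns a dict with: su_to_root (timestamp, host, calling uid), elevated
    commands per named user, elevated commands that open an unlogged shell,
    and failed login counts per (user, source)."""
    report = {"su_to_root": [], "elevated": defaultdict(list),
              "shell_escapes": [], "failed_logins": defaultdict(int)}
    for line in log_text.splitlines():
        if m := SU_RE.match(line):
            if m["target"] == "root":
                # only a uid survives here; join it to the zone profile to name the person
                report["su_to_root"].append((m["ts"], m["host"], int(m["uid"])))
        elif m := ELEV_RE.match(line):
            report["elevated"][m["user"]].append((m["ts"], m["runas"], m["cmd"]))
            if m["cmd"].split()[0] in UNATTRIBUTED_COMMANDS:
                report["shell_escapes"].append((m["ts"], m["user"], m["tool"], m["cmd"]))
        elif m := FAIL_RE.match(line):
            report["failed_logins"][(m["user"], m["src"])] += 1
    return report
```

Run over the sample, the su line from slide 36 shows up as a root session attributable only to uid 10004, the two dzdo lines from slide 38 are attributed to twilson by name, and both the vi right and the constructed sudo-to-bash are flagged as points where per-command logging stops.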

39 Demo

40 Leverage Active Directory to Automate Security Enforcement
Audit Activities

41 System Logs and Events Provide Visibility
Data sources: Active Directory (configuration, local and AD user accounts, authentication attempts, Centrify Zone and Role assignments); *NIX syslog and /etc/passwd; Centrify health and configuration. A syslog rollup brings in operational intelligence from other systems, apps, SIEM, security devices, etc.
Metrics, alerts, dashboards and reports show changes in AD, *nix login attempts, Windows login attempts, Centrify agent health, etc., answering questions such as:
- Show me accounts not used in the last 90 days.
- I want to see all failed login attempts.
- Are there any systems where Centrify is not connected?
- Are there any newly created local accounts on my server?
- Who zone-enabled this user?
- How long was a user in a role?
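The first question above, plus the account settings discussed on slides 21, 27, 31 and 32 (smartcard-only login, disabled accounts, the UNIX_root service account), can be answered from two AD attributes: userAccountControl and lastLogonTimestamp. The following is an added example for this page, not Centrify code; it runs over a constructed list of records shaped like an LDAP export. The flag values and the FILETIME epoch are Microsoft's documented ones, the records and the account names are invented.

```python
"""AD account hygiene checks: "accounts not used in the last 90 days" plus the
lock-down and smartcard settings from slides 21, 27, 31 and 32.  Added example
for this page, not Centrify code.  Bit values and the FILETIME epoch are
Microsoft's documented ones; the account records are constructed."""
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE       = 0x0002
PASSWD_NOTREQD       = 0x0020
NORMAL_ACCOUNT       = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED   = 0x40000     # password login impossible, smartcard only
DONT_REQ_PREAUTH     = 0x400000    # Kerberos pre-authentication switched off

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """lastLogonTimestamp is 100 ns ticks since 1601-01-01 UTC; 0 = never set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic: the tick count exceeds float's 53-bit exact range."""
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


NOW = datetime(2011, 10, 26, 12, 0, tzinfo=timezone.utc)   # constructed "today"

# Constructed LDAP export: (sAMAccountName, userAccountControl, lastLogonTimestamp)
ACCOUNTS = [
    ("twilson",    NORMAL_ACCOUNT, datetime_to_filetime(NOW - timedelta(days=1))),
    ("dmcneely",   NORMAL_ACCOUNT | SMARTCARD_REQUIRED, datetime_to_filetime(NOW - timedelta(days=3))),
    ("jsmith",     NORMAL_ACCOUNT | ACCOUNTDISABLE, datetime_to_filetime(NOW - timedelta(days=200))),
    ("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD,
                   datetime_to_filetime(NOW - timedelta(days=120))),
    ("UNIX_root",  NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 0),   # never logged on
    ("legacyapp",  NORMAL_ACCOUNT | DONT_REQ_PREAUTH, datetime_to_filetime(NOW - timedelta(days=95))),
]


def audit(accounts, now=NOW, stale_after=timedelta(days=90)):
    """Findings keyed by check.  lastLogonTimestamp replicates lazily (by default
    only when the stored value is more than 14 days old), so it means "at least
    this recent", which is adequate for a 90 day question but not for a 7 day one."""
    f = {"stale_enabled": [], "disabled": [], "smartcard_required": [],
         "password_not_required": [], "no_kerberos_preauth": [],
         "never_expires_and_stale": []}
    for name, uac, last_ft in accounts:
        last = filetime_to_datetime(last_ft)
        stale = last is None or now - last > stale_after
        disabled = bool(uac & ACCOUNTDISABLE)
        if disabled:
            f["disabled"].append(name)
        elif stale:
            f["stale_enabled"].append(name)
        if uac & SMARTCARD_REQUIRED:
            f["smartcard_required"].append(name)
        if uac & PASSWD_NOTREQD:
            f["password_not_required"].append(name)
        if uac & DONT_REQ_PREAUTH:
            f["no_kerberos_preauth"].append(name)
        if uac & DONT_EXPIRE_PASSWORD and stale and not disabled:
            f["never_expires_and_stale"].append(name)
    return f
```

The interesting finding in the constructed data is UNIX_root: a privileged account that has a non-expiring password and has never logged on interactively is exactly the kind of account slide 32 says should be locked down to role-based elevation only, and this check surfaces it without anyone having to remember it exists.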

42 For Monitoring and Reporting of Logged Changes
(dashboard screenshot)

43 High Definition Visibility Provided by Session Recording
- Establish user accountability
- Track all user access to systems
- Centrally search captured sessions

44 Reporting Simplified with Centralized Management
Authorization and access reports can be centrally created:
- Reporting on user account properties
- Detailing user role assignments and privileged command rights
- Showing user access rights to computers
Active Directory based reporting:
- Reports are generated on live, editable AD information
- Administrators can take snapshots of a report
And since UNIX security is often a matter of which rights users hold, reports from the directory also show which users have these elevated privileges.

45 Reporting Simplified with Centralized Management
(report screenshot)

46 Centrify's Vision
Control, Secure and Audit Access to Cross-Platform Systems and Applications. "Centrify the Enterprise":
1. An increasingly heterogeneous environment: systems, apps, mobile devices, cloud
2. An increasing number of constituents/users requiring the appropriate level of access to stay safe, productive & compliant
3. You already own 50% of the solution (AD) and you already have a staff that knows how to use it (systems, processes, skills, etc.)
Leverage infrastructure you already own, Active Directory, to:
- Control what users can access
- Secure user access and privileges
- Audit what the users did

47 Reduce Costs Through Identity Consolidation
"Islands of identity" need to be managed and secured:
- Locally managed /etc/passwd files
- Legacy NIS or hand-built scripting
- High cost & inefficient to maintain
- Completely missing account and password policies
- Weak password security
- Lack of stringent user authentication and access controls
- Limited privilege management
- Syslog auditing is limited, lacking accountability
With Centrify:
- Consolidate disparate UNIX and Linux identity stores into AD
- Implement least-privilege security
- Centrally enforce security and configuration policies across UNIX, Linux and Mac systems
- Instantly terminate access to all systems and applications centrally
- End user productivity and satisfaction
You can think of dozens of legitimate reasons why this has happened: each platform was chosen for its fitness for a particular purpose, but often without regard to a long-term view of efficient administration; different departments or lines of business were independently funded and managed, and thus made different decisions. Obviously, maintaining multiple identity stores is inefficient in many obvious ways, in terms of needless licensing fees and too many man-hours spent on simple tasks like provisioning. But they also rob you in other ways: lost productivity from key staff (even simple tasks such as resetting a lost password may require a system admin's time), and complex systems are fragile systems that force you into a constant reactive state. Instead of solving business problems and being seen as contributing to business agility and competitiveness, you're viewed as a cost center. Centrify looked at this landscape and saw a simple and elegant approach that could meet organizations' needs to enhance regulatory compliance initiatives and strengthen security, and yet do so in a cost-effective way that can actually simplify your IT infrastructure, streamline IT processes, and reduce costs.

48 Mitigate Risks & Address Compliance
Evolving threat landscape and regulatory environment:
- A shared "root" password compromises security & exposes intellectual property
- Anonymous access
- Audits require reporting that ties access controls and activities to individuals
With Centrify:
- Associate privileges with individuals
- Lock down privileged accounts
- Enforce separation of duties
- Isolate sensitive systems
- Protect data-in-motion
- Audit all activity
Diagram: Active Directory with an HR Zone, a Finance Zone and a Virtual Server Farm Zone; the HR Administrator, the Finance Administrator and the Virtual Server Administrators (Fred, Joan) are delegated their zones by the Active Directory Administrators.

49 Addressing NIST 800-53 for UNIX
Identity & Authentication (IA): uniquely identify and authenticate users; employ multifactor authentication.
  Leverage Active Directory to: link entitlements and actions to a centrally managed user identity in AD; support smartcard authentication for Mac workstations.
Access Control (AC): restrict access to systems and to privileges; enforce separation of duties and least-privilege rights management.
  Leverage Active Directory to: enforce centralized policies for role-based access and privilege rights; enforce administrative separation of duties.
Audit & Accountability (AU): capture in sufficient detail to establish what occurred, the source, and the outcome.
  Leverage Active Directory to: capture all interactive sessions on audited systems, attributing the actions to the accountable person; provide search and session replay.
Configuration Management (CM): develop/maintain a baseline configuration; automate enforcement for access restrictions and audit the actions.
  Leverage Active Directory to: automatically enforce a baseline security policy; continuously enforce/update the security policy.
Systems & Communications (SC): boundary protection; transmission integrity and confidentiality; cryptographic key establishment and management, including PKI certificates.
  Leverage Active Directory to: enforce domain and group-based isolation policies to protect sensitive assets; encrypt data in motion between systems; automate PKI management and validation on protected systems.

50 Addressing PCI-DSS for UNIX and Linux Systems
Requirement 1 (install and maintain a firewall configuration to protect cardholder data):
- Group Policy enforces a consistent firewall policy on all systems
- DirectSecure enforces IPsec-based network authentication & authorization policies
Requirement 2 (do not use vendor-supplied defaults for system passwords and other security parameters):
- Group Policy enforces corporate system security policy on all systems
- Centralize privileged account password & authentication management
Requirement 4 (encrypt transmission of cardholder data across open, public networks):
- DirectSecure enforces IPsec-based encryption of data-in-motion between trusted systems
Requirement 7 (restrict access to cardholder data by business need-to-know):
- DirectControl enforces a least access security policy
- DirectAuthorize grants access and privileges based on Roles
- DirectControl Zones ensure separation of administrative duties
Requirement 8 (assign a unique ID to each person with computer access):
- DirectControl centralizes user account management in AD
- DirectControl requires users to log in with their individual AD account
Requirement 10 (track and monitor all access to network resources and cardholder data):
- DirectControl enforces time synchronization with AD
- DirectControl proves accountability by linking UNIX logins to AD users
- DirectAudit records and replays all user access sessions

51 Why Customers Choose Centrify
Centrify is the "right vendor to choose" for Active Directory integration:
- Centrify's solution is "mature, technically strong, full featured, and possess(es) broad platform support." (2009)
- "We recommended that clients strongly consider Centrify ... its products can fit well within a multivendor IAM portfolio." (2010)
Experience & Expertise: 3500+ enterprise customers; largest dedicated team; unparalleled 24x7 support; record growth and profitable; industry awards; industry certifications.
The Best Solution: single architecture based on AD; comprehensive suite; proven success in deployments; non-intrusive.

52 Learn More and Evaluate Centrify Yourself
Web site; Federal solutions; Technical videos & more; Supported platforms; Request an eval; Free software; Contact us.
Phone: Worldwide +1 (408) ; Europe +44 (0)

