Posts by Paul Moore

Paul Moore is co-founder of Centrify and serves as its Chief Technology Officer, where he provides the technical vision for its award-winning software and cloud security solutions.

Centrify Perspective

Best Practices for Multi-factor Authentication (MFA)

By , September 7, 2017

These days, it’s pretty clear that to protect systems and data, organizations need to go beyond traditional perimeter defenses. Because most modern cyber-criminals exploit user credentials to get a foot in the door, user identities have become the new perimeter. And leading organizations are turning to MFA to secure their complex, heterogeneous environments. MFA mitigates password risk by requiring additional factors of authentication: something the user knows, has and is. It’s not difficult to implement, but some up-front planning can further enhance security and save a lot of time and effort. MFA is one of the best ways to prevent…

Centrify Perspective

Modernizing Legacy Apps to Boost Security: Part II

By , November 14, 2016

As we discussed in part I of this article, many companies are still in the process of modernizing their legacy apps. There are a number of reasons to do this, but securing your environment is typically the main goal. We’ve already identified a (software) token-based system as essential. Let’s continue with a couple more best practices.

Provide for User Provisioning

An application needs user data — not for authentication, but because it needs to know the role and responsibilities of the person logging in so that privileges inside the app can be managed and regulated. Therefore, a database of…

Centrify Perspective

Modernizing Legacy Apps to Boost Security: Part I

By , November 8, 2016

The subject of modernizing apps has been around for years, but while talking to a partner organization recently, I was reminded that there are a number of companies with legacy apps that are just now getting around to dealing with them.

What Apps Need Modernization?

The commercial apps you’re implementing into your environment today should not need to be modernized. If, however, you’ve developed your own apps or you continue to use legacy commercial apps developed several years back, you may have some work to do.

Why Modernize an App?

Companies most often modernize apps as a method of improving…

Mobile Frontier

Enterprise Mobile App Challenges, Part 2

By , May 1, 2014

This is a continuation of an earlier post, “Enterprise Mobile App Challenges, Part 1”.

Challenge 3: Connectivity. These apps need to talk to backends. Are these servers inside the corporate network or not? For those services on the Internet, connectivity seems pretty simple. But what about those services on the internal network behind the firewall? There are a few choices here:

A) Device VPN: The device itself VPNs into the corporate network. This works but presents management and usability problems. We need the VPN to be automatically set up (we can’t expect the user to do it), we need it to start on demand, and odd things will happen if the user tries to do other things.

B) On-demand per-app VPN: This varies from platform to platform: for example Samsung Knox, iOS 7.

C) Reverse proxy: Basically a server straddling the firewall that proxies the traffic from the device into the backend server. Many commercial and open source tools exist: Apache.

D) Outbound relay / rendezvous: In this case the server calls out to a system on the Internet. The app calls the same service and hence they can pass messages. This is by far the most complicated solution to implement but has the advantage of not requiring firewall changes. An example of this type of technology is Azure Service Bus.

Mobile Frontier

Enterprise Mobile App Challenges, Part 1

By , April 15, 2014

First let me say what I mean by Enterprise Mobile App: an app running on a smart phone or tablet that is used by company employees and partners as part of their job. Probably custom built. Probably accessing a mix of existing LOB back-ends, some new back-ends and some commercial services (storage, analytics,…). Back-ends on-prem and in the cloud. I am sure that definition misses some things (I will return to a few obvious ones later) but I am sure that it hits a huge number of projects. So what does it take to build, deploy, manage and maintain an…

It's All About Identity

HeartBleed and Passwords

By , April 6, 2014

Once more the evil of passwords is demonstrated. This time it’s the HeartBleed bug that can expose chunks of data known by a web server to hackers. Passwords – and their ability to gain access to anything they protect – are the most obvious target. Technical aside: for those of you that don’t have the time to read the CERT advisory, here is a summary. The current version of the security library used by many web servers (OpenSSL) has a flaw that allows an attacker to send an information request (TLS heartbeat) to a server that reads way more…

Centrify Perspective

Privacy and Location Data

By , March 25, 2014

I was just reading a post about a Google service and Slashdot’s reaction to how they track the location of users for various reasons. This got me thinking about how Centrify’s cloud service uses location data.

Centrify Perspective

Thoughts on 10 Years of Centrify

By , March 17, 2014

As Centrify approaches its ten-year anniversary it’s interesting to look at what things have changed in those years. The big shift of course is from (what is now called) on-prem to cloud. That change also led to repurposing of some things. SAML was originally intended as a way of enabling several sets of users to access a single resource. For example, two businesses needing to co-operate on a joint project, universities wanting to enable secure access to shared web sites, etc. (aka federation). SAML is now mainly used for SaaS applications. These are not federated in the normal sense – they are…

It's All About Identity

Living with Password Policies

By , December 23, 2013

It seems to be accepted wisdom that password policies are a Good Thing™ for IT security. But are they really? A password policy typically consists of two things: rules about how complicated your password must be, and rules about how often passwords must be changed, reused, etc. A typical policy will say ‘at least one upper case letter, one lower case letter, one digit, at least 8 characters’ and ‘must be changed every 30 days’. And the general idea is that although this inconveniences users a bit it certainly increases security. Some web sites have rules for ranking the security of passwords,…

It's All About Identity

IDaaS: Identity as a service, what does it mean?

By , October 31, 2013

Seems like we have Everything as a Service now (Software, Platform, Infrastructure…), so what does one of the more recent ones, ‘Identity as a Service’, mean? Well, the ‘as a Service’ tail means that something that you used to build, run, support and maintain in-house is now provided as a utility, in the same way you get electricity, water and phone service. Or for new companies it means starting with these as utilities in the first place. Why has this become popular? Because of the predictable cost and quality of service.