Back in November I blogged about “Enterprise Identity Where You Want It”, which discussed how Centrify had enhanced its Cloud Service to allow customers to store identity data in the cloud or on-premise in Active Directory or a combo of both. The point was while customers really want centralized identity management for the cloud and mobile resources that they are deploying, they also wanted flexibility regarding where they could store their identity data (cloud, on-premise and/or in both places). Fast forward a few months, and I am now pleased to announce we are extending this innovative and flexible “hybrid” approach that we have with identity to policy as well with our recent update to the Centrify Cloud Service. Let me explain what we are delivering in this blog post vis a vis Centrify delivering a fully cloud-based policy solution.
Before I begin, I should state that we believe that Centrify is taking a unique approach to the identity problem for cloud and SaaS by seamlessly integrating mobile management into our offering. We are doing that as we believe that mobile is becoming the de facto end point to access cloud-based resources, and in order to ensure secure access, IT needs to ensure the underlying device itself is secure and that the appropriate mobile applications are deployed to the user’s devices. In addition, end users don’t want to mess around with typing in a plethora of passwords on their mobile devices (who has time for that especially given the form factor), and that a solution is needed that not only can provide “Zero Sign-On” for web apps but for rich mobile apps as well. And finally the mobile device is going to be the best “something you have” for multi-factor authentication when accessing SaaS and other apps. Hence a comprehensive Identity-as-a-Service (IDaaS) solution must be mobile-centric, and that’s what the Centrify User Suite is all about — merging cloud and mobile management.
Our initial approach was to build the Centrify Cloud Service as a cloud-based identity broker or gateway to an on-premise Active Directory. As discussed above, we have evolved the Centrify Cloud Service to also support storing identity in the cloud and allowing a customer to mix and match where their users’ identity data resides. Specific to policy management, historically the Centrify Cloud Service applied policies (e.g. to mobile devices) by use of Active Directory Group Policy, so the policy store we utilized was in effect on-premise. This gave customers the ability to leverage an existing tool that they already know (AD GP) and be able to apply policies to mobile devices (e.g. Mac, iOS, Android, etc.) using the same familiar management tools and processes that they used to manage Windows desktops.
Centrify was in fact the first vendor to deliver GPs for the Mac platform many years ago, and was the first (and still only) vendor to deliver iOS and Android GPs. The net net was that you could, as an IT person, lockdown your mobile devices like you lock down your Windows and Mac desktops and laptops using the very same tools. Pretty cool!
But even though Active Directory usage is over 95% for all large, medium and small enterprises, and the use of Group Policy is widespread, we do understand some customers may not want to use Active Directory as either their identity store and/or their policy engine.
For example, a newly formed enterprise may be trying to be “cloud only,” meaning they may not have Active Directory. Or the organization may want to supplement access to SaaS apps for users who may not have accounts in AD, e.g. partners or contractors or customers. Having that data stored outside AD and in the cloud gives them flexibility they may not otherwise have.
Similarly, a customer may want to use Active Directory for their source of identity, but they may want to have the IT people who are responsible for managing the mobile device use their own policy engine to manage the mobile devices that is separate and distinct from Group Policy. This may be due to internal political reasons, or it just may be faster or easier organizationally to use a separate cloud-based system.
The good news is that the latest release of Centrify Cloud Service now provides Policy Services without the need for Active Directory. This means that you can now define both Users and Policies within the cloud service to enable both device configuration policy management as well as application single sign-on for your users. So in looking at that architectural diagram above, if you want to go all cloud for identity and policy there is no need for the Centrify Proxy Server or any on-premise components at all.
So how does this new cloud-based policy management capability work? [hat tip to David McNeely for providing me content in this part of the blog post]
The Centrify Policy Service enables you to define a Policy and apply it to all of your users or to users within a specific Role. The Policy contains all the same device policies that are available via Centrify’s Group Policy extension to enable full device management for iOS, Android, Mac OS X and Samsung devices.
In order to use this new feature, you simply have to turn it on by logging into Cloud Manager and going into Settings, then select Device Policy Management. Here you will see the 2 options for either Active Directory Group Policy or Centrify Policy Service, just select Centrify Policy Service to use this new capability.
To enable cloud-based policy you just need to create a policy set so that you can define the policies that will be applied to the devices of users who this policies applies to based on the user’s role assignments. This is easily accomplished by clicking on Policy in the Cloud Manager console, then click on Add Policy Set and give it a name.
To assign the policy to a user you just need to click on the Applies to menu and select which users the policy applies to. You leave it set to apply to all users to select a Role for this policy to apply. As an example, you could create a role called BYOD Mobile Users to enable your users to enroll their devices and have these policies applied to their devices.
Last but not least you can define the policy by simply clicking on Policies, then Mobile and select the category of policies that you want to define for your user’s devices such as the common passcode settings policy.
With that done, now end users can enroll their devices in order to enable management and application single sign-on. You can either have your users login to the user self-service portal, click on devices and Add Devices to get instructions for enrolling their devices, or they can simply download the Centrify app from the Apple App Store or Google Play and enroll their devices. That’s it!
Finally you may be asking yourself what is the right approach to store enterprise identity and/or policy? In our opinion it is giving enterprises the flexibility and option to store identity and enable policy on-premise, in the cloud, and/or in both places. This is in stark contrast to some vendors who only allow you to store identity data in their cloud directory. This cloud-only approach may not appeal to some organizations who, rightly or wrongly, have concerns about losing control of the keys to the kingdom, or have security or privacy concerns, or flat out concerns about the long term viability of the vendor. We on the other hand think choice and options are good, because one approach does not fit all. And of course we also uniquely provide the important mobile management and policies capabilities to our SaaS management capabilities that other vendors don’t provide.