9.25pm…Sunday…Santa Clara, U.S…
Exhausted. Been working looooong hours all weekend in the corporate NOC, tag-teaming with Frank and his team in our Bracknell, U.K. facility. Finally on the road home. Just enough time to hit my favorite coffee shop, sink into a sumptuous leather sofa, and unwind for half an hour with a luxuriant flat white and an almond croissant.
Then my mobile phone rings. Argh! I could ignore it, but have assigned a special ring tone for emergency calls. This was the bat signal. The panic call that meant disaster had struck. I pulled over and answered it. It was Frank.
Frank was managing the implementation of a new MPLS network to support our growing U.S., EMEA, and Hong Kong operations. It had gone live an hour earlier and when I left, our NOC dashboard was a sea of green icons: everything stable and “operating within established normal parameters.”
In IT, a LOT can happen in the space of an hour. Predictable really.
Frank was in a panic and speaking a mile a minute. It was hard to fully comprehend what was going on, but the proverbial fan was involved. It was bad. Some network segments were out and a bunch of critical servers were also down.
His team needed my help to get them “break glass” direct login access to some of the servers and network devices. I would also need to remotely log in to others and triage. Not ideal sitting in the parking lot of Antigua Tazza D’Oro Coffee House.
“Frank, why can’t you log in to the password server and have that automatically log you in to those servers?”
At our company, we have two privileged account password management options. One is our incumbent on-premises product, the other is a new SaaS service in the cloud we have been evaluating – Centrify Privilege Service (CPS).
“Raun, we can’t get to the production password manager. It’s on a segment that’s down, so we can’t use it to remotely log in or check out any admin passwords. Any chance that next-gen solution you’re evaluating can help?”
“No problem. I can easily set up accounts for you and your team as easily as adding you to an AD group. You’ll also be able to access the service through the cellular network on your mobile device if WiFi is out. But in the meantime, what servers and what accounts do you need?”
Frank rattled them off. From my car, I opened the companion Centrify app on my iPhone. Under the “Resources” section, I navigated to each server and checked out the password for each admin account. Since CPS is in the cloud, the issues with our local systems had zero impact. The process to check out six privileged account passwords took just over a minute, even with MFA prompts to scan my fingerprint for access to the app itself and to check out each password.
“There you go, Frank – these are good for 60 minutes, which should be enough time for your team to log in on the console and sort things out. For my systems, there’s an internet terminal here at the coffee house. I’ll use that to remotely log in and run diagnostics.”
“But there’s no VPN client installed on it?”
“I don’t need one.”
From the internet terminal, I opened a browser and navigated to CPS. I entered my credentials and was prompted for a second factor since the terminal was unrecognized (untrusted) by CPS. I selected “Mobile Authenticator” from the list (other options include email, voicemail, and security question).
Once in, it took less than 20 seconds to locate a server, select the root or administrator account, and be logged in through a browser-based VPN-less secure session. Had the process required a VPN, I would have been hosed.
Frank’s team was able to manually log in to the servers and network devices to fix things at their end. I was able to resolve issues remotely from the internet terminal at Antigua—and get my flat white—all in the space of 30 minutes before it closed.
The speed of access, the convenience of a SaaS-based password management solution, no dependence on remote VPN connections, strong MFA, and mobile-device support all translated to massive business benefits, which ultimately resulted in the on-premises solution being decommissioned in favor of the CPS cloud-based solution.
I finished off my flat white, bid the barista a good night, and headed home to my bed for a few hours’ kip before the “real” work week begins.
Check out this video snippet to see how I used the Centrify app on my iPhone to check out a privileged password.