IT security teams are struggling to prevent data breaches in cloud, mobile and data center environments and compromised user identity is the leading cause of data breaches. Traditional perimeter-defenses do not address users with too many passwords, too much access and too much privilege. Centrify helps customers solve these problems by minimizing the attack surface. This post will discuss how Centrify addresses the recommendations found on page 12 of the M-Trends 2015 report and in many cases provides further capabilities. The below chart shows the mappings between our solutions and the Mandiant (a FireEye company) recommendations, followed by an explanation of how it works and where we exceed the requirement.
Both of the Mandiant Trends Reports in 2015 and 2016 recommend that organizations leverage multi-factor authentication for remote access and jump servers. In general, there is an overall increase in hackers leveraging remote access and Virtual Private Network (VPN) technology to gain access to an organization’s network and assets. This is frequently achieved in cases where user name and password or digital certificates on a compromised endpoint are exploited. Centrify enables multi-factor authentication for remote access to resources (servers and network devices) via Centrify Privilege Service. Additionally multi-factor authentication is available for authentication to operating systems and on elevation of privileges as well as access to the users’ portal and applications. Multi-factor may be achieved via Centrify’s MFA solution including push notification to a phone and/or an “out of band” OTP delivered in multiple ways, or finally via security questions. Third party MFA solutions are supported as well.
Additionally, with many VPN or remote access solutions today, a user gains access to potentially much more of the network than needed. Centrify Privileged Service (CPS) only allows the user to access to the systems that they have been explicitly granted access temporarily or permanently.
Secondly, the Mandiant report recommends whitelisting technologies for critical systems. Attackers frequently install software that harvests user credentials, Personally Identifiable Information (PII), and / or credit card data etc. Whitelisting technology can significantly limit the value of stolen user credentials, as the user can only execute applications and/or commands that are explicitly granted to them as necessary for their job function. Centrify DirectAuthorize, supports whitelisting and is used by a multinational retailer to enforce least privilege. For example, only certain roles of users can make configuration changes on a system, perform printer management, and install software on thousands of systems at retail locations. The configuration capabilities also support temporary assignment of privileges, enabling access to the systems only when needed. More information on the Centrify DirectAuthorize for Windows approach may by found here.
The report also recommends better management of privileged accounts and specifically a reduction in the number of privileged accounts as well as unique administrator passwords. To address this recommendation, Centrify supports a combination of Centrify DirectAuthorize and Centrify Privileged Service. Centrify DirectAuthorize enables the reduction of privileged accounts as described previously with its support for secure delegation of privileged actions. It enables organizations to restrict an admin to more role-centric privileges without making them a full Domain or Enterprise Active Directory admin or local administrator/root. Also, the actual execution of privilege commands or applications may be configured to require MFA, stopping an attacker in his tracks. Centrify CPS’ Shared Account Password Management (SAPM) features allow for the management of local account passwords such as root, local administrator, etc. The accounts may be checked out only when needed, a complex password is automatically managed for the account, and authorized users may use the privileged account without knowing the password. This ensures the uniqueness of the password as well as other features to further automate the process and protect the account.
And finally, there is the recommendation to Secure Access to the PCI Environment. Within this recommendation are distinct requirements including segregating the PCI network, requiring multi-factor authentication for server access, and limiting outbound traffic to an approved list. Centrify’s MFA capability has been mentioned previously, however with this recommendation we also introduce Centrify DirectSecure. DirectSecure blocks “untrusted” systems from communication with “trusted” systems via its unique, server-based software solution that leverages your Active Directory infrastructure and the native IPsec support in modern operating systems. It extends the Windows IPSec group policies out to the UNIX/Linux platforms. DirectSecure also delivers tiered access by further isolating groups of systems. The result is improved adherence to regulatory compliance initiatives as well as an additional layer of policy-driven protection against network attacks for mixed Windows and UNIX/Linux environments. DirectSecure seamlessly blocks untrusted systems from communication with trusted systems and does so without the need to change your network or applications.
As there are more and more attacks on privileged identities, organizations will be looking to implement these recommendations before they are in the headlines. Centrify is a marketplace leader in Privileged Identity Management (PIM), Identity as a Service (IDaaS), and full support for MFA in accordance with HSPD-12 and with support of OATH and RADIUS.