Identity, Privilege and Compliance on Red Hat Systems

Centrify got its start in the security and identity business many years ago in the datacenter, focusing on the problems of too many identity silos, disparate privilege management policies, and the difficulty of tracing activity back to individuals. We saw back then that identity would be a key element of any IT strategy as system environments continued to get more diverse and were deployed in more dynamic ways.

We started by enabling customers to leverage identity infrastructure they already own (Active Directory), so that they could consolidate identities and create consistent policies for them (a simple example is a common password-change policy). On top of that we provided a role-based access control model for consistent privilege management, and integrated session auditing and activity capture, so that identity and privilege management could be logically centralized. Over the past ten years Centrify has developed and tested support for more than 450 operating system variants, covering the heterogeneous deployments found in most real-world customer environments.

So what does this have to do with Red Hat Linux systems? Red Hat clearly accounts for a large share of the systems we see in customer environments; according to industry data, Red Hat holds approximately 80 percent of the paid Linux market. That is a significant number of systems that need to integrate or co-exist with numerous other OSes within a typical IT environment. Like any good platform provider, Red Hat strives to offer core infrastructure services that make its platform the platform of choice. In many cases this means providing options that duplicate services already present in a larger environment but are helpful in initial, small or homogeneous ones. For example, you can expect an option to install a DNS server on almost any OS you deploy, even though more than likely you will not need it.

[Figure: IdM server]

To address some of the identity and privilege management challenges mentioned above, Red Hat provides Red Hat Identity Management (IdM), often referred to simply as “IPA”; the community version is called FreeIPA. Essentially IPA is Red Hat’s counterpart to Active Directory and its related services. It is an alternative to a Microsoft AD-based infrastructure, built from the 389 Directory Server (LDAP), MIT Kerberos, NTP, DNS (BIND), the Dogtag certificate system and, on the client side, the System Security Services Daemon (SSSD). IPA creates a Linux-based, Linux-controlled domain that manages Linux and UNIX hosts only. There is no management integration for AD/Windows hosts: IdM can synchronize user data with an Active Directory domain (winsync) or, in newer releases, establish a cross-forest trust with it so that AD users can log in to IdM-managed hosts, but it does not manage the Windows side. If a customer requires scale and/or support for other platforms, Red Hat recommends running both Red Hat IdM (IPA) and Microsoft Active Directory. The logical question is then why run parallel infrastructures when you can unify all your platforms on a single one?

[Figure: direct vs. indirect integration (Red Hat)]

So what about this Red Hat SSSD? The System Security Services Daemon is an open-source client component from Red Hat, optimized to work with Red Hat IdM (IPA). It has basic AD-integration capabilities like those found in Likewise Open, Samba Winbind and Centrify Express. Is it a good option for integrating Red Hat systems with Active Directory to address your organization’s privilege management and compliance concerns? Recall that a sound identity and security strategy requires secure authentication, privilege management, and monitoring and traceability of individuals. SSSD lets a customer authenticate to AD with Kerberos, but it lacks key capabilities for enterprise deployment:

  • Limited OS version support (RHEL 7) vs. more than 450 platforms/versions, across multiple versions of AD, supported by Centrify
  • Lacks legacy migration, e.g. support for NIS maps is limited
  • Cannot centrally manage different UID/GID namespaces across systems
  • Unlike Centrify Zones, SSSD does not provide granular, centralized access controls
  • Offline-mode controls are coarse: a global cached-credential expiration (in days) and a failed-attempt lockout; SSSD cannot pre-validate which users may log in offline
  • Untested at scale – Centrify has customers with deployments of close to 30,000 servers
  • Not extensible to Mac, mobile, SaaS, etc., as Centrify is
  • Does not offer packaged Kerberized/AD-enabled third-party tools such as SSH, Samba, PuTTY, etc.
  • Does not provide robust pre-install checks, deployment tools, reporting, etc.
  • Privilege management is limited to “sudo in LDAP”: sudo rules stored as sudoRole objects in IPA (or in AD, after extending its schema)
  • Raises questions around scale and reporting (e.g. who has access to what?)
  • No user-level auditing capability, no cross-platform support (e.g. Windows), etc.
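For reference, this is what the direct SSSD integration discussed above looks like in practice. The sssd.conf below is an added example written for this page; it is not from the original post, from Red Hat’s documentation or from any shipped default. The domain example.com, the realm EXAMPLE.COM, the group DN and the home-directory layout are placeholder assumptions, and the options shown assume an SSSD with the AD provider and the AD sudo provider (the version shipped with RHEL 7).

```ini
# /etc/sssd/sssd.conf -- direct Active Directory integration of a RHEL host via SSSD.
# Added example, not the original post's or Red Hat's own configuration.
# example.com, EXAMPLE.COM, the group DN and the home layout are placeholders.
# The file must be owned by root with mode 0600 or sssd refuses to start.

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider     = ad
auth_provider   = ad          # Kerberos against AD KDCs discovered via DNS SRV records
access_provider = ad          # honour AD account disabled/expired/locked state
chpass_provider = ad
sudo_provider   = ad          # read sudoRole objects from AD ("sudo in LDAP"); needs the sudo schema in AD
ad_domain       = example.com
krb5_realm      = EXAMPLE.COM
ldap_id_mapping = True        # UIDs/GIDs derived from SIDs; only consistent if every host uses the same ranges

# Host-level access control: only members of one AD group may log in (assumed group DN).
# Without this, every AD user who can authenticate gets a shell on the box.
ad_access_filter = (memberOf=CN=linux-admins,OU=Groups,DC=example,DC=com)

use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell    = /bin/bash

# Offline logins: after a successful online login SSSD stores a hash of the
# user's password so the same user can authenticate while AD is unreachable.
cache_credentials = True

[pam]
# The whole of SSSD's offline-cache control lives here:
# cached logins stop working 7 days after the user's last online login,
# and 3 failed offline attempts block further offline logins for 5 minutes.
offline_credentials_expiration = 7
offline_failed_login_attempts  = 3
offline_failed_login_delay     = 5

[nss]
# never resolve local system accounts through AD
filter_users  = root
filter_groups = root
```

The [pam] section is the extent of the offline-credential controls: an expiration in days, a failed-attempt lockout, and nothing that pre-approves which users may be cached on a given host, which is the gap the list above calls out. For sudo rules to come from AD, /etc/nsswitch.conf must also list `sudoers: files sss`, and the host keytab is normally created first with `realm join` (realmd) or `net ads join` (Samba) before SSSD is enabled in PAM and NSS.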

When you look at the best solution for securing your Red Hat and other platform identities and privileges, it’s always good to remember that there typically are tradeoffs to what we consider “free.” As the saying goes, “Free – like a free puppy.”

Here are a number of reasons that I think Centrify is best positioned to help with not only your Red Hat identity challenges, but also with your identity challenges on hundreds of types of systems, including mobile and access to SaaS applications.

  • Better platform coverage: Centrify has a heterogeneous approach that supports 450+ OSes (and includes Windows privilege management) vs. Red Hat-centric platform approach.
  • Cloud and mobile support: Centrify has support for mobile devices (iOS, Android, Samsung KNOX) vs. no support.
  • Robust privilege management: Role-based model with inheritance and customization vs common, shared sudo configuration via LDAP.
  • Time to value: Centrify offers deployment, migration and management tools vs. no deployment manager equivalent.
  • Third party tool support: Centrify offers pre-packaged versions of OpenSSH, Kerberos tools, Samba, PuTTY.
  • No new points of failure: Centrify leverages Microsoft Active Directory (infrastructure you already have) with host-based clients to ensure availability of authentication, privilege management and session monitoring. Red Hat creates a parallel infrastructure to AD (LDAP, Kerberos, DNS, NTP and policy services have to be maintained). Centrify reuses Active Directory since it already provides an LDAP repository, Kerberos, DNS/Time, a policy engine (GP), and Certificate Services.
  • Application single sign-on support: Centrify offers deep support for single sign-on to SAP, Web apps (Windows and UNIX) and DB2, in addition to IDaaS for single sign-on to cloud applications.
  • Ability to isolate sensitive information and services (e.g. PCI related data): Centrify enables server isolation and data-in-motion encryption across Linux, UNIX and Windows servers.
  • Expertise and focus: Centrify has a large dedicated team of software engineers, knowledgeable sales engineers, and award-winning global 24×7 technical support all focused on Identity Privilege Management.
  • Integrated Authentication, Authorization and Auditing: Centrify provides a single architecture and “single pane of glass” for identity, privilege management and auditing vs. disparate technologies that are non-AD centric.
  • Cross-platform activity auditing: Centrify audits activity across *nix and Windows.