Outsourced IT Part Deux

Let’s continue our purely fictional story from last time, where we stepped into the shoes of our IT consultant, Tony. You may recall he works for ACME Consulting, which provides outsourced IT services to Banzai.

In a nutshell, we showed how easy it can be for Banzai to improve security, reduce risk, increase visibility, and provide secure access from anywhere, leveraging Centrify’s Privilege Service and Server Suite. Let’s peek inside Banzai’s IT world for an update from the IT Director, Tom:

Well, the results came in and it’s safe to say (no pun intended) that our expectations were fully met with the Centrify solutions. The combo of Server Suite plus Privilege Service has layered a solid security blanket around our assets without making it difficult for our outsourced partners. Mission accomplished.

While my IT team was patting its collective self on the back for a job well done, however, Centrify smacked us about the head with…<dramatic pause for effect> MORE BENEFITS!

You see, that’s one of the big reasons we chose Centrify. Modern cloud-based technology built ground-up for the modern, hybrid enterprise. It’s something you just don’t get from the long-in-the-tooth old guard. What’s it called again? Oh right. Agility.

To quote the OED, agility is the “Ability to move quickly and easily.” So, just a short few months after subscribing to their SaaS service, we’re now able to glean yet more benefits without the typical 12-18 month wait or the on-prem hassles of our former product (painful upgrade, change control issues, outages, user impact, infrastructure upgrades, cost…). We can continue to enjoy new features approximately every 4-6 weeks.

So, What’s New?

The new feature list is extensive, but let’s continue our theme and talk about a few key ones in the context of ACME and securing outsourced partner access.

One of the big-ticket items we were looking forward to is SAML-based federated login. Centrify Privilege Service 15.12 has obliged. It’s now trivial for us to configure trusted federations with ACME and other partners who act as their own Identity Provider (IDP) and who are capable of supporting outbound federation. So now, Tony logs into his IDP (ACME) when he gets into work, browses to the Banzai Privilege Service URL, and through the power of SAML and our trusted federation partnership, is immediately logged in without being challenged for ID and password.

Great for Tony & ACME (seamless SSO). Great for IT (we no longer need to manage ACME identities!) Great for risk and compliance (SAML is more secure than passwords, ensures greater privacy, and the partnership is trusted). This is a coup for us since Centrify is the only SaaS-based service of its kind and the only vendor to support multiple federated partnerships.

So, with Tony logged into the Privilege Service via SAML-based federation, Centrify now gives us greater role-based control over what resources he’s allowed to log into and what passwords he’s allowed to check out.

This is delivered through a new feature called workflow-based access requests. This accommodates the scenario where some accounts on some servers are more sensitive than others. So rather than give Tony the ability to log in or check out the password on these accounts, we insist that he request access and provide a reason for why he needs it. This gives us much greater levels of control, oversight, and accountability.

With the click of a button, an approver is notified of the request and can easily grant or deny. Access can be granted permanently or temporarily (with the password being reset after the specified time period).

This also eliminates access request calls to the Help Desk and improves productivity through self-service and automation. Win-win.

Moving on, Centrify has further leveraged common capabilities of its Identity Platform. What does that mean? It means access to shared services such as multi-factor authentication (MFA) and better integrations such as the Server Suite’s ability to leverage user profiles, policies, and mobile devices enrolled in the Cloud Service.

For Banzai, this means we can now centrally create policies that enforce use of a 2nd factor to: log in to the Privilege Service portal (e.g., for our own internal IT); log in to Linux servers; and to elevate privilege on those servers as well.

Back to Tony our ACME consultant, this means when his remote VPN-less session is created during resource login, we can ask him for a 2nd authentication factor. This gives us much higher identity assurance and greater security, helping to prevent breach attempts from cyber attackers, malware, and bots.

Further, once Tony is logged in and he requests privilege elevation using the Server Suite “dzdo” command or within a restricted shell, we can enforce step-up authentication by prompting for a 2nd factor.

Using Authentication Profiles defined in the Centrify Cloud, we can easily configure which 2nd factors are presented such as phone call, mobile authenticator, or SMS message and whether to issue 1 or 2 challenges. No other vendor can do all this.

So, for Banzai, this is phenomenal. Consistent, policy-based MFA across both solutions, enforced locally and centrally managed in the cloud. “MFA Everywhere” is what Centrify calls it.

Another thing I want to mention is script-based automation. Tony has set up a number of batch scripts on various servers that perform tasks either on-demand or as automated “cron” jobs. Risk and compliance has been concerned for a long time about the risk of embedded passwords in those scripts.

For example, Tony has set up a daily overnight batch process to do a secure copy of files from one server to another. The script embeds a remote server privileged account password. Cyber attackers, bots, and malware will quickly and easily exploit this to move laterally to the other server and further infiltrate our environment.

To mitigate these risks, the new Centrify solutions include application-to-application password management, allowing ACME to replace the embedded passwords with an API call to the Privilege Service to retrieve the necessary password on the fly. Further, since the passwords are managed by the Privilege Service, it can rotate them routinely for greater security without impact to the scripts or to ACME.
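An added example (not Centrify's code or API): a shell audit for the embedded-password risk described above. It flags literal passwords in batch scripts and leaves run-time lookups alone; `get_vault_password` in the sample is a hypothetical stand-in for the vault's API call, and the patterns, file names and host names are constructed.

```shell
#!/bin/sh
# Added example: find batch scripts that still embed a password literal.
# Patterns, file names and host names below are constructed for illustration.

Q="['\"]?"                 # optional opening quote
V="[^\$\`'\"[:space:]]"    # first char of a literal value: not $, backtick, quote or blank

# scan_embedded_passwords PATH: print file:line:text for each hard-coded secret.
# Values that start with $ or a backtick are run-time lookups and are not flagged.
scan_embedded_passwords() {
    grep -rniE \
        -e "sshpass[[:space:]]+-p[[:space:]]*${Q}${V}" \
        -e "^[[:space:]]*(export[[:space:]]+)?[a-z0-9_]*(pass|secret)[a-z0-9_]*=${Q}${V}" \
        "$1" 2>/dev/null
}

# count_findings PATH: number of flagged lines under PATH.
count_findings() {
    scan_embedded_passwords "$1" | wc -l | tr -d ' '
}

# make_samples DIR: write a "before" and an "after" version of the nightly copy job.
make_samples() {
    mkdir -p "$1"
    cat > "$1/nightly_copy_before.sh" <<'EOF'
#!/bin/sh
# Constructed sample: privileged password embedded in the job
REMOTE_PASS='Constructed-Example-1'
sshpass -p "$REMOTE_PASS" scp /data/export/*.csv batch@server2.example:/data/import/
sshpass -p 'Constructed-Example-1' ssh batch@server2.example 'ls /data/import'
EOF
    cat > "$1/nightly_copy_after.sh" <<'EOF'
#!/bin/sh
# Constructed sample: get_vault_password is a hypothetical wrapper around the vault API call
SSHPASS="$(get_vault_password server2.example batch)"
export SSHPASS
sshpass -e scp /data/export/*.csv batch@server2.example:/data/import/
EOF
}

# Demo: only lines from nightly_copy_before.sh are reported.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_embedded_passwords "$demo_dir"
rm -rf "$demo_dir"
```

Point `scan_embedded_passwords` at the directories that hold cron and batch scripts; a clean result after migration shows the literals are gone, while rotation only stays transparent if every script fetches the password at run time.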

Last but certainly not least is their new Reporting Services. Our (Banzai IT’s) customers (e.g., IT management, risk and compliance, audit) are now much better served by this offering. We’re able to report on the activities of ACME, our other partners and our internal admin users. Reporting Services leverages SQL Server Reporting Services (SSRS) to give us tremendous flexibility in creating our own high level and detailed reports customized to each audience. We also benefit from report scheduling, publish and subscribe, web-accessible reports, and dozens of built-in security and compliance reports (e.g., PCI and SOX).

So in summary, Centrify continues to evolve and innovate rapidly, keeping pace with our own corporate growth plan and need for the best privileged identity management. With compromised passwords featuring weekly in the press and many breaches originating through outsourced partners, Centrify is the only solution capable of mitigating these risks across our entire hybrid enterprise.

<Fade out to the tune of The Empire Strikes Back theme…>

For more information about Outsourced IT and privilege management, read Forrester’s insightful study – Managing Privileged Access Security in a Hybrid IT World