I am still digging out from the RSA Conference, so have been remiss in blogging that during RSA we announced a major upgrade to our flagship Centrify Server Suite — Centrify Server Suite 2014. New functionality in this release protects heterogeneous servers and applications in the datacenter and cloud from identity-related insider risks and outsider attacks, as well as makes security and regulatory compliance repeatable and sustainable for organizations. In this blog post I want to walk you through some of the major new features at a high-level and drilldown on a few features in detail.
But first let me provide some context behind this release. As we have seen by recent high-profile breaches and the end goal of Advanced Persistent Threats (APTs), access to privileged accounts gives hackers everything they need to steal or siphon off sensitive data from mission critical servers. But let’s not forget insiders … insider threats may be accidental or unintentional, but with the same damaging results. Implementing a least privilege access model, auditing and associating privileged activity to an individual, and providing comprehensive reporting are at the root of reducing threats and cost-effectively addressing regulatory compliance.
Centrify has been able to historically address these identity-related threats by linking all privileged activity back to an individual (as opposed to a shared account) through our DirectControl features. In other words, by getting users to login onto UNIX and Linux and Mac and etc. systems as themselves, i.e. their Active Directory account vs. sharing “root” or “oracle”, we introduce more accountability through “Active Directory Bridging.” Yes that gives users in the data center “single sign-on” but more important gives IT organizations out of bad habits of sharing accounts.
Regulatory compliance is further streamlined with our DirectAuthorize capabilities that enforce a least-privilege security model across Windows, Linux and UNIX systems and applications (aka Privileged User Management), while also enabling enterprise-wide privileged session auditing and compliance reporting (aka Privileged User Activity Monitoring) through our DirectAudit technology as part of our Enterprise Edition. The net net is that organizations also reduce costs and increase productivity with a single, unified solution for identity management and audit that leverages existing investments in identity infrastructure, versus deploying a myriad of single purpose and platform specific products.
In other words, we combine Active Directory Bridging + Privilege Management + User Activity Monitoring in one integrated solution, and are taking this to the next level with Centrify Server Suite 2014.
What’s New Centrify Server Suite 2014
So with that in mind, what have we introduced with Centrify Server Suite 2014? New functionality introduced in Centrify Server Suite 2014 includes streamlined creation and management of administrative entitlements, making it easier to implement least privilege access by delivering new pre-configured rights for Windows Server management consoles that can be used out of the box. New wizards automate the creation of new, complex rights for administrative users and reduce the process to the simple click of a button. Wizards can be used in conjunction with Centrify’s powerful new match criteria that improves flexibility in building a least privilege access model by enabling privileges to be determined based on properties such as a digital signatures.
Centrify Server Suite 2014 also uniquely provides full privileged activity audit trails and video capture that ties all activity back to an individual. With this release Centrify enhances its powerful search capabilities and compliance reporting that combines access controls and the associated activity fully integrated across Windows, Linux, and UNIX platforms. We also have also added a boatload of PowerShell cmdlets (more on that below).
Finally, the Centrify Server Suite now supports more than 450 platforms, the most in the industry. New platform support in this release includes Red Hat Enterprise Linux Server 5.10, 6.0, 6.5; CentOS 5.10, 6.5; Oracle Linux 6.5; Scientific Linux 5.10; Fedora 20; Debian Linux 7.2, 7.3; Linux Mint 16; Ubuntu Desktop 13.10; and Ubuntu Server 13.10.
Centrify Server Suite 2014 is available now for customer download here. Let me drill down on a few features in particular for the remainder of the blog.
Drilldown: New Applications Right Builder
Let’s talks about the new application rights builder in a bit more detail. Application rights enable Windows admins to do their jobs without having to use highly-privileged accounts like local administrator or Domain Admins. Creating and assigning rights to run applications with elevated privilege is critical to the success of a privilege management project. And, you want to make sure that the right you’re creating is definitively tied to the actual application and program file you want the user to run.
The new Application Rights Builder makes it easy to create application rights for your Windows admins. You simply select a program file! The Builder retrieves all match criteria including file paths and command arguments, eliminating mistakes and wasted time. Rights for complex application and argument list combinations such as MMC snap-in consoles are trivial to create. Since match criteria values can be edited at any time, you can also use the Builder to make any application right a template for the creation of additional rights.
You can also select from a list of running processes on the target computer instead of selecting a program file. And, since the Application Rights Builder supports pulling match criteria via remote connections to other computers on the network, you can easily assure that you are granting rights to precisely the correct program regardless of where the program file or process may reside.
Drilldown: PowerShell cmdlets for management and integration
Microsoft’s PowerShell is a powerful and ubiquitous tool for managing Windows Server. It’s the go-forward command line and script environment for Windows admins. Centrify Server Suite 2014 enables you to fully manage all aspects of its DirectManage components through PowerShell. For example, you can automate the creation of Centrify zones and roles, add UNIX profiles for Active Directory user and groups to Centrify-managed computers and zones, or assign UNIX and Windows users and groups to roles, computers and computer zones, all through PowerShell commands and scripts.
Drilldown: Audit Trail Integration with DirectAudit
Some of the new DirectAudit capabilities as part of our Enterprise Edition include:
- Auditing has been enhanced to include a number of different UNIX audit events. These audit events are enforced with role based access control.
- The DirectAudit Audit Analyzer now allows querying of both Windows and UNIX audit events.
- The standard audit reports now query and report data for both Windows and UNIX computers.
- A new group policy has been added to allow global control of whether audit trail events from the Centrify UNIX Agent for Access should be generated and whether they should be sent to syslog and/or DirectAudit.
- A new command-line utility can be used in dzcheck to send audit events with extra customer-defined information such as trouble tickets.
- Centrify OpenSSH audit trail events have been integrated with DirectAudit, starting from Centrify DirectControl version 5.1.3.
Drilldown: Supported Platforms
My final drilldown is a review of the new OSes we have added… as it would not be a new release from Centrify without tons more platforms added! Support has been added for the following operating systems (giving us more than 450 platforms supported — by far the most by any vendor in the industry):
- Red Hat Enterprise Linux Server 5.10, 6.5 (32-bit and 64-bit)
- Red Hat Enterprise Linux Desktop 5.10, 6.5 (32-bit and 64-bit)
- Red Hat Enterprise Linux Server 5.10, 6.0 – 6.5 PPC (64-bit)
- Red Hat Enterprise Linux Server 5.10 Itanium (64-bit)
- CentOS 5.10, 6.5 (32-bit and 64-bit)
- Oracle Linux 6.5 (32-bit and 64-bit)
- Scientific Linux 5.10 (32-bit and 64-bit)
- Fedora 20 (32-bit and 64-bit)
- Debian Linux 7.2, 7.3 (32-bit and 64-bit)
- Linux Mint 16 (32-bit and 64-bit)
- Ubuntu Desktop 13.10 (32-bit and 64-bit)
- Ubuntu Server 13.10 (32-bit and 64-bit)
- Mac OS X 10.9
The complete list of supported platforms is on the Centrify web site at https://www.centrify.com/products/infrastructure-services/system-catalog/.