Handing Over The Keys Without Exposing The Whole Kingdom

scared_womanAre you nervous about the prospect of handing over superuser account passwords to a 3rd party? Have you already outsourced IT functions and reluctantly handed over the keys? If the answer to either one is “yes” then you’re faced with a potentially risky situation.

Of course, you trust your partner. You’ll have performed background checks on individuals, established SLAs and operational best practices that constrain the usage of these privileged accounts. Still, surveys tell us that data breaches by insiders exploiting privileged identities are rampant, so why should we think we’re any safer trusting an external 3rd party where we have a lot less visibly and control?

Outsourced ITWell, that’s the doom and gloom out of the way. Let’s talk about ways to outsource but in a much more secure fashion than the typical MO. What is the typical MO? Well, you provide (e.g.) the “root,” “administrator,” or “oracle” passwords to the outsourcer and set them up with VPN access.

Let’s itemize the pros and cons of this typical approach.

PROS:

  • IT is responding to the needs of the business — reducing costs and IT overhead by outsourcing routine IT functions to a partner.
  • Ummmm. That’s about it really.

CONS:

  • Having to install, configure, and maintain a VPN introduces additional cost and operational overhead for IT and the Help Desk.
  • Once logged in through the VPN, outsourcer has access to the network or a VLAN, increasing your attack surface considerably.
  • The 3rd-party computer is now network-attached and so, IT has to manage it, e.g., NAC, anti-virus, host intrusion prevention, vulnerability assessment.
  • The need for VPN-based remote access limits the types of users who can access resources inside the firewall.
  • VPN clients may not support the range of devices (e.g., mobile) used for business.
  • Your on-premises password management solution can’t easily see/access cloud-based resources.

Frankly, it’s a wonder IT outsources anything at all. You’re handing over the keys to the most privileged accounts on business-critical servers (maybe even regulated such as PCI) and giving these users access not only to your servers, but also your network. They really are the keys to the kingdom. Remember that massive 2013 retail breach where the cyber attack was realized via a 3rd party HVAC contractor being compromized?

There’s a better way!

With Centrify’s new Privilege Service in combination with its flagship Server Suite, you finally have a powerful enabler for outsourced services, one that’s secure and reduces operational overheads.

Centrify Privilege Service is the industry’s first cloud-based password and access management service. Like competitive on-premises alternatives, it can automatically log users into resources without exposing the password. But that’s where the similarity ends, however, and the true benefits begin. So let’s explore these benefits by stepping into the shoes of the outsourced IT administrator “tony.”

  1. Tony opens a browser and navigates to the Centrify Privilege Service portal from his laptop or mobile device such as an iPad.

Being in the cloud, Centrify Privilege Service is ideally suited to such remote access use-cases that traditional on-premises alternatives are not designed for. Being in the cloud also makes it easier to expand our addressable targets – i.e., we can just as easily enable secure remote access to cloud-based resources (in AWS, Azure, Rack Space, etc.) as we can those on-premises.

  1. Based on the user, roles, policies, and context, we know Tony is not internal IT so we can challenge him for a 2nd authentication factor upon login to the Centrify Privilege Service portal.

This adds an extra layer of security for this specific scenario (if required).

  1. Tony then navigates to the list of servers.

Unlike VPN-based network access, we can scope visibility and constrain what Tony can see/access based on his role memberships.

  1. Once the resource (server or network device) is selected, Tony picks the “tonyg” account to login with and is logged into the resource directly without needing to establish a VPN connection.

This surgical placement into the server is clearly more secure but also helps reduce operational overhead and costs associated with VPN implementation and ongoing maintenance/support. (Also note that while Centrify Privilege Service is ideal for remote login to privileged accounts such as “root”, in this outsourced IT scenario, Tony is able to login as himself, with a least-privilege account for reduced risk.)

  1. Having logged into the server with a least-privilege account (i.e., low risk posture), Tony can perform routine activities until such time as he needs to execute a privileged command such as rebooting the server, installing system software, or restarting a service. Then he explicitly requests an elevation of privilege from Centrify Server Suite ONLY for the duration of that command.

Thus we get considerably reduced risk, full accountability, easier audits, and increased productivity.

CPS + CSS

  1. While Tony performs his administrative duties, we video record the session. We have the flexibility of recording the entire session centrally via Centrify Privilege Service or recording only the discrete privilege elevated command activities via Centrify Server Suite on each host server. Choice and flexibility is good. However, the more secure option would be Centrify Server Suite recording on each host machine since it’s much harder to bypass than the proxy-based approach.

This gives us fantastic visibility, accountability, and a strong foundation for continuous compliance monitoring.

So as we can see, for outsourced IT functions, we don’t have to sacrifice security, hassle with VPNs, increase our risk exposure, or stress over “what they’re really up to.” With Centrify Privilege Service in partnership with Centrify Server Suite, supporting outsourced IT functions is as simple as logging into the Centrify Privilege Service portal, picking your server, and elevating privilege when required.

Use-Case-Scenario

Centrify Privilege Service + Server Suite. Better together.

Find out more about Centrify Server Suite and Centrify Privilege ServiceWhy not take them for a test drive and experience the modern approach to privileged identity management for yourself with a free trial here and here.