Wouldn’t it be nice for a change to deploy an IT security solution that doesn’t sacrifice usability and productivity for security?
I’m sure many of you have had the experience of introducing a new security product that, while solving a real security problem, just makes life hell for users. These products can create new hurdles, introduce complexity, and generally take a toll on users’ day-to-day productivity. Maybe you’re a user on the receiving end, not sure why IT has ‘decided’ to make your life hard. Then again, maybe you’re the administrator, more aware of the security benefits but nonetheless burdened by a demanding daily care-and-feeding regimen.
This is the reason we love security at Centrify. Because it’s hard. It’s hard to get right. But when done right, it’s a wonderful thing – solving a real set of compelling business problems without driving down productivity. And with a 90 percent customer satisfaction rating and 97 percent retention rate, we believe we’re on the right path.
Aside from excellent customer service, our product development philosophy is not purely technology-driven. We pay special attention to the user experience. We solve for that then figure out the best way to develop it. That’s how we maximize the balance between strong/effective security and user productivity.
One example of how we’ve achieved this is with Privileged Identity Management. This is a squirrelly subject where, frankly, it’s easy to get that balance wrong. The key business problems we’re solving go back to one of the foundational tenets of security:
Least privilege – the ability to apportion system privileges based on business function.
By enforcing this, our aim is to limit damage resulting from malicious attacks, accidents or human error. This is critical for all our customers, especially those in regulated industries where auditors can levy high penalties for non-compliance. Regulations and penalties aside, many customers strive to meet these goals anyway, because it’s good practice and they want to protect their high value assets such as design specs, chemical formulas, and competitive strategies.
At Centrify, our main approach is to avoid the need to log in with a privileged account (such as “administrator” or “root”). Aside from holding the keys to the kingdom, such accounts are anonymous and hard to trace back to a person. No surprise they’re at the top of the list for attackers to exploit.
Instead, users must log in using their own non-administrative account. That creates full accountability; all activities are tied back to a real user. Then, on an as-required basis and within the scope of their job function, users can request elevated privileges from Centrify for a particular task. No need to log in as a local or domain Admin, and no need to expose the administrative password. Again, everything is logged (or, going further, session-recorded for stronger forensic evidence) with zero anonymity.
Going back to Centrify’s philosophy, our solutions avoid changes to standard user behavior, whether for end users accessing corporate resources or for admins managing accounts and privileges across Windows, *nix, and Macs.
Probably the biggest gain from a productivity perspective is effectively overcoming decentralization. For example, with dozens if not hundreds of *nix systems, managing accounts and access policies across them all is a massive headache. There are a number of facets to that so we’ll break them down.
With that said, what kinds of productivity challenges are typical, and how do we address them? Below is our top-10.
- Managing /etc/passwd and /etc/group silos is effort intensive and prone to error. We enable centralized management of *nix user accounts within MS AD, effectively turning each system into a managed AD client.
- Similarly, managing user privileges via the sudoers mechanism is distributed and painful. If all you want to do is more efficiently sync sudoers files, then we provide the best way to do that using sudo-specific MS AD Group Policies. However, the power that sudo promises (and doesn’t deliver) is available via our own implementation, “dzdo”. This centralizes privilege management in AD and avoids manual syncing of sudoers files across machines. All in all, great for admins, great for auditors.
- Not to pick on sudo, but another challenge is the struggle to create more advanced access policies in sudoers for tight security. The complexity of the policy language is discouraging, resulting in a higher risk of security issues and more work for admins when issues arise. We provide a familiar Windows UI and a simple policy language that encourages fine-grained policy management and reduces admin overhead.
- In AD, you can manage Windows users centrally. When *nix enters the mix, things get tricky. A user may have a different profile on different machines – different UIDs, GIDs, home directories, and shells. Further, the user may require specific privileges on one set of machines and a different set on another. AD doesn’t help you with all this. Centrify’s patented Zone technology does. Segregate logical collections of UNIX or Linux computers into Centrify Zones within AD. Computers can be organized by any grouping that makes sense for a particular organization, including department, geography, function, and system type. This will save you time and effort by being able to quickly and easily manage rights across all systems in a zone.
- A byproduct of #4 is the ability to enforce segregation of duties. Traditionally in Windows, a domain admin has full access rights on every machine. With Centrify Zones, it’s really easy to put a container around your PCI machines and prevent domain admins from accessing them. You can grant admins the privileges they need only on the zones that include the computers they need to manage without elevating their privileges for other computers or zones.
- It’s nice that Centrify can centralize and automate user configuration and policy enforcement for Windows and *nix systems but Macs are increasing in the enterprise and bring similar management challenges to the table. Not to be left out in the cold, Mac systems also benefit from this same model. You can leverage the same capabilities such as Zones. Admins can use familiar Windows Group Policy tools to set a wide array of Mac security and configuration settings. The Mac footprint is growing in the enterprise so managing these the same way you do Windows and *nix machines will only make your lives a lot easier.
- During investigations and audits, dissecting multiple system logs to associate anonymous account (e.g., “root”) activities to a real user is incredibly time consuming and error prone. Our approach ensures full accountability, tying privileged actions to a real user ID. It also provides searchable recordings of user sessions for bulletproof visual forensic evidence (keyboard loggers don’t cut the mustard, especially in a Windows point-and-click environment).
- Conflicting *nix UIDs can be problematic. We can normalize UIDs across systems and automatically change ownership of all related user files and folders to the new UID.
- NIS has inherent security limitations, and maintaining and distributing NIS maps is a challenge. We enable rapid migration from NIS to MS AD for better security and ease of management.
- Users may have accounts across lots of systems – Windows, Unix, Linux, and Mac OS X. The familiar problem of having to log in to each one manually is a big productivity impact as well as a security concern with regard to user password management. Consolidating your multiple user identities in AD brings the convenience of using the same username and password. An added benefit for all users is that once authenticated to AD, you can be automatically logged into your Unix systems (SSO) thanks to the magic of Centrify and Kerberos. Centrify also provides AD-based SSO for intranet and extranet applications running on SAP, Apache, and popular J2EE servers.
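As an added illustration of the /etc/passwd silo and conflicting-UID problems from items 1 and 8 above (example code, not Centrify's own tooling), the script below parses constructed /etc/passwd snapshots from three hypothetical hosts, reports users whose UID differs between hosts and UIDs that name different users on different hosts, and produces the per-host remap list an ownership fix-up would have to work through. The canonical UID map passed to `chown_plan` is an assumed input.

```python
"""Audit per-host /etc/passwd snapshots for UID inconsistencies."""
from collections import defaultdict

# Constructed sample: three hosts, each with its own local /etc/passwd lines.
HOST_PASSWD = {
    "web01": ["alice:x:1001:1001:Alice:/home/alice:/bin/bash",
              "bob:x:1002:1002:Bob:/home/bob:/bin/bash"],
    "db01":  ["alice:x:1005:1005:Alice:/export/home/alice:/bin/ksh",
              "carol:x:1001:1001:Carol:/home/carol:/bin/bash"],
    "app01": ["bob:x:1002:1002:Bob:/home/bob:/bin/zsh",
              "carol:x:1003:1003:Carol:/home/carol:/bin/bash"],
}

def parse_passwd(lines):
    """Return {username: uid} from seven-field passwd lines; skip blanks/comments."""
    users = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[2])
    return users

def find_conflicts(host_passwd):
    """Return (divergent, collisions).
    divergent:  {user: {host: uid}} where one user has different UIDs on different hosts
    collisions: {uid: {host: user}} where one UID belongs to different users on different hosts
    """
    by_user, by_uid = defaultdict(dict), defaultdict(dict)
    for host, lines in host_passwd.items():
        for user, uid in parse_passwd(lines).items():
            by_user[user][host] = uid
            by_uid[uid][host] = user
    divergent = {u: h for u, h in by_user.items() if len(set(h.values())) > 1}
    collisions = {uid: h for uid, h in by_uid.items() if len(set(h.values())) > 1}
    return divergent, collisions

def chown_plan(host_passwd, canonical):
    """List (host, user, old_uid, new_uid) remaps needed to reach the canonical
    {user: uid} map. On a host where the new UID is still held by another user
    (a collision), the remaps must be applied together, not one at a time."""
    plan = []
    for host, lines in host_passwd.items():
        for user, uid in parse_passwd(lines).items():
            if user in canonical and canonical[user] != uid:
                plan.append((host, user, uid, canonical[user]))
    return plan
```

Run `find_conflicts(HOST_PASSWD)` to see that alice and carol diverge and that UID 1001 is alice on web01 but carol on db01; `chown_plan(HOST_PASSWD, {"alice": 1001, "bob": 1002, "carol": 1003})` then lists the two remaps needed on db01.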
Oh, there’s more but 10 is a nice round number.
In conclusion, you really don’t have to sacrifice ease of use and user productivity for strong security. With the Centrify Server Suite, you are armed with a toolset that gives you the best of both worlds.
So, if the Top-10 above resonates and you’ve been pulling your hair out trying to come up with a solution, we’d love to chat with you.
How does your company balance privileged user access controls with user productivity? Please share your thoughts in the comment section below.