Often that word is used positively as a major enterprise business objective that all departments must align their respective initiatives to support. However, if you’re in IT management, GROWTH can have some pretty nasty side effects.
This is the second blog in a series that explores key use-cases of the Centrify Privilege Service (CPS). In this blog, we’re taking a look at one facet — secure remote access — that has become very challenging because of the growth described above, especially in support of outsourced IT functions.
I’m not sure if there’s a collective noun for “a group of perplexed IT managers and execs,” but there’s one in almost every organization. Their concern is the potential risk of data breaches or accidental system compromise vs. the business need to share a growing number of privileged account passwords with a growing number of administrators across a growing number of servers, network devices, and applications…oh, and in a growingly diverse ecosystem (on-premises, cloud, SaaS, IaaS, mobile, internal IT as well as outsourced IT…). That’s a lot of growth (and possibly a brand new adverb).
The best-practice response to such challenges is delivered by our Centrify Server Suite (CSS) offering. Here, we have Theresa log in using her unprivileged, unique user ID. If/when she needs to run a command as root, local admin, or some other privileged ID — she requests elevated privileges rather than logging into those accounts explicitly. If her request is granted via roles and policy, the command is executed with privilege and we get to tie that activity back to her real user ID instead of an anonymous shared ID — for full accountability and the delight of auditors.
This “least privilege” approach by CSS coupled with privilege elevation satisfies the vast majority of such situations. However, it doesn’t cover the roughly 10%-20% where logging in with a shared privileged account is essential. This may be for emergency troubleshooting (e.g., the “break glass” scenario we covered in Part 1 of this blog) or logging into legacy applications and network devices that only support full-blown privileged accounts. Even non-IT accounts such as enterprise social networking logins to Twitter, Facebook, and LinkedIn fall into this category — they’re all so privileged and sensitive, they too can result in major compromise to the business if abused.
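The accountability gap described in the two paragraphs above is visible directly in a host's auth log: a privilege elevation produces a record naming the real user, whereas a direct login to a shared privileged account names only the account. The following added example (not Centrify code, and not from the original post) parses a handful of constructed auth-log lines in the usual sudo and sshd formats and sorts privileged activity into attributed elevations, denied elevations, and anonymous shared-account logins; the set of shared accounts and the host names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines in auth.log style (host names and addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar 12 09:14:02 web01 sshd[2311]: Accepted publickey for theresa from 10.0.4.17 port 51022 ssh2
Mar 12 09:14:40 web01 sudo:  theresa : TTY=pts/0 ; PWD=/home/theresa ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 09:15:03 web01 sudo:  theresa : TTY=pts/0 ; PWD=/home/theresa ; USER=postgres ; COMMAND=/usr/bin/psql -c SELECT 1
Mar 12 09:20:11 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 12 09:31:55 web01 sshd[2402]: Accepted password for root from 10.0.9.3 port 40110 ssh2
Mar 12 09:32:10 web01 sshd[2410]: Accepted password for admin from 203.0.113.8 port 3022 ssh2
"""

# Assumed list of shared privileged accounts that should never be logged into directly.
SHARED_ACCOUNTS: Set[str] = {"root", "admin"}

# syslog prefix: "Mon DD HH:MM:SS host rest-of-line"
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")
# sudo's default log line, with the optional "command not allowed" marker for denials
SUDO_RE = re.compile(
    r"sudo:\s+(?P<actor>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# OpenSSH successful-login line
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")


@dataclass(frozen=True)
class PrivilegedEvent:
    host: str
    actor: Optional[str]  # real user ID behind the action; None when nobody can be named
    account: str          # privileged account the action ran as
    action: str           # the elevated command, or a description of the direct login
    allowed: bool


def parse_line(line: str, shared_accounts: Set[str]) -> Optional[PrivilegedEvent]:
    """Return a PrivilegedEvent for lines that involve a privileged account, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, rest = m.group("host"), m.group("rest")

    s = SUDO_RE.match(rest)
    if s:
        # Elevation: the actor is always known, whether or not the request was granted.
        return PrivilegedEvent(host, s["actor"], s["target"], s["cmd"].strip(), s["denied"] is None)

    l = SSH_RE.match(rest)
    if l and l["user"] in shared_accounts:
        # Direct login to a shared account: the log names the account, not the person.
        return PrivilegedEvent(host, None, l["user"], f"login via {l['method']} from {l['src']}", True)
    return None  # ordinary unprivileged login or unrelated line


def accountability_report(log_text: str, shared_accounts: Set[str]) -> Dict[str, List[PrivilegedEvent]]:
    """Split privileged activity into what can and cannot be tied back to a real user."""
    events = [e for e in (parse_line(l, shared_accounts) for l in log_text.splitlines()) if e]
    return {
        "attributed": [e for e in events if e.actor is not None and e.allowed],
        "denied": [e for e in events if e.actor is not None and not e.allowed],
        "unattributed": [e for e in events if e.actor is None],
    }


if __name__ == "__main__":
    report = accountability_report(SAMPLE_AUTH_LOG, SHARED_ACCOUNTS)
    for bucket, events in report.items():
        print(f"== {bucket} ({len(events)})")
        for e in events:
            who = e.actor or "<unknown>"
            print(f"  {e.host}: {who} as {e.account}: {e.action}")
```

The "unattributed" bucket is exactly the 10%-20% of cases the post refers to: a password-based login as root or admin leaves the auditor with an account name and a source address but no person, which is the gap a vault-brokered login with its own session record is meant to close.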
What to do? Take the traditional path of forking over the password to a “trusted” short-list of users? Hope they don’t inadvertently reveal the password or worse — abuse it themselves or pass it to someone looking to monetize your sensitive data?
This is where Centrify Privilege Service (CPS) comes into play. It provides a secure alternative for those scenarios where CSS is not ideal. Instead of handing Theresa the keys to the kingdom, though, you put them into the custody of CPS. CPS puts them in its highly secured password store and assumes the role of custodian. It can then automatically log Theresa in without revealing the password (assuming she’s validated).
CPS is the industry’s first SaaS-based Shared Account Privilege Management solution. To better accommodate remote access situations as the business embraces the cloud, it also implements a secure VPN-less remote access capability that works transparently to your users. This obviates the need for a VPN connection, establishing a direct secure session from the user to the server exposed through the user’s browser.
So, with CPS you’re able to provide secure remote privileged account login for both internal users as well as external (e.g., outsourced IT) without the hassles of VPN implementation, poking holes in firewalls, and exposing more of the network than necessary for the job at hand.
In the video below, we demonstrate a simple remote login use case. Picture this being used by a third party who needs access to a specific server for their contracted job function. As you watch, keep in mind the simplicity, the lack of a VPN, and know that CPS is also video recording the session for bulletproof auditing (the subject of Part 3 of this blog series).
Once you’re done, please check out related blogs and accompanying video demos, where I walk through other CPS use-cases such as remote server login without password reveal and session recording for compliance.
You can learn much more about the Centrify Privilege Service here. Take it for a test drive and see how easy it can be to achieve that balance of strong security with ease of use.