I am excited to announce that Centrify has added Smart Card login as a core feature of our Cloud Identity Platform, supporting both the Centrify Identity Service and the Centrify Privilege Service. Smart Cards in physical form (CAC/PIV), derived credentials, virtual smart cards, and USB PKI keys (such as YubiKey or SafeNet eToken Pro) can now be used to log in to your agency’s personalized Centrify cloud portal for access to SaaS applications as well as privileged user access to authorized servers and networking devices.
There are several reasons our customers are asking for this capability as they work to meet their security requirements, serve the mission, and reduce costs while improving efficiency. Specifically, those drivers include:
- US Federal Cloud First Strategy
- 30-day Cybersecurity Sprint requiring Multi-Factor Authentication
- Smart Card-based identity required by HSPD-12, OMB M-11-11, and OMB CSIP
US Federal Cloud First Strategy is driving the move to cloud services
US Federal agencies are increasingly adopting and migrating to cloud-based applications as directed by the US CIO’s Cloud First strategy, and the GSA Cloud Computing Services Program Office helps these agencies with the acquisition of cloud services. Most agencies are starting with Email as a Service with offerings such as Office 365 or Google Mail.
30-day Cybersecurity Sprint requires Multi-factor Authentication with PIV Smart Cards
One of the primary deployment challenges with adopting a Cloud First strategy for federal agencies is the renewed requirement to ensure there is strong authentication for each person authorized to access these cloud-based services and applications. Based on the recent cybersecurity incidents at the Office of Personnel Management (OPM), US CIO Tony Scott launched a 30-day Cybersecurity Sprint to increase security posture in order to protect Federal systems and information. Specifically, one of those requirements is focused on strong multi-factor authentication, stating that Federal agencies must “Dramatically accelerate implementation of multi-factor authentication, especially for privileged users.”
Smart Cards have long been a requirement and are increasingly important for privileged user access
Smart Card login has long been a required form of authentication, starting with the Presidential directive HSPD-12, which was reinforced by OMB M-11-11 and most recently by the 30-day Cybersecurity Sprint. Smart Card login is also being mandated for all privileged user access as part of the OMB Cybersecurity Strategy and Implementation Plan (CSIP) as defined by OMB M-16-04.
Smart Card login to the Centrify Identity Platform
Centrify customers can now define authentication policies that require Smart Card PKI certificates for login access to the Centrify cloud service in environments that require strong authentication.
Users authenticate to the User Portal by having their PKI Smart Card or PKI USB Key plugged into their computer and unlocked with their PIN. At login to the Centrify cloud service, the user will be prompted for their PIN if they have not unlocked the smart card recently and then asked which certificate to use if there is more than one available.
With this addition of Smart Card login, it is now possible to require Smart Cards for access to several Centrify-protected services, such as:
- SSO access to cloud-based applications such as Office 365, ServiceNow, Workday, Dropbox, etc.
- Secure remote access to internal web apps
- Secure remote access to privileged sessions on Windows, UNIX/Linux servers and network devices
- Access to check out a shared account password