Centrify and the SANS Top 20

I know a very successful high school wrestling coach who has this running bit he does all the time at social events, cocktail parties, and random water cooler conversations.  When asked why his teams are consistently good year after year, he always responds with, “I’ve discovered the ancient secret to staying extremely physically fit.” After a bit of egging on, he’ll reluctantly divulge this long lost tidbit of knowledge he stumbled upon while reading some ancient scrolls. “The secret to staying extremely physically fit,” he begins, always followed by an over-the-top dramatic pause, “is to eat right and exercise.” Just…

Another Breach! Security Controls Shouldn’t be that Hard!

I just read an interesting article in NetworkWorld about a breach at a major financial institution. The article pointed out that breach resulted from a lack of deploying adequate security controls on the corporate servers. The article goes on to state, “Strong access management policies and network segmentation are key to limiting the extent of damage that attackers can do once they gain a foothold inside a network. However … implementing uniform security controls across their vast networks can be difficult because they often have to integrate large numbers of new systems with different levels of security as a result of acquiring other companies.”

Compliance to the DHS CDM Program with Centrify

My first years out of college were spent as a Unix administrator, during which time I learned many amusing acronyms, such as sed, NAWK, and PEBCAK. One of my favorites was Yacc, which stands for Yet Another Compiler Compiler. After many years now in IT Security I’ve created my own ‘YAC’:  Yet Another Compliance. It seems there’s a new compliance mandate hiding around every corner, with most offering little in terms of new insights and existing merely to waste time and resources proving the same thing in a different way. But every now and then a promising new compliance program…

Using Centrify for NIST 800-53 Compliance

There’s a humorous saying I often hear in IT Security circles that goes something like this: “If a CISO has the choice between being compliant or being secure, compliance always wins because that’s what will keep them out of prison.” The reality is that most organizations need to increase both as efficiently as possible, and this is where Centrify can help. The Centrify Server Suite leverages your existing Active Directory to secure your systems from identity related risks and attacks. Additionally it helps with compliance for a large number of federal and industry standard security controls, such as those found…

Identity, Privilege and Compliance on Red Hat Systems

Centrify got our start in the security and identity business many years ago by starting in the datacenter and focusing on the problems of too many identity silos, disparate privilege management policies, and difficulty in tracing activity back to individuals. We saw back then that identity would be a key element of an IT strategy as system environments continue to get more diverse and deployed in more dynamic ways.

Five Reasons Traditional Enterprise Security is no Longer Good Enough

Targeted attacks and security breaches continue to steal the headlines on a daily basis, and no person or organization is immune to the threats. Instances in which personal information is compromised have now become commonplace, as security threats have become increasingly complex, sophisticated and targeted. Unfortunately, with today’s mobile culture and BYOD workforce the threat landscape has broadened. And while the nature of attacks and threat vectors are evolving, traditional security is no longer a match for these attacks. IT departments do not have the resources to address each and every threat as it arises. As such, new technologies provide the…

HeartBleed and Passwords

Once more the evil of passwords is demonstrated. This time it’s the HeartBleed bug that can expose chunks of data known by a web server to hackers. Passwords – and their ability to gain access to anything they protect – are the most obvious target. Technical aside: for those of you that don’t have the time to read the cert advisory (https://www.us-cert.gov/ncas/alerts/TA14-098A), here is a summary. The current version of the security library used by many web servers (OpenSSL) has a flaw that allows an attacker to send an information request (TLS heartbeat) to a server that reads way more…

Identity Where You Want It … And Now Policy Too

Back in November I blogged about “Enterprise Identity Where You Want It”, which discussed how Centrify had enhanced its Cloud Service to allow customers to store identity data in the cloud or on-premise in Active Directory or a combo of both. The point was while customers really want centralized identity management for the cloud and mobile resources that they are deploying, they also wanted flexibility regarding where they could store their identity data (cloud, on-premise and/or in both places). Fast forward a few months, and I am now pleased to announce we are extending this innovative and flexible “hybrid” approach that we have with identity to policy as well with our recent update to the Centrify Cloud Service. Let me explain what we are delivering in this blog post vis a vis Centrify delivering a fully cloud-based policy solution.

Introducing Centrify Server Suite 2014

I am still digging out from the RSA Conference, so have been remiss in blogging that during RSA we announced a major upgrade to our flagship Centrify Server Suite — Centrify Server Suite 2014. New functionality in this release protects heterogeneous servers and applications in the datacenter and cloud from identity-related insider risks and outsider attacks, as well as makes security and regulatory compliance repeatable and sustainable for organizations. In this blog post I want to walk you through some of the major new features at a high-level and drilldown on a few features in detail.

MAS Guidelines Require Auditing and Least Privilege

Monetary Authority of Singapore (MAS) is the regulatory authority for all financial and insurance organizations that do business in Singapore.  They require regular audits of user activity on critical systems and implementation of the “least privilege” principle for user access.  MAS guidelines are likely to affect most if not all global financial and insurance companies.  Are you prepared to meet MAS guidelines? The MAS publication Technology Risk Management Guidelines defines the internal IT practices that must be implemented by all financial and insurance organizations that do business in Singapore.  You can find the document here:  http://www.mas.gov.sg/~/media/resource/publications/consult_papers/2012/20%20June%202012%20Technolog…  Section 11 “Access Control” of the TRMG…