12.07.2015

Introducing Centrify DirectAuthorize - Cerberis

Regulations Require Authorization Controls

Regulation: Sarbanes-Oxley, Section 404
Specific authorization and privilege control requirements: "... (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Regulation: Payment Card Industry Data Security Standard (PCI DSS)
Requirements: 7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access. 7.2 Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.

Regulation: Health Insurance Portability and Accountability Act (HIPAA)
Requirements: SUMMARY: This rule includes standards to protect the privacy of individually identifiable health information. Section 164.508 describes the uses and disclosures for which an authorization is required.

Regulation: Federal Information Security Management Act of 2002 (FISMA)
Requirements: The purpose of Title III - Information Security is to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. The combination of Federal Information Processing Standards (FIPS) documents and the NIST Special Publication 800 series defines the standards and guidelines required to support implementation of and compliance with FISMA requirements.

Regulation: National Industrial Security Program Operating Manual (NISPOM)
Requirements: 8-606. Access Controls (Access). The IS shall store and preserve the integrity of the sensitivity of all information internal to the IS. 8-607. Identification and Authentication (I&A). A) Requirements. Procedures that include provisions for uniquely identifying and authenticating the users. B) An I&A management mechanism that ensures a unique identifier for each user and that associates that identifier with all auditable actions taken by the user.

© 2004-2009 CENTRIFY CORPORATION. ALL RIGHTS RESERVED.
SLIDE 5


Challenge #2 – Enforcing Least Access

• Consistently enforcing "least access" to business systems
  • UNIX accounts typically grant an "all access pass" to any interface and application running on the system
  • User access to UNIX systems is usually only required for specific interfaces
• Locking down privileged accounts
  • This can be difficult when IT staff need to run some operations that require privilege
  • With existing tools for managing privileged execution, policies are difficult to create and privilege grants are impossible to report on
• Gartner notes: Unlike the Windows platform, UNIX lacks a "simple and scalable model for administrative delegation"; "... the larger and more complex the organization, the greater the number of people who will sometimes need privileged access, increasing the likelihood of mistakes and deliberate attacks", which "is likely to draw the attention of the external audit"

SLIDE 6


Introducing DirectAuthorize


Introducing DirectAuthorize ... Centralized, role-based entitlement management for UNIX & Linux

Role-Based Privilege Management
• Grant fine-grained privilege where actually needed
• Eliminate the need for access to privileged accounts
• Simplify user execution of privileged commands
• Lock down sensitive systems with fine-grained, role-based access controls

Role-Based Access Control
• Centrally manage date- and time-based access controls for individual roles
• Control access to commands and applications based on a role

SLIDE 8


... A New Member of Our Product Family ...

DirectAudit – Detailed Auditing of User Activity
• Audit in detail what users do on UNIX & Linux systems
• Report on user sessions and monitor for suspicious activity

DirectAuthorize – Role-Based Authorization and Privilege Management
• Control how and when users can access UNIX systems
• Specify exactly what commands they can run

DirectControl – Centralized Authentication and Access Control
• Control who can log into which systems and applications
• Enforce security policies and consolidate user accounts

(Diagram: IAM Optimization stack spanning Systems and Applications)
SLIDE 9


... That Is Part of a Comprehensive IAM Suite

STANDARD EDITION: DirectControl, DirectAuthorize, OpenSSH & Kerberos Tools
ENTERPRISE EDITION: Standard Edition + DirectAudit
APPLICATION EDITION: Enterprise Edition + Application Modules

(Diagram: DirectControl, DirectAuthorize and DirectAudit layered across Systems and Applications under IAM Optimization)
SLIDE 10


DirectAuthorize – Enterprise RBAC for UNIX

• Centrally manage and enforce role-based entitlements for fine-grained user access and privilege rights
• Secure systems by controlling how users access the system and what they can do
• Eliminate users' need to use privileged accounts, allowing those accounts to be locked down
• Centrally manage DirectAuthorize policy within Active Directory
  • Roles and rights are managed within DirectControl Zones
  • No additional servers or infrastructure
  • Leverages Microsoft Authorization Manager
• Policy enforcement modules control UNIX rights

Architecture (diagram): policy lives in Active Directory & Authorization Manager; DirectControl delivers it to the DirectAuthorize enforcement modules on each system:
• PAM Access – control access to UNIX interfaces & applications
• Privileged Commands – delegate admin privilege where needed
• Restricted Environment – control allowed commands

SLIDE 11


DirectAuthorize Roles

• Roles enable rapid rights assignment based on job function
  • Roles can have limited availability to specific time windows
  • Roles are granted a set of rights
  • Roles are assigned to one or more users or groups
  • Roles are created within a Zone
• Rights are granted for specific actions
  • PAM (login) Access rights
  • Privileged Commands rights
  • Restricted Environment rights
• Role assignments
  • Users or groups are assigned to roles
  • Assignment can be for a specific computer
  • Assignment can be restricted by a start and end date/time

Example (diagram): an AD group is assigned the DBA role, and the DBA role is granted these rights:
• PAM Access: ssh login
• Privileged Commands: tar command as root
• Restricted Environment: only allow specific commands

SLIDE 12


DirectAuthorize Rights – PAM Access

• Control a user's access to UNIX system interfaces and applications
• Access rights can be granted for built-in services, including SSH, FTP & GDM
• Access rights can be granted for other applications that call PAM for user authentication, such as Informix

SLIDE 13


DirectAuthorize Rights – Privileged Commands

• DirectAuthorize simplifies the policy definition needed to grant fine-grained privilege
• Delegates the right to run commands with elevated privileges where authorized
• The dzdo command executes commands with privilege, similar to sudo, but leverages the DirectAuthorize policy backend; the policy is cached so that dzdo keeps working when the system cannot reach Active Directory

SLIDE 14


DirectAuthorize Rights – Restricted Environment

• The DirectAuthorize Restricted Shell, sash (based on BSD /bin/sh), controls which commands a user is allowed to execute
• Runs only allowed commands; you must grant rights for any commands the user needs
• Simplifies privileged execution for lower-level admins
• Privileged commands are automatically run with privilege via dzdo

SLIDE 15


DirectAuthorize Controls More Than Sudo Alone

Authorization features compared (sudo vs. DirectAuthorize):
• Control user access to privileged commands on specific machines
• Centralized policy management (sudo: yes, with Group Policy using DirectControl)
• Policy stored securely within Active Directory
• No additional infrastructure required
• Time-based privilege authorization limits
• Temporary rights assignment
• Control all commands (privileged or not)
• Control access to PAM applications (e.g. FTP, SSH)
• Automatically run privileged commands as the correct user
• Inheritable roles and assignments with override (sudo: yes, but tough; DirectAuthorize: Zone to Computer)
• Policy can be applied to members of an Active Directory group
• Session activity audit (requires DirectAudit)

SLIDE 16


DirectAuthorize Real-World Usage Scenarios

Controlling Backup Operators
• Log in during the maintenance window only
• Execute backup commands with enough privilege that all files can be backed up
• Should not log in or switch to the root user

Managing Sys Admin Contractors (contract system administrators)
• Should not log in or switch to the root user
• Log in via secured interfaces to perform admin duties, e.g. SSH
• Should only have a reduced set of privileged commands granted

Simplifying DBAs' Privileged Environment
• Should not log in or switch to the root user
• Log in via secured interfaces to perform DBA duties, e.g. SSH
• Should be able to run only DB-specific commands as the DB account

SLIDE 17
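The role model on the Roles slide (roles created in a zone; granted PAM-access, privileged-command and restricted-environment rights; assigned to users or AD groups, optionally per computer, within start/end date-times or a daily time window) and the three scenarios above, worked through as an added example. This is the editor's toy in-memory evaluator, not Centrify's code and not how DirectAuthorize stores or evaluates policy in Active Directory; every host name, AD group, command pattern and date in it is constructed for the demo, and `Zone`, `Role`, `Assignment`, `CommandRight`, `when` and `build_demo_zone` are names invented here. It shows the one thing the slides leave implicit: with deny-by-default evaluation, the same three questions (may this user log in via this service, what does a command run as, is an unlisted command allowed at all) get different answers for the backup operator, the contractor and the DBA purely from role data.

```python
"""Toy model of DirectAuthorize-style entitlements (added example, not Centrify
code): a Zone of Roles (PAM access, privileged commands, restricted shell, daily
time window) and Assignments (user or AD group, optional computer, start/end).
Hosts, groups, commands and dates below are constructed for the demo."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatchcase


def when(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp such as "2009-06-15T23:30"."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class CommandRight:
    pattern: str          # glob over the whole command line, e.g. "/bin/tar *"
    run_as: str = "root"  # account the command executes as (what dzdo would use)


@dataclass
class Role:
    name: str
    pam_access: set[str] = field(default_factory=set)   # services, e.g. {"ssh"}
    commands: list[CommandRight] = field(default_factory=list)
    restricted_shell: bool = False  # True: only listed commands may run (sash-style)
    window: tuple[time, time] | None = None  # daily availability, may wrap midnight

    def available_at(self, now: datetime) -> bool:
        if self.window is None:
            return True
        start, end = self.window
        t = now.time()
        return start <= t < end if start <= end else (t >= start or t < end)


@dataclass(frozen=True)
class Assignment:
    role: str
    principal: str               # "alice", or "group:UNIX-Backup" for an AD group
    computer: str | None = None  # None = every computer in the zone
    start: datetime | None = None
    end: datetime | None = None

    def applies(self, user: str, groups: set[str], host: str, now: datetime) -> bool:
        if self.principal not in {user} | {f"group:{g}" for g in groups}:
            return False
        if self.computer is not None and self.computer != host:
            return False
        if self.start is not None and now < self.start:
            return False
        return self.end is None or now < self.end


class Zone:
    """Roles and assignments scoped to one zone; evaluation is deny-by-default."""

    def __init__(self, roles: list[Role], assignments: list[Assignment]) -> None:
        self.roles = {r.name: r for r in roles}
        self.assignments = assignments

    def active_roles(self, user, groups, host, now) -> list[Role]:
        return [self.roles[a.role] for a in self.assignments
                if a.applies(user, groups, host, now)
                and self.roles[a.role].available_at(now)]

    def can_login(self, user, groups, host, service, now) -> bool:
        """PAM access right: may `user` authenticate to `service` on `host` now?"""
        return any(service in r.pam_access
                   for r in self.active_roles(user, groups, host, now))

    def command_run_as(self, user, groups, host, cmdline, now) -> str | None:
        """Account `cmdline` runs as, or None if denied: a matching privileged-command
        right wins; otherwise a restricted-shell role denies the command and an
        unrestricted role runs it unelevated, as the user."""
        roles = self.active_roles(user, groups, host, now)
        if not roles:
            return None
        for role in roles:
            for right in role.commands:
                # Whole-line globs over-match ("/bin/tar *" also admits
                # "/bin/tar --to-command=/bin/sh"); pin executables in a real policy.
                if fnmatchcase(cmdline, right.pattern):
                    return right.run_as
        return None if any(r.restricted_shell for r in roles) else user


def build_demo_zone() -> Zone:
    """The slide's three scenarios as roles and assignments (constructed data)."""
    roles = [
        Role("BackupOperator", pam_access={"ssh"},
             commands=[CommandRight("/bin/tar *", run_as="root")],
             window=(time(22, 0), time(2, 0))),            # maintenance window only
        Role("ContractAdmin", pam_access={"ssh"},
             commands=[CommandRight("/sbin/service httpd *", run_as="root"),
                       CommandRight("/usr/bin/tail * /var/log/*", run_as="root")]),
        Role("DBA", pam_access={"ssh"}, restricted_shell=True,
             commands=[CommandRight("/opt/db/bin/*", run_as="dbadmin")]),
    ]
    assignments = [
        Assignment("BackupOperator", "group:UNIX-Backup"),
        Assignment("ContractAdmin", "bob", computer="web01",
                   start=when("2009-06-01T00:00"), end=when("2009-07-01T00:00")),
        Assignment("DBA", "group:UNIX-DBA", computer="db01"),
    ]
    return Zone(roles, assignments)
```

Two design points carry over to any real deployment. First, nothing here ever answers "root" unless a command right says so, which is how all three scenarios satisfy "should not log in or switch to the root user": `su -` simply runs as the caller with no elevation. Second, the comment in `command_run_as` is the same weakness sudo wildcards have: a glob over the full command line lets an operator smuggle arguments (tar's `--to-command`, editors that shell out), so command rights should name an exact executable and constrain arguments rather than trust `*`.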


Demo


Why Customers Choose Centrify

Best-in-class solution that offers quicker time-to-value
• Market Leadership. Over 1000 enterprise customers, including 38% of the Fortune 50.
• Industry Recognition. Burton Group: Centrify is a right vendor for Active Directory integration: "mature, technically strong, full featured." Major awards from both Linux and Windows press.
• Complete "3A" Identity & Access Management Solution. Centrify goes beyond Active Directory-based Authentication to deliver Access Control (via our patent-pending Zone technology in DirectControl), Authorization (via DirectAuthorize) and Auditing (via DirectAudit).
• Single architecture. All Centrify Suite components are next-generation technology, built on a common architecture that makes them quick to deploy, easy to manage, and cost-effective.
• Deepest platform and application support. Centralized Active Directory integration for over 190 versions of UNIX, Linux and Mac, plus centralized SSO for all major web platforms, SAP and databases.
• Non-intrusive. No changes required to the Active Directory schema; no additional server infrastructure.

Highly focused company that is your best partner for cross-platform IAM
• Engineering. More R&D personnel working on this problem space vis-à-vis other vendors.
• Support. No call centers; product specialists answer the phones.
• Services. Regionally located consultants have helped customers meet regulatory compliance milestones on tight deadlines; experienced with deployments involving thousands of servers.

SLIDE 19


How to Contact Us

Company web site: www.centrify.com
Technical videos & more: www.centrify.com/resources
Supported platforms: www.centrify.com/platforms
Request an eval: www.centrify.com/trial
Email: info@centrify.com
Phone: Worldwide +1 (408) 542-7500; Europe +44 118 902 6580

SLIDE 20
