Tom Kemp's Centrify Blog

Hello: Centrify Suite 2013

Wednesday, January 30, 2013

Centrify is very pleased to announce the release today of Centrify Suite 2013. Centrify Suite 2013 builds on the core enhancements Centrify introduced in Suite 2012 by extending DirectAuthorize to Windows, providing tighter integration between DirectAudit and DirectAuthorize, making migration from legacy "sudo" environments to DirectAuthorize fast and simple as well as adding many newly supported operating systems. All this makes Centrify Suite 2013 the industry's easiest and most scalable solution for unified identity and privilege management and detailed user auditing across UNIX, Linux and now Windows systems.

In this blog post I will drill down on some of the new features. But first, what were some of the factors driving the features we put in Suite 2013?

Well, in today's heterogeneous IT environments, achieving security best practices and compliance by linking access privileges and actions to named users is a complex task. Managing user privileges for Windows, UNIX and Linux systems can be difficult to implement since identities and privileges often reside in disparate silos (e.g. /etc/passwd, sudo'ers files, etc.) or are managed locally system by system. Point solutions exist for privilege management of Windows systems or UNIX and Linux systems, but no solutions exist that span across both Windows and UNIX/Linux that utilize a unified architecture leveraging existing directory infrastructure.

We felt that historically with the Centrify Suite we did a great job of doing privileged user management for the hundreds of variants of UNIX and Linux that we supported, but the types of problems we solved on *nix were not being adequately addressed for Windows servers, and there was a need for a single cross-platform solution that could span equally across Windows and *nix. We had previously come out with DirectAudit for Windows, and Windows itself already provides the AD authentication and policy that DirectControl provides on *nix, but there was a big need for robust authorization and privilege management for Windows. As Gartner notes:

"...there is a need for the organization to have more granular control over and visibility into the way that these privileges are granted and used. Super User Privilege Management (SUPM) tools offer a flexible method for granting and/or limiting these privileges in a way that matches the organization's needs." (Source: "Hype Cycle for Identity and Access Management Technologies, 2012," by Gregg Kreizman, et al, July 23, 2012.)

Hence we released DirectAuthorize for Windows as part of Centrify Suite 2013, a major new product of ours that has many unique features, including:

  • Secure delegation of privileged administration for Windows Servers. DirectAuthorize eliminates wide-open privileges of Windows and Domain administrators and grants privileges to only the roles, rights and resources required for each administrator's job function. It also allows administrators to easily elevate privilege without having to re-enter passwords or know an administrative password.
  • Granular authorization and enforcement of administrative functions. DirectAuthorize goes beyond capabilities found natively in Windows by time limiting privileges for any user, restricting the access rights of high-privilege roles to specific systems, services or applications, and secure delegation using Centrify's patented Zones technology that provides the necessary flexibility and granularity for administrative functions.
  • Seamless integration with user-level auditing. DirectAuthorize integrates with Centrify DirectAudit to easily add user-session capture, search and playback, and can automatically trigger high-value session recording based on user, role, system or privilege elevation.

Figure: DirectAuthorize Privilege Elevation tools

Centrify DirectAuthorize for Windows lets users elevate privilege using a one-click Centrify Tray Application to create a new desktop for an assigned administrative role or use 'Run as Role' for privilege elevation for a single application.

In addition, while we had this great DirectAuthorize for *nix solution, we found that customers needed some help migrating from the old way of doing things (sudo) to the next generation privilege management technology — DirectAuthorize. Hence in this release we have come out with a "sudo migrator" much like we have always provided a migration tool to migrate from /etc/passwd, NIS, etc. (i.e. user account information) to Active Directory. This new import wizard uses Centrify Deployment Manager to retrieve remote sudoers files and import and process them for enforcement via DirectAuthorize. In addition, the "dzdo" command line interface now supports local users, run as single user and remote host command execution.

We also wanted to better integrate DirectAuthorize and DirectAudit, hence another new feature in Centrify Suite 2013 is the ability for DirectAudit policies to trigger auditing sessions for specific users, computers and DirectAuthorize roles.

Finally, it would not be a Centrify Suite release without additional UNIX and Linux platform support. Already supporting the most platforms in the industry, the new solution now supports more than 400 platforms, applications and devices, including new platforms such as Fedora 18; Red Hat Enterprise Linux 5.8, 5.9 and 6.3; CentOS 5.8, 5.9 and 6.3; Scientific Linux 5.8, 5.9 and 6.3; Oracle Linux 6.3; Ubuntu 12.10; Linux Mint 13 and 14; Mandriva One 2012; and OpenSuSE 12.2 and 12.3. Click here to see all the platforms supported by Centrify Suite 2013.

The net net is with Centrify Suite 2013 we offer you a comprehensive approach to identity management that includes integrated authentication, access control, privilege management, policy enforcement and compliance — all based on a single, unified architecture that leverages Microsoft Active Directory. For more information on Centrify Suite 2013 visit this webpage to download whitepapers, datasheets, etc. regarding what's new with Centrify Suite 2013. In future blog posts I will drill down in more detail on DirectAuthorize for Windows and some other new features in Suite 2013.
