Tom Kemp's Centrify Blog

Introducing DirectAuthorize and the Centrify Suite

Tuesday, October 21, 2008

It has been a month since I last blogged, but I have been purposely saving up for some big announcements that we are making this week. The big news for today from Centrify is that we are pleased to announce a brand new product called DirectAuthorize, a software solution that centrally manages and enforces role-based entitlements for UNIX and Linux systems, and we are also introducing the Centrify Suite, which is a comprehensive solution for cross-platform identity and access management. In this blog post I will give you my take on what DirectAuthorize does and how it fits within our existing product set, and provide you my thoughts on the Centrify Suite.

So what is DirectAuthorize?

Centrify DirectAuthorize centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. According to the analyst firm the Gartner Group, UNIX and Linux systems inherently lack a scalable and simple model for administrative delegation, and organizations that give too many users root permission run unnecessary security risks and will invariably fail audits. By delegating and controlling how and when users can access systems and what they can do (i.e. what commands they can type and whether these commands run with elevated privilege), DirectAuthorize enables organizations to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords.

DirectAuthorize is I believe the first and only product in the market that leverages Active Directory to enable UNIX/Linux privilege management and root access control, so there is no need to deploy additional servers or infrastructure to enable UNIX authorization management. DirectAuthorize is also integrated and built on top of our DirectControl solution, and is bundled with DirectControl as part of the Centrify Suite Standard Edition (more about that below), thereby making Active Directory-centric authentication and authorization truly go hand-in-hand from an architecture, packaging and delivery perspective. In my next blog post I will go into detail on DirectAuthorize's features and benefits, but if you want more info now you can view this datasheet, view this demo or watch these video chalktalks:
» Introducing DirectAuthorize Part 1: Features &: Architecture
» Introducing DirectAuthorize Part 2: Unique Features

So how does DirectAuthorize fit in with Centrify DirectControl and Centrify DirectAudit?

I think the best way to answer this question is view DirectAuthorize in the context of the two biggest drivers for our solutions: compliance and security. Government and industry regulatory compliance requirements such as SOX, PCI, HIPAA, GLBA and FISMA dictate that users should not share accounts (especially the root and/or a privileged account), but instead should login as themselves, and then only gain privileges based on their role within the organization, and that all administrative actions should be audited. For example, the Payment Card Industry Data Security Standard (PCI DSS) states in Section 8 that and organization must "identity all users with a unique user name before allowing them to access systems components" and in Section 7 asserts that organizations must "limit access to computing resources ... only to those individuals whose job requires such access." Furthermore, the PCI DSS states in Section 10 that "all actions taken by any individual with root or administrative privileges" not only need to be controlled but also audited as well. These requirements are common for other compliance and industry standards such as SOX, HIPAA, GLBA and FISMA.

Centrify DirectControl facilitates compliance by allowing each user to login into a UNIX or Linux system and/or login to an application (e.g. SAP) as themselves using their Active Directory login, i.e. login in as themselves vs. a shared account. DirectControl's patented Zoning feature provides further granular access control by restricting who (i.e. which UNIX-enabled Active Directory user or group member) can login to which set of systems. So think of DirectControl as addressing the questions of who can login on to which systems.

DirectAuthorize provides further granular delegation of what actions can be performed on a given system by a given user, and further controls when they can login and how they access the system. So think of DirectAuthorize as addressing the questions of how a user can login, when can they login, and what they can do. As it relates to how this meets compliance, using PCI as an example it is clear that DirectControl and DirectAuthorize address the PCI requirements found in Sections 7 ("Restrict access to cardholder data by business need to know") and 8 ("Assign a unique ID to each person with computer access")

Centrify DirectAudit builds on top of DirectControl and DirectAuthorize by auditing all actions taken by any individual including those with root or administrative privileges, another key compliance requirement. DirectAudit addresses the issue of accountability by auditing and showing exactly what the users were doing on your systems. Think of DirectAudit as a Tivo or VCR for your UNIX/Linux system, with ability for auditors to quickly see and search on who has been doing what on your mission-critical systems. As an example of meeting compliance requirements, DirectAudit clearly addresses Section 10 of PCI ("Track and monitor all access to network resources and cardholder data").

Introducing the Centrify Suite

Together these three integrated security and compliance solutions form the basis of our newly created Centrify Suite. The goal of the Centrify Suite is to deliver an integrated family of Active Directory-based auditing, access control and identity management solutions that secure your cross-platform environment and strengthen regulatory compliance initiatives.

There are three editions of the Centrify Suite:

We think our suite is pretty unique in the identity management industry. First of all, it goes beyond AD-based authentication services to deliver not only authentication, but also AD-based access control, authorization and auditing - and does so across a wide range of platforms. Second, it is built on the same modern architecture that uses an existing infrastructure you already have, so there is no deploying and using multiple architectures/GUIs/etc. that integrate just at the brochure level and that require additional infrastructure components to be deployed and maintained. And finally, it is cost-effective. For example the Centrify Suite Standard Edition starts at $350 per server, delivering AD-based authentication, access control and authorization. This is stark contrast to other vendors who charge well over $1200 per server just for UNIX authorization management piece alone. I can think about 5 other key "unique" differentiators but I think you get the idea.

In the next few blog posts I will drill down on DirectAuthorize and the Centrify Suite in more detail.

< Previous Article: SAP Certifies DirectControl for SAP on UNIX and Linux
> Next Article: How DirectAuthorize Addresses Root and Shared Account Management in UNIX/Linux Environments