TOM KEMP'S CENTRIFY BLOG
Friday, October 24, 2008
This is the third in a series of blog posts on our hot new product DirectAuthorize. In my first post on DirectAuthorize I described at a high level what DirectAuthorize does and how it fits in with the other products that form our Centrify Suite. In my second post on DirectAuthorize I discussed the business value of DirectAuthorize as it relates to addressing security and compliance requirements around root and shared account management. In this post I will drill down on the architecture of DirectAuthorize and describe some of its unique architectural features, including how it uniquely leverages Active Directory. For those who want more details on the DirectAuthorize architecture than what is provided in this blog post, you can watch this 30-minute video chalk talk on DirectAuthorize's architecture.
DirectAuthorize, like the other products in the Centrify Suite, leverages the scalable and robust DirectControl architecture that enables non-Microsoft systems to "join" a Windows domain and allow users to login to those systems using their Active Directory credentials. DirectControl also provides legacy directory (e.g. NIS) migration and interoperability capabilities, broad application support beyond generically supporting Kerberos (including Active Directory Federation Services support), group policy capabilities as well as our patent-pending Zone technology which provides granularity on what systems a given user can log into. In other words, DirectControl can control who can login to which systems.
DirectAuthorize takes the access control capabilities of DirectControl a step further by allowing organizations to centrally control how and when users can access UNIX & Linux systems and can control exactly what commands they can run on those systems with what elevated privileges.
DirectAuthorize does this via roles and rights. A role is a logical job function (e.g. backup operator, DBA, web developer, application administrator, etc.) that carries with it specific rights that are needed to perform duties within a role.
Rights describe both access methods and privileges, specifically:
Roles are defined for a DirectControl Zone, which is a logical collection of DirectControl-managed systems. Active Directory users or groups can be assigned to one or more roles. A role assignment can apply to all computers in a Zone, or to a specific computer. For example, in the Engineering Zone the user Fred could be assigned the system administrator role for all computers, and also be assigned a DBA role for a single database server. Thus, roles are a flexible and scalable method for defining users' access methods and privileges for a specific set of systems.
Roles can be active and available for use during specific hours of the day or days of the week. For example, you can specify that a backup operator role is available only on Wednesdays and Fridays between the hours of 5:00 p.m. and 9:00 p.m. Users and groups in that role are allowed to perform the operations associated with the role during the days and times you have defined.
An individual user or group role assignment can be given an effective starting date and time, an expiration date and time, or both. For example, if the user Jane needs to be a database administrator temporarily for four weeks in August, you can assign this user to the database administrator role with a start date of Monday, August 4th, and an expiration date of Friday, August 29th. Or, a patch role might be assigned to user Fred for a short time while he works on a trouble ticket.
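As an added illustration (not Centrify's code, and not the AzMan data model DirectAuthorize stores its data in), here is a small Python model of the role, assignment and time-window rules described above; the principal names, computer names and the `backup-ops` group are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time
# Constructed model of the page's role/assignment rules; not Centrify's code
# and not the AzMan schema DirectAuthorize stores its data in.
@dataclass(frozen=True)
class Role:
    name: str
    weekdays: frozenset = frozenset(range(7))  # 0=Mon..6=Sun, as weekday()
    window: tuple = (time(0), time(23, 59, 59))  # inclusive start/end of day

    def active_at(self, at: datetime) -> bool:
        start, end = self.window
        return at.weekday() in self.weekdays and start <= at.time() <= end

@dataclass(frozen=True)
class Assignment:
    principal: str             # AD user or group name
    role: Role
    computer: str = None       # None = every computer in the Zone
    start: datetime = None     # optional effective-from timestamp
    expires: datetime = None   # optional expiration timestamp

    def effective_at(self, at: datetime) -> bool:
        return (self.start is None or at >= self.start) and \
               (self.expires is None or at <= self.expires)

def holds_role(assignments, principals, computer, role_name, at):
    """principals = the user's own name plus the AD groups it belongs to."""
    for a in assignments:
        if a.principal not in principals or a.role.name != role_name:
            continue
        if a.computer is not None and a.computer != computer:
            continue  # assignment scoped to a different computer
        if a.effective_at(at) and a.role.active_at(at):
            return True
    return False
# Sample data mirroring the post: backup operators only Wed/Fri 5-9 pm,
# Jane a DBA on db01 from Mon Aug 4 through Fri Aug 29, 2008.
BACKUP = Role("backup operator", frozenset({2, 4}), (time(17), time(21)))
DBA = Role("DBA")
ASSIGNMENTS = [
    Assignment("backup-ops", BACKUP),  # zone-wide, granted to an AD group
    Assignment("jane", DBA, "db01", datetime(2008, 8, 4),
               datetime(2008, 8, 29, 23, 59, 59)),
]
def check(principals, computer, role_name, when):
    """Wrapper taking an ISO-8601 timestamp string, e.g. '2008-10-24T18:00'."""
    return holds_role(ASSIGNMENTS, set(principals), computer, role_name,
                      datetime.fromisoformat(when))
```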
As I look at DirectAuthorize and compare it to the legacy solutions that exist in the market for UNIX privilege management and root access control, I see a number of significant differentiators. Let me rattle off at least four that come to mind.
First, DirectAuthorize leverages your existing Active Directory infrastructure for role-based entitlement management without the need to deploy additional servers or infrastructure.
Like DirectControl, DirectAuthorize is tightly integrated into Active Directory, which means you do not need to deploy, test and manage additional servers or infrastructure to use DirectAuthorize. DirectAuthorize stores its role and rights data in Active Directory Authorization Manager's existing rights-based logical model and data storage schema found in Windows 2003 and above. This means no Active Directory schema extensions are required to install and use DirectAuthorize. You can manage DirectAuthorize from within the Centrify Console, or you can leverage Authorization Manager (AzMan) APIs to access DirectAuthorize's roles and rights data. With its use of a modern LDAP directory to centrally store and manage authorization data, and its ability to leverage an existing Active Directory infrastructure, DirectAuthorize represents next-generation technology compared to older, proprietary solutions that require separate servers and infrastructure to operate.
Second, DirectAuthorize is a modern role-based solution as opposed to a complex script-driven product.
DirectAuthorize provides an easy-to-use framework to simplify granting users rights to services and applications by allowing organizations to centrally define logical roles (backup operator, DBA, web developer, application administrator, etc.) that carry with them the specific rights and only the rights needed to perform duties within a role. DirectAuthorize's modern, role-based approach to UNIX privilege management has been designed with compliance in mind, delivering a solution that is both easier to administer and more robust compared to older products with complex and proprietary scripting languages that can only approximate the rich modeling available via Active Directory. In addition, DirectAuthorize's unique Restricted Environment feature and its ability to control users' access to systems via PAM-enabled interfaces go well beyond the capabilities of older legacy products.
Third, DirectAuthorize has been designed to work well in a networked environment and does not require changes to your UNIX and Linux systems.
Like DirectControl and DirectAudit, DirectAuthorize provides a local caching mechanism that enforces authorization and privilege management even if a system temporarily cannot talk to the network. And also like DirectControl and DirectAudit, DirectAuthorize is non-intrusive and does not require any changes to the underlying UNIX operating system. By contrast, older products can generally only work if there is a constant network connection, and require proprietary changes to the underlying UNIX kernel.
Finally, DirectAuthorize is implemented as part of an integrated authentication, authorization and auditing architecture and is a fraction of the cost of alternative solutions.
DirectAuthorize is built on top of the robust DirectControl architecture, e.g. the DirectAuthorize user interface is integrated with the DirectControl Administrator's Console and the DirectAuthorize rights enforcers are integrated into the DirectControl Agent. You just turn on DirectAuthorize once you install DirectControl, so there is no additional software deployment required, and no dealing with a Windows interface for authentication and a completely separate, non-integrated web interface for authorization. Similarly, DirectAudit is built on top of DirectControl, so with Centrify there is just a single architecture to deploy to get integrated authentication, authorization and auditing.
Not only are the products built using the same architecture, thereby making them easier to deploy and use, but they are delivered to the market packaged together to make them easier to purchase. For example, DirectAuthorize is delivered alongside DirectControl as part of the Centrify Suite Standard Edition. These two products, combined in this suite to deliver authentication + access control + authorization, are priced dramatically below what you would pay for a single, older point product that just delivers privilege management. The Centrify Suite Enterprise Edition also includes DirectAudit, i.e. it adds auditing to the Standard Edition, and again at a price below what you might pay for an auditing product alone. Better and more modern architecture, real product integration, more functionality, more affordable, etc., and all of this leveraging our Active Directory-centric approach: no wonder our customers are so excited about what we are doing and where we are going!
In my next blog post I want to compare and contrast DirectAuthorize to what most of our customers use today for delegation of root privileges: sudo.