Wyeth is one of the world's largest research-driven pharmaceutical and health care products companies. It is a leader in the discovery, development, manufacturing and marketing of pharmaceuticals, vaccines, biotechnology products and non-prescription medicines that improve the quality of life for people worldwide. The company's major divisions include Wyeth Pharmaceuticals, Wyeth Consumer Healthcare and Fort Dodge Animal Health.
"By enabling us to centralize identity management, reducing passwords for our users, and eliminating the Sun ONE Directory Server, DirectControl makes our lives a lot easier, and lets us focus more on the research goals of the business."
- Dave Kennamer, Manager, Advanced Research Computing, Wyeth Research
The Bioinformatics group within Wyeth Research is at the forefront of pharmaceutical and biotechnology research, and the scientists make extraordinary demands on their resources to support them in their exploration of opportunities to solve health problems for everyone. These special needs require flexibility, resourcefulness, and efficiency from the information technology deployed. They frequently use several days or weeks of cluster computing time to process very sophisticated and complex data analysis. So demanding are the computing needs that the Advanced Research Computing (ARC) group includes engineers and multi-disciplined scientists.
At the same time that it meets the needs of the researchers, the ARC staff must implement and enforce corporate and best-practice security policies, perform user and systems management, and deliver within its budget.
As their needs increased, the research division added compute and application servers either standalone or in clusters. Users would automatically have a corporate eDirectory account, an Active Directory account, and would then be granted a Sun ONE-based LDAP account for access to those UNIX and Linux servers that supported their activities in the Bioinformatics compute lab. Those servers themselves also had local password files, which required intermittent maintenance. Like many point solutions intended to solve an immediate problem (in this case, performance issues on the corporate directory), the Sun ONE server became an established presence, requiring local administration and management. It also meant that users had passwords maintained on yet another directory that had to be reset according to the corporate policy. Also, for corporate compliance, they were subject to regular IT security audits and needed to ensure that any systems they deployed met or exceeded established policies.
The Sun ONE server ultimately reached the end of its effective life and this provided an opportunity for improvement to the environment in the ARC group. In addition, the corporate strategic direction was to reduce the number of directories. Regardless of whether the Sun ONE system was upgraded or replaced, the administrators wanted to reduce the administrative burden, provide authentication and access control for users in a mixed operating environment, strengthen their security profile, and increase the quality of the user experience.
Dave Kennamer, a manager in the Advanced Research Computing group, led the team researching the alternatives as they looked to replace the local LDAP server. They considered relying on the corporate directory, but distance and other constraints introduced significant performance delays. For instance, on many occasions jobs running on the Linux cluster can submit many LDAP queries. The delay due to network latency over the WAN, magnified by multiple simultaneous LDAP queries, made the remote directory unfeasible. Because the Wyeth Active Directory had multiple domain controllers in various geographic locations, they looked for a way to leverage the local domain controller server to solve their problem. With all users having an Active Directory account and password reset utilities already available, it seemed clear that extending Active Directory to the Linux and UNIX systems would offload the administrative burden and centralize authorization.
At first they considered piecing together the open source packages that are available, but the implementation preparation and the ongoing maintenance that would be required defeated one of the primary benefits: freeing the local administrators to focus on non-directory issues. They decided they needed a vendor-supported solution that supported a principal requirement - no schema extensions to the existing Active Directory structure.
The only solution that lets Active Directory embrace UNIX, Linux and Macs and doesn't require Active Directory schema extensions is Centrify DirectControl. The Centrify DirectControl Agent effectively turns the host system into an Active Directory client, enabling administrators to secure that system using the same authentication, access control, and Group Policy services currently deployed for their Windows systems. Additional seamlessly integrated modules snap into the DirectControl Agent to provide services such as web and database single sign-on and Samba integration.
The Bioinformatics group within Wyeth Research had established disciplined identity policies. User names and UIDs are uniform across systems, so that, though DirectControl includes wizards that expedite identity mapping, Kennamer's team was able to immediately associate the Linux and Solaris UIDs with their Active Directory counterparts.
After a brief installation period, Kennamer reports that they quickly began to see the benefits. Scientists have one less password to remember and maintain, and the ARC staff no longer has to maintain a separate directory server that would enforce non-Active Directory password policies. While there is no appreciable increase in work for the Active Directory administrator, "We've saved several hours a week in our group that were previously spent doing password resets, directory server maintenance, and other tasks," observed David Kennamer. "We're able to spend that time on improving services and enabling new capabilities for the scientists."
Centrify DirectControl has a unique Zone feature that allows an organization to create logical groups of systems. These groups can then be leveraged to control access and to focus the delegation of administrative rights. Zoning provides opportunities for more granular control in order to streamline administration and increase security. Currently, Wyeth has chosen a broad, matrixed-Zone approach that allows flexible, open access for both administrators and users.
Looking further at DirectControl, they discovered other advantages - it had no significant performance impact on their compute cluster nodes; it had a straightforward installation whereby they didn't have to bring down the servers in order to install and join the domain; and the support for Kerberos meant that their SSH client application, SecureCRT, could use their Kerberos tickets for authentication and access, enabling single sign-on.
With the reporting capability that DirectControl includes, the ARC group is able to quickly find out who has access to any given system and, conversely, can just as easily find out all of the systems that an individual can access. This simplifies audit reporting and provides important information as personnel leave the company or change roles. In addition, they now have consistent user identity across platforms, which will allow them to easily expand their grid computing capabilities to other groups in the company if needed.
"By enabling us to centralize identity management, reducing passwords for our users, and eliminating the Sun ONE Directory Server, DirectControl makes our lives a lot easier, and lets us focus more on the research goals of the business," said Kennamer.
Wyeth Research Bioinformatics streamlines Identity Management with Centrify DirectControl.
Environment:
1000+ users
200 servers: