Centrify DirectControl Frequently Asked Questions
Who is Centrify?
Founded in March 2004, Centrify is a leading provider of Microsoft Active Directory-based access control and identity management solutions for UNIX, Linux, Mac, J2EE and web platforms. With DirectControl, organizations can improve IT efficiency, better comply with regulatory requirements, and move toward a more secure, connected infrastructure for their heterogeneous computing environment. The leadership team at Centrify includes CEO Tom Kemp, who previously co-founded systems and security management vendor NetIQ; VP of Engineering Adam Au, former executive at Novell and Computer Associates and founder of storage management vendor Netreon, Inc.; CTO Paul Moore, formerly of Microsoft (where he led the integration of print services into Active Directory as a Program Manager for Windows 2000), Netreon and Computer Associates; and VP of Field Operations Jim Chappell, formerly of Legato, where he helped grow the company's annual revenues from $3M to $250M. Headquartered in Mountain View, California, the company also has field offices throughout the United States and a European Headquarters in Reading, UK. Centrify is funded by top-tier venture firms Mayfield, Accel Partners, INVESCO and Sigma Partners.

What is Centrify's vision for identity management?
Delivering centralized identity and access management is one of the top security challenges facing IT departments today. Corporate officers are requiring their IT managers to closely manage and audit who has access to key systems and to put policies and reporting in place to prove it. This task is frustrated by the fact that their environment consists of a diverse set of Windows, UNIX, Linux and Mac systems and applications with access controlled through multiple identity stores, inefficient processes, and ineffective or non-existent policy enforcement. At the same time, budgetary pressures are forcing them to look for ways to do even more with less.
Unfortunately, existing solutions that can help these organizations consolidate and centralize their identity and access management are highly proprietary, very costly to deploy, and require painful changes to their existing IT infrastructure. Centrify's vision is to tie these disparate systems and applications into a secure, connected computing infrastructure with Active Directory at its center. Active Directory is a standards-based, enterprise-class directory that most companies already own — in fact the Gartner Group projects that by the end of 2010, at least 90 percent of midsize and large enterprises will have deployed Active Directory in their internal infrastructure.
What products does Centrify provide?
Centrify's solution for secure access control and centralized identity management is the DirectControl suite. The suite consists of the DirectControl Agent, which is available for more than 150 different versions of the most popular UNIX, Linux and Mac systems. The Agent provides authentication, access control, and Group Policy services for these host systems through Active Directory. Optional modules that snap seamlessly into the DirectControl Agent provide additional services, such as web single sign-on and Samba integration.
What key business problems does Centrify DirectControl address?
Customers who have chosen Centrify are typically experiencing problems in three key areas:
- Security. They have multiple identity stores, with a single user having five or more accounts. These identity stores are not integrated or are relying on expensive and complex synchronization schemes that have failed to scale with their needs. Some of these identity stores rely on technology that is not secure. As a result, issues such as inconsistent security policies and the existence of orphan accounts pose major security risks.
- Compliance. Without a central, definitive source for user accounts and permissions, they have no reliable means of controlling access to key systems. That in turn leads to an inability to report on and audit user access to key systems.
- Efficiency. Administrators manage too many systems with different tools. There are frequently long waits for provisioning new accounts and having routine account updates done. And a high volume of password reset requests drains resources.
What are the key benefits of Centrify DirectControl?
Centrify DirectControl enables organizations to realize benefits in three major areas:
- Cross-Platform Security. They are able to eliminate insecure identity stores and adopt Active Directory as their single, definitive source for user account administration and security policy. Active Directory provides a platform that is highly secure and scalable.
- Improved Compliance. DirectControl's unique Zone feature enables them to enforce granular "need to know" access control. And they can use the built-in reports to verify who has access to what.
- Enhanced Efficiency. Administrators can now use a single set of Active Directory tools and processes, which enables them to quickly provision new accounts and respond quickly to account updates. The reduced volume of password resets frees up their time for higher-value tasks.
How does Centrify DirectControl work?
The Centrify DirectControl Suite consists of several key architectural components. You install the Centrify DirectControl Agent on each UNIX, Linux and Mac system you want to integrate with Active Directory, which enables you to secure that system using the same authentication, access control and Group Policy services currently deployed for your Windows systems. You can install optional modules on DirectControl-managed systems to enable additional services, such as web single sign-on for applications running on that system or Samba integration. The DirectControl Management Tools include extensions to standard Microsoft management tools, an administration console, out-of-the-box reporting, and an account migration wizard.
What is unique about Centrify DirectControl?
In general most identity management solutions force customers to utilize their own proprietary infrastructure and technology and simply synchronize data with Active Directory, thereby keeping the existing silos of redundant identity stores intact. When compared to commercial or open source solutions that provide some levels of interoperability with Active Directory, Centrify differentiates itself by delivering a seamlessly integrated solution that provides tighter integration with Active Directory, including support for Active Directory's robust policy management capabilities across a heterogeneous environment. In addition, Centrify DirectControl does not require costly and intrusive changes to a customer's Active Directory and Unix/Linux environments. For example, DirectControl does not require changes to the Active Directory schema or require rationalization of an organization's Unix UIDs but instead allows administrators to map multiple Unix UIDs to a single Active Directory account via Centrify's patent-pending Zone technology.
Finally, Centrify DirectControl provides centralized management and reporting tools that get administrators out of the trap of having to "manage the management tool."
What kinds of organizations need DirectControl?
Centrify provides solutions to organizations that are grappling with the identity management challenges inherent in large, diverse IT environments. These companies have large numbers of Windows, UNIX, Linux and Mac systems as well as a variety of J2EE- and web-based applications. They use Active Directory to manage Windows user accounts, but they also have a variety of identity stores that control access to UNIX, Linux and Mac systems, and J2EE and web applications — identity stores that may be only loosely integrated, or un-integrated, with each other and with Active Directory.
Does DirectControl require schema extensions to centrally store UNIX/Linux identity information within Active Directory?
No. Centrify DirectControl stores all UNIX identity information centrally within Active Directory, even if a user is required to have different UNIX profiles (that is, unique UID, group ID, home directory, shell, etc.) on different sets of systems. DirectControl gives you several options to store UNIX identity information within Active Directory (see the next question for details). Some methods leverage Microsoft-provided schema extensions. Another method leverages Microsoft-provided Active Directory APIs. None of these methods rely on proprietary changes to your Active Directory schema. Centrify's enterprise customers frequently cite our range of options as one reason why they choose DirectControl.
Then what are my options for storing Unix/Linux identity information in Active Directory?
The first option is to use Microsoft's RFC 2307-compliant schema for UNIX identity data, which Microsoft introduced with its Windows Server 2003 R2 release. DirectControl's support for R2 includes the ability to store UNIX identity data using this R2 schema, and it can do so while providing the ability to map multiple UNIX IDs to a given Active Directory account and without any additional schema modifications.
If you have not yet deployed R2, DirectControl gives you a choice: store UNIX identity data in Active Directory using the Services for UNIX schema extension, or store the data in standard attributes within Active Directory using the container that Microsoft provides precisely for third-party extensions — without having to extend the Active Directory schema.
Whichever option you choose, and irrespective of whether you have deployed R2, the UNIX account data that Centrify stores within Active Directory is easily accessible using off-the-shelf, industry-standard tools such as ADSI and LDAP. For example, because DirectControl stores data using non-proprietary, conventional LDAP data representations, you can use simple and conventional LDAP searches to access the UNIX data that DirectControl stores in Active Directory.
Bottom line: Centrify gives you the freedom to store and easily access UNIX data in a way that best meets your needs while supporting industry standards such as RFC 2307, ADSI and LDAP, and without requiring proprietary changes to Active Directory itself. And DirectControl does this while delivering the only solution that is also certified for Windows Server 2003.
What is RFC 2307, and do you support it?
Yes, we support RFC 2307.
RFC 2307 is a "Request for Comments" document from the Internet Engineering Task Force (IETF). Among other things, it describes a proposed schema for representing a UNIX user's account information in a Lightweight Directory Access Protocol (LDAP) directory. Centrify DirectControl supports RFC 2307 at either the Windows 2000 or Windows Server 2003 forest functional level.
The Windows Server 2003 R2 UNIX attributes are based on RFC 2307, and prior to that Microsoft Services for UNIX (SFU) provided Active Directory schema properties based on RFC 2307. DirectControl supports both the R2 and SFU UNIX schema. (See Centrify's Support for Windows Server 2003 R2 for details.)
If RFC 2307 compliance is important for you, DirectControl fully supports it. However, you can also take advantage of DirectControl's unique ability to store UNIX identity data without extending the schema. With Centrify, you have the flexibility to choose the option that makes the most sense for your enterprise.
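The R2/RFC 2307 attributes described in the two answers above are ordinary LDAP attributes, so they can be reviewed with any LDAP client. As an added example (not Centrify's code), the following Python audits a constructed LDIF export of those attributes for the problems named in the Security section: incomplete UNIX profiles, accounts mapped to UID 0, and one uidNumber shared by several accounts. The attribute names uidNumber, gidNumber, unixHomeDirectory and loginShell are Microsoft's R2 schema names; the REQUIRED set, the sample entries and the minimal LDIF reader are assumptions of this example.

```python
# Added example (not Centrify's code): audit the RFC 2307 / Windows Server 2003 R2
# POSIX attributes of AD accounts from an LDIF export. SAMPLE_LDIF is constructed.
from collections import defaultdict
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=example,DC=com
uid: asmith
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/asmith
loginShell: /bin/bash

dn: CN=Bob Jones,OU=Users,DC=example,DC=com
uid: bjones
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/bjones
loginShell: /bin/bash

dn: CN=Svc Backup,OU=Service,DC=example,DC=com
uid: svcbackup
uidNumber: 0
gidNumber: 0
unixHomeDirectory: /root
"""
# R2 attribute names; which ones make a "complete" profile is this example's assumption.
REQUIRED = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

def parse_ldif(text):
    """Minimal LDIF reader (no line folding or base64): list of {attr: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value)
        entries.append(dict(entry))
    return entries

def audit_posix(entries):
    """Sorted (dn, finding) pairs: incomplete profile, root mapping, shared UID."""
    findings, by_uid = [], defaultdict(list)
    for e in entries:
        dn, missing = e["dn"][0], [a for a in REQUIRED if a not in e]
        if missing:
            findings.append((dn, "missing " + ",".join(missing)))
        if e.get("uidNumber") == ["0"]:
            findings.append((dn, "maps to uidNumber 0 (root)"))
        for uid in e.get("uidNumber", []):
            by_uid[uid].append(dn)
    for uid, dns in by_uid.items():  # same uidNumber on several accounts
        findings += [(dn, f"uidNumber {uid} shared by {len(dns)} entries") for dn in dns if len(dns) > 1]
    return sorted(findings)
```

Against a real directory the same checks apply to the result of an LDAP search for objects carrying uidNumber; the reader here only exists so the example runs offline.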
Do you store information in a "proprietary opaque format" in Active Directory?
Of course not. The data is stored in standard attributes within Active Directory. We'd be glad to show you how it works.
Just request a DirectControl trial, and during our initial demo, if you're interested, we can show you how easy it is to access the data.
How does a specific version of an operating system or application make it onto your "supported platforms" lists?
Our lists of supported platforms for DirectAudit, DirectControl for Systems and DirectControl for Web Applications contain operating system and application versions that are available for immediate evaluation. A specific version is listed as "supported" only after it has passed a series of QA tests; versions in development or still undergoing QA are listed as "coming soon." Priorities in supporting new platforms are heavily driven by customer requirements. If you don't see something you need on the list, let your Centrify sales representative know what you need.
Can Microsoft Identity Integration Server, third-party provisioning products, and corporate developers access or manipulate the information that DirectControl stores?
Yes. Centrify's solution was designed with extensibility and integration in mind. See our white paper, Integrating Centrify DirectControl with Identity Management Systems, for more details. The bottom line is that you can access DirectControl's data through industry standards such as ADSI and LDAP.
DirectControl seamlessly works with provisioning products such as Microsoft Identity Integration Server (MIIS). MIIS provides robust provisioning capabilities that automatically populate multiple identity stores (such as a personnel database, Active Directory, and other identity repositories) based on business policies. For example, as a user is added to an HR database, and is assigned to a group, MIIS captures that information, applies certain rules to give that individual access to different systems, and communicates with the various identity repositories. The DirectControl MIIS Management Agent acts as one of those repositories and uses the MIIS business policies to populate the UNIX/Linux user IDs in Active Directory, and uses the DirectControl Suite to provision the new user on the designated UNIX/Linux systems.
The DirectControl MIIS Management Agent takes advantage of the fact that only Centrify DirectControl includes patent-pending Zone technology that associates an Active Directory user with multiple UNIX identities stored in Active Directory. It also supports Microsoft's Services for UNIX (SFU) schema. In these ways it allows organizations to continue consolidating multiple non-Windows user IDs in Active Directory, with the additional benefit of being able to provision these users through the established processes and business-defined policies in MIIS. Centrify is in fact the first vendor to deliver an MIIS Management Agent leveraging the MIIS Management Agent SDK introduced in MIIS 2003 Service Pack 1.
How can I manage my Zone and UNIX/Linux user information within Active Directory?
Centrify provides a properties tab in the Active Directory Users and Computers Microsoft Management Console (MMC) application. In this tab you can configure and manage the UNIX/Linux properties associated with Active Directory users and groups. In addition, Centrify provides our own easy-to-use Administrator Console that combines all of the functionality of the MMC application with features unique to DirectControl, including the ability to create and manage Centrify Zones, and to produce reports that give you a view of your entire UNIX/Linux identity space.