DirectControl's Unique Zone-Based Granular Access Control

Zones provide the industry's only enterprise-class solution for enforcing granular access control for both users and administrators across a heterogeneous environment

Centrify's patent-pending Zone technology was designed with access control and regulatory compliance in mind. Customers can create logical groupings of mixed UNIX, Linux or Mac systems within Active Directory as Centrify Zones. Each Zone can have a unique set of users, a unique set of administrators, and a unique set of security policies and access rights. Regardless of how diverse or distributed an organization's systems may be, IT managers can use DirectControl Zones to bring UNIX, Linux and Mac systems into Active Directory while preserving existing security boundaries and privileges. Centrify's Zone technology leverages the power of Active Directory's access control mechanisms while providing even more granular access control within your mixed environment.

For most customers, the Centrify Zones capability for advanced access control is the "must have" feature that enables them to address their regulatory needs and achieve a secure, connected computing infrastructure with Active Directory at its center.


How Zones Work

Centrify's Zone technology is built on the access control foundation that is at the core of Active Directory. With Active Directory, only users that are members of a domain can access machines and resources that are also members of the domain. With Zones, customers can create more granular sets of users and computers that can have their own members and access privileges. This allows organizations to secure users and resources into any logical grouping that meets their business needs. More importantly, this allows companies to restrict access to certain groups of systems to a very specific subset of the Active Directory domain user community. In addition, DirectControl allows managers to have a central view into who has access to systems in each Zone - both through a central console as well as through a reporting system.

These capabilities allow customers to meet the regulatory demands of Sarbanes-Oxley, Payment Card Industry (PCI) standards, and other government and industry regulations that require verifiable controls over access to systems with critical business information.

[Figure: a sample Zone layout. This organization chose to create Zones based on departmental ownership. Alternatively, another organization may have chosen to create Zones by geography, or even by system type.]

Zones have these features:

  • A Zone can consist of any mixture of DirectControl-managed UNIX, Linux or Mac computers. You can choose to organize them in any way that fits your organization's needs - by department, geography, system type or some other method.
  • By adding a user or group to a Zone, you enable them to access any computer in that Zone. A single user or group can be a member of any number of Zones. However, they cannot log in to computers in any Zone of which they are not a member.
  • You can delegate administration of Zones. DirectControl builds on Active Directory's delegated administration feature to enable administrators to manage their systems - and only their systems. See Zone-Based Delegated Administration for more about this feature.
  • Zones are optional. If you don't need this level of access control, all systems can simply be added to a default Zone.

The beauty of the Centrify Zones technology is that this granular access control is managed centrally within Active Directory, not locally at each and every system.

A Visual Interface and Built-In Reporting

With the DirectControl Administrator Console you have a visual interface that enables you to easily view and change Zone memberships and access controls. Other products don't offer this ability to easily see who actually has access to what systems and applications within your environment; you need yet another tool to manage permissions, and auditing and reporting are clumsy data aggregation exercises.

With DirectControl, you can address your audit requirements by running the numerous out-of-the-box reports that can prove to auditors, on demand, what systems any specific user can access, and which users can access any specific system.

The DirectControl Reporting Center provides many out-of-the-box reports and has customization features that let you select the data you need and change report formatting.
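The access rule in the feature list above (a user or group added to a Zone may log in to any computer in that Zone, and nowhere else) and the two audit reports described here (which systems a given user can reach, and which users can reach a given system) can be modelled in a few lines. The block below is an added illustration written for this page; it is not DirectControl's own code or its Active Directory schema. It assumes a flat directory with direct group membership only (no nested groups), and all user, group, Zone and host names are constructed sample data.

```python
"""Toy model of Zone-based access decisions and the two audit reports.

Added illustration, not Centrify's implementation. Assumptions: direct group
membership only (no nested groups); all names are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Zone:
    name: str
    computers: Set[str] = field(default_factory=set)
    # Members are user names or group names (assumption: direct membership only).
    members: Set[str] = field(default_factory=set)


# Constructed sample directory: group -> users.
GROUPS: Dict[str, Set[str]] = {
    "finance-admins": {"alice"},
    "dba": {"bob", "carol"},
}

# Constructed sample Zones, organised by department (one of the layouts the page suggests).
ZONES: List[Zone] = [
    Zone("Finance", {"fin-db01", "fin-app01"}, {"finance-admins", "dave"}),
    Zone("Engineering", {"build01", "ci01"}, {"dba", "alice"}),
    Zone("Default", {"legacy01"}, {"dave"}),
]

USERS: Set[str] = {"alice", "bob", "carol", "dave", "eve"}


def groups_of(user: str) -> Set[str]:
    """Groups the user belongs to directly (assumption: no nesting)."""
    return {g for g, users in GROUPS.items() if user in users}


def principals_of(user: str) -> Set[str]:
    """The names under which a user can be a Zone member: the user plus its groups."""
    return {user} | groups_of(user)


def zones_for_computer(computer: str, zones: List[Zone] = ZONES) -> List[Zone]:
    """All Zones that contain the computer (a host may sit in more than one in this model)."""
    return [z for z in zones if computer in z.computers]


def can_log_in(user: str, computer: str, zones: List[Zone] = ZONES) -> bool:
    """Login is allowed only if some Zone containing the computer lists the user
    or one of the user's groups as a member. A user in no such Zone is denied,
    even though the user is a valid domain account."""
    principals = principals_of(user)
    return any(principals & z.members for z in zones_for_computer(computer, zones))


def systems_for_user(user: str, zones: List[Zone] = ZONES) -> List[str]:
    """Audit report 1: every computer the user can access, derived from Zone membership."""
    principals = principals_of(user)
    return sorted({c for z in zones if principals & z.members for c in z.computers})


def users_for_system(computer: str, users: Set[str] = USERS,
                     zones: List[Zone] = ZONES) -> List[str]:
    """Audit report 2: every user who can access the computer."""
    return sorted(u for u in users if can_log_in(u, computer, zones))


if __name__ == "__main__":
    for u in sorted(USERS):
        print(f"{u:6} -> {systems_for_user(u)}")
    for z in ZONES:
        for c in sorted(z.computers):
            print(f"{c:9} ({z.name}) <- {users_for_system(c)}")
```

Running the block prints both reports for the sample data: alice reaches the Finance hosts through the finance-admins group and the Engineering hosts as a direct member, eve (a domain user in no Zone) reaches nothing, and the per-host listing shows who can log in where. The point of the model is that both reports are derived from the same central membership data that the login decision uses, which is what lets a report stand as evidence rather than an aggregation of per-host settings.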

Zones' Unique Ability to Enable Regulatory Compliance

Most government regulations such as Sarbanes-Oxley and industry regulations such as PCI have several key requirements in common. Centrify's Zone technology is the only solution that has been specifically designed to address these issues.

  • Access to key systems should be granted only to those who need it. Centrify Zones provide the most straightforward and manageable means for centrally controlling who is given permission to log on to specific systems. From a single visual interface you can, with complete assurance, view and change Zone membership. Other products push settings out to individual systems through Group Policy (which itself is not intended as an access control mechanism). These other systems do not provide you with a global view of your access control structure, and updates are thus clumsy and error-prone.
  • There must be a separation of duties between those who manage accounts and those who manage systems. Only DirectControl provides full role-based delegated administration for non-Windows systems. Central IT staff can control accounts, and the delegated administrator for a Zone can add or remove accounts from the Zone without having any additional privileges to change the accounts themselves.
  • IT managers must be able to prove, on demand, who has access to what systems. Centrify DirectControl provides out-of-the-box reports that can show, among other things, which systems a specific user can access, and which users can access a specific system. Zone-based reporting provides assurance that access controls that follow business needs are in place. Since other products control access at each local system, reporting is time-consuming or non-existent, and without a clear organizing principle such as Zones, auditors will be understandably skeptical that a report is definitive.

DirectControl enables many other compliance-related benefits. For a thorough examination, see the white paper Using Microsoft Active Directory to Address Sarbanes-Oxley (SOX) Compliance in Heterogeneous Environments by the Robert Francis Group.