Centrify Your Security

Regulatory Compliance

Establish accountability and advance compliance reporting by recording which users accessed which systems, what commands they executed, with what privilege, and the exact changes they made to key files and configurations

Every major compliance regulation requires organizations to link access controls, role-based privileges, and user activity to named users. In cross-platform environments, establishing this accountability is a complex task given the existence of multiple identity silos such as NIS and LDAP databases, platform-specific proprietary directories, and local config files managed system by system.

Centrify addresses these IT security and compliance requirements with a Unified Identity Services solution: a single, integrated architecture for authentication, access control, privilege management, policy enforcement and compliance. See the topics below for details on how Centrify's unified approach addresses specific compliance regulations.

Utilities and energy firms can implement a robust security and auditing infrastructure for NERC cybersecurity compliance using Centrify solutions and Active Directory

Energy producers and distributors that make up the bulk electric system for North America have multiple IT security and compliance challenges, which range from protecting consumers' payment card data and complying with the Payment Card Industry Data Security Standard, to adhering to the general internal audit control and disclosure requirements under Sarbanes-Oxley. In addition, utilities and firms that fall under the authority of the Federal Energy Regulatory Commission (FERC) must meet the cybersecurity standards of the FERC's certified Electric Reliability Operator (ERO), the North American Electric Reliability Corporation (NERC). The NERC Critical Infrastructure Protection (CIP) standards for cybersecurity add specific mandates that overlap with other compliance regulations and also add unique controls, monitoring and audit requirements. In order to certify compliance, organizations must establish security controls and maintain auditing and continuous monitoring capabilities across heterogeneous systems in an organization's IT environment, including across Windows, UNIX and Linux systems.

Centrify solutions address many of the core technical requirements for Cybersecurity as outlined in NERC CIP Standards 002-009 by providing the critical authentication, access control, delegation, separation of duties, continuous monitoring and reporting required by the NERC standards and other associated guidance from NERC. Centrify solutions are essential to the security automation that is required to mitigate risk of malicious intrusion and insider threats, and to provide a centralized and robust infrastructure for proof-of-compliance reporting and monitoring. Just as surveillance tools such as video cameras are a critical part of physical security controls under NERC, Centrify provides the critical infrastructure to secure authentication, access control, granular privilege management and continuous monitoring of user activity across UNIX, Linux and Windows systems.

Specific requirements from NERC CIP 005, 004, 007 and 008 taken together establish a clear obligation that all electronic access be audited, monitored and archived in such a way that an organization can reproduce detailed privileged user sessions 24 hours per day, 7 days per week. This continuous monitoring requirement would be difficult to achieve with a combination of manual processes and system-level logs, which often do not tie actions to a unique identity. Centrify Suite — consisting of DirectControl, DirectAuthorize, DirectAudit, DirectSecure and DirectManage — is an integrated suite of solutions that ensures every user has a unique credential and enforces authentication for access so that all their actions can be tracked, monitored and reported on.

Centrify solutions provide tangible benefits for organizations requiring security and compliance with NERC CIP standards, including:

DirectControl

  • Eliminate shared accounts and root password vault approaches with strong authentication and single sign-on to privileged accounts through users' unique Active Directory credential
  • Enforce Group Policy across UNIX, Linux and Mac OS X systems as well as iOS and Android devices
  • Generate detailed reports for NERC compliance showing who has access to what resources, commands and applications. Inventory systems and devices for compliance and asset management

DirectAuthorize and Centrify Zones

  • Quickly establish role-based granular access to systems based on business need-to-know using a dynamic rights model to secure privileged access and command execution
  • Enforce delegated administration and separation of duties so only authorized users are granting secured access to sensitive systems and applications

DirectAudit

  • Continuous monitoring of privileged user activity with critical cyber-security assets and sensitive applications tied to the user's unique identity
  • Spot suspicious activity or improper procedures on critical cyber-security assets in real-time or through analysis of recorded sessions