Centrify Your Security

Regulatory Compliance

Establish accountability and advance compliance reporting by recording which users accessed which systems, what commands they executed, with what privilege, and the exact changes they made to key files and configurations.

Every major compliance regulation requires organizations to link access controls, role-based privileges, and user activity to named users. In cross-platform environments, establishing this accountability is a complex task given the existence of multiple identity silos such as NIS and LDAP databases, platform-specific proprietary directories, and local config files managed system by system.

Centrify addresses these IT security and compliance requirements with a Unified Identity Services solution: a single, integrated architecture for authentication, access control, privilege management, policy enforcement and compliance. See the topics below for details on how Centrify's unified approach addresses specific compliance regulations.

Easily establish the authentication, authorization, encryption and audit requirements detailed in the Payment Card Industry Data Security Standard across all platforms

The PCI Council, a consortium of the major card brands, maintains PCI DSS, a rigorous set of standards for protecting cardholder data anywhere it is transmitted, processed or stored. PCI DSS is enforced by the card brands and banks, which can impose stiff fines and penalties, including the suspension of payment card processing privileges. Any business that accepts payment cards or processes card data must validate its compliance with PCI DSS through a yearly assessment.

Centrify addresses these ongoing challenges by providing a scalable, non-intrusive solution to PCI DSS and other compliance regulations. Centrify Suite ensures that new servers and applications (virtual or physical) are secure and consistently controlled and managed.

Centrify Suite PCI DSS Solution Overview

Suite Edition | Products                       | PCI DSS Requirement
Platinum      | DirectSecure                   | 4. Encrypt transmission of cardholder data across open, public networks
              |                                | 1. Install and maintain a firewall configuration to protect cardholder data
Enterprise    | DirectAudit, DirectControl     | 10. Track and monitor all access to network resources and cardholder data
Standard      | DirectAuthorize, DirectControl | 7. Restrict access to cardholder data by business need-to-know
              |                                | 8. Assign a unique ID to each person with computer access
              |                                | 2. Do not use vendor supplied defaults for system passwords and other security parameters

Below is an overview of how Centrify addresses six of the twelve major requirements of PCI DSS that are relevant to corporate IT staff. For a detailed, point-by-point analysis, request our free PCI white paper.

1. Install and maintain a firewall configuration to protect cardholder data

Section 1.2 in particular states that organizations must "Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment." Centrify DirectSecure, a server isolation and protection solution, provides organizations with a simpler, software-based approach that dynamically isolates servers subject to PCI audits so that they can communicate only with other trusted computers. Not only is this solution more secure and easier to deploy than traditional firewall-based approaches, it also enables organizations to reduce the scope — and thus the cost — of PCI audits by focusing the audit on just the affected systems and not every system in their environment.

2. Do not use vendor supplied defaults for system passwords and other security parameters

Centrify enforces user authentication with Active Directory credentials, which are managed with password policies configured in Active Directory. This ensures every user authenticates with their own unique credential and cannot access systems with default or weak passwords. In addition, requirement two mandates that all non-console administrative access be encrypted. Using Centrify with OpenSSH provides both secure authentication and single sign-on via Kerberos and network-level encryption of administrative sessions.

4. Encrypt transmission of cardholder data across open, public networks

Centrify's solution for encrypting data-in-motion is particularly cost-effective for retailers who must move customer credit card data from branch stores to a corporate data center. Instead of relying on expensive private lines, they can move data across the Internet using the strong authentication and encryption features of IPsec.

7. Restrict access to cardholder data by business need-to-know

At the heart of many publicly acknowledged PCI DSS infractions is the issue of managing superuser privileges on systems holding customer information such as credit card numbers. With the Centrify Suite, each administrator or other staff member can be granted role-based access and privileges according to a least-privilege security model. For example, a backup operator can be granted the right to log in to a Linux or UNIX database server and perform a backup without being granted other privileges that would, for example, also give them access to customer data. A server or group of servers can have its own unique set of authorized users, administrators, and security and configuration policies.

8. Assign a unique ID to each person with computer access

Corporate IT security administrators can link access rights and privileges to a user's Active Directory account. Those users log in with their individual Active Directory account, not a root or other superuser account, and automatically get the appropriate access rights and privileges.

10. Track and monitor all access to network resources and cardholder data

The Centrify Suite can comprehensively log all user activity on a system and, once again, link it back to a unique Active Directory account.