Whether you need to manage a few workstations or tens of thousands of Windows, Linux, and UNIX servers, Centrify's patented Zone technology enables you to quickly centralize management of these resources within Active Directory while not compromising on security or manageability. Centrify Zones provide:
A Centrify Zone is a collection of attributes and security policies that define the identities, access rights and privileges shared by a group of users. A small organization might need only a single Zone to manage their users and desktops. A large organization may need a hierarchy of Zones to manage users who need access to thousands or tens of thousands of Windows, Linux, and UNIX systems that are used as everything from end-user workstations to web application servers.
Zones provide a flexible means of managing a set of users and computers that all need to share a common set of policies and access controls. For example, you could create a Zone for users and their computers, regardless of where they are located geographically or what department they work for. You could create a Zone for an engineering department whose users must all share access to a set of UNIX development systems, whether located in a data center or in the cloud. Or you could create a Zone for a branch office that has its own set of administrators tasked with managing all the Windows, Linux, and UNIX systems in their location. A user can be in multiple Zones, enabling you to create identity management, access control, privilege management and delegation solutions that are as simple or as sophisticated as you need them to be for your particular environment.
At minimum, a Zone contains:
Although some organizations will have Zones that contain only users (in particular, a Global Zone, described later), most Zones also contain:
This approach enables you to manage your heterogeneous server environment by tying the rights a user has on a Windows, Linux, or UNIX system with a single, definitive identity centrally stored and managed in Active Directory. In so doing, you enjoy a variety of both efficiency and security benefits. Need to give a new employee rights to administer web servers scattered across your enterprise? Assign them to an Active Directory group for web developers. Need to ensure a reassigned system administrator can no longer access any system within her previous department? Remove her from the Active Directory group for that department's admins. Managing your cross-platform environment in Active Directory means you can use Centrify management tools to easily generate regulatory compliance reports for auditors, assessors, and internal staff that illustrate specifically who has access to which systems, what they can do on those systems, along with who granted the access controls.
While small organizations can efficiently manage a single Centrify Zone that contains all their users and computers, most organizations will benefit by first setting up a Zone hierarchy that starts with a top-level Global Zone. As a best practice, a Global Zone contains all of the Active Directory users who will need access rights on a system or device. Each user can optionally have a UNIX profile that defines their unique user ID (UID) and other attributes. The Zone can be configured to define how new users and computers are assigned UIDs, home directories, and so on.
Under the Global Zone, you can then create any number of Child Zones. A Child Zone can inherit the users and any associated UNIX profiles from the Global Zone. But often you will need to override one or more properties on a Zone by Zone basis to fit the requirements of that particular Zone. Child Zones can be nested to achieve the level of management granularity you need.
As your management and security needs become more sophisticated, you will set up computer roles, user roles, and role assignments to more granularly control access to Linux and UNIX systems and to more granularly manage the privileges users have on Windows, Linux, and UNIX systems. Centrify's unique hierarchical Zones enable you to define roles and role assignments at any level within your Zone hierarchy, and specify whether those properties are inherited or overridden at any individual level. This powerful inheritance model is not only an efficient way to manage users of non-Windows systems and manage privileges on Windows, Linux, and UNIX, but also has a variety of security benefits:
Centrify's hierarchical Zone technology provides the industry's only solution for quickly and easily migrating UNIX identities from multiple sources into Active Directory. Organizations often have multiple identity stores across which a single user has different UIDs. Other solutions force you to reassign users a consistent UID across all of the computers they need to access as a prerequisite for managing the user's UNIX profile in Active Directory.
Instead, Centrify enables you to import each identity store as it currently exists into a Centrify Child Zone and map a user in that Child Zone to the correct user in the Global Zone. Your Zone hierarchy can contain a mix of Child Zones in which the same user's UID may be inherited from the Global Zone or may be overridden with the UID he has among the computers in a particular Child Zone. A Centrify Zone can also contain NIS maps that associate a user's identity in a NIS domain with their Active Directory account. In cases where computers were locally managed one by one, you can even create a Computer Zone where the user has a unique UID.
Centrify provides migration tools to automate the consolidation of UNIX identity stores into Active Directory.
Without Centrify Zones, organizations can't even begin the process of integrating non-Windows systems with Active Directory until they complete the arduous task of rationalizing their UNIX namespace so that each user has a single, consistent UID across all systems - a process that could take weeks or months, or may not even be practical at all. With Centrify Zones, the process literally takes days.
Another unique and powerful Centrify feature is the Computer Role, which enables a computer to effectively be a member of multiple Zones, one of the most commonly requested capabilities from our customers. A Computer Role is a collection of computers that share a common set of management and security requirements. For example, you might create a Computer Role for web servers and a user role for web developers. The web developer role grants access to the web server Computer Role and defines a limited set of privileges. Membership in the web developer role could then be controlled using an Active Directory group. Giving a web developer consistent access rights and privileges to web servers throughout your enterprise is then as simple as adding them to the Active Directory group. They do not get privileges to other computers in the Zones where the web servers are located.
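To make the inheritance and override behaviour described above concrete (Global Zone, Child Zone and Computer Zone UIDs, plus a Computer Role granting access through a user role), here is an added illustrative model. It is not Centrify's code or API, and every zone, user, role and host name in it is constructed: a UID resolves to the nearest Zone in the chain that defines it, and access to a host requires both a UNIX profile somewhere in that chain and a user role granted via a Computer Role that contains the host.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    # UNIX profiles (UIDs) and role assignments live per Zone; Child Zones chain to a parent.
    name: str
    parent: "Zone | None" = None
    uids: dict = field(default_factory=dict)   # AD user -> UID defined or overridden at this level
    roles: dict = field(default_factory=dict)  # user role -> set of AD users assigned at this level
    def nearest(self, attr, key):
        # Walk from this Zone up to the Global Zone; the nearest level defining `key` wins.
        zone = self
        while zone is not None:
            if key in getattr(zone, attr):
                return getattr(zone, attr)[key]
            zone = zone.parent
        return None
    def resolve_uid(self, user):
        return self.nearest("uids", user)  # None: no UNIX profile anywhere in the chain
    def has_role(self, user, role):
        return user in (self.nearest("roles", role) or set())

@dataclass
class ComputerRole:
    # Computers sharing requirements, possibly spread across Zones; a user role unlocks all members.
    members: set
    user_roles: set

def can_access(user, host, host_zone, computer_roles):
    # Needs a UNIX profile in the host's Zone chain plus a granting user role via a Computer Role.
    if host_zone.resolve_uid(user) is None:
        return False
    return any(host in cr.members and any(host_zone.has_role(user, r) for r in cr.user_roles)
               for cr in computer_roles)

# Constructed sample hierarchy: Global -> eng (inherits UIDs); Global -> nis_legacy (overrides them)
GLOBAL = Zone("Global", uids={"alice": 10001, "bob": 10002}, roles={"web-dev": {"alice"}})
ENG = Zone("eng", parent=GLOBAL)
LEGACY = Zone("nis_legacy", parent=GLOBAL, uids={"alice": 501})
BOX7 = Zone("box7", parent=LEGACY, uids={"alice": 7001})  # Computer Zone for one locally managed host
WEB_SERVERS = ComputerRole(members={"web01", "web02"}, user_roles={"web-dev"})

def example():
    return {
        "alice_uid_eng": ENG.resolve_uid("alice"),        # inherited from Global: 10001
        "alice_uid_legacy": LEGACY.resolve_uid("alice"),  # overridden in the Child Zone: 501
        "alice_uid_box7": BOX7.resolve_uid("alice"),      # overridden again in the Computer Zone: 7001
        "alice_web01": can_access("alice", "web01", ENG, [WEB_SERVERS]),  # True via the web-dev role
        "bob_web01": can_access("bob", "web01", ENG, [WEB_SERVERS]),      # False: not in web-dev
    }
```

Removing alice from the constructed web-dev set is the whole revocation: she keeps her UIDs everywhere, but `can_access` turns False on every web server at once.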