Centrify Unveils Client-based Password Reconciliation to Strengthen Admin Password Availability and Integrity

Market-first capability revolutionizes unspoken Achilles’ heel of password vaulting, resulting in increased availability of services and a reduced attack surface

July 23, 2020

SANTA CLARA, Calif. ― July 23, 2020Centrify, a leading provider of Identity-Centric Privileged Access Management (PAM) solutions, today announced Client-based Password Reconciliation, now included in version 20.3 of Centrify Privileged Access Service. By enabling organizations to automate password reconciliation through the Centrify Client to ensure business application availability, Centrify users can reduce risk and rely on their password vault as the single source of truth for reliable, consistent access to privileged account passwords.

When an administrator, application, or service checks out a password from a vault in order to authenticate, that password needs to be correct. Otherwise that authentication will fail, which in some cases, can have far-reaching impacts on the business if that application, machine, or service is very critical. For example, if it’s part of a financial services app, it could potentially cost millions of dollars if the availability or repair-ability isn’t instantaneous and reliable. The password vault must be the source of truth.

Historically, organizations have relied on vault-initiated password rotation to ensure local passwords are in sync with the password vault. However, if someone were to change the password of a target asset locally, the vault and that machine will become out of sync, and the next privileged access request will fail. This is especially troublesome if the person who changed the password on a target asset is a malicious user or threat actor. It is further exacerbated by the reality of modern IT environments, which may require thousands of applications, machines, or services to have reliable access to each other in real time.

To improve both the availability and security of privileged authentication, Centrify customers can now automate password reconciliation by taking advantage of the distributed Centrify Client, which runs as a secure service on target host machines. This empowers the password vault to do a real-time check with the Client to ensure the local password is in sync. If not, the password vault can then change or reset the local password directly, instantaneously reconciling the issue without requiring a root, local administrator, domain administrator, or custom privileged master account. The authentication request can then be granted without requiring a backdoor privileged account or intervention by a human using a root or superuser account.

“The Centrify Client is really what makes this first-of-its-kind innovation possible, since it creates the trust bond between the vault and the target, whether it’s a server, database, application, or microservice,” said Nate Yocom, CTO, Centrify. “This is a capability that our customers requested from Centrify, knowing we are uniquely capable of leveraging this approach to solve this pain point in a better way than traditional password rotation. The result is better availability, higher integrity, fewer privileged accounts, and reduced risk because the vault and the Centrify Client have the connection to reconcile passwords in real time.”

Centrify’s Client-based approach also eliminates the need for persistent administrative rights on a server, reducing the overall number of privileged accounts and enforcing a Zero Standing Privileges posture. Users benefit from increased availability and can reconcile out-of-sync passwords in real time, ensuring successful authentication by stakeholders. The Client can also reconcile locked-out accounts (e.g., due to failed login attempts) to further ensure availability.

“Privileged Access Management is a top priority for information security professionals, especially as modern attack surfaces enter the IT estate as part of digital transformation,” explained Paul Bedi, CEO, IDMWORKS. “As our customers embark on or continue PAM journeys, we’re seeing many begin with vault-centric approaches where password reconciliation can be an Achilles’ heel that undermines enterprise PAM security efforts. Centrify Privileged Access Service’s Client-based Password Reconciliation provides users with seamless access to privileged accounts - a significant improvement over existing approaches, through automation.”

For further information about this new capability included in Centrify Privileged Access Service, please download the complimentary white paper, “Implement Password Reconciliation to Ensure Business Application Availability,” and watch a demo video at https://www.youtube.com/watch?v=ySlfu-1c_F8.

About Centrify
Centrify is redefining the legacy approach to Privileged Access Management by delivering multi-cloud-architected Identity-Centric PAM to enable digital transformation at scale. Centrify Identity-Centric PAM establishes trust, and then grants least privilege access just-in-time based on verifying who is requesting access, the context of the request, and the risk of the access environment. Centrify centralizes and orchestrates fragmented identities, improves audit and compliance visibility, and reduces risk, complexity, and costs for the modern, hybrid enterprise. Over half of the Fortune 100, the world’s largest financial institutions, intelligence agencies, and critical infrastructure companies, all trust Centrify to stop the leading cause of breaches – privileged credential abuse.

®Centrify is a registered trademark of Centrify Corporation in the United States and other countries. All other trademarks are the property of their respective owners.

Ready to Protect Against the #1 Attack Vector?

Register for a 30-day trial of Centrify's Privileged Access Management (PAM) software to minimize your attack surface and control privileged access to your hybrid environment.

Free Trial