Homage: Active Directory Bridging

January 21, 2020

Who knew that a key component to Just-in-Time privileged access management (PAM) was established 15 years ago? That was when Centrify brought Active Directory (AD) bridging to the masses in 2004.

The ability to provide identity-centric PAM that isolates potential breaches across legacy or cloud footprints and reduces the overall attack surface would never have been possible without Active Directory bridging.

That single development was the catalyst in building Centrify Zero Trust Privilege services. After 15 years of rock-solid Active Directory bridging success with thousands of customers in hundreds of industries, it’s time to pay homage.

You may be asking, “How in the world can Active Directory bridging lead to all of that?” The simple answer: Centrify’s Active Directory bridging solution is all grown up! It has become a mature solution that spans well beyond being a bridge between your Active Directory and UNIX/Linux access.

Back in 2004, the business world faced many challenges, and AD bridging delivered an inside-the-perimeter solution for many of these core challenges, including identity consolidation for non-Windows (i.e. UNIX) system access.

Today, the business world presents challenges around compliance measures and diverse transaction requirements. Mobile workforce demands continue to rise, presenting unique threats from always-connected personal devices with unprecedented social media and data protection concerns. Disaster recovery models are shifting to multi-tenant cloud architectures, built-in high availability, and adoption of Internet of Things (IoT)-capable appliances, which present even more security challenges.

Modern Threatscape

Traditional perimeter-focused security, with methodologies reliant upon a password vault, was not designed to address these broadened attack surfaces. As technologies evolve, the predominant threat for exploitation continues to be compromised credentials.

Centrify’s Active Directory bridging approach specializes in addressing these very issues. Industry analysts including Gartner, Forrester, and KuppingerCole have identified Centrify as a leader in the PAM space, a clear indicator of what Centrify’s Active Directory bridging capabilities have brought to privilege management.

The lightweight architecture and speed of enablement are very different from the complex physical vault architecture approach. Given the historical success Centrify’s Active Directory bridging has garnered inside established security perimeters, it is understandable that not everyone is aware of the broader capabilities customers are using to address other critical business needs.

The ability for non-Windows systems to be administered centrally from within Active Directory is no less relevant today than it was 15 years ago, but expanding to a directory brokering solution with security architecture around identity consolidation and Just-in-Time privileged access has become a vital piece of the cybersecurity ecosystem to address growing attack surfaces.

History helps to clarify this point. Initially, the standard in security was to build a really strong perimeter. The ability to move around freely within the perimeter was always a risk, but it was considered minimal. As remote connectivity became a competitive advantage, the perimeter was broadened to include customized remote access allowing the same freedom within the internal security perimeter. This was perceived to be an increase in risk, but it was considered minimal when compared to the overall productivity it allowed. VPNs and other hardware and software security silos were added to the equation over the years, each maintaining its own database of security secrets.

The biggest risk with all of these measures is complexity. A lot of that complexity is based primarily on one thing: your password. Think of the smartest and most accomplished person you know, and then think about the other end of the spectrum. All of this complexity around keeping people out relies on the strength of their password and their sensitivity to social exploits.

Many enterprises have multiple security silos with sensitive data and complex backup operations that access these critical data silos. Security silos typically run inside a Windows domain. When you add the human fallibility factor of taking the path of least resistance, multiple risks exist around these security silos designed with a perimeter security approach that places all risk mitigation into the execution of a password.

Administrators often have persistent privilege to do ANYTHING across the enterprise. A perimeter-based security approach of supplying a password is the only defense measure in far too many environments. Hectic business demands, increased workload, limited resources, mergers, and pressures around profitability each add a vulnerability to the attack surface that is ripe for a breach.

Ease of administration for the sake of convenient operations will circumvent risk mitigation at every turn.

Active Directory bridging has allowed us to build a solution to these broad attack surfaces that delivers a process-based approach for Just-in-Time privilege with multi-factor capabilities, session reporting, and analytical intelligence with real-time session management capability. That security architecture reduces the overall attack surface exposed to evolving cyber threats.

Industries are capitalizing on the speed, scalability, and security potential of the digital framework the cloud provides. The same legacy perimeter approach of administrators having the golden key to configure and manage access carries the same risk, if not more. The traditional design flaw of security initiatives built on limited, password-based perimeters has wreaked havoc through compromised credentials and malware-based loss of sensitive data.

Today’s security models and cyber threat roadmaps must have the ability to identify if a breach has occurred, isolate the suspected or validated breach, and eradicate the bad actor.

For those of us who work in the challenging world of cybersecurity, it is important to understand the value of Active Directory bridging and what it brings to privileged access management today.

Introduced as a solution to a 30-year-old problem in 2004, Active Directory bridging is no longer a tool that simply allows users to log into non-Windows systems with their Active Directory credentials. It has evolved to provide customers with Active Directory brokering and PAM for their Zero Trust roadmaps.

That critical component changed an industry 15 years ago and is the most deployed Active Directory bridging solution in the world. Centrify Active Directory bridging: a bridge well built!

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.