With 50,000 attendees, over 1,000 breakout sessions and countless sponsors and exhibitors, the 2017 AWS re:Invent conference in Las Vegas was one of the largest events yet. With announcements like server-less containers, managed databases and bare metal compute instances immediately available as a service, enterprises see cloud adoption as a clear choice model to operate. Security to protect infrastructure and workloads in AWS was a hot topic -- specifically in the realm of identity and access management. Enterprises migrating to AWS needed solutions to secure their AWS accounts, secure access to EC2 instances and secure access to their existing on-premises infrastructure. It’s no surprise that Centrify announced an Advanced-tier partnership with AWS and offers the Centrify Identity Services solution in the AWS Marketplace. In this blog, we examine how Centrify secures AWS infrastructure using an identity-centric approach.
Securing The AWS Root Account
Every AWS account has a built-in root account with absolute privileges to billing and all AWS services. AWS strongly recommends using AWS IAM policies for role based access to every AWS service and only using the root account for break-glass emergencies. Centrify secures the AWS root account using the Centrify Shared Account Password Management Service; a service that vaults the AWS root account and can require workflow approval prior to a checkout. Vaulting every AWS root account within Centrify not only improves overall security to AWS, it also promotes accountability with detailed audit trails of every checkout and helps for centralized management of multiple AWS accounts.
Federated Access to the AWS Management Console
With the explosion of cloud services came an explosion of disjoint identity silos. Enterprises found they had to manage, on average, 20 different identities per user in the company. Federation with an identity-as-a-service (IDaaS) provider centralizes authentication and policy enforcement of cloud services, like AWS, to a master user directory of your choosing (e.g. Active Directory). The benefit is single sign-on (SSO) access to all resources for end users and centralized ID management, authentication and policy enforcement for administrators. Announced shortly after the conference was the AWS single sign-on offering – an offering that provides centralized access and permissions management for enterprises with multiple AWS accounts. The offering also provides basic SSO access to AWS and cloud services that support SAML, while leveraging an on-premises Active Directory for authentication. Beyond SSO, Centrify enhances AWS SSO with a zero trust approach to govern access to enterprise resources -- applications, endpoints and infrastructure, based on the legitimacy of the user. By confirming the user’s identity with MFA and factoring other context about the user such as their device, geo-velocity, behavior and more, resources are better protected and less likely to be compromised by an attacker.
Identity Consolidation & Privileged Access Management for EC2
As on-premises workloads migrate to AWS, enterprises also need to extend authentication to EC2 instances from their existing on-premises directory service. Coupled with authentication, role based access based on least privilege, MFA, policy driven access, shared account password management and session auditing should be extended for all Windows, Unix and Linux servers -- whether they are in an on-premises datacenter or in AWS. Centrify makes it easy to deploy host based privileged access management capabilities on EC2 and on-premises infrastructure, while leveraging an existing on-premises directory service for centralized identity management.
It's evident that cloud is here to stay, and with cloud service providers like AWS enabling enterprises to run completely in the cloud, securing access to cloud and on-premises services is essential. Centrify helps enterprises achieve an optimal identity maturity model through identity consolidation, federated access, role based access based on least privilege, adaptive MFA with policy driven access controls, shared account password management and granular auditing, monitoring and reporting capabilities. While there are many access management solutions, each designed for specific use cases such as securing cloud applications, securing mobile devices and workstations or securing cloud and on-premises infrastructure, Centrify offers a solution to address all three use cases in an integrated platform.
Centrify’s award winning capabilities position the company as the only vendor to achieve a distinction in all three categories – Identity-as-a-Service, Privilege Access Management and Enterprise Mobility Management.