U.S. Government Defense Agency Addresses Critical Security Controls Using Centrify’s Privileged Access Management (PAM) Solution
The US Department of Defense has a rich and successful history of securing its infrastructure, largely due to the early adoption of strong authentication. But when it was discovered that an integral area had been overlooked, a key agency within the department turned to Centrify to help them address critical control gaps and strengthen the overarching security posture with centralized authentication and privileged access management.
In the late 90s, the Department of Defense (DoD) adopted a Common Access ID Card outfitted with a computer chip that supported public key infrastructure (PKI) credentials as its standard identification credential. In 2005, the department began to replace usernames and passwords with these “tokens” for strong authentication.
“We successfully updated our systems to include initial user authentication and user workstation authentication across the entire network, including web-based applications,” says the former CTO of a major agency within the Department of Defense. “We accomplished that using PKI encryption and the certificates that were stored on the card. However, in the process of rolling it out, we overlooked privileged user authentication.”
Agency administrators and other employees would log into workstations and then elevate privilege as necessary to accomplish various management activities. That elevation of privilege was done through the use of plain text usernames and passwords.
“There was significant concern that we had so many privileged user accounts, we couldn’t even get an accurate tally. They were all being audited with spreadsheets, there was no standardized approach to managing them, and it was clear that the lack of control could lead to a compromise in the infrastructure,” says the former CTO. “There was a paper form that was used to grant privilege, but no process to remove it when an employee left the job, and that was creating additional risk exposure.”
When the DoD audited the process and found that privileged user authentication and privilege elevation were still being done with usernames and passwords, creating privilege sprawl across the department, alarm bells went off. US Cyber Command issued a communications tasking order that identified the issue, described the actions required to address it, gave a deadline for completion, and began the process of implementing a reporting structure to ensure compliance.
“It became a major imperative because it was a huge risk,” he says. “If an adversary penetrated any of the administrative workstations used to manage operations in the data center, they could mount a ‘pass-the-hash’ attack, escalate privilege, and move laterally into the main server ecosystem.”
While pass-the-hash attacks have been significantly mitigated with Windows 10, variants still exist today. And, unlike a corporation, a government entity faces adversaries willing to spend hundreds of millions of dollars and thousands of hours to exploit any control gap they find in the system. A quick and effective solution was required.
A group tasked with designing cybersecurity solutions for the agency partnered with the engineers who designed and developed the management infrastructure for computing centers, and together they devised a high-level architecture to solve the problem.
One of the most critical requirements was to centralize all the account information associated with authentication. The team performed a survey of the commercial market to identify potential solutions. At the time, the agency found only a few could provide the required functionality — with Centrify being one of them.
After an evaluation that involved extensive functional and security testing, both in the lab and in the agency’s own infrastructure, the agency selected Centrify.
“We based the decision on functionality, maturity, existing familiarity with the product, and assurances and accolades from other DoD agencies using it. It was also important that Centrify provided support for our Common Access Card and other tokens, as well as PKI-based authentication.” - U.S. Department of Defense
The implementation was smooth and fast; the Centrify product performed well and the agency met the tight deadline. “Our engineers worked directly with Centrify engineering teams for design and implementation. It was rolled out and right away it met our functional and security requirements,” he says.
As an expert with decades of security experience, the former CTO is frequently asked about the most important elements in securing an environment. “I tell both government agencies and private corporations facing similar security challenges that user identification, authentication, and privileged access management are probably the most important aspects of cybersecurity, and they should be prioritized accordingly. If you don’t understand who’s accessing your systems, if you don’t have strong authentication, or if you don’t have good audit capabilities, you don’t have a chance.
“The audit capabilities are possibly the most important feature when they’re properly utilized. Too many organizations collect audit data but then ignore and eventually delete it. That data needs to be fed into analytics tools to look for network anomalies that allow you to detect and prevent unauthorized privilege. It must be part of your day-to-day defense,” he says.
“Equally important is just-in-time privilege. Admins should be given the potential of having very specific privileges based on their roles so that when they need to accomplish a specific task, they simply request activation of the necessary privileges. As soon as the task is completed, the privileges are removed,” says the former CTO.
“Professional Services help ensure you’re identifying and solving the problem you came to solve in the most direct way. Leverage them.” - U.S. Department of Defense
Prior to Centrify, the agency had dozens of disparate Microsoft® Active Directories as well as local account stores in many systems, and an entirely separate infrastructure designed to support Linux servers. When someone wanted privilege on any one of those systems, a new account, username, and password were created. Because administrators need access across multiple systems, the result was identity sprawl. Today, the department has made significant upgrades to its entire infrastructure, including an online, automated approach to privilege.
“We once had massive numbers of poorly audited, poorly controlled accounts. Identity sprawl prevented us from understanding the extent of privileged user access,” he says. “We used Centrify to combine the disparate Active Directories into one centralized, bridged Active Directory. That became the single location for storing privileged user accounts and it enabled authentication for our Linux servers as well, further reducing the number of privileged accounts.”
Today, agency employees are provisioned into Active Directory once. If they require elevated privileges, they’re provisioned and de-provisioned quickly and easily with minimal human intervention. While the main driver was security, automating privileged access management has resulted in considerable cost savings.
“Centrify helped us to quickly solve a significant security problem. The side effect was that the infrastructure became far more cost-effective to operate and maintain because it was so much easier to control and audit privilege. We eliminated the manual processes of puzzling through giant spreadsheets, figuring out who did and did not need privileged access, and manually granting and removing it,” he says.
The response by administrators to Centrify technology has been extremely positive. It has replaced multiple accounts, usernames, and passwords with a single account and a single authentication methodology. Tasks can now be performed without the former complexity, risk, and waiting time. That has simplified day-to-day operations and made access to the system much more transparent.
“Prior to Centrify, the best practice we had in terms of managing privilege was a spreadsheet. The worst practice was a physical file cabinet full of access permission forms filled out by admins, printed, and signed by a manager. With Centrify, we got clear insight into exactly who has what privilege at all times,” he says. “Centrify has redefined best practices when it comes to privileged access management.”
More recently, the DoD has updated its infrastructure to include identity synchronization, where the authentication infrastructure connects to master personnel databases that contain all military, civilian, and contractors associated with the department. The day anyone leaves for any reason, the database is immediately updated and synchronized to Active Directory, which immediately and automatically eliminates all of their privileged user entitlements.
In the near future, the department plans to adopt a Zero Trust architecture, further leveraging Centrify technologies like just-in-time privilege to reduce the risk associated with granting privilege.
“Centrify was selected to be part of the agency’s Zero Trust initiative, aimed at delivering a next-gen architecture built around Zero Trust for the entire DoD. It will include advanced capabilities like just-in-time provisioning of privilege and audit,” says the former CTO. “Moving forward, I expect to see the capabilities already being exploited further enhanced by the many new features Centrify has brought to the market.”