Centrify Zone Technology

Quickly consolidate complex and disparate UNIX and Linux user identities into Active Directory with Centrify's patented Zone technology — without having to first rationalize all user identities. Centrify's Zone Technology enables you to manage your heterogeneous environment by tying the rights a user has on a Windows, Linux or UNIX system with a single identity, stored and managed in Active Directory.

Quickly Centralize Management for Windows, Linux and UNIX Servers

What is a Centrify Zone?

A Centrify Zone is a collection of attributes and security policies that define the identities, access rights and privileges shared by a group of users. A small organization might need only a single Centrify Zone to manage their users and desktops. A large organization may need a hierarchy of Centrify Zones to manage users who need access to thousands or tens of thousands of Windows, Linux and UNIX systems that are used as everything from end user workstations to Web application servers.

Centrify Zones provide a flexible means of managing a set of users and computers that all need to share a common set of policies and access controls. For example, you could create a Centrify Zone for users and their computers, regardless of where they are located geographically or what department they work for. You could create a Centrify Zone for an engineering department whose users must all share access to a set of UNIX development systems, whether located in a data center or in the cloud. Or you could create a Centrify Zone for a branch office that has its own set of administrators tasked with managing all the Windows, Linux and UNIX systems in their location. A user can be in multiple Centrify Zones, enabling you to create identity management, access control, privilege management and delegation solutions that are as simple or as sophisticated as you need them to be for your particular environment.

At minimum, a Centrify Zone contains a set of users that need to be managed as a group for efficiency or security reasons. Although some organizations will have Centrify Zones that contain only users (in particular, a Global Centrify Zone, described later), most Centrify Zones also contain:

  • A set of UNIX management data that defines policies for those users' UNIX profile, such as how users' home directories are assigned (note: "UNIX profile" refers to management data for any Linux or UNIX system).
  • The set of computers or devices to which these users can be granted access.
  • An inventory of the access rights that users in that Centrify Zone need, and the discrete tasks that they can perform.
  • A set of computer roles that characterize the function of a subset of computers.
  • A set of user roles that specify the rights (access and privileges) granted to users in that role.
  • Role assignments that associate Active Directory users or groups with the user roles.

This approach enables you to manage your heterogeneous server environment by tying the rights a user has on a Windows, Linux or UNIX system with a single, definitive identity centrally stored and managed in Active Directory. In doing so, you enjoy a variety of both efficiency and security benefits.

Need to give a new employee rights to administer Web servers scattered across your enterprise? Assign them to an Active Directory group for Web developers. Need to ensure a reassigned system administrator can no longer access any system within his/her previous department? Remove him/her from the Active Directory group for that department's admins. Managing your cross-platform environment in Active Directory means you can use Centrify management tools to easily generate regulatory compliance reports for auditors, assessors and internal staff that illustrate specifically who has access to which systems, what they can do on those systems, along with who granted the access controls.

What Makes Zones Unique and Powerful: Hierarchy and Inheritance

While small organizations can efficiently manage a single Centrify Zone that contains all their users and computers, most organizations will benefit by first setting up a Centrify Zone hierarchy that starts with a top-level Global Centrify Zone. As a best practice, a Global Centrify Zone contains all of the Active Directory users who will need access rights on a system or device. Each user can optionally have a UNIX profile that defines their unique user ID and other attributes. The Centrify Zone can be configured to define how new users and computers are assigned user IDs, home directories and so on.

Under the Global Centrify Zone, you can then create any number of Child Centrify Zones. A Child Centrify Zone can inherit the users and any associated UNIX profiles from the Global Centrify Zone. But often you will need to override one or more properties on a zone-by-zone basis to fit the requirements of that particular Centrify Zone. Child Centrify Zones can be nested to achieve the level of management granularity you need.

As your management and security needs become more sophisticated, you will set up computer roles, user roles and role assignments to more granularly control access to Linux and UNIX systems and to granularly manage the privileges users have on Windows, Linux and UNIX systems. Centrify's unique hierarchical zones enable you to define roles and role assignments at any level within your Centrify Zone hierarchy and specify whether those properties are inherited or overridden at any individual level. This powerful inheritance model is not only an efficient way to manage users of non-Windows systems and manage privileges on Windows, Linux and UNIX, but also has a variety of security benefits:

  • Least Access Security: Adding users to a Centrify Zone does not automatically grant them access rights to a computer or device within their Centrify Zone. Users get access only when you assign them into a role that grants access.
  • Least Privilege Security: In the same vein, granting login access to a computer does not automatically grant the user privileges on that system. For each role, you also define the specific rights granted to users in that role, giving you tight control over your least privilege security model.
  • Delegation: Within a Centrify Zone, you can create a variety of roles to control delegation of privileged tasks. For example, you could create one role that enables a Web developer to restart the Web service on a computer, and another role enabling a database administrator to create a copy of a database file for backup. The database and Web service could be running on the same computer, with users in different roles being able to log in and perform only the set of tasks necessary to their jobs. You can create a highly privileged IT administrator role at the Global Centrify Zone, so they can access all computers within your environment, while defining a similar role at a Child Centrify Zone level for system admins in that Centrify Zone.
  • Separation of Duties: Centrify's Zone Technology takes advantage of Active Directory's own delegation model to ensure separation of duties. For example, corporate IT staff can retain the privilege to create Active Directory users and computers. Administrators of Centrify Zones need only the authority to change the Centrify Zone data within Active Directory.

Enabling Rapid Migration of UNIX Identities into Active Directory

Centrify's hierarchical Zone Technology provides the industry's only solution for quickly and easily migrating UNIX identities from multiple sources into Active Directory. Organizations often have multiple identity stores across which a single user has different user IDs. Other solutions force you to reassign users a consistent user ID across all the computers they need to access as a prerequisite for managing the user's UNIX profile in Active Directory.

Instead, Centrify enables you to import each identity store as it currently exists into a Child Centrify Zone and map a user in that Child Centrify Zone to the correct user in the Global Centrify Zone. Your Centrify Zone hierarchy can contain a mix of Child Centrify Zones in which the same user's ID may be inherited from the Global Centrify Zone or may be overridden with the user ID s/he has among the computers in a particular Child Centrify Zone. A Centrify Zone can also contain NIS maps that associate a user's identity in a NIS domain with their Active Directory account. In cases where computers were locally managed one by one, you can even create a Centrify Computer Zone where the user has a unique user ID.

Centrify provides migration tools to automate the consolidation of UNIX identity stores into Active Directory. Without Centrify Zones, organizations can't even begin the process of integrating non-Windows systems with Active Directory until they complete the arduous task of rationalizing their UNIX namespace so that each user has a single, consistent user ID across all systems — a process that could take weeks or months or may not even be practical at all. With Centrify Zones, the process literally takes days.

Centrify Computer Roles Provide Unique Management and Security Advantages

Another unique and powerful Centrify feature is the Centrify Computer Role, which enables a computer to effectively be a member of multiple Centrify Zones, one of the most commonly requested capabilities from our customers. A Centrify Computer Role is a collection of computers that share a common set of management and security requirements. For example, you might create a Centrify Computer Role for Web servers and a user role for Web developers. The Web developer role grants access to the Web server Centrify Computer Role and defines a limited set of privileges. Membership in the Web developer role could then be controlled using an Active Directory group. Giving a Web developer consistent access rights and privileges to Web servers throughout your enterprise is then as simple as adding them to the Active Directory group. They do not get privileges to other computers in the Centrify Zones where the Web servers are located.
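The hierarchy, inheritance and override model described above, together with computer roles and the least-access and least-privilege rules, as a small Python model written for this page (not Centrify's code or data schema; the zone, role, AD group and host names are constructed sample data):

```python
# Toy model of a hierarchical zone scheme: UID overrides, role assignments and
# computer roles. Constructed illustration only, not Centrify's code or schema.
from dataclasses import dataclass, field
ALL = "*"  # wildcard computer role: the role grants login to every computer

@dataclass(frozen=True)
class Role:
    computer_roles: frozenset  # computer roles this role grants login to
    rights: frozenset          # discrete privileged tasks allowed on them

@dataclass
class Zone:
    name: str
    parent: "Zone | None" = None
    uids: dict = field(default_factory=dict)         # user -> UID profile at this level
    roles: dict = field(default_factory=dict)        # role name -> Role defined here
    assignments: dict = field(default_factory=dict)  # AD group -> role name

    def chain(self):  # this zone first, then each parent up to the global zone
        z = self
        while z is not None:
            yield z
            z = z.parent
    def effective_uid(self, user):  # nearest profile wins: child override beats inherited
        return next((z.uids[user] for z in self.chain() if user in z.uids), None)
    def effective_roles(self, groups):  # roles reached via any assignment in the chain
        out = []
        for z in self.chain():
            for group, name in z.assignments.items():
                if group in groups:  # the role definition may itself be overridden lower down
                    out += [a.roles[name] for a in self.chain() if name in a.roles][:1]
        return out

def granting_roles(zone, host_roles, groups):  # roles whose scope covers this host
    return [r for r in zone.effective_roles(groups)
            if ALL in r.computer_roles or r.computer_roles & host_roles]
def can_login(zone, host_roles, groups):  # least access: membership alone grants nothing
    return bool(granting_roles(zone, host_roles, groups))
def rights_on(zone, host_roles, groups):  # least privilege: only rights of covering roles
    return set().union(*(r.rights for r in granting_roles(zone, host_roles, groups)))

def build_demo():  # constructed sample: Global -> engineering -> legacy-host computer zone
    web = Role(frozenset({"web_servers"}), frozenset({"restart_httpd"}))
    g = Zone("Global", uids={"alice": 1001, "bob": 1002}, roles={
        "web_dev": web, "dba": Role(frozenset({"db_servers"}), frozenset({"copy_db_file"})),
        "it_admin": Role(frozenset({ALL}), frozenset({"root_shell"}))},
        assignments={"WebDevs": "web_dev", "DBAs": "dba", "CorpIT": "it_admin"})
    eng = Zone("engineering", parent=g, uids={"alice": 5001},  # overrides UID and role
               roles={"web_dev": Role(web.computer_roles, web.rights | {"tail_logs"})})
    return g, eng, Zone("legacy-host", parent=eng, uids={"alice": 7})
```

A host that carries both the web and database computer roles gives a WebDevs member only the Web-service rights, and a user whose groups match no assignment in the chain cannot log in at all.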

Go beyond the vault and properly verify who requests privileged access with Authentication Service.

Centrify Privilege Access Service in Action

Using Centrify Zero Trust Privilege
to Protect Against PowerShell Remoting Attacks

Attackers commonly use PowerShell remoting as a means of moving laterally within your network. Centrify Privilege Elevation Service can prevent this, even if the attacker has obtained domain admin rights.
