Govern Privileged Access to Critical Systems via ServiceNow Advanced Workflows.
Centrify has teamed up with ServiceNow to unlock the synergies of both companies’ solutions.
Privileged accounts are becoming the focal point for external attackers and malicious insiders, increasing the risk of security breaches. Reduce this risk by minimizing the attack surface with temporary, time-bound privileged access to on-premises and cloud-based infrastructure.
Centrify Privileged Access Request for ServiceNow is a self-service feature enabling IT administrators to request brokered login or password checkout rights within Centrify Vault Suite or a Zone role for Centrify Privilege Elevation Service. In a least privilege model, when an administrator needs additional rights to run privileged applications or commands, they can request temporary (time-bound) access, just-in-time.
As an alternative to Centrify’s built-in request and workflow, a request can instead be issued from ServiceNow’s Service Catalog. The approver can similarly review the request and associated context and grant or deny all from within ServiceNow. If the approver grants access, ServiceNow workflow uses a Centrify-developed application to provision the necessary Centrify roles. Once the time limit has expired, Centrify automatically revokes the roles to re-establish a secure, low-privilege state.
Benefits for Joint Customers
Available in the download section of Centrify’s Support Portal, the Centrify External Credential Storage Plugin for ServiceNow allows customers to:
- Improve security posture and comply with regulations and industry standards by centralizing system and network device privileged credentials in Centrify Vault Suite by avoiding multiple identity silos, thereby reducing your attack surface.
- Improving IT and operational efficiencies through automation, entrusting password management functions to Centrify Vault Suite. For all system accounts used by ITOM applications.
- Automatically generating unique passwords for full audit accountability.
- Automatically rotating them, and
- Automatically reconciling sync issues if a user manually changes a password on the endpoint.
IT no longer needs to deal with manual credential configuration, manual password updates, or help desk calls when a local account password changes and breaks the ITOM application.
Reduce the Risk of Compromised Credentials by Externalizing ServiceNow MID Server Credential Management
ServiceNow IT Operations Management (ITOM) applications, such as ServiceNow Discovery, ServiceNow Orchestration, and ServiceNow Service Mapping, rely upon the ServiceNow Management, Instrumentation, and Discovery (MID) Server to provide the accounts and passwords they need to function.
For example, ServiceNow Discovery helps maintain a single system of record for IT. It scans the network to find Linux, UNIX, and Windows servers, as well as network devices. Then it logs in to obtain asset and configuration data, which it populates into the ServiceNow Configuration Management Database (CMDB). To log in, ServiceNow Discovery obtains privileged accounts (such as “root” and local “administrator”) from the ServiceNow MID Server. Such accounts are a prime target for attackers since they typically have the highest privileges. If compromised, they give the attackers carte blanche access — the proverbial keys to the kingdom.
To mitigate such risks, improve security, and improve operational efficiency, store these highly sensitive account passwords in a place designed to protect and manage them — Centrify’s hardened vault, the Centrify Vault Suite. Simply deploy the Centrify External Credential Storage Plugin for ServiceNow to your ServiceNow MID Server to enable it to checkout passwords from the Centrify vault instead of locally. This is transparent to your ITOM apps, which continue to request credentials from the ServiceNow MID Server as usual.
Available in the ServiceNow Store, the Centrify Privileged Access Request for ServiceNow application allows customers to:
- Leverage the ServiceNow Service Catalog to provide manager-based approval (or self-service auto-approval) for infrastructure session access, shared account password checkouts, and Centrify Zone roles for privilege elevation.
- Address the issue of “required documented approval” for change control or privileged activity.