MANAGE YOUR SHARED ACCOUNTS AND PASSWORDS SECURELY
While today’s threat landscape, together with newer legislation and industry best practices, is pushing organizations towards individual identities rather than shared accounts in order to reach higher assurance levels, shared passwords will remain in many organizations. The first step is therefore to discover and register all machines, and then to vault all shared, alternate-admin and service accounts. Access to those accounts is then brokered for users, services and applications.
Reduce Risk When Sharing Privileged Accounts
Automatically discover systems and service accounts for subsequent management.
Enforce centralized control over who can access credentials and audit administrator activity — including securing third-party access.
Simplify and automate shared account password management for super user and service accounts.
Single location for emergency access to super user passwords for all on-premises and cloud-based systems and network infrastructure.
Step-up authentication and secure access to infrastructure without knowing privileged account passwords.
Secure storage of encrypted privileged account credentials in Centrify Privileged Access Service or a key management appliance on-premises (or in the cloud).
Automatically Discover Systems and Service Accounts
Windows systems, domain-joined Linux and UNIX systems, and their associated service accounts are automatically discovered in Active Directory and taken under management. Domain accounts used to launch Windows services and scheduled tasks on infrastructure and endpoints are also discovered and managed. For resources not in Active Directory, Centrify’s port-scanning discovery method can find network devices, Windows, Linux and UNIX systems, as well as local accounts.
Secure Checkout of Account Passwords
Authorized IT staff, whether internal or outsourced, and third-party vendors can check out passwords for shared accounts, including service, application and database accounts, for a limited duration. Centrify offers the option of taking a password under its full control, in which case it automatically changes the password after the checkout expires, or of simply storing the password for future access without changing it.
Session Establishment Without Disclosing Passwords
Authorized users can access resources using shared accounts without knowing the passwords, and Centrify never exposes the passwords to them. IT admins can use shared accounts without the risk of password sharing or unauthorized access.
Streamline Secure Privileged Access for Local Clients
Risk-Aware Policies for Checkouts and Privileged Sessions
Identify anomalous behavior while it is happening by enforcing risk-aware policies on users who initiate a privileged session or check out a password. Combining the risk level with role-based access control (RBAC), user context and multi-factor authentication (MFA) enables intelligent, automated, real-time decisions on whether to grant or block privileged access. These dynamically enforced access policies grant the user access, prompt for a second authentication factor or block access completely.
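The three mechanics described above, a time-limited checkout that rotates the password when it is returned or expires, a brokered session that never reveals the password, and a policy that combines RBAC, risk level and MFA state into grant / step-up / block, modelled in Python as an added example. This is illustrative code, not Centrify’s, and says nothing about how Centrify implements these features; the account root@linux-demo, the role names, the three-level risk scale and the fixed clock are constructed for the demo.

```python
# Added example, not Centrify's code: a small model of a shared-account vault that
# brokers time-limited password checkouts, applies a risk-aware policy (RBAC + risk
# level + MFA state) and rotates the secret on check-in or expiry. Accounts, roles,
# risk labels and times are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import secrets
import string

NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
LATER = NOW + timedelta(minutes=31)                     # past a 30-minute checkout


class Decision(Enum):
    GRANT = "grant"          # release the credential or open the session
    STEP_UP = "require_mfa"  # prompt for a second factor, then re-evaluate
    BLOCK = "block"          # deny and leave an audit record


@dataclass
class Request:
    user: str
    roles: set           # roles asserted for the user by the identity provider
    account: str         # vaulted account the user wants to use
    risk_level: str      # "low" | "medium" | "high" (constructed scale)
    mfa_satisfied: bool  # has a second factor already been presented?


def evaluate_policy(req: Request, acl: dict) -> Decision:
    """Fold RBAC, risk level and MFA state into one access decision."""
    if not (req.roles & acl.get(req.account, set())):
        return Decision.BLOCK      # no entitling role: never grant
    if req.risk_level == "high":
        return Decision.BLOCK      # anomalous context: deny outright
    if req.risk_level == "medium" and not req.mfa_satisfied:
        return Decision.STEP_UP    # elevated risk: demand MFA first
    return Decision.GRANT


class Vault:
    def __init__(self, acl: dict, passwords: dict, ttl=timedelta(minutes=30)):
        self.acl = acl
        self.ttl = ttl
        self._secrets = dict(passwords)  # account -> current password (in memory for the demo)
        self._checkouts = {}             # account -> (holder, expires_at)
        self.audit = []                  # (time, event, account, user) tuples

    def _log(self, now, event, account, user):
        self.audit.append((now.isoformat(), event, account, user))

    def _rotate(self, account, now, reason):
        alphabet = string.ascii_letters + string.digits
        self._secrets[account] = "".join(secrets.choice(alphabet) for _ in range(24))
        self._log(now, f"rotate:{reason}", account, "vault")

    def checkout(self, req: Request, now: datetime):
        """Release the password for a limited time. Returns (decision, password or None)."""
        decision = evaluate_policy(req, self.acl)
        self._log(now, f"checkout:{decision.value}", req.account, req.user)
        if decision is not Decision.GRANT:
            return decision, None
        held = self._checkouts.get(req.account)
        if held and held[1] > now and held[0] != req.user:
            self._log(now, "checkout:already_held", req.account, req.user)
            return Decision.BLOCK, None  # one holder at a time keeps the trail attributable
        self._checkouts[req.account] = (req.user, now + self.ttl)
        return decision, self._secrets[req.account]

    def checkin(self, account: str, user: str, now: datetime) -> bool:
        """Holder returns the credential; rotating it kills any copy that was written down."""
        held = self._checkouts.get(account)
        if held is None or held[0] != user:
            return False
        del self._checkouts[account]
        self._log(now, "checkin", account, user)
        self._rotate(account, now, "checkin")
        return True

    def expire(self, now: datetime) -> list:
        """Housekeeping pass: rotate every account whose checkout has timed out."""
        expired = [a for a, (_, exp) in self._checkouts.items() if exp <= now]
        for account in expired:
            holder, _ = self._checkouts.pop(account)
            self._log(now, "checkout:expired", account, holder)
            self._rotate(account, now, "expiry")
        return expired

    def open_session(self, req: Request, now: datetime):
        """Brokered session: the secret is used internally, the caller gets only an opaque handle."""
        decision = evaluate_policy(req, self.acl)
        self._log(now, f"session:{decision.value}", req.account, req.user)
        if decision is not Decision.GRANT:
            return decision, None
        _password = self._secrets[req.account]  # goes to the SSH/RDP connector, never to the caller
        return decision, "session-" + secrets.token_hex(8)


if __name__ == "__main__":
    vault = Vault({"root@linux-demo": {"linux-admins"}}, {"root@linux-demo": "initial-demo-pw"})
    alice = Request("alice", {"linux-admins"}, "root@linux-demo", "low", False)
    print(vault.checkout(alice, NOW), vault.expire(LATER), vault.checkout(alice, LATER))
```

Two design points carry the security value. Rotation on both check-in and expiry is what makes a password that was read off a screen or written down worthless after the window closes, and the brokered-session path never returns the secret at all, only a handle. Every decision, including a block and a refused double checkout, lands in the audit list, which is what lets an investigator reconstruct who held a shared account at any moment.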
Break-Glass Access to Passwords from a Mobile Device
Get controlled, emergency access to privileged account passwords from a mobile device enrolled in the Centrify Zero Trust Privilege Services. Secure password checkout requires PIN or fingerprint validation, and each checkout times out automatically according to per-resource policy.
Government-Grade, Secure and Encrypted Storage for Your Data
Your data is securely stored using the Centrify Zero Trust Privilege Services for all user, resource, account, password and secrets information. Centrify also supports SafeNet KeySecure key management appliances from Gemalto as an alternative for encrypted storage of account passwords and secrets.
See Centrify Privileged Access Service in Action
Centrify Automatic Discovery of Systems and Service Accounts
Watch this video to learn how Centrify Privileged Access Service automatically discovers Windows, Linux and UNIX systems and their associated service accounts.
Centrify Break-Glass Access to Passwords
Watch this video to learn how to get controlled, emergency access to privileged account passwords from your mobile device.
Tony Goulding: OK, here we are on my iPhone and you see here we have the Centrify native app that provides an alternative way of accessing Windows, UNIX, and Linux servers or network devices under Centrify management.
Tony Goulding: In this scenario, I need to check out the root password for a server that's in single-user mode and off the network. Further still, the network is down, so I'm unable to use my laptop to browse to the Centrify Privileged Access Service vault portal to check out the password. But since I still have cellular access, I can leverage this app.
Tony Goulding: So let's open the app. Since the app gives access to administrative functions, I'm prompted to validate my identity. I’ll use the Face Scan.
Tony Goulding: The landing page shows the various managed systems I can access.
Tony Goulding: In the list we see a Windows domain controller and member server, and a few Linux boxes, including the Red Hat Linux server I'm interested in. Tapping the FM-Red Hat 1 entry takes me to a list of accounts I can access based on my Centrify roles. I'll click the Checkout button for the root account. Note again that since this is a privileged operation inside the Centrify app, I'm validated again with my Face ID.
Tony Goulding: The app retrieves the password from the Centrify vault and I'm able to write that down, walk up to the Linux console and log in to begin diagnosing the issue.
Tony Goulding: Navigating back, you can see the various account passwords I have checked out, and once I'm done fixing the Linux box, I can check the password back in. Under the covers, the Centrify Privileged Access Service will rotate the password to prevent any subsequent misuse.
Tony Goulding: So there we see the convenience of using a native mobile application, available on iOS and Android, to check out passwords in emergency break-glass scenarios, even when the regular network is not available.