Unique Zone Technology
Whether you need to manage a few workstations or tens of thousands of Windows, Linux, and UNIX servers, Centrify's patented Zone technology enables you to quickly centralize management of these resources within Active Directory while not compromising on security or manageability. Centrify Zones provide:
- The fastest and most efficient means of consolidating a set of complex and disparate non-Windows identities into Active Directory
- The most flexible solution for creating least-access and least-privilege security models for a diverse set of users, systems and roles across Windows, Linux, and UNIX systems
- The most secure means of managing user privileges in a highly granular manner
What Is a Centrify Zone?
A Centrify Zone is a collection of attributes and security policies that define the identities, access rights and privileges shared by a group of users. A small organization might need only a single Zone to manage their users and desktops. A large organization may need a hierarchy of Zones to manage users who need access to thousands or tens of thousands of Windows, Linux, and UNIX systems that are used as everything from end-user workstations to web application servers.
Zones provide a flexible means of managing a set of users and computers that all need to share a common set of policies and access controls. For example, you could create a Zone for users and their computers, regardless of where they are located geographically or what department they work for. You could create a Zone for an engineering department whose users must all share access to a set of UNIX development systems, whether located in a data center or in the cloud. Or you could create a Zone for a branch office that has its own set of administrators tasked with managing all the Windows, Linux, and UNIX systems in their location. A user can be in multiple Zones, enabling you to create identity management, access control, privilege management and delegation solutions that are as simple or as sophisticated as you need them to be for your particular environment.
At minimum, a Zone contains a set of users that need to be managed as a group for efficiency or security reasons. Although some organizations will have Zones that contain only users (in particular, a Global Zone, described later), most Zones also contain:
- A set of UNIX management data that defines policies for those users' UNIX profile, such as how users' home directories are assigned (note: "UNIX profile" refers to management data for any Linux, UNIX or Mac system)
- The set of computers or devices to which these users can be granted access
- An inventory of the access rights that users in that Zone need, and the discrete tasks that they can perform
- A set of computer roles that characterize the function of a subset of computers
- A set of user roles that specify the rights (access and privileges) granted to users in that role
- Role assignments that associate Active Directory users or groups with the user roles
This approach enables you to manage your heterogeneous server environment by tying the rights a user has on a Windows, Linux or UNIX system with a single, definitive identity centrally stored and managed in Active Directory. In so doing, you enjoy a variety of both efficiency and security benefits. Need to give a new employee rights to administer web servers scattered across your enterprise? Assign them to an Active Directory group for web developers. Need to ensure a reassigned system administrator can no longer access any system within her previous department? Remove her from the Active Directory group for that department's admins. Managing your cross-platform environment in Active Directory means you can use Centrify management tools to easily generate regulatory compliance reports for auditors, assessors, and internal staff that illustrate specifically who has access to which systems, what they can do on those systems, along with who granted the access controls.
What Makes Zones Unique and Powerful: Hierarchy and Inheritance
While small organizations can efficiently manage a single Centrify Zone that contains all their users and computers, most organizations will benefit by first setting up a Zone hierarchy that starts with a top-level Global Zone. As a best practice, a Global Zone contains all of the Active Directory users who will need access rights on a system or device. Each user can optionally have a UNIX profile that defines their unique user ID (UID) and other attributes. The Zone can be configured to define how new users and computers are assigned UIDs, home directories, and so on.
Under the Global Zone, you can then create any number of Child Zones. A Child Zone can inherit the users and any associated UNIX profiles from the Global Zone. But often you will need to override one or more properties on a Zone by Zone basis to fit the requirements of that particular Zone. Child Zones can be nested to achieve the level of management granularity you need.
As your management and security needs become more sophisticated, you will set up computer roles, user roles, and role assignments to more granularly control access to Linux and UNIX systems and to granularly manage the privileges users have on Windows, Linux, and UNIX systems. Centrify's unique hierarchical Zones enable you to define roles and role assignments at any level within your Zone hierarchy, and specify whether those properties are inherited or overridden at any individual level. This powerful inheritance model is not only an efficient way to manage users of non-Windows systems and manage privileges on Windows, Linux, and UNIX, but also has a variety of security benefits:
- Least-access security. Adding users to a Zone does not automatically grant them access rights to a computer or device within their Zone. Users get access only when you assign them into a role that grants access.
- Least-privilege security. In the same vein, granting login access to a computer does not automatically grant the user privileges on that system. For each role, you also define the specific rights granted to users in that role, giving you tight control over your least-privilege security model.
- Delegation. Within a Zone, you can create a variety of roles in order to control delegation of privileged tasks. For example, you could create one role that enables a web developer to restart the web service on a computer, and another role enabling a database administrator to create a copy of a database file for backup. The database and web service could be running on the same computer, with users in different roles being able to login and perform only the set of tasks necessary to their jobs. You can create a highly privileged IT administrator role at the Global Zone so they can access all computers within your environment, while defining a similar role at a Zone level for system admins in that Zone.
- Separation of duties. Centrify's Zone technology takes advantage of Active Directory's own delegation model to ensure separation of duties. For example, corporate IT staff can retain the privilege to create Active Directory users and computers. Administrators of Centrify Zones need only the authority to change the Centrify Zone data within Active Directory.
Enabling Rapid Migration of UNIX Identities into Active Directory
Centrify's hierarchical Zone technology provides the industry's only solution for quickly and easily migrating UNIX identities from multiple sources into Active Directory. Organizations often have multiple identity stores across which a single user has different UIDs. Other solutions force you to reassign users a consistent UID across all of the computers they need to access as a prerequisite for managing the user's UNIX profile in Active Directory.
Instead, Centrify enables you to import each identity store as they currently exist into a Centrify Child Zone and map a user in that Child Zone to the correct user in the Global Zone. Your Zone hierarchy can contain a mix of Child Zones in which the same user's UID may be inherited from the Global Zone or may be overridden with the UID he has among the computers in a particular Child Zone. A Centrify Zone can also contain NIS maps that associate a user's identity in a NIS domain to their Active Directory account. In cases where computers were locally managed one by one, you can even create a Computer Zone where the user has a unique UID.
Centrify provides migration tools to automate the consolidation of UNIX identity stores into Active Directory.
Without Centrify Zones, organizations can't even begin the process of integrating non-Windows systems with Active Directory until they complete the arduous task of rationalizing their UNIX namespace so that each user has a single, consistent UID across all systems — a process that could take weeks or months, or may not even be practical at all. With Centrify Zones, the process literally takes days.
Computer Roles Provide Unique Management and Security Advantages
Another unique and powerful Centrify feature is the Computer Role, which enables a computer to effectively be a member of multiple Zones, one of the most commonly requested capabilities from our customers. A Computer Role is a collection of computers that share a common set of management and security requirements. For example, you might create a Computer Role for web servers and a user role for web developers. The web developer role grants access to the web server Computer Role and defines a limited set of privileges. Membership in the web developer role could then be controlled using an Active Directory group. Giving a web developer consistent access rights and privileges to web servers throughout your enterprise is then as simple as adding them to the Active Directory group. They do not get privileges to other computers in the Zones where the web servers are located.