At Centrify, we believe it is essential for our customers to stay abreast with the latest developments — be it product- or company related. Our ‘What’s New’ section provides you with complete details on recent product releases and announcements.
June 28, 2019
What’s New in Centrify Privileged Access Service 19.4
New Features - Centrify Privileged Access Service
Enhancements for an easy onboarding experience
Improvements to the existing Quick Start wizard, which include a Getting Started wizard for easy onboarding. System administrators will be guided through Connector installation and an import of up to 20 systems.
- Allows for a quick discovery of Active Directory-joined Windows servers
- Supports the option to discover and manage the local administrator accounts
Improved VMware Support
We are improving our support for VMware VMkernel systems and accounts. In this release, we add the ability to manage local accounts for VMkernel on ESXi hypervisor versions 5.5 and higher.
- Enables shared account password management on VMware VMkernel systems
- Allows remote login access to VMware VMkernel systems with account credentials and SSH keys
We are also enhancing support for the VMware vSphere Client desktop application. This allows login to VMware vSphere via vaulted account credentials and SSH keys using the desktop application.
Improved Database Performance
Performance at enterprise scale is a feature. Improved PAS architecture and queries for PostgreSQL enable fast page loads and queries for enterprise scale resource and account loads.
- Orders of magnitude improvements for page loads and database queries
- Scales to large enterprise deployment scale
- Requires upgrade to version 19.4 database
If you are a customer using Centrify cloud service, no action is needed. These enhancements will be part of the 19.4 deployment.
For customers who are using on-premises deployment, please follow:
https://centrify.force.com/support/Article/KB-11818-How-To-Enable-FastDB-on-Customer-Managed-Privilege-Access-Service-PostgreSQL-Database to enable the feature.
The return of minutes in windowed workflow requests
The ability to specify windowed workflow requests in intervals of minutes instead of hours is coming back to the Privileged Access Service. This allows users to specify their just-in-time login and checkout access requests down to the minute for granular time selection.
19.4 Workflow – Windowed Login Request by Minute
19.3 Workflow – Windowed Login Request by Hour
Extended support of account soft locks for Active Directory and LDAP
In order to prevent Denial of Service (DoS) attacks, we are extending the account lock capabilities of our Centrify Directory Users to Active Directory (AD) and LDAP Users. This feature sets a soft lock in the Privileged Access Service for an account that has exceeded a set number of invalid login attempts. The locked account is prevented from accessing Centrify services. The maximum number of consecutive bad password attempts, the capture window, and the lockout duration before a password re-attempt is allowed can all be customized, to a level below the AD or LDAP policy threshold, so that the soft lock engages before the directory's own lockout does.
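The soft-lock mechanism described above can be modelled with three parameters: a failure threshold, a capture window, and a lockout duration. The example below is an added illustration, not Centrify code: it simulates a front-end soft lock configured below a directory's own lockout threshold and counts how many attempts would actually reach the directory. The account names, thresholds and timestamps are constructed, and the directory side is modelled as a plain consecutive-failure counter (hypothetical, not an AD or LDAP implementation).

```python
"""Soft-lock simulation (added example, not Centrify code).

Models a front-end lockout that engages before the back-end directory's
own lockout threshold, so a burst of bad passwords cannot lock the real
directory account. All names, numbers and the directory-side counter are
constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftLockPolicy:
    max_attempts: int      # consecutive bad attempts inside the window before the soft lock engages
    window_seconds: int    # capture window: failures older than this are forgotten
    lockout_seconds: int   # how long the soft lock stays in place

    def check_below(self, directory_threshold: int) -> None:
        """Refuse a policy that would let the directory lock first."""
        if self.max_attempts >= directory_threshold:
            raise ValueError(
                f"soft-lock threshold {self.max_attempts} must be below "
                f"directory threshold {directory_threshold}")


class SoftLockTracker:
    """Per-account sliding-window failure counter with a timed lock."""

    def __init__(self, policy: SoftLockPolicy) -> None:
        self.policy = policy
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account: str, now: int) -> None:
        cutoff = now - self.policy.window_seconds
        q = self._failures[account]
        while q and q[0] <= cutoff:
            q.popleft()

    def is_locked(self, account: str, now: int) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lock expired: start with a clean slate
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account: str, now: int) -> bool:
        """Record a bad password; return True if this failure engaged the lock."""
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.policy.max_attempts:
            self._locked_until[account] = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Hypothetical directory lockout threshold (e.g. an AD "account lockout threshold" of 10).
AD_LOCKOUT_THRESHOLD = 10
# Soft lock engages at 5 consecutive failures within 5 minutes and holds for 15 minutes.
POLICY = SoftLockPolicy(max_attempts=5, window_seconds=300, lockout_seconds=900)

# Constructed attempts: (time in seconds, account, password_correct).
SAMPLE_ATTEMPTS = (
    [(t, "svc-backup", False) for t in range(0, 80, 10)]   # 8 rapid bad guesses
    + [(1000, "svc-backup", True)]                          # owner logs in after the lock expires
    + [(5, "alice", False), (15, "alice", False), (25, "alice", True)]
    + [(t, "bob", False) for t in range(0, 1000, 200)]      # slow failures that fall out of the window
)


def simulate(attempts, policy: SoftLockPolicy, directory_threshold: int) -> dict:
    """Replay attempts through the soft lock; report what reached the directory."""
    policy.check_below(directory_threshold)
    tracker = SoftLockTracker(policy)
    forwarded = defaultdict(int)          # attempts that actually reached the directory
    rejected_locally = defaultdict(int)   # attempts stopped by the soft lock
    dir_failures = defaultdict(int)       # directory's own consecutive-failure counter (modelled)
    peak_dir_failures = defaultdict(int)
    lock_events = []
    for t, account, ok in sorted(attempts, key=lambda a: a[0]):
        if tracker.is_locked(account, t):
            rejected_locally[account] += 1
            continue
        forwarded[account] += 1
        if ok:
            tracker.record_success(account)
            dir_failures[account] = 0
        else:
            dir_failures[account] += 1
            peak_dir_failures[account] = max(peak_dir_failures[account], dir_failures[account])
            if tracker.record_failure(account, t):
                lock_events.append((t, account))
    return {
        "forwarded": dict(forwarded),
        "rejected_locally": dict(rejected_locally),
        "peak_directory_failures": dict(peak_dir_failures),
        "directory_locked": [a for a, n in peak_dir_failures.items() if n >= directory_threshold],
        "lock_events": lock_events,
    }


if __name__ == "__main__":
    print(simulate(SAMPLE_ATTEMPTS, POLICY, AD_LOCKOUT_THRESHOLD))
```

In the run, `svc-backup` is soft-locked at its fifth failure; the remaining three guesses are rejected locally and the directory only ever sees five consecutive failures, well under the threshold of ten, so the real account is never locked. `bob`'s failures are spaced wider than the capture window and never accumulate, which is why the window must be chosen together with the threshold.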
Enhanced support for Federated Login
Light Federation allows federated users to be mapped to existing non-federated directory users in a Centrify tenant. Federation can now be configured to make account mapping disabled, optional, or required for users coming from an external source directory (a federated Centrify Directory, a federated Idaptive Directory, or a federated Active Directory). This feature enables users to be provisioned with access rights in the Centrify Privileged Access Service (PAS) before they log in for the first time. With the enhanced Light Federation support, customers receive the following:
- Support for granting PAS administrative rights to federated users by giving those rights to an existing mapped directory service account.
- Support for optionally creating a Centrify Directory user when there is no existing account to map.
- Support for synchronizing federated user attributes with a mapped user’s attributes.
- Support for adding existing mapped users to federated groups.
- Support for access policies that control multi-factor authentication (MFA).
- Support for OAuth credentials for non-interactive federated authentication, which is primarily a feature that is used for Centrify PAS Client authentication.
New Centrify Privileged Access Service (PAS) Client for Windows
The new Centrify Client for Windows works with the PAS platform to provide brokered authentication to Windows systems. By using the common code of the Centrify Client for Linux, we are able to achieve synergy between PAS clients. This client is lightweight, easy to deploy, and ideal for customers that have IaaS or DMZ use cases. The following benefits will be provided with the client for Windows:
- Multi-directory support (AD, LDAP, Google, and Centrify Directories)
- Conditional Access
- Multi-step and Multi-factor Authentication
- Password-less login with “Use my Account”
- CLI Tooling to interact with PAS
- Local Group Mapping
April 16, 2019
What’s New in Centrify Privileged Access Service 19.3
Privileged Access Request application update for new ServiceNow releases
The ServiceNow integration for PAS comprises support for access requests to PAS systems, PAS accounts and Zone roles in an Active Directory domain using a ServiceNow workflow. This release updates the certification of the integration for recent ServiceNow releases.
Centrify Integration for ServiceNow is now certified on:
- ServiceNow London release
- ServiceNow Madrid release
March 8, 2019
What’s New in Centrify Privileged Access Service 19.2
PAS Integration with SailPoint IdentityIQ PAM Module
Combining role-based access control with attestation and remediation from the industry leaders – Centrify and SailPoint
SailPoint IdentityIQ is the industry-leading IAM application focusing on attestation and remediation, access request, and user provisioning.
Centrify’s integration with SailPoint enables organizations to accelerate the adoption of crucial governance and compliance processes for identity and access management.
- Provisioning users into Centrify PAS Roles or Sets
  - SailPoint PAM Module containers map to Centrify PAS Roles and Sets
  - Provision users into Centrify PAS Roles
  - Grant user permissions on Centrify PAS Sets
- Attestation of user rights and permissions from PAS
Use and manage secrets in an RBAC hierarchy
Role-based access control is the proven methodology for managing distributed access to critical information. Centrify adds an RBAC hierarchy to file and text secrets.
- Define who can edit and use Secrets within a Secret and folder hierarchy
- You control:
  - The hierarchy (‘Secret and folder’)
  - Who can edit/use Secrets in which folder
  - Who can create/delete new folders in the hierarchy
  - Who can move Secrets and folders
- Virtually unlimited namespace for Secrets
- Standard for managing Secrets in DevOps
- Secure API access to hierarchy and Secrets
SailPoint IdentityIQ connector integration enhancements
For customers who enable self-service for their users within SailPoint IdentityIQ, the Centrify Connector Integration offers unique value for self-service access requests to systems and accounts managed by PAS.
The connector integration is enhanced to enable access requests to Centrify Zone roles, in addition to resources and accounts managed by PAS.
Access request from within SailPoint IIQ to:
- Centrify Zone roles
  - Writes new Zone information to Active Directory
  - User access updates based on agent settings
New UI for system and account tiles in old User Portal
The new Centrify PAS user interface puts a laser focus on managing your IT infrastructure. IT system and account logins for low privileged users (such as Help Desk) now appear in a user Workspace.
User Portal tiles for PAS systems and accounts are migrated into a new Workspace user interface.
- New “My System Accounts” table in the user Workspace
  - Automatically migrates existing tiles
- Portal Login permission is changed to Workspace Login
  - Accounts with this permission will appear in the user Workspace
- Enables users without PAS administrative rights to access systems and accounts
  - Minimizes user interface for these users
New Features - Centrify Infrastructure Services
The 19.2 release of infrastructure services contains enhancements to use the LDAP proxy to access NIS Netgroups from RFC2307 data in Active Directory and some Kerberos enhancements.
January 28, 2019
What’s New in Centrify Privileged Access Service 19.1
Force rotation of account passwords
Security incidents may require an immediate update to all, or a selection of, an organization’s managed account passwords.
- Enable PAS administrators to rotate managed account passwords on demand.
  - Select from Managed Accounts list
  - Starts password rotation job immediately
  - Email notification when job is complete
  - Activity and job history status of all password rotations
  - Independent of scheduled password rotation policy
Escrow encrypted password catalog
Secure, encrypted catalog for operational recovery of infrastructure supporting the solution.
In parallel with HA/DR, keep an optional daily backup of your passwords.
- Encrypted file (CSV)
- All account passwords
- Intended for highly privileged administrators
- OpenPGP key
- Encrypted file e-mailed on a periodic daily schedule
- Configured through the REST API
December 18, 2018
What's New in Centrify 18.11
NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:
Linux and UNIX
- The Centrify SMB stack has been upgraded to support SMBv3. This enables the agent to retrieve group policies or files from SMB shares configured with that level of encryption.
- New mechanisms to prevent forged host tickets (the "silver ticket" attack).
- New extended support for the NSS mail aliases on zone enabled AD users.
- Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
- Solaris improvements
  - Alternate password hashes for Solaris disabled users are now supported.
  - MIT Kerberos commands or programs linked with the MIT Kerberos library (release 1.13 or above) now inter-operate with the Centrify KCM service on Solaris.
- Improvements to Audit Trail
  - New Centrify-enhanced sudo audit trail events for dzdo command execution starts/ends.
  - New Kerberos audit trail events for KCM Kerberos credential access.
- Improvements to CLI tooling (adinfo, adjoin, adleave).
- Added the support in zone property pages to allow users to specify the domain prefix IDs to improve entropy for UID and GID generation.
Centrify Agent for Windows™
- Justification for Privilege Elevation and ITSM Validation.
- New capability to specify an alternative Centrify Zone user for Privilege Elevation (Run with Privilege/New Desktop).
- YubiKey is now supported as a second factor for offline login.
- New integration with McAfee Endpoint Drive Encryption software that enables features such as Auto Pre-boot and Password Synchronization.
- Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
- Diagnostics are now accessible from the Centrify systray.
- Improved tooling (dzinfo.exe, dzleave.exe).
- New system platform affinity allows for the separation of Windows or UNIX session and event data into different audit stores.
- The default database shipped with the product has changed to Microsoft SQL Server Express 2016.
Centrify Cloud Agent for Windows™ Preview
- Leverage connected directories (Active Directory, LDAP, Google Directory or Centrify Directory) to provide brokered authentication to stand-alone Windows systems.
- Multiple access methods: Direct, Gateway-based via RDP Client, Gateway-based using Web Client.
- Password-less Web RDP access with “Use My Account” feature.
- Multi-step/Multi-factor authentication policy.
- Conditional Access Rules.
- Role to Windows Group Mapping.
Utilities and Open Source Components
- LDAP Proxy utility extended to support the critical extension flag “!” to allow for paged results.
- Centrify Reports can now deploy pre-canned reports onto any accessible SQL Server Reporting Services instance.
- Updates to Centrify OpenSSL (now based on OpenSSL 1.0.2o) and Centrify cURL (now based on cURL 7.61.1).
NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:
- Better support for just-in-time access with a new control to disallow permanent grant of permissions in the access request workflow
- Update to SSH library for improved security
NEW CENTRIFY APPLICATION SERVICES FEATURES:
- Box de-provisioning. Option to transfer content to admin account in addition to previously supported de-provisioning options.
- Password Complexity Settings. Adhere to the NIST standard (NIST SP 800-63B).
- ADFS MFA Plugin (Beta only). Centrify’s MFA plugin for ADFS 3.0.
- SCIM server APIs. CRUD for user/group resources.
- Custom MFA Phone Messages. Allows the customer to customize the audio messages for phone calls related to MFA.
- Mandatory Setup of MFA (require end users to set up MFA). Allows administrators to ensure that end users have set up the required MFA factors at first portal login.
NEW CENTRIFY ENDPOINT SERVICES FEATURES:
- iOS - Show a custom message on Lock screen: Device lock MDM command (Lock Screen action) supports custom message (both iOS/Mac) and Phone number (iOS).
November 12, 2018
What's New in Centrify 18.10
Privileged Access Service 18.10
BETTER SUPPORT FOR JUST-IN-TIME ACCESS AND APPROVAL
Many organizations are moving to a model of just-in-time access and approval. Centrify supports this model with new controls to prohibit permanent entitlements in the request and approval process.
Disallows approvers the option to grant permanent entitlements.
- Applies to all access request and approval processes
  - Password checkout or SSH key retrieval
  - Remote management sessions
- Approvers can grant only time-bound access to accounts and systems
- Global switch applies to all approval processes
- Simple to enact and prove to auditors
REMOTE SESSIONS AT SCALE FOR CUSTOMER-MANAGED INSTALLATIONS
Distributed connector architecture and direct-to-target session brokering ensure performance at enterprise scale.
Enable the use of local SSH/RDP clients and disallow session streaming through the Web tier.
- Forces remote management session data path direct from user workstation to connector to target system
- Removes the Web tier from the data path
- Scale management sessions by adding connectors
- Global switch disallows use of browser-based SSH/RDP and brokers session out of the Web tier
- Logging and auditing fully supported
SYSTEM, APPLIANCE AND DATABASE SUPPORT FOR SHARED ACCOUNTS
Continuous improvement in coverage of local account management for systems, appliances and databases, and secure remote access for systems and appliances.
- Manage database account passwords on Oracle Database 12c multi-tenant architecture
  - Standalone database only
October 25, 2018
What's New in Centrify 18.9
New Centrify Privileged Access Services Features:
Manage connections and passwords for desktop apps
For organizations who require external controls on desktop application and database clients, Centrify controls the accounts and target connections the client can access.
Control the users and accounts that can access your systems and databases through thick clients such as TOAD.
Thick clients — Windows desktop applications — run on a secure proxy, and Centrify controls:
- Who can log into the proxy
- What thick client application they can run
- What the client can connect to
- What account the client uses to connect
Sessions are audited (recorded).
Users can create custom templates for apps that:
- Support running in Windows Remote Desktop Services for Windows Server 2012R2 and 2016.
- Allow command line parameters for account credentials and, optionally, target systems (such as databases).
Pre-defined templates are provided for:
- Microsoft SQL Server Management Studio
- TOAD for Oracle
- VMware vSphere Client
Network-based discovery of local privileged accounts
Managing local privileged accounts can be a challenge for even the best IT teams. New discovery features help you find local privileged accounts and manage their passwords.
Use Centrify to automatically find, import, and manage local privileged accounts.
- Find and scan systems for local privileged accounts by network subnet
- Uses the same robust architecture and features as network system discovery
- Automatically import local accounts
- Take local account passwords under management
- New bulk selection, i.e. “multi-select”
Discovered local accounts are automatically placed into sets. Accounts that are members of the Windows built-in Administrators group (local administrators) can optionally be added to a separate set, making it easy to discover and view Windows local accounts that have very high privilege.
System and device login using SSH keys
For organizations who use SSH keys for access to systems, Centrify supports storing and using SSH keys for login.
Control the users and accounts that can access your systems through SSH keys.
- Any account can use either a password or an SSH key (exclusive)
- Access request to accounts using SSH keys is fully supported
- PAS supports PEM for private keys and the following key algorithms:
Time stamps were added to the log output of the diagnostic PowerShell scripts in customer-managed installations.
For customer-managed installations, a new process for obtaining the APNS certificate ensures that these customers will receive a unique CSR from Centrify, and a unique APNS certificate from Apple.
A change to the SailPoint IdentityIQ integration with PAS enables the creation of a tile on the PAS User Portal after an access request has been approved within IIQ.
New Centrify Application Services Features:
- MFA Redirect Phase 1: Allows admins/users with multiple accounts, potentially in different domains, to ensure that they can use MFA from one account
- CBE Improvements: We now provide an extension for all four browsers to access apps more easily
- SAML script editor: The editor now includes inline hints, autocomplete, and onscreen help to make it easier for customers to write SAML scripts
- DevOps applications category: This new applications category in the apps catalog enables customers to easily set up SSO for popular DevOps CI/CD apps
- AWS CLI Utilities: We now offer Python and PowerShell CLI utilities for both admins and users to access Amazon Web Services (AWS) by leveraging Centrify Identity Services
- Time-based workflow for mobile and desktop: Customers can now reduce risk by requesting and granting access to apps only during a given time window
New Centrify EndPoint Services Features:
- Delegated Administration: Customers can now implement policy sets for endpoints and mobile devices ensuring that endpoints / mobile devices are being added to and removed from sets dynamically, based on changes to the attributes of the device.
- O365 conditional access: We now give Exchange (O365) / MDM administrators the ability to ensure that no one can access company mail from a mobile device unless that device is enrolled in MDM with the Centrify MDM solution.
For details see Centrify Cloud 18.9 Release Notes.
October 9, 2018
Centrify to Focus on Zero Trust Privilege, Spins out IDaaS Business as Idaptive
Centrify announces the spinout of its IDaaS business into a new company called Idaptive to better serve its customers and partners.
Centrify and Idaptive will operate as independent, affiliated companies beginning in January 2019. This strategy doubles down on two distinct areas of enterprise security – Privileged Access Management and IDaaS – with dedicated resources to optimize focus, efficiency and growth.
- Centrify is sharpening its strategic focus on redefining the legacy approach to Privileged Access Management (PAM) with cloud-ready Zero Trust Privilege to stop the leading cause of breaches – privileged access abuse.
- Idaptive will deliver Next-Gen Access to protect employees, partners and customers with its market-leading IDaaS solution, securing access everywhere with an Intelligent Access Cloud that constantly learns from and adapts to login context and risk in a way that protects companies.
We’re committed to clearly and consistently communicating this news to our customers, partners, and employees, so there are a lot of communications going out starting today:
- The press release issued this morning can be found here: https://www.centrify.com/about-us/news/press-releases/2018/centrify-spins-out-idaptive/
- We’ve also posted a public external FAQ to the Centrify web site, which should answer many of your questions about this news and what it means to you: https://www.centrify.com/centrify-idaptive-faq
- Emails have started going out to all Centrify customers and partners this morning. Please check your spam folders if you are a Centrify customer and do not receive an email.
- A Centrify Zero Trust Privilege education page is online at https://www.centrify.com/education/what-is-zero-trust-privilege/
- Tim Steinkopf, who was named CEO of Centrify effective January 1, has posted a blog about the company’s new focus: https://blog.centrify.com/centrify-zero-trust-privilege/
- Idaptive’s social media channels are now live! Please go follow the new company on Twitter and LinkedIn!
For details, please contact your Centrify Account representative.