Top 3 PAM features for Centrify's
Zero Trust Infrastructure Services
Release Date: 13/07/2020
Author: Ben Marrable
The key about zero trust is to build trust up from the bottom for every login and access request made to the platform. Think presenting your passport at customs each time you access a country, except this whole process is made as seamless and straightforward to the end user as possible. Here are the key features of Centrify’s zero trust privilege from their infrastructure suite of services.
1. Granularity of Access
In a typical environment, sysadmins have access to all servers in order to not restrict their day to day tasks. This access methodology provides a “juicy” target for malicious attackers and widens the possible attack surface when these accounts are compromised.
Controls to mitigate this scenario are running MFA at login, but sysadmins wouldn’t like that to interfere with their job, so step up authorisation when these sysadmins access systems that they don’t tend to regularly, would be an appropriate and acceptable control. Additionally, ask yourself, should these sysadmins have quite so much access? Do they regularly use all the access they are granted? Perhaps the approach should be to provide a simple workflow for access allowing system administrators to request access to services and applications, where a secondary member of the team is required to approve the access. This will narrow the attack surface considerably and require hackers to compromise 2 distinct different accounts to gain the access they are after.
Secondly, IT staff administering machines tend to have full administrative privileges in order to do their job. However, administrators tend to conduct only a small subset of elevated privileges from day to day, be that changing network settings, restarting services etc. So why do we continue to provide users with full administrative access over hosts, every time they log on to do a simple job?
Centrify provides a granular level of administrative access for both access to systems (for both Windows and Linux/UNIX systems) and privilege controls, allowing users to request via workflow and to then be granted the specific access and permissions they require to do the job at hand.
2. MFA Anywhere
Is it sufficient to simply ask for a secondary factor on initial logon at the start of the day? Would it make more sense to ask for multi-factor authentication as and when a user requests some level of privilege or when a user acts outside of their normal day to day expected behaviour?
Whatever multi-factor authentication requirements meet your business, you need a solution that can provide them wherever and whenever necessary. Centrify provides multi-factor authentication anywhere, whether that’s at initial login at the start of the day, logging on to secure servers or applications or simply when elevating privileges. At any point where authentication occurs, Kerberos or otherwise a request for multi-faceted authentication can be facilitated.
3. Host Based Auditing
Consider this, I’m a malicious employee working in IT. I know how the Auditing solution works within the business, only auditing when accessing systems via a vaulting or proxy solution. So I conduct my work outside of that route and go directly to the host that I’m after.
Alternatively, consider that the proxy or vaulting solution proves cumbersome. I find it easier and quicker to get the job done by going direct, but I make a simple mistake and I’m unsure exactly what I did.
Wouldn’t it be great to have a solution that audits in both of these scenarios, Centrify provides host based auditing whether that’s on Windows or Linux/UNIX with searchable metadata around actions taken on each device.
If you’d like to learn more about Centrify’s capabilities, you can catch Ben’s upcoming Centrify webinar on the 28th August, as he discusses how to effectively implement credential tiering using Centrify’s Zero Trust Privilege, in order to help mitigate the risk of credential-based attacks.