Staff changes are part of organizational life; promotions, job changes, expired contracts, M&A activities, retirements and other causes all contribute to IT turnover. In researching this article I saw turnover rates from 17% to 38% in different industries.
As technology deployments mature, managers and subject matter experts change. For those who inherit new security practices, few things are as stressful as being handed infrastructure that came in "before my time", and there's a natural impulse to press the "reset" button. Regardless of your role (Application Architect, IT Manager, UNIX or Active Directory Lead), you first need to understand what Centrify products are providing for you today, whether you are maximizing the investment, whether the current SMEs are trained to support the products, and whether the solutions can solve existing or upcoming challenges.
This article provides tips for leads that inherit Centrify Datacenter deployments.
Tip #1: Know your Centrify Representatives
This is a fundamental step. Your Centrify representatives (Regional Account Manager and Systems Engineer) have a lot of information about your account. They understand the original drivers for Centrify implementation and may also know areas for improvement. Here are a few things they can do for you:
- They can onboard your SMEs to the Customer Support Portal
- They can help with escalations if there are outstanding cases
- They can provide briefings about new or existing features
- They can help with commercial topics (business justification, budgets, quotes, etc)
- They can help you understand your maintenance benefits
- They can help you understand the product lifecycle
- They can coordinate roadmap sessions with Product Management leads.
As you can see, staying in touch with your existing representatives can help you maximize your benefits as a Centrify customer.
In a nutshell, Centrify provides 3 solutions:
Tip #2: Make sure all staff has access to the Customer Support Portal and other Resources
Centrify has invested a lot in revamping resources for customers, therefore access to the Support Center is a key asset because you can:
a) Access the KnowledgeBase: This is the first step when encountering an issue
b) Create and Manage Cases/Escalations: Obtain a self-service view of any or all outstanding cases.
c) Documentation Center: All Centrify documentation resources in a single place.
d) Download Center: All current customers with maintenance are entitled to upgrades
e) Security, Support and Lifecycle centers: Read all about security notifications, SLAs and software version support.
f) Centrify community (public): Feel free to leverage the community for questions, issues or enhancement requests.
Tip #3: Internally: Identify your Stakeholders
You and your team need to have a 360-degree view of your stakeholders. Centrify Server Suite is all about re-using Windows Active Directory infrastructure for authentication and privileged identity management; however, the reach extends beyond what's obvious:
Architects may look at the authentication methods exposed by Centrify (Kerberos, GSSAPI, SPNEGO, PAM, SASL, etc) and may be using it with applications. This use case goes beyond Operating System authentication and privilege elevation. They also may be counting on Centrify's AD integration in IaaS environments like Microsoft Azure or Amazon EC2. They may also be leveraging the Centrify LDAP Proxy to provide lookup or authentication services for legacy apps.
Security: Security leads may be using attestation data provided by Centrify to answer the proverbial question "Who has access to these systems and what can they do?", or they may be in charge of defining roles/rights, etc. Extra tip: Centrify has invested in a Report Service just for attestation data.
Active Directory: As AD is the underlying infrastructure used by Centrify, you have to be involved in impact assessment and change control for AD. Extra tip: Centrify software is ready for any Domain or Forest functional level; however, it is good to know what the implications are.
Other Infrastructure Leads: There are other infrastructure leads (e.g. storage administrators) that may be using Centrify utilities (like the LDAP or NIS proxy) for Windows to UNIX identity consolidation, or Mac OS X administrators that have achieved advanced AD integration with Centrify's OS X client.
Tip #4: Know where your deployment is today
This is a key step. You need to understand how Centrify is used today because of compliance alignment or capability reasons.
- Are you using software that is end-of-life?
- Are you over or under-deployed?
- What's your current Centrify inventory?
- Are you missing any activation keys?
- Are you using out of date practices (e.g. Classic zones)?
- Are you submitting deployment reports as per your MSA?
The questions above can be answered by using the Access Manager console or the stand-alone Centrify Deployment Report Utility.
Are your consoles up-to-date?
Although consoles should not be used for day-to-day administration (if you've deployed based on best practices), it's convenient to keep them up-to-date (no worries, they are backwards-compatible). New versions of the consoles come out two or three times a year.
Have you implemented privilege management?
A common occurrence in environments with large turnover is that Centrify Standard Edition implementations are not using the software for PIM on UNIX/Linux or Windows; we often see organizations using sudo/sudoers or "-a" or "run as" accounts instead of leveraging the robustness of Centrify software.
"What is DirectAuthorize" http://community.centrify.com/t5/Centrify-Server-Suite/FAQ-What-is-DirectAuthorize-dzdo-dzwin/td-p/2...
"A better way to sudo" by @Gautam: http://community.centrify.com/t5/Community-Tech-Blog/A-Better-Way-to-Sudo-Part-1/ba-p/22282
Have you implemented multi-factor authentication?
Step-up or Multifactor authentication has evolved from a VPN-only capability to a must have in different contexts. Centrify software is ready for this, and with Centrify Identity Service, you can get Push MFA, OTP, OATH, Phone factor, SMS, YubiKey and legacy support for physical tokens like SecurID on UNIX, Linux, Windows, Apps and VPNs.
Have you integrated your filers?
When consolidating Windows and UNIX identity, your heterogeneous client environment can benefit from unified shared folder access and Centrify provides utilities to provide identity data to filers such as Hitachi, EMC, NetApp and others. This ensures that a multi-protocol share (NFS, Apple, CIFS) provides unified access.
Is your deployment in good health? When was the last time the environment was analyzed?
There are several tips to know if your deployment is in good health. Start by using the Analyze Wizard to determine if there are any issues with orphaned objects and poor habits.
On the client side, disconnections and frequent unlatching may be related to issues with DNS, connectivity or domain controller overhead. Use the "adinfo -T" command or the adcheck utility.
Are your DirectAudit stores holding-up as expected (data retention)?
If you are using Enterprise Edition, data retention and DirectAudit storage have to be closely monitored. Centrify provides PowerShell cmdlets to initiate actions automatically.
- How is your UNIX/Linux/Mac onboarding today?
- How do you provision UNIX/Linux roles and rights? Is the process manual or automatic?
- How do you attest or report on access/privileges? Is the process manual or automatic?
- How do you manage the lifecycle of servers (build-join-decommission-leave)? Are there areas of optimization?
Remember that technology enables your process, not the other way around.
Tip #5: Set up yourself and your team for success
IT is a service-oriented business, however if there are cognitive gaps, your personnel won't be able to deliver on established SLAs and they will go through unnecessary stress. Ask yourself and your team:
- Are your SMEs trained to support Centrify?
- If you're taking on a re-design, are your SMEs ready?
Centrify offers several training offerings including onsite training, public classes and computer-based training. Learn more here: https://www.centrify.com/services/#training
If you consider AD and Centrify critical and you want to take it to the next level, you can review the certification program.
Tip #6: Assess if you are adhering to current Centrify best practices
The core product of Centrify Server Suite (DirectControl) has been around for 12 years at the time of this writing; most importantly, Centrify has invested heavily in the product with new features, security and maintenance releases. Platforms are added, but most importantly, design guidelines change. The same way Active Directory's design principles have changed since Windows 2000, a similar change has happened with Centrify. The introduction of Hierarchical zones, UNIX/Linux and Windows RBAC, Utilities and MFA has drastically changed the way Centrify implementations are executed. Gone are the days of multiple 'flat' classic zones. Many other constructs have been introduced for flexibility.
In addition, there are many deployments out there that are not complete. Maybe turnover hit during the project, or other priorities pulled your team out of the project before the Privilege Management areas were implemented.
There's also the mentality of "if it's not broken, don't fix it"; this is completely misaligned with the principle of constant improvement.
This is why Centrify includes an upgrade guide with the documentation and also provides PS-led health checks that help identify areas of improvement. There's also a newly-created Centrify+ program for existing customers.
2016 upgrade guide: https://docs.centrify.com/en/css/suite2016/centrify-upgrade-guide.pdf
Centrify Health Check Datasheet: https://www.centrify.com/resources/dsh-en-health-check-centrify-server-suite/
Centrify+ Datasheet: https://www.centrify.com/resources/dsh-en-centrify-for-server-suite/
Tip #7: Embrace automation and DevOps
All Centrify software is ready for your existing automation tool set. Chef, Puppet, Ansible, Satellite, etc. all support native package deployments. In addition, cloud IaaS services (like Amazon OpsWorks) have a framework that makes the launching of instances, automatic joins and decommissioning very simple.
Windows PowerShell modules provided with DirectManage and DirectAudit extend automation to other levels. This can be combined with orchestration, workflow or ITSM tools like ServiceNOW.
Utilities like the Zone Provisioning Agent can make any traditional IdM or Workflow integration point simple, by performing adds, moves or changes of AD security groups.
Tip #8: Are you measuring? You can't manage or improve what you aren't measuring
Metrics are part of your arsenal to develop a baseline and understand your business area and since Centrify is all about Access Control, you should be able to measure:
- Successful or failed authentication attempts to UNIX/Linux or Mac assets by regular users
- Successful or failed authentication attempts to UNIX/Linux or Mac assets by privileged accounts [with or without MFA]
$ dzdo tail -f /var/log/messages | grep dwirth
Jun 25 17:13:46 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51511 utc=1466892826753 centrifyEventID=24100 status=GRANTED service=sshd tty=ssh client=member3.centrifyimage.vms
- Successful or failed privilege elevation events on UNIX, Linux or Windows systems [with or without MFA]
INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|300|PAM account management granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51481 utc=1466892756393 centrifyEventID=24300 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
- Failed attempts by valid users in unauthorized UNIX/Linux or Mac assets
- Centrified systems that grant more access
- AD users with more Centrified system access
- AD groups with more Centrified system access
- UNIX/Linux systems without Centrify software (unprotected)
- Password change frequency for UNIX-enabled users
- Mean time between access revocation
- Orphaned accounts (computers, users)
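The metrics above can be derived from the AUDIT_TRAIL lines that adclient writes to syslog, as shown in the two log excerpts. Below is an added example (not Centrify's code) that parses those pipe-delimited records and counts granted versus non-granted events per PAM service; the sample lines are constructed from the format shown above, and the "denied" line, its event ID and the DENIED status value are assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the AUDIT_TRAIL lines shown in this post.
# The third line (authentication denied, status=DENIED) is an assumed example.
SAMPLE_LOG = """\
Jun 25 17:13:46 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51511 utc=1466892826753 centrifyEventID=24100 status=GRANTED service=sshd tty=ssh client=member3.centrifyimage.vms
Jun 25 17:14:02 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|300|PAM account management granted|5|user=dwirth(type:ad,dwirth@CENTRIFYIMAGE.VMS) pid=51481 utc=1466892756393 centrifyEventID=24300 status=GRANTED service=dzdo tty=/dev/pts/1 client=(none)
Jun 25 17:15:10 engcen6 adclient: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=jdoe(type:ad,jdoe@CENTRIFYIMAGE.VMS) pid=51600 utc=1466892910000 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=10.0.0.5
"""

def parse_audit_trail(line):
    """Return a dict for one AUDIT_TRAIL line, or None if the line is not one."""
    m = re.search(r"AUDIT_TRAIL\|(.*)$", line)
    if not m:
        return None
    # Fields: product|category|version|event|event name|severity|key=value pairs
    fields = m.group(1).split("|")
    if len(fields) < 7:
        return None
    event = {"product": fields[0], "category": fields[1], "event_name": fields[4]}
    for kv in fields[6].split():
        key, _, value = kv.partition("=")
        event[key] = value
    # user=dwirth(type:ad,dwirth@REALM) -> short name, account type and UPN
    um = re.match(r"([^(]+)\(type:(\w+),([^)]*)\)", event.get("user", ""))
    if um:
        event["user"], event["user_type"], event["upn"] = um.groups()
    return event

def summarize(log_text):
    """Count events by (service, status) and collect users with non-granted events."""
    counts = Counter()
    failed_users = set()
    for line in log_text.splitlines():
        ev = parse_audit_trail(line)
        if ev is None:
            continue  # unrelated syslog line
        counts[(ev.get("service", "?"), ev.get("status", "?"))] += 1
        if ev.get("status") != "GRANTED":
            failed_users.add(ev["user"])
    return counts, failed_users

if __name__ == "__main__":
    counts, failed = summarize(SAMPLE_LOG)
    for (service, status), n in sorted(counts.items()):
        print(f"{service:8} {status:8} {n}")
    print("users with non-granted events:", sorted(failed))
```

Feeding `/var/log/messages` (or the DirectAudit/SIEM export) into `summarize` gives the authentication and privilege-elevation baselines per service, and the service field separates sshd logins from dzdo elevations.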
Tip #9: Maximize your Centrify Assets
- Unlike other solutions, Centrify is not only Red Hat Linux-centric, it provides support for all commercial Linux, HP-UX, AIX, Solaris and OS X
- Centrify Standard Edition provides Privileged Identity Management for Windows and helps eliminate the issue of widespread local/domain administrator while preventing advanced attacks.
- Centrify Server Suite Enterprise Edition adds session capture and replay for UNIX, Linux and Windows
- Centrify Platinum Edition adds Group Policy-based IPSec/PKI server and domain isolation
- Centrify Identity Service is an industry-recognized IDaaS platform that includes SSO plugins for Apache, Java, SAP, DB2 and others.
- Centrify Privilege Service extends Centrify PIM capabilities, providing Shared Account Password Management and Privileged Session Management for systems, devices, databases, directories and more.
- Hadoop: If you have a Hadoop deployment, you can accelerate it by leveraging Active Directory and Centrify.
Tip #10: Ask us for new capabilities or improvements
Tech companies are only as good as their ability to deliver capabilities required by their customers. Let your voice be heard in the community or in the Idea Exchange; feel free to tell us what's next.
At Centrify we focus on helping organizations secure their assets by focusing on the new perimeter: Identity. Our solutions provide operational efficiencies given that they reuse existing infrastructure (e.g. Active Directory) or simply eliminate complexities.