These materials are © 2016 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


Securing Enterprise
Identities

Centrify Special Edition

by David Seidl

Securing Enterprise Identities For Dummies, Centrify Special Edition
Published by John Wiley & Sons, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com
Copyright © 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used
without written permission. All other trademarks are the property of their respective owners. John
Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE
NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR
COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL
WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A
PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR
PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE
SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE
PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL
SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT
PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR
SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION
OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE
OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER
ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR
RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET
WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN
THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978-1-119-22478-5 (pbk); ISBN 978-1-119-22479-2 (ebk)


Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
For general information on our other products and services, or how to create a custom
For Dummies book for your business or organization, please contact our Business
Development Department in the U.S. at 877-409-4177, contact info@dummies.biz, or
visit www.wiley.com/go/custompub. For information about licensing the For
Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Publisher's Acknowledgments
Some of the people who helped bring this book to market include the following:

Development Editor: Elizabeth Kuball
Copy Editor: Elizabeth Kuball
Acquisitions Editor: Amy Fandrei
Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan
Production Editor: Antony Sami

Introduction
For years, companies have designed networks around a traditional security model meant to protect local systems. This network perimeter included layers of firewalls, intrusion detection systems, and other network security devices and systems intended to keep data safe against attack. But today, attackers are focusing on a specific type of threat: compromised credentials. In fact, the leading point of attack used in data breaches is compromised credentials and the privileges that go with them.

Attackers know that with the right credentials, they no longer have to fight through the old perimeter defenses. They now use stolen credentials to gain access to your critical data, just like an employee. Your traditional security perimeter is no longer the strong wall that you once envisioned it to be.

This new world of advanced threats, which leverage deep expertise to maintain long-term access to networks and systems, means that you need to move your first line of defense to the user accounts and the privileges that they have: the same things that make them attractive to attackers. Architecting security around identity allows you to create a new security perimeter that keeps your identities, and thus your organization, secure.

Of course, your organization is changing in other ways, too: Linux and virtualization have invaded the datacenter, and cloud infrastructure, SaaS apps, mobile devices, and a mobile workforce mean that the traditional ways of securing and managing organizational assets just don't work anymore. The same identity platform that enables you to redefine your security perimeter can also allow you to secure access to on-premises and hosted infrastructure and apps from mobile devices, including device management, access monitoring, compliance, and reporting, all without leaving behind your existing infrastructure and systems.


About This Book

This book explores the role of identity in cybersecurity. I explain how the traditional datacenter defenses are no longer sufficient and how they need to change to protect against evolving threats. I show you how an identity platform is a critical part of a modern security perimeter, and how you can leverage your existing investments in identity to secure privileged access, enterprise mobility, and remote access. Lastly, I discuss how identity-based policy can enhance your monitoring, compliance, and operational capabilities across today's hybrid IT environment of cloud, mobile, and on-premises resources.

Icons Used in This Book

The margins of this book use several helpful icons that can help guide you through the content:

This icon marks tips that can save you time and effort.

This icon is for the technical types who are reading the book. The information marked by this icon may be geeky, but it can be useful, too.

If you see this icon, make sure to pay attention: you'll want this knowledge at hand later.

This icon marks something that you'll want to take note of because it can cause problems.

Beyond the Book

You can find additional information about Centrify's identity solutions, including single sign-on, multi-factor authentication, mobile and Mac management, privileged access security, and session monitoring at www.centrify.com.

Chapter 1
Understanding the Current Anatomy of Enterprise IT
In This Chapter
Looking at the infrastructure of enterprise IT
Seeing how mobile differs from traditional desktop computing
Considering users and access requirements

The best way to understand how new threats are changing where security perimeters have to be defined is to explore how most organizations currently implement their datacenter and infrastructure security. In this chapter, I explain traditional and software-defined datacenters, new models for cloud operations, user and access requirements, and how those elements interact.

Looking at Traditional and Software-Defined Datacenters
You probably have a picture in your head of what a traditional datacenter looks like: a large room filled with rack-mounted servers with hundreds or thousands of LEDs blinking while the room's heavy-duty cooling system blows cold air to keep everything from overheating. That traditional datacenter model has been the standard in one form or another for most organizations for decades. In fact, most organizations are still using a traditional datacenter, or at least a closet with some servers stuffed into it somewhere in their building!

Many organizations have also made significant investments in software-defined datacenters based on virtualization. This is typically done using a product like VMware, Microsoft's Hyper-V, KVM, Xen, or Docker (which packages applications as containers rather than full virtual machines). Using these tools, various applications, systems, and network devices can be created in virtual environments, allowing them to share underlying hardware and network resources while being centrally managed by the virtualization platform.

Both traditional and software-defined datacenters are typically designed with a layered security approach like the design shown in Figure 1-1. This design is intended to protect the organization's critical information and computational assets from outside attackers. It's built from layers of routers, firewalls, intrusion detection systems, and other security and network devices that provide concentric layers of security.

Figure 1-1: The traditional datacenter security model.

All these security tools are like locked doors: They're only as strong as the key that unlocks them. Hackers know that trying to break down the door is very hard. But if you have the key to the lock, walking in couldn't be easier. That means that there is always a way past this layered security: the accounts and remote access systems that administrators use to manage the systems they protect. Of course, that also means that the protective devices themselves can be a route in if administrative credentials are compromised. As organizations move to the cloud and hosted infrastructure, this gets harder because your boundaries are in many places.

When you consider identity as part of your organizational security, two terms are very important to remember: AuthN and AuthZ. Authentication (AuthN) is the verification of who you are; authorization (AuthZ) is the set of rights and roles you are granted once you have been authenticated. Both are needed to ensure security and usability!

Moving to the Cloud


The past few years have seen the advent of broadly accessible
cloud computing. The cloud provides you with the ability to
outsource software, platforms, or even IT infrastructure itself
to another organization, which typically has a much larger IT
footprint, specialist knowledge, and more staff to handle the
environment than you might. Cloud computing offers some
significant advantages that are driving many companies away
from traditional datacenters, including the following:

Cost savings on physical datacenter facilities (cheaper space, power, and cooling costs)
Scalability to fit actual usage, rather than in large chunks by adding a server, storage array, or other large piece of IT infrastructure
Redundancy and disaster recovery capabilities beyond a single building or datacenter
Greater reliability without having to build it in-house
Faster upgrade and update cycles for software and systems


These benefits are usually delivered in one of three common models that you might encounter: Software as a Service, Platform as a Service, and Infrastructure as a Service. Each offers a different approach to computing outside of a traditional onsite datacenter, with different benefits and considerations to keep in mind as you consider cloud services:

Software as a Service (SaaS): SaaS is a model that provides software via the Internet, as a service. SaaS typically has the least operational overhead because it relies on the vendor to run all the underlying tools, systems, and services that make the software function. Security for SaaS is primarily in the vendor's hands because they control the underlying hardware, software, and infrastructure, leaving you to provide user-account-based security and integration with your own systems and data.
Because SaaS leaves accounts as your primary means of control, integrating SaaS tools with your central identity management system can provide both security control and usability benefits by leveraging centrally managed credentials and access controls.
Platform as a Service (PaaS): PaaS describes a range of services that underlie a technology platform or service. It provides your organization with the platform but requires more support because you receive the platform and must configure and support it. Here, the security model relies more on your organization's configuration and use of the platform, as well as how you handle and integrate identity and access management.
Infrastructure as a Service (IaaS): IaaS provides outsourced systems, networks, storage, and other components. These are typically provided much like they would be in a virtualized or software-defined environment, but at a much larger scale by the IaaS provider. Because this is much more like running your own datacenter in the cloud, you'll have most of the same operational and security requirements as you would in a traditional datacenter, with the caveat that they may need to integrate with your IaaS provider's systems.

If your organization finds that cloud services are a good fit, it probably won't just jump directly to the cloud all at once, which means you'll be partially in a traditional datacenter or software-defined datacenter model while also using cloud services. These split models are known as hybrid operating models, with a split between on-premises and off-premises software and services.

Looking at the Major Models for Applications
Whether you run a traditional or software-defined datacenter, or whether you use cloud services, the reason that your datacenter exists is to run the applications that you need to conduct your business. As you may expect, there are a few major models for applications, and each of them has implications for your security perimeter and operations.

On-premises applications
For years, most of the applications that your organization used were likely on-premises, with local servers and infrastructure to keep them running. Both traditional and software-defined datacenters host on-premises applications, and even organizations that have moved a lot of their infrastructure and applications to the cloud still use on-premises applications. This means that security operations still need to account for how existing systems that use Active Directory, LDAP, or other local accounts can integrate into a hybrid environment.

Cloud applications
Cloud applications change your identity needs because they require integration with AuthN (authentication) and AuthZ (authorization) services. Many cloud applications rely on technologies like SAML, OpenID, OAuth, or SCIM. Integrating these with existing on-premises systems can be a challenge if your current systems aren't built to work with the cloud!


These standards can be confusing, so here's a quick overview of what they are:

SAML is the Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between an identity provider and an application. It is frequently used to provide single sign-on, so users authenticate once at the identity provider instead of keeping a separate password for each application.
OpenID (today, OpenID Connect) is often used along with OAuth, where it provides the authentication layer: it tells the application who the user is, typically as a signed ID token.
OAuth is a widely used authorization framework that lets an application act on a user's behalf without ever receiving the user's password. It solves a problem similar to SAML's with a different implementation (JSON over HTTP rather than XML), and on its own it does not authenticate the user, which is why it is paired with OpenID Connect.
SCIM is the System for Cross-domain Identity Management. It helps with user management in the cloud by providing a standard way to represent users and groups and to provision and deprovision them across domains, among other features.
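As an added example (not code from the original book or from Centrify), here is what the OpenID Connect authentication layer looks like from the application's side: the relying party receives a signed ID token and must verify the signature, issuer, audience, expiry, and nonce before trusting the identity it carries. The issuer URL, client ID, and HS256 shared secret below are assumptions made up for the example; real providers normally sign ID tokens with RS256 and publish their public keys, so the signature check would use those keys instead, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values standing in for a real OpenID provider and relying party
# (assumptions for this example; not identifiers from the original text).
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-app"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256-signed JWT; plays the identity provider's role for the example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(
    token: str,
    expected_nonce: str,
    now: Optional[float] = None,
    secret: bytes = SECRET,
    issuer: str = ISSUER,
    client_id: str = CLIENT_ID,
) -> dict:
    """Relying-party checks on an ID token. Raises ValueError on any failure.

    The signature is checked first, and the algorithm is pinned to the one we
    expect rather than taken from the token's own header; otherwise an attacker
    can submit an unsigned token whose header says "alg": "none".
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                         "iat": t0, "exp": t0 + 300, "nonce": "n-1"})
    print(validate_id_token(tok, "n-1", now=t0)["sub"])
```

The design choice worth noting is that the expected algorithm is pinned in code, so a token whose header says "alg": "none" is rejected before any claim is read, and that audience and nonce are checked as well as the signature: a token minted for a different application, or replayed from an earlier login, otherwise carries a perfectly valid signature from a trusted issuer.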

Big data
There's a lot of information in really large datasets, and analyzing them using big data tools can provide a major competitive advantage. The same treasure trove of data and the analysis tools that you need to deal with it can also create new security challenges. Big data tools like Hadoop are often run in a non-secure mode, particularly during development, in which any client can simply assert a user name, and locking them down by requiring AuthN and AuthZ controls can be challenging. Making big data part of your identity infrastructure is key to keeping your big data environment secure.
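The Hadoop check described above can be scripted. The following is an added example, not code from the book or from Centrify: it reads a core-site.xml and reports whether hadoop.security.authentication and hadoop.security.authorization are still at Hadoop's defaults (client-asserted user names, no service-level ACLs) or set to kerberos and true. The two configuration fragments are constructed for the example, and the host name in them is made up.

```python
import xml.etree.ElementTree as ET  # fine for a trusted local config file; use defusedxml for untrusted XML

# Hadoop's documented defaults: authentication is "simple" (the client asserts its own
# user name) and service-level authorization is off.
HADOOP_DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
}

# Constructed core-site.xml fragments (not from the original text). The first is the
# development-style configuration the chapter warns about; the second is hardened.
INSECURE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>
"""

SECURE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>
"""


def load_properties(xml_text: str) -> dict:
    """Flatten a Hadoop *-site.xml into {name: value}."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_core_site(xml_text: str) -> list:
    """Return a list of findings; an empty list means both identity settings are hardened.

    A property that is absent takes Hadoop's default, which is the insecure value, so a
    file that simply omits these settings is reported too.
    """
    props = load_properties(xml_text)
    findings = []
    auth = props.get("hadoop.security.authentication",
                     HADOOP_DEFAULTS["hadoop.security.authentication"])
    if auth.lower() != "kerberos":
        findings.append(
            f"hadoop.security.authentication={auth!r}: clients assert their own identity "
            "without proof; set it to 'kerberos' so every user and service authenticates"
        )
    authz = props.get("hadoop.security.authorization",
                      HADOOP_DEFAULTS["hadoop.security.authorization"])
    if authz.lower() != "true":
        findings.append(
            f"hadoop.security.authorization={authz!r}: service-level ACLs are not enforced; "
            "set it to 'true' and define the ACLs in hadoop-policy.xml"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_CORE_SITE), ("secure", SECURE_CORE_SITE)):
        print(label, audit_core_site(text) or "OK")
```

Treating a missing property as its default is the part that matters in practice: a development cluster rarely has these settings written out at all, so a check that only looks for an explicit value of simple would pass the very clusters the chapter is describing.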

Mobile applications
Mobile applications add yet another layer of complexity.
Some are native applications for mobile platforms like Apple
iOS or Android, while others are built to work on both
traditional PCs via a web browser and on mobile devices.
Making the applications work with your infrastructure can be
an adventure in much the same way that cloud application
integration can be challenging.


Comparing Mobile and Desktop Computing
In addition to the move to cloud computing, the growth of
mobile computing has been a major driver for enterprise IT
change. The changes driven by laptops, and now by smart-
phones and tablets, have resulted in a desire to be able to
work anywhere, from any device, at any time.

Traditional desktop computing

Traditional enterprise computing has been built around desktop computers and laptops that were often standardized, centrally managed, and in predictable locations on a network owned and managed by the organization. There are still a lot of enterprise computing platforms that use this model, but mobile computing is growing quickly, and that growth means that the old model of providing security by controlling your organizationally controlled desktops is changing.

Mobile computing
Mobile computing covers a broad variety of computing that isn't conducted at a user's desk. In very broad terms, mobile computing is composed of two major groups of devices:

Smartphones and tablets: Smartphones and tablets typically don't run typical enterprise applications; they're used to access web and native iOS and Android applications. In addition, they typically don't provide the same security controls and visibility that a traditional desktop does. To make things even more challenging, many of them are personally owned and yet are still used to conduct organizational business.
Laptops: Mac and PC laptops, whether they're personally owned or are the property of your organization, make up the other half of the mobile computing movement. The need to handle personally owned devices in a variety of locations, from the office down the hall to a Starbucks in another country, means that identity, rather than the computing platform, is likely to be your first line of defense.


VPN and identity

Offsite access can be a security challenge because it's hard to prove that the user who is logged in is actually who they claim to be. In fact, in 2013, the Verizon Risk team reported that they investigated a software developer in the United States who had outsourced his own job to China! During a normal security audit, a user's account was discovered to be logging in from China every day, despite the user being at his desk. Further investigation showed that he was paying a Chinese contractor to do his work at a discounted rate while he himself surfed the web all day from his desk. It turned out that he was also employed elsewhere and had contracted those jobs out as well!

This story is just one example of how identity is an important part of security management. In this case, matching identity to location data and access logs would've helped catch the issue far sooner.

If you'd like to read the whole story, you can find it here: https://securityblog.verizonenterprise.com/?p=1626.

Defining Users and Access Requirements
As computing environments have become more complex, the
number and types of users have increased. At the same time,
the set of rights, roles, and policies that control access have
become even harder to maintain, making automation and
centralization key to success.

The final major element of enterprise IT is the set of users who use and maintain the IT infrastructure, applications, and data that it exists to support. There are many types of users in a typical enterprise, including the following:

Administrators and power users: The most trusted users, and those who have the most power granted to them, are administrative and power users. Their accounts give them greater rights, so they're likely targets for attackers.

Privileged accounts: IT administrators have access to a special type of shared system or application account that provides access to sensitive data, the ability to change or grant access, or the ability to delete or damage critical systems. These so-called privileged accounts, such as the root account or the local administrator account, are the digital equivalent of a master key. Special care needs to be taken to protect these accounts and their associated privileges, including auditing, monitoring, and logging.
Employees: Typical employees make up the bulk of your users for enterprise IT systems, and they can create complexity due to the variety of roles and positions they can hold. Over time, many employees end up accumulating a broad range of rights if they aren't carefully managed, and even a normal employee account can be useful to attackers as a way into your systems and applications.
Contractors and outsourced IT: Contractors can create a unique set of requirements because they're typically time limited, but they can require special access to do what you've hired them to do. A contractor like a developer or outsourced IT staff member may need system access or rights and privileges unique to their role, but may not have the rest of the access that a normal employee does. In addition, they may work for a period of time and then stop when their contracts end. Later, they may be rehired, or be asked to perform further services. This makes traditional account lifecycles challenging to follow. In addition, many contractors work from a remote location, making their identity hard to verify. That means that using identity management services to audit, monitor, and manage contractor accounts is particularly important.
Partners: Business partners, both as individuals and as organizations, often need accounts and rights to access data and applications that your organizations share to work together. Partner accounts may require inter-organizational coordination and oversight, and may need to support trust relationships or federation.
Federation allows a user to log in to various unrelated systems or applications using credentials from his own organization. It's accomplished by having a shared set of policies and practices, as well as supporting technologies that establish delegated or trusted authentication between members of the federation.


Customers: Customer account management is sometimes an entirely separate process from managing internal accounts and privileges, but many of the challenges are the same. Customer accounts need a lifecycle and management process that allows them to be handled in a customer-friendly way that also meets your organizational needs.
Third-party vendors: Third-party vendors create different identity issues than contractors and outsourced IT. Instead of requiring access to your systems, the challenge is usually how you can integrate with them. Fortunately, open standards like SAML, OAuth, and others can help you build bridges between your identity management system and standards-compliant vendors, changing what used to be custom integrations taking days or weeks into a matter of a few hours of configuration work.

You may find that some (or many!) of your users fit into mul-
tiple categories and roles. That can add a lot of complexity to
your identity management process as you try to track what
access rights they should have. Remember that accumulated
access can be a major risk as your users move around the
organization and acquire rights and roles!

A key part of both the security and usability of enterprise IT is how you provide and control access. Traditional IT environments have often relied on access controls that were built and managed at each individual server or application, resulting in a massive amount of overhead, as well as a major challenge when you try to monitor or validate access rights.

Centralization, identity consolidation, privileged access security and shared account management, as well as the growth of single sign-on and security standards like SAML and multi-factor authentication, have resulted in the ability to use identity management services to control, monitor, audit, and report on access rights and access usage across all your enterprise resources.

Chapter 2
Exploring the Role of Identity in Cyber Security
In This Chapter
Identifying today's cyber security challenges
Protecting on-premises and cloud infrastructure
Securing external and mobile users and systems
Expanding your security perimeter when data is everywhere

Keeping your network, systems, and data secure probably seems like it has become harder over time. New threats appear daily, and organized attackers are defeating the security of major organizations despite their best efforts to stop them.

In this chapter, I discuss current cyber threats and explain what a breach can mean to your organization. I also explain how you can use identity as a key element in your strategy to secure your systems, applications, and data, including how to address new trends like mobile devices, big data, cloud computing, and open networks.

Understanding Current Cyber Security Challenges
There are many current cyber security challenges, such as cyber threats, breaches, hackers, attackers, and advanced persistent threats. Many of these challenges start because of compromised credentials and poor security around how user accounts and rights are created, monitored, and maintained.


Cyber threats
Today's organizations must be protected against a broad range of cyber threats. These can include things like

Directed attacks focused on your organization, its operations, and data
Indirect cyber threats like drive-by downloads, which install malware on your PCs and devices
Insider threats, including purposeful attacks, as well as honest mistakes

If you're thinking about how user credentials play a role in each of those attacks, you're already ahead of the game: Privileged credentials often play a big part in cyber attacks like these.

Breaches
It seems like nearly every day you hear news of a new breach. In fact, large and small-scale breaches have become so common that they're a topic of discussion in our daily lives, even for people outside of IT. That doesn't mean that the impact of a breach isn't significant.

The average cost of a breach, according to research conducted by the Ponemon Institute, is $3.8 million, a number that has gone up by 23 percent since 2013. The same study says that the average cost per individual affected is $154, meaning that even a small breach can quickly add up to significant costs.

Want to know more about the risks you face? Check out Centrify's State of the Corporate Perimeter Survey. It includes data on how employees treat credentials, what other organizations are facing, and how leaders are dealing with issues. You can find it at www.centrify.com/whycentrify/corporateperimetersurvey.

The leading cause of breaches is compromised credentials. The 2015 Data Breach Investigations Report from Verizon concludes that over half of all breaches are caused by compromised credentials, and Mandiant states that close to 100 percent of the breaches it investigates involve compromised credentials. Clearly, enterprise identities have become a leading area of risk that needs to be managed and mitigated.

Hackers, attackers, and advanced persistent threats
The biggest change in cyber security in recent years has been the appearance of advanced persistent threats (APTs). Attacker groups use advanced tools and techniques to compromise and control targeted systems and networks for long periods of time. When they gain the deepest levels of access, they place an emphasis on retaining and using their control of their targets to gather sensitive data, including credentials, to access additional systems.

You probably already recognize APT attacks even if you don't realize it. One of the most recognizable was Stuxnet, which targeted the Iranian nuclear program. Others include Operation Aurora, which targeted Google, Yahoo!, Symantec, Dow Chemical, and other major U.S. companies, and Flame, which targeted systems in the Middle East. To see a list of all major attacks and their relationships since 2007, visit https://apt.securelist.com.

APTs are scary, but everyday threats like phishing emails and drive-by infections that leverage browser and browser plug-in flaws to compromise PCs and capture credentials are a big part of the threat your organization faces, too. It's safe to assume that at least some of the PCs and devices used in any organization will be compromised during any given year, and that means that security needs to presume that the devices and the data they contain could be at risk.

Providing Security for External and Mobile Users and Systems
External systems can take on many forms, including hosted infrastructure at remote facilities, Infrastructure as a Service environments, which provide a home for your systems in the cloud, and other offsite computing environments. Combined with the explosive growth of mobile and personally owned devices, traditional security methods haven't kept up.


The old methods of securing onsite servers and desktop PCs had the advantage of central control: They were usually in a secure location, on a known network, with a centrally managed operating system and known software and configuration. The broad range of external and mobile systems means that doesn't work across the entire enterprise anymore.

Hosted infrastructure

Hosted infrastructure moves your security boundaries outside the traditional physical boundaries of your organization. That means that building a static security infrastructure around a controlled network won't work. Linking multiple sites, cloud providers, or other locations can be a challenge if you don't find ways to securely connect them. Fortunately, as you'll see later in this chapter, identity can provide that link, as well as helping secure the remote environments.

Mobile devices and remote workers

Both mobile devices and remote workers bring new cyber security challenges. Devices that are offsite often require users to have a higher degree of control over the device so that they can install applications, change settings, or perform other actions that enable them to conduct business. In a traditional desktop IT environment, you might have sent out an IT staff member to help them. When your users are mobile, IT staff simply can't reach them, so they may need more control.

In many cases, mobile devices are personally owned, rather than company-issued devices. That makes some form of management even more desirable when it comes to access to organizational data and applications. This used to be done by attempting to control the whole device, much like a desktop, but that's difficult and unwieldy for devices that need flexibility, or when device owners don't want their device locked down by IT. Fortunately, much like hosted and cloud infrastructure, identity can provide greater security for mobile devices by providing context to the users of those devices.


The dangers of jailbreaking

Many people choose to break out of the controls that their mobile device provides by default. Apple devices are frequently jailbroken to provide additional functionality that Apple doesn't allow in the App Store. The same thing happens in the Android world, where devices are frequently rooted to install custom software or versions of the Android OS.

Jailbreaking can look like a harmless way to get more functionality from your device, but in August 2015, WeipTech found more than 225,000 valid Apple accounts stored on a server. The source of those accounts was jailbroken phones that had been compromised by malware now known as KeyRaider. KeyRaider used those stolen accounts to buy apps and other items from the App Store.

Although this attack didn't target corporate data, it had enough access to do so. That means that having a way to detect jailbroken and rooted devices can be an important tool in your security arsenal when you need to prevent possibly compromised devices from accessing your corporate resources.

External users

In addition to mobile devices, organizations are also seeing an explosion in the number and types of external users they need to support. From contractors to vendors to outsourced IT, each additional type of external user brings additional complexity to the account lifecycle and security models that you have to maintain. Each of these new users needs a way to access organizational resources, and the traditional answer of a single one-size-fits-all remote access VPN doesn't fit.

Fortunately, leveraging identity information can help. Matching roles and rights and provisioning users to both onsite and offsite systems and infrastructure can help reduce or eliminate the need for a VPN. In fact, when a VPN is still needed, that identity information can provide the basis for secure VPN groups.


Addressing big data challenges

If big data is a tool in your organization's portfolio, you already know that keeping it secure is also a big deal. Securing big data requires enterprise-grade identity and access management for authentication, implementing least privilege access and auditing to ensure that administrators and users have the access and privileges their job function requires. Integrating big data into your identity management platform ensures nodes, clusters, and applications are secured along with the rest of your infrastructure. When that happens, you can simply treat compliance, monitoring, and response problems the same way you treat any other managed system!

Dealing with a Misplaced Security Perimeter

Cloud and hosted services, as well as the massive growth in the use of personally owned devices, greater mobility, and the diverse user populations that I've discussed mean that your traditional security perimeter only surrounds a small part of your sensitive apps, infrastructure, and data. This means that you need to provide flexible security where your infrastructure and users are.

Figure 2-1 shows how new workflows and requirements have changed most traditional network boundaries into what is effectively a single, flat network.

Each of these groups needs access to organizational data and systems in a secure way. Identity can provide that layer of security for cloud and outsourced systems, mobile devices, and the wide variety of partners, contractors, and other users you may encounter. That means that identity can provide a consistent and effective layer of security where traditional firewalls and other security infrastructure can't.


Figure 2-1: Access everywhere, at any time, for anyone.

Multifactor authentication

Multifactor authentication (MFA) is a means of authenticating that requires both something you have and something you know (or, in some cases, something you are). For example, a common method of multifactor authentication is a generated passcode and a password. The generated passcode normally comes from a key-fob-style token or from your smartphone (something you have), and the password is the something you know. Because there are two elements to this authentication process, it's sometimes called two-factor authentication.

MFA can have a big impact on the security of your services because it prevents attackers from using a stolen or guessed password to get in. Unless attackers have both the key fob or smartphone that can generate the code or authorization, and the password for an account, they only have half of the key.


MFA is one of the most effective ways to mitigate the risk of compromised credentials.

The role of authorization and authentication in breaches

Many breaches in recent history have involved attackers who gained administrative access to internal networks and systems. From there, they have been able to acquire sensitive data, which they then extract from the compromised network.

In other cases, attackers have used phishing attacks to get user credentials or have used malware to compromise systems belonging to employees of the compromised organization. These attacks typically use that access as a foothold to allow further attacks against key infrastructure and systems, and then move laterally to gain access to servers and the sensitive data they contain.

These attacks could be prevented in many cases by better leveraging authorization and authentication systems:

• An attacker who captures a password and uses it to log in to systems will be stopped by multifactor systems.
• Ensuring that users only have the permissions and rights that they require will help limit the scope of a successful attack.
• Monitoring user behavior and identifying logins and access that don't match normal user behavior can detect many types of attacks.
• Maintaining accounts, including deletion of unused accounts or those belonging to employees who have left the organization, can make sure that bad guys don't take advantage of neglected accounts.
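The third item above, spotting logins that don't match a user's normal behavior, is easy to state and worth seeing as working detection logic. The following is an added example, not code from the book or Centrify: it builds a per-user baseline (countries, devices, hours of day) from login records before a cutoff date and then scores later logins against it, including a simple "impossible travel" check. The log lines, the six-hour travel threshold, and the five-event minimum history are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed successful-login records (not real log data):
# "<timestamp> <user> <source country> <device id>"
SAMPLE_LOGINS = [
    "2016-03-01T09:02:00 alice US laptop-a1",
    "2016-03-02T08:55:00 alice US laptop-a1",
    "2016-03-03T09:10:00 alice US laptop-a1",
    "2016-03-04T18:40:00 alice US laptop-a1",
    "2016-03-07T09:00:00 alice US laptop-a1",
    "2016-03-08T09:05:00 alice US laptop-a1",
    "2016-03-09T09:00:00 alice US laptop-a1",
    "2016-03-10T09:03:00 alice US laptop-a1",
    "2016-03-11T08:58:00 alice US laptop-a1",
    "2016-03-12T03:12:00 alice RO unknown-7f",   # new country, hour, device
    "2016-03-12T09:01:00 alice US laptop-a1",    # back in the US 6h later
    "2016-03-01T10:00:00 bob DE desktop-b2",
    "2016-03-02T10:30:00 bob DE desktop-b2",
    "2016-03-03T11:00:00 bob DE desktop-b2",
]

CUTOFF = datetime(2016, 3, 12)          # baseline is built from logins before this
TRAVEL_WINDOW = timedelta(hours=6)      # constructed "impossible travel" threshold


def parse_login(line: str) -> dict:
    ts, user, country, device = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "country": country, "device": device}


def build_baselines(records: list, min_events: int = 5) -> dict:
    """Per-user profile of where, from what, and when they normally log in."""
    history = defaultdict(list)
    for r in records:
        history[r["user"]].append(r)
    baselines = {}
    for user, recs in history.items():
        if len(recs) < min_events:
            continue                    # too little history to judge this user
        baselines[user] = {
            "countries": {r["country"] for r in recs},
            "devices": {r["device"] for r in recs},
            "hours": {r["ts"].hour for r in recs},
        }
    return baselines


def detect_anomalies(lines: list, cutoff: datetime) -> list:
    """Score every login at or after `cutoff` against the user's baseline."""
    records = sorted((parse_login(l) for l in lines),
                     key=lambda r: (r["user"], r["ts"]))
    baselines = build_baselines([r for r in records if r["ts"] < cutoff])
    alerts, previous = [], {}
    for r in records:
        prev = previous.get(r["user"])
        previous[r["user"]] = r
        if r["ts"] < cutoff:
            continue
        reasons = []
        profile = baselines.get(r["user"])
        if profile is None:
            reasons.append("no baseline")
        else:
            if r["country"] not in profile["countries"]:
                reasons.append("new country")
            if r["device"] not in profile["devices"]:
                reasons.append("new device")
            near = {h for b in profile["hours"]
                    for h in ((b - 1) % 24, b, (b + 1) % 24)}
            if r["ts"].hour not in near:
                reasons.append("unusual hour")
        # Two countries within the travel window is physically implausible.
        if (prev and prev["country"] != r["country"]
                and r["ts"] - prev["ts"] < TRAVEL_WINDOW):
            reasons.append("impossible travel")
        if reasons:
            alerts.append({"user": r["user"], "ts": r["ts"].isoformat(),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOGINS, CUTOFF):
        print(alert)
```

Note that the second alert for alice is raised purely by sequence: that login looks entirely normal on its own, and only the comparison with the preceding login from another country makes it suspicious. Per-user history is what gives identity-based monitoring that context.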

Identity has become both one of the most valuable resources that an organization has and, at the same time, a first line of defense against attackers and misuse.

Identity as a defense mechanism

Fortunately, identity is that next layer of security. Combining multifactor authentication with a centralized identity management system that can track, audit, and manage user authentication, what a user can do, what the users do, and details of the systems and applications they use can provide both insight and control. Identity is the common security layer across all your resources, regardless of whether they're in the cloud, on mobile, or in your datacenter.

As attacks change from network-borne attacks, which focus on vulnerable services, to attacks that use preexisting credentials to penetrate secure networks, identity is the first line of defense. Attackers who are seeking a foothold only need to compromise a single account to get access to the more vulnerable interior of most networks. That means that identity has to be considered both a potential way in and a crucial defense mechanism. I show you how to use it to secure your organization in Chapter 3.

Chapter 3
Architecting Security Using Identity

In This Chapter
• Using identity to provide security
• Designing a security perimeter that meets today's challenges
• Looking at the services an identity platform should provide
• Tackling compliance and auditing with identity platform services

The way that organizations provide IT services, where and how they are consumed, and who needs to access them are undergoing massive changes. Cloud and hosted computing, big data services and systems, broad adoption of mobile computing and devices, and diverse user populations mean new methods of providing security are critical. Identity can provide a flexible way to secure both new and traditional systems and data.

In this chapter, I discuss how identity can be used to create a security perimeter that can support the changes that modern IT environments are facing. I look at the services and capabilities that an identity platform needs to provide security, and I explain how to provide compliance and auditing using the same platform.

Architecting a Modern Security Perimeter

A modern security perimeter has to combine traditional perimeter defenses with additional layers that can handle hybrid infrastructure, new styles of work, and new ways of connecting. At the same time, both the traditional defenses and the new layers need to be designed to handle current threats like targeted phishing attacks, insider threats, and, of course, advanced persistent threats.

A complete security plan will partner the traditional security layers like firewalls, IDS and IPS systems, and antivirus software with an identity platform that can provide user and privileged account-level security, as well as audit and control over user access and administration of accounts.

Identity-based defenses

Identity can be used both as a separate protective layer and as a way to enhance traditional perimeter defenses. Here are a few examples of how identity can be used to provide protection for your systems and data:

• Proof of identity and rights management for mobile and remote users
• Support for multifactor authentication, a key technology when you need to protect against compromised credentials
• Rights management to protect against attackers or insiders leveraging one set of privileges to attack other systems from a toehold inside your infrastructure
• Strong controls for privileged accounts, including monitoring, auditing, and tracking to keep your administrators and other power users from being a threat
• Protection against malware and other nonhuman attacks by requiring user interaction and monitoring how, when, and even where accounts are used

These and other capabilities provided by an identity solution can help protect in ways that traditional defenses can't. Fortunately, those defenses can benefit from being paired with identity.

Traditional perimeter defenses

Layered security is a necessity in cyber security, and traditional defenses are found in almost every organization's plan. These defenses were often built under the assumption that all data could be surrounded by a firewall, and that most threats will come from outside the organizational network. In some cases, designs protect critical infrastructure from most users, but ignore the unanticipated risks originating from administrators and insiders with privileged access, which raises threat exposure and the likelihood of failed audits.

Here are a few of the most common traditional perimeter defenses and details on how they can pair with identity to create a stronger security perimeter.

Firewalls

Firewalls are normally used to separate network segments, either to keep a trusted network separate from a lower security zone, or to provide network separation for differing groups or systems. Firewalls can help prevent network attacks from outside by blocking attacks against vulnerable services, but some traffic is required to be allowed through for services to work.

If you need to do more than control traffic, look at the more advanced capabilities many security appliances can provide; then integrate the firewall with your identity platform to provide centralized visibility and access control, a common authentication experience, and reduced administrative burden based on a common definition of user identity and security group membership.

Intrusion detection and intrusion prevention systems

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are used to detect or stop attacks. Integrating an IPS or an IDS with an identity platform can allow you to specifically permit traffic for administrative users, or to monitor for specific types of traffic for some groups and not others.


Network devices

Network devices come in many flavors: switches, routers, wireless access points and controllers, and many others. Most of these devices have some security capabilities, and an increasing number are designed to provide enhanced security out of the box. Integration with an identity platform can help make sure that privileged accounts are secure, and that the actions taken by administrators are logged and audited. Of course, the ability to make sure you don't have forgotten or abandoned accounts lurking on key network devices can be a big security bonus, too!

You'll also probably want to integrate identity into your security monitoring and management system. Centrify's Privilege Service makes this easier by associating all activity with an individual, making it easier to provide complete accountability. That also keeps your security staff from having to invest effort into correlating that activity manually across many systems or silos of identity.

Exploring the Identity Platform

A capable identity platform can provide additional security controls while also enhancing the capabilities and security of your existing traditional security layers. There are a number of key features found in identity platforms, including single sign-on, multifactor authentication, mobile management, privileged access security, and session monitoring.

Single sign-on

When users are faced with a multitude of accounts and passwords to remember, they often solve the problem by reusing passwords or by using weak passwords. Not only does single sign-on help solve that problem, but it also provides a single place to enforce strong authentication requirements. Using single sign-on also helps reduce the likelihood that forgotten or abandoned accounts will haunt your organization, since you can manage accounts centrally rather than on individual servers or services.

Multifactor authentication

Multifactor authentication is incredibly important when you're trying to prevent attackers from using compromised credentials. Passwords are often easy to acquire through phishing scams, by brute-force attacks, or because systems are compromised and user passwords are captured by malware packages and sent back to their creators.

Multifactor authentication can prevent stolen passwords from resulting in compromise of your data and systems. Accounts that are protected with multifactor authentication cannot be accessed with a compromised password alone. Users must provide one or more additional factors, like a code from a key-fob-style token or an approval via a smartphone app, which means attackers who gain access to usernames and passwords don't have all they need to break in.

Provisioning and lifecycle management

Provisioning is the creation of user accounts and the roles, groups, rules, and related settings that allow users to perform their work. Provisioning also enables users to be productive on day one with the appropriate access, authorization, and client configuration across their devices.

The role of provisioning in the identity-based security model is important because provisioning determines who has what rights, on what systems and applications. The identity platform needs to provide workflows that support the right users getting the correct settings in a monitored and auditable way.

IT staff know that accounts are difficult to manage. Employees are often given more access than they need, and that access frequently follows them through their careers as they amass more and more rights over time and as their positions change. Unused accounts and accounts for employees and other users who no longer need them also tend to stay around longer than they should. That's why centralized account lifecycle management is a key identity platform service. The ability to quickly and easily review rights against what an employee's actual role is, and to ensure that those rights change appropriately as the employee's job and needs change, is crucial to the use of identity as a defense mechanism.

Management of unused accounts should be as simple as terminating unneeded accounts or changing role membership, but it can be difficult to tell the difference between an unused account and a rarely used but critical account, or one that belongs to a staff member on vacation, especially if your human resources department isn't keeping close tabs on the status of employees. When you add in third-party contractors, vendors, or customers, you'll find you have even more accounts that are a challenge to track. Managing lifecycle centrally and in a highly visible and accessible way using a central identity platform can help close those gaps.

No matter how good your identity platform is, bad data and staff who aren't making sure that employee (or other user) status changes get handled can leave gaps in your security. Implement automation wherever possible, remember the people side of security, and make sure you test your processes in parallel with your technology!
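The review described in this section, rights checked against an employee's actual role and unused accounts separated from on-leave and critical ones, is the kind of automation the last paragraph recommends. Below is an added example of that reconciliation (not code from the book or Centrify): a directory export is compared with an HR status feed and a role-to-group mapping. The account records, HR records, role mapping, 90-day staleness threshold, and review date are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed directory export: account name, last login, group membership.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2016, 3, 10), "groups": {"staff", "finance-ro"}},
    {"user": "bob", "last_login": date(2015, 11, 2), "groups": {"staff"}},
    {"user": "carol", "last_login": date(2016, 2, 1), "groups": {"staff", "domain-admins"}},
    {"user": "dave", "last_login": date(2016, 3, 1), "groups": {"staff", "finance-rw"}},
    {"user": "svc-backup", "last_login": date(2015, 6, 1), "groups": {"backup-operators"}},
    {"user": "erin", "last_login": date(2015, 12, 15), "groups": {"staff"}},
]

# Constructed HR feed: employment status and job role per person.
HR_FEED = {
    "alice": {"status": "active", "role": "analyst"},
    "bob": {"status": "active", "role": "engineer"},
    "carol": {"status": "terminated", "role": "sysadmin"},
    "dave": {"status": "active", "role": "analyst"},
    "erin": {"status": "leave", "role": "engineer"},
}

# Constructed role model: the groups each job role is entitled to.
ROLE_GROUPS = {
    "analyst": {"staff", "finance-ro"},
    "engineer": {"staff"},
    "sysadmin": {"staff", "domain-admins"},
}

STALE_AFTER = timedelta(days=90)    # constructed threshold for "unused"
AS_OF = date(2016, 3, 15)           # constructed review date


def review_accounts(accounts, hr, role_groups, as_of=AS_OF):
    """Reconcile directory accounts with HR status and role entitlements.

    Returns four lists:
      disable       - HR says the person has left; the account must go
      orphan        - no HR record at all (service or forgotten accounts)
      stale         - active employee who has not logged in for STALE_AFTER;
                      staff on leave are deliberately excluded from this list
      excess_rights - groups beyond what the person's role entitles them to
    """
    findings = {"disable": [], "orphan": [], "stale": [], "excess_rights": []}
    for acct in accounts:
        record = hr.get(acct["user"])
        if record is None:
            findings["orphan"].append(acct["user"])
            continue
        if record["status"] == "terminated":
            findings["disable"].append(acct["user"])
            continue
        if (record["status"] == "active"
                and as_of - acct["last_login"] > STALE_AFTER):
            findings["stale"].append(acct["user"])
        extra = acct["groups"] - role_groups.get(record["role"], set())
        if extra:
            findings["excess_rights"].append((acct["user"], sorted(extra)))
    return findings


if __name__ == "__main__":
    for category, items in review_accounts(ACCOUNTS, HR_FEED, ROLE_GROUPS).items():
        print(f"{category}: {items}")
```

The orphan list is where the "bad data" problem shows up: an account with no owner in HR cannot be judged by status at all, so it needs a human owner assigned before the automation can do anything useful with it.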

Mobility and device management

If you polled the mobile device users that you know, how many would honestly answer that they have a passcode, PIN, or swipe-to-unlock set up on their mobile device? Each mobile device is a potential attack vector, and that means that an identity management platform needs to extend not only to applications, but also to mobile devices. In this way, IT can secure applications, the devices that access those apps, and the data that resides on those devices as well.

Secure remote access

Remote access is a necessity with a mobile workforce, but providing secure remote access can be difficult. Two of the most common solutions are VPNs and application gateways (ALGs). VPNs rely on identity to authenticate users and to place them in appropriate networks based on who they are. ALGs protect applications by proxying data without providing broader access to the network, and can use identity to establish which applications can be accessed by particular users. An identity platform with strong workflow capabilities and business logic designed to put users in the right groups with appropriate logging and monitoring can enable secure remote access management regardless of how many different ways your organization phones home.

Privileged access management and security

In many organizations, privileged users log into servers, applications, network devices, and databases using shared administrative accounts such as root or local administrator accounts. These accounts are the proverbial keys to the kingdom that account for the majority of malicious exploitation (or unintended misuse) of access to sensitive data, providing the ability to delete or damage critical systems. Privileged access security is critical to the defense against cyber threats, in order to verify and protect access to these privileged accounts.

You can help solve this problem if you invest in an identity management solution that has the capability to associate privileged activity with an individual rather than a shared account. You should also focus on solutions that only allow users to elevate their privileges specifically for what they need to do, when they need to do it. Privileged account management helps to ensure that users use their own accounts most of the time, and that they only have the rights that they need. In special cases, like emergency support or for service functionality, it ensures that access to nonhuman accounts like service accounts, root, and admin credentials is logged and passwords are automatically changed after use.

Productivity improves when access, privilege, and audit policies are managed from a centralized point of control. This can be a lot easier if you use your existing Active Directory infrastructure, then invest in bridging technologies to manage a much broader set of systems (Windows, Linux, UNIX), endpoints (Windows, Mac, mobile devices), and applications (on premises, SaaS, mobile) without introducing redundant and costly new infrastructure.


Privileged session monitoring

The need to monitor what privileged users like system administrators and other power users do is pretty obvious, but how to do it can be a challenge. Power users frequently have sweeping rights to change systems, including the logs that might capture their accounts being misused. Centralizing that capability, capturing all details including a full session recording, and using secure, auditable monitoring and reporting can make it a lot easier to ensure that privileged accounts are secure.

The other side of privileged account monitoring is tracking the rights that make an account privileged. If attackers can add rights to a normal user's account that result in it being able to perform the same actions that an administrator can, without that change being noticed, they can cause major damage! A strong identity platform should allow you to monitor both how and where privileged accounts are being used, and how, when, and by whom the rights that make up those special privileges are being granted.

Consolidating Identity Silos

Many organizations have multiple stores of identity scattered throughout their infrastructure. Sometimes that means that individual systems or services have their own identity stores, but often the differences occur at organizational boundaries or due to differences in systems. These identity silos represent both complexity and risk.

Consolidating identity silos through a centralized identity management platform allows a single view of identity throughout the organization, and thus a single place to control new users, their access and account lifecycle, and their eventual removal. Instead of having to account for each identity individually throughout a diverse infrastructure, centralization allows time to be spent enabling access and ensuring that it is secure.


Using Identity Platform Services for Compliance and Auditing

An identity platform may not be the first thing you think of when you consider compliance and auditing, but access to systems and data is often the first thing that you should look at. Reporting details of who had access to what, and what they have done with that access, as well as the ability to certify the technical process and procedures, is important when reporting your organization's status.

Access auditing and reporting

Auditing won't prevent compromises, but it can help detect both attacks and attempts to exploit access. Identity-based security relies on auditing and reporting, including the following key functions:

• Identifying privileged accounts and capturing privileged access and activity
• Providing detailed reporting on rights, groups, and correlation of roles and access
• Automated reporting for violations and potential issues
• Detecting unused or remnant accounts that should be addressed

These aren't all the audit and reporting features that an identity platform can provide, but using these features can be a big part of providing greater security insight by using the platform.
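The first two functions in the list above, and the "Privileged session monitoring" point earlier in this chapter about watching how, when, and by whom privileged rights are granted, can be shown together. The following is an added example, not code from the book or Centrify: it builds an inventory of privileged accounts from a group-membership snapshot, then reviews an audit trail of group changes and flags grants into privileged groups that are self-granted, made by a non-privileged actor, made without a change ticket, or made outside a change window. The set of privileged groups, the membership snapshot, the JSON audit events, and the 07:00 to 19:00 change window are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed policy: groups whose membership confers administrative rights.
PRIVILEGED_GROUPS = {"domain-admins", "root-equivalent", "db-admins"}

# Constructed directory snapshot of current group membership.
MEMBERSHIP = {
    "domain-admins": {"carol", "ops-admin"},
    "db-admins": {"dave"},
    "staff": {"alice", "bob", "carol", "dave"},
}

# Constructed audit events, one JSON object per line (not real log output).
AUDIT_EVENTS = """
{"ts": "2016-03-14T10:05:00", "actor": "ops-admin", "action": "group_add", "group": "staff", "target": "frank", "ticket": "CHG-1001"}
{"ts": "2016-03-14T10:07:00", "actor": "ops-admin", "action": "group_add", "group": "db-admins", "target": "alice", "ticket": "CHG-1002"}
{"ts": "2016-03-14T23:41:00", "actor": "bob", "action": "group_add", "group": "domain-admins", "target": "bob", "ticket": null}
{"ts": "2016-03-15T02:15:00", "actor": "svc-deploy", "action": "group_add", "group": "root-equivalent", "target": "eve", "ticket": null}
{"ts": "2016-03-15T09:00:00", "action": "group_remove", "actor": "ops-admin", "group": "db-admins", "target": "dave", "ticket": "CHG-1003"}
"""

CHANGE_WINDOW = (7, 19)     # constructed: privileged changes expected 07:00-19:00


def privileged_accounts(membership, privileged_groups=PRIVILEGED_GROUPS):
    """Inventory of who currently holds privileged rights, and via which groups."""
    inventory = defaultdict(set)
    for group, members in membership.items():
        if group in privileged_groups:
            for member in members:
                inventory[member].add(group)
    return {user: sorted(groups) for user, groups in inventory.items()}


def audit_privilege_grants(event_lines, membership,
                           privileged_groups=PRIVILEGED_GROUPS):
    """Report every grant into a privileged group, with the reasons it is
    suspicious (an empty reason list means a routine, ticketed change)."""
    admins = set(privileged_accounts(membership, privileged_groups))
    findings = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        if ev["action"] != "group_add" or ev["group"] not in privileged_groups:
            continue
        reasons = []
        if ev["actor"] == ev["target"]:
            reasons.append("self-grant")
        if ev["actor"] not in admins:
            reasons.append("actor is not a privileged account")
        if not ev.get("ticket"):
            reasons.append("no change ticket")
        hour = int(ev["ts"][11:13])
        if not (CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]):
            reasons.append("outside change window")
        findings.append({
            "ts": ev["ts"], "actor": ev["actor"], "target": ev["target"],
            "group": ev["group"],
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    print("privileged accounts:", privileged_accounts(MEMBERSHIP))
    for finding in audit_privilege_grants(AUDIT_EVENTS, MEMBERSHIP):
        print(finding)
```

The routine grant (alice into db-admins, ticketed, by an existing administrator, during the day) is still recorded with severity "info": the audit requirement is to capture every privileged-rights change, not only the alarming ones, so that a later review can show who held what and why.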

Continuous compliance

Almost every industry faces some form of compliance requirements, whether they're local, state, national, or international laws, or they're part of contractual obligations. The increasing need for compliance means that being able to prove compliance quickly and easily can be a big win for your organization.


Compliance at a single point in time is necessary to pass an audit, but implementing security best practices with an identity management platform will keep you in a continuous state of compliance and allow you to better protect your organization against cyberthreats. The idea of continuous compliance is gaining ground over point-in-time certifications, and a strong identity platform that provides best-practice security services can make the difference between an issue that is quickly detected and handled and an audit finding or major compliance issue.

Many organizations have discovered that although they were regularly tested for compliance, that didn't mean they were secure! Most compliance checks focus on a point-in-time assessment, and being compliant with a standard like PCI DSS doesn't mean that you can't be hacked (or haven't been already!). It just means you meet the requirements in the standard.

Chapter 4
Deploying an Identity Platform for Security

In This Chapter
• Using Identity as a Service
• Securing privileged access
• Delivering anytime, anywhere access
• Avoiding conversion pitfalls

A modern identity platform provides software and services to centralize the management of identity and access across today's hybrid IT environment of the datacenter, cloud, and mobile. An identity platform typically includes a directory infrastructure for users and resources; management and enforcement of policy on systems, apps, and devices; and auditing and reporting of access and activity.

In this chapter, I walk you through deploying Identity as a Service, implementation of privileged access security, delivering anywhere and anytime access to corporate resources, and avoiding common pitfalls by partnering with the right vendor.

Introducing Identity as a Service

Identity as a Service (IDaaS) is a cloud service that provides identity and access management services for users, apps, systems, and devices. Cloud identity services typically include the following capabilities:

• User access services: User directory, authentication, single sign-on, multifactor authentication, authorization management, and enforcement.
• Support for federation: This allows identification data to be used between enterprises. Federation can make outsourcing easier by removing the challenges of maintaining identity information for third-party users.
• Enterprise Mobility Management: Mac and mobile device configuration and security, mobile app management, mobile identity, and mobile device self-service.
• Administration and governance services: Provisioning, business process and policy enforcement systems, as well as workflow, self-service, and related services.
• Reporting and intelligence capabilities: Logging, report and alert generation, and compliance functionality.

IDaaS allows you to outsource the work of maintaining an identity platform for users, apps, and devices, and to focus those resources on implementation, integration, and support of identity services. As a cloud service, it can provide scalability, strong business continuity and disaster recovery capabilities, and the ability to more directly control your costs associated with growth and service lifecycles.

Employees, contractors, partners, suppliers, and even customers all need secure access to corporate resources, whether they're accessed from on-premises or remotely and regardless of where the resources are located. Delivering secure anywhere and anytime access to corporate resources is the key objective for a modern identity platform.

Using a Cloud Identity Platform


A cloud identity platform has a number of key components. These include provisioning, single sign-on, and multifactor authentication services layered on top of a central directory, a policy engine, an authentication engine, and of course, a full-featured reporting system.

In Figure 4-1, you can see Centrify's cloud identity service architecture. Note the portal-based design for access, as well as the connector for on-premise solutions that links them to the cloud service. That connector allows existing on-premise systems to integrate with the cloud platform, leveraging data and identities that may have years of effort already invested in them.

Figure 4-1: Centrify's cloud platform architecture.

Cloud directories
If you don't already have an on-premise directory, or want to centralize existing directory information from multiple sources like Active Directory and LDAP, a cloud directory is a key component of a cloud identity platform. If you already have existing directories, you can still use the cloud directory for users that aren't currently managed, such as partners or customers.

Directory bridging
If you want to use your existing directories with a cloud identity platform, you need a way to bridge between them. A connector that is aware of Active Directory can enable single sign-on and policy management across both the on-premise and cloud environments while making on-premise apps and systems available to remote users through the cloud platform without a VPN.

Some vendors require that you synchronize passwords or even your entire directory to their service to make it work. Avoiding that helps you be sure your passwords and other data are only where you expect them to be, properly secured in your identity platform.

Cloud identities
Many organizations have faced an explosion of cloud and mobile applications adopted by their users without any approval or review from IT. Cloud services and many mobile applications that rely on a cloud service backend have their own identities associated with them. If your users are storing your organization's data in services that aren't connected to your identity platform, not only will you lose access to it if they leave the organization, but they can retain access to the data even if you remove their access to central systems!

There are a few ways to address this, such as banning unapproved applications or requiring mobile application management, but in today's consumerized technology world, saying no typically just makes users go around approvals. Instead, you can choose to integrate with cloud services via standards like SAML and by supporting OAuth. Making your organization's credentials work in cloud services, and then making it easy to do so, can be a big win and help slow down the flood of your data heading to cloud services you can't control.

Authentication engine
An authentication engine validates that a user is who they claim to be by verifying a username and password, asking for additional factors of authentication, and applying logic to determine if the access request is valid. Once validated, additional tokens or credentials may need to be created to facilitate access to the requested resource, such as a SaaS application or Linux system.

An authentication engine should be able to enforce access based on who a user is, as well as her attributes. Those can include things like the time, location, application, or device she's using and the network she is on.

Policy engine
The business rules that are applied to identity are a major part of the security provided by identities. A policy engine with an easy-to-use interface that helps you build easily understandable policies to control and manage identity is a key part of a cloud identity platform. A policy engine should be able to enforce requirements based on a user; his attributes; the time, location, or device he's using; as well as what network or what application he's using.

A policy engine is what powers the provisioning engine, and ensures that only the proper users and rights are provisioned. It's also what powers the ongoing monitoring for deviation from the intended policies.

Reporting and dashboarding engine
A robust reporting and dashboarding engine should not only provide dozens of pre-canned reports and out-of-the-box dashboards but also allow customization of existing reports, creation of new reports, and the ability to export data so that you can integrate it with monitoring systems you may already have.

Privileged Access Security for On-Premises and Cloud-Based Infrastructure
One of the major reasons to consider an identity platform is to provide strong account, privilege, and role management for on-site and off-site infrastructure. That can include ways to integrate your existing directories, removing issues with siloed identities and accounts, and ensuring that the right requirements are enforced throughout a complex set of systems and applications. Fortunately, an identity platform can help!

Directory integration
Using a single directory platform like Active Directory to manage non-Windows systems (like network devices, Linux, and Unix systems) can also be a powerful advantage. If you use Active Directory, you can save time by using your existing security groups and policies with a platform that integrates with what you already have.

If you have an Active Directory infrastructure deployed, you can make your life simpler by making the most of the effort you already have invested in it. Because directories are the core of any identity management system, using your existing directories can make a big difference in how fast you can get up to speed with an identity platform. To make things even simpler, you can select a platform like the Centrify Identity Platform, which allows you to leverage Active Directory for your cloud, on-premise, and hybrid environments based on your needs and organizational requirements.

Active Directory integration can be a big benefit if Microsoft technologies play a role in your IT infrastructure. Imagine adding Linux, Unix, and Mac machines to Active Directory, and using the same credentials across environments. Expanding existing Active Directory group policies across diverse platforms can be a challenge, but using your existing investment to manage non-Windows systems can help simplify the effort.

Identity consolidation
Strong security practices require users to log in as themselves, rather than via shared or anonymous accounts. Unfortunately, organizations with hundreds or thousands of Unix and Linux systems are often plagued with managing identity on individual systems. With so many independent and often overlapping identity silos, consolidating identity into a single directory can be challenging and time-consuming. A modern identity platform can quickly consolidate user accounts and groups into a single directory and enforce separation of administrative duties.

Least-privilege access
In addition to making sure that users log in as themselves, it's important to implement least-privilege access (access that provides the minimum set of rights that a user needs to accomplish his job). Using least-privilege access limits the potential damage from security breaches and prevents users from improper or accidental activities.

To get the most benefit out of least-privilege access, make sure you control exactly who can access what and when. That means you'll need to configure privileges so that users can only elevate privileges appropriate for their job function, at specific times, for a limited length of time, and on appropriate servers. A modern identity platform should be able to centrally manage least-privilege policies in a cross-platform manner across Windows, Linux, and UNIX as well as network devices.
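The policy and authentication engines described earlier, and the least-privilege elevation rules above, come down to evaluating a request against who the user is and the context of the request. The following is an added example, not Centrify's code or any product API: a small rule evaluator that grants elevation only when the user's directory group, the target server, the command and the time window all match, and steps up to MFA when the source network or device posture is weaker. The groups, hosts, networks and rules are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # directory group memberships (e.g. from AD)
    server: str             # target host name
    command: str            # privileged command the user wants to run
    source_ip: str          # where the session comes from
    device_compliant: bool  # device posture as reported by EMM/MDM
    at: datetime            # when the request is made


@dataclass(frozen=True)
class ElevationRule:
    name: str
    group: str              # directory group allowed to use this rule
    server_prefix: str      # applies to hosts whose name starts with this
    commands: tuple         # commands that may be elevated
    window: tuple           # (start, end) clock times when elevation is allowed
    max_minutes: int        # how long an approved elevation lasts

    def matches(self, req: Request) -> bool:
        start, end = self.window
        return (self.group in req.groups
                and req.server.startswith(self.server_prefix)
                and req.command in self.commands
                and start <= req.at.time() <= end)


# Constructed sample policy; a real platform would load this from its policy store.
CORPORATE_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24"))
RULES = (
    ElevationRule("db-maintenance", "dba", "db-", ("systemctl", "pg_ctl"),
                  (time(8, 0), time(18, 0)), max_minutes=60),
    ElevationRule("web-deploy", "webops", "web-", ("systemctl",),
                  (time(0, 0), time.max), max_minutes=30),
)


def decide(req: Request, rules=RULES, networks=CORPORATE_NETWORKS):
    """Return (decision, detail); decision is 'allow', 'mfa' or 'deny'."""
    rule = next((r for r in rules if r.matches(req)), None)
    if rule is None:
        # No rule covers this user, server, command and time: least privilege says no.
        return "deny", "no elevation rule matches the request"
    on_corporate_net = any(ip_address(req.source_ip) in n for n in networks)
    if not on_corporate_net or not req.device_compliant:
        # Identity checks out but the context is weaker: step up to MFA first.
        return "mfa", f"{rule.name}: step-up authentication required"
    return "allow", f"{rule.name}: elevated for {rule.max_minutes} minutes"


def run_samples():
    """Evaluate constructed requests; returns {case: decision}."""
    dba, web = frozenset({"dba"}), frozenset({"webops"})
    cases = {
        "dba_in_hours": Request("alice", dba, "db-01", "pg_ctl", "10.1.2.3", True, datetime(2016, 6, 1, 10, 0)),
        "dba_after_hours": Request("alice", dba, "db-01", "pg_ctl", "10.1.2.3", True, datetime(2016, 6, 1, 22, 0)),
        "dba_wrong_server": Request("alice", dba, "web-01", "systemctl", "10.1.2.3", True, datetime(2016, 6, 1, 10, 0)),
        "webops_from_home": Request("bob", web, "web-07", "systemctl", "203.0.113.9", True, datetime(2016, 6, 1, 3, 0)),
        "webops_bad_device": Request("bob", web, "web-07", "systemctl", "10.9.9.9", False, datetime(2016, 6, 1, 3, 0)),
    }
    return {name: decide(req)[0] for name, req in cases.items()}
```

The same shape of check applies to application access in the authentication engine: a missing rule is a deny, and a weaker context turns an allow into a step-up rather than a silent grant.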

Securing systems and applications can result in a complex web of rights and roles, and ensuring least privilege can be a challenge. It helps to have built-in tools designed to work with the applications and operating systems you use. Centrify's Application Rights builder, shown in Figure 4-2, is an example of how prebuilt rights models can speed up your deployment and keep complex rights management from being a nightmare.

Figure 4-2: Centrify's Application Rights builder.

Shared account password management
In an ideal world, we would eliminate all privileged shared accounts and throw a major wrench into the process for attackers. However, there are occasions where you cannot delete or disable a privileged account, such as local administrator, root, legacy application administrative accounts, or network device accounts. In those cases, limiting risk by using the shared account password management (SAPM) features of the Identity Platform can make a big difference.

Using a cloud identity platform can make SAPM a lot more powerful, because it allows you to use SAPM across hybrid cloud infrastructures, as well as for use cases that on-site SAPM can't serve. Make sure your solution can support anytime, anywhere remote access to on-premises and cloud-based resources, secure VPN-less resource access, outsourced IT and contractor login, and multiple Identity Provider (IDP) support.

Modern SAPM capabilities should be delivered as a service in the cloud to extend beyond basic password management and future-proof your identity and security strategy. In the classic break-glass scenario explained next, a legacy on-premises SAPM solution is inaccessible if the network is down. A SAPM in the cloud is resilient to your network outages and accessible to every valid user, anytime, from any device.

Break-glass scenarios
In the last-ditch case where a system is down, no network access is available, and an administrator needs a root password or local administrator account, an identity platform can allow authorized IT users to check out passwords for system accounts for a limited duration and then automatically change the password after the checkout expires. This also ensures that you'll have an audit trail available to review after the issue is resolved.
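The checkout, expiry, rotation and audit-trail behaviour described above, as an added example that is not Centrify's code: a minimal shared-account vault that hands out a password only to an authorized user for a fixed duration, rotates the account when the checkout lapses or is returned, and records every event. The account name, users and timestamps are constructed; the rotation only replaces the stored secret, since pushing it to the real system is out of scope here.

```python
import secrets
from datetime import datetime, timedelta


class SharedAccountVault:
    """Holds passwords for accounts that cannot be removed (root, local admin,
    legacy app admin, network device logins) and hands them out only on checkout."""

    def __init__(self, authorized, ttl_minutes=30):
        # authorized: {account: set of users allowed to check it out}
        self._authorized = authorized
        self._passwords = {acct: secrets.token_urlsafe(24) for acct in authorized}
        self._checkouts = {}          # account -> (user, expires)
        self._ttl = timedelta(minutes=ttl_minutes)
        self.audit = []               # append-only trail: (time, event, account, user)

    def _log(self, now, event, account, user):
        self.audit.append((now.isoformat(), event, account, user))

    def _rotate(self, account, now):
        # Rotation is simulated: a real SAPM would set the new password on the
        # target system before discarding the old one.
        self._passwords[account] = secrets.token_urlsafe(24)
        self._checkouts.pop(account, None)
        self._log(now, "password_rotated", account, "system")

    def expire(self, now):
        """Rotate every account whose checkout has lapsed."""
        for account, (user, expires) in list(self._checkouts.items()):
            if now >= expires:
                self._log(now, "checkout_expired", account, user)
                self._rotate(account, now)

    def checkout(self, account, user, now):
        """Return the password for `user`, or None if the request is refused."""
        self.expire(now)
        if user not in self._authorized.get(account, ()):
            self._log(now, "checkout_denied", account, user)
            return None
        holder = self._checkouts.get(account)
        if holder is not None and holder[0] != user:
            self._log(now, "checkout_blocked", account, user)  # someone else holds it
            return None
        self._checkouts[account] = (user, now + self._ttl)
        self._log(now, "checkout", account, user)
        return self._passwords[account]

    def checkin(self, account, user, now):
        """Early return of a password; the account is rotated immediately."""
        holder = self._checkouts.get(account)
        if holder is None or holder[0] != user:
            return False
        self._log(now, "checkin", account, user)
        self._rotate(account, now)
        return True


def run_break_glass_scenario():
    """Constructed walk-through of an outage; returns the values worth checking."""
    vault = SharedAccountVault({"db-01/root": {"alice"}}, ttl_minutes=30)
    t0 = datetime(2016, 6, 1, 2, 0)
    first = vault.checkout("db-01/root", "alice", t0)                       # alice needs root
    refused = vault.checkout("db-01/root", "bob", t0)                       # not authorized
    second = vault.checkout("db-01/root", "alice", t0 + timedelta(minutes=45))  # lapsed, rotated
    events = [event for _, event, _, _ in vault.audit]
    return {"first": first, "refused": refused, "second": second, "events": events}
```

The audit list is what you would review after the outage: who checked out which account, when the checkout lapsed, and that the password was rotated before it could be reused.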

Privileged session monitoring
You can simplify compliance and speed up forensic discovery by capturing all privileged activity across all your servers. Privileged session monitoring can record fully indexed sessions, including video of the actions taken, which allows you to track exactly who did what, when, and on which server, regardless of whether the user is logged in as herself or as a shared account. Once the sessions have been recorded, privileged session monitoring allows you to view session summaries or pinpoint specific activity by searching event data and video capture of sessions on Windows, Linux, and Unix systems, and network devices.

A modern identity platform should be fully integrated with least-privilege management to ensure that all privileged activity is captured and to leverage the session activity to ease the burden of defining privileged access rules.

Unified IAM, which occurs when an identity service provides a complete service across both internal and external datacenters, as well as mobile applications and cloud services, can be a powerful tool. It can provide better security and data protection, easier compliance, central monitoring, and easier integration with partners and applications. It can also help customers and users have a better experience wherever they use their credentials.

Delivering Anywhere, Anytime Access
Users, including remote workers, contractors, vendors, and partners, all need to access corporate resources outside the traditional network perimeter. Do you really want to give them all a VPN connection? An identity platform can facilitate access to corporate resources without requiring a VPN and ensure security through multifactor authentication and access policies.

Remote access to applications without a VPN
Increasingly, enterprise applications such as SharePoint are not only used by employees on the corporate network but also shared with remote workers, contractors, and partners. An identity platform like Centrify's, which provides an App Gateway through the Centrify portal, can facilitate access to on-premises web apps by proxying the web app without requiring direct network access via a VPN.

Secure remote session management for IT
IT administration of servers and network devices is no longer performed only by in-house staff. An identity platform can proxy server sessions over Remote Desktop Protocol (RDP) and Secure Shell (SSH) through the web, without requiring direct network access and without any client software.

Remotely managing critical resources comes with security challenges, which means that multifactor authentication that understands the context users are operating in is important. An identity platform can match authentication requirements to systems and rights, and can allow you to watch, and even terminate, suspicious sessions. Of course, using an identity platform also ensures that every session is recorded for auditing and compliance purposes.

Avoiding Identity Platform Conversion Pitfalls
Deploying an identity platform can be daunting, so it pays to consider implementation challenges up front. Be sure to think through integration with existing directories, rights and role management, and how the platform and vendor enable your migration.

Migration support
Migrating to an identity platform can impact many systems,
and may take a lot of time to execute. If you set out without
strong migration support, you can spend a massive amount of
time building out capabilities you already have. That means
that a platform that provides wizards and migration tools can
be a big part of your success.

Make sure your chosen platform works with the infrastructure you use, whether that is Windows, Linux, Unix, network devices, Mac, iOS, Android, SaaS apps, on-premise apps, or something else. If you leave behind chunks of your user base, you'll quickly find that your users are working around your unified identity platform.

Automation
When you've moved to your new identity platform, you'll be ready to conduct your day-to-day operations. This is where automation comes in. To make your platform work well for you, you should:

• Identify your most common tasks and processes.

• Analyze how those tasks and processes result in workflows.

• Use the platform's automation tools to deal with as much of the work as possible, freeing you up to spend time handling special cases and monitoring for and fixing problems.

Vendor partnership
Identity platforms offer a lot of benefits, but they can take a lot of time if you don't use their capabilities well. Make sure you select a vendor who has helped other organizations like your own make the move. While it may seem obvious, it's still a good idea to involve your vendor in your migration even if you have a lot of in-house talent; their expertise can save you a lot of time and effort! Make sure to pick a vendor that has a proven track record with strong customer references, and make sure those references report high levels of success and satisfaction.

Chapter 5
Ten Things to Look for in an Identity Platform
In This Chapter
• Recognizing ten key features of identity platforms
• Understanding what to look for when selecting an identity platform

There's a lot to contemplate when you're considering an identity platform. You need a platform that can support your evolving IT environment while acting as an additional layer of security for your organization. Identity platforms typically have a long lifecycle, which means that choosing the right platform from the right vendor is really important.

Here are ten items that should be at the top of your list of
considerations:

• Comprehensive management across servers, devices, apps, and users: The ability to manage identity both in the cloud and on-premises, and across all the types of devices, systems, and software you use, is a big part of your identity platform's success.

• Ease of integration: Look for an identity platform that makes integrating with your existing and future IT environment easy. Your chosen platform should have out-of-the-box support for your datacenter systems, applications, cloud services, devices, and other integration points that matter to you.

• Single sign-on: Supporting single sign-on makes a big difference in user acceptance and gives you a central place for access control. Choose a platform that makes single sign-on as transparent to your users as possible, and you'll save time and money on support.

• Multifactor authentication: Multifactor authentication is critical to keeping your organization secure. Look for an MFA model that works well for how your staff works and is integrated into a single solution across servers, apps, and devices.

• Federation support: If your prime directive is to connect to your partners or to third-party services (like SaaS), the ability to use federated sign-ons is critical. Look for a platform that can work with federation standards like SAML.

• Application access control management: A platform that makes granular, group-based, highly usable application access management a priority is a huge win when you're facing a multitude of applications that each need access control managed. Having it built in and easy to use will help you stay secure and retain usability at the same time.

• Mobile security management: As your workforce becomes increasingly mobile, and as phones and tablets continue to grow in use for productivity, you'll need a solution that can manage these devices. Pick a solution that leverages the security posture of mobile devices in the access policies for applications and resources.

• Remote access for apps and servers: When your users need to get work done remotely, integration with remote access is key. Look for secure remote access capabilities that limit the need for a full VPN connection and provide the ability to monitor and record remote sessions.

• Privileged access and shared account management tools: Your organization's cybersecurity can rest on its ability to manage privileged access and shared accounts. Find a platform that makes visibility and central control easy and accessible.

• Strong vendor partnership and support: A vendor that wants to see you succeed can make the difference between a successful rollout and a failed and neglected implementation. Find a vendor that has great references and a reputation for carrying through after the sale.
