Zero Trust Based Privileged Access Management powered by Centrify
Securing access to those that need it, when they need it!
Ensuring secure and appropriate access to IT resources and data is a broad and complex subject which is addressed within the Frontier Data Security and Management Framework.
Most organisations will have mature and well-understood platforms such as multi-factor authentication, password vaults and perhaps also Privileged Access Management (PAM). PAM ensures that users such as system administrators, who often hold the “keys to the kingdom” with open access to key systems and confidential information, have access only to the systems they need, at the time they need them, to fulfil their role. This page discusses the subject in greater depth and introduces developments to the concept of privileged access management that address today’s ever-widening threat landscape.
Why Do You Need Zero Trust Privilege?
This diagram shows the differences between traditional privileged access management solutions and Frontier’s cloud-ready Zero Trust Privilege approach:
VIDEO: Andy Smith, Vice President of Marketing at Centrify, at InfoSecurity 2019 – 0.28
VIDEO: Zero Trust Based Privileged Access Management For Today’s Hybrid IT Infrastructure powered by Centrify – 3.18
How We Deliver Cloud-ready Zero Trust Privilege
VERIFY WHO: Today, identities include not just people but workloads, services, and machines. Properly ‘verifying who’ means leveraging enterprise directory identities, eliminating local accounts, and decreasing the overall number of accounts and passwords to reduce the attack surface.
CONTEXTUALISE REQUEST: For each access request, it’s important to know why someone (or something) is performing a privileged action. To do this, you must understand the context behind the request, and then review and approve the request based on the context provided.
SECURE ADMIN ENVIRONMENT: When connecting to servers with privileged access, you don’t want to risk malware infecting the session. Privileged access must only be permitted from a “clean” source. Thus, avoid access from user workstations that also have Internet and email access, which can all too easily be infected with malware.
GRANT LEAST PRIVILEGE: Grant just enough privilege to get the job done: just-in-time privilege based on temporary access through a simple request process, and limit lateral movement by granting access only to the target resources needed and no more.
AUDIT EVERYTHING: Audit logs are critical as evidence of compliance and are used in forensic analysis. Best practice for privileged sessions is also to keep a video recording of sessions on your most critical assets, which can be reviewed or used as evidence. Multiple regulations, including PCI-DSS for payment card data, specifically require this level of auditing.
ADAPTIVE CONTROL: Modern machine learning algorithms are now used to carefully analyse a privileged user’s behaviour and identify anomalous, and therefore risky, activities. Controls include alerting as well as active response to incidents by killing sessions, adding monitoring, or flagging for forensic follow-up.
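To make the six principles concrete, here is an added example (not Centrify’s or Frontier’s code) of a minimal just-in-time privilege broker: a directory-verified user requests a catalogued role with a ticket reference, a separate approver confirms it, the resulting grant is scoped to one target host and command set, expires after a fixed window, and every decision is written to an audit log. The role catalogue, host names, user names and ticket format are constructed for illustration.

```python
from collections import namedtuple

# Constructed catalogue (hypothetical): a role grants a fixed command set on one target host.
ROLE_CATALOGUE = {
    "db-restart": {"target": "db01", "commands": frozenset({"systemctl restart postgresql"})},
}
Grant = namedtuple("Grant", "user role target commands expires_at")


class JitPrivilegeBroker:
    """Time-bound, approved, least-privilege grants with an audit trail; times are Unix epoch seconds."""

    def __init__(self, directory_users, approvers):
        self.directory_users = set(directory_users)  # VERIFY WHO: directory identities only, no local accounts
        self.approvers = set(approvers)
        self.grants = {}      # at most one live grant per user
        self.audit_log = []   # AUDIT EVERYTHING: every decision, allowed or denied, is recorded

    def _log(self, now, event, **fields):
        self.audit_log.append({"time": now, "event": event, **fields})

    def request(self, user, role, ticket, approver, now, minutes=30):
        # CONTEXTUALISE REQUEST: known identity, catalogued role, a reason (ticket) and a second person
        ok = (user in self.directory_users and role in ROLE_CATALOGUE and bool(ticket)
              and approver in self.approvers and approver != user)
        if not ok:
            self._log(now, "request_denied", user=user, role=role, ticket=ticket, approver=approver)
            return None
        spec = ROLE_CATALOGUE[role]
        grant = Grant(user, role, spec["target"], spec["commands"], now + minutes * 60)
        self.grants[user] = grant  # just-in-time: the grant exists only from now until expires_at
        self._log(now, "request_granted", user=user, role=role, ticket=ticket,
                  approver=approver, expires_at=grant.expires_at)
        return grant

    def authorise(self, user, target, command, now):
        # GRANT LEAST PRIVILEGE: only the named target and command set, and only until expiry
        grant = self.grants.get(user)
        if grant is None or now >= grant.expires_at:
            self.grants.pop(user, None)  # expired grants are removed rather than left dormant
            self._log(now, "denied", user=user, target=target, command=command,
                      reason="no_grant" if grant is None else "expired")
            return False
        if target != grant.target or command not in grant.commands:
            self._log(now, "denied", user=user, target=target, command=command, reason="out_of_scope")
            return False
        self._log(now, "allowed", user=user, target=target, command=command, role=grant.role)
        return True
```

In a real deployment the approver step would be a workflow ticket and the audit log an append-only store; the decision logic is the same.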
- Shared Account & Password Vault
- Application Passwords & Secrets Vault
- Secure Remote Access
- Secure Administrative Access via Jump Box
- Access Request & Approval Workflow
- MFA at Vault
- Active Directory Bridging
- Machine Identity & Credential Management
- Local Account & Group Management
- Centrify Zone Technology
- Group Policy Management
- MFA at System Login
PRIVILEGE ELEVATION SERVICE
- Delegated Privilege Role & Policy Management
- Time-Based Role Assignment
- MFA at Privilege Elevation
AUDIT & MONITORING SERVICE
- Session Recording & Auditing
- Gateway Session Monitoring & Control
- Host-Based Session Auditing, Recording & Reporting
PRIVILEGE THREAT ANALYTICS SERVICE
- Adaptive Multi-Factor Authentication
- User Behaviour Analytics
- We can now offer automated penetration testing. It focuses on internal systems and can carry out tests automatically based on a pre-defined schedule and criteria. It gives you an idea of the potential impact should an attacker already be somewhere in your network (having got onto someone’s PC or server, or gained physical access).
- This is a single sign-on, authentication and identity tool with many additional security and auditing features, e.g.:
  - the login password for the device is changed constantly without user intervention
  - control and grant the relevant user permissions on each device
  - record user activity after login to the device
  - search the recordings for what you want to see
  - log all login activity, with search.
We also have a video for this, please let us know if you’d like to see the demo.
Talk to Frontier Technology about:
Eliminating breaches caused by compromised credentials. Malicious and unauthorised users, possibly disgruntled employees and contractors, have succeeded too many times in obtaining the “keys to the kingdom”, which in the wrong hands expose your organisation to massive and unacceptable risk.
Reducing operational costs. Adopting the Zero Trust Privilege approach helps reduce downtime for IT personnel, including time spent waiting for manual grants of access to systems and applications, password resets and more. It also assists data breach investigations, reducing the effort required to determine the cause, the downtime from a mis-configured system or changed authorisations, and the effort of producing audit reports.
Managing shared accounts and passwords securely. While today’s threatscape is pushing towards individual identities rather than shared accounts, as mandated by legislation and industry best practice, there will still be shared passwords in many organisations. It is therefore vital to securely vault all shared, alternate admin and service accounts. Access to those accounts can then be brokered for users, services and applications.