DirectAuthorize Simplifies User Role Definition

 
 
By Frank Ohlhorst  |  Posted 2012-09-06
 
 
 

Centrify Unifies User Sign-On Control Across Multiple Platforms, Devices


Centrify Suite 2012 Enterprise Edition tames user-access problems by centralizing user-account management across multiple platforms and devices.

The product, which began shipping July 25, offers a single-pane-of-glass view for user accounts and automatically synchronizes user-account metadata and credentials across multiple security schemas. This allows users to enter the same credentials across multiple networks and operating systems, while supporting multiple endpoints, ranging from Windows clients to Linux desktops to OS_X- (Mac-) based devices.

Priced at $825 per server and $65 per workstation, costs can quickly add up on enterprise networks; however, a decent return on investment is all but guaranteed, thanks to the time the product saves network administrators, reductions in help desk calls and the secure integration of multiple endpoints into an enterprise.

What's more, the product includes extensive auditing features, as well as reporting and control features that enable administrators to meet compliance requirements and plug account-security holes before the network is affected. Auditing also provides forensics capabilities, assisting in determining if data leakage has occurred, while supporting investigative chores.

The Enterprise Edition of Centrify Suite is actually a mash-up of several Centrify products. Included in the suite are DirectManage, DirectControl, DirectAuthorize and DirectAudit. The DirectManage product integrates Unix, Mac and Linux systems into Microsoft's Active Directory, allowing for centralized management of user accounts, entitlements and security policies.

DirectControl brings support for Active Directory authentication, Windows Group Policies and single sign-on to Linux, Unix and MAC systems. Direct Authorize further strengthens security by bringing role-based privilege management to Unix and Linux systems, further centralizing the security of multiple platforms across heterogeneous networks. DirectAudit adds real-time auditing of Windows, Unix and Linux systems to the mix.

The company also offers suites that have fewer products, as well as more. However, the Enterprise Edition is the most popular suite that the company offers and contains the features needed by the majority of enterprises supporting heterogeneous networks.

For testing, I set up a Windows Server 2008 R2 as the primary network server, with Active Directory. I then added a Red Hat Enterprise Linux 6 server and an Ubuntu 12.04 LTS Linux Server. For client systems, I added a MacBook, Ubuntu System and a Windows 7 system to the mix.

Working With Integrated Centrify Products


My testing focused on the administration of users, management of systems and the end-user experience, as well as the enhanced capabilities provided to network managers. Installation of the suite was straightforward and presented no real surprises, and the included documentation and support smoothed over any issues that arose, which were related more to the particular environment I was working in than to the product itself.

As mentioned before, Centrify Enterprise Suite consists of several integrated Centrify products. Management takes place from a centralized console, which provides access to all the various features. In other words, I did not have to individually launch the products; I could access them all from the main console.

The DirectManage component provides centralized management and administration and uses a logical progression to manage and administer several critical capabilities. I found that DirectManage provided easy-to-use tools to create roles for users, as well as define zones for auto provision. I used DirectManage to create specific roles for the access and administration of Linux and other systems.

However, I was most impressed with the product's ability to discover systems and deploy software to Unix and Linux clients. Centrify calls the technology "Deployment Manager." Using Deployment Manager consists of discovering a machine, registering that machine with the system and then integrating that machine into Active Directory. The product automatically queries the system, figures out all of the users, the software installed and so on, to integrate the new system into Active Directory.

The product offers several options during integration into Active Directory. For example, I was able to choose a zone, a container and other objects to bring the system into Active Directory. Once the system was joined to Active Directory, I was able to create a single-sign-on (SSO) paradigm for the users.

While SSO benefits the end users, the real power of the product is the centralized management paradigm, where Active Directory becomes the primary repository for account information and machine inventory and OS-specific chores can be accessed centrally, instead of requiring an administrator to log on to each server individually.

DirectControl is another key component of the suite. With DirectControl, I was able to centralize account administration, including user rights, policies and settings. DirectControl works by incorporating Unix/Linux/Mac users into Active Directory and then extending it to support those accounts.

The product makes those once-alien systems part of Active Directory. With DirectControl, I was able to quickly define the rights and policies associated with a particular user, regardless of what system the user wanted to access. Simply put, DirectControl extends Active Directory capabilities to Unix/Linux/Mac systems, allowing administrators to centrally control user access.

DirectAuthorize Simplifies User Role Definition


DirectAuthorize brings additional granular control to administrators, especially those looking to use a roles-based administration paradigm. With DirectAuthorize, I was able to define roles for users, allowing me to assign users to particular zones and creating customized rights sets for users that were members of the roles. I found the roles-based administration capabilities were comprehensive, almost to the point of providing too much detail. Roles can also be applied to groups and other objects, which allowed me to create roles specifically meant for member Linux systems and also to create global rights for root- (or administrator-) level accounts.

DirectAudit is another key piece of the Centrify Suite 2012 Enterprise Edition puzzle. DirectAudit is primarily used to capture historical user activity. Simply put, DirectAudit records user activity, so that it can be reviewed at a later date. Using the DirectAudit auditor console, I was able to select sessions to view.

Recorded sessions are listed on the console and can be filtered, sorted or selected based upon a number of criteria, including dates, zones, groups, users and systems. Predefined queries help to keep sessions in order and I was able to create my own custom queries as well. The nice thing about DirectAudit is that it captures more than just a video of user activity.

The product also captures metadata, session activity and system events. That allowed me to filter the captured information even further. For example, I was able to quickly find Unix log-on events using filters and then just focus on what happened around those particular events. That proves to be a big time saver; I did not have to watch a complete video session to identify log-on or log-off events.

While Centrify does an excellent job in the user-management and rights-control consolidation game, it is not the only company out there than can get the job done. Quest Software offers Quest One Identity Suite, which is tuned more toward single sign-on and account management on homogeneous networks.

Fischer International is another player in the centralized user-management field, offering an identity-management suite that is designed to work with native directory systems and leverage the cloud as a service paradigm.

NetIQ is another player in the consolidated identity-management arena, offering both cloud-based and on-site systems that bring single-sign-on, user management and heterogeneity networking support into the management picture. Ensim Unify Enterprise Edition is another premise-based product that stitches directories together and unifies user management. Ensim Unify also offers support for smartphones and other devices as well, moving it into the bring your own device (BYOD) market, a critical new area that many identity-management vendors need to tackle.

Centrify aims to bring BYOD support to their products in the near future, which should transform the Centrify Suite into a one-stop solution for user and heterogeneous credential management.

Rocket Fuel