Get control over your cross-platform identity management issues

According to the Gartner 2010 CIO Survey, identity management is the No. 1 IT security priority through 2011. This will be an ongoing concern well beyond 2011 as companies grapple with increasingly complex and disparate infrastructures and a multitude of new mobile access devices. New tools offer help in gaining control across heterogeneous platforms, even into the cloud.

According to the Gartner 2010 CIO Survey, identity management is the No. 1 IT security priority through 2011. I expect this will be an ongoing concern well beyond 2011 as companies grapple with increasingly complex and disparate infrastructures and a multitude of new mobile devices accessing enterprise resources on-premise and in the cloud.

All of the following trends are adding to the complexity of identity and privilege management:

• Critical business applications are moving beyond the corporate data center and into the cloud.

• A variety of third-party users, including partners, contractors and vendors, need access to an organization's business applications and data.

• Access devices, many of which are privately owned, are growing exponentially.

• Environments are growing more heterogeneous in terms of operating systems and management tools in use.

• Compliance standards are getting more prescriptive and enforcement stronger.

I'm preaching to the choir when I tell you that data center platforms are becoming more hybridized. The classic monolithic Windows infrastructure is giving way to a heterogeneous environment that is more difficult to manage and potentially less secure.

Managing and controlling privileges and security policy across this ever-changing landscape is like herding cats. For example, an organization that has a stable of Mac desktop computers might be challenged by enforcing a policy for password changes that is consistent with policies for Windows-based PCs. And for the Unix or Linux servers in the data center, the challenge might be in managing the privileges of what administrators can do based on their job roles and making sure those activities are logged and auditable events. It sure would help to be able to use one consistent toolset to cage these cats and manage all of these identity management issues.

This is the market space that Centrify addresses. From a Mac desktop to servers and applications based on-premise or in the cloud, Centrify is able to make today's heterogeneous identity management environment more efficient by leveraging existing infrastructure, established policies and a standard knowledge base. Companies can leverage their existing Active Directory (AD) infrastructure and extend it to their non-Windows environments. In doing so, Centrify provides identity consolidation with a common cross-platform model for authentication, authorization and audit. It captures in detail all the activities of these managed users, which improves access governance.

Centrify built its solution on top of AD in two distinct ways. First, Centrify extends AD's reach to non-Microsoft systems and applications. This is performed with a software agent that is a plug-in to an operating system or an application, enabling the non-Microsoft resource to dynamically join the AD domain. That helps provide the benefits of single sign-on, a single policy engine and a single point of control where an organization can easily provision and de-provision who has access to what.

Second, Centrify manages the issue of "who can do what" at a more granular command level, and it audits what the individual users are doing. The company says this added functionality above what AD provides yields more granular control and security for users, especially privileged users. This is especially important for regulatory compliance, for instance under PCI DSS requirements 7, 8 and 10.
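The two ideas in the preceding paragraphs, deciding "who can do what" at the command level from directory group membership and recording every decision as an auditable event, can be illustrated with a small policy evaluator. The code below is an added example written for this article; it is not Centrify's software or its policy format. It assumes a constructed directory lookup (`DIRECTORY_GROUPS`), a constructed group-to-role mapping and a constructed per-role allow/deny policy, and it records each decision (allowed or denied) in an in-memory audit list that a real deployment would forward to a SIEM.

```python
"""Role-based command authorization with an audit trail.

Added illustration, not Centrify's code: a user's directory groups are mapped
onto roles, each role carries allow/deny command patterns, and every decision
is written to an audit log so denied attempts are as visible as allowed ones.
"""
import fnmatch
from datetime import datetime, timezone

# Constructed sample: the group memberships a directory lookup would return.
DIRECTORY_GROUPS = {
    "alice": ["CORP\\DBA-Admins", "CORP\\Domain Users"],
    "bob": ["CORP\\Helpdesk", "CORP\\Domain Users"],
}

# Constructed policy: AD group -> role; role -> allow/deny command patterns.
# Deny rules take precedence so a broad allow can carve out exceptions.
GROUP_TO_ROLE = {"CORP\\DBA-Admins": "dba", "CORP\\Helpdesk": "helpdesk"}
POLICY = {
    "dba": {
        "allow": ["/usr/bin/systemctl restart postgresql", "/usr/bin/psql *"],
        "deny": [],
    },
    "helpdesk": {
        "allow": ["/usr/bin/passwd *", "/usr/bin/systemctl status *"],
        "deny": ["/usr/bin/passwd root"],
    },
}

AUDIT_LOG = []  # in-memory here; a deployment would forward these events to a SIEM


def roles_for(user):
    """Map a user's directory groups onto the roles the policy knows about."""
    groups = DIRECTORY_GROUPS.get(user, [])
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


def _first_match(command, patterns):
    """Return the first shell-style pattern that matches the command, or None."""
    for pattern in patterns:
        if fnmatch.fnmatchcase(command, pattern):
            return pattern
    return None


def authorize(user, command, host="srv01.example.test"):
    """Decide whether `user` may run `command` on `host` and audit the decision.

    Returns (allowed, event). Deny rules across all of the user's roles are
    checked first; only if none matches is an allow rule consulted. A user with
    no recognised role, or no matching allow rule, is denied by default.
    """
    roles = roles_for(user)
    rule = None
    for role in roles:
        hit = _first_match(command, POLICY[role]["deny"])
        if hit:
            rule = (role, "deny", hit)
            break
    if rule is None:
        for role in roles:
            hit = _first_match(command, POLICY[role]["allow"])
            if hit:
                rule = (role, "allow", hit)
                break
    decision = rule[1] if rule else "deny"
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "host": host,
        "user": user,
        "roles": roles,
        "command": command,
        "decision": decision,
        "matched_rule": rule,  # None means "no rule matched, default deny"
    }
    AUDIT_LOG.append(event)
    return decision == "allow", event


if __name__ == "__main__":
    for who, cmd in [
        ("alice", "/usr/bin/psql -c 'select 1' prod"),
        ("bob", "/usr/bin/passwd jdoe"),
        ("bob", "/usr/bin/passwd root"),
        ("mallory", "/usr/bin/psql prod"),
    ]:
        ok, ev = authorize(who, cmd)
        print(f"{ev['decision']:5} {who:8} {cmd}  rule={ev['matched_rule']}")
```

The example matches on the full command string, which keeps it short; a production evaluator would compare a canonicalized executable path and argument vector instead, since string matching can be fooled by shell quoting and path tricks. The audit event carries the roles and the exact rule that produced the decision, which is what an auditor asking "why was this allowed?" needs.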

Recently the Institute for Cancer Research (ICR) in Bracknell, U.K., converted from Novell NetWare to Microsoft Windows Server, leading to a corresponding migration to AD to manage its user base, including its growing population of Macintosh users. According to Rob Hall, the ICR assistant manager of desktop services, the organization had a growing need for a centralized mechanism to administer and control its disparate platforms and user base.

They researched the cross-platform identity market and selected Centrify to join all the Mac systems to their AD domain. Hall says they have been able to centralize authentication and access control for their entire user base. They use Microsoft Group Policy to centrally configure and set user and computer policies for all staff, no matter their computing preference. U.S. companies would find that this centralization simplifies compliance efforts around HITECH and HIPAA.

For enterprises that want to test-drive Centrify's tools before deployment, or for smaller organizations that never really saw a need for centralized identity access management, there is Centrify Express. This is a free suite of Active Directory-based integration solutions for authentication, single sign-on, remote access, file-sharing, monitoring and cloud security for cross-platform systems.

Centrify Express is composed of entry-level versions of five of Centrify's products including:

• DirectControl Express -- Active Directory integration for Unix, Linux and Mac systems that provides a single sign-on capability for users.

• DirectManage Express -- Centralized management combined with automated analysis and deployment.

• Centrify Open Source Tools -- Open source tools designed to help administrators manage environments in a secure way.

• Centrify Insight -- A Splunk-based module that provides operational intelligence reporting and dashboards for systems, applications and security devices, plus Security Information and Event Management (SIEM) integration.

• Centrify CloudTools -- Security and management for cloud solutions that ensure identity and access control policies are applied dynamically as a new server instance is brought online.

With CloudTools, Centrify has extended its AD centralization to organizations that are deploying servers on Amazon's EC2 or Rackspace. CloudTools allows these servers to be tied back into the customer's AD, not only to apply security policy to the cloud instances but also to control who can log on to them. With Centrify, the enterprise can centrally control users on-premise, off-premise and in the cloud via its existing AD investment.

When developing CloudTools, Centrify partnered with RightScale to allow organizations to define templates for their cloud-based servers. Think of it as Opsware or BladeLogic, but for the cloud. These CloudTools templates let organizations spin up Linux systems on EC2 and have those non-Microsoft systems join the enterprise AD domain, so that security enforcement is in place from the moment the system comes up on Amazon.

The cross-platform identity management space is certain to grow as enterprise environments grow more complex and diverse. No wonder it's a top-of-mind issue for CIOs.

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2011 IDG Communications, Inc.