Why All The Emphasis On Insider Threats? Three Reasons:

1. Insider security risks are more prevalent and potentially more damaging.

According to a study conducted by the Ponemon Institute, 34% of data breaches in the U.K. come from malicious activity, including criminal insiders, and 37% of breaches come from employee negligence. A previous Ponemon study indicated that a third of malicious attacks come from criminal insiders. Further, a Forrester study revealed that 75% of data breaches were caused by insiders, most often due to employee negligence or failure to follow policies. The most-often cited incidents were lost devices, inadvertent misuse of sensitive information and intentional theft of data by employees. The impact of data breaches and downtime, whether caused by insider malice or negligence, can cripple an organization, exposing it to lost revenue, significant brand damage and increasingly onerous regulatory fines and penalties.

2. User identity “blind spots” are causing audit failures.

Many organizations are failing audits because of blind spots in their identity infrastructures. Blind spots can occur when identities and entitlements are managed in disparate silos or on local servers rather than centrally. For example, one of the biggest identity challenges for companies — and a major cause of failed audits — is a lack of visibility into local administrator accounts on Windows. This is akin to the root account on a Linux/Unix system. Failed audits can be particularly damaging in today’s environment, in which regulations related to data loss and data protection are becoming more rigorous around the world. Companies that conduct business globally have to be in compliance with a wide range of rules and regulations to satisfy audit requirements.

As such, organizations must be able to provide proof that users who have access to certain servers and applications are actually authorised users. They must also be able to deliver an auditable trail of what each user has done within the server. These requirements mean organizational policies need to apply the principle of “least privilege access,” whereby users log in as themselves and have only those privileges needed to do their jobs. If they need to have their privilege elevated for some reason, that is an explicit action.

3. Organizational complexity is posing a growing challenge.

Managing employee identity used to be relatively easy: A user was typically sitting at a desktop with a single machine connected to an enterprise application through a single wire. Ah, but things have changed. Users are now mobile and using a wide range of devices, some of which may be unsanctioned or undocumented personal devices. And mobility is only one aspect of the heightened complexity. IT infrastructures are increasingly diverse and heterogeneous, with multiple silos defined by departments, applications, operating systems or other characteristics that set them apart from one another. The proliferation of virtualization and cloud services adds additional layers of complexity to the IT environment. Without a solution to unify user identities, organizations face the prospect of having too many identities, thus raising too many identity-related risks — including data loss, data breaches, application downtime, failed audits and an inability to identify and rectify internal security problems before they escalate.

Savvy IT and security managers are recognizing that the most cost-efficient and effective way to address these challenges is to incorporate a solution that provides insiders with a unified identity across all platforms. By linking access privileges and activities to specific individuals, the IT organization can establish the control needed to minimize security risks, along with the visibility required to achieve compliance.

© 2013 Centrify Top 3 Reasons to Give Insiders a Unified Identity. 

Centrify is a PathMaker Group partner providing advanced privileged access management, enterprise mobility management, cloud-based access controls worldwide.  The Centrify Identity Service provides a SaaS product that includes SSO, multi-factor authentication, enterprise mobility management and seamless application integration.  The Centrify Privilege Service provides simple cloud-based control of all privileged accounts and provides extremely detailed session monitoring, logging and reporting capabilities.  The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure. Centrify is a Leader in The Forrester Wave, Q3 2016.


Recertification Health Check – 6 Steps

The regulatory push toward formal recertification of entitlements and privileges finds many enterprises in new compliance territory. PathMaker Group Chief Architect Jerry Castille shares six critical best practices to ensure strong governance.

1) Identify Target Applications: Collecting an inventory of applications that fall within the scope of a certification campaign’s requirements is the first step in a successful certification process. This inventory will detail application information relevant to the execution of your campaign.

2) Gather Accounts & Grants: For each application identified, I work with your team to determine the optimal approach for the extraction of accounts and group/role memberships from each target. If necessary, we will work with your team to develop a process for the normalization of this data into machine consumable output.

3) Entitlement Definition Workshop: Using our guided workshop format, we will work with your team of application and business process owners to define the set of entitlements within each application that will need to be certified. At the end of these workshops, your team will be enabled to define and maintain an inventory of items within each application that require access certification.

4) Gather Authoritative User Data: At this step of the process, PathMaker works with your organization to identify the individuals that will be included in the certification process. This includes individuals whose access is being certified, individuals approving access, as well as system owners that will be approving accounts that cannot be directly associated with a human user (orphan and service accounts).

5) Import Campaign Data: All of the work up to this point has been to develop a reusable set of processes that facilitate the adoption of a robust enterprise governance product. During this step, the data gathered during the previous exercises is imported into the PMG Certification Toolkit for analysis. Upon completion, execute your certification campaign.

6) Execute Campaign: Using the parameters defined during our workshop, a good toolkit will produce actionable analytics for approvers and system owners within your organization. Participants will then “Certify”, “Revoke”, or “Modify” each entitlement that requires their approval. Once an approver completes their certification tasks, the data is imported back into the toolkit.

7) Measure Results: After importing the approvers’ decisions into the toolkit, a report is generated listing any entitlements that need to be revoked or modified. This report can be used by your organization to drive the administrative activities required to remove unnecessary entitlements from your user population.
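As an added illustration of steps 2, 4, 6 and 7 (this is example code written for this page, not the PMG Certification Toolkit), the script below normalizes two constructed application exports into one row shape, routes each entitlement to the approver who must decide on it, treats any account with no matching employee as an orphan or service account owned by the application’s system owner, and produces the revoke/modify report. All people, applications, identifiers and the two policy choices (a terminated employee’s access is always revoked; an item nobody decided on is revoked) are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical people, apps and identifiers).
AUTHORITATIVE_USERS = {                     # step 4: HR feed keyed by employee id
    "e100": {"name": "Ana Ruiz", "manager": "e001", "status": "active"},
    "e101": {"name": "Ben Tao", "manager": "e001", "status": "terminated"},
    "e102": {"name": "Cy Okafor", "manager": "e002", "status": "active"},
}
SYSTEM_OWNERS = {"payroll": "e001", "crm": "e002"}   # approve accounts with no human owner

# Step 2: raw exports arrive in whatever shape each application produces.
PAYROLL_EXPORT = "aruiz;e100;PAY_ADMIN|PAY_VIEW\nbtao;e101;PAY_VIEW\nsvc_batch;;PAY_ADMIN\n"
CRM_EXPORT = [
    {"login": "cy.okafor", "emp": "e102", "roles": ["SALES_RW"]},
    {"login": "old_vendor", "emp": "e999", "roles": ["SALES_RW", "ADMIN"]},  # e999 unknown to HR
]


def normalize(app, export):
    """Step 2: map an application's native export to (app, account, emp_id, entitlement) rows."""
    rows = []
    if app == "payroll":                      # semicolon-separated fields, pipe-separated roles
        for line in export.strip().splitlines():
            account, emp, roles = line.split(";")
            rows += [(app, account, emp or None, r) for r in roles.split("|")]
    elif app == "crm":                        # already structured records
        for rec in export:
            rows += [(app, rec["login"], rec["emp"], r) for r in rec["roles"]]
    return rows


def build_worklists(rows):
    """Steps 4 and 6: route each entitlement to the approver who must decide on it.
    An account whose employee id is missing or unknown to HR is an orphan/service
    account and goes to the application's system owner instead of a manager."""
    worklists = defaultdict(list)
    for app, account, emp, ent in rows:
        person = AUTHORITATIVE_USERS.get(emp)
        approver = person["manager"] if person else SYSTEM_OWNERS[app]
        worklists[approver].append({"app": app, "account": account, "emp": emp,
                                    "entitlement": ent, "orphan": person is None})
    return worklists


def measure_results(worklists, decisions):
    """Step 7: merge approver decisions ("Certify"/"Revoke"/"Modify", keyed by
    (app, account, entitlement)) with the authoritative data and emit the items
    that need administrative action. Two policy choices assumed for this example:
    an entitlement held by a terminated employee is revoked whatever the approver
    said, and an item no approver decided on is treated as "Revoke"."""
    report = []
    for approver, items in worklists.items():
        for item in items:
            key = (item["app"], item["account"], item["entitlement"])
            decision = decisions.get(key, "Revoke")
            person = AUTHORITATIVE_USERS.get(item["emp"])
            if person and person["status"] != "active":
                decision = "Revoke"
            if decision in ("Revoke", "Modify"):
                report.append({**item, "decision": decision, "approver": approver})
    return report


def run_campaign(decisions=None):
    """End-to-end pass over the constructed data; returns the remediation report."""
    rows = normalize("payroll", PAYROLL_EXPORT) + normalize("crm", CRM_EXPORT)
    worklists = build_worklists(rows)
    if decisions is None:                     # constructed approver responses
        decisions = {
            ("payroll", "aruiz", "PAY_ADMIN"): "Modify",
            ("payroll", "aruiz", "PAY_VIEW"): "Certify",
            ("payroll", "btao", "PAY_VIEW"): "Certify",      # overridden: Ben is terminated
            ("payroll", "svc_batch", "PAY_ADMIN"): "Certify",
            ("crm", "cy.okafor", "SALES_RW"): "Certify",
            # nobody answered for old_vendor -> revoked by policy
        }
    return measure_results(worklists, decisions)


if __name__ == "__main__":
    for r in run_campaign():
        print(f'{r["app"]:8} {r["account"]:12} {r["entitlement"]:10} {r["decision"]:7} approver={r["approver"]}')
```

The two points worth noticing are that the terminated employee’s “Certify” is overridden by the authoritative HR status, and that the vendor account with an employee id HR does not recognize is surfaced as an orphan and lands on the system owner’s worklist rather than silently disappearing.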

Compliance or Agility? (Why Not Both?)

The increasing number of disclosed security breaches has recently shifted the public’s attention away from compliance. While no longer a hot topic in the news, compliance is still a major focus for enterprises. However, most CIOs aren’t measured on how compliant the business is – their success is measured in how much value they bring to the organization. But no matter how much revenue they generate or operational savings they find, CIOs are well aware of the catastrophic fallout that can result from compliance missteps. Unfortunately, compliance often includes putting processes and controls around the same initiatives that enable companies to grow and adapt – initiatives that result in the measurable value that position CIOs for success. So how do you choose between compliance or nimbleness? And should you even have to?

Often, a choice between two options requires a compromise. Here the choice appears to be between losing money to compliance-violation fines (and then spending the time and resources to become compliant anyway) and investing that money in a business built for growth. Identity governance helps with both.

Controlling and managing identities empowers the company to easily achieve compliance while providing a foundation for business growth and agility.

The Power of Automation

Compliance presents a challenge to enterprise CIOs in two ways. The first is obvious: today’s enterprise ecosystem is complex. You have a growing amount of digital assets in various locations. Users are added every day, with many operating as contractors and other types of users that are external to the organization. Keeping tabs on all these elements can be overwhelming.

Many organizations have cobbled together manual or semi-automated controls in an attempt to gain the visibility required to address regulatory requirements. While it gets the job done, the management and administration costs to run these programs can be exorbitant.

Simply put, compliance is expensive and time-consuming. But you must do it, even if it doesn’t do much to advance the business. In fact, the cost and resources required to manage user access – a key metric in regulatory reviews and audits – can actually divert attention from initiatives that will empower the business.

To make compliance a strategic enabler for the business, you must automate it. Taking it off your plate saves measurable amounts of time and money that can be applied to more business-driven initiatives. The only way to automate compliance is with identity governance. See all the applications, users and systems in your ecosystem. Know, at a glance, who has access to what. Manage user access based on roles or functions without requiring human intervention. Reduce the risk of human error. Get valuable hours back in your day.

The Power of Simplicity

If automated identity governance is good, simplified identity governance is better. Cloud-based identity governance multiplies the benefits of automation by making it easy. There’s no hardware to buy, no software to upgrade and no maintenance of any kind to be done by your IT team. In addition to saving hours per month by automating compliance processes, you can save even more time by eliminating the management of your identity governance solution.

Furthermore, in order for IT to become a tool for business empowerment, CIOs are streamlining their teams. They are hiring business-savvy workers with a broader skill set versus a deep bench of technical knowledge. Moving your identity governance into the cloud and removing the burden of managing the solution means that these teams can put their focus on initiatives that drive the business forward.

SailPoint’s Cloud-based Identity Governance Can Help

Cloud-based identity governance simplifies the process of automating compliance activities so that businesses can get back to what they do best – running their business. SailPoint’s IdentityNow enables you to meet complex compliance requirements with a powerful identity governance solution that requires zero maintenance, upkeep or technical management from your team. With IdentityNow, you no longer have to compromise between focusing on compliance and building an agile business.

© 2016 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries.
All other products or services are trademarks of their respective companies.

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Conclusion

An IDaaS solution can prove to be a tremendous time saver, improve user satisfaction and IT productivity, and address many of the shortcomings associated with password sprawl. When considering an IDaaS solution, partner with a vendor that can deliver on all of the top IDaaS considerations discussed in this paper, and select an IDaaS solution that can centrally authenticate users with their Active Directory identity without replicating it to the cloud, that unifies mobile and app access management, is ready for your enterprise globally, and gives IT valuable insight into which applications are used, how devices are used and when — restoring lost visibility and control. In doing so you will reap many important benefits, including:

  • Improved user productivity and satisfaction:  Make users productive from day one without extensive manual checklists and time-consuming helpdesk calls. Reduce the number of times a user has to remember and self-manage passwords, and make it easier to self-service access to all of their apps, devices and identity.
  • Reduced helpdesk costs:  Return value in improved productivity and as much as a 95% reduction in app account and password reset calls.
  • Lower app lifecycle costs:  Through turnkey provisioning for apps and tight integration with Active Directory, delivering app single sign-on and mobile security is more cost efficient because IT uses existing technology, skillsets and processes that are already in place.
  • Improved security:  IT can remove users’ access to all business-owned cloud and on-premises applications by simply disabling their Active Directory account, which is already a common practice at the time an employee leaves the company. And unlike other solutions, it does not duplicate your existing identity data into the cloud and out of your control — it remains secure inside your corporation.


Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 6 of 6

6. Built for Global Enterprises

When it comes to Identity and Access Management as a Service (IDaaS), enterprises and government organizations should look at young start-ups with a healthy dose of skepticism. Whether your corporate identity is in the cloud, on-premises, or a hybrid of both, you want assurance that you can trust the provider as a stable, long-term partner. As key metrics, you should look for a company that has been around for at least 10 years, has an established base of customers among major enterprises, such as the Fortune 50, and is proven to support global enterprises and major government entities.

You should also look for other signs of an enterprise-class provider, such as a worldwide network of redundant and secure datacenters. This is particularly important when doing business in places such as some European countries that have tough and unique privacy laws. Also look for global capabilities, such as localization into major languages and 24×7 global support. Finally, an enterprise-class partner should provide only solutions that comply with SSAE 16 SOC 2, TRUSTe, and EU Safe Harbor. (Note that the EU-U.S. Safe Harbor framework was invalidated by the Court of Justice of the European Union in October 2015 and has since been superseded, so ask a provider which current transfer mechanism its handling of EU personal data relies on.)

Centrify’s zero-downtime architecture delivers regional datacenter preference and automatic support for 15+ local languages.

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 3 of 6

3. Complete App Access Lifecycle Management

When a user is new to the organization or takes on a different role within the company, an IDaaS solution should make it easy — and automatic — for you to provision users to cloud or on-premises apps with automated account creation, role-based license and authorization management, single sign-on, mobile app client management and automated account deprovisioning. This automation frees up your precious few IT resources and empowers the user to be productive sooner than through existing and often manual onboarding checklists.

Full app access lifecycle management offers key benefits, enabling IT organizations to save time and money by automatically creating user accounts across cloud apps for new employees. Provisioning can eliminate helpdesk calls by allowing you to deploy the right apps — with the right access — the very first time. Provisioning eliminates any follow-on tasks by IT for enabling the user, and also eliminates user confusion. Automatic identity federation provides single sign-on to those apps, without requiring multiple passwords that can be easily lost, stolen or forgotten. Role-based licensing and authorization management for key apps such as Office 365, Salesforce, Box, and more further reduces your IT burden and allows you to quickly get users productive. The same capabilities make it possible to offboard users automatically (disabling or removing users from a group triggers user account de-provisioning) ensuring security and compliance by removing access immediately, removing mobile client apps and their data, instantly deactivating app accounts, and freeing up app licenses.

Centrify manages the complete lifecycle for app access including account provisioning, federation for SSO, mobile app management, centralized visibility and complete deprovisioning when the user changes roles.

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 2 of 6

2. Identity Where You Want It

An IDaaS solution also needs to be flexible, providing robust access to corporate identities managed on-premises (e.g., Active Directory or LDAP), a directory service in the cloud for non-AD users such as partners or customers, and when appropriate, a hybrid of the on-premises and cloud directories. This is in stark contrast to other startup IDaaS vendors who only allow you to store identity data in their cloud directory. In order to leverage user data stored and managed in Active Directory, they first require that a portion of this data be replicated to their cloud and out of your control.

This cloud-only approach may not appeal to some organizations that — rightly or wrongly — have concerns about losing control of the proverbial keys to the kingdom. Organizations may also have reservations about creating another silo of identity to manage, unique security or privacy concerns, or legitimate concerns about the long-term viability of the vendor.

To enable this “identity where you want it,” a well-engineered IDaaS solution should deliver robust integration with on-premises Active Directory or LDAP, should support cloud-only deployments consisting of non-Active Directory or LDAP-based user identities, as well as a hybrid of Active Directory, LDAP, and/or cloud deployment.

Active Directory support should offer built-in Integrated Windows Authentication (IWA) without separate infrastructure and should automatically load balance and fail over without any additional infrastructure or configuration. Most importantly, it should not replicate Active Directory data to the cloud where it is out of the organization’s control — even if you choose to manage some of your users via a cloud model.

The deployment diagram in the original paper (not reproduced here) shows the deployment options an IDaaS solution should support: on-premises directory, cloud directory, and a hybrid of the two. This hybrid approach gives you the best of both worlds in terms of flexibility.


Top Six Things to Consider with an IDaaS Solution – Blog 1 of 6

1. Single Sign-On

Single Sign-On (SSO) is the ability to log into an app (cloud-based, on-premises, or mobile app) every time using a single/federated identity. For consumers this identity can be their social media identity, such as Facebook or Google, while an enterprise identity is typically the user’s Active Directory ID. Without SSO, users need to remember complex passwords for each app. Or worse, they use common or easily remembered (i.e. weak) passwords. For users, the result is a frustratingly fragmented workflow, which can include signing into dozens of different apps during the workday. For IT, the problems of too many passwords, or insecure passwords, are obvious—with a costly data breach ranking at the top among concerns. A properly architected SSO increases both user productivity and corporate app security.

So what should you look for when deploying SSO? At the simplest, a solution should enable you to improve end-user satisfaction and streamline workflows by providing a single identity to access all business apps — whether the apps reside in the cloud, or on-premises behind your firewall. It also needs to unify and deliver access to apps from all end-user platforms—desktops, laptops and mobile devices.

In a properly architected system, once users authenticate by logging in with their enterprise ID (e.g., Active Directory) they should enjoy one-click access to cloud, on-premises or mobile apps. Remote access to on-premises apps should be just as simple as accessing cloud apps: without requiring VPN hardware or client software. This type of SSO — using standards like SAML — will not only reduce user frustration and improve productivity but also enhance security. Federated SSO is better because it does not transmit the user name and password to the app over the network, but instead sends a time-limited, signed token asserting that the user attempting access is known and trusted; the app verifies the token’s signature, audience and validity window rather than a password. In addition, by eliminating the use of passwords and their transmission across networks, you can reduce the likelihood of users locking their accounts and calling the helpdesk, eliminate password risks such as non-compliant and user-managed passwords, and make it possible to instantly revoke or change a user’s access to apps without an admin having to reach out to each and every app.
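To make the mechanism concrete, and to tie it to the deprovisioning point made in blog 3 of this series and in the conclusion (disabling the Active Directory account removes access to every federated app at once), here is an added example written for this page rather than Centrify’s code. An HMAC-signed JSON token stands in for a SAML assertion, a dictionary stands in for the directory, and the signing key, user, password, app names and group mapping are all constructed. The identity-provider side authenticates against the directory and issues a short-lived token bound to one app; the app side checks only the signature, audience and expiry and never sees the password.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for Active Directory: one user, password stored as a hash.
DIRECTORY = {
    "ana": {"password_hash": hashlib.sha256(b"correct horse").hexdigest(),
            "enabled": True, "groups": ["crm-users"]},
}
# Assumption: the IdP and each app share this signing secret out of band.
# A real SAML IdP signs with a private key and apps verify with its certificate.
IDP_KEY = b"idp-signing-key-established-out-of-band"
APP_GROUP = {"crm": "crm-users"}          # which directory group grants each app


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login(user, password, app, now=None, ttl=300):
    """Identity-provider side. Authenticates against the directory, checks the
    account is enabled and authorized for the app, then issues a token that is
    valid for `ttl` seconds and only for that app. Returns None on any failure."""
    now = int(time.time()) if now is None else now
    entry = DIRECTORY.get(user)
    if entry is None or not entry["enabled"]:
        return None                        # disabled AD account: no token for any app
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(entry["password_hash"], supplied):
        return None
    required = APP_GROUP.get(app)
    if required is None or required not in entry["groups"]:
        return None                        # authorization by group membership
    claims = {"sub": user, "aud": app, "iat": now, "exp": now + ttl}
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = b64url(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def app_accept(token, app, now=None):
    """Service-provider side. Verifies signature, audience and expiry and returns
    the asserted user, or None. Note that no password ever reaches this code."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        return None                        # tampered or forged token
    claims = json.loads(unb64url(body))
    if claims.get("aud") != app or claims.get("exp", 0) <= now:
        return None                        # wrong app, or outside validity window
    return claims.get("sub")


def demo():
    """Walks through: normal use, expiry, wrong audience, and offboarding via AD."""
    t0 = 1_700_000_000                     # fixed clock so the run is repeatable
    tok = idp_login("ana", "correct horse", "crm", now=t0)
    ok = app_accept(tok, "crm", now=t0 + 10)            # "ana"
    expired = app_accept(tok, "crm", now=t0 + 301)      # None: past exp
    wrong_app = app_accept(tok, "payroll", now=t0)      # None: audience mismatch
    DIRECTORY["ana"]["enabled"] = False                 # offboarding: one flag in AD
    after_disable = idp_login("ana", "correct horse", "crm", now=t0 + 20)  # None
    DIRECTORY["ana"]["enabled"] = True                  # restore for re-runs
    return ok, expired, wrong_app, after_disable


if __name__ == "__main__":
    print(demo())
```

The revocation property the text describes falls out of the design: because every app trusts only tokens the IdP issues, and the IdP consults the directory on every login, flipping the account’s enabled flag cuts off new sessions to all apps without touching any of them. What it does not do is invalidate tokens already issued, which is why the validity window is kept short.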



5 Things to Consider with Multi-Factor Authentication

Chris Fields, VP of Security Strategy


Multi-factor authentication (MFA) is becoming a mandatory component of a secure identity and access management landscape.  You know you need to implement MFA and are contemplating where to start and what other considerations need to be evaluated.  Below are 5 things to consider on your MFA journey that will 1) save you time, 2) prevent rework and 3) avoid frustrating end users:

1. MFA Server

The MFA server is the “brain” that drives all policy decisions and functionality.  Think of it as the horse you choose to ride on your journey to the MFA finish line.  Flexibility to provide multi-factor (something you know, have or are), risk-based, step-up or other advanced access capabilities is key.  This “brain” should have broad out-of-the-box integrations with various endpoints to maximize use of its capabilities in all facets of your identity and access management landscape. The MFA server should be accessible to your on-premises and cloud applications, services and servers. The placement and mix of those endpoints may even determine whether you select an on-premises or cloud MFA server.

2. MFA Clients

The MFA clients are the various devices that end users use to interact with the MFA server for proper authentication vetting.  A capable MFA server will support myriad MFA client devices and identification techniques including desktops, laptops, tablets, mobile phones, grid cards, smart cards, RFID cards, key fobs (OTP), hard tokens (OTP), soft tokens (OTP) and biometric readers (to name a few). Mobile phones are becoming a very popular option because they not only are ubiquitous but also support many of the identification techniques that normally require deployment of additional hardware, especially one-time password (OTP) & biometric options.   Be sure to confirm support for all the client devices that are most common in your organization to minimize challenges with leveraging your MFA server before you make your selection.  Also, make sure you select the right identification techniques based on your user populations and factor in the deployment time and complexity.

3. VPN Integration

Remote access is typically the first use case out of the gate for MFA integration.  Most companies already have a VPN gateway in place so it becomes the first “stake in the ground” for making your MFA server decision.  Ideally you would pick your MFA server first, to maximize the capabilities I described in the MFA Server and MFA Client considerations, but reality isn’t always so neat and clean.  You may be lucky to have had your VPN software long enough to be at an inflection point, where the current technology is due for an upgrade or replacement and it makes sense to re-prioritize your VPN selection based on your MFA selection.  This is where going with a capable MFA Server yields the benefit of a wide range of out of the box integrations with popular VPN platforms.

4. PIM Integration

Privileged Identity Management (PIM) integration is typically the next integration point for MFA.  VPN integration ensures that the user and device are vetted properly to connect to the network remotely, but once on the network, both internal users and external users need to strengthen their authentication to servers for privileged access.   Instead of integrating each server individually with your MFA solution, integrating through a Privileged Identity Management gateway is becoming a more popular alternative.  Similar to the VPN integration scenario, ideally you would select your MFA solution first and maximize integration options with popular PIM solutions.

5. Access Management Integration

Application Access Management integration is usually the next integration point for MFA.  Having an access management solution in place is a best practice for managing access to applications, especially web applications.  Integrating your MFA solution with an access management solution provides an efficient mechanism for providing MFA capabilities at the individual application level. Since access management solutions form the authentication and authorization backbone for internal and external applications, this essentially extends your MFA capability to internal and external users in a very efficient manner.


Taking these 5 considerations into account when you are looking at your MFA solution will lead to a much less bumpy road for your administrators and end users.  The end result will be a consistent MFA end user experience for your users across the enterprise and a sound technical approach to solving the most common MFA use cases.


Start With The End In Mind: Blog #7 – Lower the Cost of Compliance

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Compliance can be complex and difficult — and as a result, costly. Meeting industry and regulatory mandates requires organizations to regularly review and certify user access privileges. This leaves many companies constantly battling with error-prone and inefficient processes such as manually generating access reports and manually remediating inappropriate user access privileges. Signs that show you need to cut compliance costs include:

  • Building or leveraging multiple, homegrown solutions to handle audit and compliance needs
  • Hiring full-time staff or consultants to handle compliance projects like access certifications and SoD policy enforcement
  • Using inefficient tools like spreadsheets and email to drive manual compliance processes
  • Treating high-risk and low-risk users the same, where insufficient attention is given to high-risk users, or too much time and effort is spent on low-risk users.

To gain better control of your identity and access data, including centrally defining policy and risk and automating your access certification process, you need to replace expensive paper-based and manual processes with automated tools. By doing so, not only can you significantly reduce the cost of compliance, you can also establish repeatable practices for a more consistent, auditable, reliable and easier-to-manage access certification effort. If you struggle to effectively implement compliance processes and integrate them into your systems and infrastructure, a governance-based identity and access management solution is the launching pad you need to improve your effectiveness and reduce the costs of sustainable compliance.

Check back for blog #8, Salvage or Replace an Existing Provisioning System
