KuppingerCole Report
Executive View
By John Tolbert

Centrify Privilege Service

Centrify Privilege Service is a shared account password management and access auditing solution, available as a service or for deployment in the cloud or on-premise.

1 Introduction

Digital identity is a primary vector of attack in nearly all the headline-grabbing data breaches of the last few years. Bad actors, such as fraudsters, state agents, and even malicious insiders or contractors, start by getting access to user accounts, then searching for administrative or service accounts to take over in order to exploit the elevated privileges that they possess. Whether the attackers’ goal is stealing credit card information, health records, or intellectual property, their Techniques, Tactics, and Procedures (TTPs) almost always include capturing and using privileged accounts.

Regulatory compliance is another factor driving adoption of privilege management solutions. For example, in Germany, the “IT-Sicherheitsgesetz” (IT Security Law) requires critical infrastructure operators to adopt a stronger security posture and report security incidents to the government. In the US, federal laws such as Sarbanes-Oxley mandate separation of duties. Privilege management solutions help organizations meet these requirements. This makes Privilege Management a key concept and mandatory component of modern identity management and cybersecurity architectures.

Historically, internal IT staff such as system and database administrators have been the target of privilege management solutions. With the increased utilization of cloud and external services, organizations are finding that other users and groups need to be covered by the privilege management system. If IT operations are outsourced, the accounts used by Managed Service Providers (MSPs) need to be controlled and monitored. Cloud services, particularly SaaS, are often engaged and maintained by personnel outside of IT departments. These SaaS administrative accounts have access to sensitive data, and thus must be controlled and audited by the privilege management solution as well.

Passwords are still an all-too-common authentication method for getting access to user, group, shared, administrative, and service accounts even today. Managing passwords securely has never been more important. Most privilege management systems today tackle the password problem by automatically changing the passwords periodically, consolidating administrative users into fewer accounts, providing password check-out and check-in capabilities, creating normal-user to administrative-user mappings, and time-limiting privilege usage.

Privilege management solutions also generally provide extensive auditing capabilities over the usage of administrative, group, shared, and service accounts. In these cases, auditing on these sensitive accounts goes above and beyond typical logging to include command recording and even screen (“video”) recording of the administrative user’s actions for later review. Privilege management systems may also allow definition of administrative approval workflows, whereby the concurrence of fellow administrators or management can be required before an individual user can gain administrative access.

Implementing privilege management should proceed as a set of iterative steps:

  • Inventory all privileged accounts: internal, external, and cloud
  • Limit access to privileged accounts and restrict their use to “break glass” emergencies only
  • Have users log in with their individual accounts on Windows and Linux; elevate privileges based on role
  • Monitor privileged account usage
  • Use MFA everywhere for increased identity assurance and to prevent breaches
  • Detect anomalies in privileged account use that might indicate potential fraudulent activities
  • Respond to privileged account incidents quickly and with targeted actions
  • Continuously evaluate and improve your Privilege Management strategy.

Centrify Privilege Service provides management of customers’ privileged accounts. It is available as an on-premise product and also as a cloud service. Centrify is a private, venture-backed identity and access management solutions provider based in Santa Clara, California. The company was founded in 2004, and has developed privileged access security and session monitoring products for Linux, Unix, Windows, and network devices as well as Identity-as-a-Service (IDaaS), mobile and Mac Management, and multi-factor authentication solutions.

2 Service Description

Centrify Privilege Service provides password management and privileged account auditing services and more. To facilitate the first step in identifyi ...

3 Strengths and Challenges

Centrify Privilege Service provides most of the necessary functions for protecting accounts with elevated privileges. As enterprises face increasing ...

Copyright

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and making better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
