Centrify Empowers DevSecOps with New Approach to Identity and Access Management
July 28, 2020

Centrify debuted Delegated Machine Credentials (DMC) as part of the Centrify Privileged Access Service to reduce risk and empower automation in increasingly complex, infrastructure-as-code-based elastic environments.

Centrify DMC enables organizations to reduce their reliance on service accounts with static credentials used to access password vaults for workloads and services in the cloud or on-premises, instead delegating the entitlements of the machine to applications running on it. The result is improved agility through the reduction of manual processes, and a smaller attack surface due to a significant reduction of service accounts that could potentially expose the organization.

The ongoing challenge for DevOps continues to be enabling agility for developers while also making sure that operations and security teams have confidence that everything is running smoothly and securely. Increasingly, the use of password vaults is becoming a bottleneck that developers don’t want to be hassled with, while security teams are struggling to keep up with the dynamic nature of DevOps centric environments. One of the main challenges is that password vaults were designed to manage human administrative login to servers. Ideally, privileged access for and between workloads would be automated by a modern cloud-PAM solution so humans don’t need to be involved.

Enter Centrify Delegated Machine Credentials, which leverages the power of the Centrify Client to enroll a machine in the Centrify Platform. The Centrify Platform gives the machine a unique identity and credential, can automatically assign role-based permissions, and scope which vault APIs can be called, to constrain access by individual applications, services, or other workloads on the machine. This machine credential can now be delegated for use by workloads on that system, leveraging the binding trust the machine has with the Centrify Platform, avoiding the need to create and manage hundreds or thousands or additional service accounts in a vault. This reduces risk and improves operational efficiency.

“The explosive growth of machine and service accounts in the enterprise is creating a wealth of opportunity for cyber-attackers to sneak into the enterprise,” said David McNeely, Chief Strategy Officer at Centrify. “Our infrastructure-as-code approach makes PAM a ‘first class citizen’ in the CI/CD pipeline, eliminating the need for thousands of potential exposure points while increasing agility. The unique binding trust between the Centrify Client and the Centrify Platform is what makes this identity-centric approach to managing machine identities and their entitlements possible.”

Traditional application-to-application password management (AAPM) approaches have been more of a band-aid. They took embedded credentials out of code, but then require the creation of hundreds or thousands of new service accounts in the vault, a credential and rotation schedule for each one, and client code to obtain the credential. This is an undertaking that can drag down even generously-sized Ops teams. Centrify Delegated Machine Credentials solves this issue by eliminating the requirement for hundreds or thousands of additional service accounts.

“Conceptually, delegated machine credentials can be thought of as ‘federation for machine identities,’ in the sense that rather than applications sharing passwords or secrets directly, the Centrify client can broker a temporary access token between Centrify’s PAS and target resources – applications, service accounts, containers, and APIs,” said Garrett Bekker, principal security analyst at 451 Research, part of S&P Global Market Intelligence. “DMC creates a machine identity and issues a scoped token that is only valid for a defined period of time, in lieu of using many service accounts with long-lived credentials that present a greater attack window.”

Share this

Industry News

August 12, 2020

Datadog announced the general availability of Continuous Profiler, a low-overhead 24x7 code profiler that measures the performance of code in production.

August 12, 2020

Pulumi announced significant new capabilities for Kubernetes, including cloud native deployment automation options, ecosystem integrations and migration tools.

August 12, 2020

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the availability of a new training course, LFS268 - CI/CD with Jenkins X.

August 11, 2020

Datadog announced the launch of Incident Management.

August 11, 2020

Progress announced the latest release of Progress® Test Studio®, the automated UI load and performance testing tool.

August 11, 2020

Symmetry Systems emerged from stealth a year after raising $3 million in seed funding.

August 10, 2020

Red Hat announced the launch of Red Hat remote certification exams.

August 10, 2020

Signal Sciences announced an integration with Microsoft Azure App Service for the Signal Sciences next-gen Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP) solution.

August 10, 2020

Copado announced Copado Government Cloud to help government agencies accelerate the time-to-value of Salesforce digital transformation projects.

August 06, 2020

Push Technology announced the launch of a new Kafka Adapter for their Diffusion Intelligent Data Mesh.

August 06, 2020

Appvia announced the launch of its Cost Prediction and Visibility tool, integrated within the latest version of its Kore platform.

August 06, 2020

LogiGear announced the newest addition to the TestArchitect™ family, TestArchitect Gondola.

August 05, 2020

Logz.io announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.

August 05, 2020

Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.

August 05, 2020

Harness acquired self-service Continuous Integration firm Drone.io, the creator of the open-source project Drone.