Centrify Empowers DevSecOps with New Approach to Identity and Access Management
July 28, 2020

Centrify debuted Delegated Machine Credentials (DMC) as part of the Centrify Privileged Access Service to reduce risk and empower automation in increasingly complex, infrastructure-as-code-based elastic environments.

Centrify DMC enables organizations to reduce their reliance on service accounts with static credentials used to access password vaults for workloads and services in the cloud or on-premises, instead delegating the entitlements of the machine to applications running on it. The result is improved agility through the reduction of manual processes, and a smaller attack surface due to a significant reduction of service accounts that could potentially expose the organization.

The ongoing challenge for DevOps continues to be enabling agility for developers while also making sure that operations and security teams have confidence that everything is running smoothly and securely. Increasingly, the use of password vaults is becoming a bottleneck that developers don’t want to be hassled with, while security teams are struggling to keep up with the dynamic nature of DevOps centric environments. One of the main challenges is that password vaults were designed to manage human administrative login to servers. Ideally, privileged access for and between workloads would be automated by a modern cloud-PAM solution so humans don’t need to be involved.

Enter Centrify Delegated Machine Credentials, which leverages the power of the Centrify Client to enroll a machine in the Centrify Platform. The Centrify Platform gives the machine a unique identity and credential, can automatically assign role-based permissions, and scope which vault APIs can be called, to constrain access by individual applications, services, or other workloads on the machine. This machine credential can now be delegated for use by workloads on that system, leveraging the binding trust the machine has with the Centrify Platform, avoiding the need to create and manage hundreds or thousands or additional service accounts in a vault. This reduces risk and improves operational efficiency.

“The explosive growth of machine and service accounts in the enterprise is creating a wealth of opportunity for cyber-attackers to sneak into the enterprise,” said David McNeely, Chief Strategy Officer at Centrify. “Our infrastructure-as-code approach makes PAM a ‘first class citizen’ in the CI/CD pipeline, eliminating the need for thousands of potential exposure points while increasing agility. The unique binding trust between the Centrify Client and the Centrify Platform is what makes this identity-centric approach to managing machine identities and their entitlements possible.”

Traditional application-to-application password management (AAPM) approaches have been more of a band-aid. They took embedded credentials out of code, but then require the creation of hundreds or thousands of new service accounts in the vault, a credential and rotation schedule for each one, and client code to obtain the credential. This is an undertaking that can drag down even generously-sized Ops teams. Centrify Delegated Machine Credentials solves this issue by eliminating the requirement for hundreds or thousands of additional service accounts.

“Conceptually, delegated machine credentials can be thought of as ‘federation for machine identities,’ in the sense that rather than applications sharing passwords or secrets directly, the Centrify client can broker a temporary access token between Centrify’s PAS and target resources – applications, service accounts, containers, and APIs,” said Garrett Bekker, principal security analyst at 451 Research, part of S&P Global Market Intelligence. “DMC creates a machine identity and issues a scoped token that is only valid for a defined period of time, in lieu of using many service accounts with long-lived credentials that present a greater attack window.”

Share this

Industry News

November 30, 2020

Shipa is open sourcing Ketch, Shipa's deployment engine, under Apache License Version 2.0.

November 30, 2020

Portworx by Pure Storage announced its qualification and support of Portworx Enterprise for Google Cloud's Anthos on bare metal.

November 30, 2020

SnapLogic now supports SaaS contracts in AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).

November 24, 2020

Red Hat announced new capabilities and features for Red Hat OpenShift, the company's enterprise Kubernetes platform.

November 24, 2020

Sectigo released Chef, Jenkins, JetStack Cert-Manager, Puppet, and SaltStack integrations for its certificate management platform.

November 24, 2020

DataStax released K8ssandra, an open-source distribution of Apache Cassandra on Kubernetes.

November 23, 2020

Spectro Cloud has released a new, self-hosted version of its flagship product, Spectro Cloud.

November 23, 2020

GitLab completed integration of Peach Tech, a security software firm specializing in protocol fuzz testing and dynamic application security testing (DAST) API testing, and Fuzzit, a continuous fuzz testing solution providing coverage-guided testing.

November 23, 2020

Fugue announced the availability of its SaaS product in AWS Marketplace, further simplifying the process for Amazon Web Services customers to use Fugue to bring their environments into compliance quickly, demonstrate compliance at any time, and Shift Left on cloud security.

November 19, 2020

Rollbar announced AI-assisted workflows powered by its new automation-grade grouping engine.

November 19, 2020

Buildkite expanded its integration with GitHub and introduced a new onboarding experience.

November 19, 2020

Rancher Labs launched a new Partner Program for the OEM and embedded community.

November 18, 2020

Puppet announced its evolution to an integrated automation platform to enable key business initiatives such as scaling DevOps, risk reduction, policy as code, and evolving cloud strategies.

November 18, 2020

Adaptavist has joined the GitLab partner program as a Select partner.

November 18, 2020

Postman launched the beta version of public workspaces, a hub that makes it possible for both API producers and consumers to seamlessly communicate and collaborate in real time without team or organizational boundaries.