The Lockdown

Thycotic’s Cyber Security Blog

Smarter, More Modern PAM: Secret Server Integration with the Platform Plus Cloud Suite Enhancements


Written by Tony Goulding

October 27th, 2021

ThycoticCentrify’s latest release evolves our Privileged Access Management (PAM) solutions along two critical strategic paths.

Firstly, we’re blending Thycotic and Centrify PAM products, so you benefit from the best PAM capabilities of two of the industry’s market leaders. As an example, existing Secret Server customers can now take advantage of flagship capabilities from the platform. There is much more to come as we continue to blend the respective portfolios.

The platform catalyzes PAM maturity journeys by coupling Secret Server more closely to Cloud Suite

ThycoticCentrify’s ‘better together’ vision of modern PAM has rapidly taken shape with the Cloud Suite 21.7 release, which integrates the Secret Server vault with the platform. In addition to providing significant new value to Secret Server customers, the platform also catalyzes PAM maturity journeys by coupling Secret Server more closely to Cloud Suite, ThycoticCentrify’s privilege elevation and delegation management product. Conversely, Cloud Suite customers can more easily leverage the rich, easy-to-use capabilities of Secret Server.

Secondly, we are executing on the committed Thycotic and Centrify roadmaps established independently before the merger. Work there hasn’t stalled. Customers will continue to benefit from more innovation and functionality across all products.

So, in the latest release, we deliver a little of both.

  • Secret Server integration into the platform
  • Cloud Suite fine-grained Privilege Elevation for Windows and Linux
  • Cloud Suite Linux identity management

Secret Server Integration to the Platform

It’s only been a few short months since Thycotic and Centrify came together as a single company. Internally – although you don’t see this – we’re acting as one with most of the core processes and tools already unified. This is critical to ensure we execute quickly and efficiently.

One question on everyone’s lips is when we’ll start to see integrated products and marquee capabilities from both sides. There are many integrations to look forward to, but in this inaugural integration, Thycotic Secret Server (on-premises or cloud) is now a first-class citizen of the platform. Customers can add Secret Server vaults – one or multiple – to the platform and view and access passwords, SSH keys, and domain accounts across all of them from a single UI.

But of most interest will be a brand-new capability that Secret Server inherits from the platform: WebSSH and WebRDP sessions. These let administrators establish a secure remote login session to Windows, Linux, or UNIX servers from anywhere, via a browser, with no client installation, and without the inherent risks and overhead of VPN dependence. Login is seamless: the platform injects the vaulted account password transparently (the user never sees the credential) and tunnels the SSH or RDP session back to the user through the browser.

If you’re interested in learning more, we hope you’ll check out the latest version of Secret Server and sign up for a free 30-day trial.

Cloud Suite Fine-Grained Authorization

Privilege elevation is a critical element of a mature PAM solution. It’s “one side of the PAM coin,” vaulting being the other. It addresses the need to grant admins only the rights they need (least privilege) while letting them elevate privilege when necessary, for a limited time, under centrally managed policy. On Linux, this is especially beneficial compared with local sudoers files, which are typically managed in a decentralized fashion on each system and drift apart over time.

Cloud Suite delivers centralized, fine-grained control of access and privilege

Cloud Suite sees a significant update with the 21.7 release, delivering centralized, fine-grained control of access and privilege for Windows and Linux servers. With PAM policies centrally managed in the SaaS platform, organizations can scope varying degrees of privileged access that better align with administrators’ job functions. Cloud Suite enforces these policies locally on the host machine and allows administrators to elevate permissions, just-in-time, to run privileged applications or commands.

Server Suite already supports fine-grained privilege elevation. The latest release now brings this capability to Cloud Suite. So, with this release, we now have two great product options for privilege elevation on Windows and Linux servers. Server Suite is ideal for customers with a heavy dependence and investment in Active Directory, Kerberos, and on-premises systems. It leverages Active Directory for unified management of privileged access security policies across Windows and Linux.

However, if you’re running VMs in a cloud provider, you need a different way to enable login with enterprise user accounts, especially if you’re also adopting cloud directories such as Azure AD, Okta, Ping, or ForgeRock. Cloud Suite lets you manage privileged access centrally from the SaaS platform, with a brokered identity management view into those cloud directories.

Customers now have a choice when it comes to managing and controlling server access and privilege. Both solutions enforce centralized policies on each host, controlling login, MFA, and fine-grained privilege elevation.

Linux Identity Management

As organizations grow and infrastructure becomes more decentralized, it’s essential to ensure consistent user IDs (UIDs) and group IDs (GIDs) for users across the Linux systems they access. Without this, users are denied access to applications, files, folders, and network shares, resulting in frustration, help-desk tickets, and lost productivity.

Here are two common scenarios where a mismatch of Linux attributes can result in availability issues:

  • My NAS storage already has a predefined UID/GID namespace. I want the systems I enroll into Cloud Suite to use that same namespace for consistent access.
  • I have already set up my LDAP directory or Active Directory with RFC 2307 attributes (uidNumber, gidNumber) for users and groups. I want the systems I enroll into Cloud Suite to use those same values.

In this release, instead of auto-generating random UIDs and GIDs, Cloud Suite allows customers to define UIDs and GIDs centrally within the platform. Thus, when a user with a Linux profile defined in the platform logs into a Linux box, Cloud Suite ensures the correct RFC 2307 Linux profile attributes are associated with the session.

The Centrify Clients on the host systems perform UID/GID rationalization and preserve it across user sessions. Access to applications, files, and folders remains intact, with no disruption in usage. Linux profile attributes can be set, viewed, and reported through the Cloud Suite UI or programmatically via APIs.
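To make the mismatch problem concrete, here is an added example (not Thycotic or Centrify code) that compares a central RFC 2307 profile set against the local passwd entries of several hosts and reports two things: where a host's UID or GID for a user differs from the central value (the denied-access symptom described above), and where a locally generated UID happens to equal the central UID of a different person, so that files written to a NAS keyed only by numeric UID end up attributed to the wrong account. The directory entries and passwd excerpts are constructed sample data; the function names are the example's own.

```python
"""Detect UID/GID drift between central RFC 2307 profiles and per-host identities.

Added example, not product code. Central profiles stand in for the uidNumber /
gidNumber attributes a directory (or the Cloud Suite platform) would publish;
HOST_PASSWD holds constructed /etc/passwd excerpts from hosts whose identities
were generated independently.
"""
from dataclasses import dataclass

# Constructed RFC 2307-style profiles: the values the central source intends.
CENTRAL_PROFILES = {
    "alice": {"uidNumber": 1001, "gidNumber": 5000},
    "bob":   {"uidNumber": 1002, "gidNumber": 5000},
    "carol": {"uidNumber": 1003, "gidNumber": 5001},
    "dave":  {"uidNumber": 1004, "gidNumber": 5001},
}

# Constructed passwd(5) excerpts. web01 matches the directory; db01 drifted
# because its UIDs/GIDs were auto-generated locally.
HOST_PASSWD = {
    "web01": """alice:x:1001:5000:Alice:/home/alice:/bin/bash
bob:x:1002:5000:Bob:/home/bob:/bin/bash
carol:x:1003:5001:Carol:/home/carol:/bin/bash
""",
    "db01": """alice:x:1001:5000:Alice:/home/alice:/bin/bash
bob:x:1004:5000:Bob:/home/bob:/bin/bash
carol:x:1003:5002:Carol:/home/carol:/bin/bash
""",
}


@dataclass(frozen=True)
class Mismatch:
    host: str
    user: str
    field: str      # "uid" or "gid"
    local: int
    central: int


def parse_passwd(text: str) -> dict:
    """Parse passwd(5) lines into {name: (uid, gid)}, skipping blanks and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed passwd line: {line!r}")
        out[fields[0]] = (int(fields[2]), int(fields[3]))
    return out


def find_mismatches(central: dict, hosts: dict) -> list:
    """Every (host, user, field) where the local identity differs from the central profile.

    A user absent from a host's passwd has simply never been provisioned there,
    so there is nothing to compare yet.
    """
    found = []
    for host, passwd_text in sorted(hosts.items()):
        local = parse_passwd(passwd_text)
        for user, prof in sorted(central.items()):
            if user not in local:
                continue
            uid, gid = local[user]
            if uid != prof["uidNumber"]:
                found.append(Mismatch(host, user, "uid", uid, prof["uidNumber"]))
            if gid != prof["gidNumber"]:
                found.append(Mismatch(host, user, "gid", gid, prof["gidNumber"]))
    return found


def nas_owner_collisions(central: dict, hosts: dict) -> list:
    """(host, local_user, uid, central_owner) where a host's UID belongs centrally to someone else.

    On an NFS/NAS export that trusts numeric UIDs, files this local user writes
    appear to be owned by central_owner, and vice versa: a cross-user exposure,
    not merely a denied-access nuisance.
    """
    owner_of_uid = {p["uidNumber"]: name for name, p in central.items()}
    collisions = []
    for host, passwd_text in sorted(hosts.items()):
        for user, (uid, _gid) in sorted(parse_passwd(passwd_text).items()):
            owner = owner_of_uid.get(uid)
            if owner is not None and owner != user:
                collisions.append((host, user, uid, owner))
    return collisions


if __name__ == "__main__":
    for m in find_mismatches(CENTRAL_PROFILES, HOST_PASSWD):
        print(f"{m.host}: {m.user} {m.field} is {m.local}, central says {m.central}")
    for host, user, uid, owner in nas_owner_collisions(CENTRAL_PROFILES, HOST_PASSWD):
        print(f"{host}: {user} has uid {uid}, which centrally belongs to {owner}")
```

Run against real hosts by replacing the constructed `HOST_PASSWD` values with the output of `getent passwd` from each system and `CENTRAL_PROFILES` with an export of your directory's uidNumber/gidNumber attributes; any collision row is worth fixing before the hosts share storage.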

Learn more about how Centrify Cloud Suite enables you to protect access to servers and critical infrastructure with just-in-time, just-enough privileges for administrators.
