Centrify Privileged Access Management:
Centralized Secrets Management and Modern Credential Management
DevOps relies upon secrets and credentials. Embedded in code and static files, however, they are a prime target for cyber attackers. Use Centrify PAM to vault them securely and govern access from anywhere, without complicated and effort-intensive administration. It also gives application architects a choice: instead of static account IDs and passwords, workloads can authenticate with more robust, short-lived alternatives such as SAML and OAuth2 tokens.
Traditional Static Passwords Are Too Risky
The traditional approach to DevOps credential management is to use static IDs and passwords for machines, applications, and services to authenticate to each other. However, every such ID and password adds to your risk. Being static, long-lived, and often simple, they are easier for threat actors to compromise, and each one widens your attack surface. They generally have a corresponding local account on a system, which requires some degree of administration. They are also rarely rotated, for fear of breaking any application or service that depends on them.
Like credentials, generic secrets are only valuable if they are reachable from your systems, apps, and services. With much of today's business logic running in the cloud, inside private networks, giving every workload a path to the vault can be a challenge. IT often has to replicate the vault and its supporting infrastructure into each environment and build complicated mechanisms to keep the copies in sync.
Let Centrify Help
Centrify modern PAM solutions enable your DevOps teams to access the vault from anywhere without having to open risky inbound firewall ports or expose public IP addresses. While it can store static credentials, it provides more robust alternatives that reduce your attack surface.
With Centrify PAM, you can:
Access the Vault from Anywhere
Centrify Vault Suite is the industry’s first SaaS vault. It’s accessible from anywhere without replicating the vault infrastructure and making your virtual private clouds less private. This ensures that all your workloads have the access they need to store and retrieve secrets and obtain credentials when they need them.
Enhance Application Security
Accounts, passwords, and configuration data used by applications, containers, and microservices are a prime target for attackers. Instead of embedding them in plaintext files, securely vault and retrieve them programmatically via RESTful API or CLI calls. For more robust security, avoid passwords and obtain stronger ephemeral tokens from the Centrify Platform’s secure token service.
Provide Secure Tokens to your Workloads
The Centrify Platform has a secure token service that can issue tokens and certificates such as OAuth2 and OpenID Connect tokens, SAML assertions, PKI certificates, and SSH certificates. These are far safer than static passwords: because they are ephemeral and expire shortly after issue, they do not persist, so a leaked token is useful to a threat actor for a much shorter window. Since they are generated programmatically on request by a system, app, or service and are short-lived, they need little ongoing administration and no rotation schedule.
Shrink Your Attack Surface and Reduce Operational Overhead
To access credentials and secrets in the vault, applications and services need a vault service account with which to log in. Each service account carries overhead to create and to assign roles and rights, and each one is a potential attack vector that expands your attack surface. Avoid per-application service accounts and instead use Centrify Delegated Machine Credentials: a single credential per machine. Trusted applications and services on that machine then receive a scoped OAuth2 token that grants access only to the specific vault APIs and secrets they need.
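To make the two preceding sections concrete, the following is an added, self-contained simulation of the pattern they describe: one machine credential per host, a token service that issues short-lived OAuth2-style tokens scoped to specific vault paths, and a vault API that checks signature, expiry, and scope before releasing a secret. It is illustrative code written for this page, not Centrify's SDK or API; the token format (an HMAC-signed JSON body), the scope syntax (secret:read:<path glob>), the machine credential store, and the vault contents are all constructed assumptions. A real token service would sign with an asymmetric key and the vault would verify with the public key.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import os
import time

# Hypothetical token-service signing key (symmetric for brevity; a real STS uses a key pair).
STS_KEY = os.urandom(32)

# Constructed: one delegated machine credential per host, registered with the token service.
MACHINE_CREDENTIALS = {"web-01": "machine-secret-web-01"}

# Constructed vault contents, keyed by secret path.
VAULT = {
    "db/prod/password": "p@ssw0rd-constructed",
    "api/payments/key": "sk_live_constructed",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(machine_id, machine_secret, app, scopes, ttl=300, now=None):
    """Token service: authenticate the machine credential, then mint a short-lived,
    scoped token for one application on that machine. No per-app service account."""
    registered = MACHINE_CREDENTIALS.get(machine_id, "")
    if not hmac.compare_digest(registered, machine_secret):
        raise PermissionError("unknown machine credential")
    now = int(time.time() if now is None else now)
    claims = {"sub": f"{machine_id}/{app}", "scope": sorted(scopes),
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Vault side: reject tampered or expired tokens before looking at scopes."""
    body, sig = token.split(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if (time.time() if now is None else now) >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


def get_secret(token, path, now=None):
    """Vault API: release a secret only if the token carries a matching read scope."""
    claims = verify_token(token, now)
    for scope in claims["scope"]:
        if scope.startswith("secret:read:") and fnmatch.fnmatch(path, scope[len("secret:read:"):]):
            return VAULT[path]
    raise PermissionError(f"token for {claims['sub']} is not scoped for {path}")


if __name__ == "__main__":
    # An app on web-01 gets a 5-minute token limited to the db/prod/ subtree.
    tok = issue_token("web-01", "machine-secret-web-01", "billing", ["secret:read:db/prod/*"])
    print("db password:", get_secret(tok, "db/prod/password"))
    try:
        get_secret(tok, "api/payments/key")
    except PermissionError as e:
        print("denied:", e)
```

The shape of the checks matters more than the token encoding: the vault never sees a password, a stolen token is bounded both in time (exp) and in reach (scope), and adding a new application means minting another scoped token rather than provisioning another service account.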
Audit Privileged Activity
Automatically log, monitor, and audit administrative activity in your development and production environments.