DEVOPSdigest

Centrify debuted Delegated Machine Credentials (DMC) as part of the Centrify Privileged Access Service to reduce risk and empower automation in increasingly complex, infrastructure-as-code-based elastic environments.

Centrify DMC enables organizations to reduce their reliance on service accounts with static credentials used to access password vaults for workloads and services in the cloud or on-premises, instead delegating the entitlements of the machine to applications running on it. The result is improved agility through the reduction of manual processes, and a smaller attack surface due to a significant reduction of service accounts that could potentially expose the organization.

The ongoing challenge for DevOps continues to be enabling agility for developers while also making sure that operations and security teams have confidence that everything is running smoothly and securely. Increasingly, the use of password vaults is becoming a bottleneck that developers don’t want to be hassled with, while security teams are struggling to keep up with the dynamic nature of DevOps centric environments. One of the main challenges is that password vaults were designed to manage human administrative login to servers. Ideally, privileged access for and between workloads would be automated by a modern cloud-PAM solution so humans don’t need to be involved.

Enter Centrify Delegated Machine Credentials, which leverages the power of the Centrify Client to enroll a machine in the Centrify Platform. The Centrify Platform gives the machine a unique identity and credential, can automatically assign role-based permissions, and scope which vault APIs can be called, to constrain access by individual applications, services, or other workloads on the machine. This machine credential can now be delegated for use by workloads on that system, leveraging the binding trust the machine has with the Centrify Platform, avoiding the need to create and manage hundreds or thousands or additional service accounts in a vault. This reduces risk and improves operational efficiency.

“The explosive growth of machine and service accounts in the enterprise is creating a wealth of opportunity for cyber-attackers to sneak into the enterprise,” said David McNeely, Chief Strategy Officer at Centrify. “Our infrastructure-as-code approach makes PAM a ‘first class citizen’ in the CI/CD pipeline, eliminating the need for thousands of potential exposure points while increasing agility. The unique binding trust between the Centrify Client and the Centrify Platform is what makes this identity-centric approach to managing machine identities and their entitlements possible.”

Traditional application-to-application password management (AAPM) approaches have been more of a band-aid. They took embedded credentials out of code, but then require the creation of hundreds or thousands of new service accounts in the vault, a credential and rotation schedule for each one, and client code to obtain the credential. This is an undertaking that can drag down even generously-sized Ops teams. Centrify Delegated Machine Credentials solves this issue by eliminating the requirement for hundreds or thousands of additional service accounts.

“Conceptually, delegated machine credentials can be thought of as ‘federation for machine identities,’ in the sense that rather than applications sharing passwords or secrets directly, the Centrify client can broker a temporary access token between Centrify’s PAS and target resources – applications, service accounts, containers, and APIs,” said Garrett Bekker, principal security analyst at 451 Research, part of S&P Global Market Intelligence. “DMC creates a machine identity and issues a scoped token that is only valid for a defined period of time, in lieu of using many service accounts with long-lived credentials that present a greater attack window.”