ThycoticCentrify has unveiled its cloud provider solution to centrally manage AWS billing accounts, identity and access management (IAM) accounts, and AWS EC2 instances in real time.
Organizations are rapidly moving in-house applications to the cloud, often taking a “lift and shift” approach to migrate virtual machines (VMs) and applications to their preferred cloud provider. In doing so, they often create several different AWS Accounts for each application project or department, where each AWS Account has its own root/billing account, IAM user accounts and service accounts, as well as the accounts on the VMs created to support the application. Root/billing account credentials are difficult to manage because any change must be performed by a human, and AWS best practice is to protect the root account with multi-factor authentication (MFA), which AWS enforces at the service level. While automation tooling may integrate new AWS EC2 instances into a PAM solution, operations staff and auditors still need a way to confirm that every hosted VM is accounted for and properly secured.
ThycoticCentrify’s cloud provider solution for AWS addresses these challenges by extending a set of existing PAM capabilities to automate continuous discovery of all AWS EC2 instances, providing full visibility of instances even in elastic auto-scaling groups. AWS root/billing accounts are vaulted for emergency access only, and interactive access to AWS Accounts via the AWS Management Console, AWS CLI, SDKs, and APIs is strictly controlled. AWS IAM accounts and their associated Access Keys are eliminated or vaulted to reduce the attack surface, with SAML-based federated single sign-on providing a more secure and lower-maintenance alternative. Continuous EC2 discovery and post-discovery automations ensure complete and accurate visibility, and that EC2 instances and their privileged accounts are immediately secured and brought under centralized management.
“The cloud is a game changer when it comes to scalability and availability, but it has also changed the game for cyber-attackers looking to leverage new vulnerabilities created by disparate controls and resulting identity management challenges,” said David McNeely, chief technology officer at ThycoticCentrify. “Our cloud provider solution for AWS provides real-time visibility into cloud workloads as they are added and removed, automating privileged password and identity management that ensures administrative and access controls are enforced while reducing complexity and risk.”
The foundation of ThycoticCentrify’s cloud provider solution is a cloud-native “hub-and-spoke” architecture centered on the Centrify Platform and lightweight Centrify Gateway Connectors that enroll cloud workloads into the Centrify Platform. The solution can also auto-deploy Centrify Clients on discovered Windows and Linux instances for fine-grained access control, auditing, and visual session recording, and can enable passwordless login using ephemeral certificates issued by the Centrify Platform via “Use My Account.”