
Centrify Evaluation Guide

For Prudential Guarantee & Assurance Inc. (PGA)

© 2019 CENTRIFY CORPORATION. ALL RIGHTS RESERVED 1


Table of Contents
1 Customer Evaluation Environment Details ... 4
2 Privileged Access Service Evaluation ... 5
2.1 Overview ... 5
2.2 Evaluation Prerequisites ... 6
2.3 User Role and Permissions ... 7
2.4 Evaluation Use Cases ... 7
2.4.1 Evaluation Agreement ... 9



Revisions
Version | Date | Author | Summary
1.0 | 02 October 2019 | E. Patricio | Initial version

Customer Contacts
Contact | Role | Email | Phone

Centrify Contacts
Contact | Role | Email | Phone
Edwin Patricio | Solutions Architect | edwin.patricio@centrify.com | +639175939377
Jasper Franco | Sales Director | jasfer.franco@centrify.com | +639988586086



1 Customer Evaluation Environment Details

Environment Notes

Managed System Type | Hostname/IP Address | Managed Accounts
AD Domain | 135.1.0.104 pga.com | Administrator
Oracle | 135.1.0.7 | root
Cisco | 135.1.0.31, 135.1.0.200 | admin
Fortigate | 135.1.3.1 | admin



2 Privileged Access Service Evaluation
2.1 Overview
Centrify Privileged Access Service (PAS) gives authorized internal users, outsourced IT and third-party vendors
secure, always-on privileged access to critical shared account passwords, while maintaining control over who has
access, which account passwords they have access to and how those passwords are managed.

What does this Service Provide?

- Secure and manage super user, service, and application accounts on servers and network devices, both on-premises and in the cloud.
- Secure checkout of account passwords.
- Auto-rotate passwords after checkout.
- Step-up authentication and secure access to infrastructure without knowing privileged account passwords.
- Enforce centralized control over who can access credentials and audit administrator activity, including securing 3rd party access.
- Secure storage of encrypted privileged account credentials in the Centrify Identity Services platform or a key management appliance on-premises (or in the cloud).
- Secure storage of 'secrets' as text or as files.
- Session establishment without disclosing passwords.
- Streamlined secure privileged access from local clients.
- Automatic discovery of systems and service accounts.
- Risk-aware policies for checkouts and privileged sessions.
- "Break-glass" access to passwords from a mobile device.
- Secure and manage application-to-application passwords.
- Secure and encrypted storage of your data.

Benefits you want to highlight during the evaluation

- Improve overall operational security by limiting access to accounts with administrative privileges.
- Provide access to administrative operations without sharing privileged account passwords.
- Log all password checkout, check-in, and reset activity.
- Change the stored password automatically after a viewed or copied password is checked in, to prevent reuse.
- Enforce password complexity by generating passwords that cannot be guessed and that only the service knows.
- Provide remote access to servers and network devices through a secure channel.



2.2 Evaluation Prerequisites
For an on-premise evaluation, the servers below are required, with the following minimum specifications. These prerequisites should be provisioned prior to the initial installation/configuration session with the Centrify Pre-Sales engineer.

Active Directory Domain Control Server

Server Specifications
- CPU: 2-Core
- RAM: 4 GB
- Disk: 40 GB
- Form factor: virtual or physical
Operating System: Windows Server 2012 R2 or 2016
Notes: This is required if a testing Active Directory domain can't be provided.

Privileged Access Service (PAS) Server

Server Specifications
- CPU: 2-Core
- RAM: 8 GB
- Disk: 60 GB
- Form factor: virtual or physical
Operating System: Windows Server 2012 R2 or 2016
General Requirements: System joined to the Active Directory Domain
Centrify Software Requirements
- Centrify Privileged Access Service on-premises
- Centrify Connector
- Centrify Audit and Monitoring Service
Other Software Requirements
- MS SQL Server 2012, 2012 or 2016 with the following features:
  o Database Engine Services
  o Reporting Services
  o Full-Text and Semantic Extractions for Search

Desktop Application Server (Optional)

Server Specifications
- CPU: 2-Core
- RAM: 4 GB
- Disk: 40 GB
- Form factor: virtual or physical
Operating System: Windows Server 2012 R2 or 2016
General Requirements: System joined to the Active Directory Domain
Other Software Requirements
- Remote Desktop Service to be enabled during deployment by the Centrify engineer
- Desktop applications to be deployed by the Centrify engineer according to actual requirements



2.3 User Role and Permissions
The tables below list the users/accounts that can access the PAS system.

PAS Username | PAS Role | PAS Rights | Remark
admin@<suffix> | System Administrator | All Rights | PAS system administrator. Centrify Directory account.

AD Username | AD Group | PAS Role | PAS Rights | Remark
Test1 | PAS Requester | System Administrator | Privileged Access Service User |
Test2 | PAS Approver | System Administrator | Privileged Access Service User |

2.4 Evaluation Use Cases

The following is a list of the Evaluation Use Cases for PGA. This list of use cases determines the scope and success criteria for the course of the evaluation. The Centrify Pre-Sales Engineer will work with PGA to ensure successful completion and validation.

Each use case below gives the Description (Objects/Requirements); the Results, Comments and Priority fields for each use case are recorded during the evaluation.

Support for on-premise user directory
  Show PAS portal login for corporate users (Active Directory and/or LDAP).

Support for hybrid identity providers
  Show PAS portal login for external consultants / partners / outsourced IT. Supports multiple identity providers so that outsourced IT users are kept separate from the corporate user directory when using secure remote access to managed servers and devices.

MFA for web portal login
  Access to the PAS portal with built-in MFA and multiple multi-factor authentication methods such as smart card, e-mail, phone, SMS, mobile client, OATH OTP, FIDO U2F, RADIUS.

Password rotation for managed accounts
  Schedule password rotation for managed privileged accounts. Manual password rotation for managed privileged accounts.

Checking out managed account passwords without workflow
  Retrieve the password for an account to enable you to log on to a target system. PAS automatically generates a new password for the account at the end of the checkout period.

Checking out managed account passwords with workflow
  Retrieve the password for an account that requires approval. The approver can be the user's manager or designated personnel in a group.

Checking out managed account passwords with step-up authentication (MFA for password checkout)
  Enforce step-up strong authentication upon retrieval of the password for an account to enable you to log on to a target system.

Access managed systems with shared account
  Login with a shared account using a browser (VPN-less access) without disclosing the password. Typically shared account access requires workflow approval.

Access managed systems without alternate (named) account
  Login with an alternate account without disclosing the password. Typically alternate account access doesn't require workflow approval.

Access database system desktop application
  Access a database system by launching a Windows application (for instance, applications such as SQL Server Management Studio, TOAD for Oracle, and VMware vSphere Client) without disclosing the password.

Access managed system with step-up authentication (MFA for privileged session)
  Enforce step-up strong authentication upon launching a privileged session to a managed system.

Manage secrets
  Secrets are text strings or files that you want to protect. For example, you might have access keys, software licenses, or files that contain sensitive or confidential information to which you want to restrict access. Authorized users check out secrets.

Request workflow
  A request and approval workflow improves security by controlling which users can request access, which users can grant access, and how long access is allowed if it is granted. Workflow applies to password checkout and remote privileged access. Workflow can be configured with multiple levels and the approver can be set to the requester's manager.

Session audit – Active Sessions
  Privileged access sessions list the systems where sessions were initiated from the service using stored account information, with the option to watch or terminate the session.

Session audit – Replay Sessions
  Privileged access sessions are collected and stored in an audit database for further review and analysis. Play back the recorded sessions using Audit Analyzer with easy-to-search and query capabilities.
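The checkout, check-in, automatic rotation and request/approval behaviour that the password-checkout and request-workflow use cases above describe, as an added toy model written for this guide. It is not Centrify code and does not use the PAS API; the Vault, ManagedAccount and Request classes, the 3600-second checkout period, the audit-record tuple format and the 24-character password alphabet are assumptions of the example. The hosts and users in the usage scenario (135.1.0.7/root, pga.com/Administrator, Test1 as requester, Test2 as approver) are taken from the environment and role tables in this document.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy model of privileged-password checkout (not Centrify code, no PAS API):
# vault-generated passwords, time-boxed checkout, rotation on check-in or expiry,
# an approval workflow for sensitive accounts, and an audit trail of every action.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 24) -> str:
    """Random password known only to the vault until someone checks it out."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class ManagedAccount:
    system: str
    username: str
    requires_approval: bool = False            # checkout gated by the request workflow
    password: str = field(default_factory=generate_password)
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[float] = None   # epoch seconds; None when not checked out


@dataclass
class Request:
    requester: str
    key: tuple                                 # (system, username)
    approved_by: Optional[str] = None


class Vault:
    def __init__(self, approvers, checkout_seconds: int = 3600):
        self.accounts = {}
        self.approvers = set(approvers)
        self.checkout_seconds = checkout_seconds
        self.requests = {}
        self.audit = []  # (time, actor, action, "system/username", detail)

    def _log(self, now, actor, action, key, detail=""):
        self.audit.append((now, actor, action, "%s/%s" % key, detail))

    def add_account(self, acct: ManagedAccount):
        self.accounts[(acct.system, acct.username)] = acct

    def request_checkout(self, requester, system, username, now) -> str:
        req_id = secrets.token_hex(4)
        self.requests[req_id] = Request(requester, (system, username))
        self._log(now, requester, "request", (system, username), req_id)
        return req_id

    def approve(self, approver, req_id, now):
        req = self.requests[req_id]
        # Separation of duties: only designated approvers, and never the requester.
        if approver not in self.approvers or approver == req.requester:
            self._log(now, approver, "approve-denied", req.key, req_id)
            raise PermissionError("not an approver, or self-approval")
        req.approved_by = approver
        self._log(now, approver, "approve", req.key, req_id)

    def checkout(self, requester, system, username, now, req_id=None) -> str:
        key = (system, username)
        acct = self.accounts[key]
        if acct.checked_out_by is not None:
            raise RuntimeError("already checked out")
        if acct.requires_approval:
            req = self.requests.get(req_id)
            if req is None or req.requester != requester or req.key != key or req.approved_by is None:
                self._log(now, requester, "checkout-denied", key, "no approved request")
                raise PermissionError("approval required")
        acct.checked_out_by = requester
        acct.checkout_expires = now + self.checkout_seconds
        self._log(now, requester, "checkout", key)
        return acct.password

    def _rotate(self, acct, now, reason):
        acct.password = generate_password()    # new value known only to the vault
        acct.checked_out_by = None
        acct.checkout_expires = None
        self._log(now, "vault", "rotate", (acct.system, acct.username), reason)

    def checkin(self, requester, system, username, now):
        acct = self.accounts[(system, username)]
        if acct.checked_out_by != requester:
            raise PermissionError("not checked out by this user")
        self._log(now, requester, "checkin", (system, username))
        self._rotate(acct, now, "checkin")     # the viewed password can no longer be reused

    def expire_checkouts(self, now):
        """Scheduled job: rotate every account whose checkout period has ended."""
        expired = []
        for acct in self.accounts.values():
            if acct.checkout_expires is not None and now >= acct.checkout_expires:
                expired.append((acct.system, acct.username))
                self._rotate(acct, now, "checkout expired")
        return expired


def is_denied(action, *args, **kwargs) -> bool:
    """True if the vault refused the action with PermissionError."""
    try:
        action(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

In use, root on 135.1.0.7 is checked out by Test1 without approval and rotated at check-in, while Administrator on pga.com refuses a checkout until Test1's request has been approved by Test2 (Test1 cannot approve its own request), and a scheduled call to expire_checkouts rotates the password once the checkout period elapses. Every step, including the denied ones, lands in the audit list, which is the property an evaluator would verify against the "Log all password checkout, check-in, and reset activity" benefit.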



2.4.1 Evaluation Agreement

The signature below indicates that DND has read and accepted the contents of this document, and agrees that the specified success criteria fully define the scope of the Proof of Concept.

Name

_Angelo Gutierrez_________________________

Signature

_________________________________________

Role

IT Manager______________________________

Date

October 7, 2019_________________________
