11 April 2019 at 11:50 AM
We are excited to announce that Centrify now supports CoreOS Container Optimized Linux, which several of our customers are using as part of their adoption of containers for application deployments. But first, let's start with an overview of how Centrify can help you protect access to these container platforms and the applications that run on them.
As organizations embrace hybrid cloud environments and move their applications and other workloads to public clouds such as AWS, Azure and Google, developers building custom apps inevitably rework those apps to take advantage of hosting platform capabilities such as auto-scaling, which provides elasticity and scalability. This move typically means transforming the app into a microservices architecture by containerizing it, which gives the flexibility the business requires.
As developers make this transition to containerized applications, the operations team needs to ensure that it can both enforce the required security for these applications and support their operation in production. This is where identity, access and privilege management come in. Centrify has been working with several of our largest customers to secure both their containerized applications and the hosts they run on. Many of these deployments also have an orchestration system or container management platform, and access to that platform by DevOps staff needs to be secured as well.
We start by securing the container host, which typically runs Docker, so that the platform the containers run on is itself secured and you can centrally manage user access rights and privileges. Privilege management is essential here: IT staff and developers who manage different sets of containers must not be able to compromise the security of the host or of other teams' containerized applications. Keep in mind that membership in the docker group, or write access to the Docker daemon socket, is equivalent to root on the host (a user who can start a container with the host filesystem mounted owns the machine), so access to the Docker CLI and socket should be treated as a privileged operation and granted and audited as such, not handed out as a convenience.
HowTo Articles:
Many applications that run within containers need PAM or NSS to resolve or authenticate an account when they access other services or containers over the network, and in some cases you will also need Kerberos for stronger authentication than passwords or static keys for those accounts. Centrify provides security services that run inside the application containers on these hosts, providing both identity and access management (IAM) and application account and credential management.
One use case is to let developers log in directly to the containers that Operations creates for them so they can manage and troubleshoot their application. All you have to do is install OpenSSH along with Centrify and your application in the container image. Another use case is to provide application or service account services so that one containerized application can authenticate to another service or containerized application on the network. This can be done either by a) creating an account in the container for the server application and vaulting its password so that clients can check it out and log in, or b) creating a network account in AD and then leveraging Kerberos for network logins to other Active Directory integrated services.
HowTo Articles:
Most organizations adopting containers to manage their applications will be using a container orchestration system such as Kubernetes or CoreOS Tectonic. While these orchestration platforms support creating local accounts for DevOps staff logins, it is always a best practice to integrate administrative platforms like these into your enterprise authentication system, so that leavers are disabled centrally and MFA and group policy apply. This can be done by using LDAP to integrate with Active Directory via the Centrify LDAP Proxy (which also gives you multi-domain support), or by using SAML or OAuth for federated login with your enterprise user accounts. Both models are shown below:
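As an added example that is not part of the original post or of Centrify's documentation, here is what the federated model looks like on Kubernetes itself. The Kubernetes API server does not speak LDAP or SAML directly; it authenticates users by validating OpenID Connect (OIDC, built on OAuth 2.0) ID tokens, so the enterprise IdP (or an OIDC broker in front of the directory) is configured as the issuer, and directory groups are then bound to RBAC roles. The issuer URL, client ID and the group names `devops-readonly` and `payments-dev` are assumed placeholders; the `oidc-*` keys are real kube-apiserver flags expressed as kubeadm `extraArgs`.

```yaml
# Added example: kubeadm control-plane configuration that turns on OIDC
# authentication for the API server. Issuer and client ID are assumptions.
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: "https://idp.example.com"    # assumed enterprise IdP / broker
    oidc-client-id: "kubernetes"                  # assumed client registered at the IdP
    oidc-username-claim: "email"                  # which token claim becomes the username
    oidc-groups-claim: "groups"                   # which token claim carries directory groups
    oidc-username-prefix: "oidc:"                 # keeps federated users distinct from
    oidc-groups-prefix: "oidc:"                   # local/system users and groups
---
# Cluster-wide read-only access for an operations group: the group name in the
# token ("devops-readonly") is matched with the configured prefix applied.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ad-devops-readonly
subjects:
- kind: Group
  name: "oidc:devops-readonly"          # assumed directory group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view                            # built-in read-only aggregate role
  apiGroup: rbac.authorization.k8s.io
---
# Least privilege for an application team: edit rights only in its own
# namespace, so one team cannot touch another team's workloads or secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ad-payments-dev-edit
  namespace: payments                   # assumed team namespace
subjects:
- kind: Group
  name: "oidc:payments-dev"             # assumed directory group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

Two points a practitioner should check: the prefixes are deliberate, because without them a group named `system:masters` in a token issued by the IdP would map straight onto the built-in cluster-admin group; and no team group is bound to `cluster-admin` at all, which is the whole reason for doing privilege management at the orchestration layer rather than relying on local accounts. The LDAP model on the page plays the same role for platforms such as Tectonic that talk to the directory through an identity broker; the group-to-role bindings are unchanged.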
Centrify is working with several of our customers to ensure they have control over both access and privileges across the container ecosystem, and to provide IAM services for developers building applications that run within containers. You can get started by installing Centrify Infrastructure Services on your Docker hosts running Linux or CoreOS, and if you are running on AWS, check out our Tech Center for AWS at http://community.centrify.com/aws.