I previously wrote (here) about how Centrify can help federal IT departments “2-factor Everything” when logging in to machines and elevating privileges. But what about the handling of shared accounts like Unix root and Windows Administrator? This is where Centrify Privilege Service (CPS) comes in.
CPS will secure and manage your shared accounts, and it can be deployed either as SaaS or internally within your own network or private cloud. Additionally, CPS allows you to configure your portal to use smart cards for your initial authentication, thus providing a “2-factor” requirement for initial user logins. You could configure CPS to use Integrated Windows Authentication (IWA) so that users connecting from an internal network are not re-authenticated; however, most of my federal customers prefer to always require users to type in their smart card PIN before giving them access. After logging in with their smart card, administrators can use CPS to check out the password of any shared account, or alternatively they can be allowed to log in remotely as this shared account without ever knowing the password. Either way, both of these actions are protected by a “2-factor” authentication process.
Centrify’s Robertson has already written a great blog on how to set up your CIS/CPS tenant to use smart cards, with detailed examples and even a video. This blog can be found here.