Somerford Associates Limited

Centrify - Privileged Access Management (PAM)

Zero Trust Privilege reduces data exposure by granting 'least privilege access' to whoever is requesting access. It validates the user's credentials, the context of the request and the risk of the environment. By implementing least privilege access, organisations minimise the attack surface, improve compliance visibility, reduce risk and lower costs.

Features

  • Privileged Access Management
  • Adaptive Multi-Factor Authentication (MFA) for cloud and on-premise infrastructure
  • Workflow & Lifecycle Management
  • Application Passwords, Secrets and Secure Shell (SSH) Keys Vault
  • Multi-Directory Brokering
  • Privilege Elevation
  • Shared Account & Privileged Account Password Vault
  • Secure Remote Access
  • Session Recording & Auditing
  • Active Directory Bridging

Benefits

  • Centralised identity and access management
  • Multi Factor Authentication (MFA) for access and privilege elevation
  • Risk-aware access
  • Consolidate identities and Minimise Break Glass
  • Mitigate Virtual Private Network (VPN) risk
  • Grant just enough privilege (least privilege access)
  • Grant just in time privilege (require access approvals)
  • Machine Identity & Credential Management
  • Group Policy Management
  • Local Account & Group Management

Pricing

£3,333 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

131251281791685

Contact

Somerford Associates Limited, Penny Harrison
Telephone: +44 1242 388168
Email: penny.harrison@somerfordassociates.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
  • Active Directory
  • UNIX/Linux/macOS
  • Hadoop
  • NoSQL
  • Apache web servers
  • SAP
  • IBM DB2
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
A list of supported browsers, applications and operating systems is available
System requirements
Appropriate Licensing for services accessed through Centrify's Privileged Access Service

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response within 1 hour during business hours
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all.

If an issue requires Professional Services to be engaged, a member of the support team will liaise with your Account Manager to discuss this further.

The Service Desk offers support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail using their company e-mail address. The ticket will be logged and assigned to an engineer, who will respond within 1 business hour.

Somerford resolve over 90% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this process. Wherever possible, we will manage your service desk case with our Partners.

Our service desk is available between 9am and 5pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.

All our customers have a Technical Account Manager.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Professional Services are available to assist in implementing the solution and provide on-site training. Additionally online training is available along with comprehensive user documentation.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data can be extracted via the RESTful API and the reporting toolset.
End-of-contract process
Clients are notified towards the end of their contract. Should the contract end, portal access will be removed. There is no additional cost to end the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
  • Linux or Unix
  • macOS
  • Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile device application can be utilised as a further authentication mechanism for MFA
Service interface
No
API
Yes
What users can and can't do using the API
The Centrify RESTful API provides full functionality to set up and change all functions of the cloud service. Where relevant, command line tools are available for direct configuration and querying of all parts of the service.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The front-end user and administrative interface is fully customisable and exposed via the RESTful API. Some customisation options are included within the administrative portal.

Roles, rights and auditing features can be fully customised to client requirements.

This can be conducted either via the console or the command line if the user has the required access level.

Granular access can be granted to discrete parts of the environment.

Scaling

Independence of resources
Various deployment options are available, including self-hosted and public cloud. The Centrify public cloud option is a fully managed multi-tenanted cloud deployment, and the service is automatically scaled according to customer demand.

Analytics

Service usage metrics
Yes
Metrics types
Metrics include, but are not limited to:
  • Number of audited systems and sessions
  • Location-based user access, both successful and denied
  • Mobile device metrics, including number of devices, types of devices in the estate and compliance levels
  • Use of multi-factor authentication for application, infrastructure and service access
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Centrify

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Centrify provide a REST API to query data.
Data can also be exported via the reporting mechanisms.
Data export formats
  • CSV
  • Other
Other data export formats
REST API extract
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Centrify have three layers of redundancy to provide the highest levels of availability:

All customer data is encrypted and backed up in three redundant local systems, for immediate local failover to hot backup.

All customer data is additionally backed up to another datacenter within the same continent, for global failover if needed.

Centrify leverages Microsoft Azure and Amazon AWS datacenters to take advantage of their best practices for fault tolerance and always-on availability.
Approach to resilience
Centrify have three layers of redundancy to provide the highest levels of availability:

All customer data is encrypted and backed up in three redundant local systems, for immediate local failover to hot backup.

All customer data is additionally backed up to another datacenter within the same continent, for global failover if needed.

Centrify leverages Microsoft Azure and Amazon AWS datacenters to take advantage of their best practices for fault tolerance and always-on availability.

Further information is available on request
Outage reporting
Centrify provide a public dashboard of their cloud availability status at https://www.centrify.com/support/centrify-trust/trust/
Should an outage occur, customers will be informed via email.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Delegated administrative access via role based control.
Centrify support can be granted read access for a specified, limited time period in order to troubleshoot issues.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
No audit information available
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Common Criteria certification listed at EAL 2+
  • SOC II Certification
  • Centrify is validated FIPS 140-2 Level 1
  • Cloud Security Alliance Cloud Controls Matrix

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • Other
Other security governance standards
FedRAMP, FIPS 140-2 Level 1, SOC II, Common Criteria certification
Information security policies and processes
Centrify maintains a security program that includes policies and procedures, defined roles and responsibilities, and mandatory new-hire and annual training. Centrify's program is based on the ISO 27001/2 and SSAE 16 standards. Employees are subject to disciplinary action, including termination, for failure to comply with security policies. Centrify is audited annually by an independent third party to assess the design and effectiveness of the security program and controls; the results are in the SOC II Type 2 report, available upon request with a fully executed MNDA. Centrify's privacy program and controls are also audited annually for compliance with relevant security requirements; the policy and results are available at: https://www.centrify.com/privacy

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Production changes are documented in a ticket system and undergo review and approval by operations management.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Centrify tests for vulnerabilities through multiple channels, including third-party application vulnerability testing, bug bounty programs, third-party source code security testing, active network scanning, monitoring of vendor and industry security alerts, and annual risk assessments. Microsoft also maintains additional controls to manage physical, OS and network-level threats to the Azure & AWS platforms. Identified vulnerabilities and risks are tracked in an internal ticketing system from identification through resolution. Patches and relevant information releases to customers are made promptly, according to the risk of the identified vulnerability.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Centrify monitors the application and platform components of the service for potential issues. Cloud Operations staff monitor alerts and logs for issues, and log a ticket for issues that require remediation. In the event of an application or data compromise affecting customer data, the customer is notified immediately and remains in contact with the remediation team until resolution. More information on response times is provided in the EULA or SLSA.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Centrify maintains an incident response policy and program, with defined processes, roles and responsibilities. Customers may submit security issues through the normal support channels or any additional channels as provided in the EULA or SLSA. Incident reports are provided through the support channel to the primary support contact for the customer, or through security channels as provided in the EULA or SLSA.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£3,333 a licence a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
30-day fully featured free trial, or Express version with limited functionality, optionally supported with Pre-Sales Support.

Professional services and training are excluded.
Link to free trial
https://www.centrify.com/free-trial/
