Somerford Associates Limited

Centrify - Privileged Access Management (PAM)

Zero Trust Privilege reduces data exposure by granting 'least privilege access' to whoever is requesting access. It validates the user's credentials, the context of the request and the risk of the environment. By implementing least privilege access, organisations minimise the attack surface, improve compliance visibility, reduce risk and lower costs.

Features

• Privileged Access Management
• Adaptive Multi-Factor Authentication (MFA) for cloud and on-premise infrastructure
• Workflow & Lifecycle Management
• Application Passwords, Secrets and Secure Shell (SSH) Keys Vault
• Multi-Directory Brokering
• Privilege Elevation
• Shared Account & Privileged Account Password Vault
• Secure Remote Access
• Session Recording & Auditing
• Active Directory Bridging

Benefits

• Centralised identity and access management
• Multi Factor Authentication (MFA) for access and privilege elevation
• Risk-aware access
• Consolidate identities and Minimise Break Glass
• Mitigate Virtual Private Network (VPN) risk
• Grant just enough privilege (least privilege access)
• Grant just in time privilege (require access approvals)
• Machine Identity & Credential Management
• Group Policy Management
• Local Account & Group Management

£3,333 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

131251281791685

Contact

Penny Harrison
+44 1242 388168
penny.harrison@somerfordassociates.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Active Directory; UNIX/Linux/MacOS; Hadoop; NOSQL; Apache Web Servers; SAP; IBM DB2
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: A list of supported browsers, applications and operating systems is available
• System requirements: Appropriate Licensing for services accessed through Centrify's Privileged Access Service

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response within 1 hour during business hours
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all. ; ; If an issue requires a level of Professional Services to engage, a member of the support team will discuss with your Account Manager to discuss this further. ; ; Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour. ; ; Somerford resolve over 90% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this process. Wherever possible, we will manage your service desk case with our Partners. ; ; Our service desk is available between 9am and 5pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.; ; All our customers have a Technical Account Manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Professional Services are available to assist in implementing the solution and provide on-site training. Additionally online training is available along with comprehensive user documentation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data can be extracted via the RestfulAPI and reporting toolset.
• End-of-contract process: Client's are notified towards the end of their contract. Should the contract end, portal access will be removed. There is no additional cost to end the contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile device application can be utilised as a further authentication mechanism for MFA
• Service interface: No
• API: Yes
• What users can and can't do using the API: Centrify RestfulAPI provides full functionality to setup and make changes to all functions of the cloud service. Where relevant there are command line tools available for direct configuration and querying of all parts of the Service.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The front end user and administrative interface is fully customisable and exposed via RestfulAPI. Some customisation options are included within the administrative portal; ; Roles, rights and auditing features can be fully customised to client requirements. ; ; This can be conducted either via the console or the command line if the user has the required access level.; ; Granular access can be granted to discrete parts of the environment.

Scaling

• Independence of resources: Various deployment options, self-hosted and public cloud. The Centrify public cloud option is a fully managed multi-tenanted cloud deployment and the service is automatically scaled upon customer demand.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics include but not limited to: number of audited systems and sessions.; Location based user access of successful and denied access.; Mobile device metrics including number of devices, types of devices in the estate and compliance levels.; Use of multi-factor authentication for application access, infrastructure and service access.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Centrify

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Centrify provide a REST API to query data, ; Data can also be exfiltrated via reporting mechanisms
• Data export formats:
  • CSV
  • Other
• Other data export formats: RestAPI Extract
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Centrify have three layers of redundancy to provide the highest levels of availability: ; ; All customer data is encrypted and backed up in three redundant local systems, for immediate local failover to hot backup. ; ; All customer data is additionally backed up to another datacenter within the same continent, for global failover if needed.; ; Centrify leverages Microsoft Azure and Amazon AWS datacenters, to take advantage of their best practices for fault tolerance and always-on availability
• Approach to resilience: Centrify have three layers of redundancy to provide the highest levels of availability: ; ; All customer data is encrypted and backed up in three redundant local systems, for immediate local failover to hot backup. ; ; All customer data is additionally backed up to another datacenter within the same continent, for global failover if needed.; ; Centrify leverages Microsoft Azure & Amazon AWS datacenters, to take advantage of their best practices for fault tolerance and always-on availability; ; Further information is available on request
• Outage reporting: Centrify provide a public dashboard to their cloud availability status https://www.centrify.com/support/centrify-trust/trust/ ; Should an outage occur customers will be informed via email.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Delegated administrative access via role based control.; Centrify support can be granted read access for a specified limited time period in order to troubleshoot issues
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • Common Criteria certification listed at EAL 2+
  • SOC II Certification
  • Centrify is validated FIPS 140-2 Level 1
  • Cloud Security Alliance Cloud Controls Matrix

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • Other
• Other security governance standards: FedRAMP, FIPS 140-2 Level 1, SOC II, Common Criteria certification
• Information security policies and processes: Centrify maintains a security program that includes policies and procedures, defined roles and responsibilities, and mandatory new-hire and annual training. Centrify’s program is based on ISO 27001/2 and SSAE 16 standards. Employees are subject to disciplinary action including termination for failure to comply with security policies. Centrify is audited annually by an independent 3rd party to assess the design and effectiveness of the security program and controls; the results are in the SOC II Type 2 report, available upon request with a fully-executed MNDA. Centrify’s privacy program and controls are also audited annually for compliance with relevant security requirements; the policy and results are available at: https://www.centrify.com/privacy

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Production changes are documented in a ticket system and undergo review and approval by operations management.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Centrify tests for vulnerabilities through multiple channels, including 3rd party application vulnerability testing, bug bounty programs, 3rd party source code security testing, active network scanning, monitoring of vendor and industry security alerts, and annual risk assessments. Microsoft also maintains additional controls to manage physical, OS and network-level threats to the Azure & AWS platforms. Identified vulnerabilities and risks are tracked in an internal ticketing system from identification through resolution. Patches and relevant information releases to customers are made with expedience, according to the risk of the identified vulnerability.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Centrify monitors application and platform components of the service for potential issues. Cloud Operations staff monitor alerts and logs for issues, and log a ticket for issues that require remediation. In the event of application or data compromise affecting customer data, the customer is notified immediately and remains in contact with the remediation team until resolution. More information on response times are provided in the EULA or SLSA.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Centrify maintains an incident response policy and program, with defined processes, roles and responsibilities. Customers may submit security issues through the normal support channels or any additional channels as provided in the EULA or SLSA. Incident reports are provided through the support channel to the primary support contact for the customer, or through security channels as provided in the EULA or SLSA.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £3,333 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: 30 day fully featured free trial or Express version with limited functionality, optionally supported with Pre-Sales Support.; ; Excluded are professional services and training
• Link to free trial: https://www.centrify.com/free-trial/

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.