Alvand Solutions

Sunday, May 19th 2013

Centrify DirectSecure

Dynamically Segment and Isolate Cross-Platform Systems.

Leverage your existing Active Directory infrastructure to secure access to sensitive information in mixed Windows, UNIX and Linux environments.

Overview

Centrify DirectSecure is a policy-based software solution that secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion. By leveraging your existing Active Directory infrastructure and the native IPsec support built into today's operating systems, DirectSecure seamlessly blocks untrusted systems from communicating with trusted systems, and does so without the need to change your network or applications. The net result is improved adherence to regulatory compliance initiatives, an additional layer of policy-driven protection against network attacks for mixed Windows, UNIX, and Linux environments, and prevention of unauthorized access to trusted computing resources and data. Organizations with distributed, heterogeneous systems are using DirectSecure to:

  • Protect against external threats by isolating the enterprise from rogue or unmanaged computers or users
  • Isolate servers holding sensitive information from the rest of the enterprise
  • Encrypt data in motion
  • Establish secure communication channels over public or open networks
  • Isolate an individual tenant's network within an ISP's multi-tenant environment


Features and Benefits

Learn how DirectSecure can help you protect sensitive systems against external and internal threats, encrypt data in motion and more.

Deter external security threats by preventing unmanaged or rogue computers from communicating with trusted systems
Most networks are "hard on the outside and soft on the inside" from a security perspective. Firewalls, secure routers and other security methods protect at the edge, but once inside, unmanaged systems (such as those brought in by guests and contractors) or rogue computers can cause problems by introducing malware, exploiting vulnerabilities or launching denial of service attacks. DirectSecure addresses those threats by preventing an "untrusted" system (a system that has not been authenticated via issuance of a PKI certificate or a Kerberos ticket from Active Directory) from establishing network communication with "trusted" systems. This means that even if an attacker has obtained a valid username and password, they can't access your trusted systems. And unlike other isolation solutions which rely on IP addresses that can be spoofed, DirectSecure cannot be spoofed because trusted systems must be authenticated. The net result is another layer in your defense-in-depth security strategy and a reduction in the attack surface your infrastructure exposes.

Protect against insider threats by further restricting access to specific resources and dynamically segmenting your network
Analysts are now saying that the majority of corporate data theft is coming from insiders. DirectSecure not only protects trusted systems from untrusted systems, but can further secure your trusted systems by delivering tiered network access and tighter control over who can access specific groups of systems. For example, with DirectSecure you can dynamically segment and isolate specific groups of systems that process credit card or personal health information from other trusted systems. This software- and policy-based approach to network segmentation can help you significantly reduce the scope of an audit. For example, you can limit a PCI audit just to the systems that process credit card data, not your entire flat network.

Enable optional end-to-end encryption of data in motion to address compliance requirements and secure sensitive data
With DirectSecure, traffic sent between trusted systems is cryptographically protected so that the receiving system can verify that an authenticated system sent the packet and that the packet was not tampered with or modified in transit. With DirectSecure you can even configure groups of servers to accept only specific types of traffic. In addition, some or all of the traffic between managed systems can be optionally encrypted, providing protection from malicious network users who attempt to capture and interpret network traffic. Encrypting data in motion is important for addressing audit requirements (for example, PCI requirement No. 4) and for better securing legacy applications that transport sensitive data in the clear.

Seamlessly implement logical secure boundaries spanning physical, virtual and cloud-based systems
The need to secure access to sensitive information has traditionally kept organizations from taking full advantage of virtualization, because they don't want to consolidate their more secure systems with less secure systems on the same virtual servers. This is because in many virtualization scenarios the traffic comes from a common MAC address, and it is very hard to partition traffic based on MAC addresses. A similar concern applies to cloud computing, in terms of who can access the systems you want to host in the cloud. DirectSecure addresses these concerns by letting you build logical security boundaries that span physical, virtual and cloud-based systems. These security boundaries are erected by independently authenticating and protecting each virtual machine, as opposed to attempting to partition traffic by MAC address.

Automate the provisioning of certificates on UNIX and Linux systems
Managing certificates on UNIX and Linux systems is required for web servers and other types of applications, but provisioning certificates is a very manual and time-intensive process. DirectSecure automates the provisioning of certificates by delivering a UNIX client for Microsoft's certificate server that can be managed by Group Policy and is secured via Kerberos.

Extend your existing infrastructure in a transparent and cost-effective manner without the need for additional investments in hardware or software
DirectSecure builds upon technologies that already exist in your environment, including your existing Active Directory infrastructure and the IPsec functionality that is built into the modern UNIX, Linux and Windows operating systems that you have deployed. This means you can leverage existing skill sets to deploy and manage authentication policies that enforce the end-to-end security you want between your systems. It also means DirectSecure works without the need for additional hardware or for disruptive changes to network topology or even to applications. And because DirectSecure uses IPsec, which is a Layer 3 protocol, it operates transparently to both applications and users. Finally, because Microsoft already provides both Group Policy and IPsec as a standard part of the Windows platform through its Server and Domain Isolation solution, there is no additional cost to integrate Windows systems with UNIX and Linux systems supported by DirectSecure.

An integral part of the Centrify Suite
DirectSecure is an integral part of the Centrify Suite of solutions for securing non-Microsoft systems and applications. Centrify DirectSecure builds on top of the Centrify DirectControl architecture, which provides the ability to join a non-Microsoft system to Active Directory, thereby facilitating the ability for a UNIX or Linux system to obtain a Kerberos ticket or, with DirectSecure installed, to obtain a PKI certificate. DirectControl also provides the cross-platform Group Policy engine that DirectSecure leverages to apply end-point authentication policies, and can also control which users can log in to which groups of UNIX and Linux systems. Other complementary solutions in the Centrify Suite include DirectAuthorize, which provides granular role-based security, and DirectAudit, which provides user-level auditing of non-Microsoft systems.
